How to install Microsoft updates manually?

I have a legal copy of Windows 8.1, but I don't want to allow automatic downloads of Microsoft updates because it would involve a firewall rule allowing svchost.exe to send to all IP addresses, and svchost.exe is a vector for malware/spyware. I could use advice from forum members who already do manual updates.

So far, I haven't connected my new PC to the internet. I have installed Belarc Advisor, which tells me which applicable MS updates have not yet been installed. One link it gives me is this one:
http://support.microsoft.com/kb/2538242

I think this update applies to my PC because one of the installed programs is "Microsoft Visual C++ 2005 Redistributable". On the above page, I followed the link for IT professionals to here:
https://technet.microsoft.com/library/security/ms11-025

I searched for "KB2538242" on that page and found one link for a download.

I followed a similar procedure for another update link provided by Belarc Advisor. In this case, there were several download links for the KB, but only one for Windows 8.1 X64.

So far, my method seems successful, but is there something I am missing? Any general advice to finding the correct downloads for my PC?

 

I found two other ways to locate the downloads once I have the KB number from Belarc Advisor:
1: Use the search bar for KBXXX here: http://www.microsoft.com/en-us/download/default.aspx
2: Download an ISO for each month's updates here: http://support.microsoft.com/kb/913086

 

This app may be useful for updating a new PC before connecting it to the internet:
http://www.wsusoffline.net/

 

If you want to automate the KBXXX installation use this batch script (not made by me)

Code:

@ECHO OFF
SETLOCAL ENABLEEXTENSIONS ENABLEDELAYEDEXPANSION
PUSHD %~dp0
FOR %%A IN (*-KB*.MSU) DO (
   CALL :SUB %%~nA
   ECHO= Installing KB!KB_NUM!
   >NUL TIMEOUT /t 3
   WUSA "%%~fA" /quiet /norestart)
ECHO= == Press any key to restart ==
>NUL PAUSE
SHUTDOWN.EXE /r /t 0
GOTO :EOF
:SUB
SET "KB_NUM=%*"
FOR /F "DELIMS=-" %%B IN ("%KB_NUM:*-KB=%") DO SET "KB_NUM=%%B"

 

You've brought a subject that's unknown to me.

Are there examples of PCs becoming infected by allowing automatic updates of Windows?

I can understand the desire to manually control what is being updated on one's computer (I have that desire myself.) But I've never seen Windows Update being the source of any infection. And I've been around PCs for a long time (and have a hand in both casually and professionally supporting/fixing/looking after probably at least a couple hundred or more over the years.)

 

How To Change Windows Update Settings in Windows 8 & 8.1

 

The problem I brought up is a firewall rule allowing svchost.exe to send to all IP addresses. So a better question would be: Are there examples of PCs becoming infected by allowing svchost.exe to send to all IP addresses?

This site gives the infamous Conficker worm as an example.
http://www.neuber.com/free/svchost-analyzer/index.html

Manual updates of Microsoft products allows me to craft my firewall rules for svchost.exe to only allow certain addresses, such as my NTP server and my printer. If you have a way to achieve this for Windows 8.1 and still allow automatic Microsoft updates, I would like to hear it.

 

I took a look at the neuber.com link you listed. And following that, looked at several other pages discussing Conficker. From what I saw, the infecting/hijacking of svchost by Conficker is a symptom of infection by other means, not the source of infection. To say it another way, you could block the svchost instance (that includes WU) using your firewall and still be infected by Conficker by every documented means I saw.

I run Win 7 at home. The WU setting I use is "never check for updates". (This can be the same in Win 8.1.) When I know new updates are available, I manually check for updates, then download and install the ones I want. I hide or ignore the ones I don't want. Using this method gives me control of the WU process and I have never seen any update "sneak" through without my permission. It's my understanding that Microsoft uses a secure connection for all this activity. As I mentioned above, I am unaware of any malware infection sneaking through the WU process (svchost related) MS has devised.

 

@HAN: I agree with what you said about the specific case of Conflicker. However, creating firewall rules to limit svchost.exe sending to known-good IPs still offers advantages:
1. It prevents leakage of privacy info by otherwise well-behaved software. For example, I have seen in my firewall logs where reputable freeware tried to send data to Google, Yahoo and Microsoft.
2. If a malware infection does occur, it prevents communication between the malware and its server. This prevents privacy leakage and the payload for severe damage.