Windows Update

Hi guys,

Problem : I have clean images and I like to keep these images up-to-date without going online to avoid any possible infection from the internet.
"Windows Update" requires an internet connection and I'm looking for an alternative.
Please no nLite-solution, I know nLite already.

I have "Windows XP Professional Service Pack 2" 32-bit - English

Possible solution :
Can I use this as an alternative for Windows Update ? I'm not familiar with this at all. Is this really the same as "Windows Update" or am I missing something ? Does it update my Windows completely ?
Any additional info is also welcome and to make it easier for readers, I provided all the links regarding this alternative.

http://support.microsoft.com/kb/913086
http://www.microsoft.com/downloads/...1A-7801-4074-8E40-CAB74D586A6C&displaylang=en

 

Maybe I didn't read far enough or missed it somewhere in there, but are these ISOs simply that particular months' updates? If so, that would seem to be a huge pain to download all that and add them to your image one by one. However, if you have all the others and just want to start doing it this way, I can see that being a lot easier.

I assume of course you don't mind going online to get these ISOs (I'm guessing doing it from a different system). Though unless I'm missing something, isn't the risk of getting a virus the same whether you go online to download the ISO or use Windows Update for your image? In either case, the risk of a virus via either method, provided that website that hosts the ISO, or the Windows Update website is pretty slim if they are the only two places you go.

 

The updates run about 1 to 2 weeks behind the MS release but THIS will give you links to all security related Windows updates.

 

I download the updates i believe are necessary from http://www.softwarepatch.com/

I give them a scan and if alls clear i burn them to disk for safe storage.

 

The chances of being infected when connected to Microsoft surely must be negligable
Unless you have a friend download the updates on your behalf in whatever form, ISO or otherwise,someone has to go online and use the internet ,obviously at some stage!!

I believe the SP3 updates are available from Microsoft as a CD-just buy that.
SP3 works well

 

AutoPatcher
Update Windows with Offline Update

 

Maybe MBSA 2.1 from MS can do this ?

http://technet.microsoft.com/en-us/security/cc184924.aspx

I use it on a XPpro guest in VMware Server

Lamehand

 

Yes, you are missing something, because you assume that I have only ONE system partition, an actual system partition, like most users have.
I have a CLEAN system partition = image and an ACTUAL system partition = harddisk[C:].
I do my downloadings in my actual system partition, not in my clean system partition.
Each time I upgrade my clean system partition, I replace my actual system partition with my upgraded clean system partition.
I don't backup my actual system partition anymore, it might be infected, because it has been online too long.

 

Microsoft forced Autopatcher to stop their activities and I assume that Autopatcher won't be the last one, like RyanVM, nLite, vLite and others. It's just a matter of time. Duplicating Windows Installation CD's isn't really good for M$.

 

I will try this one, just to see what it is. Never heard of it, but that is normal for me. LOL. Thanks.

 

ErikAlbert,

Here is a suggestion that might work for you:
Install Microsoft Baseline Security Analyzer.
Let is run and find missing updates.
Click on the solution, which usually is a separate download of the missing hotfix (without going to the Microsoft Update site)
Store all the hotfixes in a safe place.

Reboot into a "clean offline installation" and run the stored updates.

The free Personal Secunia Inspector is another option to accomplish the updates check. It also looks for missing updates of third party software.

If you install Windows XP Service pack 3 for your language, you do skip 90+ mandated hotfixes! Install it with the option /nobackup to save space.

Paul Thurrott explains here how to slipstream SP3 into your CD without nLite. (meaning without making any alternations behind your back)

 

I tried some of the above mentioned tools but disliked them. They either had a lag on updates notifications or were too intrusive for my taste. For example, BelArc installs a driver (it needs to, as it does more than checking for updates) which I don't need. MBSA otoh will not run if "Server" service is disabled, starting it will open a port (I have no need for "Server" service, and will not have it running because of MBSA) . I also tried SecuniaPSI, I can't remember exactly why, but it was the worst of all (a hog?).
So I do everything manually. It's not so tedious (there are few updates these days). You just need to do a search for the exact KB###### and you'll find your updates in no time. By doing it this way, you also have a chance to read (on the download page) release notes for each update and to decide whether you need it or not. Download exes and execute them.

You certainly do not need to download the whole ISO just because of few MBs of updates. ISOs are mutilingual - hence the size.

Cheers,.

 

Yes, I'm investigating this at the moment along with Belarc Advisor.
Although I keep my system unchanged and malware-free, it won't hurt me to install some security patches (81 are missing already).
I think installing SP3 is the shortest way to install ALL updates, but I will look at the rest also to find a complete solution that will work in the future.

 

by removing all changes at reboot. by having out of date applications with secuirty holes you alot more likely to be infected. sure the changes are gone at reboot but your confidental data could be stolen then you reboot and all the evidence goes with it.

 

No, I'm not infected, but it takes too long to explain it in full detail and defending myself is usually a waste of time.
My boot-to-restore is just a daily protection, I have something much better in the background.

 

i never said you was infected.
i was saying by having out of date applications you more likely to be hit by the security exploits because they havent updated them. so you could get hit someone could then nick information then you reboot and evidence that it happerned goes at reboot.
im here to listen.
im sure it doesnt take that long to explain.
at some points your to paranoid but it still seems you leave your system to open.
so what else do you use along side your daily boot to restore?

 

Not paranoid, I'm doing things in the right sequence, not the classical sequence. Paranoia is a mental disease, I'm not crazy.
In my setup an infection is in the worst case scenario a temporary one, never a permanent one. I read enough posts to know I'm doing much better than other users.
But don't worry, I will take care of Windows Update, it wasn't my priority #1. I'm just polishing my approach, the final touch.

 

Unfortunately even with SP3 installed, you still won't get all the critical updates after installation. You will still need to get the post SP3 updates from microsoft. But hey, if your set up atm works fine for you, why bother?

 

At first I was fond of Belarc, but I discovered that they are not up to date with the security hotfixes. Which means that Belarc doesn't show missing hotfixes from this month. (at least not when I used it after June's "update Tuesday")

To be more specific: All updates which were available on release date of SP3, excluding Internet Explorer 7, Adobe Flash Player and Media Player 11 plus their own updates.

 

It only shows how much you can trust M$. The website says clearly that all previous updates are included in SP3, probably not true. But it doesn't really matter. I live almost 2 years with an unpatched Windows.
Tomorrow I will see what needs to be done.

 

I think he is talking about the updates released AFTER SP3

I think all updates released prior to SP3 is included.

I have to agree with lodore. Regardless of whether you are borderline paranoid or not (I'm no doctor ): it's a bit odd you choose to go for a solution where you choose not to patch all the known security holes in Windows.

I know you have a good security solution that enables you to reboot to the "original" state but I still think you would benefit from a patched OS. Either by MS updates or by manual fixes (that is the "hardening"-part). I don't know if all known exploits can be manually fixed. If you don't plan on altering the code yourself you will have to rely on MS updated or 3rd party apps/fixes if you want a secure OS.

I hope you will find a solution that you can trust, I really do, but IMO it seems you have set your security standards very close to what is practically impossible.

Prettig weekend - Proost
/T

 

This is my new BEFORE/AFTER game

Belarc Advisor BEFORE installing SP3 :
1. CIS Benchmark Score : 0.63 of 10
2. Virus Protection : Unknown
3. Microsoft Security Updates : 81 missing

Belarc Advisor AFTER installing SP3 :
1. CIS Benchmark Score : 1.88 of 10
2. Virus Protection : Unknown
3. Microsoft Security Updates : 5 missing

 

Current status:

 

LOL. I have now 2 advisors to ski with me through my white as snow computer.
1. Belarc Advisor v7.2x
2. Microsoft Baseline Security Analyzer v2.1
It's a bit of fun too and it might give me new ideas. Thanks again for the links.

 

You could also try the blink vulnerability assessment, which scans your system and lists all known vulnerabilities it finds. It does require installing blink personal but it definitely can be helpful.