How to install Microsoft updates manually?

Discussion in 'other software & services' started by SilentMusic7, Jul 8, 2014.

Thread Status:
Not open for further replies.
  1. SilentMusic7

    SilentMusic7 Registered Member

    Joined:
    Aug 29, 2008
    Posts:
    16
    I have a legal copy of Windows 8.1, but I don't want to allow automatic downloads of Microsoft updates because it would involve a firewall rule allowing svchost.exe to send to all IP addresses, and svchost.exe is a vector for malware/spyware. I could use advice from forum members who already do manual updates.

    So far, I haven't connected my new PC to the internet. I have installed Belarc Advisor, which tells me which applicable MS updates have not yet been installed. One link it gives me is this one:
    http://support.microsoft.com/kb/2538242

    I think this update applies to my PC because one of the installed programs is "Microsoft Visual C++ 2005 Redistributable". On the above page, I followed the link for IT professionals to here:
    https://technet.microsoft.com/library/security/ms11-025

    I searched for "KB2538242" on that page and found one link for a download.

    I followed a similar procedure for another update link provided by Belarc Advisor. In this case, there were several download links for the KB, but only one for Windows 8.1 X64.

    So far, my method seems successful, but is there something I am missing? Any general advice to finding the correct downloads for my PC?
     
  2. SilentMusic7

    SilentMusic7 Registered Member

    Joined:
    Aug 29, 2008
    Posts:
    16
  3. SilentMusic7

    SilentMusic7 Registered Member

    Joined:
    Aug 29, 2008
    Posts:
    16
  4. Splosh

    Splosh Registered Member

    Joined:
    Nov 19, 2012
    Posts:
    18
    If you want to automate the KBXXX installation use this batch script (not made by me)

    Code:
    @ECHO OFF
    SETLOCAL ENABLEEXTENSIONS ENABLEDELAYEDEXPANSION
    PUSHD %~dp0
    FOR %%A IN (*-KB*.MSU) DO (
       CALL :SUB %%~nA
       ECHO= Installing KB!KB_NUM!
       >NUL TIMEOUT /t 3
       WUSA "%%~fA" /quiet /norestart)
    ECHO= == Press any key to restart ==
    >NUL PAUSE
    SHUTDOWN.EXE /r /t 0
    GOTO :EOF
    :SUB
    SET "KB_NUM=%*"
    FOR /F "DELIMS=-" %%B IN ("%KB_NUM:*-KB=%") DO SET "KB_NUM=%%B"
    
     
  5. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,080
    Location:
    USA
    You've brought a subject that's unknown to me.

    Are there examples of PCs becoming infected by allowing automatic updates of Windows?

    I can understand the desire to manually control what is being updated on one's computer (I have that desire myself.) But I've never seen Windows Update being the source of any infection. And I've been around PCs for a long time (and have a hand in both casually and professionally supporting/fixing/looking after probably at least a couple hundred or more over the years.)
     
  6. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  7. SilentMusic7

    SilentMusic7 Registered Member

    Joined:
    Aug 29, 2008
    Posts:
    16
    The problem I brought up is a firewall rule allowing svchost.exe to send to all IP addresses. So a better question would be: Are there examples of PCs becoming infected by allowing svchost.exe to send to all IP addresses?

    This site gives the infamous Conficker worm as an example.
    http://www.neuber.com/free/svchost-analyzer/index.html

    Manual updates of Microsoft products allows me to craft my firewall rules for svchost.exe to only allow certain addresses, such as my NTP server and my printer. If you have a way to achieve this for Windows 8.1 and still allow automatic Microsoft updates, I would like to hear it.
     
  8. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,080
    Location:
    USA
    I took a look at the neuber.com link you listed. And following that, looked at several other pages discussing Conficker. From what I saw, the infecting/hijacking of svchost by Conficker is a symptom of infection by other means, not the source of infection. To say it another way, you could block the svchost instance (that includes WU) using your firewall and still be infected by Conficker by every documented means I saw.

    I run Win 7 at home. The WU setting I use is "never check for updates". (This can be the same in Win 8.1.) When I know new updates are available, I manually check for updates, then download and install the ones I want. I hide or ignore the ones I don't want. Using this method gives me control of the WU process and I have never seen any update "sneak" through without my permission. It's my understanding that Microsoft uses a secure connection for all this activity. As I mentioned above, I am unaware of any malware infection sneaking through the WU process (svchost related) MS has devised.
     
    Last edited: Jul 10, 2014
  9. SilentMusic7

    SilentMusic7 Registered Member

    Joined:
    Aug 29, 2008
    Posts:
    16
    @HAN: I agree with what you said about the specific case of Conflicker. However, creating firewall rules to limit svchost.exe sending to known-good IPs still offers advantages:
    1. It prevents leakage of privacy info by otherwise well-behaved software. For example, I have seen in my firewall logs where reputable freeware tried to send data to Google, Yahoo and Microsoft.
    2. If a malware infection does occur, it prevents communication between the malware and its server. This prevents privacy leakage and the payload for severe damage.
     
Loading...
Thread Status:
Not open for further replies.