Software update checker with an offline checking mode?

Discussion in 'other software & services' started by TheWindBringeth, Dec 12, 2012.

Thread Status:
Not open for further replies.
  1. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,084
    Have any of you come across a decent software update checker (basically similar to a Secunia PSI or SUMo I guess) that can be used on a machine *without* an Internet connection? Initial search engine based research hasn't turned up any obvious candidates and I'm not sure whether explicit, per-product research will be fruitful. They could all be cloud based now. TIA.
     
  2. Wild Hunter

    Wild Hunter Former Poster

    Joined:
    Oct 13, 2012
    Posts:
    1,375
    Aren't you asking for mutually exclusive things?
     
  3. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,084
    Conceptually, no, because a database that things are checked against could be downloaded and transported to the target machine along with the checking program. The full, comprehensive database for all OSs, applications, etc might be too large for that though, in which case a subset of the database could be used (for example, generated based on the OS you specify and containing information for the more common programs perhaps even for a general locale you specify). I suspect such an approach could fully cover a significant percentage of users. In those cases where the checker doesn't have local information for something on the target machine, it could simply point that out via a "Didn't have information to check these:" list.

    Practically speaking, I'm not sure where such an approach might be problematic. Any one company, perhaps Microsoft or the developer of the checker, that doesn't want such checking information to be downloaded could render it significantly less useful if not impossible.

    Note that here I'm just talking about checking. Obviously, if something old was found you might want to update it. In many cases that could be done manually. I'm not sure how easy/viable doing so would be with Microsoft software.
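Added example, not part of the thread or of any participant's post: a sketch of the offline design described in the post above, where a database subset is carried to the machine together with the checker and anything the subset lacks is listed as unchecked. The JSON layout, the product names and versions, and the SHA-256 digest check on the carried database are assumptions made for illustration.

```python
import hashlib
import json

# Constructed sample database subset; its JSON layout and product names are assumptions.
SAMPLE_DB = json.dumps({"os": "windows", "products": {
    "example archiver": "9.20",
    "example player": "2.0.10",
    "example editor": "6.2.3",
}}).encode()
SAMPLE_DB_SHA256 = hashlib.sha256(SAMPLE_DB).hexdigest()  # recorded at export (assumption)

# Constructed inventory of the offline machine: product -> installed version.
SAMPLE_INVENTORY = {
    "Example Archiver": "9.20",
    "Example Player": "2.0.9",
    "Example Editor": "6.1.8",
    "In-House Tool": "1.4",
}


def parse_version(text):
    """'2.0.10' -> (2, 0, 10), so 2.0.10 sorts above 2.0.9; non-numeric parts are skipped."""
    return tuple(int(part) for part in text.split(".") if part.isdigit())


def load_database(blob, expected_sha256):
    """Reject a database copy whose digest differs from the one recorded at export."""
    if hashlib.sha256(blob).hexdigest() != expected_sha256:
        raise ValueError("database digest mismatch")
    return {name.lower(): ver for name, ver in json.loads(blob)["products"].items()}


def check_offline(inventory, latest):
    """Return (outdated, current, unchecked) using only local data."""
    outdated, current, unchecked = [], [], []
    for name, installed in sorted(inventory.items()):
        known = latest.get(name.lower())
        if known is None:
            unchecked.append(name)  # nothing in the local subset for this one
        elif parse_version(installed) < parse_version(known):
            outdated.append((name, installed, known))
        else:
            current.append(name)
    return outdated, current, unchecked


if __name__ == "__main__":
    latest = load_database(SAMPLE_DB, SAMPLE_DB_SHA256)
    print(check_offline(SAMPLE_INVENTORY, latest))
```

The third list returned is the "Didn't have information to check these:" report; nothing in the run touches the network.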
     
  4. Wild Hunter

    Wild Hunter Former Poster

    Joined:
    Oct 13, 2012
    Posts:
    1,375
    I will be very surprised if any update checker works that way. Looks like an .... "inefficient waste".

    What kind of users / user scenarios? I'm curious.
     
  5. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,084
    I think such a design could be useful in contexts where information security is an objective. I'm talking legitimate and lawful scenarios BTW. Which would include various contexts where routes to the Internet are prohibited. Also, contexts where a machine can have a connection but one simply doesn't want to expose their machine and the information it contains to a "collect and phone home" type program. Unless you carefully study it, and I'm not sure how easy that would be in practice, you don't actually know what it is that is being phoned home. There may be other usage scenarios as well, such as machines which for no particular reason just don't have an Internet connection and someone doesn't feel like setting one up for them. Granted, in most corporate environments the problem of keeping software up to date would likely be approached in a different manner. Still, I think it could be useful and would be used.
     
  6. Wild Hunter

    Wild Hunter Former Poster

    Joined:
    Oct 13, 2012
    Posts:
    1,375
    Ah ok, the usual paranoid usage. lol Yeah, an interesting market.

    This is not difficult to determine with network tools.
     
  7. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,084
    Just to be clear, I wasn't referring to users who think geostationary satellites are reading their brainwaves ;)

    If the information isn't encrypted the product would be considered unusable to begin with. A MITM via certificate installation *on a test machine with nothing valuable* would probably give you a look, yes. Sometimes I've done that and still been unable to figure out some of the information being passed, and I've also run into custom encrypted protocols on a few occasions. That's what I meant.
     
  8. Wild Hunter

    Wild Hunter Former Poster

    Joined:
    Oct 13, 2012
    Posts:
    1,375
    Why the heck does information like "version of the installed software" need to be encrypted? Don't answer with one word - "privacy" - please. Explain why this privacy, in this case, is actually needed.
     
  9. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,084
    I should back up and qualify what I previously said. I did mention a non information security type context where such a tool could be useful (a machine of less importance simply not having an Internet connection). In that scenario the owner may not care whether a checker phoned home information in the clear.

    For various reasons my initial assumption would be that such software could/would communicate which specific applications, drivers, OS files, etc are on the computer... along with version information... and possibly some more information about the computer itself. Anyone receiving such information would have a fairly detailed picture of the user's software environment. Although they wouldn't (shouldn't) know how everything is configured and used, they might in some cases... if they were familiar with the vulnerabilities in software... be able to identify specific vulnerabilities and techniques which would work against that user's computer. For this reason alone such information would be considered sensitive.

    Depending on the specific context there could be other sensitive information involved. The user may use encryption software to protect their data and knowledge of the encryption software could reveal information about the encryption method they use. The user could be developing a stealth product, or testing software under NDA, or looking at a program that must be protected for some other legal reason. The user may have installed software that is associated with their particular financial institution (and a particular type of account at that institution). There could be a program on the computer which is associated with something else in the user's environment that is sensitive, such as a GUI interface to their particular security system. Things of that nature. If the machine is also for personal use, there could be programs on the machine which reveal information about the products the user owns, services they use, the user's interests and behaviors, etc which the user simply prefers to treat as sensitive because they don't want to freely share such information with those they don't know.

    IOW, it isn't just the data on a machine that can be sensitive. Information about the software on the machine can also be sensitive... when it reveals something else that is considered sensitive. A particular user, even one that is concerned about information security, might decide to share information about their software with a specific company. However, that doesn't mean they'd want it sent in the clear for intermediaries to possibly capture. Seeing it transmitted that way is enough reason to doubt the competency/intent of the company offering such a tool.
     
  10. Jaspion

    Jaspion Registered Member

    Joined:
    Nov 23, 2012
    Posts:
    195
    Location:
    Brazil
    Maybe the best thing is to know which software is installed on the machine and bring the most up-to-date installers with you.

    If there was such an offline checker, it would only indeed check and it would be very impractical for it to actually update anything, because it would have to be gigantic to have all the latest versions of all the software you might possibly find.

    Now, wouldn't a regular update checker be able to show you which versions of software are installed on the computer? You just disable its internet connection and let it show you only the versions found on the local machine (in case you are so concerned security/privacy-wise)?
     
  11. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,084
    I kind of take that approach with my own machines. I use Microsoft Update, but for my applications I periodically download their updated installers to a local network archive and update using those. I feel there is the potential for something to fall through the cracks though. I'm pickier than most out of principle and always try to stick to correct patterns for information security, but for myself I could bend that and at least try a cloud based checker to see what it finds. Then if it finds anything add what is necessary to my archive based routine. I would prefer a more generic solution, though. Something I could recommend and/or run on someone else's machine when I'm roped into helping someone.

    I'm thinking that if it were capable of analyzing everything and presenting a human friendly list (for example, telling me that portable/zipped versions of applications X, Y, and Z were found rather than just dumping a list of exe/dll files) then it would be using a local database of some kind and be the type of tool I'm inquiring about. Maybe, though, there are some checkers which fall between "online for everything" and "offline for everything". Are you aware of one?
     
  12. Jaspion

    Jaspion Registered Member

    Joined:
    Nov 23, 2012
    Posts:
    195
    Location:
    Brazil
    I have not used it a lot, and if I'm not mistaken there are some bad reviews around (when I did use it, I remember it found updated program versions above what was available from the producers, so I don't like it), but I think it could serve your needs: SUMo.

    It will list all installed programs and tell you their versions. Also, you can export the results. Just block it with a firewall (or cut the internet connection when using it) and you're done.
     
  13. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,084
    OK, I've started to take a look at using it in that way. Thanks for the suggestion.
     
  14. Romagnolo1973

    Romagnolo1973 Registered Member

    Joined:
    Feb 17, 2009
    Posts:
    518
    Location:
    Italy - Ravenna
    Please use the SUMo portable version; it is the 2nd icon (zip icon):

    http://www.kcsoftwares.com/?download

    The portable version has no crapware inside (which is needed to survive).
    It works great and, with CCleaner, is one of my favorite little tools.

    If you are used to storing all your program setups on a HD, you can try Ketarin (portable too): http://ketarin.canneverbe.com/
    It updates all the setups you have to the latest one; it is not perfect but better than nothing.
     
  15. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,084
    Thanks for the warning about bundled PUPs. I do look for that and did catch that when selecting a SUMo download. I have my own system, including some scripts, which helps me to maintain my library of updaters. It isn't all that I would like it to be, so I'll take a look at Ketarin too. Perhaps it would fit in or at least give me some ideas. So thanks for mentioning that too.
     
  16. Jaspion

    Jaspion Registered Member

    Joined:
    Nov 23, 2012
    Posts:
    195
    Location:
    Brazil
    I forgot to mention about the crapware, and forgot to give the link. But thanks a lot Romagnolo1973 for doing that.
     
  17. Romagnolo1973

    Romagnolo1973 Registered Member

    Joined:
    Feb 17, 2009
    Posts:
    518
    Location:
    Italy - Ravenna
    you are welcome :thumb:
     