Windows Update

Discussion in 'ESET NOD32 Antivirus' started by pakratt, Jun 21, 2012.

Thread Status:
Not open for further replies.
  1. pakratt

    pakratt Registered Member

    Joined:
    Aug 15, 2007
    Posts:
    30
    I have Nod32 version 5.2.9.1 installed on a Windows 7 Home Premium PC.
    On June 18 Windows Update installed "Windows Update Agent 7.67600.256." I have no idea what that is for or if it can cause problems. Anyhow, it seems since this update was installed I no longer can download Windows Updates. Error Code 80244004 Cannot search for Windows Updates. Is it possible that I need to adjust settings in Nod32? I am not computer literate so would appreciate any help.
     
  2. bwb1

    bwb1 Registered Member

    Joined:
    Mar 20, 2010
    Posts:
    113
    Location:
    UK
    I had the same but found this elsewhere and it works, but do not know if the answer will have other ramifications. Someone better than I should be able to say.

    Open ESS > Set up > Advanced > Web & Email > Web access and anti phishing > HTTP, HTTPS > in the HTTPS scanner set up tab > in the HTTPS filtering mode tab, check 'Do not use HTTPS protocol filtering'.

    This is what Microsoft say about the update agent:
    Improvements made to version 7.6.7600.256 of the Windows Update Agent

    Hardened Windows Update infrastructure so that the Windows Update client will only trust files signed by a new certificate that is used solely to protect updates to the Windows Update client.
    Strengthened the communication channel used by Windows Update Client to protect it in a similar way.
     
  3. Janus

    Janus Registered Member

    Joined:
    Jan 2, 2012
    Posts:
    588
    Location:
    Europe - Denmark .

    Last edited: Jun 22, 2012
  4. pakratt

    pakratt Registered Member

    Joined:
    Aug 15, 2007
    Posts:
    30
    Thanks for the info. I did as proposed and was able to download and install the latest Windows Update. I also wonder if in so doing I am losing protection for HTTPS website activity.
     
  5. Janus

    Janus Registered Member

    Joined:
    Jan 2, 2012
    Posts:
    588
    Location:
    Europe - Denmark .
    Hey pakratt
    Well, I have the same concern, and in that regard I found that I cannot log in to Windows live.com (Hotmail) when HTTPS protocol filtering is enabled without refreshing the website numerous times. And when I get through to my Hotmail, :D then I have to do another quick round of updating the website. That occurred after the update "Windows Update Agent 7.67600.256". Using IE9 version 9.08.112.16421 64 bit. ESET version 5.2.9.12. Windows 7 64 bit SP1.
     

  6. pakratt

    pakratt Registered Member

    Joined:
    Aug 15, 2007
    Posts:
    30
    Hi Janus

    Same here for Windows Live (Gmail). I thought it was because I had enabled under SSL/Protocol Filtering/Always scan SSL Protocol. After hitting the Send/Receive button it would attempt to download the E-Mail but would time out. I would then wait about 30 seconds and try again. Usually on the 3rd or 4th attempt it would finally download the E-Mail.
    Back to my main concern now: with "Do not use HTTPS protocol filtering" enabled, am I exposing my PC and myself to any problems, especially with my bank sites as well as other confidential sites? I really don't know the answer. Hope someone could help.
     
  7. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    And again a question that got no answer from ESET on the so-called official ESET forum. And for the record: there were several ESET mods logged on since the thread was started.
     
  8. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    I'm sorry but I'm not online 24 hours 7 days a week. It was late Friday afternoon when I spotted the issue here and I started investigating it via our support. Now it's early Saturday morning (watching Wilders' in my free time from home during weekends) and I can confirm we've reproduced the error and will start investigating it deeper immediately on Monday morning.
     
  9. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Can somebody confirm that the error occurs only for 2 Internet Explorer updates and the rest is installed fine?
     
  10. rcdailey

    rcdailey Registered Member

    Joined:
    Dec 25, 2009
    Posts:
    233
    I experienced the exact same issue testing with IE8 and XP SP3 while using NOD32 beta 6. I had recently installed the WU update, so I know I am running that version. In order to see the issue, I had to enable SSL scanning. I have had that turned off for a long time because I could see no good reason for using it since I cannot get it to work with Thunderbird.

    With SSL enabled and protocol filtering enabled, I found that the MS update site would fail. If I changed SSL scanning to the option from Always to Ask about non-visited sites, I would get the popup from NOD32 to allow the site and had to enter my master password. However, no matter how many times I allowed the site, it would fail. I eventually went back to disabling SSL scanning. Windows update worked again without any issues with SSL scanning disabled. I will try it again with SSL enabled, but protocol filtering disabled and see what happens.

    OK. With SSL scanning set to Always, I then changed the web access setting to Do not use HTTPS checking.

    With those settings, Windows Update works fine, so that is the other way to skin this cat.

    Note that if I left the setting for Protocol Filtering at default, it was set to scan only selected ports and the only port listed is 443 (a mail port). So how would or why would that affect the web? That's not on port 443. Just another configuration mystery or interaction between settings. Clearly, some of the settings do not mean exactly what they say or perhaps they do not tell the whole truth, but are true as far as they go. Perhaps it is not the web in general but only Windows (or Microsoft) Update that is affected.

    I will re-enable Protocol Filtering on Port 443 and see whether that affects access to banking, for example.

    Just checked BofA site and no problem logging in there. Checked dslreports.com and no problem with their SSL login. Tried American Express and no problem with https login there, either.

    It would appear that the problem is just with MS (or Windows) Update. However, since I kind of need that, I will probably disable either SSL or Protocol Filtering again.

    Oh, I should add that the error I get with MS (or Windows) Update site was/is a standard unable to connect type display after it starts if the SSL scan is set to Always. I believe that display probably coincides with a certificate request. That was what I saw when I set NOD32 to ask for certificates for non-visited sites (apparently MS Update is being identified as non-visited). Perhaps excluding the site would allow it to work.

    I decided to add wuaudit.exe as an excluded application to see if that works. I could not see a way to exclude the MS update site.


    Nope, that does not work. Even with wuaudit.exe excluded from protocol checking, I get this text from the page (I copied the text, not the image).

    [Error number: 0x80244004]
    The website has encountered a problem and cannot display the page you are trying to view. The options provided below might help you solve the problem.
    For self-help options:

    Frequently Asked Questions

    Find Solutions

    Windows Update Newsgroup
    For assisted support options:

    Microsoft Online Assisted Support (no-cost for Windows Update issues)


    And, YES, it is the same error code as others have seen, regardless of the fact I'm using XP and not Win 7.

    Marcos, you are probably right regarding IE updates, assuming that the updates concerned affect all currently supported versions of IE. That would be where the problem would arise, since IE is the application used to connect to MS Update. It should have occurred to me that excluding wuaudit.exe would have no effect. I'll try excluding iexplore.exe just to see what happens.

    That does no good, either, but I see that the option to exclude applications from Protocol filtering is for http and pop3 only, and not for https. So, selecting an application from the list by checking the box next to it doesn't exclude it from https protocol checking, which is a different thing. That's assuming that I am reading the menu correctly. In any case, I tried some other changes, but the only things that seem to work are to either disable SSL scanning or disable Protocol checking.
     
    Last edited: Jun 23, 2012
  11. bwb1

    bwb1 Registered Member

    Joined:
    Mar 20, 2010
    Posts:
    113
    Location:
    UK
    I was using Firefox 13.0.1 Marcos.
     
  12. pakratt

    pakratt Registered Member

    Joined:
    Aug 15, 2007
    Posts:
    30
    I have tried using SSL Scanning set to Always Scan and Do not use HTTPS Protocol checking for selected ports and Windows Updates works. I then tried changing SSL Scanning to Do not scan and to Use HTTPS Protocol checking for selected ports and Windows Updates works. However, when both are set to scan Windows Updates will not work.
    I also was able to access my bank web page with Do not use HTTPS checking enabled but does that mean that I am able to open the web page but it is not checked by ESET?
     
  13. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
  14. Janus

    Janus Registered Member

    Joined:
    Jan 2, 2012
    Posts:
    588
    Location:
    Europe - Denmark .
    Hey siljaline
    Thanks for the link, siljaline, it is most appreciated :). But unfortunately it does not offer the solution needed. And just to be sure in my case (that I had tried all solutions), I gave "FIX IT" from Microsoft a chance, but it was not able to change anything that would change the issue in a more positive direction... towards a permanent solution. So the main problem is still that when HTTPS is set to "always scan Https connections" then I am not able to use Windows Update without receiving the error shown in post 3.
    Thanks again siljaline for the input.
     
  15. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    It's an issue that ESET is looking at as Marcos said here, Janus.

    For those that were able to enable some type of work-around, ensure it does not interfere with the ability of correct anti-virus protection. From what I am reading, the root issue is with the latest Microsoft Windows Update Agent software to which I have already pointed. It is not recommended to remove the latest Windows Update Agent update, as this may render your computer unbootable!!

    Unless stated otherwise by ESET, wait for an official position by ESET on the described date.
     
  16. tommy456

    tommy456 Registered Member

    Joined:
    Jun 11, 2011
    Posts:
    137
    As this same issue with SSL/HTTPS scanning and the way in which ESET SS reads the certificates or doesn't, whichever is the case here,
    I had this on both Win XP Pro SP3 x86 and Win 7 Ultimate SP1 x86, on both o/s. But by selecting to exclude the Windows service/process SVCHOST.EXE, located: Windows/system32/svchost.exe, from protocol filtering, WUS worked without issues, as did manually searching the Microsoft.com update site and checking for updates that way.
    Does and should SVCHOST.EXE that is used by the WUS Update agent be set to be filtered? Does it even use SSL/HTTPS protocols when phoning home?
    1. o/s XP SP3 has the latest version of ESS v5 installed, 5.2.9.1

    2. o/s Win7 SP1 has the older version of ESS v5 installed, 5.0.95.0

    So the reason it is affecting WUS now could be down to one of the modules that were updated earlier on this month. This would presumably also affect the latest version, as it will use the later versions of the modules if one of those is the culprit.
     
    Last edited: Jun 24, 2012
  17. fredra

    fredra Registered Member

    Joined:
    Jul 25, 2004
    Posts:
    366
    Hi
    I find this funny :D
    I wrote to ESET and they replied that they know nothing about this error with Windows update.
    I think I will just send them a link to this thread, maybe that will remind them that there is an error. :mad:
    Cheers :D
     
  18. rcdailey

    rcdailey Registered Member

    Joined:
    Dec 25, 2009
    Posts:
    233
    So far as I can tell, all the scanning options can be turned on except that in order to allow the new Windows Update to work, there is one setting that has to be changed.

    In advanced setup, under Web and email, open Web access and antiphishing protection. Next, open HTTP, HTTPS and in the HTTP/HTTPS Scanner panel, under HTTPS scanner setup, select "Do not use HTTPS protocol checking," and click on OK. That one setting should make Windows Update work, without disabling any other feature.

    How much risk is this? I ran for a long time with all SSL scanning disabled, and nothing happened, but that was in the past and things change all the time. There is no doubt more risk now. I hope this issue with Windows Update is fixed quickly so that all scanning options can be enabled without any conflict.
     
  19. Wallaby

    Wallaby Registered Member

    Joined:
    Jan 1, 2011
    Posts:
    156
    Hope this helps
    http://www.h-online.com/security/ne...ows-Update-has-teething-troubles-1624979.html
     
  20. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    Last edited: Jun 26, 2012
  21. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Due to fundamental security-related changes made to Windows Update, its communication cannot be scanned by antivirus programs and the MS certificate has to be excluded from scanning.
     
  22. Janus

    Janus Registered Member

    Joined:
    Jan 2, 2012
    Posts:
    588
    Location:
    Europe - Denmark .
    Hey Marcos :)
    Would it not be a good idea to make your post sticky? I can easily imagine tons of questions regarding this issue on the first Tuesday of the month. It would hopefully be helpful for some looking for an explanation... Going to bed now, it is way over bedtime :D
     
  23. bwb1

    bwb1 Registered Member

    Joined:
    Mar 20, 2010
    Posts:
    113
    Location:
    UK
    Yes please, with an idiot guide (me) on how to make the exclusion!
     
  24. rcdailey

    rcdailey Registered Member

    Joined:
    Dec 25, 2009
    Posts:
    233
    I found that I could add the Windows Update certificate to the excluded certificates list by changing the setting for Protocol checking mode to "Ask about non-visited sites (exclusions can be set)." I also checked the box "Apply created exceptions based on certificates."

    Once I had done that I opened the SSL, Certificates, Trusted Certificates list and made sure to remove the one for Windows Update (or Microsoft Update).

    After this, I ran Windows Update and when Eset NOD32 asked what to do with the certificate, I clicked on "Exclude." That fixed things so that Protocol checking works without stopping Windows Update.

    Finally, I reset the Protocol checking mode to "Always scan SSL protocol." All I needed the "Ask" setting for was to add the Windows Update certificate.
     
  25. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    When switching the SSL scanner to "Always scan SSL" mode, make sure to leave the "Apply created exceptions based on certificates" box checked so that the communication utilizing the excluded MS certificate is not scanned.
    I assume that it will be possible to address this issue via a module update.
     