Strange Behavior When Updating MSE Defs

Topic

New Reply

I manually did a definition update on MSE this AM, as is my wont, and was surprised to see the familiar, “Do you want this program to change your computer” box pop up!

This has never happened when updating before, and I have touched NOTHING in the user control settings.

Did a scan with Malwarebytes AND a quick one with MSE, nothing came up.

Details:
Definition Update for Microsoft Security Essentials – KB 2310138 (Definition 1.291.82.0)
Installation date: ‎3/‎22/‎2019 1:04 PM
Installation status: Successful
Update type: Recommended

Now, the definition before that one was a whopping 70MB:
Definition Update for Microsoft Security Essentials – KB2310138 (Definition 1.289.1745.0)
Installation date: ‎3/‎21/‎2019 3:11 PM
Installation status: Successful
Update type: Recommended

Everything went normally on the next MSE manual update:
Definition Update for Microsoft Security Essentials – KB2310138 (Definition 1.291.105.0)
Installation date: ‎3/‎22/‎2019 4:38 PM
Installation status: Successful
Update type: Recommended

Cosmic Rays? EMI? Weird.

Win7 Pro SP1 64-bit, Dell Latitude E6330 ("The Tank"), Intel CORE i5 "Ivy Bridge", 12GB RAM, Group "0Patch", Multiple Air-Gapped backup drives in different locations. Linux Mint Newbie
--
"The more kinks you put in the plumbing, the easier it is to stop up the pipes." -Scotty

Reply | Quote

Replies

It appears that manual definition updates for MSE need to be run as administrator, so it ought to give you the UAC prompt when you install them.

If it hasn’t given you the prompt before for a manual update before, maybe that was done from an administrator-level account, rather than a user-level account, or there have been some other change to the privilege level?

Reply | Quote

From the log file MpSigStub, on this mornings run, the engine itself updated from 1.1.15700.9 to 1.1.15800.1

I do not recall answering a permission prompt, but I might have approved without thinking. Could have been a insufficiently caffeinated.

Reply | Quote

The information above relates to manual updates, not to automatically installed updates

Reply | Quote

Yes, I did read that. Not sure how that changes the information I added. I thought pointing out the log might give NtDbD more information.

Installing a new engine could trigger a changes to system dialog box for permission, even in an administrator’s account. I regret that I did not pay enough attention to the mundane task myself. I could easily have clicked through without giving it the attention it deserved.

I had performed the task by request through the MSE display by clicking on “Update now”. Not manually by command line, but still not a scheduled task. I think all updates are logged in MpSigStub, whether by schedule, WU, or through MSE itself. Probably if invoked from CLI, too.

Since I did not use Windows Update, I was not informed of the file size. I do not know a source for that information after the fact. But again I would expect a new engine might account for at least a part of the 70MB that surprised NtDbD. Because we may not have hit the server at the same time, I cannot tell from my log if the 70MB was associated with the engine, the signatures marked 289, or the 291s. Each of these actions are entered separately in the log. NTDBD could consult his log and determine which download included the engine. (from the OP the 289 was 70MB, the 291s were smaller)

Reply | Quote

anonymous wrote:

I had performed the task by request through the MSE display by clicking on “Update now”.

The article on manual updating that I linked above explains that it relates to downloading the updates and installing them manually – it’s not related to clicking “Update Now”.

The log is a good resource to point out, thank you.

Reply | Quote

Kirstty: NTDBD here….no change in the privilege level…and the second time  did it manually too. And am running at User level….was always taught to do that and bump it up as needed.

Just more grist for the puzzle mill. I think this thing is haunted.

Reply | Quote

Checked the logs, and sure enough, the pop-up “permission box” only occurred after the 70 MB monster. It was either:

Definition Update for Microsoft Security Essentials – KB2310138 (Definition 1.291.82.0)

-OR-

Definition Update for Microsoft Security Essentials – KB2310138 (Definition 1.289.1745.0)

It was one or the other..have been REAL busy today and gotten somewhat distracted…someone I know MAY be on that Viking cruise ship that lost it’s power today, and have been nailed to that story…anyway, have done manual updates twice since and no pop-up permission box.  Either one must have done some serious updating to the engine modules.

Thanks, all!

Win7 Pro SP1 64-bit, Dell Latitude E6330 ("The Tank"), Intel CORE i5 "Ivy Bridge", 12GB RAM, Group "0Patch", Multiple Air-Gapped backup drives in different locations. Linux Mint Newbie
--
"The more kinks you put in the plumbing, the easier it is to stop up the pipes." -Scotty

Reply | Quote