The case for not updating Windows 7. Ever.

Topic

New Reply

When I wrote in InfoWorld about the Windows 7 and 8.1 “patchocalypse” – last month’s abrupt change in the way Microsoft patches Win7 and 8.1 – I descr
[See the full post at: The case for not updating Windows 7. Ever.]

Reply | Quote

Replies

Though I hugely respect Canadian Tech’s contributions on this site, I don’t agree with this logic at all (unless I haven’t understood correctly, which is very possible).
1. “It now appears that B is an impractical strategy for 99% of users. And, here is the reason why: When an error is made in a security-only update, if the error turns out not to have a security affect, it may be corrected in a non-security update.”
As a non-techie I find B entirely practical until such time as it is not. Basing a recommendation on what might happen in the future rather than what is happening now (especially in this state of flux) seems to be jumping the gun and the “99%” is merely an assertion.
2. “So, as things have evolved, it looks like the vast majority have really only two choices: A as described above or C (modified as described above).”
I disagree entirely. The recommendation appears to be that you should abandon group B because you might miss a month of updates. Let’s say Group B has 100 security updates spread evenly over the next 10 months. That means that because you might miss a month (and therefore 10 out of 100 security updates) that it is reasonable to choose Group C instead. So zero updates is better than 90 updates out of 100?

Reply | Quote

I don’t understand how the Group B approach can be so easily discounted. I can always jump to Group A from Group B if the need arises due to some very important bug that only a Cumulative Update Patch can resolve.

We all know that Group B requires diligence to install the monthly security only update and to stay abreast of breaking issues. If an individual is unwilling to take on those responsibilities because they are too onerous or confusing then they shouldn’t opt for Group B.

Reply | Quote

@Woody,

OK…at least we now have an official Woody “qualified” case for Group C. Thank You for that.

And I understand the slight conflicted position you are in even thinking about encouraging a group C membership…Now, 2 issues in your post…

“NOTE well, that Security-only updates are NOT cumulative. Which means if you miss a month, you may never get the missed updates.”

I don’t know if that’s true. From my understanding of this…there are two ways, as of right now, that one can apparently go back to get all the Security Only updates.

1- make note of the KB number of each Security Only update each month, write it down in a notebook, spreadsheet, whatever…and come May 2017, or 2018, or whenever, go to the catalogue, put in each KB number and download all the necessary Security Only updates.

2- Download the Security Only updates each month, as they are released, and keep them in a doomsday folder on your desktop until, or if, they are needed.

Now, a caveat for method #1…I have to assume that MS will allow all Security Only updates to remain in the catalogue, ad infinitum.
That said, I don’t know if MS can be trusted to keep all Security Only updates in their catalogue that are 12-24 months old.

I mean, I can’t imagine MS making 6-12 month old Security Only updates disappear from the catalogue, forcing a Group C user– (who is trying to get into Group B)–into a reluctant Group A. Microsoft would never be so cynical and sneaky to do something like that to loyal users. So method #2 seems to be the safest way; grab the Security Only update each month, from the catalogue, as it is released and store it on your machine

“The good news is that if you follow the modified C strategy, you have a way back to the Microsoft way, that is easy to implement.”

I guess I’ll be fighting a losing battle about whether moving from group C to Group A is going to be “easy”. Everyone here KNOWS nothing is easy with Microsoft. I am not going to beat this dead horse, so I’ll say this for the last time.

If two years down the road some Group C users are panicked into moving into Group A, the monthly Rollup that is supposed to get users “all caught up” with “every patch from the beginning that MS deems appropriate”, the user is going to get the Kitchen Sink.

And anyone that thinks INSTALLING every security, non-security, optional, unchecked, checked, .NET, Office patches going back to when you purchased your machine and/or when your OS was released, is going to be “easy”, think again. Clicking is easy, INSTALLING, not so easy.

No one has attempted to play ‘catch up” with a 12-24 month lag in updates via an all encompassing “Rollup”. It really is an injustice to call it an easy fix and may well give people a false sense of security.

Just my 2 cents.

Reply | Quote

Woody…… don’t know if I’m being naive here…… but everything is a gamble most of the time in life……. and this updating is certainly becoming one, if it hasn’t already.

So I’m thinking surely if there are going to be any bugs in future Security Only updates…. these will become evident before you give the go ahead (say the 3 weeks after Patch Tuesday) so that we in Group B would be aware and possibly be able to avoid any problems by not installing the ‘buggy’ patch, and probably then re-deciding our future…….. or have someone (abbodi comes to mind) who would be kind enough to provide something to prevent/fix the issue ??? Would this be another possibility ??

I know all this is weighing on your conscience in so far as being someone giving advice and help to so many of us……… but you know we are the ones who are taking responsibility and making our own decisions….. so really the buck stops with US – not you! So in that regard please Woody rest easy!!

Unfortunately as in life……. we don’t know what’s around the corner and we have to have a certain confidence and trust in ourselves to judge what is the best way to navigate through all this.
The future is not a given……. and things change from day to day…….. hour to hour, minute to minute….. I think we all know this.

So guess what I’m trying to say is….. why don’t we just play it by ear as it comes….. at least for those who want to…. don’t think we will ever have a time where the so called ‘rules’ or ‘playing fields’ are going to be set in concrete. They are going to be ‘fluid’ ….. changing all the time……… so perhaps we need
to be too! Just my 2 bits! LT

“If your ship doesn’t come in, swim out to it.” – Jonathan Winters

Reply | Quote

It feels downright weird to hop off the update tram. Conversely, it is irresponsible to remain blind to the changes at Microsoft.

The probability is, IMO rising that Microsoft is going to screw up Windows 7 or 8 either a) by not doing good work and not testing it thoroughly or b) intentionally.

The probability that something could be discovered by the bad people of the world that will result in a latent deficiency (that is already there) becoming exploited and thus much more dangerous is ALSO non-zero.

Right now we are in a kind of a Good Place w/regard to updating the older operating systems… The new “cumulative” update strategy is brand new, and Microsoft I’m sure would rather avoid Really Bad Press coverage of the switch, and no doubt are spending more effort to make sure . So Woody, your current move to a Windows Update Defcon 4 recommendation is right. Very right.

But that’s not going to keep. We see how it is going with Microsoft: They are getting worse at engineering Windows.

Right now I have a Win 7 system functioning primarily as a server, which hasn’t had a Windows Update since May. It’s 100% reliable at what it does, and it’s not used interactively nor does it get any new software. If it works, I don’t fix it.

I also have a Win 8.1 system which I use continuously to engineer software and run my business. A few weeks ago I went through the process of vetting and testing (in a virtual machine first) the November “Group A” updates, and while it got no updates at all for a long while (July to November), it’s now FULLY up to date. Lo and behold (knocking on wood, crossing fingers and toes) it’s still fully functional, and has been running a solid week now with no faults I can see. And yes, I had to disable the DiagTrack service because of added telemetry.

Nothing says that “Group Anything” has to update every month, and re-evaluation is ALWAYS possible. You can always choose to research/test/insdtall updates at a time that’s good for YOU, when your risk is mitigated, and when you’re prepared with backups, time, knowledge, etc. to deal with eventual problems.

Trust in YOUR ability to make good decisions with the newest information available at the time.

-Noel

Reply | Quote

In the thread below about the Malwarebytes problem, poohsticks wrote:

“Another thing I could possibly do is have an airgap, keeping my files and whatever on one computer that is never again connected to the internet, and using a different computer that doesn’t have much else on it to connect to the internet.”

I have been doing this for over twenty years, and it has saved my bacon several times, especially in the days before Win7 when exposure to the Internet gradually ruined the OS. Still, if you are moving files from one computer to the other, you are potentially exposed to some extent.

Reply | Quote

I personally have decided to go with group A. The reason for this is that Microsoft is just one piece of sand on the beach full of cyber spying companies out there. I elect to keep a couple of good backup images handy and if a bad update comes my way and things get dicey, it takes about 15 minutes fix. Granted, Microsoft isn’t the most upfront bunch of people out there, but there are worse and some we don’t even know about. As far as bad updates and messing things up, well my printer software messed everything up last week and I had to do it over and other software occasionally does too. Windows is much more complicated to fix, but all software regardless if its an operating system or a ten dollar game is going to have bugs. Technology is not perfect and I just try to deal with an open mind day to day or it would drive me crazy. If I see a way to turn off a setting or change something to decrease the amount of spying without sacrificing security, I will. These are just my thoughts on the whole thing and by no means a recommendation. To each his own.

Steve

Reply | Quote

Tremendous insight.

Reply | Quote

Amen!

Win10 22H2 Pro, MBAM Premium, Firefox, OpenOffice, Sumatra PDF.

Reply | Quote

That brings up the question of the level of bugginess. For lack of a better term.

I would submit that, while MS16-087 has severe bugs, most users are better off installing the security patch and figuring out how to deal with the consequences. I think it’s unconscionable that Microsoft has issued a non-security fix in a Win7 (and 8.1) Monthly Rollup, and in Win10 cumulative updates, but not in a Security-only patch. I hope they see the error of their ways and continue to support Group B.

But the problem’s obscure enough that I doubt they ever will. It’s very hard to explain even to people who understand Windows and its updating foibles. For the average Josephine in the street, it’s far too complex.

Microsoft is killing its own product. I hate to be witnessing the process.

Reply | Quote

What you say may well come true. We (which is to say, I) have no experience with moving from Group C to Group B, much less Group A.

When I get the web site worked out, I intend to come up with a list of links to the monthly Security-only updates, so people will be able to refer to one list without much fear. I think it’s highly unlikely Microsoft will ever pull the individual updates.

But, hey, we’re talkin’ Microsoft here…

Reply | Quote

I agree completely – and think that Group B is still the best choice for folks who are willing to manually install monthly Security-only patches.

Reply | Quote

Good points.

Reply | Quote

That’s a perfectly reasonable – and well-considered – approach.

I regularly use my Chromebook, realizing full well that Google’s looking over my shoulder. And I use Win10 on all of my production machines.

That said, I certainly respect Win7 and 8.1 owners who don’t want the snooping. They didn’t buy Win7 or 8.1 in anticipation of being snooped, and they aren’t being compensated for their loss of privacy.

Reply | Quote

Well that reassures me about going ahead in Group B and updating the Monthly Security updates plus the .NET and Office 2007 ones……. at least for the present… and should any ‘buggy’ ones appear…. then those can be dealt with when the time comes….. depending on what happens…. Of course backups and Images saved would also be a very necessary and important part of one’s thinking. So good luck to us all I say! LT

Reply | Quote

[Woody, this may be TL;DR. Please edit & delete where & what you will, or even not approve this post. Sorry to add to your workload. 🙁 ]

I consider myself a “Power User +,” i.e. I’ve been building & maintaining my own Microsoft MS-DOS & Windows PCs for over 30 years. I got my MCSE (NT 4.0) and A+ hardware certs in 1998, though I haven’t kept up with them. I am the “fam & friends IT guy.” I built and maintained some small biz networks, from Win 3.11 P2P to NT. While my PC hardware & Windows software knowledge is (was?) fairly extensive, it is far, far from encyclopedic.

For my own personal PCs, and what I have recommended to others, I have used MS-DOS, Win 3.1, Win 95, Win 98SE, Win XP, and Win 7. All, many of us might acknowledge, pretty stable OSes. I also did the free upgrade to Win 10 on a 2009 laptop, just so I could play with/keep up with current Windows technology. I have zero experience with Linux and very little with Mac OSes. I like to build and run pretty clean machines, with not much frippery.

As far as the interweb goes, I started in 1994 with Mozilla, then Netscape Navigator, then moved on to IE and stayed there for many years, only moving to Chrome about a year and a half ago. I’m considering installing Firefox as well. I stopped using IE the minute I moved to Chrome and haven’t looked back. I’ve always used what I researched and considered to be the strongest AV & Anti-Malware/Spyware products for the then current times. I used and was very happy with MSE for years. I am a *strong* proponent of individual and group privacy.

Fast-forward to when Win 10 was announced and that [garbled] from M$ chirping about Windows as a “service.” As soon as I heard/saw that M$ was going to be shoving Win 10 down our collective throats via the GWX debacle, I luckily found Josh Mayfield’s GWX Control Panel.

Soon after, I thankfully found your excellent site and have been visiting here daily, usually very early in the day and sometimes several times daily. I can’t thank you and the quality contributors here enough.

Having said all that (whew!), I was firmly in the “Group B” camp after I carefully read yours and others’ articles about the inbound patchocalypse. I patched up on 8/15/16, I think it was, turned WU to “Never,” and bunkered in, only patching up the security-only updates when the coast was clear and your DefCon was 3.

However, after the last several weeks of reading articles here and elsewhere, I decided to hang my head in futility, give in, and join Group A. I installed the November Security Quality Rollup (KB3197868). 🙁 I use MBAM Premium, but thankfully wasn’t affected by the digital signature bug. I turned my WU back to Never and will periodically check to see what updates come up and install them when it seems prudent/necessary to do so.

It’s really very unlike my personality to give in like this, but I just don’t have the time or energy to keep jumping through all these hoops and acting like a flea on a hot skillet, but I truly believe M$ will, maybe sooner than later, find a way to subvert the Group B’ers. 🙁

Reply | Quote

Well said and I agree. I think that with today’s aggressive marketing strategy combined with advances in technology that Windows has fallen victim. I can’t buy a roll of toilet paper without someone calling me for a survey and my phone rings all day long with this stuff. At times I feel like we’re trying to put out a forest fire with a garden hose.

Reply | Quote

Even though Canadian Tech has recommended only Group A and Group C, I am sticking with Group B at this point, with an option to be selectively in Group C depending on the situation each month.

If a certain month’s security update is found to cause problems for me, then I won’t install that month’s update (or remove it if it has been installed). I will deal with the consequences myself if need to.

I will never go to Group A myself, especially with the knowledge that Microsoft is going to add back the old updates (including the “bad” updates) to the “quality rollup” starting in 2017. If that means missing any number of security updates, so be it.

Reply | Quote

I support louis’ “two ways”. In particular, I had already invented (for my own use) his method #2, namely download each month’s Security-Only dot-msu file, and squirrel that away somewhere (with the benefit of local backups).

I also acknowledge Canadian Tech’s method of getting (sometime in future) from Group C to Group A: it is certainly easy to describe — very important–, and is easy to carry out, and meets thst requirement. It may not be painless at that future time, but it does seem to be easy to do.

Myself personally, I imagine (in a “Great Internet Catastrophe” situation) wanting to go from Group C/W to Group B (but not to Group A). I think that louis’ schemes (for myself, I choose #2) would work for that, at no more cost in run-time or mental effort than doing the Security-Only updates month-by-month in the interim. And louis’ schemes avoid the risk that a monthly security update introduces a bad non-security bug, which you can’t get rid of without going then to Group A.

I congratulate louis for describing these “Group C” schemes.

Reply | Quote

I do not understand the statement of Canadian Techs, that if you are a Group W, you would need to switch from MSE browser, as you would not get MSE updates. These MSE updates still would be available from Windows Update (and they exclusively could still be downloaded in this manner), though this would technically mea you are not a pure W person. Am I missing something here?

Reply | Quote

I’m with Canadian Tech here, and for the reasons outlined. Even if I have time, patience, and sanity to apply updates, it seems almost inevitable that M$ will simply decline to offer fixes to problems, and that there will be features I find desirable in the rollup updates that were part and parcel of my reason for owning my copy of 8.1 in the first place. And in any event, Windows is currently my secondary OS, with Mac being my first (I am prevented from switching fully to Windows essentially because of these update antics and telemetry). If I do head back to Windows full-time I am going to work out how to defeat telemetry because I really can’t see any other way forward. I won’t know just how pure Microsoft’s intentions are towards the privacy of their customers until I properly audit it, but my hopes are not up.

TL;DR: there is a reason security-only updates only appear in the Windows Update Catalog. 🙂

Reply | Quote

“Microsoft is killing its own product.” Prophetic, Woody. That really says it all.

I too hate to be witnessing this. I have been a huge advocate for Microsoft since the 80’s. Every one who knows me knows that I would enter a discussion defending Microsoft to the hilt.

Today, I see a major company with a reputation in tatters. In the midst of a strategy that amounts to self-immolation.

It is truly sad to see.

My greatest concern is over all the people who I have encouraged to spend their hard earned money to buy a computer which depended completely on Windows being viable, usable product. Those investments are crumbling before our eyes. I am embarrassed and angry to see what post Gates management has done to this once wonderful company.

The Achilles’ heel of my recommendations was the assumption that Windows would continue to be viable and usable over the life of their investment. That was a mistake.

Reply | Quote

I have put most of the “average” Users I deal with in Group A. They will not/cannot take responsibility for their computers if updates are left on manual. They deal with the Internet, e-mail, file transfer, etc in irresponsible ways. Therefore, IMO they are better off being patched (Group A) than not at all(Group W). They are NOT Group B material.

My computers have always been on “Search but let me choose whether to download and install.” I have also left “Give me Recommended” checked, feeling that I did not need many of the updates offered but in the worst case they were just excess baggage. I have had no serious problems with this approach… until GWX.

During the GWX campaign I hid patches associated with compatibility, telemetry, upgrade, and Win Update Client (list enumerated on AskWoody several times in the past). After GWX ended, I unhid all the patches. Most disappeared (superseded, no longer valid). I still hide a few – I will NOT install KB2952664, KB3021917, KB3068708, KB3080149, KB8050513, and KB3184143.

Otherwise, I have gone back to my original method, being sure to check on the contents of the updates first, through October (including the October Security Monthly Quality Rollup). And, of course, following Woody’s DEFCON, delaying long enough to be sure the patches were not causing problems. Sort of Group A, but not completely.

Looking at the November patches, I see that telemetry (or more of it) is being added to the Monthly Rollup. And as all the previous updates get included by 2017, I see that the ones I have chosen to hide will then be forced on me. Yet I am not ready to give up security fixes and move to Group W.

For now, I will cautiously move to Group B, downloading from the Catalog and installing the security-only updates manually. I did this with the November security-only update. In Windows Update, I UNCHECKED the Monthly Rollup (it will always show up anyway b/c it supersedes the security-only) and installed the updates for other things like Office, .NET, etc. I do not want to hide the Monthly Rollup each month (it will be superseded by the next month’s), so I will simply UNCHECK it each time to avoid installation.

For now, I will remain in Group B, each month taking the time to check on the contents of the security-only update and waiting on DEFCON to be sure the updates are vetted. I do not want MS’s snooping (Group A), but I am not ready (YET) to forego all patching for Windows (Group W).

After Windows 7/8.1 goes, there will NOT be a Windows 10 (or other MS product) for me.

Reply | Quote

I need to add one more note. My expectation is that there is little likelihood of people moving from C (I prefer to call it W) to A.

While it is possible a bad situation could rear its ugly head and show potential to damage millions of unpatched computers, I believe it is very unlikely. To put it another way, the risk is not large.

I cannot discount the hundreds of PCs I have seen that have never seen an update. PCs that people bought and never turned WU on to begin with. Or ones that encountered a WU problem and the owner never paid attention to it.

Yet I have never seen a PC that had been hacked truly. I have seen badly infected ones that most of the time were cleaned up with the use of some cleaning tools and a good AV. In some cases, I re-installed systems that were so badly infected that it wasn’t worth the effort to clean them. Actually I favour that idea a lot because it always results in a PC that performs amazingly well.

The strength of the group W strategy that I favour is that there is a way back, should the worst actually happen. Yes, I realize that would result in a huge batch of updates and who knows what that would do, but in all likelihood, it would be doable. The result is unlikely to be anything different than what a person would have when he bought a new computer.

Keep in mind the case of the computer that needs a new hard drive 2 years from now. Think about the update process that would take place from a Win7 install disk onwards. This is most surely going to happen.

Reply | Quote

+1 [sigh]

Reply | Quote

Sorry, I didn’t understand. Are you talking about MSE antivirus?

I don’t think you can (or would want to) download Microsoft Security Essentials updates from the Update Catalog.

Reply | Quote

Of course I’ll approve the post. You have a very valid point of view – and an interesting solution for your situation.

Reply | Quote

This is pretty much the approach I’m adopting as well. Additionally, I always keep a weekly full image so it’s not that onerous to rollback should I need to.

Because of a bad update which I have to keep hidden, I can’t go down the Group A route (shudder) even if I wanted to, as sooner or later the fault from that patch will be reintroduced and break sfc.

Reply | Quote

Isn’t 3200006 another such case?
https://support.microsoft.com/en-us/kb/3200006

Reply | Quote

Hi everyone-
I have been following this with great interest.
last security update for me was prior the “mess”.
I have chosen to sit back and watch….I fall into the category that MS has already killed the product, Win 7 and it is now just like XP. I need Win 7 for 4 programs required to run on a Win machine. so, Dual boot or keep a separate machine to run the programs ( 1 may require web access) still playing with wine…I will see.
I have a nice stable W7 machine I do not need it fouled!

My solution has been move to Linux for all web based items. So far Linux Mint (stable) and Manjro (cutting edge) has been doing just great. I tried numerous distros over the past year each has its’ issues and a steep learning curve.
If you are at all tech savvy get rid of windows and move on. If enough folks dump MS (it will not happen) they may notice, although it is obvious they do not care.
Do know that most of the younger bunch appear not to care about snooping/privacy/telemetry issues at this time, they may in the future.
I will continue to wait’n see what happens wishing everyone the best.
sitting in group E for exit
Renée

Reply | Quote

It seems to me the whole problem is caused by MS. MS is confusing general bug fixes, new features with security updates which creates chaos with users. Many users really only need the security patches and bug fixes. The new features are meh. But MS seems to push these often unwanted features as if they are security fixes.

This forces many to opt for one of two relatively unappealing options: take everything or take nothing. Taking everything means the user has added system bloat and larger attack surface with features they do not use. Taking nothing is very risky because of zero days and unpatched security problems.

Reply | Quote

That’s the core of the situation:

> most of the younger bunch appear not to care about snooping/privacy/telemetry issues at this time, they may in the future.

Although I wouldn’t subscribe it to just age, the fact is that people have become inured to the snooping. I certainly have.

Reply | Quote

It is indeed. I overlooked that one this morning. Thanks!

Reply | Quote

Some additional facts that I failed to mention above:

I DO NOT install ANY unchecked/optional updates, including previews.

As CYA, I am downloading and saving the security-only updates and the Monthly Quality Rollups each month (just in case MS removes them).

I make an image of my computers once a month – right before patch Tues.

Reply | Quote

October 2016 Cumulative Rollup (Group A) gave me 2 incidents of BSD, 2 separate times. Had to do a Restore to fix it.

I went with (Group B) for November 2016, so far so good.

I run Norton 360’s paid version, also run the paid version MalwareBytes and the freebie Spybot Search and Destroy and the freebie SpyBlaster and Secunia PSI.

I also read the PC techie side of the gaming forums.

The more advanced gamer guys seem to have a pretty good handle on what’s going on.

Also subscribe to the magazine MaximumPC.

I wish the one game / flight sim I like to play would quit using Windows, but not likely that will happen and they are based out of Moscow, Russia.

AND >>> I stay tuned with your forum, here!!

Reply | Quote

If Firefox/Chrome were more secure than Internet Explorer, how comes that computers of users running Firefox/Chrome are also infected with malware? Maybe it’s not the Web browser, but the user who downloads and installs crap?

Reply | Quote

Interesting! And scary. I haven’t seen that reported elsewhere, but I’ll keep my eyes open.

Thanks.

Reply | Quote

I did not refer to or ever heard of an MSE browser. I am referring here specifically to Internet Explorer currently in version 11.

Reply | Quote

Woody, according to the trusted Windows powers that be (you included), it’s All or NOTHING
I think that Microsoft is telling us that you can’t outdo us: we will be the winner. Right or wrong?

Reply | Quote

@woody

Woody said… “When I get the web site worked out, I intend to come up with a list of links to the monthly Security-only updates, so people will be able to refer to one list without much fear.”

… And that’s why I will be a Patreon supporter of http://www.askwoody.com !

My go-to site for information on Microsoft Windows updating shenanigans.

Please support this site everybody.

Reply | Quote

Eric, let me ask you a question. What would you recommend to your dad/mom/sister/brother/uncle?

That is my dilemma. These are not people who would be interested in or capable of “stay abreast of breaking issues.”

I certainly do not wish to discount B as a viable strategy for you and many others. I am concerned about looking after the average Joe/Jane. For them B is just not feasible.

Reply | Quote

Woody, you say: “If Microsoft breaks something in a Security-only patch, they need to fix it in a Security-only patch. Otherwise, those who only install Security-only patches are going to end up with bug-infested systems.”

I would rather think that Microsoft keeps fixing the security holes in the security updates, but not the functional bugs. I think this is the same with what abbodi said not long ago in another thread.
So people who religiously belong to Group B would not end with non-secure systems, but rather functionally broken systems, maybe not so badly, but still broken to some extent.

Reply | Quote

No. The November 2016 security-only update also supersedes this one. See http://www.catalog.update.microsoft.com/ScopedViewInline.aspx?updateid=fbf7eca2-6688-419f-b187-26d41c6b603f.

Reply | Quote

I have been using Microsoft operating systems since before Windows was first released. I was reasonably happy with Windows 7, but had been planning to upgrade to Windows 10 in the hope that it might improve security and performance while removing the poor UI features that were introduced in Windows 8.

However, once all the restrictions, snooping, forced updates and MS’s aggressive strategy to force Windows 10 upon everyone became apparent, I decided that I would stay with Windows 7.

After spending many months trying to make sure that MS didn’t sneak any of their nefarious ‘features’ onto my PC, while trying to also keep it secure, I started wondering if it was worth all the effort. There was one photo editing application that I had spent several hundred pounds on buying and upgrading that I would be sorry to lose; but when MS announced that we would no longer be able to download and apply individual updates I decided enough was enough.

I have now replaced Windows 7 on my last PC with Linux, so all my machines are now running Linux Mint. I am lucky in that, before I retired, I had worked for many years as a software developer on Unix and Linux systems, so the transition is quite easy for me.

Having since seen the lengths that people are having to go to in order to try to maintain control of their PCs (as amply demonstrated here on Ask Woody), I don’t regret my decision at all.

One thing is for sure, due to MS’s behaviour over the last year or so, I will never, ever buy any MS operating system, application, game or hardware ever again!

Reply | Quote

If we shifted the focus from avoiding *telemetry updates* to avoiding *telemetry*, then Group B (I’m one of them) would disappear and the whole mess would simplify into just two groups, take ALL updates (Group A) and take NO updates (Group C/W).

I’m considering moving to Group A if I can succeed in blocking telemetry in other ways. (In Windows 8.1), turning of the DiagTrack service and blocking a few domains in my routers “Access Restrictions” seems a workable solution ATM.

If I can find a definitive list of telemetry domains, that is. The lists I’ve found so far don’t seem well thought out, containing plenty of domains completely unrelated to telemetry.

Reply | Quote

By Jove, you’re right!

The bug in KB 3200006 was fixed in the Security-only update KB3197867.

So we’re back to just one example, so far.

Reply | Quote

That may well be the case – as Abbodi did mention some time ago. But if it is, the approach undermines Security-only updating.

Microsoft needs to fix bugs in Security-only patches with fixes in Security-only patches. Even if the bug doesn’t show up in the security part of the patch.

Reply | Quote

Thank you!

Now I need to get the appendage fleshed out… :0)

Reply | Quote

I am more comfortable sticking with Group B. I follow Woody’s articles and monthly research for patch recommendations. My reasoning for being in Group B is simply that I believe many in the business world implement security only patches. If my reasoning is correct, any severe problems should be addressed. Many thanks to Woody and his followers for providing valuable information for avoiding update problems.

Reply | Quote

I’m hoping that this “Security-only bug fixed in a Non-security Monthly Rollup” thing is an oversight and that Microsoft will see the error of their ways.

Microsoft isn’t a monolith, and they aren’t Lords of the Dark Side. I’m sure there are many inside Microsoft who see the problem. It just isn’t clear if they’ll prevail.

Reply | Quote

I’ve been using and working on PCs since 486 & DOS 6.22 days. Not long into the XP era, I switched to the “no updates” group. I fought off SP2 for as long as I could, but then software started requiring it. Fought off SP1 in Win7, but then same issue as XP. But never an update.
SO much less stress, and a bystander in watching the Windows update train wreck.

Reply | Quote

I was not debating what Microsoft “should” do, only commenting about the current state of things.

Reply | Quote

@Canadian Tech
I tend not to agree with you on some issues, but in this matter I think you are 100% right.
And there is one more aspect that most people don’t really understand.
Woody has an impossible task to keep up with the Group B recommendations and sooner or later he will not be able to continue to do this effectively. The Group B style of updating is meant to be used in the context of the updates being deployed with Enterprise tools like WSUS or SCCM and not by individually downloading and installing updates.
All those non-technical users who entirely depend on Woody, will find themselves without reliable support and what is left then? Exactly what you claim in your posts spread over many threads and which are the subject of this thread.
Here we may disagree as I say the default updating path should be Group A, where you say it should be Group C/W.

Reply | Quote

Looks like the ball’s in my court, eh?

Reply | Quote

If you don’t keep your operating system up to date, you can be successfully exploited while using a web browser or some other programs because of vulnerabilities in the operating system.

From “Using Kernel Exploits to Bypass Sandboxes for Fun and Profit” (https://threatpost.com/using-kernel-exploits-bypass-sandboxes-fun-and-profit-031813/77638/):
“Researchers and attackers alike are quickly discovering you don’t need a fancy Java or Flash exploit to beat application sandboxes. Exploiting an unpatched kernel vulnerability in the underlying operating system, one that’s likely to stay unpatched for a long time, will do just fine.”

Some web browsers on some Windows operating systems have ways to mitigate some of this. See ‘Thoughts on the recent “NtSetWindowLongPtr” vulnerability’ (https://labs.bromium.com/2016/11/08/thoughts-on-the-recent-ntsetwindowlongptr-vulnerability/) for more information. The last link is from a security vendor blog but its information is relevant.

Reply | Quote

+1

Reply | Quote

If you come up with a comprehensive list of domains, I’d love to see it!

Reply | Quote

Updates to existing security-only updates (if there will ever be any) hopefully will be documented at https://support.microsoft.com/en-us/kb/894199.

Reply | Quote

What is the best way for Group B users to evaluate if they are missing a security only update?

Microsoft Baseline Security Analyzer (MBSA) says I need the latest monthly rollup, even though I have all the security only updates installed on my system. That’s not helpful for Group B users.

What about Belarc Advisor? Will Belarc Advisor say which security only update I’m missing or will it only say I need the latest monthly rollup?

Reply | Quote

It’s my understanding that Belarc Advisor gets it right, but Secunia PSI does not.

I’m surprised that MBSA doesn’t get it right – but I bet they fix it soon.

Reply | Quote

But that’s only for Windows Update stuff. Security-only updates are only available from the Update Catalog, and don’t appear on that WSUS list.

Reply | Quote

They will not pull the old updates unless they are superseded and this would happen after a while.

Reply | Quote

A search of that link for “security only” (without quotes) gives 39 matches.

Reply | Quote

I agree with Richard T. I have been using Microsoft Software ever since DOS Shell, Windows 95, Windows 98, Windows XP and Windows Vista. Early next year when Microsoft stops supporting Visa I will be purchasing a new Apple Mac Book Pro. I will never purchase anything associated with Microsoft ever again.

Reply | Quote

What RichardT said except for me it’s MacOS vs Linux. I’m well into my conversion running a buffed out Mac mini side by side with my main Windows 7 PC, converting function by function at a comfortable pace. Also, I’m through with all MS s/w for ever and ever but I’m keeping my favorite MS wireless mouse in a drawer for times when I need a little more precision than my old hands can wring out of my new trackpad!

Reply | Quote

+1 🙂

Reply | Quote

Please do check back. There are lots of disgruntled Windows users with eons of experience who are looking for help with a new OS.

Reply | Quote

The most effective and powerful way customers can complain is with their pocketbooks. Tell you friends too.

Reply | Quote

Woody, I completely understand your nightmare scenario because I feel exactly the same way about recommending that my clients just stop all Windows Updates. But as the days and weeks go by and more and more of them call me to fix issues CAUSED BY the updates, it’s making it extremely difficult to resist.

Case in point….I’ve had to roll back video driver updates on many systems over the last few weeks because Microsoft insisted on replacing perfectly good drivers with ones that caused all sorts of problems. Do I REALLY need to show clients who can barely find the ON button how to run wushowhide and block hardware driver updates??

I keep thinking to myself that the odds of Windows Update causing a support call is infinitely higher than what I might see if I disabled all updates to these systems and they got hit by some obscure security loophole. But I just…can’t…pull…the…trigger…yet.

Reply | Quote

Windows 10 is even more fraught with problems for blocked patches…

Reply | Quote

Tss, tss. No you’ve upset a whole bunch of Josephines reading this thread.

Reply | Quote

And then what do you think these great power users will start installing to their friends instead of the ugly things that Microsoft will produce?

Good job on destroying a market.

I had the same feelings. Regardless that I am a bit stuck on Windows, this whole situation just prompted me to never ever buy a store App, an Xbox or anything else made by Microsoft to not be stuck in their golden cage. Also, I avoid everything Ms makes when possible like Edge or Cortana. Edge could be great. The ideas behind it are sound, but sorry, now way I am selling my privacy for that. I will keep Firefox.

If you were smarter Microsoft, you should have had everybody hop in the wagon and a few years down the road, you start your bad things after they have everything working together and being more stuck with you because they don’t want to loose all that. Now you sold your master plan too early and we won’t be part of it.

Reply | Quote

This comes from my SpyBot Anti-Beacon log file:

“Telemetry Hosts: 107 entries found in hosts file (C:WindowsSystem32driversetchosts.).”

There’s a decent place to start. 🙂

Reply | Quote

As I stated in another thread I’m going to keep fighting this Windows 7 battle until 2020 to keep my systems alive & well. By that time I will no longer NEED anything M$. As far as M$ hardware goes I’ve never spent a penny on any of it over the past 20+ years. Not even a mouse.

Like Canadian Tech advised… tell all your friends (and family) to hit M$ in the pocketbook and start boycotting all things M$.

The biggest sales season of the year begins this week!

Reply | Quote

I’m going to start a new post tomorrow on that very topic.

Reply | Quote

Yikes!

Reply | Quote

GACK! Put DOWN that brickbat!

Reply | Quote

Great. I am looking forward to that.

Reply | Quote

“So one strategy that you may wish to consider is following Group C, but still updating .net and Microsoft Office through Windows Update, but installing no Windows updates at all. It would be advisable in this case that you stop using Internet Explorer because you would not be getting those updates, but instead use an alternative browser.”

This is exactly my position. IE is disabled, no Office application, hence .net updates only are concerned here. I have not an ounce of confidence in Microsoft (when I did, blindly, until Windows 10) and I have no time to spend on practicing brain storming as whether the updates (be they security, Group B, only) are healthy or not. I don’t know if Microsoft realizes what they’ve done, the very chaotic situation they’ve created, the bother their inconsistent approach of a tomorrow-now perspective has spread all over the world.

We manage Windows 7 for the time being but once it’ll be really too old we’ll move to another OS but not, never, to Windows 10.

Reply | Quote

Hi Woody, I’m staying Group B for now. But it’s starting to sound like … “resistance is futile.”

Reply | Quote

I worked for a computer company. My job was to test and update new OS systems and subsystems for mainframes. After 21 years at that, I moved to network engineering for 10 years. Yes I am a geek, however I am also a Desktop Windows User. With the Microsoft Update Policy change, I chose Group B.

With a background such as mine, you’d probably think I’d be a shoe-in for Group A. My decision to go for Group B was purely based on the fact that W7 is in extended support. If it was not I would be in Group A.

W7/8 will not get any more feature updates and I do not require any driver updates from Microsoft. Due to the relationship that Microsoft has with its enterprise clients, most non-security patches will be aimed at them, primarily to keep their production environment stable until 2019. The security-only and Net Framework patches are all I want and need. If a security-only patch causes crashes or instability, it can be uninstalled. If Microsoft does not provide a fix in the security-only set, so be it. If they did this with a critical update, there would be hell to pay and I have enough confidence in their professionalism to not do that. Group B is the only option that allows you to skip a bad patch (the monthly offer) and install the next months patches until MS produces a fix to fix the fix.

Group C/W is not for the novice.

Reply | Quote

Personally, I think this was MS’s plan all along. They knew a lot of people would opt for Group B so they’ve deliberately created a bug in a security patch which they then fix with a non security patch, forcing people to change to Group A with it’s associated telemetry, etc.

Expect to see more of the same in the coming months, that’s my prediction. Perhaps I’m being a bit paranoid, but, after MS’s behaviour with the GWX campaign, nothing would surprise me anymore.

And, on a side note – speaking of the GWX campaign – I wonder what happened with the news from 4 months ago about several US Attorney Generals pursuing cases against MS?

http://betanews.com/2016/07/11/windows-10-lawsuits/

Haven’t heard anything since – has it all just “quietly gone away”? That also wouldn’t surprise me.

Reply | Quote

I mentioned in a reply to a different blog post a couple of weeks ago that I also have recently set up my desktop PC to dual boot Windows 7 and Linux Mint. If not for a couple of computer games that I enjoy that only work on Windows, I would have divested myself of Windows altogether.

I believe that it’s important to mention that, although I probably have above average computer skills and knowledge, I never worked in a computer-related business or industry. And I would like to disabuse people of the idea that prior software development, IT, or other PC industry work experience is required to install Linux.

There are many detailed, straight-forward, uncomplicated guides available online regarding setting up Linux on one’s PC. And although there can be the occasional complication (just like with a Windows installation/upgrade), if one is able to conduct internet searches for error messages and follow step-by-step directions, that person can troubleshoot a Linux installation.

I believe that the greatest benefit from my modest knowledge of PCs in this process was that I was less intimidated by the prospect of making this transition than perhaps other people may be who have less experience. But I would really like to encourage people who are fed up with M$’s shenanigans to consider the idea and not dismiss it out of hand. I have been thrilled with Linux and it’s such a relief not to have to worry about my PC on a daily basis.

Reply | Quote

Spybot reported 107 entries for me, as well. [Win 7 Ult x64]
The log file Manaka cites does show telemetry hosts as identified by Spybot, although just 37 (in the text file, open with Notepad). Below are the first six entries after the opening comment line (Win 10 too, apparently).

“# Start of entries inserted by Spybot Anti-Beacon for Windows 10
0.0.0.0 choice.microsoft.com
0.0.0.0 choice.microsoft.com.nstac.net
0.0.0.0 df.telemetry.microsoft.com
0.0.0.0 oca.telemetry.microsoft.com
0.0.0.0 oca.telemetry.microsoft.com.nsatc.net
0.0.0.0 redir.metaservices.microsoft.com”

I feel comfortable that the telemetry issue for me is in order, regardless of what it is “they” are trying to collect. Wouldn’t want to get in the “redir” lane!

Reply | Quote

Which is precisely why this whole thread, with all due respect to Canadian Tech, is premature and an overreaction at this time.

Reply | Quote

Yes, but the question is what M$ will do in the future. One example does not equal “the current state of things.”

Reply | Quote

Good strategy until M$ decides to push more malware–other than telemetry–at us.

Reply | Quote

@Samak,

Re: “Basing a recommendation on what might happen in the future rather than what is happening now… seems to be jumping the gun”

It is not conjecture on the part of Canadian Tech. As Woody described in his blogpost above, this has already happened with a July security patch that had a bug in it and Microsoft only fixed the bug in their Group A Rollup and not their Group B Security-Only Update.

If Microsoft is happy to do this in the first 2 months that they are running the new updating system, then they obviously are not concerned about doing it, and they will likely do it again. I do not think that Canadian Tech is jumping the gun on this particular point.

—
Re: “The recommendation appears to be that you should abandon group B because you might miss a month of updates.”

I don’t think that the possibility of missing 1 month of updates is the main reason that Canadian Tech decided to tell his large base of non-techie ‘customers’ (hundreds of individuals spread around the world who are running home computers and have no IT help, other than Canadian Tech, who helps them for free) that Group B is not the best path for them, and therefore Group C is what he recommends. I did not get that impression from what he wrote.

Reply | Quote

@Canadian Tech: Agree 100% !!!!

I have a terabyte HD which is just “waiting” for me to have it partitioned for a Mac! 🙂 🙂

Reply | Quote

@CH100,

Why will Woody not be able to keep up with his recommendations in the future?

(Other than, of course, an unfortunate bout of poor health, or death. Or maybe he will run away to a desert island to retire in peace!)

I should think that it’s not going to get harder than it already has been for him in the prior 8 months to keep up with the many changes and surprises (with Get-Win-10 and the change in the Win 7&8 updating system).

Shortly, Windows 10 will “bed in”, and the new updating system for Win 7&8 will “bed in”.

It will all become more automated and easier, once everything settles into a groove.

Or, if it doesn’t become easier, and Group B instead becomes much harder and more treacherous, Woody will have the sense to tell most people to leave Group B and go to Group A.
(And he’ll agree that a few people can go to Group C in that case, but at their own risk.)

Reply | Quote

@louis,

From your post —

[Canadian Tech wrote,] “Security-only updates are NOT cumulative. Which means if you miss a month, you may never get the missed updates.”

[You replied,] “I don’t know if that’s true. From my understanding of this…there are two ways, as of right now, that one can apparently go back to get all the Security Only updates.”

You have missed the point of Canadian Tech’s statement.
His statement is what he wrote on the Microsoft Support Forum several days ago to the hundreds of non-techie, individual, home computer users across the world whom he helps, for free.
His statement is not aimed at most of the people who frequent AskWoody.com.

An average non-techie, haphazard, imprecise home computer user is occasionally going to miss a month of Group-B-style complex updates, if indeed that sort of user EVER even undertakes the Group-B-style of updates. That person will not remember or may not even care that they missed a month here and here.
Canadian Tech was just saying that if a person like that isn’t very diligent, careful, and organized, then the Group B path does not offer them the Group-A-style of CUMULATIVE rollups to cover their occasional lapses in updating, and therefore this is an additional problem in recommending that his sort of “customers” should try Group B. Either they do Group A, or they do Group C. But Group B is just too complicated for THAT SORT of computer user.

Reply | Quote

No one has said that it would be “painless” to go from Group C to Group A. That is a given, so there isn’t an argument there to be had. I never thought that Woody and Canadian Tech were saying that it would be “painless”, only that it would be easy to initiate, easy to choose to do.

Reply | Quote

Actually, I was thinking about running for President.

Never too early to start.

Reply | Quote

Any recommendations?

Reply | Quote

Thank you Poohsticks. You understand it well.

Reply | Quote

Or more precisely, the move from W to A is possible, and theoretically clean.

Reply | Quote

@CH100

Re: “All those non-technical users who entirely depend on Woody, will find themselves without reliable support and what is left then?”

I have already written a couple of posts where I argued that Woody does not have that much responsibility for the people who choose to follow his writings and to enact certain options that he describes.

I won’t repeat those earlier posts, but I will say again that we are all adults, we undertake it all at our own risk.

If anyone reading Woody’s blog is going to be totally confused and in limbo because one day Woody’s blog might shut down and there will be no directions from Woody on how to do the same thing for the ‘n’th month in a row, then that person has no business choosing to go down the Group B path, and should go into into Group A now, and stay there.

Reply | Quote

Not nasty enough; have too much sense. Sorry, wouldn’t fly.
😛

Reply | Quote

Oops, I left a few words out.
I was trying to say that what is a “given”
is that it is _not_ going to be “painless” to go from C to A,
because any time you install a lot of updates at once, it takes time and requires restarts and that kind of thing.
Installing months and months of updates at the same time would not be painless, but moving from Group C to Group A will be easy to choose to do, easy to press the initial button and get the process started.

Reply | Quote

@Lizzytish,

Re: “surely if there are going to be any bugs in future Security Only updates…. these will become evident before you give the go ahead (say the 3 weeks after Patch Tuesday) so that we in Group B would be aware and possibly be able to avoid any problems by not installing the ‘buggy’ patch, and probably then re-deciding our future”

The thing is, this did not happen with the example that has already occurred in real life, which Woody described in the blog post.

A “security” update that was released in July, which we all installed, was found later to have a bug in it.
I don’t know how long it took them to find the bug and to tell the public about the bug. In any case, it wasn’t something that Woody would have changed the July DefCon rating for, because it happened well after July.
The fix for that bug was only released in the Group A Rollup in October or November.
The fix was not released in the Security-Only Group B Update in October or November, so the Group B people have a “security” update on their computers that has a bug in it, which Microsoft is not going to fix for Group B.

Sometimes bugs take quite a while to be found and fixed.
I think we should assume that the time it will take Microsoft to find a bug, to reveal to the public that there is a bug, and then to devise, test, and release to the general public a fix for that bug will take longer than a few weeks, most of the time.

With this July security patch’s being only fixed for Group A this autumn, Microsoft now has form about not offering a bug fix on a “security” patch for the “security-only” Group B pathway.

And it’s not just the likes of our motley crew who are in Group B — a lot of major companies and other organizations are in Group B. They must also be nervous that the bug fix for July’s security patch was not offered to them in the Security-Only Update group.

So whatever Microsoft is playing at, it doesn’t instill confidence that they are going to take good care of the Group B Security-Only people and companies. And we all know that they see us as a hassle anyway, they just want to shove us into Group A or really Windows 10 asap.

Reply | Quote

I don’t think I know enough about what you have in mind? Can you give a title or some kind of a feel for what you want to write?

Reply | Quote

Having read through a lot of these comments, it struck me that there is a mindset that updates need to be done immediately. I am Group B, but why would it be a problem to download those updates monthly, store them, as I am doing, and install them after waiting to see if there is a major flaw? And Woody is good, but there are a lot of resources to get info.

I realize that on occasion there may be a particularly pernicious flu going around and vaccination is required quickly. If that’s the case, and security-only updates are NOT cumulative, install the first relevant update to protect against it. Even if they are cumulative, so what, I’m protected. Then back to delayed updating.

I agree that for the casual user the security all-wonderful rollup is best.

But abandon Group B protocols? Nah. If I stay 2 or 3 updates behind, and subsequently find a non-security patch required for a security-only flaw, and that security-only update had no serious consequences, just uninstall it, and go on with your life one update short. So what? I’ve been doing it for years without serious consequence.

Here’s the funny thing. Up until a year ago I ran XP, and I ran W2K Pro until about 2011. I’ve always done updates manually, I’ve skipped hundreds, and my up-time for those machines is near 98%, that’s conservative. So my question is, how important are all those updates, really?
I’ve often felt that all those updates meant 1) MS is incredibly incompetent, or 2) they make you think you need them to keep you coming back.

Reply | Quote

+1
As a home-user/self-taught tech nerd, I’m comforted knowing I’m in good company with this approach.

Reply | Quote

@Manaka,
I appreciate your describing your background, your decisions along the way, your experiences.
I agree with your prediction in the last sentence. I wish I didn’t.

Reply | Quote

FWIW
From security columnist Roger Grimes:

A handful of applications (Java, Adobe Acrobat, Flash, Internet Explorer) account for almost all risk.

In fact, OS patching is now so good that malware writers and hackers almost never target OS vulnerabilities. Instead, they target popular third-party apps or rely on tricking users to run Trojans.

http://www.infoworld.com/article/3025807/security/why-patching-is-still-a-problem-and-how-to-fix-it.html NB: the second sentence seems to have been edited out of the most recent version of the article. Presumably the original version is available via Internet Archive.

from Michael Horowitz at Computerworld:

Personally, I trust Microsoft less than I am scared of bad guys hacking my Windows 7 computers.

http://www.computerworld.com/article/3129257/windows-pcs/taking-a-break-from-windows-update.html

Reply | Quote

@Daubie,

Re: “The more advanced gamer guys seem to have a pretty good handle on what’s going on.”

What path are most of them going down – Group B?

Reply | Quote

Grimes knows security inside and out.

Horowitz is a great guy – and I share his caution!

Reply | Quote

If you were in the market for a new computer in the next few weeks, what would you buy?

If your best friend were in the market, what would you recommend to them?

Reply | Quote

All of that is true, but on the flipside…

If the bug were bad enough, we would’ve known fairly quickly. This particular bug isn’t all that common.

Reply | Quote

@wdburt1,

I don’t think the thread is premature or an over-reaction — for 2 reasons.

I. I am really glad we are talking about this as its own topic (with a dedicated blogpost and thread).

I’m glad to hear the views and decisions of everyone who has offered them.

I respect everyone’s knowledge and viewpoints, and it’s helping me to shape my own B-or-C decision.

—
II. Canadian Tech’s statement was written for his ‘clients’ — a couple hundred non-techie, home users around the world who rely on him to be their IT-person (for free).

He posted it on an existing thread of his (that has over 50 “likes”) at the Microsoft Support Forum.

Canadian Tech did not write it for the AskWoody.com crowd.

However, yesterday he brought Woody’s attention to this statement, when other people were asking Woody to give us his analysis and tips about the Group C pathway.
Canadian Tech mentioned to Woody that this is the conclusion that he has come to, to be in favor of the Group C pathway, for ordinary computer owners like his ‘clients’.
Woody said that he might post it verbatim, to get the discussion going.

For Canadian Tech’s ‘clients’, it is not premature to get them on a particular path now, to get them trained about what to do: It’s actually 2 months into the new updating system, so it’s high time to get people like that sorted out with a plan that they can understand and follow.

Reply | Quote

Were those video driver updates optional choices via Windows Update which mainly Group A people were vulnerable to, or were they pushed out to Group B in the Security-Only Update?

Reply | Quote

Go for it!
Make America Woody Again.

Reply | Quote

@poohsticks

Woody actually understands better than almost anyone else how much trouble is to keep up with the recommendations for Group B users.
I actually agree with you that:
“Or, if it doesn’t become easier, and Group B instead becomes much harder and more treacherous, Woody will have the sense to tell most people to leave Group B and go to Group A.”

You may have the right approach and feel “that Woody does not have that much responsibility for the people who choose to follow his writings and to enact certain options that he describes.”
However I feel that the current culture encourages quite the opposite. A lot of people find easier to lay blame on someone else than to take responsibility or at least to take some form of action.

Reply | Quote

That’s a very good question.

Let me start with “best friend”, which to me means my clients. I would make absolutely sure they understood what Windows 10 is and is not. Some may not care a bit about the downsides that worry most people I know. I would explain that Win10 is like a Good Housekeeping magazine on steroids, complete with as much spyware as you could imagine.

I would also try my best to explain Apple. If pressed, I would likely tell them that Apple is likely as intrusive as MS is trying to be, but much more refined about it. The biggest reason to consider Apple is that they are predictable and because they are customer focused.

Chromebook is a possibility, but I am not familiar with it at all. It likely is at least as spyware equipped as the others but at least it is cheaper.

If pressed hard, I would recommend Apple and if pressed really hard, would recommend they not touch anything made by Microsoft. They have proven to be a bad actor. One that cannot be trusted to provide a quality product that will last.

Depending on who they are and what they need, I would encourage the use of a pad of some sort or better yet a smart phone.

I would also recommend they consider one of those “refurb” Windows 7 systems. But, I would explain the downsides of that alternative.

For me, I have retail licences for Windows 7. I would install Windows in them. I have a brand new system I just built less than a year ago. I did a complete re-install in September and have an image of that. I also have a 2nd backup computer that can be ready to be in place in a few hours. I expect to keep this Windows 7 system running for as long as I am capable of using a computer.

In almost all cases, I would repair, re-build and re-install my client’s computers. Over the past year or so, I made sure they are all equipped with equipment that is good till at least 2020. I have a database with all of their product keys. I am equipped with all the stuff I need to re-install.

I expect the PC repair business is about to have a good time.

I expect most every one I know will follow W indefinitely. Which in an odd kind of way means January 2020 is a meaningless date.

Reply | Quote

As for my experience:

Last month I didn’t want to be in the market for a new computer, because my problematic Lenovo is still running okay, but I considered the following:

—
1. The official last date of _manufacturing_ new Windows 7 computers was Oct. 31.
There is no way of knowing how long it’s going to take the remaining stocks that are in retail stores and in manufacturer warehouses to become depleted.

—
2. I have programs that don’t run on anything after Windows 7, so if I had to go to any other operating system, I’d have to purchase newer versions of those programs, or find replacement programs, and in either case I’d have to deal with the hassle of the transition

—
3. I only have one computer myself, so I’m awfully reliant on the 3-year-old Lenovo, and if it died suddenly, which some other computers of mine have done in the past, I’d be up a creek without a paddle

—
4. I don’t want to go to Win 10,
I don’t want to go to Chrome (no cloud for me; no Google for me),
I don’t have the technical ability to go to Linux,
and I can’t afford either the expense or the huge amount of time and studying that it would take for me to move everything over to Apple and to feel like I knew my way around.

This means that Windows 7 is my only port in the storm, so I decided that I have to focus on making it work for the next few years, for as long as I can.

—
5. Given the difficulties with the new Windows updating system —

Group B seems shaky, incomplete, complicated, time-consuming, and probably doomed (unfortunately);

Group C seems risky and anxiety-inducing, keeping one on high alert, tiptoeing quietly down the straight-and-narrow path, for fear of all the unseen baddies that are lurking all around;

Group A I cannot do on my Lenovo because there are 1 or 2 historical patches that Group A will require either now or in a few months, and which will screw my computer up —

I am thinking that I might want to keep the option open to do a kind of “airgap” procedure, using one “empty” computer simply as a way to go on the internet, and using another one that never is connected to the internet to keep all my files on and to do work on.

So having a 2nd computer would give me that option.

—
Therefore, I bought an inexpensive backup computer, a new Dell with Win 7 pre-installed, for less than $300.

=======
To a friend of mine who was in a similar situation to me, and who had a similar level of technical understanding and stubbornness, I would suggest he/she do the same, and buy a new Win 7 pre-installed computer now, to have on hand.

——
I take care of a relative’s computer. The person is a total non-techie, and that person would not understand if I tried to explain everything that was going on right now with Windows, and would get nervous about my concerns, yet would quickly stop listening and tune me out. There would be massive resistance to buying a second computer as a sort of backup, if it wasn’t currently needed.

That person I may need to put into Group A soon, anyway. I don’t think any other path is safe, but I’m really, really annoyed about the telemetry etc.

I would really hate to do it, but in the future, if their current Win 7 computer dies, and no more inexpensive Win 7 computers are available for sale, I’ll probably have to set that person up with a Chromebook. Windows 10 is out, Linux is out, Apple is out. I would take all their files and move them to my computer, really strip down what was on their computer. I suppose it would become mainly an email and internet-surfing station.

Reply | Quote

@Dave,

Thank you for posting those external articles. I appreciate getting all sorts of views on this situation.

Reply | Quote

The cultural shift is what I find most disturbing.

There were good reasons we all thought privacy invasion / harvesting of personal data for profit, duping people into pressing the wrong button, taking over one’s computer and changing users’ settings, etc. were considered unthinkable and malicious just a few short years ago.

Nothing substantive has changed to make that judgment obsolete. You can STILL be hurt by someone taking your data. “Secure” systems are still breached every day. The things we do are more complex than ever and yet systems don’t watch our backs better.

But because such “old fashioned” thinking stood in the way of profits, the big companies revved up their marketing engines to do no less than change the culture. To define a New Normal. And by gosh they’ve managed it.

Software that acts just like yesteryear’s malware is being pushed on us with hardly so much as a “trust us” reassurance any more. Pushed so ubiquitously that we as a society are becoming worn down to it. As Woody says, inured.

If anything, data is MORE important to our lives now than ever before. Now is not the time to be more cavalier with it!

If you’ve never yet been the victim of identity theft or cyber crime, count yourself fortunate. Just think twice about letting your guard down because “heck, everybody’s doing it” or “I’m getting tired of paddling upstream”.

-Noel

Reply | Quote

Buying new? I would buy a Mac. Recommending for a friend who needs more than a browser and also would like to avoid excessive spying? Also a Mac. For someone who really is only interested in web browsing and social media and wants no fuss, no muss? I’d suggest a Chromebook.

Reply | Quote

I take your point. Good point.

—
However, the (mainly Australian, I think) advice for new ventures is to
“start as you mean to go on”,
and if MS is deliberately not repairing for the Security-Only Update group an admittedly minor bug contained in a security update, then what’s to stop them from doing that again and again, maybe with bugs that cause more people more problems.
It must have been a deliberate decision to put it only in the Rollup and not in the Update. It wouldn’t have “cost” much to put it in the Update, and make sure everyone who is careful to install all security patches was covered.
It may be a one-off, low-level, nearly-inconsequential oversight, or it may be a tiny slight, tiny provocation, tiny signal of things to come.

Reply | Quote

FYI, I have read the articles now, and I noticed that the Grimes one is from January 2016. Not that this would change anything that he said, but I’m just pointing out that, especially with that one sentence about OS’s having been removed, it’s not about the current dilemma with Windows Updates.

—
I am surprised that the Horowitz article is so strongly worded! For example:

“Microsoft is rolling out a new procedure for Windows Update, one that mimics the scheme used by Windows 10, and *I don’t trust them*. Microsoft has shown themselves to be incompetent, both at deciding what to do… and in implementing things….”

—
He mentioned Woody several times in this recent article:
http://www.computerworld.com/article/3139048/windows-pcs/windows-update-on-windows-7-is-fast-again.html

And he was scathing about the Intel Bluetooth adapter problem caused by the speed-up patch 3172605.

He criticized the Intel update procedure for that Bluetooth issue, which took him all over the place. (If he found it frustrating and confusing, then I feel a lot better that I found it frustrating and confusing.)

He wrote, “That Windows 7 users have to deal with things _at this level_ is archaic in this day and age. An operating system should just work.”

—
In another recent article:
http://www.computerworld.com/article/3138460/windows-pcs/the-continuing-slowness-of-windows-update-on-windows-7.html

which also heavily referred to and thanked Woody,

he wrote,

“Why is it like this?

Why can’t Windows 7 users easily (forget automatically) get the new and improved version of Windows Update?

Is Microsoft that incompetent?

Do they not care at all about Windows 7?

Are they being malicious to nudge victims onto Windows 10”

Reply | Quote

While I was there, I had a look through the recent Computerworld articles about Windows Patching, and I found the following article interesting because it quotes Susan Bradley on the patching system changes, and on how hard and expensive it can be for an organization to bring a patching problem to Microsoft’s attention:
http://www.computerworld.com/article/3130073/windows-pcs/buggy-windows-7-cumulative-update-just-tell-us-says-microsoft.html

Reply | Quote

Windows 7 Home Premium x64: My Spybot Anti-Beacon log shows “Telemetry Hosts: 145 entries found in hosts file”.

Reply | Quote

Surely there must be some way of extracting the individual updates from the rollup updates? If this was possible we could install the bits we wanted and leave the bits we didn’t, e.g. telemetry.

Reply | Quote

Me too ☺

Win10 22H2 Pro, MBAM Premium, Firefox, OpenOffice, Sumatra PDF.

Reply | Quote

I’m a 72-year-old genuine crusty old curmudgeon who was raised on and believes the mantra “if it ain’t broke, don’t fix it” (for instance, I’m still using my grandfather’s 100-year old wood chisels and #4 smooth plane). I understand why M$ has issued successive versions of Windows (more features, better security – in essence the old version was “broke” so they “fixed” it), and I’ve moved from 3.1 to XP to 7 over the years (“thank you” Woody for your books on how to get the most from each of those products – they’ve been invaluable companions during that time).

I’ve been using a PC at work and home since the days of DOS (I used NDOS at home because the batch file flexibility it provided relative to M$-DOS allowed me to put a simple menu screen up for my kids to use back in the days of command prompts) but am now retired and just have one desktop system that I use – no mobile devices, no game boxes, etc.

At this point, on my home Win-7 machine I run SpyBot and Gibson’s Shields Up once a week, have both MSE and Malware Bytes running in the background, and run MSE and Malware Bytes scans weekly. Once a month I drop a complete image of my boot and apps drive (C:) to an otherwise disconnected hard drive and at the same time I do ditto with my data drive (E:). I’m firmly attached to the group W bench (I love Alice’s Restaurant!) – a place I’d have eventually found myself when M$ discontinues all support for Win-7.

As far as I’m concerned, I’ve had enough of the technological “progress” supposedly represented by Win-10 and “one-size-fits-all conglomerate patches”. My Win-7 machine works just fine, the drivers all work just fine, I’ve got all the applications I’ll ever need, and I see no good reason for subjecting my ever shortening life-span to the aggravation and hassle of upgrading to Win-10 or changing to a different OS. The only on-line places I go are here, Woody on Windows, Malware Bytes Unpacked, my local car club site, and my e-mail (I quit shopping on line last year – I buy local or order stuff by phone now). I’ll probably be shutting down my e-mail account sometime in the next year or so (notifying everyone of importance to me that I’m going off-line permanently and that they can either call or get out pen and paper to write a letter), toss my modem into the recycling bin, and M$ can go to the devil. My sincere sympathies to all of you who still need to wrestle with this crap.

Reply | Quote

I know there are for Windows 10 but,
does anyone know of any 3rd party utility that will block Microsoft telemetry for Windows 7/8.1?

This would be more interesting/beneficial to us given the ruthless force-feeding of Microsoft telemetry over the last 18 months.
Quite happy to pay for it also if needs be 🙂

No problem can be solved from the same level of consciousness that created IT- AE

Reply | Quote

I thought I had read several times that MS telemetry is bypassing the hosts file, rendering that technique ineffective. Has that been verified?

Reply | Quote

Yes. On many occasions.

Reply | Quote

I hear ya. But seriously think about getting a Chromebook.

Reply | Quote

Abbodi is the only person I know with the moxie to do it.

Unfortunately, picking and choosing subsets of rollups may leave your system in a highly unstable state.

Reply | Quote

+1

Reply | Quote

🙂

Reply | Quote

I, and at least one other, am using SpyBot AntiBeacon http://tinyurl.com/nzjh8aa which claims to work with W7 and W8.1 as well as W10. I cannot say any more than a) it claims to block telemetry sites and b) it hasn’t given me any cause for concern so far,

Win10 22H2 Pro, MBAM Premium, Firefox, OpenOffice, Sumatra PDF.

Reply | Quote

Yes, some of the IPs are hard-coded in some system files… can’t remember which at the moment.

Reply | Quote

I especially liked the part in that linked article where Susan pointed out that most people would have to pay Microsoft $499 for the privilege of informing them that their software is buggy. Just mind boggling.

Reply | Quote

We have another example as well, Windows 8.1 Preview Rollup KB3197875 fixes an issue in security update KB3172729

Reply | Quote

Thanks! That makes two Security-only bugs fixed in Monthly Rollups.

Details in the KB article.

Reply | Quote

The details is actually in Update History
https://support.microsoft.com/en-us/help/24717

“Addressed issue with the boot partition appearing in File Explorer after installing MS16-100.”

Reply | Quote

“I would like to disabuse people of the idea that prior software development, IT, or other PC industry work experience is required to install Linux.”

Certainly not the case with Ubuntu 16.04 Linux. I don’t use the Command Line much, although it’s really not that intimidating after the first rounds of use. And I have zero Tech education or work experience. Never had two lines of original code to my name. I had more trouble installing Win 10 Pro on my NUC PC than installing Ubuntu 16.04. And all my disk setup tools are Linux based and run from Live CDs or bootable USB drives. Secure Boot doesn’t bother any of this.

Linux complications range from simple to patch or remove, to very thorny. I have had NVidia-Intel hybrid graphics issues and Bluetooth 4.1 issues which are still not properly resolved, but also sound and networking issues which a little online research and some trial and error troubleshooting resolved fairly quickly. Also, wireless scanner issues which took a bit of head-scratching and testing to fix. But even getting Flash Player up to date in Firefox and Chrome Beta in Ubuntu has proven to be much more complicated than the same operations under Windows.

“t’s such a relief not to have to worry about my PC on a daily basis.” Plus One and amen on that, although Linux security may soon demand its own (improved) antivirus solutions.

Reply | Quote

Although i believe that disabling DiagTrack service and deleting/disabling AutoLogger-Diagtrack-Listener registry key is enough for Win7-8.1, but Microsoft documents the official DNS Endpoints that is used for telemetry:
https://support.microsoft.com/en-us/kb/3068708
https://technet.microsoft.com/en-us/itpro/windows/manage/configure-windows-telemetry-in-your-organization

basically they are:
vortex.data.microsoft.com
vortex-win.data.microsoft.com
settings-win.data.microsoft.com
oca.telemetry.microsoft.com
sqm.telemetry.microsoft.com
watson.telemetry.microsoft.com

Reply | Quote

MBSA relies on the same database as WSUS, and Security Only update is offered as superseded by Monthly Rollup

Reply | Quote

Remember when Windows XP went “End-of-Life” a few years ago and there were no more MS security updates available; all the tech experts predicted a disaster for XP users with the bad guys reverse engineering other security patches and then attacking all of the XP’s.
This isn’t a much different situation than what’s proposed here with just not doing the MS patches for your Win 7 machine. … I see from the graph that there’s still 10% XP usage out there. Obviously the apocalypse predictions were wrong.

Reply | Quote

MS plan about Security Only was cristal clear in the label, it’s for security fixes only.

i’m confident that if MS added any non-security fix for it, the FUD-lovers will still criticize it for that

Reply | Quote

Not all components in the rollup gets their individual deplyoment packages

in this case, the fix for print bug in MS16-087 is gathered and installed with around 20 other components/fixes
which makes it impossible to have it alone

Reply | Quote

They do not even pull superseded updates, they are still downloadable for years
only very few updates were pulled due being bad

Reply | Quote

“In some cases, I re-installed systems that were so badly infected that it wasn’t worth the effort to clean them. Actually I favour that idea a lot because it always results in a PC that performs amazingly well.”

This is generally good advice, unless a user spends a lot of time and effort highly customizing a PC, then hasn’t got a recent system image backup, or if the recent backup image fails to restore. Then a rollback or reinstall would be only the beginning of a long and painful recovery process. Been there, done that, both with Windows and Linux.

Reply | Quote

The fix is included only because the relevant component got security fix as well

Reply | Quote

@Woody — you post
“If we ever get a bad bug…”
Ever had a good bug? 😉

Reply | Quote

Ah, I remember one… it was 1963… oh, wait, no. Wrong bug.

Reply | Quote

Likely. But what about fixes for bugs introduced by Security-only patches?

Reply | Quote

+1

Reply | Quote

I’ve done so many re-installs that for me it is not a pain at all. Mostly, not hands-on time. Takes from 6 to 12 elapsed hours. I’ve got it down to a check list that I created. The result is always so rewarding, and you know for sure the system is clean as it can ever be. That is when I make an image on DVD +Rs and hand it to my client and tell them this is like a valuable insurance policy. If I need to do it again, saves about 6 hours. Another valuable thing is the Windows Easy Transfer tool.

Reply | Quote

I have noticed the very same thing. 10% is a lot of PCs. Its been 2.5 years since they had an “update”, and somehow they still run. Maybe even better because they have not been subject to defective and duplicitous “updating.”

This fact gives me some comfort in following W.

2.5 years past January 2020 is a long time from now.

Reply | Quote

1) People are worried that small bugs will not be fixed that are caused by the security only updates. I have to ask, if the business world is only getting security updates and MS is true to businesses, are the other posters here saying that MS will not do anything to correct those problems? I don’t think so. MS will have a patch to repair any bad issue they caused in a security only update and it may be that an IT person reveals this one day that they got a patch from MS and the KB number is 1234 and the place they got it from was from “some MS download site”. I don’t think MS will not fix problems in the business world. Or so I hope. If they don’t they will loose credibility and trust.

2) People are jumping into the Group A because they think Group B is hard to do. How hard is it to look up the month in question for updates then get the one for your OS? Besides, we have Woody that will post the information and the download link. So why is this so hard to do?

3) Yes there are good bugs. A bug that allows a discount promo code to be used when 123 is entered instead of the proper code or you click free shipping and you get it although your amount is too low. Some errors can be seen as good bugs to some.

Reply | Quote

Thanks TonyS,
Spybot Antibeacon works rather well and presented me with a few telemetry reg entries I had missed. No adverse effect on system yet.

No problem can be solved from the same level of consciousness that created IT- AE

Reply | Quote

It’s a question of degree. Microsoft has posted manual fixes – easy for admins, not easy for normal people.

Still, I recommend Group B for anyone who can follow the download and installation instructions – which should be most of the people reading this post.

Reply | Quote

?

Win10 22H2 Pro, MBAM Premium, Firefox, OpenOffice, Sumatra PDF.

Reply | Quote

Question Rob. I downloaded it. Win7 machine. When it starts, it shows 16% PROTECTED 7 OF 44. No blocks on telemetry hosts. I can start those by clicking apply under options. Bitdefender complains. But then it still shows only 7 of 44 and no blocks yet on telemetry hosts.

What happens if I click Immunize?

Do I need to leave it running continuously?

Reply | Quote

These particular systems with video updates were Win10 systems so not optional. I included that info in my post because I’m just so fed up with the whole situation regarding updates.

Reply | Quote

Mike, my feelings exactly. I still have some clients on XP and interestingly enough, none of them have gotten infected since the end of support. Yet nearly every week I’m called upon to clean up malware on Win10 systems that had every patch and good, up to date, security software.

Reply | Quote

Maybe its because they have not updated their XP systems?????

Reply | Quote

That would be most useful to know and add to the router’s block list.

I’ve only been able to find domain names, not IP’s. I know this can turn into a proverbial whack-a-mole, but with enough people monitoring for changes, it could benefit those of us in Group B’s who would prefer to be in Group A.

Reply | Quote

Using Spybot Anti beacon on two win7sp1 and one win8.1 laptops.

No problems with it so far. Log reports: Telemetry Hosts (extensive list): 107 entries found in hosts file (C:WindowsSystem32driversetchosts.).

What’s simplest way for this non-tech to see what it’s blocking.

Reply | Quote

I wonder, what’s the issue with the group B patches not being cumulative? If you miss a month, simply install it later?

Reply | Quote

Yep.

Reply | Quote

Same here – it doesn’t complete the Hosts file immunization on Win10. Perhaps it’s permissions on the Hosts file.

Reply | Quote

@Canadian Tech,

Is that checklist something that you have published on your personal site?

Reply | Quote

Re: “I am downloading and saving the security-only updates and the Monthly Quality Rollups each month (just in case MS removes them).”

If later you do decide that you want to install some of those updates or rollups, before installing the versions that you have saved, it would be a good idea to see if current versions are still held in the Update Catalog, and if they have a later date/version number on them, because it is my understanding that Microsoft often refines them over time, correcting small bugs and so forth.

Reply | Quote

1. What is the “redir” lane?

2. Does Microsoft “punish” people who don’t allow telemetry data to be sent back?

Reply | Quote

http://www.canadiantech.info/for-techies/re-build-windows-7/new-hard-drive/

Reply | Quote

This hasn’t been a cultural shift, where people have changed their values. This is a marketing push, where the minimal choices being offered are purposefully muddled in order to optimize marketing of the consumers.

We are no longer Microsofts customers. When facts are presented to any age people, at least the friends and family I know, the malware that Microsoft has become is resoundingly rejected. Many people are unaware of what the problems are, and unaware of what their options are.

I am personally heartened by a local supermarket that is part of a large chain. Large enough numbers of customers complained that sales were being offered only to their card holders (so info can be collected and marketed) that they did away with the cards completely. It took several years of only going in when I had to have something immediately and buying only what I absolutely had to at that time… and lots of us doing that… and telling the store that was what we were doing… that the store changed their data collection policies. Now I am happily shopping there, again. I don’t think I could do that, ever again, with Microsoft, because their bad behavior has been so totally predatory and self-serving. From what I’ve seen, their references to serving their customer base is completely at odds with what customers have actually purchased (bait and switch) or want. Hey, Microsoft… how about a way to completely opt out of any telemetry and still have all the security updates? How about a way to completely opt out of any advertising on my operating system, not just targeted advertising? How about a way to get the long term stability you already offer to educational and enterprise customers?

Again, it isn’t a lack or change of culture… it is undermining and perverting what good customer service is. If I’d had the current choices when I’d bought my present laptop, Windows 7 would not have ever been placed on it. No Microsoft product will be my next operating system. I really appreciate all the technical knowledge shared on this site, because it allows me to stay at choice without totally trashing my laptop (which I really can’t afford to do). I have always been on Windows since XP… (skipped Vista). There are programs I need Windows for… but I am exploring alternatives to Windows programs, switching gradually, but steadily…

If Microsoft cared they would have a more meaningful response, that would facilitate people making their own choices, rather than limiting them. They don’t care, they continue to herd us like domesticated animals than offer a product to the free and human beings we are… the people I know won’t buy it ever again. From my small scale that might mean influencing a local church, my friends, their small businesses… but over time, Microsoft will be shunned! It is the only thing that Microsoft has left us to do…

The technical support here has been awesome. I truly couldn’t get along without it… thank you so very, very much. Happily, so far, Group B… but moving to Group W if necessary.

Reply | Quote

Great story about the supermarket. And to think back to the times when I gladly signed up for store cards…

Reply | Quote

@Canadian Tech,
You might have meant to place this comment in a different spot in the thread?

Reply | Quote

(Because it looks like a reply to a comment that isn’t nearby.)

Reply | Quote

@Legolas,

The issue for Canadian Tech about the Group B patches not being cumulative is that the people he helps with their computers are not technical people, and they are not always careful and diligent with their Windows updating, so if the Group B monthly Update is not cumulative, that type of non-techie person will sometimes forget a month and won’t even know it, so he/she will not understand that he/she must later go into the Update Catalog and obtain the missing month’s update.

Canadian Tech’s statement which Woody quoted in the blogpost was a statement to his non-techie customers, saying that Group B is not a safe path for *them*, for a couple of reasons, and one reason is that it’s not cumulative, so it is going to be very easy to miss a month, which would not be rectified automatically by Microsoft (in the way that Microsoft is doing for Group A people who will have cumulative patching every month).

It was not a recommendation that Canadian Tech was giving specifically to the readers of AskWoody.com, who are a different group of people who generally are more technically-proficient and who are diligent about keeping track of their Windows updates every month.

Reply | Quote

Woody,

Procedures, like new machines, are only mystifying on the 1st or 2nd attempts. Then, routine sets in and we are left wondering, what was so tough about that?

That is, from an operators point of view, as long as we have detailed instructions on how to proceed, which you are always kind enough to provide.

However, it is always beneficial to give a couple of careful, slow readings of said instructions, to make sure that the process is well understood before doing it “live and on line”. It doesn’t hurt to do a dry run either. Go through the steps on the machine, but just don’t hit the “go” trigger.

It’s an interesting process: to become aware of a new problem or procedure, be baffled by it, study it, then perform the operation, then have the satisfaction of getting it right. Then on to the next challenge.

Happy Bird Day, everyone.

Chip

Reply | Quote

+1

Reply | Quote

Well put, Poohsticks.

Reply | Quote

That is correct. Sometimes there is no Reply link to click, leading to the necessity to click some nearby link. Sorry.

Reply | Quote

I think the relevant comment string is this

https://www.askwoody.com/2016/the-case-for-not-updating-windows-7-ever/comment-page-2/#comment-108635

@Canadian Tech yes you do have to immunize and no you don’t have to leave it running, but you can set it to re-immunize at each boot What did Bitdefender complain about, I’m using it on W7x64 and haven’t seen anything?

Win10 22H2 Pro, MBAM Premium, Firefox, OpenOffice, Sumatra PDF.

Reply | Quote

@Noel Carboni

“The cultural shift is what I find most disturbing.”

Spot on!
+1

Reply | Quote

Woody,

I have seen you mention that for Group B users, Windows Defender will still update automatically. On my x64 Windows 7 machine, this is certainly not the case. I disabled automatic updates the “normal” way through Control Panel / Windows Update. I have had to manually check for Windows Defender definition updates for over a month, since joining Group B. Any thoughts? Very helpful blog, by the way!

Reply | Quote

Spybot Anti-Beacon

Clicking on ‘optional’ then ‘show details’ lists Registry keys and actions such as ‘enable file obfuscation’, ‘enable upload’ etc. I can’t figure out how to copy/paste to askwoody. Just screenshot.

Reply | Quote

@rzero

“I have had to manually check for Windows Defender definition updates for over a month, since joining Group B.”

same here

Reply | Quote

@Canadian Tech: This is a reply to an email I sent to Woody about a possible trojan. Sorry to bother you on turkey day. 🙁

“Actually, I don’t have his email address.

Could you post this as a reply to his post?

Thanks, and happy turkey day!

— Woody”

On Thu, Nov 24, 2016 at 3:37 PM, wrote:
Hi Woody, this is “Manaka” from your Askwoody.com site. I can prove that by telling you that the email I use in your post submission form is “[redacted],” and also by the fact you slightly edited my post from the other day in the “The case for not updating Windows 7. Ever.” thread. I had written “the dipstick from M$ chirping about Windows as a service” and you redacted “dipstick” to [garbled].

I really, really hate to bother you on turkey day, but I was revisiting that post earlier this AM [7:37 CT, to be exact], and clicked on the link in one of CT’s posts on the first page of comments where he was responding to a query from poohsticks if CT had documentation on his personal site about starting from scratch on a new hard drive. When I clicked the link, my Kaspersky Internet Security immediately popped up, quarantined, and deleted “Trojan-Downloader.JS. FakejQuery.b”

Again, I hate bothering you today, but you might want to let CT know; I’m assuming you have his address.

Yours,
Manaka

Reply | Quote

It’s odd. Probably worth running down…

Reply | Quote

When I open it, it shows telemetry hosts no blocks yet. I click on optional, then click Apply on the Telemetry hosts (extensive list): 7 of 70 blocked currently. Bitdefender antivirus + 2016 says virus detected

Reply | Quote

Elly, that is stunning story! I have shared it with others. Thank your for this.

Reply | Quote

Thank you Manaka and Woody.

I rarely give links to my web site. I will contact the web service to have them fix that. Thanks for the warning.

By the way, Thanksgiving in Canada was early last month. That is one holiday we do not share with Americans.

FYI, I use that web site every day and so do some of my clients and never have had a problem. Sorry you got that warning. I will look after it immediately.

Reply | Quote

@Canadian Tech

Any results on the inquiry ““Trojan-Downloader.JS. FakejQuery.b””

Reply | Quote

Working on that now. Thanks again.

Reply | Quote

@Canadian Tech

Thanks for reply.

I downloaded/saved your hard drive checklist before Manaka’s post.

Just completed full scan (197,000 items) with ESET online scanner. Results indicate zero malware.

WinDefend active…no alerts.

Reply | Quote

This is a little easier to follow…

https://support.microsoft.com/en-us/help/22801/windows-7-and-windows-server-2008-r2-update-history

The analog for Windows 8 is in the “related info” at the bottom of the page.

Then, all you need to do is search the Catalog for .NET Framework updates.

Reply | Quote

Yep. The analogous page for Win 8.1 is https://support.microsoft.com/en-us/help/24717/windows-8-1-windows-server-2012-r2-update-history

and for Win10 it’s https://support.microsoft.com/en-us/help/12387/windows-10-update-history

Reply | Quote

Definitions for about everything, MSE/FEP/SCEP, MSRT, Office are regularly pulled and maintained correctly, keeping only few old versions.
Windows 10 old updates are pulled as well.
It will likely happen soon with Windows 7 and the other operating systems updates, once the rollup system is proved to be fully working.
The Security only patches will likely to be discontinued at some stage because they should have never existed in the first place.
No other company than Microsoft does this so granularly and as it appears they realised it and are working to rectify the flawed concept.

Reply | Quote

With a caveat which may be initially slow scanning if there are too many updates to be installed. But if the Monthly Rollup will be fully working as expected and old patches pulled so only few are available at the same time, then there should be no issue.

Reply | Quote

Website cleaned WordFence installed. Thanks again.

Reply | Quote

@Canadian Tech

“Website cleaned WordFence installed. Thanks again.”

Does that mean I downloaded the file with the malware, but my Win Defend and ESET scanner did not catch it?

Reply | Quote

@Canadian Tech;

Q restated. Was Trojan-Downloader.JS. FakejQuery.b actually in the downloaded hard drive file?

Reply | Quote

I honestly do not know. I use Bitdefender which is one of the best and it reported nothing. I suspect it may have been a false positive. No problem, though. I am happy I got the protection installed.

My site is a very simple one. It is pure WordPress, 132 pages all told. Nothing but text. No two way like in this one. Nothing confidential, proprietary or personal. No email.

Reply | Quote

WSUS Offline gives you the ability to pre-download all Windows Updates, before installing Windows…

http://download.wsusoffline.net/

Good video tutorial on how to use it…

https://www.youtube.com/watch?v=aXAOvbNJYyE

Reply | Quote

@Canadian Tech

Thanks again;

I’ve run Full scans on my Win8.1 laptop with WinDefender, ESET online Scanner and November MSRT. Nothing found.

Anyone; Is there a specific recommended searcher for that family of malware? (Trojan-Downloader.JS. FakejQuery.b)

Reply | Quote

@Canadian Tech & Clueless: I’ve used ESET for more years than I can recall. I’m using its Smart Security (Version 9) at the present time.

Good luck to us all in avoiding these threats!!

🙂 🙂

Reply | Quote

@Walker

Much obliged.

Reply | Quote

@Canadian Tech
What is your web page?
It’s a ton of results to “Canadian Tech” in Google

Reply | Quote

It is not a place I advertise. It there for my clients when they ask me questions. There is a section for the more technically inclined.

http://www.canadiantech.info

No responses permitted. Just text.

Reply | Quote

From “Hackers detail the blood and guts of the 2016 Pwn2Own exploit expo” (http://www.theregister.co.uk/2016/08/04/hackers_detail_the_blood_and_guts_of_the_2016_pwn2own_exploit_expo/):
‘”The winning submissions to Pwn2Own 2016 provided unprecedented insight into the state-of-the-art techniques in software exploitation” the quartet says in a 65-page technical paper [PDF] published after the talk.

“Every successful submission provided remote code execution as the super user (SYSTEM/root) via the browser or a default browser plug-in … attained through the exploitation of the Microsoft Windows or Apple OS X kernel.”‘

Reply | Quote

Thank you

Reply | Quote

An example: malware that exploits Windows vulnerability CVE-2015-0057 or CVE-2013-3660 to increase its privileges: “Dyre Banking Trojan Exploits CVE-2015-0057” (https://www.fireeye.com/blog/threat-research/2015/07/dyre_banking_trojan.html)

Reply | Quote

Thanks Woody, this is great news!

But help: partly out of frustration and partly because I was too busy with eldercare (and couldn’t risk having the machines I use to monitor the granny cams “upgraded” without my consent), I moved to Group W a couple months ago.
How do I move back to Group B now?

Thanks,
Nezbine

Reply | Quote

Just download and install the Security-only patches.

http://www.infoworld.com/article/3136173/microsoft-windows/how-to-cautiously-update-windows-7-and-81-machines.html (with the download links in
https://www.askwoody.com/2016/ms-defcon-3-time-to-get-the-first-post-patchocalypse-patches-patched/ )

https://www.askwoody.com/2016/ms-defcon-4-get-windows-and-office-patched/

Reply | Quote

Thanks Woody!!! I really appreciate this info.
I’ll do it today.
Nezbine

Reply | Quote

Woody, it would be great if you kept a running list of instructions/links for people who wish to move from Group W/C to Group B. I haven’t updated since October 10 and already fear I’ll be lost if ever I want to move to Group B.

Reply | Quote

That’s on my checklist for a Knowledge Base article, when we get the new Lounge off the ground.

Anybody else want to tackle it?

Reply | Quote