I am going to learn not to sign up for Handler On Duty any day of the Microsoft Update week. It never fails: there are issues to be dealt with. Today the issues to be dealt with are internal to my company. We got to work this morning to discover that we had a number of computers

After attempting to contact the company today and getting voice mail for both the tech support and partner support lines I figured that this was a bigger

So my question is: "Did Microsoft force an update despite our auto updates being turned off?" I have verified that the majority of the computers APPEAR to

The good news is that in our case it was pretty easy to get our machines back online. We just had to boot to a repair disc and remove the driver file (.sys) that

UPDATE: I have been in contact with Microsoft and they have assured me that there were no updates done outside of their normal updates. They said that if the

Deb Hale Long Lines, LLC
Deborah 279 Posts ISC Handler Feb 11th 2010
It is possible that MS pushed the update for the Aurora exploit. A few years ago, they had a nasty problem with (I may have this wrong) the way the image viewing software handled certain malicious images. The way they handled the exploitation was abysmal, and they wound up forced to do an out of band patch. A lot of our machines were in download-but-don't-install mode and were force-updated.
peter 17 Posts
Feb 11th 2010
My XP workstation rebooted this morning and I know I do not have auto-updates turned on. This sounds like a good forensic challenge for someone to identify what files were changed within the past 24 hours.
Anonymous
Feb 11th 2010
I assume you push patches from a central server, but MS patches from external sources are not blocked by your firewall or IPS?
hacks4pancakes 48 Posts
Feb 11th 2010
" We got to work this morning to discover that we had a number of computers that would not boot up "
and " most of our machines are setup to NOT download and install the updates " Did any of the systems that had automatic updating Disabled not boot up? Have you checked the WindowsUpdate.log on the affected systems to see if *any* updates were installed? Without an answer to both of the above it sure sounds as if an AV definitions update was the culprit. BTW, MS is busy cleaning up the fallout from KB977165, the update that has been identified as the cause of BSODs in XP.
hacks4pancakes 10 Posts
Feb 12th 2010
Why do you trust the vendor when they say it's a MS problem and not trust Microsoft?
Don 1 Posts
Feb 12th 2010
Apparently you have a rootkit infection :) http://tech.slashdot.org/story/10/02/12/1455203/Rootkit-May-Be-Behind-Windows-Blue-Screen
oleksiy 34 Posts
Feb 12th 2010
"The file is a kernel level file for an anti-virus program that we have been using internally for quite some time"
My first gut tells me your antivirus freaked out. To see if computers updated, click Start, go to Windows Update, and review the update history in the GUI window. It will tell you if something was updated. Your patching admins would confirm that they didn't update. I have never seen a Windows machine spontaneously update. If you do not have auto updates on, they won't get updated. Microsoft cannot "force" updates if you have chosen to turn them off. Please do not spread FUD that this can even possibly occur. I then have to ask for WindowsUpdate.log files from folks to prove to them that no patches got pushed. Antivirus dat files get updated quite regularly. Are you sure there wasn't an update?
Susan 34 Posts
Feb 13th 2010
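Two of the checks suggested in this thread (reading WindowsUpdate.log on the affected systems, and peter's "what files changed within the past 24 hours") can both be done offline from a repair-disc mount. The script below is an added example written for this page; it is not code from the diary, from any commenter, or from Microsoft. It parses WindowsUpdate.log "REPORT EVENT" records for successful installations, narrows them to a time window ending when the machines were found unbootable, and lists driver files whose modification time falls in the same window. The log lines, GUIDs, file names and the KB000001 title are constructed; the tab-separated record layout and the "Installation Successful" wording are assumptions about the XP-era log format. KB977165 is the update named in the thread.

```python
"""Offline triage: did Windows Update install anything, and which drivers changed?
Added example for the thread above, not the diary's or Microsoft's code. Log
records, GUIDs, file names and KB000001 are constructed; the WindowsUpdate.log
record layout (date, time, PID, TID, component, message) is an assumption.
"""
import os
import re
import tempfile
from datetime import datetime, timedelta

LOG_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\t(?P<time>\d{2}:\d{2}:\d{2}):\d{3}"
    r"\t\s*\d+\t\s*[0-9a-f]+\t(?P<component>\w+)\t(?P<msg>.*)$"
)
# Report text emitted for a completed install, followed by the update title.
INSTALL_MSG = re.compile(
    r"Installation Successful: Windows successfully installed the following update: (?P<title>.+?)\s*$"
)
# In a REPORT EVENT the installing client sits just before the Success/Failure field.
CLIENT_RE = re.compile(r"\t(?P<client>[^\t]+)\t(?:Success|Failure)\t")
KB_RE = re.compile(r"\(KB(\d+)\)")

# End of the triage window: the morning the machines were found unbootable.
END = datetime(2010, 2, 11, 8, 0, 0)

GUID = "{11111111-1111-1111-1111-111111111111}"  # constructed placeholder
REPORT = "\tREPORT EVENT: " + GUID + "\t%s-0600\t1\t183\t101\t" + GUID + "\t201\t0\tAutomaticUpdates" \
         "\tSuccess\tContent Install\tInstallation Successful: Windows successfully installed the following update: %s"
SAMPLE_LOG = "\n".join([  # constructed sample; KB000001 stands for an unrelated earlier update
    "2010-02-09\t02:14:07:123\t 1020\t 47c\tAgent\t  * Title = Security Update for Windows XP (KB000001)",
    "2010-02-09\t02:15:40:001\t 1020\t 47c\tReport" + REPORT % ("2010-02-09 02:15:40:001", "Security Update for Windows XP (KB000001)"),
    "2010-02-10\t03:10:30:456\t 1020\t 47c\tReport" + REPORT % ("2010-02-10 03:10:30:456", "Security Update for Windows XP (KB977165)"),
    "2010-02-10\t03:12:00:000\t 1020\t 47c\tAU\t#############",
])


def parse_installs(log_text):
    """Return every successful installation event in the log as a dict."""
    events = []
    for line in log_text.splitlines():
        rec = LOG_LINE.match(line)
        if not rec:
            continue
        inst = INSTALL_MSG.search(rec.group("msg"))
        if not inst:
            continue
        when = datetime.strptime(rec.group("date") + " " + rec.group("time"), "%Y-%m-%d %H:%M:%S")
        client = CLIENT_RE.search(rec.group("msg"))
        kb = KB_RE.search(inst.group("title"))
        events.append({"time": when, "title": inst.group("title"),
                       "client": client.group("client") if client else "unknown",
                       "kb": kb.group(1) if kb else None})
    return events


def installs_in_window(log_text, end, hours=24):
    """Installs whose timestamp falls within the `hours` before `end`."""
    start = end - timedelta(hours=hours)
    return [e for e in parse_installs(log_text) if start <= e["time"] <= end]


def recently_modified(root, end, hours=24, suffixes=(".sys",)):
    """Relative paths of files under root with mtime within the window (default: .sys drivers)."""
    start = end - timedelta(hours=hours)
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(suffixes):
                continue
            path = os.path.join(dirpath, name)
            if start <= datetime.fromtimestamp(os.path.getmtime(path)) <= end:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def build_demo_tree(root, end):
    """Constructed drivers folder: one .sys touched 3h before `end`, one a week earlier."""
    drivers = os.path.join(root, "system32", "drivers")
    os.makedirs(drivers, exist_ok=True)
    for name, age in (("avkernel_demo.sys", timedelta(hours=3)), ("stale_demo.sys", timedelta(days=7))):
        path = os.path.join(drivers, name)
        with open(path, "wb") as fh:
            fh.write(b"MZ demo")
        ts = (end - age).timestamp()
        os.utime(path, (ts, ts))


def demo(end=END):
    """Run both checks against the constructed data and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp, end)
        changed = recently_modified(tmp, end)
    return {"changed_drivers": changed,
            "installs_24h": installs_in_window(SAMPLE_LOG, end, 24),
            "installs_48h": installs_in_window(SAMPLE_LOG, end, 48)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The two windows are deliberate: an install at 03:10 on Feb 10 falls outside a strict 24-hour look-back from 08:00 on Feb 11 but inside 48 hours, so a triage that only looks at "the past 24 hours" can miss the patch that preceded the crash. The `client` field distinguishes the Automatic Updates agent from other installers, which is the evidence needed to settle the thread's question of who installed what.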
So, looks like more information is available from Microsoft (http://blogs.technet.com/mmpc/archive/2010/02/17/restart-issues-on-an-alureon-infected-machine-after-ms10-015-is-applied.aspx). Do you guys really have rootkits on your systems? That would be ironic...
oleksiy 34 Posts
Feb 18th 2010