Definition updates for Windows Defender Antivirus and other

Postby Fred928 » 04.04.2019, 20:50

Hello,
Since March 18, the 64-bit versions of the Definition updates for Windows Defender Antivirus and other Microsoft antimalware software are no longer updated with the file "mpam-fex64.exe" or "mpas-feX64.exe".

A page to read: https://www.microsoft.com/en-us/wdsi/definitions

A new naming seems to be active in the form "mpam-fe.exe" and "mpas-fe.exe"

Despite an update with "wsusoffline", I was able to update these files manually by downloading via the above page.

Thank you for everything :D :D
Fred928
 
Posts: 4
Joined: 04.04.2019, 20:30

Re: Definition updates for Windows Defender Antivirus and ot

Postby Dalai » 04.04.2019, 21:46

Seems like you're right that MS changed something - again. Our server also didn't download files newer than March 17th/18th. But I very much doubt we can use any of these download URLs. Why? Because
  • they contain a version number, and
  • they use the same file name regardless of architecture (although this could be solved somehow)
Example URL:
Code:
https://definitionupdates.microsoft.com/download/DefinitionUpdates/VersionedSignatures/AM/1.291.1162.0/x86/mpas-fe.exe

It never gets boring with MS software, does it? :roll:

Regards
Dalai
Dalai
 
Posts: 1041
Joined: 12.07.2016, 21:00

Re: Definition updates for Windows Defender Antivirus and ot

Postby Fred928 » 06.04.2019, 21:24

Hi Dalai!

Thank you for your reply.

To ensure a level of security on a private network, I tried to write a small script by copying the link provided on the site.
Then, once the two files are copied, I start the update of wsusoffline, and I have the impression that it works:
the downloaded files remain in the directories. I will see later whether the isolated posts update the Microsoft antivirus.

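Code:
#!/bin/bash
# The URLs must be quoted: an unquoted "&" ends the command and runs it in the background.
# 64-bit definitions for Windows Defender (wddefs)
wget -O /wsusoffline/client/wddefs/x64-glb/mpas-feX64.exe "https://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x64&eng=0.0.0.0&avdelta=0.0.0.0&asdelta=0.0.0.0&prod=925A3ACA-C353-458A-AC8D-A7E5EB378092"

# 64-bit definitions for Microsoft Security Essentials (msse)
wget -O /wsusoffline/client/msse/x64-glb/mpam-fex64.exe "https://go.microsoft.com/fwlink/?LinkID=121721&arch=x64"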


Regards
Fred
Fred928
 
Posts: 4
Joined: 04.04.2019, 20:30

Re: Definition updates for Windows Defender Antivirus and ot

Postby hbuhrmester » 07.04.2019, 11:22

With the download links from the page https://www.microsoft.com/en-us/wdsi/definitions, the downloads for msse are both mpam-fe.exe, and the downloads for wddefs are both mpas-fe.exe. But it is not necessarily a problem that the filenames for 32-bit and 64-bit are the same, because the four virus definition files are downloaded to different directories:

Code:
wsusoffline/client/msse/x64-glb
wsusoffline/client/msse/x86-glb
wsusoffline/client/wddefs/x64-glb
wsusoffline/client/wddefs/x86-glb


This works well for the download, but the installation scripts would probably need to be changed to use the same filenames in different directories.

The script DownloadUpdates.cmd can automatically rename downloaded files, if the local filename is appended to the URL after a comma. This is already used in the static download files:

Code:
wsusoffline/static/StaticDownloadLinks-msse-x64-glb.txt
wsusoffline/static/StaticDownloadLinks-msse-x86-glb.txt


The server file nis_full.exe is renamed to either nis_full_x64.exe or nis_full_x86.exe, and the file MSEInstall.exe is renamed to MSEInstall-x64-enu.exe, MSEInstall-x64-deu.exe, MSEInstall-x86-enu.exe or MSEInstall-x86-deu.exe, or to any other language.

But this does not work for the download links in https://www.microsoft.com/en-us/wdsi/definitions, because the remote filename cannot be deduced from the URLs.

wget needs the option --trust-server-names, to use the last filename after several redirects on the server:

Code:
~/Downloads$ wget --trust-server-names "https://go.microsoft.com/fwlink/?LinkID=121721&arch=x86"
--2019-04-07 08:08:26--  https://go.microsoft.com/fwlink/?LinkID=121721&arch=x86
Resolving go.microsoft.com (go.microsoft.com)... 2a02:26f0:d5:481::2c1a, 2a02:26f0:d5:4a5::2c1a, 104.81.43.109
Connecting to go.microsoft.com (go.microsoft.com)|2a02:26f0:d5:481::2c1a|:443... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: https://www.microsoft.com/security/encyclopedia/adlpackages.aspx?arch=x86 [following]
--2019-04-07 08:08:26--  https://www.microsoft.com/security/encyclopedia/adlpackages.aspx?arch=x86
Resolving www.microsoft.com (www.microsoft.com)... 2a02:26f0:d5:28f::356e, 2a02:26f0:d5:282::356e, 23.52.13.90
Connecting to www.microsoft.com (www.microsoft.com)|2a02:26f0:d5:28f::356e|:443... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Cookie coming from www.microsoft.com attempted to set domain to adl.sr.wd.microsoft.com
Location: https://definitionupdates.microsoft.com/download/DefinitionUpdates/VersionedSignatures/AM/1.291.1324.0/x86/mpam-fe.exe [following]
--2019-04-07 08:08:27--  https://definitionupdates.microsoft.com/download/DefinitionUpdates/VersionedSignatures/AM/1.291.1324.0/x86/mpam-fe.exe
Resolving definitionupdates.microsoft.com (definitionupdates.microsoft.com)... 23.52.14.91
Connecting to definitionupdates.microsoft.com (definitionupdates.microsoft.com)|23.52.14.91|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 118207152 (113M) [application/octet-stream]
Saving to: 'mpam-fe.exe'

mpam-fe.exe         100%[===================>] 112.73M  2.72MB/s    in 41s

2019-04-07 08:09:08 (2.72 MB/s) - 'mpam-fe.exe' saved [118207152/118207152]


Earlier versions of wget would just use the resulting filename on the server anyway.

Aria2 doesn't need any additional options:

Code:
~/Downloads$ aria2c "https://go.microsoft.com/fwlink/?LinkID=121721&arch=x64"

04/07 08:27:06 [NOTICE] Downloading 1 item(s)
[#14272c 111MiB/113MiB(98%) CN:1 DL:2.7MiB]
04/07 08:27:49 [NOTICE] Download complete: /home/hb1/Downloads/mpam-fe.exe

Download Results:
gid   |stat|avg speed  |path/URI
======+====+===========+=======================================================
14272c|OK  |   2.7MiB/s|/home/hb1/Downloads/mpam-fe.exe

Status Legend:
(OK):download completed.


So, if the URLs on the page https://www.microsoft.com/en-us/wdsi/definitions stay the same, they can probably be used, but they require some changes to the download scripts and/or the installation scripts.

A standalone script to download the four virus definition files, with proper renaming of the files for timestamping and compatibility with the installation scripts, and with building the integrity database of hashdeep files, could look like:

Code:
#!/bin/bash
#
# filename: get-virus-definitions.bash
#
# Get the latest virus definition updates using the URLs on the page:
#
# - Definition updates for Windows Defender Antivirus and other Microsoft
#   antimalware
#
#   https://www.microsoft.com/en-us/wdsi/definitions

# ========== Shell options ================================================

set -o errexit
set -o nounset
set -o pipefail
shopt -s nocasematch

# ========== Functions ====================================================

function setup_working_directory ()
{
    local kernel_name=""
    local canonical_name=""
    local home_directory=""

    if type -P uname >/dev/null
    then
        kernel_name="$(uname -s)"
    else
        printf '%s\n' "Unknown operating system ${OSTYPE}"
        exit 1
    fi

    # Reveal the normalized, absolute pathname of the running script
    case "${kernel_name}" in
        Linux | FreeBSD | CYGWIN*)
            canonical_name="$(readlink -f "$0")"
        ;;
        Darwin | NetBSD | OpenBSD)
            # Use greadlink = GNU readlink, if available; otherwise use
            # BSD readlink, which lacks the option -f
            if type -P greadlink >/dev/null
            then
                canonical_name="$(greadlink -f "$0")"
            else
                canonical_name="$(readlink "$0")"
            fi
        ;;
        *)
            printf '%s\n' "Unknown operating system ${kernel_name}, ${OSTYPE}"
            exit 1
        ;;
    esac

    # Change to the home directory of the script
    home_directory="$(dirname "${canonical_name}")"
    cd "${home_directory}" || exit 1

    return 0
}


function download_file ()
{
    local download_dir="$1"
    local download_link="$2"
    local remote_filename="$3"
    local local_filename="${4:-}" # optional parameter

    # Rename local filename to remote filename, to allow timestamping
    if [[ -n "${local_filename}" \
       && -f "${download_dir}/${local_filename}" ]]
    then
        printf '%s\n' "Rename local filename ${local_filename} to remote filename ${remote_filename}"
        mv "${download_dir}/${local_filename}" \
           "${download_dir}/${remote_filename}"
    fi

    wget --timestamping --trust-server-names \
         --directory-prefix="${download_dir}" "${download_link}"

    # Rename remote filename to local filename
    if [[ -n "${local_filename}" \
       && -f "${download_dir}/${remote_filename}" ]]
    then
        printf '%s\n' "Rename remote filename ${remote_filename} to local filename ${local_filename}"
        mv "${download_dir}/${remote_filename}" \
           "${download_dir}/${local_filename}"
    fi
    return 0
}


function get_virus_definitions ()
{
    local download_dir=""
    local download_link=""
    local remote_filename=""
    local local_filename=""

    # Virus definitions for Microsoft Security Essentials and the Defender
    # of Windows 8, 8.1 and 10
    # - 32-bit
    printf '%s\n' "Get virus definitions for msse, 32-bit"
    download_dir="../client/msse/x86-glb"
    download_link="https://go.microsoft.com/fwlink/?LinkID=121721&arch=x86"
    remote_filename="mpam-fe.exe"
    local_filename=""
    download_file "${download_dir}" "${download_link}" \
                  "${remote_filename}"

    # - 64-bit
    printf '%s\n' "Get virus definitions for msse, 64-bit"
    download_dir="../client/msse/x64-glb"
    download_link="https://go.microsoft.com/fwlink/?LinkID=121721&arch=x64"
    remote_filename="mpam-fe.exe"
    local_filename="mpam-fex64.exe"
    download_file "${download_dir}" "${download_link}" \
                  "${remote_filename}" "${local_filename}"

    # Virus definitions for the Defender of Windows Vista and 7
    # - 32-bit
    printf '%s\n' "Get virus definitions for wddefs, 32-bit"
    download_dir="../client/wddefs/x86-glb"
    download_link="https://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86&eng=0.0.0.0&avdelta=0.0.0.0&asdelta=0.0.0.0&prod=925A3ACA-C353-458A-AC8D-A7E5EB378092"
    remote_filename="mpas-fe.exe"
    local_filename=""
    download_file "${download_dir}" "${download_link}" \
                  "${remote_filename}"

    # - 64-bit
    printf '%s\n' "Get virus definitions for wddefs, 64-bit"
    download_dir="../client/wddefs/x64-glb"
    download_link="https://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x64&eng=0.0.0.0&avdelta=0.0.0.0&asdelta=0.0.0.0&prod=925A3ACA-C353-458A-AC8D-A7E5EB378092"
    remote_filename="mpas-fe.exe"
    local_filename="mpas-feX64.exe"
    download_file "${download_dir}" "${download_link}" \
                  "${remote_filename}" "${local_filename}"

    return 0
}


function todos_line_endings ()
{
    local line=""

    # IFS is set to an empty string, to read a complete line including
    # leading and trailing spaces.
    while IFS="" read -r line
    do
        printf '%s\r\n' "${line}"
    done

    return 0
}


function build_integrity_database ()
{
    local download_dir=""

    printf '%s\n' "Creating integrity database..."
    pushd "../client/md" >/dev/null
    for download_dir in msse wddefs
    do
        hashdeep  -c md5,sha1,sha256 -l -r "../${download_dir}"  \
        | tr '/' '\\' | todos_line_endings > "hashes-${download_dir}.txt"

        # Empty files should be deleted. The name must match the file
        # written above (hashes-<dir>.txt, with a hyphen).
        if [[ -f "hashes-${download_dir}.txt" \
           && ! -s "hashes-${download_dir}.txt" ]]
        then
            printf '%s\n' "Deleting file hashes-${download_dir}.txt, because it is empty."
            rm "hashes-${download_dir}.txt"
        fi
    done
    popd >/dev/null
    printf '%s\n' "Created integrity database."

    return 0
}

# ========== Commands =====================================================

setup_working_directory
get_virus_definitions
build_integrity_database

exit 0
hbuhrmester
 
Posts: 525
Joined: 11.10.2013, 20:59

Re: Definition updates for Windows Defender Antivirus and ot

Postby Dalai » 07.04.2019, 17:15

But how do you rename files when you don't know their filenames beforehand? Any MS link could download a file named "foo.bar". How should a script know that this file is supposed to be renamed to mpam-fe.exe? Sure, you could specify another filename in the static text files (like in your bash script), which works until MS decides to rename the files again.

Sometimes scripting can be a PITA...

Regards
Dalai
Dalai
 
Posts: 1041
Joined: 12.07.2016, 21:00

Re: Definition updates for Windows Defender Antivirus and ot

Postby hbuhrmester » 07.04.2019, 20:45

The msse files are downloaded as mpam-fe.exe. This is the name on the server, after following all redirections. Unlike Fred928, I didn't tell wget to use that name – wget figured that out itself. The 32-bit version is just kept as is and not renamed afterwards. The 64-bit version is renamed to mpam-fex64.exe, but only for compatibility with existing scripts.

I assume that the installer just looks for a file mpam-fex64.exe. If it looked for msse/x64-glb/mpam-fe.exe, then the file would not need to be renamed either.

The name mpam-fe.exe has been in use for some time now. I don't expect it to change soon, because all Microsoft anti-virus products use these filenames as well.

Regards,
hbuhrmester
hbuhrmester
 
Posts: 525
Joined: 11.10.2013, 20:59
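
Added example, not code from this thread or from wsusoffline: with --trust-server-names the local filename is whatever the redirect chain ends at, so the following shell functions check a final URL against the shape seen in the wget output above before that name is accepted, and map it to the legacy 64-bit name. The function names "check_final_url" and "legacy_name" and the host/prefix allowlist are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not wsusoffline code). One way to obtain the final URL
# without saving the file (assumption: the server answers HEAD requests):
#   curl -sSIL -o /dev/null -w '%{url_effective}' "$download_link"
ALLOWED_HOST="definitionupdates.microsoft.com"
ALLOWED_PREFIX="/download/DefinitionUpdates/VersionedSignatures/AM/"

# check_final_url URL ARCH: print "VERSION FILENAME" and return 0 if the URL
# is acceptable for ARCH (x86 or x64); otherwise explain on stderr, return 1.
check_final_url() {
    local url="$1" arch="$2" rest host path tail version archdir file want
    case "$url" in
        https://*/*) rest="${url#https://}" ;;
        *) echo "reject: not an https URL with a path: $url" >&2; return 1 ;;
    esac
    host="${rest%%/*}"; path="/${rest#*/}"
    if [ "$host" != "$ALLOWED_HOST" ]; then
        echo "reject: unexpected host '$host'" >&2; return 1
    fi
    case "$path" in
        "$ALLOWED_PREFIX"*/*/*) tail="${path#"$ALLOWED_PREFIX"}" ;;
        *) echo "reject: unexpected path '$path'" >&2; return 1 ;;
    esac
    version="${tail%%/*}"; tail="${tail#*/}"
    archdir="${tail%%/*}"; file="${tail#*/}"
    # The links use arch=x64, the final path uses amd64 (see the URLs above).
    case "$arch" in x86) want="x86" ;; x64) want="amd64" ;; *) want="" ;; esac
    case "$version" in
        ""|*[!0-9.]*) echo "reject: bad version '$version'" >&2; return 1 ;;
    esac
    if [ -z "$want" ] || [ "$archdir" != "$want" ]; then
        echo "reject: directory '$archdir' does not match '$arch'" >&2; return 1
    fi
    case "$file" in
        mpam-fe.exe|mpas-fe.exe) printf '%s %s\n' "$version" "$file" ;;
        *) echo "reject: unexpected filename '$file'" >&2; return 1 ;;
    esac
}

# legacy_name FILENAME ARCH: name the existing installation scripts expect.
legacy_name() {
    case "$2:$1" in
        x64:mpam-fe.exe) echo "mpam-fex64.exe" ;;
        x64:mpas-fe.exe) echo "mpas-feX64.exe" ;;
        *) echo "$1" ;;
    esac
}
```

A download script would call check_final_url first and only then run wget, so that a redirect to another host or to a file such as "foo.bar" stops the run instead of landing in the client directories.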

Re: Definition updates for Windows Defender Antivirus and ot

Postby Matjes » 09.04.2019, 07:58

Microsoft Security Essentials has been updated:
Code:
Microsoft Security Essentials
https://www.microsoft.com/en-us/wdsi/definitions

32-bit
https://definitionupdates.microsoft.com/download/DefinitionUpdates/VersionedSignatures/AM/1.291.1457.0/x86/mpam-fe.exe

64-bit
https://definitionupdates.microsoft.com/download/DefinitionUpdates/VersionedSignatures/AM/1.291.1457.0/amd64/mpam-fe.exe


Regards, Matjes :-)
Matjes
 
Posts: 76
Joined: 16.06.2010, 17:56

Re: Definition updates for Windows Defender Antivirus and ot

Postby WSUSUpdateAdmin » 09.04.2019, 10:49

Hi!

I didn't see that they built the version number into the "deep link" URL...
I'll fix that.

Best regards, Torsten
WSUSUpdateAdmin
Administrator
 
Posts: 2245
Joined: 07.07.2009, 14:38

Re: Definition updates for Windows Defender Antivirus and ot

Postby Fred928 » 09.04.2019, 20:09

Good evening,
I would like to thank hbuhrmester greatly for the script published on 07 04 2019; it allowed me to update the virus databases of isolated posts directly using wsusoffline.

It is surely necessary to foresee, in the next version of wsusoffline, to stop using the x64 format and to just have the new multi-architecture name (mpam-fe.exe or mpas-fe.exe).

You can close the subject if you do not find it useful.
A big thank you to all, nice team
Fred928
 
Posts: 4
Joined: 04.04.2019, 20:30

Unnecessary DNS resolution error using proxy

Postby vcarrer » 09.05.2019, 15:16

Unnecessary DNS resolution error using proxy.
When proxies are used, the DNS search is performed by the proxy. It is assumed that behind a proxy there is no DNS resolution.

Renaming file ..\client\msse\x64-glb\nis_full.exe to nis_full_x64.exe...
Cleaning up client directory for Microsoft Security Essentials...
Downloading/validating Windows Defender definition files...
--2019-05-09 09:55:28-- http://go.microsoft.com/fwlink/?LinkID= ... E5EB378092
Connecting to 10.20.0.50:3128... connected.
Proxy request sent, awaiting response... 302 Found
Location: https://www.microsoft.com/security/ency ... E5EB378092 [following]
--2019-05-09 09:55:28-- https://www.microsoft.com/security/ency ... E5EB378092
Resolving http://www.microsoft.com (http://www.microsoft.com)... failed: Éste es normalmente un error temporal durante la resolución de nombres de host y significa que el servidor local no recibió una respuesta de un servidor autoritativo. .
wget64: unable to resolve host address 'www.microsoft.com'
Warning: Download/validation of Windows Defender definition files failed.

Skipping unneeded determination of superseded updates.
Determining static update urls for win glb...
Last edited by vcarrer on 10.05.2019, 12:54, edited 1 time in total.
vcarrer
 
Posts: 1
Joined: 09.05.2019, 13:35
