Malwarebytes stumbles with false positive on KB 3197868, the Win7 November Monthly Rollup

Topic

New Reply

Thanks to SC for the heads up. Looks like those of you running Malwarebytes on a Win7 system using Group A updating are in for a rocky ride. Symptoms
[See the full post at: Malwarebytes stumbles with false positive on KB 3197868, the Win7 November Monthly Rollup]

Reply | Quote

Replies

“Malwarebytes stumbles with false positive…”

“This false positive was caused by Microsoft not digitally signing over 500 files included in “November, 2016 Security Monthly Quality Rollup for Windows 7 and Windows Server 2008 R2 for x64-based Systems (KB3197868)”.”

Really?? “Malwarebytes stumbles”?

I’d trust MB any day over microsoft…MB did its job, it flagged microsoft’s 500 unsigned certificates.

Microsoft, and its partisans, want users to allow microsoft free reign (Group A) to download and install patches every month based on the good faith that microsoft knows what it is doing? That’s laughable, really, based on everything we’ve seen over these last many months.

How does a company, so concerned with security, forget to digitally sign 500 certificates? And how does Malwarebytes get blamed for that?

This new MS patch system is a disaster waiting to happen.

Reply | Quote

I’m Group A and installed this update the day you went to Defcon 3. As usual, Window Updates take a very, very long time to download and install updates except for Windows Defender. I just keep the update running during the night and in the AM it has been installed. Anyway, I have Malwarbytes on Win 7 and did not have this problem. Maybe this was occurring and fixed before your Defcon 3 notice.

iPhone 13, 2019 iMac(SSD)

Reply | Quote

I used to be a dedicated Malwarebytes user. About 2 years ago I learned of an alternative ADWcleaner. ADWcleaner is faster and I think better at cleaning up unwanted malware. It is a scanner, not an application.

I should note that Malwarebytes has taken over ADWcleaner recently.

I have seen instances in which Malwarebytes ver 2 and up have conflicted with legitimate AV systems. When the came up with ver 2, they graduated to a sort of AV in and of itself.

Consequently, I have removed Malwarebytes from all my clients’ PCs and regularly use ADWcleaner.

Reply | Quote

Someone please correct me if I’m wrong but this seems to me to be a “stumble” by Microsoft, not Malwarebytes. Shouldn’t an anti-malware program trigger on an unsigned file being installed on the system?

Reply | Quote

It isn’t just Group A. I had a problem with my machine refusing to shut down last night. When I rebooted and later shut down the computer, the problem had disappeared; but this is the first time in several years of owning this computer that it ever refused to shut down (Windows 7, SP1, Pro).

Reply | Quote

Debatable. Certainly Microsoft should’ve signed all the files. Whether Malwarebytes should hiccup on that – open to discussion.

Reply | Quote

This is a Group B computer running Malwarebytes?

Reply | Quote

There’s been a problem with conflicts between MS security products (MSE in particular) and MBAM. At the worst case, it’s killing the boot, but ror me, it was slowing down MBAM scans by a factor of 2 or 3.

The support forum thread on this is:

https://forums.malwarebytes.org/topic/190771-malwarebytes-and-microsoft-security-essentials-conflicts/

with advise on what to do to mitigate the problems. By doing this, I was able to get threat scans working correctly, but custom scans (looking at everything, and a rootkit check) still take a long time. (about 2X before MS released the Friday morning virus definitions.)

Reply | Quote

I’m a novice at this so I hope I’m explaining my situation clearly enough. Background: Even though I keep opting for the “never check for updates” my computer defaults to ” check but let me decide…” When I installed the November update (Window 7/64) I chose the link provided by Woody. This had 88 Mb. The one that was suggested by Windows update had 134 Mb. So I wonder what extra things were included in that update. When I check the update history, I have a file KB3197867 (note the 7) installed. So far I have not had any of the problems described. I’m still curious about what was bundled in the KB3197868 which is still on the list of important updates on my computer.

Reply | Quote

Just my opinion, but I don’t see the need for Malwarebytes real-time protection.

I have been running their free on-demand scanner-only version for years without issues.

I believe that for a stable Windows system, to avoid conflicts, it is essential to only run one real-time protection system that you like and trust.

Then run as many on-demand second opinion scanners as you feel is necessary.

Anti-virus/anti-malware is really only useful as an alerting system to the fact that you have been compromised. Once you have ruled out false positives and confirmed the infection, you need to move to plan B.

Bottom line, cleaning up an infected system is debatable as far as effectiveness, and can be very time consuming.

My plan B is to restore my system from an image taken prior to the compromise. That also works if my system is ever crippled by my dumb*** AV software

Reply | Quote

I still use MBAM ver 1.75 because it has served me well and doesn’t have the extra problems that seem to come with ver 2. I also stick to the free version as that requires manual scanning rather than running in the background, again safer in my view so far as possible conflicts are concerned. Very importantly it also allows manual quarantining whereas the paid versions do not allow any effective means of avoiding automatic quarantining and the dangers of false positives that can wreck a system. I run a quick manual scan twice a week for malware with MSE running in the background as my AV protection.

Reply | Quote

My shutdown went from 15 secs to 5 minutes. It was caused by MalwareBytes Anti-Ransomware. The workaround is to bring up the Anti-Ransomware Dashboard and then click on “Stop protection”. Either that or stop the MB3Service.

Reply | Quote

Group B (security patch only) with MWB Pro and no problems to date. Let’s hope it continues that way.

Win10 22H2 Pro, MBAM Premium, Firefox, OpenOffice, Sumatra PDF.

Reply | Quote

This is way past “waiting to happen.” It has happened and it will get worse.

I have made a decision on the A, B, C thing. It is a hybrid.

Essentially C with .net and office using WU, with a plan to review later and decide if a switch to A is important enough to make. B is an impractical alternative for the vast majority of people.

Read about it at:
https://answers.microsoft.com/en-us/windows/forum/windows_7-update/windows-update-how-will-it-change-your-system/6d2ee7f8-908f-4ddb-8fd9-1eab55773141?tm=1476461665170

Reply | Quote

Thanks, SC. Looks like Malwarebytes has a big problem on their hands – and I bet they’re none too happy with Microsoft and its unsigned files.

Reply | Quote

KB3197867 is the “Group B” Security-only update.

KB3197868 is the “Group A” Monthly rollup, which contains both security and non-security patches. See http://www.infoworld.com/article/3128983/microsoft-windows/how-to-prepare-for-the-windows-781-patchocalypse.html

What’s in the non-security part of the Monthly rollup? There’s a web page here

https://support.microsoft.com/en-us/help/22801/windows-7-and-windows-server-2008-r2-update-history

which gives details in two different places. Ultimately, you can see that the non-security part of this month’s Monthly Rollup includes

This update includes security updates and quality improvements. No new operating system features are being introduced in this update. Key changes include:

Security updates to Microsoft Graphics Component, kernel-mode drivers, Microsoft Video Control, Common Log File System driver, Windows authentication methods, Windows operating system, Windows File Manager, Windows registry, OpenType, Internet Explorer 11, and Windows Component.

and

This update also includes these new quality improvements and is a preview of the next Monthly Rollup update:

Addressed issue with revised daylight saving time.
Addressed issue that prevents pushed-printer connections and printer connections from trusted servers from being installed in Point and Print scenarios after installing MS16-087.
Added a new Root Certificate type needed to support Catalog V2 for Windows 7 Embedded systems.
Improved support to specify proxy and enable upload of telemetry and download of settings in an authenticated proxy environment.

as well as the non-security part of the preceding Monthly Rollups.

A lot of effort for not a whole lot of info, eh?

Reply | Quote

@Canadien Tech,

“It has happened and it will get worse.”

I agree…and when it happens, it’s going to be a semi-disaster and it will be widespread. I don’t wish to be overly dramatic, but it’s going to be home users, Group A, that are going to get hurt first.

I have made a similar decision as well…I am group C…with .NET Security Only updates from the catalogue the exceptions.

Somebody has to say enough is enough…

Reply | Quote

Thank you. That’s very helpful. I have counted on this site to help me navigate since Microsoft started pushing Win 10.

Reply | Quote

It shouldn’t take so long to scan and update if you have KB3172605 installed.
Do you have a lower spec computer?

Reply | Quote

My experience as a Group B (installed KB3197867 on Nov 15th). Windows 7 Pro 64bit, MSE, MBAM Pro 1.75, and MBAE. Serious issues began for me on Nov 18th after updating MBAM and MSE and then rebooting. By serious I mean painfully slow, taking 10+ minutes to get to the desktop and after getting to the desktop the system acted hung. By waiting a long time (several minutes) for each command, I was able to make changes to disable active MBAM protections gaining control over the OS. There is information on the MBAM forum to help those currently having problems.

Reply | Quote

Have a link?

Sounds like 3197867 wasn’t as benign as I thought.

Reply | Quote

So is your advice getting revised to hold off updating for now?

Reply | Quote

Here is the link, be sure to read past page 1, advice was revised/updated later in the post.
https://forums.malwarebytes.org/topic/190771-malwarebytes-and-microsoft-security-essentials-conflicts
I wonder if there is more than one issue going on, since I did not experience any problems right after installing the update kb3197867. My issues occurred 3 days later on Nov 18th the only changes on that date were the update of MBAM at 11:13 am and MSE at 12:25 pm. This is very puzzling – hope it gets resolved soon.

Reply | Quote

Interesting. Thanks.

Reply | Quote

No. Malwarebytes has bypassed the issue.

I’m embarrassed, though, that I didn’t pick up on the problem before moving to MS-DEFCON 4. Usually stuff this big shakes out very early in the cycle – I didn’t wait long enough.

Reply | Quote

Woody, The problem was not your defcon rating or waiting log enough. You did fine. The MS Updates appeared on the 8th and these malwarebytes – MSSE issues happened on the 18th, or a week later. Other users are doing fine with 3197867. Maybe an MSSE update?

Reply | Quote

@Louis,

Re: “Really?? “Malwarebytes stumbles”?
I’d trust MB any day over microsoft…MB did its job, it flagged microsoft’s 500 unsigned certificates”

Yes, Microsoft was the one that stumbled, by making a stupid error;
Malwarebytes was simply working accurately.

Reply | Quote

I’m thinking that consumer-grade Windows is essentially “abandonware.”

Sure it’s still “supported” but that’s similar to someone who’s received a lethal dose of radiation. Even though they’re not dead yet… the bottom line is their time is running out.

Reply | Quote

@Canadian Tech,

Thanks for your update about what you have decided to recommend to ordinary computer users.

I am not sure if you have mentioned this somewhere else – if so, I have missed it (due to how easy it is here to miss new posts) — is there a specific alternative browser that you are recommending that your people switch to from Internet Explorer?

Reply | Quote

@Seff: I use the paid version of MBAM 2 (though not always with the real-time protection turned on). Actually, there is an option in the “Advanced Settings” to disable “Automatic quarantine of detected items”. Like you do, I use MSE as my anti-virus. Never had any conflicts.
I’m still a fan of MBAM. However, it started very recently to flag as PUP a safe and known program that has been installed in my Win7 laptop for years but I can excuse this occasional hiccup.

Reply | Quote

The MalwareBytes Anti-Ransomware is still beta. I think we should not use security programs in beta phase.

Reply | Quote

Are you still keeping it on “4”?

Reply | Quote

Understand that my problem of the shutdown delay mentioned above was caused by the Anti-Ransomware(beta) not Anti-Malware.

Reply | Quote

@Louis,

Is it pretty easy to know which .NET security-only updates from the Catalog are correct for one’s computer, or would that be something that only a ‘techie’ would know about?

Reply | Quote

Well,
MSW7 Pro x64,
Installed KB3197867 11/18 @ 10:52am;
Manual run of MWB V2.2.1 @7:21pm.
No problem seen.
Hypothetically speaking, would it be possible for someone were come up with a method to break the rollups into there KB update components for individual installation?

Reply | Quote

Woody, I think you are OK.
It was not MS-DEFCON 5

Reply | Quote

As far as I can tell, it’s a separate problem. I had not installed KB3197867, but after I got the MSE update Friday morning (it was the first of the 1.233.xxx definition updates), my MBAM threat scan went to pieces. I’m on MBAM 2.2.1, and the problems seem less severe than the 1.8 Pro versions.

From the thread, other MS security products caused the same issue, so it looks like they did something in the new series of definitions that screwed things up for Malwarebytes. Last I looked, there hadn’t been a published response from MS, though they were in touch.

Reply | Quote

@Louis & Canadian Tech – Any update system that does not allow fine grain control of the process will lead to a disaster. Louis, I agree, home users will be the hardest hit as they do not have the skills to fix the inevitable problems. People reading AskWoody are typically more advanced and usually have these skills. If MS thinks we are the typical user they are sadly mistaken.

Reply | Quote

How do u know it was not intentional? Think what could have motivated it.

Reply | Quote

Reply | Quote

Abbodi has already done this, but for just one rollup.

Reply | Quote

As I understand it, Windows Update goes through some pretty complex steps to determine which .NET updates to show.

Reply | Quote

Yep.

Reply | Quote

Yes, but the Malwarebytes announcement and discussion seem to cover Anti-Malware as well.

Reply | Quote

Maybe its like a no fault car collision? Both should have seen it coming

Reply | Quote

I apologize if this has already been answered (I did check through previous comments), but does this affect users of the Free version of Malwarebytes Anti-Malware?

I last updated the database and ran a threat scan on 11/17 and did not have any “positives” and haven’t had any problems.

– Win7 Home Premium user, “Group A” and 3197868 was installed on 11/15. I use Avast (which disables Windows Defender) and just run MBAM free on-demand once a week or so.

Reply | Quote

It’s better than nothing.

Reply | Quote

I am group A and have a laptop (windows 7) with MBAM and a Lenovo tower (windows 7 Pro) with MBAM and MBAE. I always update the laptop first so did this at the weekend. Updates were quick and I thought all was well until booting again later in the day when I was left with a blank screen. Rebooted in safe mode and seems to be booting ok again now. If I update my MBAM files is it likely to create problems again?
I have not applied Nov updates to my Lenovo tower yet. Think I will hold off for a while. I am definately non techie so looking at Malwarebytes forum the suggested workrounds are confusing me.

Reply | Quote

Not all system files get individually digital signed, that’s security catalogs files job

btw, security-only update contains exactly the same bits as monthly-rollup in regarding to security fixes
so the issue “if it’s actually Microsoft fault” would effect both Group A & B

Reply | Quote

Yikes.

It looks like some large installations with Malwarebytes Anti-Malware are having a very hard time getting the “fixed” version of MBAM installed. https://forums.malwarebytes.org/topic/190771-malwarebytes-and-microsoft-security-essentials-conflicts/?page=2

Reply | Quote

Based on what I’ve seen on the Malwarebytes forum, my guess is that you should update Malwarebytes prior to installing the Group A November Rollup.

See https://forums.malwarebytes.org/topic/190771-malwarebytes-and-microsoft-security-essentials-conflicts/?page=2

https://support.malwarebytes.com/customer/portal/articles/2647220-what-can-i-do-if-i-have-been-affected-by-the-kernel32-dll-false-positive-?b_id=6442

I don’t know how widespread the problem is, and I’m updating the post right now.

Reply | Quote

If you aren’t showing any symptoms, I’m sure you’re not affected.

Reply | Quote

That’s likely the case. I don’t think there’s a clear “culprit” here. My main concern is that people understand what’s messing up their machines – and how to fix them.

Reply | Quote

Am I right in saying that the problem with MWB only occurs if MSE is being used as well? I’m also running MWB AntiExploit but don’t use MSE and have experienced no issues so far. (I may regret that statement!)

Win10 22H2 Pro, MBAM Premium, Firefox, OpenOffice, Sumatra PDF.

Reply | Quote

I don’t know. Wish I did!

The discussion on the Malwarebytes forum would lead me to believe that it’s a conflict between Malwarebytes Anti-Malware and the Nov. Win 7 updates. But there doesn’t seem to be a detailed discussion of the symptoms, or the exact source of the conflict. It’s also not clear if this is a minor problem or something more far-reaching.

What is clear: Malwarebytes says the problem’s been fixed. So if you update Malwarebytes AM and AE, you’ll be fine.

Reply | Quote

I have MWB scheduled to scan every day and it checks for updates regularly, so either I’ve been lucky on the timing or it’s ‘cos I’m not running MSE.

Win10 22H2 Pro, MBAM Premium, Firefox, OpenOffice, Sumatra PDF.

Reply | Quote

@Woody,

Really,….how is the average user supposed to deal with those instructions from the Malwarebytes forum? Are techies living in a bubble when it comes to home users?

Until MS released the november updates, including MSSE, there were no issues with MB and users machines.
There were no Bluetooth problems until KB3172605 was installed (which basically HAD to be installed to deal with the MS problem of getting update scans back to normal) and then Bluetooth was either broken on your machine and you had normal scans, or, you kept your Bluetooth and had multiple hour scans for updates.

First it’s Intel’s fault, then it’s Malwarebyte’s fault. It’s a pattern, and yet we, users, keep trying to normalize this irresponsible microsoft behavior and place blame everywhere and anywhere else.

It’s time for serious consideration for Group C, not as an outlier, but as a real, viable alternative for the average home user ( see CanadienTech’s users). With helpful hints from Woody, and other knowledgeable AskWoody readers, people should be given not only the option of moving to Group C but advice, directions and counsel on the safest way to do so and how to maintain it.

These Malwarebytes / MS, MS / Bluetooth conflicts weren’t the first and, with the new patch system, won’t be the last. May I humbly suggest that InfoWorld/AskWoody do a full article on what it takes to become a “responsible” member of Group C; if/how to scan for updates, what second line of defenses should a user use, explaining how to use VirusTotal, the Google online URL virus checker, hints about user behavior changes that would be required as a Group C member…etc.

I’d very much like to see an article like that and I’m sure there are countless other who would as well.

Thanks for the soapbox.

Reply | Quote

I don’t see what the Malwarebytes problem is all about. I am using it in my Win7 x64, Group B, system and it is and has been working quietly and effectively.
So what the heck is going on?

Reply | Quote

My only criticism of Malwarebytes on this occasion is the complete lack of up-front information about it. You really have to dig deep on their forum and knowledge base to find any reference to recent problems and it isn’t clear at all whether the problem affecting a false positive alert on the kernel32.dll file and the slowdown problem affecting MSE are different problems or one and the same.

It’s also not clear whether these problems relate solely to MBAM Business Version 1.8 or whether the domestic 1.75 and 2.x versions are affected too. The only forum reference I can find is under the Business section and specific comments seem to be related to ver 1.8 which is a purely business application as I understand it.

It seems to me that the clear moral of the tale is that everyone should hold back on installing monthly Windows Updates for at least not less than two weeks after Patch Tuesday so as to allow time for such problems to become apparent and in order to give all other application developers time to ensure continued compatibility between their products and Windows.

Reply | Quote

+1

I, too, am remiss for giving the go-ahead before I became aware of the Malwarebytes problem. Had I known about it, I would’ve stalled MS-DEFCON 4. As it stands, though, simply updating Malwarebytes eliminates the problem, so we’re sticking with MS-DEFCON 4.

Reply | Quote

No idea, really. Documentation on it is sketchy….

Reply | Quote

No, Poohsticks, I have not selected a browser to recommend. Most of my clients already have Chrome installed even if they do not use it because of the saturation campaigns both Java and Adobe have conducted over the past years. Every time there is an update (many), you get something else unless you specifically reject it. Chrome is one of the most common of these.

However, I understand from Woody and other people I admire that Firefox is their choice.

I have concerns with both of these for ordinary people because of things I have read about add-ons that can lead to problems.

I am very interested in advice on this topic.

Reply | Quote

This “solution” is very popular on the Microsoft Forum. It describes how to make WU work faster.

http://answers.microsoft.com/en-us/windows/forum/windows_7-update/windows-7-update-solution/f39a65fa-9d10-42e7-9bc0-7f5096b36d0c

Reply | Quote

I’ve been posting and following the MSE/MBAM conflict thread, and the following things have been clear:

On the home version of MBAM (2.x), some scans go south when MSE is updated to the 1.233 series of definitions. (Other MS security products have been involved, especially Defender.) Applying the exclusions to MSE will fix the threat scans, but custom scans will take a long time. In my case, going through the Windowswinsxs directory takes 2 hours with the slowdown.

The business versions of Malwarebytes products get the massive slowdowns at boot. The exclusion process works, too, but apparently not perfectly.

Again, this problem is separate from the November rollups, either group A or B. They showed when MSE was updated.

And yeah, Malwarebytes can be a pain when things go wrong…

Reply | Quote

Thank you Louis. I am in complete agreement.

Reply | Quote

Isn’t a little bit surprising that they say KB3197868 lack the digital signing, then they instruct users to download the same update and extract/replace files from it?
i would say the whole issue is Malwarebytes fault, otherwise, why no other AV products had it?

Reply | Quote

Actually, I use both, and have both open all day, every day. I do work on InfoWorld and AskWoody in Firefox, and my mail (Gmail), Twitter, calendar, RSS feeds in Chrome.

No particular reason why. It’s just easier to balance them on the screen that way, and my fingers have grown used to the differences.

Reply | Quote

Thanks @Dimk. My understanding of the setting to disable automatic quarantine in the paid ver 2.x is that it gives you a matter of seconds only in which to opt out of the quarantine, and failing which it goes straight into quarantine. That’s why I said it lacks an “effective” means of avoiding automatic quarantine because it necessitates you staring at the screen continuously – nip out of the room to make a coffee and you’ll miss any notification and chance to opt out. As I say, that’s my recollection of the way it operates but maybe either I’m wrong or they changed it.

Reply | Quote

Thanks for the advice

Reply | Quote

From what i noticed, the morning people started having this problem, miscrosoft had released a engine update for MSE, could that be the cause for the conflict? would be interesting to see if those afflicted could check their eventlog for thatand see if the timelines are related

have not seen anything mentioned other then the definition they had when it started 1.233.51.0

but in my evenviewer i see the mse engine was updated at same time as that update to 1.1.13303 from 1.1.13202 and looking at the malwarebytes forum its the same time people started having issues. this being the crash and slowdown issues, not the kernel false positive one

Reply | Quote

But what would such a Group W bench post look like?

I refrain from recommending Group C (or B- or W) because I’m genuinely concerned that someday there’ll be a killer hole in Win7 that’s patched, but used to take over the universe.

Reply | Quote

That certainly could be the source of the problem.

Of it’s possible that some of the symptoms (there are many) are caused by one set of circumstances, and other by a different set of circumstances.

Or it’s possible that the latest definitions for Malwarebytes get rid of all of the problems, and this was just a temporary blip that few witnessed and even fewer understood.

I sure hope Malwarebytes gets this sorted out and documented.

Reply | Quote

Good point.

Reply | Quote

The key here is that there is an easy fast way back to A. As I now understand it, and it was confirmed by you, I can at any time in the future, switch to group A by simply invoking Windows Update fully.

That means I can move to group C and wait and see what happens. It may turn out that there are no serious problems at all. Or, it may turn out that there are serious problems, in which case I can easily and quickly move back to the mainstream. My best guess is that Windows 7 in an unpatched state will work just fine for the vast majority.

I discount B because it is too complicated and risky for the vast majority of people.

Reply | Quote

I believe that the switch to Group A really is that easy.

But that means those in Group C need to remain ever vigilant for a hair-trigger call to arms. Not an ideal scenario.

Basically we’re caught between a rock and two hard places, eh?

Reply | Quote

@louis Completely agree.

Reply | Quote

@John W
Are you more than a regular (power) user, i.e are you working in IT?
I have been reading your posts here for a while and I consider that they should be taken as perfect example of how Windows should be maintained.
Most other posters just try to find faults and complain about something, while their systems are not working in part because of their actions.

Reply | Quote

Hypothetically speaking, it would be possible for someone to come up with a method to compromise rollup update components.
According to https://support.microsoft.com/en-us/kb/3185330
October, 2016 Security Monthly Quality Rollup for Windows 7 (KB3185330) http://download.windowsupdate.com/c/msdownload/update/software/secu/2016/10/windows6.1-kb3185330-x86_6322ad8e65ec12be291edeafae79453e51d13a10.msu
SHA1 hash should be 144DCA4FE73AE9B7E9A1BCE1F331F2D97D019377 Doesn’t match

According to https://support.microsoft.com/en-us/kb/3185330
October, 2016 Security Monthly Quality Rollup for Windows 7 for x64-based Systems (KB3185330) http://download.windowsupdate.com/c/msdownload/update/software/secu/2016/10/windows6.1-kb3185330-x64_8738d0ef3718b8b05659454cff898e8c4f0433d7.msu
SHA1 hash should be: A321E5CCA6A4415D4CBF1F7D34D86690B2BB14B0 Doesn’t match!

According to https://support.microsoft.com/en-us/kb/3185331
October, 2016 Security Monthly Quality Rollup for Windows 8.1 (KB3185331) http://download.windowsupdate.com/c/msdownload/update/software/secu/2016/10/windows8.1-kb3185331-x86_c08624c0d240816b3b4555fd1a40ca7762df63e2.msu
SHA1 hash should be: C08624C0D240816B3B4555FD1A40CA7762DF63E2 Match.

According to https://support.microsoft.com/en-us/kb/3185331
October, 2016 Security Monthly Quality Rollup for Windows 8.1 for x64-based Systems (KB3185331) http://download.windowsupdate.com/c/msdownload/update/software/secu/2016/10/windows8.1-kb3185331-x64_002b4adeeedca7cd33b827b6531a0ebee9c0d404.msu
SHA1 hash should be: 002B4ADEEEDCA7CD33B827B6531A0EBEE9C0D404 Match.

According to https://support.microsoft.com/en-us/kb/3197868
November, 2016 Security Monthly Quality Rollup for Windows 7 (KB3197868) http://download.windowsupdate.com/c/msdownload/update/software/secu/2016/11/windows6.1-kb3197868-x86_654e073e00c76a3a7dd01dee8fc2e4fb9a75c931.msu
SHA1 hash should be 654E073E00C76A3A7DD01DEE8FC2E4FB9A75C931 Match.

According to https://support.microsoft.com/en-us/kb/3197868
November, 2016 Security Monthly Quality Rollup for Windows 7 for x64-based Systems (KB3197868) http://download.windowsupdate.com/d/msdownload/update/software/secu/2016/11/windows6.1-kb3197868-x64_b07be176e165c11b9ccbcf03d014b2aef9a514b6.msu
SHA1 hash should be B07BE176E165C11B9CCBCF03D014B2AEF9A514B6 Match.

According to https://support.microsoft.com/en-us/kb/3197873
November, 2016 Security Only Quality Update for Windows 8.1 (KB3197873) http://download.windowsupdate.com/c/msdownload/update/software/secu/2016/11/windows8.1-kb3197873-x86_b906109f30b735290a431fdc8397249cfcc3e84b.msu
SHA1 hash should be B906109F30B735290A431FDC8397249CFCC3E84B Match.

According to https://support.microsoft.com/en-us/kb/3197873
November, 2016 Security Only Quality Update for Windows 8.1 for x64-based Systems (KB3197873) http://download.windowsupdate.com/d/msdownload/update/software/secu/2016/11/windows8.1-kb3197873-x64_cd0325f40c0d25960e462946f6b736aa7c0ed674.msu
SHA1 hash should be CD0325F40C0D25960E462946F6B736AA7C0ED674 Match.

Reply | Quote

Step 1) Compromise Windows Update Catalog
Step 2) Use some tricks to deliver malicious payload in the October Patches, which will allow installing unsigned system files. https://www.youtube.com/watch?v=yG4wj_0iVkQ#t=02m33s
Step 3) Infect the Windows 7 PCs which are used by the KB Support site maintainers. –> Compromise https://support.microsoft.com/
Step 4) Include an unsigned Kernel32.dll (which Microsoft guidelines would never allow).
Step 5) Convince Malwarebytes to treat it false-positive.

Reply | Quote

I’d like to rename Group C to W for Wait and See.

There seems to be huge turmoil with WU right now. Its hard to know the right timing and the screw-ups are coming fast and many. The Wait and See (Group W) makes all kinds of sense. At least wait till this mess straightens its self out.

Reply | Quote

HA! Love it. Sittin’ on the Wait and See bench…

Reply | Quote

I thought the “wait and see” would appeal to you, Woody. What do you mean by see bench…?

Reply | Quote

@Woody, @CanadienTech…

I don’t know if going from Group C to Group A is really that easy. If a Group C person decides a couple of months down the road they need to get to group A, one would have to go the catalogue and download all the W7 Security Only updates and install them -as far as I understand it- in the correct order. Depending on how long one has been a C member, that could mean a bunch of downloads and installs while “unprotected”.

If we run into a situation where Group C MUST get to Group A because of a nightmare exploit scenario, turning on Windows Update only sets us back to the beginning, which we were originally trying to get away from; forced acceptance of the dreaded Rollups. That could mean telemetry, BSODs, compromised software and who knows what else…

The “for now solution” that I’ve decided on as a Group C user is, each month I have downloaded the Security Only update (W7 SP1) from the catalogue and have placed them (october and november thus far) in a doomsday folder. If word gets out about a nightmare exploit I’ll disconnect from the internet and spend however many hours installing the Security Only Updates one at a time and hope for the best. That is my fall back approach, if needed. No guarantees it’ll work but it’s the best idea I’ve had thus far.

(And I do not have great confidence in what might take place installing multiple 75-150mb security updates one after another but I also don’t have confidence installing individual monthly Security Updates as they are released even after an AskWoody green light. There is no method with MS updates that one can be confident about. And that’s really the essence of the problem).

Keep in mind, I had previously mentioned I am currently installing .NET Security Only updates from the catalogue.

Now, all that being said, I have previously pointed out that I have a friend who is an IT guy and a lawyer, and he has been telling me for years, “don’t do any windows updates”. And he has followed that practice himself all the way through W8.1 with NO problems. (And CanadienTech seems to support that idea and both of them are way smarter than I am).

The irony is now that my friend has moved to W10 he really can’t follow his own advice.

Bottom line…I believe we need a step by step guide on how to be a “responsible” Group C user…and I do believe that Group C can be done. It’s the best way to do group C that needs to be talked about and refined.

Reply | Quote

Classic man-in-the-middle attack. It’d be interesting!

Reply | Quote

I described this in some detail in my update to this discussion on the Microsoft Answers Forum:

https://answers.microsoft.com/en-us/windows/forum/windows_7-update/windows-update-how-will-it-change-your-system/6d2ee7f8-908f-4ddb-8fd9-1eab55773141?tm=1476461665170

Reply | Quote

Ah, but the procedure you describe in the first paragraph goes from Group W&C to Group B.

Going to Group A is as easy as installing the latest Monthly Rollup. I’m sure Microsoft thought of that when they came up with the framework.

I’ll certainly consider writing up the Group C patching/non-patching approach, but I have to have some meat to it.

Reply | Quote

It’s a takeoff on “Group W bench” – Arlo Guthrie. Group W&C bench has a ring to it…

Reply | Quote

Woody, the meat I recommend I in that link I gave you a few moments ago. Here it is:

It now appears that B is an impractical strategy for 99% of users. And, here is the reason why: When an error is made in a security-only update, if the error turns out not to have a security affect, it may be corrected in a non-security update. In that case if you were following B strategy, you would be left with an un-corrected defective update installed on your computer. If you were extremely diligent and knew about it, you may be able to get the correction in specific cases. This would entail an extreme amount of diligence that few would be willing or able to provide.

The new rollup style of updates that Microsoft is now providing to what we would call Group A, which include all kinds of updates (security and non-security), are cumulative. That means if you miss a month or even more, it will not matter because by installing the latest month’s rollup, you would be up to date.

NOTE well, that Security-only updates are NOT cumulative. Which means if you miss a month, you may never get the missed updates.

So one strategy that you may wish to consider is following Group C, but still updating .net and Microsoft Office through Windows Update, but installing no Windows updates at all. It would be advisable in this case that you stop using Internet Explorer because you would not be getting those updates, but instead use an alternative browser.

Then, after following this strategy for some time, if things take a turn for the worse, and you decide you made the wrong choice (Group C with .net an Office updates), you can easily shift to A by simply using the latest offered Rollup offered in Windows Update.

So, as things have evolved, it looks like the vast majority have really only two choices: A as described above or C (modified as described above). The good news is that if you follow the modified C strategy, you have a way back to the Microsoft way, that is easy to implement.

Reply | Quote

OK if I publish this as a main blog post?

It’s well thought out and succinctly presented. I don’t agree, but that isn’t the point…

Reply | Quote

Woody, ran out of Reply links.

That’s great that you would publish it. However, I would really like to understand why you disagree.

Reply | Quote

“Ah, but the procedure you describe in the first paragraph goes from Group W&C to Group B.”

Anyone in Group W&C is in there because they don’t want to be in Group A. So, if a W&C user has to get out of W&C they, like me, would want to go to Group B.

I mean, this all started because no one wanted to be in group A to begin with, for any number of reasons. And those here, who decided on being in Group A went there very reluctantly.

“Going to Group A is as easy as installing the latest Monthly Rollup. I’m sure Microsoft thought of that when they came up with the framework.”

OK…let me be frank. Do you really believe a W&C user who has been W&C for 12 months is going to survive installing the latest monthly rollup (in this case the 13 month)? That rollup could be at least 5-10GB, if not more. I would never call moving to group A from W&C through the latest Monthly rollup easy. That is a potential nightmare. And imagine a small business with 20-30 machines which have been W&C going through that procedure? How willing would the owner be to do 5GB Rollup update on all their machines?

I have no answers…and I participate here hoping to find some. I have found answers here in the past but somehow I think this time may be different.

Reply | Quote

The answer is the one you gave. To go from Group C to Group B involves manually downloading and installing all of teh Security-only updates that you’ve missed.

Not for the faint of heart.

Reply | Quote

Let me cogitate on it overnight….

Reply | Quote

Thank you. That is what I feared.

Reply | Quote

I wondered about that:
why is Malwarebytes the only program that seems to have had this problem with Microsoft’s unsigned files?

But maybe it’s because they are more careful than their competitors?

…Even if something seems to be from a trusted source, if not everything is perfect with it, then it is reasonable to flag it as a potential problem.
Otherwise, if they let imperfect things “slip” through because they appear to be from reputable companies, it would be easier for malevolent hackers to get something past the defenses.

Reply | Quote

@CH100,

Re: “Most other posters just try to find faults and complain about something, while their systems are not working in part because of their actions.”

That is not true.
You are mischaracterizing most of the readers and contributors of AskWoody.com.
You are misunderstanding most of their situations and positions.
You are blaming them for more than they are responsible for, while you absolve Microsoft of many issues that it is either knowingly or mistakenly causing.

AskWoody.com is a place that Woody set up for people come to ask for computer help.
That’s why it is called “ASK Woody”.
It is not set up to be a place for people to come and praise Microsoft and say that their computer system is working great.
This crucial fact might help you realize that your repetitive, smug criticism that the other contributors of AskWoody.com seem to “find faults and complain” is like criticizing the Microsoft Support Forum for mainly having threads where people are seeking support for problems with their Microsoft computers.

Reply | Quote

Below his blogpost about it, I remember asking Woody why he didn’t mention group C/W in his major InfoWorld article about the choice between the Group A and B paths. He didn’t respond to that particular question, I don’t think, but I assumed his reason for leaving out the option of Group C was that the problem with telling the ‘general public’ (via a site like InfoWorld.com) or even telling the more-techie readers of this site that Group C is a ‘valid’ option that Woody in some way, shape, or form _endorses_ is that there are so many things that could go wrong in the future, and it seems that the protective safety barriers and safe computing behaviors are going to have to be cobbled together by each person will be different for each situation/each computer.
When we all scatter and hunker down in our own trenches, it’s like “every man for himself”.
Which is why it’s concerning and uncomfortable.
I don’t want to be in C, but at the moment it seems to be the least worst choice for me, while I see how Group B is working out for the B’ers.

I can’t really see anything else I could do to stay safe that I am not already doing, except for stopping the use of IE 11. I am one of the diehard users of it, so this is a transition I don’t want to make, but I understand the reasons for it, if I cannot update IE with Windows Update.

Another thing I could possibly do is have an airgap, keeping my files and whatever on one computer that is never again connected to the internet, and using a different computer that doesn’t have much else on it to connect to the internet. This is not easy to do, and I don’t know if it would work that well for me. I am not going to go full tinfoil-hat, it would take all my time and concentration, and is probably beyond my technical capability.

Being able to read here what other people are thinking and what issues they are running into does help me to feel safer, as if I’ve got some kind of group protection whilst being in Group C, even though it is just a mental thing.

Reply | Quote

You hit the nail on the head. More in the morning.

Reply | Quote

@Woody and @Canadian Tech,

Yesterday, when I read Canadian Tech’s entry just above about recommending Group C to his clients (which he originally posted on his Microsoft Support Forum thread),
I almost asked him a follow-up question about it,
but in the end, I decided not to ask the question,
because knowing the answer probably wouldn’t change anything for me (since I am a non-techie).

However, if Woody is going to publish this advice from Canadian Tech, I think I will ask the question after all.

It is regarding the following part of Canadian Tech’s statement:
“When an error is made in a security-only update, if the error turns out not to have a security affect, it may be corrected in a non-security update. In that case if you were following B strategy, you would be left with an un-corrected defective update installed on your computer.
If you were extremely diligent and knew about it, you may be able to get the correction in specific cases.”

I understand the sort of situation that is being described —
it happened just recently with a July “security” update where a bug in that was fixed in the recent Group A Rollup but not in the recent Group B Security-Only Update, ostensibly because the bug in the July patch was not considered to be a “security” level bug, even though it had occurred in a “security” rated update.

However, I don’t understand how a person who was “extremely diligent” could “get the correction in specific cases”,
because there is no way to pull anything out of a Rollup without installing the whole Rollup, and if a whole Rollup is installed, that puts one into Group A.

What other way would there be for a person to obtain a bug fix that Microsoft has included only in a Rollup, yet in all other ways continue to keep her/his computer in Group B?

[Unless one happens to be Abboddi86 Then I believe it could be done! But otherwise, for the rest of us mere mortals…]

Reply | Quote

@louis,

I am not a “techie”. I may not understand the situation correctly.

But here are my thoughts on what you asked:

I. Canadian Tech and Woody really were telling people that if they have been in Group C for a period of time, then something so urgent and terrible “out there” in the world happens which threatens their computer and it makes them want to flee to the shelter of Microsoft’s Group A (regardless of their reasons for wanting to avoid Group A if they could possibly avoid it), then it will be easy for them to move from Group C to Group A.

Woody and Canadian Tech were not talking about a situation where people would want to move from Group C to Group B; it was from Group C to Group A.

And that would be relatively easy. It would be easy because Group A Rollups are cumulative.

At the moment, as far as I know, they are cumulative just from the October 2016 patch Tuesday onwards.

However, in a few months from now, Microsoft has said that the Group A Rollups will be cumulative from the very beginning of Windows Updates.

So after that happens, and Microsoft adds all historical updates to every month’s Rollup, then the computer owner who has been in Group C until, let’s say, for example, May 2017 — if something so terrible sweeps across the internet that the computer owner is willing to go from Group C to Group A in order to be sheltered from it, then the computer owner can install the May 2017 Group A Rollup and be confident that every single historical patch that Microsoft ever thought was appropriate for her/his computer would be put on that computer, within the singular May 2017 Rollup installation process.

(As to the size it would be and the time that this one Rollup would take to download and install itself on the computer, I think they have ways of compressing this so that the bundle isn’t going to be nearly as big as every single update had been individually, but that is beyond my level of understanding.)

In terms of the ease of updating though, it would simply be one Rollup that the person would need to obtain, because it would cover many months of not updating.

II. If a person wanted to be in Group C for a number of months and then to quickly move from Group C to Group B, this is not what Woody and Canadian Tech were hypothesizing about, but I don’t see how it would be as complicated as you sketched out.

Yes, it would take some time, but it’s only a matter of installing every missed month’s Group B Update, in turn, from the Update Catalog

The person who had been in Group C had already “saved” herself/himself that time every prior month when not downloading anything, sitting there whistling a tune while everyone else was stressed out about installing the monthly Group B Update, so the amount of time that suddenly moving from Group C to Group B would require is not going to be more than the ordinary Group B path has taken other people, and arguably it will be less than the ordinary Group B path, because a lot of small momentary problems that Group B people are running into if they do the Group B path in ‘real time’ (such as the Malwarebytes issue that some people have run into recently) will have been straightened out by that later date.

Reply | Quote

Well put.

Reply | Quote

Abbodi is a magician and he doesn’t count.

Many of the bugs in security patches can be worked around. I think that’s what Canadian Tech was thinking, eh?

Reply | Quote

Woddy,

Many of the bugs in security patches can be worked around. I think that’s what Canadian Tech was thinking, eh?

Yes that is what I was thinking. The issue is that ordinary users would never be able to navigate around these obstacles.

Reply | Quote

I have happily used Firefox for many years. I typically use a half-dozen add-ons, which have never caused me any serious problems. If Firefox deems an add-on to be problematic, either there will be a warning, or that add-on will be disabled.

If an add-on is not updated to conform to recent versions of Firefox, that add-on may not work properly. The solution in that case is to uninstall the offending add-on. In my experience, however, the authors of add-ons typically stay abreast of Firefox updates and update their add-ons accordingly.

Reply | Quote

Poohsticks. I hope Woody’s response answered your question. If not, just tell me so.

Reply | Quote

@poohsticks,

(There was no Reply available on your answer)

” if something so terrible sweeps across the internet that the computer owner is willing to go from Group C to Group A in order to be sheltered from it, then the computer owner can install the May 2017 Group A Rollup and be confident that every single historical patch that Microsoft ever thought was appropriate for her/his computer would be put on that computer, within the singular May 2017 Rollup installation process. ”

If people have been willing to have MS put every single patch MS thought was appropriate on their machine, then why would they be in Group C?
If people have been willing to have MS put every single patch MS thought was appropriate on their machine then why have people been visiting Woody’s site for years to check the Defcon level?

Why have certain patches caused problems and entered the “hidden” category? Why have Woody’s instruction been to not install Optional, not install unchecked?

I understood what Wody and CanadienTech were saying. I was answering Woody and CanadienTech’s statements that going from C to A would be “easy”. Yea, you click on the cumulative Rollup in May 2017, yea, that CLICK is easy, but there is no guarantee that once downloaded the installation and reboot is going to be “easy”.

The “solution” to something so terrible sweeping across the internet may be worse than what’s sweeping the internet.

Every KB over all the years will be installed on your machine. And every KB that we avoided for various reasons will be installed. Telemetry, snooping, kb’s that conflict with your personal software, kb’s that actually break commercial software…as you said ANYTHING microsoft thinks is appropriate.

We’re all here because we don’t believe Microsoft knows what is appropriate for every one of our machines.
Do you trust that after you install that May 2017 Rollup that you will have a functioning computer after you rebooted?

Bottom line…if one is currently in Group A, know what you are getting yourself into. You are giving up control of your computer to a company that you can’t trust, gave you headaches and misery for years, including, most recently, GWX, and “X” now means install, not close window, etc.

If you are in Group B and/or C, you are trying to defend yourself against a Bully. With a capital B. And I won’t trust a Bully to install what they think is appropriate.

Reply | Quote

@Canadian Tech

Few points here.

The .NET Framework and the Office updates are likely to be the least important of all. If you decide to recommend not updating Windows, then you may consider not updating at all.
While I don’t agree with the style C of (not) updating, your conclusions are 100% accurate.
Like you, I don’t understand what is not to agree with your conclusions, other than what I mentioned above…

Reply | Quote

@louis
You say: ” And those here, who decided on being in Group A went there very reluctantly.”

Thank only about abbodi86 and me. Have you notice any trace of reluctance in our posts?

Reply | Quote

@ch100 It’s nice that you consider John W’s comments to be ‘perfect example of how Windows should be maintained’ ……. BUT your further remarks are not worthy or becoming of you. Categorizing people is not really a good option. LT

“Keep high aspirations, moderate expectations, and small needs.” – H. Stein

Reply | Quote

Even though Canadian Tech has recommended only Group A and Group C, I am sticking with Group B at this point, with an option to be selectively in Group C depending on the situation each month.

If a certain month’s security update is found to cause problems for me, then I won’t install that month’s update (or remove it if it has been installed). I will deal with the consequences myself if need to.

I will never go to Group A myself, especially with the knowledge that Microsoft is going to add back the old updates (including the “bad” updates) to the “quality rollup” starting in 2017. If that means missing any number of security updates, so be it.

I also agree with Louis above who said that we should blame Microsoft for these problems as without the troublesome updates we won’t have the problems. In particular KB3172605 which causes problems with Intel Bluetooth users. If Microsoft had provided the update for Windows Update in KB3172605 as a separate update (which I believe is all most of us need to solve the slow Windows Update scans), I don’t think those with Intel Bluetooth would have problems.

Reply | Quote

OK. Let’s leave it at that.

Ideas are important. Personality conflicts, less so.

Reply | Quote

Quite true.

Reply | Quote

James Bond, please do not misunderstand. I do not regard B as invalid or a bad idea. For people like you, and I and many othera in this particular forum it will work just fine.

I am referring to my clientele which are a pretty good cross-section of pretty ordinary Windows owners who think of their computers more or less like a toothbrush or other appliance. For those people, I do NOT believe B is a practical strategy.

Reply | Quote

+1 and then some!

If/when a time comes that an individual patch needs to be extracted from a rollup as a last resort against giving up our Windows 7 ships to the M$ Gestapo fleet I’m confident that someone out there will step up to the plate and help bail us out. Again!

Josh Mayfield (and others) stepped up and helped bail us out through the entire GWX battle that initially looked like we were all doomed… at least this time we know in advance we can pull this one off. We know it IS possible to extract an individual patch from these rollups as abbodi86 has done it.

I store Great faith in my fellow warriors against the almighty MS to continue being there for us not-so-savvy technical folks through this next M$ battle too. The M$ war will likely continue forever but I’ll take each Windows 7 battle as it comes right into 2020. After that I won’t have anything M$ to be concerned about.

Reply | Quote

When this whole new patching system was announced, I fully intended to be firmly in Group B. But the more I thought about it, the more of a pain it seemed it would be for me personally. So, I’ve decided to just say screw it and stick myself in Group A, and just wait for a week or two after the updates drop to actually install them.

Reply | Quote

@louis,

Regarding your post to me
(we have run out of reply buttons at this level of the comment-nesting, so I’m putting this as close as I can to your post),

about how odious it would be for Group C people to move to Group A after already spending several months successfully abstaining,

you are preaching to the already-converted (with me)! I agree with you about A and C.

I know that going to A from C, if some sort of emergency happened “out there”, would not be without regret, hassle, and repercussions for Group C people.

But it is an _option_, and I think that is all Canadian Tech and Woody were pointing out.
Going to Group C now does not cut off all your options, they are still on standby.
If a Group C person later selected the option to move to Group A, it would be quick and easy on a practical level to move the computer to Group A.
(Not that it would be “easy” for the Group C person to later cope with the disappointment and downsides of being in Group A.)

Reply | Quote

Is Abboddi86 happy about being in Group A, and he thinks it’s great and nothing to be worried about, even for his own computers?
(Does he have any privacy concerns about the increased telemetry and so on?)

Or, does he have misgivings about Group A for his personal or business computers, feeling “reluctance” about it,
but despite that, he just thinks that the vast majority of the Microsoft consumer base is better off in Group A, since the options of Group B and Group C are so much more difficult and risky for the average computer user to correctly manage?

If it’s only the latter, I would argue that Woody also feels that way.

And I also feel that way, for the vast majority of the Microsoft consumer base.
…of course, I think that if a typical consumer Windows customer has little knowledge and has little motivation or spare time to stay on top of the information and react every few weeks to the situation as it unfolds, then that customer definitely should be in Group A.

That doesn’t mean that I’m not “reluctant” about Group A in a general sense.

Reply | Quote

@Canadian Tech,

I am still confused!

He wrote, “Many of the bugs in security patches can be worked around.” But I don’t know what that means.

Reply | Quote

I am far from the expert to have much detail. It is just the impression I have from reading a lot of posts in these columns.

Reply | Quote

Poohsticks, same problem, no way to put this in the right place. On your response to Louis…..

In fact moving to Group A from C would be pretty much like buying a new PC with Windows 10 at a lower cost. After all, if it is a Windows PC you want, Windows 10 is it!

Reply | Quote

Making a room for a new hierarchy discussion

https://www.askwoody.com/2016/malwarebytes-stumbles-with-false-positive-on-kb-3197868-the-win7-november-monthly-rollup/comment-page-1/#comment-108580
@poohsticks
although i follow Group A rules, but i don’t install any update untill i see its components

as for telemetry/privacy updates, i don’t have a big concerns for it, it’s not an espionage engine
i will avoid it if i can (like KB2952664/KB3080149), otherwise, i just accept and deal with it
and like i described before, telemetry effects can be easily disabled without overrating

i’m a regular individual user, i don’t advice or handle other than my two personal computers
but even before the Grouping model appeared, i was with the idea of having all possible updates as long as they function properly
and you actually explain Group B situation correctly, it’s a difficult route for non experienced users

Reply | Quote

If you ever want me to start a new blog, just email me or post something here.

The new forum should come onstream before too long – and you’ll be able to start your own Topic.

Reply | Quote

All good to me, thanks for your efforts

Reply | Quote

Woody whats the latest with this Malwarebytes problem? I am running MBAM and MBAE on Windows 7 Pro. I am in group A and havent yet installed Nov updates. Is it safe to install KB 3197868 now?
I have checked the Malwarebytes site and cant make head or tail of what is being said about it. Its all to techie for me.

Reply | Quote

If you have the latest versions of Malwarebytes, you’re fine. They corrected the problem almost immediately.

Reply | Quote

Well, it seems Malwarebytes was right after all
KB3197868 is withdrawn and no longer available from MU catalog

Preview rollup KB3197869 however, still available and i think it solves the problem

Reply | Quote

How about that!

Reply | Quote

I just installed the October 2016 monthly rollup in a Windows 7 x64 virtual machine that had previously been last updated in September 2016. Sigcheck reports that both C:WindowsSysWOW64kernel32.dll and C:WindowsSystem32kernel32.dll are unsigned. The older versions of those two files just before I installed the October monthly rollup were also unsigned according to sigcheck. So I’m not sure if I buy Malwarebytes’ explanation.

Why did I use sigcheck? – see “The Case of the Missing Digital Signatures Tab” (https://blog.didierstevens.com/2008/01/11/the-case-of-the-missing-digital-signatures-tab/).

Reply | Quote

‘Preview rollup KB3197869’??? I thought we were told to avoid all Previews? Does this mean we should install this one?

Reply | Quote

NO, no, no.

Previews should be avoided unless you know precisely what you’re doing – and you know why you want to run beta software.

Reply | Quote

The Security Rollup is back as-is, no need to do anything

Reply | Quote

No, Previews are only for experimenting. And abbodi86 is highly experimental

Reply | Quote

Thanks to Woody and all.
Will someone here be able to let us know when Mbam gets it ‘sorted out’, or is there another source we should use ?

Reply | Quote

They’ve already fixed it.

Reply | Quote

Thanks much !

Reply | Quote