Get free patching without Windows Update
In this issue
- TOP STORY: Get free patching without Windows Update
- KNOWN ISSUES: A flustered Microsoft posts Windows Update trick
- WACKY WEB WEEK: How Halo 3 makes the world a better place
- LANGALIST PLUS: Part two: finishing the first Housecall
- WOODY'S WINDOWS: Excel 2007 bug generates wrong numbers
- PERIMETER SCAN: Three more rootkit scanners to consider
Get free patching without Windows Update
By Scott Dunn
My Sept. 20 and Sept. 27 articles about silent and flawed upgrades involving Windows Update have made many people wonder whether they should really trust Microsoft’s installer. Fortunately, there are alternatives to Windows Update that will keep your system fully patched without costing you a dime.
It’s easy to replace Windows Update’s functions
In my previous columns, I reported that Windows Update has been periodically installing at least a few small executable files without notice to users, even when those users have selected a do-not-install option in the Automatic Updates control panel. This stealthy behavior upsets many people, but they don’t want to completely do without a method of installing new security patches from Microsoft.
Windows Update (WU) does three things when it scans a PC: it determines which upgrades are needed, downloads the relevant files, and ultimately installs them. Fortunately, you can replace each of these tasks without spending any money.
In doing so, you give up some of the ease of automation offered by WU and Microsoft Update, WU’s big brother, which also upgrades Microsoft Office applications. But the good news is that using alternatives makes it easier to update software from all major vendors, not just Microsoft.
In two previous articles, I explained how to determine which security upgrades a system needs. The best free scanner to diagnose your patching needs is currently Secunia.com’s Online Software Inspector. My Sept. 9 article explains how to use the service with Internet Explorer. A Sept. 13 article explains the steps using Firefox.
Today I’ll show you how to add an alternative to Windows Update to your monthly Software Inspector routine.
Not many completely free alternatives exist, but there are a few that are worth examining:
• The Software Patch
• Windows Updates Downloader
• Microsoft Download Center
• AutoPatcher
• WindizUpdate
The Software Patch is my number-one pick
The best updating tool I’ve found is a service called The Software Patch (SP). This Web site provides not only Microsoft security updates but also a great deal more. The site includes necessary hardware drivers and updates, Microsoft Office and WordPerfect service packs, patches for Adobe and Corel products, updates for games, and more.
Pros of using SP. The Software Patch has many positive attributes:
Cons of using SP. No site is perfect, of course. Among the downsides to using the Software Patch are the following:
Figure 1. The Software Patch site provides ways to upgrade a wide variety of products.
Other system-updating possibilities fall short
In addition to The Software Patch, other solutions may have value for some users.
The Windows Updates Downloader is Microsoft-only. If you find yourself downloading a large number of Microsoft updates every month, you may like a free utility called Windows Updates Downloader (WUD).
Created by Jean-Sebastien Carle, a frequent contributor to MSFN (Microsoft Software Forum Network), WUD makes it easy to select which patches you need and then download them all with a single click. Although WUD was designed to slipstream updates into new installs of Windows, it can also be used for downloading patches for existing installations.
Unfortunately, the tool is designed to download Microsoft patches only; it provides no options for getting updates for non-Microsoft products. In addition, keeping up to date requires you to download new Update Lists from the WUD site each month. And because the product automates downloading only, you still have to launch each update’s installer one by one.
Microsoft Download Center is disorganized. Another option that avoids using MU or WU is the Security & Updates section of Microsoft’s own Download Center, where you can obtain patches, documentation, and other tools.
Unfortunately for the average user, the listings at this Microsoft site are not well organized, with important patches mixed in with optional utilities, technical seminars, and other content. Moreover, it offers no patches for non-Microsoft products.
AutoPatcher is out of commission. Until recently, one popular source of patches for Windows and other products was AutoPatcher. Unfortunately for the service’s fans, however, Microsoft requested that the site suspend its offerings in August. The software giant cited security concerns, because patches were being stored on AutoPatcher’s server instead of being downloaded directly from Microsoft.
Despite that setback, project leader Antonis Kaladis hopes to launch a comparable replacement service, perhaps as soon as this month, according to a post on the AutoPatcher site. Until then, users must content themselves with other sources for patches.
WindizUpdate isn’t up to snuff. Another patch-download site is WindizUpdate, owned by Phil Young of Auckland, New Zealand. Unfortunately, the site requires an unsigned plug-in for your browser, frequently asks to scan your Registry, and lacks updates for non-Microsoft applications. Editorial director Brian Livingston gave the service a tepid review in the Windows Secrets Newsletter on June 29, 2006.
Keeping your system up to date requires that you analyze, download, and install patches on a regular basis. Secunia’s Online Software Inspector does a great job of system analysis. In addition, The Software Patch gives you one-stop upgrades for a variety of platforms and applications.
The Software Patch is the clear winner for patch downloading. In combination with Secunia’s service, The Software Patch is a welcome solution. If you need to keep Windows 2000 patched, however, the Windows Updates Downloader can be a useful assistant as well.
Readers David Todd and Leland G. Whitlock will each receive a gift certificate for a book, CD, or DVD of their choice for their help in researching this topic. Have a tip to share? Send us your comments via the Windows Secrets contact page.
Scott Dunn is associate editor of the Windows Secrets Newsletter. He has been a contributing editor of PC World since 1992 and currently writes for the magazine’s Here’s How section.
A flustered Microsoft posts Windows Update trick
By Virginia Culler
Our Sept. 27 story on problems caused by Windows Update’s stealth installs was widely circulated by other news sites. In the wake of the media coverage and user complaints, Microsoft quickly cobbled together a response that confirms the problem and provides a manual fix.
Microsoft scrambles to respond to negative press
Associate editor Scott Dunn’s lead story last week broke the news that executable files recently installed silently by Windows Update actually prevent further updates from working in some cases. Windows XP users who run the “repair” option from a CD-ROM of the operating system find that all security patches subsequently fail to install.
Many blogs and computer industry publications picked up on the trail. Several sources conducted their own tests and verified Scott’s findings. ZDNet confirmed that Windows Update does not repair itself in this problematic scenario, apparently no matter how long it’s left alone. Computerworld also released an article confirming the story.
In response to the flurry of comments, complaints, and criticisms, Microsoft jumped into action. Windows Update program manager Nate Clinton assembled a blog post, which went live at 2:11 a.m. Pacific Time the day after our newsletter went out. His report confirmed the problem, outlined a solution, and promised that a Knowledge Base (KB) article would be posted soon.
That article, KB 943144, appeared later that day. In addition to repeating the repair steps from Clinton’s blog, the piece discusses the source of the problem, indirectly admitting that the stealth update was at fault:
- “The latest version of Windows Update includes a file that was not available in the release version of Windows XP. This file is named Wups2.dll. … Because the registry files that correspond to the Wups2.dll file are missing, update installations are unsuccessful.”
Redmond identifies one DLL as the source of the problem
Last week, Scott listed seven separate DLLs that needed to be manually registered to enable a “repair” install of XP to receive patches. Microsoft researched the code and found that only one of these files is the hang-up: wups2.dll.
Microsoft’s official fix for the problem requires that you enter only three commands in a command window to register that one DLL. The other six DLLs don’t require this.
For 32-bit Windows, open a command prompt and enter the following lines:
net stop wuauserv
regsvr32 %windir%\system32\wups2.dll
net start wuauserv
For 64-bit Windows, the second line differs due to the location of the DLL file:
net stop wuauserv
regsvr32 %windir%\syswow64\wups2.dll
net start wuauserv
In each case, the first and last commands stop and then restart the Windows Update service. This is a precaution to keep the service from becoming unstable. In our tests on a 32-bit system, however, a single short command — regsvr32 wups2.dll — solved the problem without confusing the WU/AU service.
Side-stepping the primary issue
Although the KB article alludes to the stealth updates, Microsoft did not address the core issue or take responsibility for causing the problem in the first place. Basic pieces of the puzzle are still missing.
Users should be able to read a KB article discussing the executables that Windows Update silently installed and manually download the .381 version of the installed files (a procedure that’s typically available for other patches). It would also be nice for Microsoft to stop writing files silently to disk when users configure Windows not to install downloads without warning.
Until Microsoft steps up and addresses these issues, many customers will remain suspicious of Microsoft in general and Windows Update in particular.
Dial-A-Fix solves multiple update problems
When she has trouble with Microsoft Updates, reader Gabrielle Accatino relies on the free Dial-A-Fix utility from DjLizard.net. This software helped a number of users who ran XP’s repair option and then could not install security patches, as we described in the Sept. 27 newsletter.
Dial-A-Fix corrects a number of problems with Windows Update, Microsoft Installer (.msi) files, and more. However, the developer offers only limited support for the tool. The site strongly recommends that novice users seek experienced help before using this utility. Beta version 0.60.0.24, which is now available, is recommended over version 0.57.7.
Reader Accatino will receive a gift certificate for a book, CD, or DVD of her choice for sending tips we printed. Send us your tips via the Windows Secrets contact page.
The Known Issues column brings you comments on our recent articles. Virginia Culler is managing editor of WindowsSecrets.com.
How Halo 3 makes the world a better place
A video’s catchy tune offers a humorously cynical — and not politically correct — summary of the world’s ills that will be cured after the overhyped release of Halo 3.
For those of us who wonder what it is that video games really contribute to humanity, the jokester called SarcasticGamer strikes again in this tongue-in-cheek presentation of the concerns of today’s society.
Part two: finishing the first Housecall
By Fred Langa
In this second of eight installments about my travels, I finish helping a Windows Secrets reader by decluttering his Startup folder, sorting out an IP address issue, and testing his laptop’s firewall. In Part One last week, I described the beginning of my first Housecall (a free, day-long PC tune-up and tech session given to four contest winners).
Reducing start-up software shortens boot time
Longmont is the home of Windows Secrets reader John Rice, an engineer whose PCs were in excellent shape. He did, however, report three issues: slow boots, a networking problem, and security concerns. We began by decluttering his PC, thereby finding (and deleting) half a gigabyte of orphaned temp files that John’s standard disk-cleaning tools had left behind. (This process was described in last week’s article.)
Figure 1. Rocky Mountain High. Not far from Longmont, the road through Rocky Mountain National Park tops out at around 12,000 feet (3,700 meters), well above the treeline and in truly alpine conditions. While in the Longmont/Denver area, I also rode over Independence Pass (12,000 feet/3,700 meters) and up Mount Evans (the highest paved road in North America) and Pikes Peak, both over 14,000 feet (4,300 meters). The views were amazing!
With John’s temp areas lean and clean, it was time to move on to the next steps in seeking a faster boot: uninstalling unneeded software — especially any that runs in full or in part at start-up — and thoroughly cleaning and compacting the Registry.
Most software publishers seem to think that everyone will want to run their software all the time. Take Apple, for example. Say you want to watch a QuickTime-format video. Apple kindly offers the QuickTime viewer for free; that’s a good thing. But Apple assumes that of course you’ll want QuickTime to start up every time you start Windows; and of course you’ll want it to phone home and check for updates on a regular basis; and of course you’ll want the QuickTime icon to appear as a permanent resident in your system task area; and of course you’ll want to install and run the totally unrelated iTunes software as well. These are cheeky assumptions if all you want to do is watch a video.
QuickTime is just one well-known and widespread example of software with aggressive defaults. (Yes, most of those behaviors are controllable, but it takes extra steps to invoke nondefault settings to get a relatively clean setup.) Over time, most Windows machines end up with software that needlessly attaches itself to the start-up process, stealing CPU time and lengthening the boot sequence. Removing these binary barnacles makes for smoother sailing at start-up.
On John’s PC, we used the Startup tab in msconfig, plus the Applications and Processes tabs in Task Manager, to see what was starting at launch and what remained running before John manually launched anything.
Some of the names were cryptic, so we used sites like the Windows Process Library to help identify mystery items and to determine which start-up items and processes were unnecessary. Then we used the Add or Remove Applications applet in Control Panel to delete the programs that were needlessly inserting themselves into the start-up. (In some cases, it might have been possible to reinstall the software and look for a “don’t launch at startup” option, but John could do that later on his own. For this initial cleanup, we simply uninstalled the unnecessary software.) We also stepped through John’s entire list of installed software in the Add or Remove Applications applet to identify and uninstall any other programs he rarely used or no longer needed.
If you’ve used Windows for any length of time, you’ve learned the sad truth: few software publishers have mastered the art of the clean uninstall. All too often, software that reports itself as uninstalled still leaves behind files, folders, and Registry entries. Even if these orphaned items are inert, they still can cause trouble if (for example) they must be parsed at start-up, even though they no longer do anything.
A good Registry cleaner is the solution. When John and I were finished uninstalling what we could, we downloaded a copy of JV16 PowerTools, my personal favorite cleaning tool.
The free trial version is fully functional for 30 days, and we set it to work on John’s Registry. As is normal on a system whose Registry hasn’t been cleaned before, the software found hundreds and hundreds of obsolete or otherwise bogus Registry entries. The software made a backup of the items it was about to work on (so a rollback would be possible in the event of trouble), and then either repaired or deleted the bogus items. Finally, we used the tool’s compacting function to make the Registry occupy as little space as possible. (A smaller Registry can be loaded and processed faster at start-up.)
Sleeping PCs need static IP addresses
Normally, the next step would have been a full defrag, because the work we’d just done — the cleanup, the uninstalls, and the file shrinking — would have created serious fragmentation of the disk structure. But defrags take time, and John opted to do the full defrag after I’d left. Although we could see some improvement in the boot time, the full effect wouldn’t be seen until the disk was nicely reordered by a full, thorough defrag. With the defrag pending, we moved on to other items.
John’s network sometimes ground to a halt when two PCs received the same IP address and sometimes even the same system name. I’d seen this kind of problem before. In some situations, a PC would enter sleep mode and the network would reassign the sleeping machine’s IP address to another PC. Things would work until the sleeping PC woke up and resumed network activity with its old address, now assigned to a second PC.
One simple fix for this is to use permanently assigned IP addresses. To do so, the network administrator — in this case, John — sets an unchanging, “static” IP address for each PC on the network. In such a scheme, the IP addresses always stay the same. Because no addresses get dynamically reassigned, addresses can’t fall into conflicts as various PCs wake, sleep, connect, and disconnect.
We set up static IP addresses, as described in Microsoft Knowledge Base article 309642, for John’s systems. This solved the address-conflict problem, but left another problem unresolved: The PCs could each now use the network to connect to the outside world, but they still couldn’t see each other on the network. No matter what we did, and despite all the network settings appearing OK, the PCs just couldn’t see or talk to each other.
I’d also seen this behavior before and suspected that some hard-to-get-at settings from the original setup were still in the way. We opted for a quick-and-dirty fix. To force the PCs to totally forget all previous network settings, we went into Device Manager (in Control Panel, select System, Hardware, Device Manager) and uninstalled the network adapter software.
Upon rebooting, Windows thought it had discovered a “new” network card and went about configuring it from scratch with all new settings. With that, John’s network worked fine. There were no address conflicts, and all the PCs could interconnect properly.
Vista default firewall protects tablet PC
The last item John wanted me to look at was the security of a new Vista-powered tablet PC. He was about to travel to a conference and wanted to make sure the tablet’s wireless connection wasn’t going to leave him open to easy hacking from the outside.
Vista ships with a reasonably good firewall built in as part of its Security Center, and the firewall is enabled by default. (It’s actually a slightly upgraded version of the firewall built into XP; the one in XP before Service Pack 2 is not enabled by default.)
We checked John’s firewall settings and they all seemed fine, so we put the firewall to a real-life test with the simple, free Shields Up tool provided by Steve Gibson at GRC.com. This tool probes your PC’s Internet connection from the outside, just as a hacker might, looking for weaknesses.
The tests turned up no vulnerabilities. Right out of the box, John’s Vista tablet would not be an easy target for malicious hacking. Nice!
With that, we were done. I left John to defrag his now-improved PC and headed west.
Traveling west through the Rocky Mountains
As the following photos show, even at high elevations, the mountainous landscape was freshly verdant in midsummer.
Figure 2. Early (or late?) spring arrives in mid-July. At high elevations, spring was in full bloom, many months after summer had arrived in lower regions. This profusion of tundra wildflowers was just off the road midway through the Rocky Mountain National Park. It was a gorgeous spot.
Figure 3. Watch your step! Near Gunnison, Colorado, the north rim of Black Canyon offers stunning — and vertiginous! — views into the deep gorge. Some of the lookouts have fences or guardrails, but others (such as this spot) do not. That’s my motorcycle’s mirror in the photo; I was able to ride right up to the edge! The Black Canyon’s north rim is seldom visited, and I had the place almost to myself.
Figure 4. Beauty at every turn. I went a little nuts with my cameras, averaging between 200 and 300 photos per day for most of the month-long trip. But with scenery like this, you can see why! (In case you’re wondering, I had three 1GB data cards for my cameras and would dump the photos to my laptop each night.)
Next week: On to Tacoma, Wash., and my second Housecall!
Fred Langa is editor-at-large of the Windows Secrets Newsletter. He was editor of Byte Magazine (1987 to 1991) and editorial director of CMP Media (1991 to 1996), overseeing Windows Magazine and others. He edited the LangaList e-mail newsletter from 1997 to 2006, when it merged with Windows Secrets.
Excel 2007 bug generates wrong numbers
By Woody Leonhard
Microsoft would have you believe that a recently discovered Excel 2007 bug amounts to little more than a display problem — a cosmetic glitch. You may be surprised to discover that the erroneous results can spread throughout your spreadsheets, because this bug is more than skin deep.
Excel 2007’s problems with 65,535
Last week, in his Introduction column, editorial director Brian Livingston reported on a newly discovered bug in Excel 2007. When a calculation should produce the number 65,535, the spreadsheet program can cause the result to appear on-screen as 100,000. This bug shows its slithery head in Excel 2007 and in the SharePoint-based Excel Services. But Excel 2003 has some eerily similar problems, as I explain near the end of this article.
If you have Excel 2007 installed, you can replicate the problem quite easily. Start Excel 2007. Click in, oh, cell A1. Type:
=850*77.1
and press Enter. You see an incorrect result: 100,000. A quick trip to any calculator (or good ol’ pencil and paper) will verify that the answer should be 65,535.
Play with the result a bit and you’ll quickly come to the conclusion that Excel has calculated the result correctly. The calculated value was, indeed, 65,535, even though the displayed value reads 100,000.
You can see for yourself by going to cell A2 and typing =A1-1 or =A1*3. The result you see on the screen — 65,534 in the first case and 196,605 in the second — relies on the calculated value (the correct value), not on the erroneous displayed value of 100,000.
Similarly, using Excel’s max( ) or min( ) or average( ) functions on ranges that include A1 demonstrates quite conclusively that Excel “knows” the real answer and the calculation worked correctly. You could also incorporate cell A1 into a graph or lookup table. Each case suggests that Excel holds the correct, calculated value internally. Only the way the result displays on the screen seems to be a problem.
At least, that’s what you might think — if you didn’t dig deeper.
How to dissect the real Excel bug
The first report of this bug, as best I can tell, appeared in a posting by Molham Serry on the public Microsoft Excel newsgroup. Two days later, Excel group program manager David Gainer posted an official description of the problem.
There are actually two problems working in concert to turn 65,535 into 100,000. One is congenital — inherent in the way Excel operates. The other amounts to a plain vanilla bug in the way Excel displays numbers on the screen.
First, the congenital problem. Excel works internally with binary numbers (1’s and 0’s). It’s therefore subject to all the problems programmers encounter when they translate base-10 numbers into base-2 and back. (Wikipedia has a good article on the problems inherent in using floating-point decimals in a binary world.)
The number 0.1, for example, can’t be represented precisely in binary. When Excel multiplies 850 by 77.1, Excel comes up with a number that’s close to 65,534.99999999995. It can’t get precisely 65,535. This is the congenital defect.
Second, the plain vanilla bug. David’s post explains that there are twelve numbers — I call them “The Dirty Dozen” — that Excel 2007 currently doesn’t display accurately on the screen.
If an Excel calculation results in any of six specific numbers between 65,534.99999999995 and 65,535, you’ll instead see the number 100,000 on your screen. If an Excel calculation results in any of six specific numbers between 65,535.99999999995 and 65,536, you’ll see the number 100,001 on your screen.
Remember, the results are in binary, and the numbers I’m showing here are in decimal. If you’re curious, long-time Excel expert Dr. Erich Neuwirth has posted for your edification a full list of affected decimal values, starting with the number 65,535-(2^-35), which is just a tiny amount short of 65,535.
The second, plain-vanilla bug supposedly doesn’t affect the results of the calculation — or does it?
There’s actually a big bug farm
Many, many other Excel 2007 calculations, it turns out, also result in 100,000 or 100,001 showing up on the screen.
For example, if you stick =850*77.1 in cell A1, and then enter =A1+1 in cell B1, you get the erroneous result 100,001. That’s because Excel is adding 1 to a number very close to 65,534.99999999995 (which displays in cell A1 as 100,000) and comes up with a number very close to 65,535.99999999995 (which displays as 100,001).
As you might expect, there are plenty of other calculations that churn out results on the Dirty Dozen list. Dana DeLouis compiled an early list. You can find many more examples online.
Excel 2007 sometimes stores the wrong number
Everything I’ve described so far rates as rather standard buggy stuff. Sure, you should be concerned if you have a spreadsheet that, once in every hundred blue moons, shows 100,000 when it should show 65,535. But if the underlying number is correct — and thus any calculations that rely on the cell will come out right — the bug would be considerably more tolerable for most folks. Your totals would add up correctly and your graphs would look the way they should, bug or no bug.
Except.
There are specific situations in which this bug can jump out and bite you. For instance, if you use Excel 2007’s round( ) function — rounding, say, to two decimal places to get dollars and cents — Excel internally stores the bogus value.
If you’re following along in Excel 2007, try this. Select cell A1 and type:
=round(850*77.1,2)
Guess what? You not only see the bogus result of 100,000, but behind the scenes Excel changed the internal, calculated value of the cell to 100,000. If you type =A1*3 into cell B1, you get 300,000, not 196,605, the result you’d expect. Dr. Neuwirth has also reported that Excel 2007’s mod( ) function can produce nonsensical results when fed the Dirty Dozen numbers.
These calc errors can ripple through your entire spreadsheet. Now, that’s a problem.
What to do while waiting for a fix
With all due deference to Microsoft’s programming team, fixing the bug may not be as easy as it looks. For starters, changing any calculation in Excel is likely to break something else. As always, the question is whether Microsoft can come up with a cure that isn’t worse than the disease.
More troubling, though, is that there may be other, lurking problems with numbers that are very close to specific integers — and Excel 2007 isn’t the only offender.
Dr. Neuwirth explains:
- “Let us use 65535-2^(-35) as a prototypical bad number. Excel internally does not round this number, so it knows it is not an integer. Nevertheless, =INT(65535-2^-35) comes out 65535, when it should be 65534. =MOD(65535-2^(-35),1) comes up negative, and the MOD function should never turn negative! These bugs appear in both Excel 2003 and 2007.”
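To see the congenital half of the problem without Excel, here is the same arithmetic in Python, whose floats are the IEEE double-precision numbers Excel also uses internally. This is an added example, not code from Woody’s column, from Microsoft or from Dr. Neuwirth: it reproduces the 850*77.1 product, counts the doubles that lie strictly inside the two intervals named above (six on each side, matching the Dirty Dozen), shows what correctly rounded round( ), INT and MOD give for the prototypical bad number, and runs the $77.10 deposit through decimal arithmetic. The function names and the sample values are mine.

```python
import math
from decimal import Decimal


def excel_product():
    """The product typed into cell A1. 77.1 has no exact binary form, so the
    result lands one double (2**-37 at this magnitude) short of 65535."""
    return 850 * 77.1


def ulp_gap_below(value):
    """Count how many doubles separate value from the next integer above it
    (0 when value is already that integer). Uses math.nextafter (Python 3.9+)."""
    target = math.ceil(value)
    steps = 0
    x = value
    while x < target:
        x = math.nextafter(x, math.inf)
        steps += 1
    return steps


def doubles_strictly_between(lo, hi):
    """Enumerate every double in the open interval (lo, hi)."""
    found = []
    x = math.nextafter(lo, math.inf)
    while x < hi:
        found.append(x)
        x = math.nextafter(x, math.inf)
    return found


def correct_int_and_mod(x):
    """What INT(x) and MOD(x, 1) should return: floor, and a non-negative
    remainder. Compare with the Excel results quoted in the column."""
    return math.floor(x), x % 1


def exact_dollars(count, amount_text):
    """Decimal keeps "77.10" exactly, so a ledger built on it never drifts.
    The amount is passed as text; Decimal(77.10) from a float would carry
    the same binary error as Excel's product."""
    return Decimal(count) * Decimal(amount_text)


if __name__ == "__main__":
    p = excel_product()
    print(repr(p), "is", ulp_gap_below(p), "double(s) short of 65535")
    # The A1+1 case from the column: the sum is just as far short of 65536.
    print(repr(p + 1), "==", 65536 - 2 ** -37, (p + 1) == 65536 - 2 ** -37)
    # Intervals quoted in the column (constructed endpoints copied from it).
    for lo, hi in ((65534.99999999995, 65535), (65535.99999999995, 65536)):
        print(len(doubles_strictly_between(lo, hi)), "doubles inside", (lo, hi))
    print("round to cents:", round(p, 2))
    print("INT, MOD for 65535-2^-35:", correct_int_and_mod(65535 - 2 ** -35))
    print("850 deposits of $77.10:", exact_dollars(850, "77.10"))
```

Running it shows the product as 65534.99999999999, a single double below 65535; correctly rounded round( ) returns 65535.0, INT returns 65534 and MOD returns a positive remainder, and the Decimal ledger totals exactly 65535.00. The lesson for anyone handling money in a spreadsheet or in code is the last function: keep currency in a decimal type and round only at the point of display.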
If you’re serious about obtaining the most accurate answers possible, check out Dr. Neuwirth’s Rcom program. This is a free Excel add-in that binds Excel to “R,” the ultra-accurate, open-source statistics program. There’s an Excel-specific installation page, if you’d like to know all the technical details.
For those of us who just want to balance our checkbooks, we’ll just have to wait for Microsoft to release a patch. Heaven only knows when this will arrive — or what surprises it may contain.
In the interim, try this potentially lucrative experiment. Deposit $77.10 into your bank account 850 times and see if you’re credited with $100,000.
Hey, it might work!
Woody Leonhard’s latest books — Windows Vista All-In-One Desk Reference For Dummies and Windows Vista Timesaving Techniques For Dummies — explore what you need to know about Vista in a way that won’t put you to sleep. He and Ed Bott also wrote the encyclopedic Special Edition Using Office 2007.
Three more rootkit scanners to consider
By Ryan Russell
I’d like to introduce you today to three free rootkit scanning tools you can add to the ones I briefly reviewed on Sept. 20. Based on reader feedback, I’m covering this additional set of antirootkit tools and explaining some different schemes for rootkit detection.
The difference between anomalies and signatures
The antirootkit tools I reviewed two weeks ago were mostly anomaly detectors. That is, they look for hidden files, suspicious hooks, and general weirdness. This leaves the user with the job of deciding whether or not the detected items are really a problem.
The other major style of detection is signature-based. These applications store a set of signatures for known rootkits. Signature-based programs don’t typically flag something as suspicious unless they’ve determined exactly what it is.
Signature-based detection is the model that the vast majority of antivirus tools use to catch viruses and similar malware. There’s a lot of value in being able to identify a specific piece of malware. A vendor can write a much more specific algorithm to clean up an infection, for example.
If an anomaly scanner, by contrast, finds a suspicious item and blindly removes it, some piece of software you actually want might quit working, or Windows itself might no longer boot.
As a result, anomaly scanners typically don’t offer to remove things. If they do, they display dire warnings about doing things at your own risk.
The antirootkit tools in today’s roundup are mostly signature-based.
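The two detection styles described above, as an added illustration that is not code from any of the products in this column: a signature scanner matches file hashes against a list of known rootkits and reports nothing else, while an anomaly scanner compares what the operating system’s API shows against a lower-level view (a “cross-view” check for hidden files) and reports every discrepancy, leaving the verdict to the user. The two directory views, the hash list and the file names are constructed for the example; a real scanner would take the high-level view from the Windows file APIs and the low-level view from the disk or NTFS structures directly.

```python
import hashlib

# Constructed views of the same file system. API_VIEW is what a normal
# directory listing returns; RAW_VIEW is what a low-level read returns.
API_VIEW = {
    r"C:\Windows\System32\kernel32.dll": b"kernel32 sample contents",
    r"C:\Windows\System32\ntdll.dll": b"ntdll sample contents",
    r"C:\Users\john\report.xls": b"spreadsheet sample contents",
}
RAW_VIEW = dict(API_VIEW)
# A driver the (constructed) rootkit hides from directory listings.
RAW_VIEW[r"C:\Windows\System32\drivers\cloaked.sys"] = b"cloaked driver sample"
# A benign file the API also hides in this sample (e.g. by permissions);
# an anomaly scanner cannot tell this apart from the rootkit on its own.
RAW_VIEW[r"C:\System Volume Information\tracking.log"] = b"benign sample"

# Constructed signature database: SHA-256 of known-bad contents -> name.
KNOWN_BAD = {
    hashlib.sha256(b"cloaked driver sample").hexdigest(): "Example.Rootkit.A (constructed)",
}


def signature_scan(view, signatures):
    """Report only files whose hash matches a known signature.
    Returns a sorted list of (path, malware name)."""
    hits = []
    for path, data in view.items():
        digest = hashlib.sha256(data).hexdigest()
        if digest in signatures:
            hits.append((path, signatures[digest]))
    return sorted(hits)


def anomaly_scan(api_view, raw_view):
    """Cross-view check: anything present in the raw view but absent from
    the API view is hidden from the user and is reported as an anomaly."""
    return sorted(set(raw_view) - set(api_view))


def triage(api_view, raw_view, signatures):
    """Combine both styles: label each anomaly with a signature match if
    there is one, otherwise leave it for the user to judge."""
    report = {}
    for path in anomaly_scan(api_view, raw_view):
        digest = hashlib.sha256(raw_view[path]).hexdigest()
        report[path] = signatures.get(digest, "unknown: needs manual review")
    return report


if __name__ == "__main__":
    print("signature scan via API view:", signature_scan(API_VIEW, KNOWN_BAD))
    print("signature scan via raw view:", signature_scan(RAW_VIEW, KNOWN_BAD))
    print("anomalies:", anomaly_scan(API_VIEW, RAW_VIEW))
    for path, verdict in triage(API_VIEW, RAW_VIEW, KNOWN_BAD).items():
        print(f"  {path}: {verdict}")
```

Two points fall out of running it. The signature scanner finds nothing when it reads through the API view, because the rootkit has hidden its driver from exactly that view; it only scores a hit when the scanner reads below the API, which is why these tools install a driver and ask for a reboot. The anomaly scanner finds the driver without any signature, but it also flags the benign hidden file, which is the judgment call the column says anomaly detectors leave to the user.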
AVG Anti-Rootkit finds known malware only
Several readers wrote to ask about AVG Anti-Rootkit from Grisoft. This is a free product for 32-bit Windows 2000 and XP, and requires a reboot after installation.
For this review, I installed the program on the same system described in my previous column. I then ran both the “Search for rootkits” and “Perform in-depth search” scans. In both cases, the application reported nothing found and showed a small ad for the full product.
For a product designed to report only confirmed rootkits, this is exactly what you should expect. This also matches the results obtained by PC Magazine in the publication’s April 2007 review of AVG Anti-Rootkit and the other two programs I discuss in today’s column.
Panda Anti-Rootkit gets good rating
Panda Anti-Rootkit can be downloaded only via the company’s research and blog pages, as best I can determine.
The program’s help page indicates that the application runs on Windows XP and Windows 2000 Workstation SP4. The page also says you must contact Panda tech support if you want to run the app on Windows 2000 Server or Windows Server 2003. (Note: the blog entry I linked to in the preceding paragraph mentions version 1.07, but the link actually downloads 1.08, which is the version I tested.)
The results of my scan were similar to the AVG tool. The Panda program doesn’t install its full package onto a hard drive, but does request a reboot in order to perform an in-depth scan. It also checks via the Internet for some kind of update.
Since the program doesn’t actually install itself onto a PC, I’m left wondering how I might go about removing the few files it does leave behind after running. In case you were wondering, these tools want to reboot because they install drivers, presumably to give themselves kernel access. I know they’re installing drivers because Microsoft’s Windows Defender program tells me so while the tools are working.
The Panda application, like AVG’s, also found no known rootkits on my system. It didn’t find anything worth reporting, for that matter. The company’s blog entry suggests that the program has some anomaly-detection features, but these functions didn’t come into play in my case.
It’s definitely worth mentioning that PC Magazine gave its Editor’s Choice award to Panda in the magazine’s April review. Keep in mind that PC Mag installed a number of actual rootkits when conducting its shoot-out, so the publication’s results are a more extensive test than was possible for my overview here.
Sophos Anti-Rootkit finds ephemeral anomalies
Sophos Anti-Rootkit is free after you provide a small amount of personal information to get the download.
According to the manual, the Sophos product runs on NT4 (updated with the latest service pack) through Windows 2003, with some limitations on NT4. The manual doesn’t say so, but the list of supported operating systems seems to me to include only the 32-bit versions. You download an installer of sorts (it wants to unpack into the Program Files directory), but the app didn’t require me to reboot.
The Sophos product seems to do a little more anomaly detection than the other two programs I’m reviewing here. When I ran the app the first time, it identified several “hidden” files, all of which turned out to be innocuous in my case. On a second run, strangely, the program did not find the same files but instead found a hidden Registry key.
The hidden Reg key was related to Windows Media Player, and I happened to be using WMP at the time. Either the scanner got lucky and found a hidden key that’s used by WMP for a few moments, or some kind of false alarm related to object access is happening.
Sophos Anti-Rootkit, like the other two programs I discuss in this article, didn’t find any known rootkits on my system. PC Mag also reviewed this product, ranking it not quite as highly as the others, citing weaker removal. The magazine reported that Sophos was able to identify known rootkits, so the program must contain at least some signature technology.
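The two detection styles contrasted at the top of this column, and the "ephemeral" hidden Registry key the Sophos scanner turned up, both come down to a few lines of logic. The block below is an added illustration, not code from AVG, Panda or Sophos: signature detection is a lookup of file hashes against a set the vendor has already analysed, while anomaly detection of hidden objects is a cross-view diff (an enumeration that bypasses the normal API, compared against what the API reports). Because the two views are captured at different instants, an object created or deleted in between shows up as a one-off difference, which is the kind of transient alarm a WMP key in active use can produce; re-sampling and keeping only items hidden in every snapshot filters that out. All file contents, names and Registry key lists here are constructed sample data, and the "known-bad" hash is computed from a made-up byte string, not a real indicator.

```python
"""Signature vs. anomaly (cross-view) rootkit detection on constructed data.
Added example; not code from any product reviewed in this column."""
import hashlib
from typing import Dict, Iterable, List, Set, Tuple

# --- Constructed sample "files" (name -> bytes), standing in for a disk scan.
# "demo_hook.sys" is a made-up stand-in for a sample a vendor has analysed.
SAMPLE_FILES: Dict[str, bytes] = {
    "ntoskrnl.exe": b"constructed bytes: legitimate kernel image",
    "wmplayer.exe": b"constructed bytes: media player",
    "demo_hook.sys": b"constructed bytes: driver the vendor has a signature for",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# A signature database is a set of hashes of already-analysed samples.
# Here it holds only the hash of the constructed sample above.
KNOWN_BAD: Set[str] = {sha256(SAMPLE_FILES["demo_hook.sys"])}


def signature_scan(files: Dict[str, bytes], known_bad: Set[str]) -> List[str]:
    """Report only files whose hash matches a known signature.
    Unknown files are never flagged, so hits need no interpretation,
    but a sample the vendor has not seen is missed entirely."""
    return sorted(name for name, data in files.items() if sha256(data) in known_bad)


def cross_view_diff(api_view: Set[str], raw_view: Set[str]) -> Set[str]:
    """Anomaly (cross-view) detection: objects present in a low-level
    enumeration but absent from the high-level API view were hidden
    from the API by something, possibly a rootkit hook."""
    return raw_view - api_view


def confirm_hidden(
    snapshots: Iterable[Tuple[Set[str], Set[str]]]
) -> Tuple[Set[str], Set[str]]:
    """Each snapshot is (api_view, raw_view) captured at one instant.
    An object created or deleted between the two enumerations appears
    hidden in that snapshot only. Items hidden in every snapshot are
    reported as persistent; the rest are transient and need a rescan
    rather than removal."""
    diffs = [cross_view_diff(api, raw) for api, raw in snapshots]
    if not diffs:
        return set(), set()
    persistent = set.intersection(*diffs)
    transient = set.union(*diffs) - persistent
    return persistent, transient


# --- Constructed Registry snapshots (hypothetical key names).
# "HKCU\\...\\HiddenKey" is missing from the API view every time.
# "HKCU\\...\\WMP\\Session" exists only briefly and is caught mid-creation
# in the second snapshot, so it looks hidden exactly once.
SNAPSHOTS = [
    ({"HKLM\\Base", "HKCU\\App"},
     {"HKLM\\Base", "HKCU\\App", "HKCU\\HiddenKey"}),
    ({"HKLM\\Base", "HKCU\\App"},
     {"HKLM\\Base", "HKCU\\App", "HKCU\\HiddenKey", "HKCU\\WMP\\Session"}),
    ({"HKLM\\Base", "HKCU\\App"},
     {"HKLM\\Base", "HKCU\\App", "HKCU\\HiddenKey"}),
]


def demo() -> Tuple[List[str], Set[str], Set[str]]:
    """Run both detectors on the constructed data."""
    hits = signature_scan(SAMPLE_FILES, KNOWN_BAD)
    persistent, transient = confirm_hidden(SNAPSHOTS)
    return hits, persistent, transient


if __name__ == "__main__":
    hits, persistent, transient = demo()
    print("signature hits:", hits)
    print("persistently hidden:", sorted(persistent))
    print("transient (rescan, do not remove):", sorted(transient))
```

The signature scanner stays silent on everything it has no hash for, which is exactly the "nothing found" result the three products gave on a clean machine; the cross-view scanner raises questions instead of answers, and the snapshot intersection is the minimum a user should do before treating a single hidden object as evidence of a rootkit.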
Use both types of rootkit detectors
These brief tests lead me to the same conclusion that I reached in my previous column: you should use as many of these detection tools as you’re comfortable with, if you think you’ve got a rootkit.
In particular, I’d first try the anomaly tools myself. If I found something worrisome via anomaly detection, the next thing I’d reach for would be a few signature-based tools.
You may have noticed that for each of the three products mentioned, I linked to a PC Magazine review. That’s one of the few useful reviews of these tools that I could find. The main article is entitled Rooting out Rootkits. The only other review I found that’s worth mentioning is from InformationWeek: Six Rootkit Detectors Protect Your System.
The InformationWeek review includes some programs that are at the far end of anomaly-detection tools. From what I’ve seen, I’d classify them as advanced system tools. For instance, I briefly tried IceSword but felt a little lost. In addition, I couldn’t even find a downloadable copy of InformationWeek’s favorite choice, Rootkit Unhooker. The servers in Russia where the program can normally be found apparently got hacked into last week and all of the links are down. I’m not getting a warm, fuzzy feeling for the program here.
To me, signature-based tools at this point have a significant advantage over the anomaly detectors. If you don’t know much about Windows internals, signature-based antirootkit tools aren’t going to present you with a lot of false positives that you’ll have to interpret. That means you have fewer opportunities to make a mistake, deleting something that’s actually harmless or even necessary to your system.
The Perimeter Scan column gives you the facts you need to test your systems to prevent weaknesses. Ryan Russell is quality assurance manager at BigFix Inc., a configuration management company. He moderated the vuln-dev mailing list for three years under the alias “Blue Boar.” He was the lead author of Hack-Proofing Your Network, 2nd Ed., and the technical editor of the Stealing the Network book series.
Publisher: AskWoody LLC (woody@askwoody.com); editor: Tracey Capen (editor@askwoody.com).
Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. AskWoody, Windows Secrets Newsletter, WindowsSecrets.com, WinFind, Windows Gizmos, Security Baseline, Perimeter Scan, Wacky Web Week, the Windows Secrets Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of AskWoody LLC. All other marks are the trademarks or service marks of their respective owners.
Copyright © 2025 AskWoody LLC, All rights reserved.