Unacceptible Update Procedure!!!! :(

[Digerati]

The logic and policy for the way the updates are distributed is flawed and unacceptable - especially for a security app. Are the servers really that busy (inadequate?) that roll-outs need to take many days, or even  weeks? I am not buying it and do not accept it as standard procedure, or as an acceptable security practice.

Here it is, a full 2 weeks after the release of V3.2 and I still have not been offered the update. I am still at 3.1.2.1733 and when I manually tell Malwarebytes  to "Install Application Updates" it incorrectly and falsely reports I am "Current" and "No updates are available". This is very frustrating when I know it simply is not true!

And it is very misleading!

Yet I can visit https://www.malwarebytes.com/ (or other download sites) and download the full package with the latest build, no problem. I am a paying customer and I feel, as a paying customer, the concern is all about getting new customers, not supporting me.

What sort of confidence am I suppose to get from my security program when I know it is out of date? Am I really supposed to tell my elderly friends and clients (who I convinced should buy this program) that it is okay their security is outdated? When, for years I've been harping at them to keep Windows AND their security programs current as their #1 user responsibility for "practicing safe computing"?

I have been a long long time supporter (and buyer) of Malwarebytes (since my ComputerCops/CastleCops days working with many of the founders). And I really like the program and think it one of, if not the best out there. But this unacceptable and severely flawed update distribution policy is making me reconsider what I use, and what I recommend my clients use.

I should not, and certainly "normal users" should not have to constantly check the website for new updates because the program itself is incapable of keeping itself current.

[Firefox]

I will let staff reply to your concerns... as for application updates.... If I am not mistaken it is now fully implemented in version 3.2.2 as mentioned in the release notes...

Usability

• Clicking ‘Install Application Updates’ button now downloads available component updates and releases regardless of limits in place for automatic update delivery

I think I updated my 3.2.1 using this feature but I really don't remember... (so your not getting any update when you click that?)

 

[Digerati]

Please note I clearly stated above when I click "Install Application Updates", I get, "No updates are available". That's my complaint. And this is not a new complaint, BTW. It has been this way since 3.x was first released with the typical reason given being to prevent swamping the servers. 

If you are saying once users finally get fully updated to 3.2.2 they will always be offered the latest update when they click that button, then great. But of course how would users know that if they never knew 3.2.2 was out there? I note when I look here, 3.2.2 is not listed and the notes that are there for 3.2 just released Aug 22 don't address the issues I brought up. 

[Firefox]

Totally understand your complaint... and I will let staff address all your concerns... I know that Application updates is new, and I also know its fully implemented in version 3.2.2 going forward.  It was introduced in the previous versions however I don't believe it was fully functional at that time.

I agree with you on the updates, they should be rolled out to all users in a more timely manner. 

[Digerati]

 

15 minutes ago, Firefox said:

I agree with you on the updates, they should be rolled out to all users in a more timely manner. 

Yeah, I don't know if they just need to buy more bandwidth or server space, or just change the policy, but users need to feel confident their security is protecting them - especially since more and more "new" threats occur every day, with many being "zero-day". It does not matter if they really are fully protected, if confidence is lost (and it is for many) then they will move to other options. 

Thanks.

[Porthos]

4 minutes ago, Digerati said:

but users need to feel confident their security is protecting them - especially since more and more "new" threats occur every day, with many being "zero-day".

That is part of the 10-20 definitions updates pushed each day. Program updates are not that often.

 

[Digerati]

11 minutes ago, Porthos said:

That is part of the 10-20 definitions updates pushed each day. Program updates are not that often.

That makes perfect sense. 1000s of new malicious code hits the "wild" every day. But when a program update is officially released and announced, IMO my installed application should alert me to it almost immediately - certainly not weeks later. And certainly, it should alert me to the new program update when I manually tell it to check for one. It should not be telling me I am current and no updates are available when I know that is not true. It is almost like Sylvester, with yellow feathers sticking out of his mouth, claiming he does not know where Tweety Bird is. He is lying right to our faces. Only with a security app, it is very serious.

[dcollins]

As mentioned, we did address this in the 3.2.2 release. While our updates are generally staggered out for a few different reasons, when a user clicks "Check for Updates" it should show them if there are updates available. Once 3.2.2 is installed, this is how it behaves

[Digerati]

That's great. Thanks for stepping in Devin. I really hope it works as suggested. If it does, that will end a lot of anguish.

Manually updating to 3.2.2 works for me because I know my way around computers. But many of my senior (or more senior than me) clients don't. So I often end up going to visit and, "Oh by the way, while I'm here, let me make sure everything is updated." Some have asked me why it was out-of-date, or worse, if they had done something wrong.

So how long should users of 3.1.2 be expected to wait until the program alerts them to such program updates? Like I said, some, like me with my main computer, are still waiting after 2 weeks for 3.2 and now we seem to be at 3.2.2.

[dcollins]

@Digerati every release is different. We usually start our release slowly to try and catch any issues that QA may have not seen and then gradually open the flood gates more. However in some releases where we have issues, we'll slow down the release while we try to fix the issues so more people aren't impacted.

[bru]

Couldn't agree more with the OP.  Really shouldn't have to stay on top of when the program is updated and manually do the updating, it should happen automatically.  IME since v3 was released one can not be be sure if it will automatically update.  I was never offered the update to 3.0 from 2.x on one computer.  I guess I could have kept going to see if it would have eventually showed but after several months I decided I would update myself.  There is no way this was due to metering.  All of my other computers had gotten the update in a reasonable amount of time.

Same thing happened going from 3.0->3.1, eventually manually installed on all.  All computers are on 3.1 and none have gotten 3.2 (or 3.2.2).  

[dcollins]

The updates from 2.x to 3.x were extremely limited, because we didn't want to introduce new issues. With 3.2, we started making the updates more readily available to 2.x users. That being said, 3.2.2 hasn't been out that long, and with some of the issues we've been seeing, updates are coming out slowly to users.

You will get the application updates eventually, it's just a matter of time. The most important updates are the database updates, and those comes out multiple times a day to all users.

[bru]

3 minutes ago, dcollins said:

The updates from 2.x to 3.x were extremely limited, because we didn't want to introduce new issues. With 3.2, we started making the updates more readily available to 2.x users. That being said, 3.2.2 hasn't been out that long, and with some of the issues we've been seeing, updates are coming out slowly to users.

You will get the application updates eventually, it's just a matter of time. The most important updates are the database updates, and those comes out multiple times a day to all users.

If there are "issues" causing the release to be sent out "slowly" should it really be recommended to download the update as it is?  Hearing this maybe it is best to wait until the update is offered, but as I said I never was offered updates, even going from 3.0 to 3.1 iirc.

 

[Digerati]

19 hours ago, dcollins said:

@Digerati every release is different. We usually start our release slowly to try and catch any issues that QA may have not seen and then gradually open the flood gates more. However in some releases where we have issues, we'll slow down the release while we try to fix the issues so more people aren't impacted.

Let me start by saying I suspect you, dcollins, are stuck between a rock and hard place - that is, you are stuck defending Malwarebytes while having to deal with upset, sometimes irrational users, but often with legitimate complaints. I have worked tech support for many years. I feel your pain. So just wanted you to know I appreciate the position you are in, and the support you give to us upset, sometimes irrational users.

*****

[Rant on]

I guess I just have a different concept of how software development should work (as a hardware guy, one of my "other hats" for 10 years at a major software development company was as an alpha and beta tester). It just seems like there is not enough "in-house" beta testing going on since 3.0 first came out. I mean 3.0 was pushed out before the holidays last year and it clearly was not even finished - evidenced by all the features (like "?" buttons) that did not work. I accept and fully understand that in-house beta testing cannot foresee every possible scenario that may be encountered out in the field. But that's what external or "out-sourced" beta testers are for. Surely those problems were noticed but the program was pushed out anyway. Again, I accept and understand that even with extensive out-sourced beta testing, some bugs will get through. But is just seems like, instead of thorough pre-release beta testing, regular end-users (us consumers) are being relied on to beta test too. It should not be that way.

The disappointment really stems from the fact these are lingering problems. That is, it "seems" like the update release issues have not really improved and here it is almost 10 months since 3.0 was released.   You likely have access to the analytics so maybe from your side, they have gotten a lot better. But not from our side. It just "appears" many of the same problems either keep happening over and over, or they just are not being addressed. And appearances count for a lot.

I said it before but it is worth repeating; Malwarebytes is a great program. I still use, support and recommend it to friends, family and clients. Perhaps that's why it stings so much to see and experience these recurring issues. My reputation with my clients is on the line here too.

Again, if 3.2.2 really addresses the issue of the program claiming "No updates are available" then that will be great. But that's just on the manual side. I am not confident consumers will not still be waiting days, perhaps weeks for the program to "eventually" report automatically that an update is available. I agree with bru, that sort of unacceptable delay cannot all be due to metering.

I will "hurry up and wait" to see if my 3.1.2 eventually reports a program update is available. And after 24 years in the military, I am a certified master at "hurry up an wait". But my patience is wearing thin.

[Rant off]

[dcollins]

2 hours ago, bru said:

If there are "issues" causing the release to be sent out "slowly" should it really be recommended to download the update as it is?  Hearing this maybe it is best to wait until the update is offered, but as I said I never was offered updates, even going from 3.0 to 3.1 iirc.

 

The issues people are seeing aren't related to the product stability, it's related to the install process. You can see quite a few threads where MB3 is uninstalling itself. Luckily it's an easy fix for most people where re-installing fixes it, so rather than shut off upgrades completely we're slowly rolling them out as most people aren't experiencing this issue, just a select number. In cases of larger issues or stability issues, like the Vista 64-bit issue we had, we stop updates entirely.

[Porthos]

1 hour ago, Digerati said:

in-house beta testing cannot foresee every possible scenario

There was also open testing many of us regulars did in a section you have not yet reached enough posts to access. Plus public Beta testing open to all before it was officially released on Dec 8, 2016. During my testing on 4 different Win 10 systems, I found no show stopping issues.

But after the floodgates opened and  MB encountered so many different computer hardware and more importantly software configurations things became more apparent.  These issues were fixed and metering was increased and then more things became apparent and were fixed.  so on and so on.

 

[Digerati]

20 hours ago, Porthos said:

Plus public Beta testing open to all before it was officially released on Dec 8, 2016. During my testing on 4 different Win 10 systems, I found no show stopping issues.

We are really talking several different issues here - some developmental, others clearly on the management side. I am actually okay with "bugs" because "stuff happens". And the more complex the program, the greater the potential for bugs sneaking in. What I am not okay with is known bugs and broken/incomplete features that have taken months to address.

The program reporting various protection features were turned off was a big problem that should have been caught in in-house beta. If not in-house, then in open and/or public beta. When it comes to in-house beta testing, it should be all hands on deck - that's over 170 employees on a lot more computers than that.

The various incomplete features (like the "More Information" and "Get more information" buttons not working) should have been fixed BEFORE the program was even sent to in-house beta. But somebody decided to rush it out the door before the holidays. Even now, while a nit-noid issue, why is it "More Information" on one page and "Get more information" on another page? Note the inconsistencies in the upper and lower case letters used. These dot the i's and cross the t's little details reveal a lack of attention to the details and those are things that detract from the over all excellence of the program.

Install issues should be found during beta but what happens so often in beta is testers manually install (often uninstalling old versions first). But that's not proper testing because that is not how normal users do it. So problems go unnoticed.

I just checked my notebook and admittedly, it only gets powered up 2 or 3 times a week. But I note it is still on 3.0.6 and when I tell it to look for updates, it says there are none. And this problem is just now being addressed in 3.2.2 -  a full 9 months after 3.x was released. And actually the problem (the program staying current in a timely fashion) is only partially addressed as the fix only addresses manually checking for application updates. I note today on this computer (which is on 6 - 8 hours every day, 7 days a week) it tells me "No updates are available". I don't accept that do to metering. Having to wait weeks for the program itself to alert us to new application updates is just unacceptable.

Again, I do appreciate what you guys in the forums are doing. And I do have great respect for everyone at Malwarebytes. I guess part of the problem is MBAM (2.x) was such a great program, it established a reputation hard (too hard?) to live up to. And the "appearance" is, standards have dropped. That probably is NOT fair. But no one said life is fair.

Any way, I have 3.2.2 on my secondary/test system and hopefully will see the "Install Application Updates" works as reported. But in reality, what I really hope to see is the program automatically alerts me to a new application update first - instead of having to wait weeks before being offered the update (assuming I "eventually" will get it).

[Porthos]

10 minutes ago, Digerati said:

But in reality, what I really hope to see is the program automatically alerts me to a new application update first - instead of having to wait weeks before being offered the update (assuming I "eventually" will get it).

18 minutes ago, Digerati said:

I don't accept that do to metering. Having to wait weeks for the program itself to alert us to new application updates is just unacceptable.

I would hate to see a faulty release offered to over a million users even over a week when we have a working program running with current definitions protecting out systems. Better to break a few at a time then all at once.

13 minutes ago, Digerati said:

Install issues should be found during beta but what happens so often in beta is testers manually install (often uninstalling old versions first). But that's not proper testing because that is not how normal users do it. So problems go unnoticed.

We were specifically asked to install over the top.  Not to clean install. But again I can not link you to that because you are not yet part of that user group.

16 minutes ago, Digerati said:

The various incomplete features (like the "More Information" and "Get more information" buttons not working) should have been fixed BEFORE the program was even sent to in-house beta. But somebody decided to rush it out the door before the holidays. Even now, while a nit-noid issue, why is it "More Information" on one page and "Get more information" on another page? Note the inconsistencies in the upper and lower case letters used. These dot the i's and cross the t's little details reveal a lack of attention to the details and those are things that detract from the over all excellence of the program.

I agree with the above.

 

[Digerati]

2 hours ago, Porthos said:

I would hate to see a faulty release offered to over a million users even over a week when we have a working program running with current definitions protecting out systems.

I agree but that is not the point or case here. That suggests 3.2 and  3.2.2 are so flawed they should not be offered to the public at all! They are not so flawed - that I am aware of. If they were faulty, it would be irresponsible for Malwarebytes to provide it on their download page - which they did with 3.2 and are doing now with 3.2.2. Instead, they should have been pulled and the last known good release put in their place.

But they didn't pull them.

So why am not being offered the latest updates weeks later?

2 hours ago, Porthos said:

We were specifically asked to install over the top.

Glad to hear that, but then I wonder why the many install issues dcollins mentioned weren't discovered. ??? Not enough testers? Testers not reporting problems?

2 hours ago, Porthos said:

I agree with the above.

[dcollins]

@Digerati the reason you aren't being offered the update is because the meter has been limited. You're right, the issue isn't enough to stop the release entirely, but it's enough that we want to wait for a solution before we start offering the in-app upgrades again. If users want to manually download 3.2 and install it, they can still do that though as those users are taking a direct action to make sure that MB3 is installed versus running an in-app upgrade that they are expecting to work.

As for how issues are missed, the simple answer is that there is never enough testers to catch every bug. Primarily because there are so many different possible combinations of software on machines that it's impossible to make sure every scenario is tested. The internal MB3 QA team has a list of scenarios we test against, and that list is always growing based on new issues that get reported from the field. But again, we'll never be able to test every scenario.

This is why we asked for beta testers, but even in this scenario, we won't catch everything. No software does. We do our best to catch as many issues as we can and try to fix any other issues in an efficient manner.

[Digerati]

6 minutes ago, dcollins said:

@Digerati the reason you aren't being offered the update is because the meter has been limited. You're right, the issue isn't enough to stop the release entirely, but it's enough that we want to wait for a solution before we start offering the in-app upgrades again.

I hear you. I am just finding it hard to understand why the upgrades are good enough for new users trying out the program, but not good enough for existing users. You say it is stopped for in-app upgrades but many are offered the upgrade automatically through the app. Letting it trickle out like this just seems odd to me. And again, we are talking weeks, not days.

6 minutes ago, dcollins said:

Primarily because there are so many different possible combinations of software on machines that it's impossible to make sure every scenario is tested.

I understand that completely too - as I myself stated above. I still beta test for Microsoft (with many beta testers) and Firetrust (with few testers) so this is not foreign to me. Plus I fully understand that virtually every single one of the 1.5 billion Windows computers out there becomes a unique system with minutes after the first boot as users configure their networking, user accounts, desktops, security, installed apps, etc. So I know it is a challenge.

[dcollins]

@Digerati the reason it's "good enough for new users" is that they're most likely doing a clean install of MB3. The issue is happening during the upgrade process where MB3 uninstalls itself. So if you don't have MB3 installed yet, then you shouldn't have any issues.

As for the in-app upgrades, I just confirmed that the updates haven't been stopped entirely, they're just very limited. This is because this issue doesn't impact the majority of users, just in specific upgrade scenarios. Also, anyone who has already received the update notification will continue to get the prompt until they install the latest version or remove the already downloaded package.

[Digerati]

Your explanations make sense. Thanks. I generally am more patient these days, but waiting weeks seems too long - plus this seems to be a recurring issue. Thus my frustration.

[TheThornWithin]

I am running 3.1.2.1733 and am perfectly happy to wait. I know my computer is protected. I have had to wait for each incremental update and I will continue to do so. Especially when there is an issue ensuing. I am not a newb that MUST have the latest, greatest immediately. I have never needed to keep up with the Joneses.

[Nate-Dogg]

This is a bit over the top Bill.

Since you are, as you say, a "Microsoft MVP" I'm curious to know how you feel about Microsoft's Windows Update schedule. Especially the security updates they roll out, or more importantly the security updates which patch 'zero-day' exploits as they do not roll out globally within 24 hours.

 

I can't understand why you're trying to pick a fight with Malwarebytes.

As a consultant for I.T you should understand that nearly all customers have little to zero knowledge about technology, if Malwarebytes rolled out 3.2.2 to everyone immediately and all your customers installed it, but were affected by the uninstall bug then you would be even more livid than you are now purely because they are now worse off as they are more exposed. (I know it's only impacting a minority, but it doesn't mean there will not be another issue like this in the future)

Even though there is an issue with the in-built updater not issuing the latest update, as someone who knows something about tech, visiting a website to download the latest version is not foreign to you. Exactly like browsing Microsoft's catalogue for the latest Windows Update before it reaches specific countries/computer builds.

I will admit, I stopped reading when I saw the text [rant on] as I thought it was already laid on too thick, but I just had to comment on what I read.

 

Edit: Windows is not free, we're all paying customers here. Even if it is a one off fee.

Edited September 7, 2017 by Nate-Dogg
Added that Windows also is not free.