Jump to content

[ RESOLVED ] Plans for Deprecation of SHA-1 Code Signing / Win XP and Vista

lmacri
 Share

Recommended Posts

lmacri

lmacri

Posted
Posted

I noticed that the 08-Apr-2021 release notes <here> for the new Component Package v1.0.1251 update state in part:

Quote

What's New:

  • Support for more automatic updates
  • Prepare for deprecation of SHA-1 Code Signing and support for SHA-2 requirements
  •  Improved messaging for Malwarebytes Teams for 1-9 users and 100+ user

Further to Microsoft's July 2020 announcement at Windows Update SHA-1 Based Endpoints Discontinued for Older Windows Devices, does this mean that Malwarebytes plans to end support for Win XP SP3 and Vista SP2 users who use the legacy Malwarebytes v3.5.1-1.0.365? I just downloaded a fresh copy of the latest v3.5.1 installer (mb3-setup-legacywos-3.5.1.2522-1.0.365-1.0.5292.exe) from https://downloads.malwarebytes.com/file/mb3_legacy and it's currently dual-signed with both SHA-1 and SHA-256 digital certificates.

2088130569_MBv3_5_1InstallerDualSHA1SHA256DigitalCertificates08Apr2021.png.f75635dc0f9ff4f7adff0a06585e78a8.png

Link to post
Share on other sites
  • Staff
Malwarebytes

Malwarebytes

Posted
  • Staff
Posted

***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes for Windows Help forum.

If you are having technical issues with our Windows product, please do the following:

Malwarebytes Support Tool - Advanced Options

This feature is designed for the following reasons:

  • For use when you are on the forums and need to provide logs for assistance
  • For use when you don't need or want to create a ticket with Malwarebytes
  • For use when you want to perform local troubleshooting on your own

How to use the Advanced Options:

Spoiler
  1. Download Malwarebytes Support Tool
  2. Double-click mb-support-X.X.X.XXXX.exe to run the program
    • You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
  3. Place a checkmark next to Accept License Agreement and click Next
  4. Navigate to the Advanced tab
  5. The Advanced menu page contains four categories:
    • Gather Logs: Collects troubleshooting information from the computer. As part of this process, Farbar Recovery Scan Tool (FRST) is run to perform a complete diagnosis. The information is saved to a file on the Desktop named mbst-grab-results.zip and can be added as an email attachment or uploaded to a forum post to assist with troubleshooting the issue at hand.
    • Clean: Performs an automated uninstallation of all Malwarebytes products installed to the computer and prompts to install the latest version of Malwarebytes for Windows afterwards. The Premium license key is backed up and reinstated. All user configurations and other data are removed. This process requires a reboot.
    •  Repair System: Includes various system-related repairs in case a Windows service is not functioning correctly that Malwarebytes for Windows is dependent on. It is not recommended to use any Repair System options unless instructed by a Malwarebytes Support agent.
    • Anonymously help the community by providing usage and threat statistics: Unchecking this option will prevent Malwarebytes Support Tool from sending anonymous telemetry data on usage of the program.
  6. To provide logs for review click the Gather Logs button
  7. Upon completion, click OK
  8. A file named mbst-grab-results.zip will be saved to your Desktop
  9. Please attach the file in your next reply.
  10. To uninstall all Malwarebytes Products, click the Clean button.
  11. Click the Yes button to proceed. 
  12. Save all your work and click OK when you are ready to reboot.
  13. After the reboot, you will have the option to re-install the latest version of Malwarebytes for Windows.
  14. Select Yes to install Malwarebytes.
  15. Malwarebytes for Windows will open once the installation completes successfully.

Screenshots:

Spoiler
 
 
 
 
Spoiler

 

 

01.png

02.png

03.png

04.png

05.png

06.png

 

 

If you are having licensing issues, please do the following: 

Spoiler

For any of these issues:

  • Renewals
  • Refunds (including double billing)
  • Cancellations
  • Update Billing Info
  • Multiple Transactions
  • Consumer Purchases
  • Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/hc/en-us/requests/new to get help

If you need help looking up your license details, please head here: Find my premium license key

 

 

Thanks in advance for your patience.

-The Malwarebytes Forum Team

Link to post
Share on other sites
  • 2 weeks later...
lmacri

lmacri

Posted
  • Author
Posted

Hi AdvancedSetup:

I've been following eliuri's 17-Apr-2021 thread "A Missing Security Update is Required to Update MB": What Still Updates? and the 07-Apr-2021 Malwarebytes support article Windows 2019-09 Security Update for Windows Devices Running Malwarebytes Home Products seems to imply that Windows 7 SP1 users who have not patched their OS to end of extended support on 14-Jan-2020 must install the KB4474419 (SHA-2 Code Signing Support Update for Windows 7, released 23-Sep-2019) if they wish to continue receiving new Malwarebytes v4.x product updates.  However, there is a link in that support article for a dual-signed SHA-1/SHA-2 "legacy" v4.x installer at  https://downloads.malwarebytes.com/file/mb4_sha-1 that Windows 7 SP1 users will be able to use for new installs / re-installs that will allow them to stay on an older version of Malwarebytes v4.x and continue receiving malware definition updates if they don't want to add SHA-2 code signing support to their Win 7 SP1 OS.

That gives me greater confidence that Win XP SP3 and Vista SP2 machines that only support SHA-1 code signing will also be allowed to continue using the dual-signed SHA-1/SHA-2 legacy Malwarebytes v3.5.1-1.0.365 installer (mb3-setup-legacywos-3.5.1.2522-1.0.365-1.0.5292.exe) from https://downloads.malwarebytes.com/file/mb3_legacy once Malwarebytes begins releasing v4.x installers that are signed exclusively with SHA-2 digital certificates - at least in the immediate future.

Link to post
Share on other sites
  • Root Admin
AdvancedSetup

AdvancedSetup

Posted
  • Root Admin
Posted

Hello @lmacri

Personally, I would highly recommend that you do update to the new SHA 2. I have a couple of Windows 7 Virtual systems that I've updated to all the latest greatest updates and all works pretty well for me.

 

Please see the following links to help you get updated.

How to obtain and install Windows 7 SP2
https://answers.microsoft.com/en-us/windows/forum/windows_7-update/how-to-obtain-and-install-windows-7-sp2/c2c7009f-3a10-4199-9c89-48e1e883051e

Update to enable TLS 1.1 and TLS 1.2 as default secure protocols in WinHTTP in Windows
https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-default-secure-protocols-in-wi

 

 

 

 

Link to post
Share on other sites
lmacri

lmacri

Posted
  • Author
Posted (edited)
11 hours ago, AdvancedSetup said:

Hello @lmacri

Personally, I would highly recommend that you do update to the new SHA 2. I have a couple of Windows 7 Virtual systems that I've updated to all the latest greatest updates and all works pretty well for me...

Hi AdvancedSetup:

I don't have a machine with Win 7 SP1 , only Win 10 v20H2 (my main machine) and a Vista SP2 test machine patched to end of support on 11-Apr-2017 that I occasionally boot up  to help other Vista SP2 users troubleshoot their problems.

I am aware that there are Win Server 2008 SP2 (build 6.0.600x.xxxxx) updates released after 11-Apr-2017 that can add SHA-2 code signing and TLS 1.1/TLS 1.2 connection protocols to my Vista SP2 OS but as far as I know those Win Server 2008 SP2 updates aren't required as long as Malwarebytes continues to allow Win XP and Vista  users to download and install the legacy Malwarebytes v3.5.1 installer from https://downloads.malwarebytes.com/file/mb3_legacy that is dual-signed with SHA-1 / SHA-2 digital certificates.
----------
64-bit Win 10 Pro v20H2 build 19042.928 * Firefox v87.0 * Microsoft Defender v4.18.2103.7 * Malwarebytes Premium v4.3.0.98-1.0.1251
Dell Inspiron 15 5584, Intel i5-8265U CPU, 8 GB RAM, Toshiba KBG40ZNS256G 256 GB NVMe SSD, Intel UHD Graphics 620
----------
32-bit Vista Home Premium SP2 * Firefox ESR v52.9.0 * Malwarebytes Free v3.5.1.2522-1.0.365
HP Pavilion dv6835ca, Intel Core2Duo T5550 @ 1.83 GHz, 3 GB RAM, NVIDIA GeForce 8400M GS

 

Edited by lmacri
Link to post
Share on other sites
  • Root Admin
AdvancedSetup

AdvancedSetup

Posted
  • Root Admin
Posted

Again, as in my other post. It's your machine so obviously it's your choice to install updates or not. But for other users here on the forums or anyplace else I'd help someone I would highly recommend that a user install ALL security fixes from Microsoft unless proven that something was obviously wrong with the fix. (in those cases Microsoft will pull them on their own anyways) 

Unless you're running Windows 10 you're already running an OS that is either already unsupported by Microsoft or soon will be. Why wouldn't you want all the latest security updates if you're trying to stay on the older OS. Even that is difficult to understand for me since you can still get Windows 10 for free and it will run even on older hardware AND be supported by Microsoft.

 

Link to post
Share on other sites
lmacri

lmacri

Posted
  • Author
Posted
3 hours ago, AdvancedSetup said:

....Unless you're running Windows 10 you're already running an OS that is either already unsupported by Microsoft or soon will be. Why wouldn't you want all the latest security updates if you're trying to stay on the older OS. Even that is difficult to understand for me since you can still get Windows 10 for free and it will run even on older hardware AND be supported by Microsoft.

Hi AdvancedSetup:

As I stated <above>, I have a fully patched Win 10 v20H2 laptop and it is the only machine I use for browsing, email, word processing and other regular daily activities.

Quote

Personally, I would highly recommend that you do update to the new SHA 2. I have a couple of Windows 7 Virtual systems that I've updated to all the latest greatest updates and all works pretty well for me. Please see the following links to help you get updated....

I understand your point of view but I'm sill not clear what you're suggesting I do with my old Vista SP2 machine.  The links you posted <above> are for Win 7 SP1 updates.  I have an old Vista SP2 machine that is rarely booted up but it's fully patched patched to end of support for Vista SP2 (11-Apr-2017), and Microsoft never released SHA-2 code signing updates or TLS 1.1 / TLS 1.2 connection protocol updates for Vista SP2 before the end of support on 11-Apr-2017.  If you're suggesting I install Win Server 2008 updates released after 11-Apr-2017 to add SHA-2 code signing support and TLS 1.1 / 1.2 connection protocols I'd rather not do that since this is a test machine, and I want a "plain vanilla" Vista SP2 OS that closely matches what most other Vista SP2 users have so that I can see if I can replicate their problem when I'm helping them troubleshoot (e.g., when a web site is blocked, a software program won't install, etc.).

I also know that adding any Win 2008 Server update released after March 2019 will change my Vista SP2 build from 6.0.6002 to 6.0.6003 (see the MS support article Build Number Changing to 6003 in Windows Server 2008) and cause my Vista SP2 laptop to boot to a black screen.  See the June 2019 AskWoody.com thread Are Bluekeep Patches Causing BSODs with Server 2008 SP2 and Vista? for one example of how installation of the Win Server 2008 SP2 update KB4499180 causes problems on some Vista SP2 machines when the OS build is changed to 6.0.6003.
--------------------------------

When I started this thread all I wanted to know was whether Malwarebytes was going to remove the dual-signed (SHA-1 / SHA-2) legacy Malwarebytes v3.5.1.2522-1.0.365 installer from the download servers at https://downloads.malwarebytes.com/file/mb3_legacy now that future Malwarebytes v4.x installers will only be signed with SHA-2 digital certificates.  I gather the answer for now is "No" and that Malwarebytes will continue to support Win XP and Vista (at least in the short term) so I'm fine if you want to lock this thread now.
----------
64-bit Win 10 Pro v20H2 build 19042.928 * Firefox v88.0 * Microsoft Defender v4.18.2103.7 * Malwarebytes Premium v4.3.0.98-1.0.1251
Dell Inspiron 15 5584, Intel i5-8265U CPU, 8 GB RAM, Toshiba KBG40ZNS256G 256 GB NVMe SSD, Intel UHD Graphics 620
----------
32-bit Vista Home Premium SP2 * Firefox ESR v52.9.0 * Malwarebytes Free v3.5.1.2522-1.0.365
HP Pavilion dv6835ca, Intel Core2Duo T5550 @ 1.83 GHz, 3 GB RAM, NVIDIA GeForce 8400M GS

Link to post
Share on other sites
  • Root Admin
AdvancedSetup

AdvancedSetup

Posted
  • Root Admin
Posted

Just a bit of us being out of sync. You were replying to a user with Windows 7 so I assumed it was you. Then you posted about your Vista machine and saying it was not running latest. My point was that if you choose to run a computer at a lower than available security fix it's your choice but then saying please don't advise users here on the forums to do that.

If the update breaks your computer I can understand not using it. I've not researched it but there are many times that Microsoft will have an update that doesn't work right, but normally they either get fixed or pulled. Microsoft is not known to leave bad updates online and available.

Yes, we are not purposefully breaking or walking away from supporting XP, Vista, Windows 7, 8 but sooner or later at some point I'm sure we will as it gets harder and harder to support an older OS.

Okay then I'll go ahead and close the topic. If you do need anything else though please let me know

Cheers

 

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.