" A Missing Security Update is required to update MB": What still updates?

[eliuri]

Running Windows 7 SP1

I get above notice stating last night, which in turn prompts me to update Windows 7 with following update:

https://support.malwarebytes.com/hc/en-us/articles/1500004670861?affiliate=&uuid=74b90ce000b8ff274e737ea02fcc22f60b97ab4d&lang=en_US&staging=false&x-prodcode=MBAM-C&x-source=&version=4.3.0.98

 

I have chosen to not update Windows 7 for quite a while because WU was creating much system instability.

Question:

I see in fact that Malwarebytes package update version does continue to update. It is now at Update Package Version: 1.0.39503. Updated at 4/17/21 2:03 PM.

Am I correct that even when this Windows Update continues to be missing, MB does  continue to update its malware detection updates but just not its product updates?

So is it fair to say that MB is still relatively functional in terms of detecting new exploits and malware? Even without that missing Windows Update..

The above link states:

Quote

"For existing Malwarebytes users: If you cannot apply this Microsoft update or choose not to update, you can continue to use your installed Malwarebytes version which automatically remains compliant."

Just seeking clarification as to what "compliant" actually means in this context

Thanks

eliuri

Windows 7 SP 1

Malwarebytes 4.3.0.98

Update Package Version: 1.0.39503

Component Package Version: 1.0.1251

Edited April 17, 2021 by eliuri
typos and clarification

[Malwarebytes]

***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes for Windows Help forum.

If you are having technical issues with our Windows product, please do the following:

Malwarebytes Support Tool - Advanced Options

This feature is designed for the following reasons:

• For use when you are on the forums and need to provide logs for assistance
• For use when you don't need or want to create a ticket with Malwarebytes
• For use when you want to perform local troubleshooting on your own

How to use the Advanced Options:

Spoiler

1. Download Malwarebytes Support Tool
2. Double-click mb-support-X.X.X.XXXX.exe to run the program
   • You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
3. Place a checkmark next to Accept License Agreement and click Next
4. Navigate to the Advanced tab
5. The Advanced menu page contains four categories:
   • Gather Logs: Collects troubleshooting information from the computer. As part of this process, Farbar Recovery Scan Tool (FRST) is run to perform a complete diagnosis. The information is saved to a file on the Desktop named mbst-grab-results.zip and can be added as an email attachment or uploaded to a forum post to assist with troubleshooting the issue at hand.
   • Clean: Performs an automated uninstallation of all Malwarebytes products installed to the computer and prompts to install the latest version of Malwarebytes for Windows afterwards. The Premium license key is backed up and reinstated. All user configurations and other data are removed. This process requires a reboot.
   •  Repair System: Includes various system-related repairs in case a Windows service is not functioning correctly that Malwarebytes for Windows is dependent on. It is not recommended to use any Repair System options unless instructed by a Malwarebytes Support agent.
   • Anonymously help the community by providing usage and threat statistics: Unchecking this option will prevent Malwarebytes Support Tool from sending anonymous telemetry data on usage of the program.
6. To provide logs for review click the Gather Logs button
7. Upon completion, click OK
8. A file named mbst-grab-results.zip will be saved to your Desktop
9. Please attach the file in your next reply.
10. To uninstall all Malwarebytes Products, click the Clean button.
11. Click the Yes button to proceed. 
12. Save all your work and click OK when you are ready to reboot.
13. After the reboot, you will have the option to re-install the latest version of Malwarebytes for Windows.
14. Select Yes to install Malwarebytes.
15. Malwarebytes for Windows will open once the installation completes successfully.

Screenshots:

Spoiler

 

 

 

 

Spoiler

 

 

 

 

If you are having licensing issues, please do the following: 

Spoiler

For any of these issues:

• Renewals
• Refunds (including double billing)
• Cancellations
• Update Billing Info
• Multiple Transactions
• Consumer Purchases
• Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/hc/en-us/requests/new to get help

If you need help looking up your license details, please head here: Find my premium license key

 

 

Thanks in advance for your patience.

-The Malwarebytes Forum Team

[Porthos]

1 hour ago, eliuri said:

Just seeking clarification as to what "compliant" actually means in this context

I think that it means you are stuck with Malwarebytes 4.3.0.98 and when the next full version is released, you will not be able to install it.

It also means if you need to uninstall/ reinstall MB for any reason, you an only use the legacy version when reinstalling.

Quote

For new installs: You can download a compliant version of Malwarebytes for Windows below. This legacy version does not include all of the latest version features or functionality. The following installer applies for both Malwarebytes Home and Malwarebytes for Teams users:

• Malwarebytes for Windows legacy build

Over time more dirt will be thrown on the coffin of Windows 7 and more software company's will let support go for Windows 7.

[eliuri]

Thank you, Porthos

So it does update malware/exploit detection files, but just not  MB product updates? Do I have that right?

[Porthos]

1 minute ago, eliuri said:

Thank you, Porthos

So it does update malware/exploit detection files, but just not  MB product updates? Do I have that right?

From my understanding yes.

I understand everyone has their reason for keeping Windows 7 but in my normal repair capacity, All Windows 7 computers get upgraded or replaced when presented to me for service and since I deal only with home users, 99% of the time it is what they have heard (mostly misinformation) about Windows 10 or, the user can not afford the labor for me to do the "free" upgrade or replace the system.

I then respectfully tell that potential client I can not help them. I can understand some small businesses have software that will not work on 10 and cant or wont spend sometimes thousands  to upgrade that software. I am glad to hot have that user base.

[lmacri]

8 hours ago, eliuri said:

Running Windows 7 SP1

I get above notice stating last night, which in turn prompts me to update Windows 7 with following update:

https://support.malwarebytes.com/hc/en-us/articles/1500004670861?affiliate=&uuid=74b90ce000b8ff274e737ea02fcc22f60b97ab4d&lang=en_US&staging=false&x-prodcode=MBAM-C&x-source=&version=4.3.0.98

I have chosen to not update Windows 7 for quite a while because WU was creating much system instability...

Hi eliuri:

You might want to read Lawrence Abrams' 12-Mar-2019 BleepingComputer article Windows 7 Gets SHA-2 Support To Enable Future Updates as well as Microsoft's 14-Apr-2021 announcement Microsoft to Use SHA-2 Exclusively Starting May 9, 2021.  I don't have a Win 7 SP1 OS but my understanding is that if you turned off your Windows Update before September 2019 and did not receive KB4490628 (the Windows 7 Servicing Stack Update released 12-Mar-2019) and KB4474419 (SHA-2 Code Signing Support Update for Windows 7, released 23-Sep-2019) then you might find that you will soon see issues with other software besides Malwarebytes if that software also requires SHA-2 code signing support. The section titled "Current Status - Windows 7 SP1 and Windows Server 2008 R2 SP1 " in the MS support article 2019 SHA-2 Code Signing Support Requirement for Windows and WSUS has more information about these two updates.

If you go to Control Panel | Programs and Features | View Installed Updates and search for KB4490628 and KB4474419 do either of those updates appear in your list of installed updates? When searching, enter the full KB number in the search box (e.g., "KB4474419" and not a partial string like "4474419").
----------
64-bit Win 10 Pro v20H2 build 19042.928 * Firefox v87.0 * Microsoft Defender v4.18.2103.7 * Malwarebytes Premium v4.3.0.98-1.0.1251
Dell Inspiron 15 5584, Intel i5-8265U CPU, 8 GB RAM, Toshiba KBG40ZNS256G 256 GB NVMe SSD, Intel UHD Graphics 620

Edited April 18, 2021 by lmacri

[lmacri]

Hi eliuri:

Further to my previous post <here>, I noticed that NortonLifeLock also posted an announcement in their user forum on 16-Apr-2021 at SHA 2 Code Signing Support for Windows 7 that states in part:

Quote

What action is required for Norton users running Windows 7?

Norton recommends that users install KB4474419 - SHA-2 code signing support update on their PC to continue receiving Norton product updates. Any product updates above 22.21.3 will not be sent if the security patch in not installed. However, security updates will still be applied.

That seems to suggest that installing the  standalone .msu installer for KB4474419 from the Microsoft Update Catalog at https://www.catalog.update.microsoft.com/Search.aspx?q=kb4474419 windows 7 should be all you need to add SHA-2 support to your unpatched Win 7 SP1 machine if you want to continue receive Malwarebytes product updates beyond v4.3.0.98-1.0.1251.  To install these standalone .msu installers I normally download the the correct 32-bit (x86) or 64-bit (x64) .msu file and save it to my desktop, close my browser, and then double-click the .msu file to run the installer.

Support for Win 7 SP1 ended 14-Jan-2020 but you said in your original post that "I have chosen to not update Windows 7 for quite a while because WU was creating much system instability".  I don't know when you turned off Windows Update on your Win 7 machine but if you still haven't received KB4490628 (the Windows 7 Servicing Stack Update released 12-Mar-2019) someone who knows more about Windows 7 SP1 than I do might be able to tell you if it's advisable to manually install the KB4490628 Servicing Stack Update first before installing KB4474419.
----------
64-bit Win 10 Pro v20H2 build 19042.928 * Firefox v87.0 * Microsoft Defender v4.18.2103.7 * Malwarebytes Premium v4.3.0.98-1.0.1251
Dell Inspiron 15 5584, Intel i5-8265U CPU, 8 GB RAM, Toshiba KBG40ZNS256G 256 GB NVMe SSD, Intel UHD Graphics 620

[eliuri]

I believe I had  turned off Windows Updates well before that 2019 KB4490628  update. And I don't see it in my Control Panel list of updates.

Where would be best place to ask about proper sequence of downloading and installing those two?

I have had relatively few issues so far running Windows 7 SP 1--with Windows Updates disabled. And those updates were creating issues. Forget exactly what was going wrong with them, because it was so long ago. But if it's one or two standalone Windows Updates, I'd do it...Would u happen to know if those can be uninstalled if something goes wrong with the updates?

This Dell Inspiron does not have the capacity for Windows 10 I'm afraid. Which is why I havent upgraded to the current OS

Thanks

eliuri

Windows 7 SP1

64-bit

 

Edited April 18, 2021 by eliuri
typos

[AdvancedSetup]

I would recommend following these links and updating  your Windows 7 system.

How to obtain and install Windows 7 SP2
https://answers.microsoft.com/en-us/windows/forum/windows_7-update/how-to-obtain-and-install-windows-7-sp2/c2c7009f-3a10-4199-9c89-48e1e883051e

Update to enable TLS 1.1 and TLS 1.2 as default secure protocols in WinHTTP in Windows
https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-default-secure-protocols-in-wi

 

[lmacri]

19 hours ago, eliuri said:

I believe I had  turned off Windows Updates well before that 2019 KB4490628  update. And I don't see it in my Control Panel list of updates....

Hi eliuri:

Could you just confirm that both KB4490628 (the Windows 7 Servicing Stack Update released 12-Mar-2019) and KB4474419 (SHA-2 Code Signing Support Update for Windows 7, released 23-Sep-2019) are missing from your list of installed updates at Control Panel | Programs and Features | View Installed Updates? I don't have a Win 7 SP1 OS but this is an example of what I see when I search for KB4018466 on my old Vista SP2 machine:

Could you also let us know the approximate date you turned off Windows Update on your Win 7 SP1 machine? When you said in your original post that "WU was creating much system instability" do you recall what issues you were seeing on your system that made you decide to turn off Windows Updates?

If you aren't sure when you turned off Windows Update go to Control Panel | Programs and Features | View Installed Updates and sort by the Installed On column to view the last date that security updates were installed for your Windows 7 SP1 OS (ignore dates for any virus definition updates that might have been delivered to a Microsoft security program on your system).  Your Windows Update history at Control Panel | System and Maintenance | Windows Update | View Update History is less accurate (especially if you reset your Windows Update components while troubleshooting) but might also indicate when your last Windows 7 SP1 updates were installed.
----------
64-bit Win 10 Pro v20H2 build 19042.928 * Firefox v87.0 * Microsoft Defender v4.18.2103.7 * Malwarebytes Premium v4.3.0.98-1.0.1251
Dell Inspiron 15 5584, Intel i5-8265U CPU, 8 GB RAM, Toshiba KBG40ZNS256G 256 GB NVMe SSD, Intel UHD Graphics 620
----------
32-bit Vista Home Premium SP2 * Firefox ESR v52.9.0 * Malwarebytes Free v3.5.1.2522-1.0.365
HP Pavilion dv6835ca, Intel Core2Duo T5550 @ 1.83 GHz, 3 GB RAM, NVIDIA GeForce 8400M GS

Edited April 19, 2021 by lmacri

[lmacri]

12 hours ago, AdvancedSetup said:

I would recommend following these links and updating  your Windows 7 system.

How to obtain and install Windows 7 SP2
https://answers.microsoft.com/en-us/windows/forum/windows_7-update/how-to-obtain-and-install-windows-7-sp2/c2c7009f-3a10-4199-9c89-48e1e883051e

Update to enable TLS 1.1 and TLS 1.2 as default secure protocols in WinHTTP in Windows
https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-default-secure-protocols-in-wi

Hi AdvancedSetup:

The OP eliuri might already have those updates installed, depending on when they turned off Windows Update on their Win 7 SP1 machine. The convenience rollup for Win 7 SP1 (referred to as "Windows 7 SP2" in the MS Answers article at https://answers.microsoft.com/en-us/windows/forum/windows_7-update/how-to-obtain-and-install-windows-7-sp2/c2c7009f-3a10-4199-9c89-48e1e883051e), for example, notes that:

Quote

..."The convenience rollup only contains the updates released after Service Pack 1 and before April 2016. Any updates for Windows 7 that Microsoft has released since then will not be installed, so you should run Windows Update to install any other available updates."

Also, is the KB3140245 update (released June 2016) that adds TLS 1.1 / TLS 1.2 support to Win 7 SP1 required for users like eliuri who wish to continue updating Malwarebytes v4.x (i.e., in addition to SHA-2 code signing support), or are you just recommending that eliuri install that update to improve the security of their system if it wasn't delivered by Windows Update?

[lmacri]

On 4/17/2021 at 1:19 PM, eliuri said:

Running Windows 7 SP1

I get above notice stating last night, which in turn prompts me to update Windows 7 with following update:

https://support.malwarebytes.com/hc/en-us/articles/1500004670861?affiliate=&uuid=74b90ce000b8ff274e737ea02fcc22f60b97ab4d&lang=en_US&staging=false&x-prodcode=MBAM-C&x-source=&version=4.3.0.98

I have chosen to not update Windows 7 for quite a while because WU was creating much system instability.

Hi AdvancedSetup:

What is the best method for users like the OP eliuri to add SHA-2 code signing support when they have a Win 7 SP1 machine that is not fully patched to end of support on 14-Jan-2020 and see the message "A Missing Security Update is required to update MB"? The Malwarebytes support article Windows 2019-09 Security Update for Windows Devices Running Malwarebytes Home Products is very vague and only directs users to the Microsoft support article 2019 SHA-2 Code Signing Support Requirement for Windows and WSUS, which states in part:

Quote

Windows 7 SP1 and Windows Server 2008 R2 SP1

The following required updates must be installed and then the device restarted before installing any update released August 13, 2019 or later. The required updates can be installed in any order and do not need to be reinstalled, unless there is a new version of the required update.

• Servicing stack update (SSU) (KB4490628). If you use Windows Update, the required SSU will be offered to you automatically.

• SHA-2 update (KB4474419) released September 10, 2019. If you use Windows Update, the required SHA-2 update will be offered to you automatically.

Does that mean that eliuri must add both KB4490628 (the Windows 7 Servicing Stack Update, released March 2019) and KB4474419 (SHA-2 Code Signing Support Update for Windows 7, released Sept 2019), and can both these updates be uninstalled from Control Panel | Programs and Features | View Installed Updates if they cause eliuri's system to become unstable?  I can't tell from that MS support article if the SSU KB4490628 is required or simply recommended - the KB4490628 article <here> notes that this SSU "Addresses an issue in the servicing stack when you install an update that has been signed by using only the SHA-2 hash algorithm" but it is not listed <here> as a prerequisite for KB4474419.

I would suggest that eliuri install the appropriate 32-bit (x86) or 64-bit (x64) standalone .msu installers for both KB4490628 and KB4474419 for Windows 7 from the Microsoft Update Catalog, assuming they can be uninstalled if they cause cause eliuri's Win 7 SP1 system to become unstable, but I'm not sure what Malwarebytes recommends.

Edited April 19, 2021 by lmacri

[AdvancedSetup]

I don't @lmacri

I don't personally like to play games deciding which security fix should be installed or not. Unless proven otherwise that something is obviously wrong with a security fix from Microsoft I highly recommend that all users install them.

Again, I don't care to spend time guessing what is what. In most cases there are often multiple fixes that are missing for all users on Windows 7 that have never turned off updates as Microsoft in my opinion sort of dropped the ball and part of why it's difficult nowadays for users to turn off updates in Windows 10. Microsoft tries very hard to get users to install updates now.

I'm willing to help get the system fully patched but I'm not willing to spend time on piecemeal of updates.

Thanks

 

[eliuri]

1 hour ago, lmacri said:

Hi AdvancedSetup:

What is the best method for users like the OP eliuri to add SHA-2 code signing support when they have a Win 7 SP1 machine that is not fully patched to end of support on 14-Jan-2020 and see the message "A Missing Security Update is required to update MB"? The Malwarebytes support article Windows 2019-09 Security Update for Windows Devices Running Malwarebytes Home Products is very vague and only directs users to the Microsoft support article 2019 SHA-2 Code Signing Support Requirement for Windows and WSUS, which states in part:

Does that mean that eliuri must add both KB4490628 (the Windows 7 Servicing Stack Update, released March 2019) and KB4474419 (SHA-2 Code Signing Support Update for Windows 7, released Sept 2019), and can both these updates be uninstalled from Control Panel | Programs and Features | View Installed Updates if they cause eliuri's system to become unstable?  I can't tell from that MS support article if the SSU KB4490628 is required or simply recommended - the KB4490628 article <here> notes that this SSU "Addresses an issue in the servicing stack when you install an update that has been signed by using only the SHA-2 hash algorithm" but it is not listed <here> as a prerequisite for KB4474419.

I would suggest that eliuri install the appropriate 32-bit (x86) or 64-bit (x64) standalone .msu installers for both KB4490628 and KB4474419 for Windows 7 from the Microsoft Update Catalog, assuming they can be uninstalled if they cause cause eliuri's Win 7 SP1 system to become unstable, but I'm not sure what Malwarebytes recommends.

2 hours ago, lmacri said:

Hi AdvancedSetup:

What is the best method for users like the OP eliuri to add SHA-2 code signing support when they have a Win 7 SP1 machine that is not fully patched to end of support on 14-Jan-2020 and see the message "A Missing Security Update is required to update MB"? The Malwarebytes support article Windows 2019-09 Security Update for Windows Devices Running Malwarebytes Home Products is very vague and only directs users to the Microsoft support article 2019 SHA-2 Code Signing Support Requirement for Windows and WSUS, which states in part:

Does that mean that eliuri must add both KB4490628 (the Windows 7 Servicing Stack Update, released March 2019) and KB4474419 (SHA-2 Code Signing Support Update for Windows 7, released Sept 2019), and can both these updates be uninstalled from Control Panel | Programs and Features | View Installed Updates if they cause eliuri's system to become unstable?  I can't tell from that MS support article if the SSU KB4490628 is required or simply recommended - the KB4490628 article <here> notes that this SSU "Addresses an issue in the servicing stack when you install an update that has been signed by using only the SHA-2 hash algorithm" but it is not listed <here> as a prerequisite for KB4474419.

I would suggest that eliuri install the appropriate 32-bit (x86) or 64-bit (x64) standalone .msu installers for both KB4490628 and KB4474419 for Windows 7 from the Microsoft Update Catalog, assuming they can be uninstalled if they cause cause eliuri's Win 7 SP1 system to become unstable, but I'm not sure what Malwarebytes recommends.

At "Installed Updates" in CP, I do see only updates to Microsoft Office and an  update for Microsoft  .NET Framework 4.8.

Sorry, I cannot recall exactly when I disabled WU or exactly what the issue was. Possibly Windows Updates were not installing or not installing properly. Windows 7 worked way better after I disabled WU

I would much prefer going with standalone updates--if possible. And as long as possible. Then getting a new PC when this is no longer feasible.

I guess I can try those 2 standalones--as the MS article suggests- and hope it works.

[AdvancedSetup]

Again, you're already on an operating system that has holes in it. Sort of like taking a boat out on the ocean with known holes in the boat. Why would you not want to patch the holes as best as possible? Malwarebytes is not going to protect you from all known exploits if Windows itself is not patched and is allowing an attack in.

I would recommend you try to follow the advice from these posts below.

How to obtain and install Windows 7 SP2
https://answers.microsoft.com/en-us/windows/forum/windows_7-update/how-to-obtain-and-install-windows-7-sp2/c2c7009f-3a10-4199-9c89-48e1e883051e

Update to enable TLS 1.1 and TLS 1.2 as default secure protocols in WinHTTP in Windows
https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-default-secure-protocols-in-wi

 

Then if you need further help let me know and I'll assist you

Thanks @eliuri

 

[eliuri]

OK..thanks...will read the article on how to update to SP 2

I did find my update history just now. There was a long series failed updates back in April 2017. I probably wasnt able to fix that. And was going around in circles back then. So I disabled WU altogether

Thanks again

eliuri

 

[AdvancedSetup]

If you do need help let me know and I'll be happy to assist you in getting the updates installed.