Sunday, September 27, 2015

GSD QuickTips for Malwarebytes

I don’t have the energy tonight to post my travails in attempting to install Windows 10 on two of our family systems.

Long story short, I ended up having to roll them back to Windows 8.1 and Windows 7 Ultimate. Although it was a “pleasant” upgrade experience at the onset, serious stability and functionality issues arose so quickly that rollbacks were required. The rollbacks were successful and also “pleasant” -- all things considered.

Anyway, on the Windows 7 Ultimate upgrade to Windows 10, it lasted one week. The Malwarebytes Anti-Exploit behaved just fine after the upgrade.

However, on the Windows 8.1 upgrade to Windows 10, MBAE had all kinds of issues from the get-go. Uninstalling/reinstalling it fixed nothing, despite its being Windows 10 supported. Specifically, it was displaying an “Anti-Exploit is not started” error message after the upgrade.

In the end -- due to other issues -- I did roll back to Win 8.1 and it began working just fine.

I did find these forum threads that point (at this time) to a beta version of MBAE that should address persistent issues in Win 10 for some users.

The fix above (uninstall/reinstall MBAE) didn’t fix the issue which led to these readings:

That finally hops to this:

Sadly, I didn’t get a chance to try this preview version as my rollback to Win 8.1 (due to more serious Win 10 system issues than MBAE) fixed the issue with MBAE working properly again. However, if you do have issues with MBAE after upgrading to Win 10, try that beta version.

In other news, I had been doing some good Samaritan work on a family’s Win 7 netbook that was so infected with toolbars, PUPs, malware, and other “stuff” that it took me the better part of a week’s time (after hours) to get it cleaned up. I’ve got some good cleaning logs collected so maybe that will eventually rate a post of its own.

One challenge I had was getting it cleaned up enough to get it on a network. It took multiple passes but thanks to my handy write-protect switched Kanguru USB drive I was finally able to use a combo of manual and automated cleaning techniques to get it restored to an almost pristine and healthy state.

One of the first automated tools I ran against it was Malwarebytes Anti-Malware but while I had the installer on my USB drive, I couldn’t get the netbook on the network to get the def file updates. So I had to do my first round of scanning/cleaning with outdated files.

There does seem to be a semi-regularly updated “DAT file updater” package available, like from other vendors, but I only found it after the fact. That need led me to find these tips on where I can get a super-current set of data files from a working system and then copy them over onto the borked one; thereby achieving a manual update. Or keep a semi-updated definition updater package tucked on my USB as well. Of course…having both options may be best!

Via that forum post:

the Windows 7 path to rules.ref is C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\rules.ref

Just copy/paste that address location in your Windows explorer address bar and jump right to it.

This bleepingcomputer post has some additional information about the other Malwarebytes definition files you might also want to copy off the updated computer and onto your USB drive, to drop back into the same location on the impacted one:

C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\rules.ref
C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\actions.ref
C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\swissarmy.ref
C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\Configuration\database.conf

Note: at some point it looks like earlier versions of the application had a path with an apostrophe character ( ' ) in it. That seems to be gone now in the versions I use and I’ve edited it out of these quoted forum references to avoid confusion.
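As an added example (not from the original post or from Malwarebytes), here is a PowerShell script that packages those four definition files from the up-to-date machine onto the USB drive together with a SHA-256 manifest, then restores them on the offline machine only when the hashes still match and the USB copy is newer than what is already there. The paths are the Windows 7 locations quoted above; the USB drive letter and folder name are assumptions, and Get-FileHash needs PowerShell 4 or later.

```powershell
# Added example: manual Malwarebytes Anti-Malware definition transfer with integrity checks.
# $MbamData is the Windows 7 path quoted in the post; 'E:\mbam-defs' is an assumed USB path.
$MbamData = 'C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware'
$DefFiles = @('rules.ref', 'actions.ref', 'swissarmy.ref', 'Configuration\database.conf')

function Export-MbamDefs {
    # Run on the up-to-date machine: copy the definition files to the USB drive and
    # record a SHA-256 plus modification time for each one in manifest.csv.
    param([string]$Destination = 'E:\mbam-defs')
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    $manifest = foreach ($rel in $DefFiles) {
        $src = Join-Path $MbamData $rel
        if (-not (Test-Path $src)) { Write-Warning "Missing on source: $src"; continue }
        $dst = Join-Path $Destination $rel
        New-Item -ItemType Directory -Path (Split-Path $dst) -Force | Out-Null
        Copy-Item -Path $src -Destination $dst -Force
        [pscustomobject]@{
            File             = $rel
            Sha256           = (Get-FileHash -Path $dst -Algorithm SHA256).Hash
            ModifiedUtcTicks = (Get-Item $src).LastWriteTimeUtc.Ticks
        }
    }
    $manifest | Export-Csv -Path (Join-Path $Destination 'manifest.csv') -NoTypeInformation
    $manifest
}

function Import-MbamDefs {
    # Run on the offline machine (as administrator, with Malwarebytes closed): verify each
    # file against the manifest made on the clean machine before dropping it into place.
    param([string]$Source = 'E:\mbam-defs', [switch]$Force)
    $manifest = Import-Csv -Path (Join-Path $Source 'manifest.csv')
    foreach ($entry in $manifest) {
        $src = Join-Path $Source $entry.File
        $dst = Join-Path $MbamData $entry.File
        # A hash mismatch means the USB copy changed since it left the clean machine; skip it.
        $actual = (Get-FileHash -Path $src -Algorithm SHA256).Hash
        if ($actual -ne $entry.Sha256) {
            Write-Warning "Hash mismatch for $($entry.File); skipping"
            continue
        }
        # Don't replace definitions that are already newer than the USB copy unless -Force.
        $usbTime = New-Object -TypeName DateTime -ArgumentList ([long]$entry.ModifiedUtcTicks), ([DateTimeKind]::Utc)
        if ((Test-Path $dst) -and -not $Force -and (Get-Item $dst).LastWriteTimeUtc -ge $usbTime) {
            Write-Host "Target already current: $($entry.File)"
            continue
        }
        New-Item -ItemType Directory -Path (Split-Path $dst) -Force | Out-Null
        Copy-Item -Path $src -Destination $dst -Force
        Write-Host "Restored $($entry.File) (definitions dated $($usbTime.ToString('u')))"
    }
}
```

Flip the drive's write-protect switch before plugging it into the infected machine so the manifest and the copies cannot be tampered with there; the hash check then only guards against a damaged copy, not a hostile one.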

Later I also found this.

From that forum post:

Just very recently available there has been a change where you can now download an offline updater.

There is a new mbam-rules link:

The link is to a download of 1 zip file, where the name is

Something to note:
• There are 2 files now:
  - Mbam-rules.exe
  - Mbam2-rules.exe
• They are specific to the version, so mbam-rules is for any MBAM 1.x installation whereas mbam2-rules is for any MBAM 2.x installation.
• In the future it will have a README included with instructions for users, but for now it is only the executables.

As of tonight (2015-09-27) that download link above is working fine and produces a rules update file dated 2015-09-10 so it is lagging behind a bit from the current def dates found in a “live” Malwarebytes application update.

In either case…the whole point here is to get enough updated files on the system for Malwarebytes to use to get a thorough cleaning and your system back on the network. Once on the network, then you should run the internal update process for Malwarebytes to ensure you have everything updated the way it should be, normally.

Hope this helps in a pinch.


Claus Valca

GSD QuickTip: Reloading & Editing Old posts in WLW

I still think Windows Live Writer is one of the best blogging tools that has come out in a very long time.

Although not updated for some time, it remains just about the only post editing software I use.

I do have a few gripes, but they are generally minor; like doing complex outlines first in KompoZer Portable then pasting the page-code into WLW for tweaking.

Anyhow, I had a very old blog post I needed to make an edit to and there wasn’t any easy way I could find to reload the post in WLW and then re-edit/post it.

So, I dropped into the Blogger web-GUI and made my edit there. Once I posted the (very minor) change, I checked the page in my browser…and all my nice formatting had been stripped out. Thanks Blogger!

So I ended up doing some searching and found this quite old and possibly forgotten “trick” to now give me the needed functionality:

Once the plug-in is installed in your system, copy the URL to your blog post into your browser address bar, change the lead URI scheme of the post URL to the custom “wlw” and “go”. That will pop up a URI handler asking to load the redirect in WLW. Do so and bammo. There is your post ready to edit.

I’ve installed it successfully on both my Windows 7 x64 bit OS versions and it works perfectly with my WLW installation.


Claus Valca

Tuesday, September 01, 2015

Windows Telemetry and Tracking Linkpost: Extended Edition

Call it bad timing.

I had only recently composed a rant post about privacy issues in Windows 10.

…and my RSS feed was growing with posts on new tracking issues spotted in Windows 7/8/8.1.

So when my firewall monitoring application GlassWire popped up an alert for a new network connection on my Windows 7 system with a suspicious sounding name -- I was all over it.


What the heck is diagtrackrunner.exe and what is it doing on my system?!!

Turns out it is yet another telemetry and diagnostics “feature” that has crept into Windows systems including Windows 7 and 8/8.1 versions via recent Windows Updates.

Here is a round-up of recent posts out of my RSS feed list that highlight and discuss Microsoft’s move to stealthy diagnostic and telemetry data collection on Windows 7/8 systems.

On the one hand it is very easy to toss the baby out with the bath-water and just pile on rants regarding Microsoft’s ongoing data-collection practices and techniques. Nobody likes a leaky boat and privacy sensitive computer users are easily offended and suspicious when new tracking features are discovered. Microsoft isn’t doing itself any favors either when information on these updates/features is nebulous, general, or even next-to-impossible to find. Even under the best of intentions and conditions -- assuming that the data collection is truly anonymized and used for best practices with diagnostics and system configuration improvements -- there is always the possibility that these features can be exploited and create a security risk; Lenovo and the Windows Platform Binary Table (WPBT) fiasco ring any bells?

Ars Technica’s writer Peter Bright sums it up nicely:

The concern with the new Diagnostic Tracking service is much the same as with Windows 10's tracking: it's not clear what's being sent, and there are concerns that it can't be readily controlled. The traffic to Microsoft's servers is encrypted, sent over HTTPS, so it can't be easily examined. While the Knowledge Base articles describing the new service list the DNS names of the servers that the service connects to, there are reports that the service ignores the system HOSTS file. As such, a traditional and simple method for redirecting the traffic doesn't work.


As with the other privacy concerns around Windows, our feeling is that the major issue at stake here is not that Windows is collecting data, but that it put the user in control. Collecting information about application errors and the way the operating system is used is reasonable. Having an accurate picture of how people use the operating system is likely to produce a better platform in the future; knowing which applications crash, and why, is obviously invaluable if those apps are to be fixed.

But we continue to believe that people who do not wish to be a part of such data collection should have a clear and unambiguous way of opting out, and these opt-outs should be rigorous. Disabling CEIP, for example, should not only prevent systems from sending CEIP data, but it should also prevent systems from retrieving even configuration data from Microsoft's own systems. We would also argue that these settings should be made simpler; at the moment there are many individual controls each governing a particular behavior. Some kind of global control to supplement these fine-tuning switches would be an improvement. We like cloud connectivity and online features, but these should be paired with clear user control.

So in the interest of informing Windows users so they can make their own decisions, here is a current roundup of Windows 7/8.1 and Windows 10 privacy, telemetry, and diagnostic information and resources.

In Windows 7/8.1

The first articles (Link#1, Link#2) I posted above mentioned a handful of Microsoft KB’s that point to Windows Updates containing telemetry and diagnostic information collection call-backs to Microsoft.

In tracking down my “diagtrackrunner.exe” mystery, I found the following website that listed those, plus many more Windows Updates for Windows 7/8.1 systems that contain those same features according to the author.

I cannot confirm or validate if all of these are problematic. I can confirm I found most/all of them in auditing my Windows 7/8.1 systems since like a good sysadmin we religiously apply Windows updates to our home systems for security and stability benefit.

The website author didn’t link to the actual Microsoft KB’s. That would have been helpful but it isn’t too hard to do a Google.

But to make things easy, I used a combination of Google searches and the WinUpdatesList utility to provide links to each of the Microsoft KB’s I could find for those listed. This should allow you to do your own additional research and evaluation and decide if you want to keep the update or not, or at least (where possible) opt-out of some of the diagnostic and telemetry data reporting.

The article also provided uninstall “scripts” to use via an administrator-level command-line session to pull them off -- unless you want to do it the long way and use the Windows Control Panel > Programs and Features > Installed Updates panel to remove them.

Also note that while you may consider fully uninstalling and hiding (do not show) some/all of those updates from your Windows 7/8/8.1 system, another option would be to find and disable the service manually rather than fully remove the update.

As a free PSA for Microsoft, let me add that removal or disablement of some/all of these updates could potentially cause stability or security problems, or reduced feature support, for your Windows system. And it could possibly impact your ability to upgrade your current Windows system to Windows 10; either smoothly, safely, or at all. M’kay?

Here’s the list/link of the current roundup of subjects under suspicion; re-sorted in KB order.

To be clear, I’m not endorsing the removal of some/all of these updates from your system. Do your own research first and make your own educated decision.
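Before deciding anything, it helps to see what is actually on the box. The following PowerShell audit is an added example (not from the post or the linked website): it reports the state of the Diagnostics Tracking Service that runs diagtrackrunner.exe (its service name is DiagTrack), checks which of a list of update KB numbers you supply are installed, and offers the disable-the-service option from above as a separate, explicit step. The KB list default is a placeholder; fill it from your own research, since the post does not reproduce the list.

```powershell
# Added example: audit-first look at the Windows 7/8.1 Diagnostics Tracking Service and
# a caller-supplied list of update KBs. Nothing here changes the system unless you
# call Disable-DiagTrack yourself. Works on PowerShell 2.0 (uses WMI, not Get-Service's
# StartType, which older versions lack).

function Get-DiagTrackStatus {
    # DiagTrack is the real service name behind "Diagnostics Tracking Service".
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='DiagTrack'"
    if (-not $svc) {
        return [pscustomobject]@{ Present = $false }
    }
    [pscustomobject]@{
        Present     = $true
        DisplayName = $svc.DisplayName
        State       = $svc.State       # Running / Stopped
        StartMode   = $svc.StartMode   # Auto / Manual / Disabled
        PathName    = $svc.PathName    # which binary the service launches
    }
}

function Get-InstalledKBStatus {
    # 'KB0000000' is a placeholder, not a real update; pass the KBs you researched.
    param([string[]]$KBList = @('KB0000000'))
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $KBList) {
        [pscustomobject]@{
            KB        = $kb
            Installed = ($installed -contains $kb)
        }
    }
}

function Disable-DiagTrack {
    # The post's lighter-touch alternative to uninstalling the update: stop the service
    # and keep it from starting again. Run from an elevated session.
    if (-not (Get-DiagTrackStatus).Present) {
        Write-Warning 'DiagTrack service not present on this system'
        return
    }
    Stop-Service -Name DiagTrack -ErrorAction SilentlyContinue
    Set-Service -Name DiagTrack -StartupType Disabled
    Get-DiagTrackStatus
}

# Report only; decide afterwards.
Get-DiagTrackStatus | Format-List
Get-InstalledKBStatus | Format-Table -AutoSize
```

Re-run Get-DiagTrackStatus after the next Windows Update cycle: a later update can reinstall or re-enable the service, which is exactly the sort of thing the audit is meant to catch.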

All things considered, I’m currently going with Mr. Peter Bright’s angle and will give Microsoft the benefit of the doubt for now. But will keep in mind the sage wisdom of a certain one-eyed auror, “Constant Vigilance!”

Post update 2015-09-18 - TinyApps blog brings GSD notice of a Windows 7/8-focused privacy and telemetry squashing tool.

From the included README file:

The Microsoft Telemetry Removal Tool (or MTRT) is an automated script that aims to be the most current and complete collection of knowledge found on the internet pertaining to helping Windows 7/8/8.1 users rid themselves of as many Windows 10 "features" and notifications as possible.

== Features ==

This tool covers many areas of the decontamination process, such as:

   - Windows Update Settings: Changed to notify but not download update, optional updates are not packaged with important updates, and PC will not auto-reboot after update.
   - Disable Gwx/Skydrive/Spynet/Telemetry
   - Disable Telemetry scheduled tasks
   - Uninstall Diagnostic Tracking Service and attempt to lock down log file
   - Disable Remote Registry
   - Block hosts: Through the HOSTS file and PersistentRoutes
   - Delete the Windows.~BT, Windows.~WS and Windows.old folders, then attempt to lock them.
   - Remove and block evil updates: updates are uninstalled and then ignored in windows updates.

In Windows 10

You might want to just hop over and re-read this GSD post that addresses Windows 10 privacy issues:

But I decided to try to repackage it again here for more of an updated “all-in-one” resource.

The same team that brought the extended Windows privacy KB listing above also provides a very extensive step-through for increasing the privacy settings in Windows 10.

I’ve previously mentioned here at GSD that there are a number of guides on how to modify the Windows 10 settings -- either during a custom installation upgrade or after the upgrade has gone on. For more information and cross-checking/validation I encourage you to read these articles as well.

Likewise, there are a growing number of Windows 10 scripts and utilities that allow you to lock down many privacy settings in Windows 10, including some not easily accessible to the user.

More attempts at scary-sounding PSA notices first:


I’ve seen the following post comment issued out by Microsoft to a number of bloggers referring to the tools that will be discussed below. So let me save them some time by reposting it here.

“We strongly suggest customers do not install applications of this nature. These types of third-party apps can alter the way the system operates, creating future problems and changing important settings and features.”


Different tools take different approaches and some could cause significant performance, stability, or security issues of their own if applied. Some whack into the Windows Registry. Some stomp on Windows services. A few even make (or block) specific network communications. Few make backups of the system settings before changes are applied, restricting your ability to roll back the changes if something breaks.

Proceed at your own risk. I really encourage you to spend some time evaluating and understanding each of the tools listed or linked below before actually using them.

Windows 10 Privacy Utilities and Scripts

Still determined?

OK. I did warn you.

Martin Brinkmann’s post provides links and overviews to (currently) six maybe-ready for primetime utilities that can help Windows 10 users manage and take (some) control of privacy in Windows 10.

I highly recommend starting out there, and he has done a great job and a lot of work comparing the features and issues each of them present.

I’ve built a list below using Martin Brinkmann’s initial Windows 10 privacy utility list and have further supplemented it with additional script-based and/or utilities I’ve found.

  1. Destroy Windows 10 Spying - by Nummer. (appears to support Windows 10/8.1/7 versions)
  2. Disable Win Tracking - by “10se1ucgo” on GitHub
  3. DoNotSpy 10 - by pxc-coding
  4. Windows 10 Privacy and Shit - by “A Guest” - (BATch file fix format)
  5. Windows 10 Privacy Fixer - by “lordfiSh” on GitHub
  6. W10 Privacy - German utility but supports German, English, & French languages
  7. O&O Shut Up 10 - by O&O Software - Note that this app provides the ability to set a system restore point before applying settings. That’s a feature that isn’t offered in many of these tools and can be challenging for some users to first do manually themselves. (review #1, review #2)
  8. Spybot Anti-Beacon for Windows 10 and forum download and update notice page. By creators of the SpyBot S&D anti-malware utility.
  9. Windows 10 Enterprise LTSB - Mother of all tweak scripts - App Scripts - by “ericgl” on
  10. Ultimate Windows Tweaker 4 for Windows 10 - The Windows Club - this app contains a wide range of Windows 10 system tweaks, but specific to this post, includes a “Privacy” tab that addresses telemetry, biometric, advertising, search, Cortana, Windows Update sharing, feedback polls, password reveals, Steps Recorder, Inventory Collector and the Application Telemetry gathering. ghacks review
  11. WindowsLies/BlockWindows · GitHub or via Block Windows Spying Simple Script to Stop Spying - Windows batch (BAT) file script (and other stuff) to do a bunch of privacy settings and tweaks. What is nice about this approach is that you can review and modify/REM stuff you don’t want or need if you would like.
  12. AntiSpy for Windows 10 - Ashampoo Windows 10 privacy and tracking configuration utility. (via)

Of course…if all these tracking, telemetry, and privacy issues in Windows are giving you a headache, you could follow the advice of and decide to chuck-it-all for a truly free OS: List of Free GNU/Linux Distributions - GNU Project - Free Software Foundation

Or if you are willing to try to find a balance between some open and closed source options, but still retain more control than Microsoft has been willing to provide you with, there are many, many good Linux based OS builds that are modern and easier to install/use than ever before on most (but not all) hardware platforms that run Windows.

And you will meet some really great people and communities in the process!

Constant Vigilance!

Claus Valca

Windows 10 Linkpost: Unspecified Update Version

More GSD Windows 10 post linkage at the post bottom.

Nope. Still haven’t upgraded our Win 7 systems (x3) to Windows 10 here at home.

Still waiting to be sure the Dell systems have a chance to use as many “custom” Dell drivers for Win 10 feature support as possible.

As of the time of this blog post:

  • My Dell Studio 15 (1558) isn’t listed anywhere on the page.
  • Nor is my Dell XPS L702X laptop model.
  • Nor is Lavie’s Dell Inspiron 15 (3520).

Non In-Place Upgrade “Clean Install” of Windows 10 Tip

Ask most any Windows 10 sysadmin or enthusiast and they will say that the “best” way to install Windows is to do a “clean” install rather than an in-place upgrade.

The downside is that it can require a lot of work: backing up user profiles and data, reinstalling applications and software, and re-tweaking all the settings, configurations, and adjustments you have made over the years (if you even remember them all).

The positive is that you get rid of all the extra “stuff” you have accumulated while running your Windows system and start with a “fresh” system load to build on. Something like that parable about having a firm foundation before building.

Anyway, while feedback is quite positive on the Windows 7/8.1 in-place upgrade process to Windows 10, and there are already documented ways to do a “clean install” upgrade of Windows 10 for a qualifying system, this new “clean install” method is slick and looks really good for those who are interested.

Ready, Steady, Prepare!

When you are ready to do your Windows 10 upgrade you may want to first review this post:

Update to Windows 10 Headache Free With A Pre-Upgrade Checklist - HowTo Geek

Also, BetaNews has a post about a free offer for software to assist with data-transfer between a current system and a Windows 10 system (personal use restriction).

It looks like it is kinda like the Microsoft EasyTransfer or USMT but from a third-party application.

Windows 10 Updates

Microsoft can now update your Windows 10 system at will, use your system to seed other Win 10 system updating (inside and outside your own network/ownership), and may be vague about what those forced updates actually do. Granted you do have some limited control over those items, and enterprise builds of Win 10 have even more control, but still…

Windows 10 How-To and Tips

Like any new Windows system release, it takes a while to learn a new set of tricks and tweaks to get a measure of control back and set the system back up like you like it. Here are some more links to that end.

GSD Windows 10 Linkpost list

Listed chronologically from most recent posting downward.


Claus Valca

This week in browser bits: roll-backs, upgrades, and changes

Ever since Mozilla released an upgrade of Firefox to version 40.x I seem to have been seeing frequent and persistent crashing of my Firefox browser.

As of the time of this post, I am running version 40.0.3.

The issue seems to occur most when I grab an open tab handle and drag/drop the tab into my bookmark side-bar to “save” a bookmark of that page.

It got so bad that I began to look at rolling back (downgrading) my Firefox version to an older version, say the last 39 release version, to see if that would help.

Making a bookmark the “long way” by clicking the “star” icon or using the Ctrl+D key-combo worked fine but was a lot of work due to my deep folder structure in the bookmarks.

Fortunately, I found that by grabbing the small icon on the far left of the address bar, I could drag and drop that to also create a bookmark at will without the crash I get from using the same technique but with the page-tab item.

I’ve not yet filed a bug report, but will shortly.

Firefox Version Roll-Back

The process to roll back to an older version of Firefox is fairly simple, as long as you know where to get the bits. In my case it is a touch more complicated as I use Mozilla Firefox, Portable Edition via Portable Apps. For installed versions of Firefox, head over to Index of /pub/ and download the version you want and reinstall. Sure, you should first back up your profile, etc. before doing it, just in case. For portable apps versions, head over to Mozilla Firefox, Portable Ed. at project page, and find the earlier version, download, and over-install.

Here are some more guides on the process to roll-back Firefox:

My recent and growing frustrations with Mozilla/Firefox have led me to invest even more heavily than normal (and that’s saying something) in spending considerably more time using and testing alternative web-browsers; specifically Vivaldi (based on Chromium) and Pale Moon (based on Mozilla).

Add-On Support for Pale Moon and Firefox

Pale Moon (portable) has been very stable and runs very well on my systems in the testing work I’ve been doing more and more.

I don’t have a lot of Firefox Extensions/Add-ons and found that almost all of them were compatible in Pale Moon. Listed below are my current Firefox Add-ons and I’ve noted the ones that ARE NOT Pale Moon compatible -- at least directly installable via the Mozilla Add-ons store.

- about:addons-memory 10.1-signed (not offered for Pale Moon / Firefox 24.9)
- Adblock Plus 2.6.10 (didn’t bother to try as I like/prefer uBlock Origin)
- CoLT 2.6.5
- Copy as HTML Link 3.2.1-signed
- Download Status Bar
- Extension List Dumper 2 1.0
- FiddlerHook (installed on system by Fiddler, but doesn’t seem to pick up in Pale Moon / Firefox 24.9)
- Firebug 2.0.11 (not offered for Pale Moon / Firefox 24.9)
- Greasemonkey 3.3 (I didn’t bother to try to install yet in Pale Moon)
- HttpFox
- Linky
- NoScript
- Search By Image (by Google)
- Tab Memory Usage 0.1.8 (Disabled)
- TinEye Reverse Image Search 1.2.1
- uBlock Origin

Pale Moon project provides a list of known incompatible Add-ons you may wish to consult.

The FiddlerHook item is not a real deal-breaker as I have lots of network sniffers/tracers to use, and isn’t “required” as you can just run Fiddler, then manually/temporarily set Pale Moon to use the system proxy.

Having said that, this extension isn't really needed in modern versions of Firefox. Instead, simply set Tools > Options > Advanced > Network > Proxy Connection to "Use System Proxy."

Likewise Firebug is a very powerful tool to inspect web page elements and code. However the “F12” web developer tools natively provided in Pale Moon are a sufficient alternative.

More Firefox Gripes News and the “Contextual Identity” Project

That last one really has me conflicted.

For full details see this Security/Contextual Identity Project/Containers - MozillaWiki feature draft page that Martin Brinkmann alluded to in his article.

Also, take a look at the Security/Contextual Identity Project mainpage for full context.

As a browser user, I can see the draw and benefit of having a feature allowing for concurrent “persona” sandboxing while browsing at work; that way I can browse all the cat sites I want at work under one “persona” while concurrently monitoring all my embedded network appliance and nodal dashboards in the same browser under my other “persona”, while doing all my personal secure on-line banking transactions in a third “persona”.  See how handy that will be? I can separate all those browsing activities while doing them at the same time in my browser -- at work -- and never will they need to inter-mingle.

Oh. Wait. Why am I doing personal web-browsing at work on my work-provided systems?


I guess it comes down to the workplace internet usage policy, but I just don’t see it as a good idea to mix personal web browsing with work-provided equipment and networks; even if permissively allowed by the employer policy. That activity is fraught with security and privacy issues.

But then again, I’m an old security curmudgeon.

Like I say, read the feature draft page for full details. I’m confident many “modern” browser users will totes love this feature if it gets folded in. I get it and it does look like it will be slickly delivered. However as a sysadmin I think that while the feature looks good it may provide a false-sense of security and provides less benefit from a network administrator/security perspective for the organization’s benefit.

Oh well, I probably don’t have to worry because as we all know, only Internet Explorer is approved for use in the workplace, right?

Vivaldi Developments and Tab Tiling!

The Vivaldi team remains focused on regular snapshot updates to their project. It’s still at “technical preview” release level so not yet ready for prime-time use. But the fixes and features keep coming strong.

Snapshot was pretty cool for me as it brought in tab-tiling.

Basically, you select more than one tab that is opened, hit a little tab-tiling option icon in the bottom right corner and select the layout, then the browser opens (tiles) them in a single window for concurrent viewing of all the tab pages side-by-side!

In the example below, I’ve got the Phil Are Go!, Google Art Project, and Vivaldi Team Blog tabs all opened (tiled) in a single page window in Vivaldi. Cool!


For data-hungry sysadmins monitoring multiple web-pages on a super-screen sized monitor this could be handy.

And no, it’s not the same thing as the “contextual identities” feature Mozilla is discussing, thank you very much.

IE 11 / Edge browser

Just had to toss this one out there to make up for my cheeky comment about IE browser in the workplace.


Claus Valca