
How to stop WSUS Server and remove all downloaded patches ?


Patrick

Mar 31, 2009, 6:52:09 AM
We suspect that the WSUS Server is infected.

We would like to stop the WSUS Server from pushing updates to clients. We
have searched the web and it seems that we have to stop 2 services - "Update
Service" and "World Wide Web Publishing Service". Is it correct?

Besides, we would like to know whether it is possible to remove all updates
on that server, check for virus again AND download updates from MS. We are
not able to find out how to remove all approved updates. Is it possible to
do so and is there any pitfall ?

Thanks

Lawrence Garvin [MVP]

Mar 31, 2009, 2:24:19 PM
"Patrick" <Pat...@discussions.microsoft.com> wrote in message
news:%23Zn0C8e...@TK2MSFTNGP02.phx.gbl...

> We suspect that the WSUS Server is infected.
>
> We would like to stop the WSUS Server from pushing updates to clients. We
> have searched the web and it seems that we have to stop 2 services - "Update
> Service" and "World Wide Web Publishing Service". Is it correct?

Yes. You need to stop the "Update Services" service to terminate client
detections, and you'll need to stop the W3Svc to terminate client downloads.

However, virus infections on WSUS-based update content are not a risk, as all
updates are digitally signed by Microsoft, and the signature is verified by
the WUA prior to installation. If any update file were infected by a virus,
the installation at the client would fail on the signature being invalid.

> Besides, we would like to know whether it is possible to remove all
> updates on that server, check for virus again AND download updates from
> MS.

Absolutely (although, as noted above, definitely *not* required). To achieve
this objective, delete the *contents* of the ~\WSUSContent folder (do not
delete the WSUSContent folder itself).

When you're ready to download fresh content, start the "Update Services"
service, and run the command 'wsusutil reset' to download new content files.
Anything that currently has a status of "Approved" will be downloaded.

--
Lawrence Garvin, M.S., MCITP:EA, MCDBA
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2009)

MS WSUS Website: http://www.microsoft.com/wsus
My Websites: http://www.onsitechsolutions.com;
http://wsusinfo.onsitechsolutions.com
My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
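
The procedure from the reply above, written out as a PowerShell script. This is an added example, not part of the original thread: the service short name `WsusService`, the default `wsusutil.exe` location and the `-ContentPath` parameter are assumptions to adjust for the server in question, and the WSUSContent path must be supplied because the thread does not give it in full.

```powershell
#Requires -RunAsAdministrator
[CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
param(
    # Full path of the WSUSContent folder; the thread elides it, so it must be supplied.
    [Parameter(Mandatory)] [string] $ContentPath,
    # Assumed default install location of wsusutil.exe; adjust for your server.
    [string] $WsusUtil = "$env:ProgramFiles\Update Services\Tools\wsusutil.exe"
)
$ErrorActionPreference = 'Stop'

# Refuse to operate on anything that is not a folder literally named WSUSContent.
$folder = Get-Item -LiteralPath $ContentPath
if (-not $folder.PSIsContainer -or $folder.Name -ne 'WSUSContent') {
    throw "Expected a folder named WSUSContent, got '$($folder.FullName)'."
}
if (-not (Test-Path -LiteralPath $WsusUtil)) { throw "wsusutil.exe not found at '$WsusUtil'." }

# 1. Stop client detections (WsusService, display name "Update Services")
#    and client downloads (W3SVC; this stops every IIS site on the server).
foreach ($name in 'WsusService', 'W3SVC') {
    if ($PSCmdlet.ShouldProcess($name, 'Stop service')) {
        Stop-Service -Name $name -Force
        (Get-Service -Name $name).WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))
    }
}

# 2. Delete the *contents* of WSUSContent, keeping the folder itself as the post instructs.
if ($PSCmdlet.ShouldProcess($folder.FullName, 'Delete all content files')) {
    Get-ChildItem -LiteralPath $folder.FullName -Force |
        Remove-Item -Recurse -Force
}

# 3. Start "Update Services" and let 'wsusutil reset' re-download approved updates.
if ($PSCmdlet.ShouldProcess('WsusService', 'Start service and run wsusutil reset')) {
    Start-Service -Name 'WsusService'
    & $WsusUtil reset
    if ($LASTEXITCODE -ne 0) { throw "wsusutil reset exited with code $LASTEXITCODE." }
}
# W3SVC stays stopped here; start it once clients should resume downloads.
```

Running the script with `-WhatIf` lists the services and folder it would touch without changing anything.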

Harry Johnston [MVP]

Mar 31, 2009, 5:32:31 PM
Patrick wrote:

As Lawrence said, it isn't necessary to worry about the clients being infected
by the WSUS service.

However, if you believe your server is infected I would recommend against trying
to repair it. The safest course is to reformat the disk and reinstall.

Harry.

Patrick

Apr 2, 2009, 12:16:41 AM
Dear Harry and Lawrence,

Many thanks for your reply. I have scanned the WSUS Server and no virus is
found.

The main problem is because some end users' machines are scanned and found
that the Windows Update Directories are infected. My supervisor claims that
nothing they have done (His machine has the same problem) and it must be due
to Windows Update from WSUS Server. In this way, he suspects that the WSUS
Server must be the cause of virus.

I believe that we can still run the WSUS Server as Lawrence has mentioned
that all updates are digitally signed.

Regards,
Patrick

"Harry Johnston [MVP]" <ha...@scms.waikato.ac.nz> wrote in message
news:%23Pzqzgk...@TK2MSFTNGP02.phx.gbl...

Dave Warren

Apr 2, 2009, 3:14:03 AM
In message <eIVKao0s...@TK2MSFTNGP04.phx.gbl> "Patrick"

<Pat...@discussions.microsoft.com> was claimed to have wrote:

>Many thanks for your reply. I have scanned the WSUS Server and no virus is
>found.
>
>The main problem is because some end users' machines are scanned and found
>that the Windows Update Directories are infected. My supervisor claims that
>nothing they have done (His machine has the same problem) and it must be due
>to Windows Update from WSUS Server. In this way, he suspects that the WSUS
>Server must be the cause of virus.

Then flatten those machines and start from scratch. I'd still work on
finding out the source of the infection, although I'd look at something
like Conficker that can enter via flash memory and then travel via
network from there.

>I believe that we can still run the WSUS Server as Lawrence has mentioned
>that all updates are digitally signed.

Yes, even if the content were corrupt it wouldn't matter, it wouldn't
deploy from the server to clients.

Also keep in mind that as much as I don't ever recommend trusting AV
software, if you can find the infection on one machine then the same AV
software should find the same infection on other machines.

Asher_N

Apr 2, 2009, 4:53:04 PM
Dave Warren <dave-...@djwcomputers.com> wrote in
news:hum8t4p4g7kt5v83o...@4ax.com:

And if you find an infection in folders like windows update, I'd scan
with a different AV software just to make sure you are not seeing a false
positive.

Dave Warren

Apr 3, 2009, 12:15:24 AM
In message <Xns9BE1ABC21EA90...@207.46.248.16> "Asher_N"

<compg...@hotmail.com> was claimed to have wrote:

>And if you find an infection in folders like windows update, I'd scan
>with a different AV software just to make sure you are not seeing a false
>positive.

Not a bad idea -- Once identified, upload an infected file to
VirusTotal.com, that service will scan it against multiple scanners.

If you ever want to find out just how bad a job the AV industry really
does, try scanning some actual malware using VirusTotal then watch in
shame as many popular scanners miss many common infections.
