Significantly improved scanner of malicious updates.

BlockWindows.bat

@@ -9,76 +9,7 @@ if not %errorlevel% equ 0 (
 SETLOCAL
 
 REM --- uninstall updates
-echo uninstalling updates, be patient...
-echo Delete KB971033 (license validation)
-start "title" /b /wait wusa.exe /kb:971033 /uninstall /quiet /norestart
-echo  - next
-echo Delete KB2902907 (Microsoft Security Essentials)
-start "title" /b /wait wusa.exe /kb:2902907 /uninstall /quiet /norestart
-echo  - next
-echo Delete KB2952664 (Get Windows 10 assistant)
-start "title" /b /wait wusa.exe /kb:2952664 /uninstall /quiet /norestart
-echo  - next
-echo Delete KB2976978 (update for windows 8.1 and windows 8)
-start "title" /b /wait wusa.exe /kb:2976978 /uninstall /quiet /norestart
-echo  - next
-echo Delete KB2977759 (update for windows 7 rtm)
-start "title" /b /wait wusa.exe /kb:2977759 /uninstall /quiet /norestart
-echo  - next
-echo Delete KB2990214 (Get Windows 10 for Win7)
-start "title" /b /wait wusa.exe /kb:2990214 /uninstall /quiet /norestart
-echo  - next
-echo Delete KB3012973 (Upgrade to Windows 10 Pro)
-start "title" /b /wait wusa.exe /kb:3012973 /uninstall /quiet /norestart
-echo  - next
-echo Delete KB3014460 (Upgrade for windows insider preview / upgrade to windows 10)
-start "title" /b /wait wusa.exe /kb:3014460 /uninstall /quiet /norestart
-echo  - next
-echo Delete KB3015249 (Upgrade that adds telemetry points to consent.exe in Windows 8.1 and Windows 7)
-start "title" /b /wait wusa.exe /kb:3015249 /uninstall /quiet /norestart
-echo  - next
-echo Delete KB3021917 (update to Windows 7 SP1 for performance improvements)
-start "title" /b /wait wusa.exe /kb:3021917 /uninstall /quiet /norestart
-echo  - next
-echo Delete KB3022345 (telemetry)
-start "title" /b /wait wusa.exe /kb:3022345 /uninstall /quiet /norestart
-echo  - next
-echo Delete KB3035583 (GWX Update installs Get Windows 10 app in Windows 8.1 and Windows 7 SP1)
-start "title" /b /wait wusa.exe /kb:3035583 /uninstall /quiet /norestart
-echo  - next
-echo Delete KB3044374 (Get Windows 10 for Win8.1)
-start "title" /b /wait wusa.exe /kb:3044374 /uninstall /quiet /norestart
-echo  - next
-echo Delete KB3050265 (update for Windows Update on Win7)
-start "title" /b /wait wusa.exe /kb:3050265 /uninstall /quiet /norestart
-echo  - next
-echo Delete KB3050267 (update for windows update client for windows 8.1 june 2015)
-start "title" /b /wait wusa.exe /kb:3050267 /uninstall /quiet /norestart
-echo  - next
-echo Delete KB3065987 (update for Windows Update on Win7/Server 2008R2)
-start "title" /b /wait wusa.exe /kb:3065987 /uninstall /quiet /norestart
-echo  - next
-echo Delete KB3068708 (telemetry)
-start "title" /b /wait wusa.exe /kb:3068708 /uninstall /quiet /norestart
-echo  - next
-echo Delete KB3075249 (telemetry for Win7/8.1)
-start "title" /b /wait wusa.exe /kb:3075249 /uninstall /quiet /norestart
-echo  - next
-echo Delete KB3075851 (update for Windows Update on Win7/Server 2008R2)
-start "title" /b /wait wusa.exe /kb:3075851 /uninstall /quiet /norestart
-echo  - next
-echo Delete KB3075853 (update for Windows Update on Win8.1/Server 2012R2)
-start "title" /b /wait wusa.exe /kb:3075853 /uninstall /quiet /norestart
-echo  - next
-echo Delete KB3080149 (Telemetry)
-start "title" /b /wait wusa.exe /kb:3080149 /uninstall /quiet /norestart
-echo  - done.
-timeout 5
-
-REM --- Hide updates
-echo Hiding updates, may take a while be patient...
-
-start "title" /b /wait cscript.exe "%~dp0HideWindowsUpdates.vbs" 971033 2902907 2952664 2976978 2977759 2990214 3012973 3014460 3015249 3021917 3022345 3035583 3044374 3050265 3050267 3065987 3068708 3075249 3075851 3075853 3080149 
+start "title" /b /wait cscript.exe /nologo "%~dp0CleanMaliciousUpdates.js"
 echo  - done.
 
 REM --- Disable tasks

CleanMaliciousUpdates.js

@@ -0,0 +1,102 @@
+"use strict";
+// Inspired by Opmet and Colin Bowern: http://serverfault.com/a/341318
+// rewritten by KOLANICH
+var shell = new ActiveXObject("WScript.Shell");
+var fs = new ActiveXObject("Scripting.FileSystemObject");
+
+function getFileText(fn) {//<reads text from file and puts into JS string
+	fn = fs.OpenTextFile(shell.ExpandEnvironmentStrings(fn), 1, false);
+	var text = fn.ReadAll();
+	fn.Close();
+	return text;
+}
+eval(getFileText("./libMSUpdater.js"));
+var cfgText = getFileText("./config.js");//<loads config
+eval("var config=" + cfgText); //Sorry, there is no JSON.parse in WSH, so we have to use evil
+WScript.Echo("Current config:\n" + cfgText);
+
+
+function detectMaliciousUpdates(updates){//<detects malicious updates in 2 ways: db of malicious kb and heuristics
+	var  res={
+		toUninstall:[],//<needed to be uninstalled
+		toHide:[],//<needed to be hidden
+		suspicious:[]//<suspicious updates, we need to check them manually
+	};
+	for (var i = 0, j; i < updates.length; i++) {
+		var update = updates[i];
+		var badUpdate = false;//<flag to exit loop
+		for (var name in update.kbs) {//one update can have multiple kbs
+			for (j = 0; j < config.blacklists.kbs.length; ++j) {//checks wheither kb number of update is within blacklist
+				if (name == config.blacklists.kbs[j]) {
+					if (update.installed) {
+						res.toUninstall.push(update);
+					}
+					if (!update.hidden) {
+						res.toHide.push(update);
+					}
+					badUpdate = true;
+					break;
+				}
+			}
+			if (badUpdate) break;
+		}
+		if (
+			!badUpdate //<already blacklisted update, doesn't need to check
+			&& (
+				!update.cves.length //< update fixes security vulnerabilities, so it is not very probable that it is related to surveillance
+				&& config.heuristics //< heuristics enabled
+			)
+		) {
+			for (var prop in config.blacklists.keywords) {//enumerating blacklists, each blacklist corresponds to property of MSUpdate
+				try {
+					var target = (prop.indexOf("get") ? update[prop] : update[prop]()).toLowerCase();//< if the blacklist's name starts with get, we call getter. Also we make text lowercase to make case-insensitive matches.
+				} catch (x) {
+					WScript.Echo("Warning: there is no property/method " + prop + " in the lib");
+				}
+				for (j = 0; j < config.blacklists.keywords[prop].length; ++j) {
+					if (target.indexOf(config.blacklists.keywords[prop]) > -1) {
+						badUpdate=true;
+						res.suspicious.push(update);
+						break;
+					}
+				}
+				if (badUpdate)break;
+			}
+		}
+	}
+	return res;
+}
+
+function main(simulate) {
+	if ("undefined" == typeof simulate) {
+		simulate = 1;
+	}
+	function updatesToKbs(updates) {//<convert array of update objects to array of kb codes
+		var kbs = [];
+		for (var i = 0; i < updates.length; i++) {
+			for (var update in updates[i].kbs) {
+				kbs.push(update);
+			}
+		}
+		return kbs;
+	}
+	WScript.Echo("Getting list of updates...");
+	var project = new MSUpdater;
+	var updates = project.getUpdates("IsHidden=1 OR IsHidden=0");
+	WScript.Echo(updates.length + " updates found. Filtering ....");
+	var res=detectMaliciousUpdates(updates);
+
+	WScript.Echo(
+		"Following updates will be uninstalled:\n" + updatesToKbs(res.toUninstall).join(", ") +
+		"\nFollowing updates will be hidden:\n" + updatesToKbs(res.toHide).join(", ") +
+		"\nThe following updates are suspicious (you may want to examine them manually):\n" + updatesToKbs(res.suspicious).join(", ")
+	);
+	if (!simulate) {
+		project.uninstall(res.toUninstall);//ms update (un)installs bunch of updates at once
+		i = 0;
+		for (; i < res.toHide.length; i++) {
+			res.toHide[i].hide();//hide the updates
+		}
+	}
+}
+main();

README.md

@@ -17,7 +17,11 @@ hostlist MS Hosts file to blocking for router or firewall use
 
 hosts-dnsmasq Hosts file for dd-wrt and other routers 
 
-HideWindowsUpdates.vbs Hides blocked updates, to reinstall click 'show hidden updates'
+CleanMaliciousUpdates.js Hides blocked updates, to reinstall enter 'show hidden updates'. Also detects suspicious updates.
+
+libMSUpdater.js A wrapper to deal with updates from WSH
+
+config.js A JSON config for ```CleanMaliciousUpdates.js.``` Extension ```.js``` is used because there is no ```JSON.parse``` in WSH
 
 DisableWiFiSense.reg Adds registry to disable WiFi Sense, which steals your wifi password without your consent.
 

config.js

@@ -0,0 +1,13 @@
+{
+	blacklists : {
+		kbs : [971033, 2902907, 2952664, 2976978, 2977759, 2990214, 3012973, 3014460, 3015249, 3021917, 3022345, 3035583, 3044374, 3050265, 3050267, 3065987, 3068708, 3075249, 3075851, 3075853, 3080149],
+		keywords : {
+			title : ["telemetry", "assistant", "license"],
+			getReleaseNotes : ["telemetry"],
+			getEULA : ["grant", "privacy", "telemetry", "government"],
+			getDescription : ["assistant", "telemetry"]
+		}
+
+	},
+	heuristics : true
+}