#1
.NET Framework 1.x and 2.x - End of life
Secunia PSI 3.x is warning me about end of life of Microsoft Framework .NET 1.x (32-bit) and 2.x (32-bit and 64-bit). 'click to update' leads me to https://www.microsoft.com/net/download/framework

Weird thing is: Geek Uninstaller, Revo Uninstaller and Program and Features only show 1.1 and 4.6.1 installed. Where PSI states I have 1.x, 2.x (32 and 64 bit), 3.x /and/ 4.x installed.

I have no idea which programs need 1.x and 2.x. I can delete 1.x with Program and Features (or use Geek or Revo), but I have no clue on how to get rid of 2.x.

There's a Cleanup Tool here: https://blogs.msdn.microsoft.com/astebner/2008/08/28/net-framework-cleanup-tool-users-guide/ But there's a warning to only use it as a _last resort_.

I did some research, but not many useful results, so I'm a bit clueless atm. I can use Macrium Reflect to create a backup image and see what happens when I remove 1.1 (is this advised?), but how to proceed with 2.x?

I can imagine that *not* removing both versions is a safety risk. (?)

Any help will be appreciated.

--
s|b
#2
s|b wrote:
> Secunia PSI 3.x is warning me about end of life of Microsoft Framework .NET 1.x (32-bit) and 2.x (32-bit and 64-bit). 'click to update' leads me to https://www.microsoft.com/net/download/framework
>
> Weird thing is: Geek Uninstaller, Revo Uninstaller and Program and Features only show 1.1 and 4.6.1 installed. Where PSI states I have 1.x, 2.x (32 and 64 bit), 3.x /and/ 4.x installed.
>
> I have no idea which programs need 1.x and 2.x. I can delete 1.x with Program and Features (or use Geek or Revo), but I have no clue on how to get rid of 2.x.
>
> There's a Cleanup Tool here: https://blogs.msdn.microsoft.com/astebner/2008/08/28/net-framework-cleanup-tool-users-guide/ But there's a warning to only use it as a _last resort_.
>
> I did some research, but not many useful results, so I'm a bit clueless atm. I can use Macrium Reflect to create a backup image and see what happens when I remove 1.1 (is this advised?), but how to proceed with 2.x?
>
> I can imagine that *not* removing both versions is a safety risk. (?)
>
> Any help will be appreciated.

I don't get rid of old software just because PSI bitched that they were unsupported. Yeah, big deal. Being unsupported does NOT mean they are vulnerable. Even if they were, something would actually have to use that vulnerability. This is like no one is home and a window was open and someone happens to walk by with a raw egg to hurl in hoping it goes through the window despite my guard dogs are outside trying to get at the candidate attacker (my antivirus).

When I used PSI, it would bitch that SamSpade was vulnerable. Nope, not vulnerable, just old.

You won't know which of your programs require the old .Net version until you remove them and later try to run those programs. There is no backward linkage from any library to indicate who might want to use it.

If you want to see what .Net versions are installed, read:

https://msdn.microsoft.com/en-us/lib...v=vs.110).aspx
#3
"s|b" wrote
| I have no idea which programs need 1.x and 2.x. I can delete 1.x with
| Program and Features (or use Geek or Revo), but I have no clue on how to
| get rid of 2.x.

V. 2 was the standard for a long time. People were having a lot of trouble because the Frameworks were getting massively bloated and it wasn't always easy to get software customers to install them. (I only have any .Net at all on my XP box because I had to install it for the graphics applet and the printer. To this day I've never installed either .Net or Java software.)

Microsoft dealt with the problem of lacking .Net support in two ways:

1) They moved toward installers that would go online secretively, installing .Net runtimes without asking. (Though I don't know the exact details of who pushed that approach and when.)

2) MS started offering "backward targeting". Visual Studio was allowing people to target the v. 2 runtime in order to extend compatibility and reduce the number of people who would need to install a new version. (Again, I don't remember the dates when it was common to target v. 2.)

In other words, people writing software with later versions of .Net had the option to make their software v. 2-based, as long as they didn't need functionality specific to v. 3, 4, or whatever. So if you have any .Net software it may be .Net 2-based.

I wrote a tool some time ago to check .Net dependencies. It was mainly designed to see whether one can afford to remove .Net, and it was mainly targeted at XP, where any .Net at all was optional and generally not necessary:

http://www.jsware.net/jsware/scrfiles.php5#peops

You can try that tool if you want. It just goes through files, reading the headers of executables to see if they have a .Net dependency. But it's probably not necessary. The older versions of .Net are smaller and harm nothing by being installed. While in later years MS started forcing the whole thing onto people by pre-installing the runtimes.

What does all that mean? If it's even true that .Net 1 & 2 are being "end-of-lifed" then I suspect it's probably just a way for Microsoft to push developers not to support XP and Vista, as part of their desperate effort to make Win10 the current version in more minds than their own.

And I can't think of any reason to remove v. 2. I think it's only about 70 MB. Considering that Win7 is a bloated pig weighing in at 7-9 GB to start off, and growing from there, and later .Net versions are far more bloated than 1 & 2, there's no notable saving in removing that 70 MB. There have been some security problems with .Net, but there's no reason to allow it online. And Silverlight has actually been the main problem. And you can't remove all of .Net from Win7, anyway.

Note that end-of-lifing a runtime is unprecedented and really means nothing. As of Win10, VB6, which dates to 1998, still has its runtime pre-installed. Microsoft stopped pre-installing the VB5 runtime, but it can be installed if people want to run VB5 software. There's no such thing as an "end of life" for it because it's not something that gets regular patches in the first place.

A similar case holds with Visual C++, the most common tool for writing Windows software. The VC++ 6 runtime is still pre-installed, even though there hasn't been a new version for many years and Visual Studio 6 has not been supported for many years. They stick around because Microsoft's main customer is business and businesses have used these tools to write in-house Desktop software that needs to be supported. (Such as custom database programs.)

.Net, by contrast, was never a success on the Desktop. It's a tool for server-side applets on corporate intranets, like Java. Microsoft originally envisioned also using it for "web services", starting in 2001, but web services never took off. So MS pretended .Net was for normal software, which it wasn't. In 2005 they tried to make a version of Windows (Longhorn) that would be .Net-based. It was the precursor to Metro, running .Net trinkets in a sandbox. But Longhorn was such an inefficient pig that they had to give up at the last minute -- which is why Vista was years late and rough around the edges. .Net is essentially a superfluous, bloated wrapper around the Windows API (Windows functions used by software) and as the Microsofties put it at the time, there didn't yet exist hardware in 2005 that could handle such a bloated load on resources.

By the time web services really became a thing, they were being done mainly with script. Even Adobe AIR, Flash and Silverlight turned out to be overkill for what was needed. So .Net was used chiefly by MS partners who were apparently pushed into it.

Thus, you may need any, or all, or none of the .Net versions. And there's little benefit on Win7+ in removing any of them.
#4
s|b wrote:
> Secunia PSI 3.x is warning me about end of life of Microsoft Framework .NET 1.x (32-bit) and 2.x (32-bit and 64-bit). 'click to update' leads me to https://www.microsoft.com/net/download/framework
>
> Weird thing is: Geek Uninstaller, Revo Uninstaller and Program and Features only show 1.1 and 4.6.1 installed. Where PSI states I have 1.x, 2.x (32 and 64 bit), 3.x /and/ 4.x installed.
>
> I have no idea which programs need 1.x and 2.x. I can delete 1.x with Program and Features (or use Geek or Revo), but I have no clue on how to get rid of 2.x.
>
> There's a Cleanup Tool here: https://blogs.msdn.microsoft.com/astebner/2008/08/28/net-framework-cleanup-tool-users-guide/ But there's a warning to only use it as a _last resort_.
>
> I did some research, but not many useful results, so I'm a bit clueless atm. I can use Macrium Reflect to create a backup image and see what happens when I remove 1.1 (is this advised?), but how to proceed with 2.x?
>
> I can imagine that *not* removing both versions is a safety risk. (?)
>
> Any help will be appreciated.

I don't know if I can successfully describe the relationships or not any more. So this is just a best guess.

Some layers are installed (by default) as part of the OS. And some are add-ons (a tick box in Programs and Features, or otherwise). Some are pushed relentlessly by Windows Update.

https://en.wikipedia.org/wiki/.NET_Framework

    Public     CLR (electronic)   Built-In ???
    Version    Version

    1.0        1.0                Yadda
    1.1        1.1                Yadda
    * * * * * * * *
    2.0        2.0                ...
    3.0        2.0
    3.5        2.0                Windows 7
    * * * * * * * *
    4.0        4.0
    4.5        4.0                Windows 8
    4.5.1      4.0                Windows 8.1
    4.5.2      4.0
    4.6        4.0                Windows 10

It doesn't really make sense for Microsoft (or anyone else) to manage the 2/3/3.5 set separately. They should really live or die as a set.

For the 4 series, some are considered to supersede others. The 2/3/3.5 set do not supersede one another, and they sit on top of one another.

The libraries have a CLR version. Version 1.0 and 1.1 are pretty old, and orphan. The 2.0, 3.0, 3.5 are a "set", intended to take the place of 1.0 or 1.1. However, older software, coded using 1.0 or 1.1, does not automatically get updated. If you want such old software to work, you would keep those old versions in place. You cannot make a 1.0 or 1.1 program work, by merely installing 2.0.

So 2.0, 3.0, 3.5 give a developer an opportunity to re-compile against the newer stuff. If your software was abandoned, this might not be possible (or available for purchase).

When we get to 4.0 or higher (up to 4.6.1), I don't really know what the relationship is. Obviously, new software can be compiled against 4.0. You can apparently install a higher version, which might supersede 4.0. And this is a departure from how previous layers in the cake worked. Versions 2.0, 3.0, 3.5 were layers in a software stack.

Maybe 4.0 involved something like multithreading or multiprocessing. But part of the reason for the upper ones to exist, is to "obsolete" older OSes which can no longer have those installed. That appears to be their only purpose, as near as I can tell. The latest versions seem to be used as "gates".

I would first have to determine, how 1.1 got onto the machine, before I could remove it.

For 2.0, 3.0, 3.5, I don't really think it's all that practical to ditch them. For example, the ATI CCC control panel uses 2.0 (or higher). Maybe the last one I installed (a CCC2 driver) needed 4+.

In theory, you could scan the machine for CLR version of each .NET executable. Another possibility, would be an NGEN log, if it generates one.

Any time .NET is updated with a security patch, assemblies are recompiled on the spot. This isn't absolutely necessary, as an assembly can be "recompiled on demand", but you will find cases where it has an adverse effect on performance. For example, maybe your Windows Firewall won't start, because it happens to use .NET, needs to be recompiled, but for whatever reason, it's not happening. The ngen program can be used to trigger recompilation of known assemblies. If this process throws errors (for whatever reason) the errors are ignored, as this is mostly a "best effort" operation. Re-compilation means not having to do it at runtime, so an assembly can start faster.

Maybe if these things didn't "jam", I wouldn't need to know the details :-(

Note - you cannot remove the "built-in" version. Say an OS shipped with 3.5 - then if the .NET library "breaks" and won't pass Aaron Stebner's program that tests the libraries, you'd need to do a DISM RestoreHealth, an SFC ScanNow, or a repair install or something. You should not be able to use Stebner's "cleaner" to remove the built-in either. And this is because parts of Windows rely on those, and Windows is compiled against them.

You will notice in this exercise, that nobody thought about the end user, in the least.

All I can wish you is... Good luck,
Paul
#5
In message , s|b
writes:
[]
> get rid of 2.x. There's a Cleanup Tool here: https://blogs.msdn.microsoft.com/ast...framework-cleanup-tool-users-guide/ But there's a warning to only use it as a _last resort_.
[]

I have used a .net cleanup tool; I can't remember if it was that one, but I believe (a) it _was_ from Microsoft, (b) from some sort of forum or blog, so it probably was. It was a very tedious process, but if followed exactly, _did_ remove all trace of .net; you had to install all of it (that you wanted) again afterwards. I'd be inclined to agree - last resort only. (It took _ages_.)

Read what Paul and VanguardLH have to say. I wouldn't worry about "end of life"; as others have said, it's pretty meaningless for .net, as it doesn't receive updates anyway. I have a valve wireless (tube radio receiver) for which even the companies who made the valves/tubes passed their end of life years ago (possibly some before I was born), but it still works fine (-:

--
J. P. Gilliver. UMRA: 1960/1985 MB++G()AL-IS-Ch++(p)Ar@T+H+Sh0!:`)DNAf

By most scientific estimates sustained, useful fusion is ten years in the future - and will be ten years in the future for the next fifty years or more. - "Hamadryad", ~2016-4-4
#6
On Mon, 03 Apr 2017 21:26:34 +0200, s|b wrote:
> Any help will be appreciated.

So I've read pretty much every follow-up (my head is spinning) and I think the safest thing to do is ignore PSI and leave things how they are. I've set up PSI to ignore those versions of .NET and now I have a perfect score of 100% again. :-)

--
s|b
#7
s|b wrote:
> So I've read pretty much every follow-up (my head is spinning) and I think the safest thing to do is ignore PSI and leave things how they are. I've set up PSI to ignore those versions of .NET and now I have a perfect score of 100% again. :-)

Be careful about such scoring. Belarc Advisor also has their scoring on how secure is your system. If you follow all or even some of their suggestions, things will break. For example, they recommended changing to FIPS for encryption but made every HTTPS web site inaccessible. I could not figure out why "all of a sudden" I could not visit any HTTPS web site until I recalled a day before of making the Belarc Advisor suggested change. Undid that and, voila, HTTPS sites worked again. They also tell me that I should configure Windows to auto-expire all Windows account passwords. No thanks. I'm the only one that has physical access to it but ignoring their suggestions results in a lower "security score".

While the libs won't tell you who used them, Mayayana mentioned a tool that crawls through files looking for lib calls to those .NET libs. That way, you could tell if you have any programs that use them. If not then I'd uninstall the old .NET libs since they aren't being used and just wasting disk space - and products, like PSI, alarm their users about trivials.

I thought there might be a deficiency in that tool as it scans executables for the exports (lib calls). For a long time now, developers have made their .exe files smaller by moving functions out into a .dll file. The calls to the .NET libs may be in the DLLs instead of back in the main .exe. However, for its .NET scanner, they also look inside the DLLs (probably by listing their imports). There are other dependency walkers (e.g., http://www.dependencywalker.com/); however, they show all dependencies, not just those targeting .NET libs.
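
Paul's suggestion to scan executables for their CLR version, and the header-reading approach of the tool mentioned above, can be sketched as follows. This is an added example, not part of the thread and not the code of that tool: `clr_version`, `framework_family` and `build_sample_pe` are hypothetical names, the sample image is constructed for the demo, and the version-to-framework mapping follows the table in Paul's post.

```python
import struct

CLR_DIR = 14  # data-directory slot of the CLR header in a PE optional header
# CLR version prefix -> framework releases on that CLR, per the table in post #4
FAMILY = {"v1.0": ".NET 1.0", "v1.1": ".NET 1.1",
          "v2.0": ".NET 2.0/3.0/3.5", "v4.0": ".NET 4.0 to 4.6"}


def _offset(sections, rva):
    """Map a relative virtual address to a file offset via the section table."""
    for vsize, vaddr, rsize, rptr in sections:
        if vaddr <= rva < vaddr + max(vsize, rsize):
            return rptr + rva - vaddr
    raise ValueError("RVA outside every section")


def clr_version(data):
    """Return the CLR version string a PE image was built for, else None."""
    try:
        pe, = struct.unpack_from("<I", data, 0x3C)
        if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
            return None
        nsect, = struct.unpack_from("<H", data, pe + 6)
        opt_size, = struct.unpack_from("<H", data, pe + 20)
        opt = pe + 24
        magic, = struct.unpack_from("<H", data, opt)
        dirs = opt + {0x10B: 96, 0x20B: 112}[magic]   # PE32 / PE32+
        count, = struct.unpack_from("<I", data, dirs - 4)
        clr_rva = 0
        if count > CLR_DIR:
            clr_rva, = struct.unpack_from("<I", data, dirs + 8 * CLR_DIR)
        if clr_rva == 0:
            return None                               # native code, no CLR header
        sections = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
                    for i in range(nsect)]
        cli = _offset(sections, clr_rva)
        meta_rva, = struct.unpack_from("<I", data, cli + 8)
        meta = _offset(sections, meta_rva)
        sig, _, _, _, length = struct.unpack_from("<IHHII", data, meta)
        if sig != 0x424A5342:                         # "BSJB" metadata signature
            return None
        raw = data[meta + 16:meta + 16 + length]
        return raw.split(b"\0")[0].decode("ascii")
    except (struct.error, KeyError, ValueError):
        return None                                   # truncated or malformed file


def framework_family(version):
    """Name the framework set (from the thread's table) a CLR version belongs to."""
    return FAMILY.get(version[:4], "unknown")


def build_sample_pe(version):
    """Constructed minimal PE32 image for the demo; version=None gives a native one."""
    opt = bytearray(96 + 16 * 8)
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic
    struct.pack_into("<I", opt, 92, 16)               # NumberOfRvaAndSizes
    if version is not None:
        struct.pack_into("<II", opt, 96 + 8 * CLR_DIR, 0x2000, 72)
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x2102)
    sect = b".text\0\0\0" + struct.pack("<IIII", 0x200, 0x2000, 0x200, 0x400) + bytes(16)
    headers = dos + b"PE\0\0" + coff + bytes(opt) + sect
    ver = (version or b"").ljust(12, b"\0")
    cli = struct.pack("<IHHII", 72, 2, 5, 0x2048, 16 + len(ver)).ljust(72, b"\0")
    meta = struct.pack("<IHHII", 0x424A5342, 1, 1, 0, len(ver)) + ver
    body = cli + meta if version is not None else b""
    return headers.ljust(0x400, b"\0") + body.ljust(0x200, b"\0")


if __name__ == "__main__":
    for ver in (b"v1.1.4322", b"v2.0.50727", b"v4.0.30319", None):
        found = clr_version(build_sample_pe(ver))
        print(found, "->", framework_family(found) if found else "native image")
```

To inventory a real machine, pass the bytes of each .exe and .dll file to `clr_version`; files that report a v1.x or v2.0 string were built against the older runtimes.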
#8
VanguardLH wrote:
> s|b wrote:
>> So I've read pretty much every follow-up (my head is spinning) and I think the safest thing to do is ignore PSI and leave things how they are. I've set up PSI to ignore those versions of .NET and now I have a perfect score of 100% again. :-)

I thought that PSI was no longer being updated and we were to switch to another source.

--
Zaidy036
#9
Zaidy036 wrote:
> I thought that PSI was no longer being updated and we were to switch to another source.

Secunia got acquired by FlexeraSoft.

http://www.infoworld.com/article/298...-software.html
http://www.crn.com/news/security/300...management.htm

Sometimes when an enterprise-oriented company acquires another that the consumer-oriented products of the prior company end up as only enterprise-grade products. The acquirer isn't interested in the consumer market.

Another aspect of the tool is that it must phone home to divulge your software repository to them. This lets them aggregate data on what software their customers are using. I don't recall having to divulge an e-mail address to get the PSI download - but you do now. So make sure to use a temporary (disposable) one or an alias (that is truly an alias and not some prepended string onto your existing username).

The latest version that I can get from somewhere OTHER than Flexera (http://www.softpedia.com/get/System/...nspector.shtml) is dated back to Feb 2, 2016 for version 3.0.0.11005. download.com won't tell me what version they offer for download, and the offered file does not include a version substring in its filename. The download from Flexera's site also has no version shown in the download filename. I download their file and use Peazip to open the .exe as an archive. Didn't find anything inside that told me what version was that software. I did notice their Readme.rtf file listed Windows 7 as the latest supported OS yet their web site claims Windows 8 and 10 are supported. Considering the download is only 3.8 MB in size, it is likely a web installer: a stub of code to connect back to them to then retrieve the real product. Could be the program is small since it relies on retrieving info from their servers for it to work. The datestamps of the files in the .exe were dated back to Nov 2015 with the sua.exe file dated Feb 2016.

https://secuniaresearch.flexerasoftw...port/download/

According to Flexera's page, version 3.0 is the latest version available for their acquired PSI product. Well, as mentioned above, that was back in Feb 2016 with most of the installer files dated much older. That would be the program version. I don't know what is their latest version from the Flexera web site because they don't tell you what they will download to you.

Although there may have been no further program updates, that does not preclude database updates on software, their versions, age, etc., that gets retrieved by their program when it phones home. "To function correctly Personal Software Inspector needs to be able to connect to our servers." If you don't have an Internet connection or allow PSI to connect to their servers, PSI won't work. Their FAQ doesn't say the program will continue using the previously retrieved database until whenever it can later retrieve an updated one. They say PSI won't work ("won't load the interface or complete scanning") without an Internet connection.

I suspect that I last trialed PSI before the acquisition so it's been awhile. However, from the OP's message, still sounds like they bitch about old software. They bitch because it is old, not because it was or is vulnerable (and under YOUR current deployment of it). End-of-life or abandoned does NOT equate to vulnerable. Secunia, now Flexera, does not know if the old software is vulnerable. They're just scaring you about something that's old and will no longer be included in their database to show an update schedule.

I consider Secunia PSI like I do for driver update notification software: they break too many computers. Stuff that was working before gets broke with the introduction of new code, the new code has its own bugs and vulnerabilities, and for changed behaviors or even losing some features previously available. Fixing something that is not broke may end up breaking it.

Instead of relying on wasting memory and CPU cycles along with bandwidth on alarms (too many of which are false) about out of date software (which is what PSI measures, not whether the old version is actually vulnerable or broken), I allocate my own selected time for when I save an image backup and review my software to see which ones have updates and of those which ones I want to update. I'm the admin of my computer so I do that job, not relegate it to fixed code decided by someone else guessing what should get updated.
#10
On Tue, 4 Apr 2017 14:30:56 -0500, VanguardLH wrote:
> Be careful about such scoring. Belarc Advisor also has their scoring on how secure is your system. If you follow all or even some of their suggestions, things will break.

I don't use Belarc Advisor and so far, I haven't caused any problems by following Secunia's advice. But I will keep the warning in mind.

> For example [Belarc Advisor]

I haven't tried Belarc, but based on your experience I think I'll pass.

--
s|b
#11
On Wed, 5 Apr 2017 05:48:10 -0000 (UTC), Zaidy036 wrote:
> I thought that PSI was no longer being updated and we were to switch to another source.

I got a warning version 2.x was end of life, so I switched to 3.x which is still working.

--
s|b
#12
s|b wrote:
> I haven't tried Belarc, but based on your experience I think I'll pass.

I don't use Belarc Advisor for its security scoring (for the reasons given). I do use it as a more convenient means to list all the updates applied to my computer plus it gives me the product and license keys for several programs. I use it for information only, not for tweaking.

Nothing mandates that you use all features of a program. Hell, MS Word users often only touch about a third, if that much, of its features.
#13
In message , VanguardLH
writes:
> s|b wrote:
>> I haven't tried Belarc, but based on your experience I think I'll pass.
>
> I don't use Belarc Advisor for its security scoring (for the reasons given). I do use it as a more convenient means to list all the updates applied to my computer plus it gives me the product and license keys for several programs. I use it for information only, not for tweaking.
>
> Nothing mandates that you use all features of a program. Hell, MS Word users often only touch about a third, if that much, of its features.

+1. I ignore Belarc's security advisories (as I do most - I wouldn't be using an XP computer, would I ... [yes I know where I'm writing this]). But I find Belarc very handy for getting a reasonably accurate summary of the hardware (including, e. g., memory - not just total, but how many sticks of what capacity each), as well as software summaries, and as VLH says, some keys. It's not foolproof (e. g. some software-created hardware can be shown as hardware, and some hardware with the wrong drivers can appear as the hardware the drivers are for), but reasonably good (and of course free). The _format_ of the report is also somewhat pleasing to me.

--
J. P. Gilliver. UMRA: 1960/1985 MB++G()AL-IS-Ch++(p)Ar@T+H+Sh0!:`)DNAf

What is the point of a really good degree, if you're just like Harold Wilson? That really cut me down to size. - Sister Wendy Becket, on DIDs 2012-12-16 (She, like he, got one of the best degrees at Oxford in her year.)
#14
On Thu, 6 Apr 2017 13:45:08 -0500, VanguardLH wrote:
> s|b wrote:
>> I haven't tried Belarc, but based on your experience I think I'll pass.
>
> I don't use Belarc Advisor for its security scoring (for the reasons given). I do use it as a more convenient means to list all the updates applied to my computer plus it gives me the product and license keys for several programs. I use it for information only, not for tweaking.

Ditto.

> Nothing mandates that you use all features of a program. Hell, MS Word users often only touch about a third, if that much, of its features.

For programs of almost any complexity at all, there is probably nobody who uses all their features.