More In-Depth Look at Microsoft Security Essentials

GµårÐïåñ
Lieutenant Colonel
Posts: 3339
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Post by GµårÐïåñ » Mon Nov 23, 2009 1:52 am

In light of some recent excellent performance by Microsoft's Security Essentials program, I felt it would be only fair to give them a few minutes of in-depth look and take a visual tour of the software for those considering it. It also goes to help with some questions and less than accurate assumptions about the software. I am in no way a supporter of M$, everyone knows that, but I think it is the only honorable thing to do; giving credit where it's due. Take what you want from this and choose as you wish; this is simply to help provide perspective, not trying to change anyone's opinion or choice. Free will is the cornerstone of my belief system, but so is truth and fairness.

Microsoft Security Essentials was built from the ground up and does not rely on any previous paradigms as they did with their Live OneCare system, which was a remake of a software solution they had acquired. This is more built on the framework of their Defender program, with expanded functionality that was included in their Malware Removal Tools that would be regularly released and everyone should be familiar with. You can get more information from the horse's mouth by going to the dedicated support/product page for it here:
http://www.microsoft.com/security_essentials/support.aspx

The opening screen is the [ HOME ] tab which looks as follows:
Image
As you can see, there are the options for Quick, Full and even Custom scanning which gives you granular control on the depth of your preferred digging. It also shows you the status of your services, the status of your definitions and even allows for changing the automatic scheduled scanning.

The next tab of note is the [ UPDATE ] tab which looks as follows:
Image
This is where you can manually check for updates and check the status of your definitions (the version number and date it was last updated). However, one noteworthy feature of this program is that it will check for updates quite often and quite consistently, and will keep up to date in response to new threats at a much faster rate than I have seen in comparable programs; so you probably won't need to spend much time on this tab, but it's there just the same.

The next tab, and by far the most helpful tab, is your [ HISTORY ] tab which looks as follows:
Image
You can filter your history by categories, and it will show you the item, the description, the level of threat, the date, and what action was taken on it. The actions taken can be automated as you will see later, but in my case, I like to be the one to decide what is done, and so it is configured to respond to my choice while it freezes it in its tracks until I decide, so no damage is taking place.

As you can see in this screenshot, it shows the latest trojan of note that was discussed in another thread. It detected this item while being downloaded, and it never even had a chance to reconstitute on my end before being flagged. It's impressive, actually. As you can see, I chose to quarantine it so I can go back later and play with it and see what's inside. One really interesting point of note that makes this program exceptional is that as you can see, there are two entries. One was in regular profile; the other was INSIDE a "sandbox", or restricted and quarantined area, which makes this even more powerful.

On the first, normal download, here are the details it provides to you:

Code:

Category: Trojan

Description: This program is dangerous and executes commands from an attacker.

Recommendation: Remove this software immediately.

Microsoft Security Essentials detected programs that may compromise your privacy or damage your computer. You can still access the files that these programs use without removing them (not recommended). To access these files, select the 'Allow' action and click 'Apply actions'. If this option is not available, log on as administrator or ask the local administrator for help.

Items:
containerfile:C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{06DC7884-086C-4883-BE0E-06D930F5A57B}-files.zip
file:C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{06DC7884-086C-4883-BE0E-06D930F5A57B}-files.zip->goored/{393297E4-C74B-47DE-A2F4-E1E2EE8C39A8}/chrome/content/overlay.xul->(SCRIPT0000)
filelocalcopy:C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{06DC7884-086C-4883-BE0E-06D930F5A57B}-files.zip->goored/{393297E4-C74B-47DE-A2F4-E1E2EE8C39A8}/chrome/content/overlay.xul->(SCRIPT0000)
webfile:C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{06DC7884-086C-4883-BE0E-06D930F5A57B}-files.zip|http://rs439gc.rapidshare.com/files/309460848/8192462/files.zip

Get more information about this item online.


On the second one, it was done inside a sandbox (Sandboxie) which shows this:

Code:

Microsoft Security Essentials encountered the following error: Error code 0x80070002. The system cannot find the file specified. 

Category: Trojan

Description: This program is dangerous and executes commands from an attacker.

Recommendation: Remove this software immediately.

Microsoft Security Essentials detected programs that may compromise your privacy or damage your computer. You can still access the files that these programs use without removing them (not recommended). To access these files, select the 'Allow' action and click 'Apply actions'. If this option is not available, log on as administrator or ask the local administrator for help.

Items:
containerfile:C:\Sandbox\Michael\DefaultBox\user\current\AppData\Local\Temp\Rar$DI04.019\overlay.xul
file:C:\Sandbox\Michael\DefaultBox\user\current\AppData\Local\Temp\Rar$DI04.019\overlay.xul->(SCRIPT0000)

Get more information about this item online.


It shows an access error, but it was due to the fact that I closed the sandbox BEFORE it had a chance to take action, but I would have and could have accessed it, had I let it continue.

The next tab where you get to modify the options under the hood is the [ SETTINGS ], which looks as follows (please note that each option on the left column of the settings has been shot separately so that you can see each item for itself):

Settings 1
Image
This is where you decide when it runs a scheduled scan, what type, and so forth, pretty self-explanatory.

Settings 2
Image
This is what I mentioned earlier: you can choose what the default actions are, and it will do it automatically, or you can uncheck that option and decide for yourself each time; the choice is up to you. For the average user, I often set it up as above, but for more advanced users, I leave the last checkbox undone.

Settings 3
Image
This is where you control your real-time protection options, which many seem to think this tool does not provide, but it does, and it does it very admirably. You can choose to have it check each program that runs AS it runs (which surprisingly, compared to Avast and Comodo, does NOT hang your machine or notably slow it down), and the second option pretty much has the same effect as the Avast stream scanning and also works with emails, macros, web traffic, IM traffic, etc.; ANY network activity, which is excellent.

Setting 4
Image
This is pretty self-explanatory, and it's things you want to exclude from a scan. The next two options give you more granular exemption control for file types and even processes, as follows:

Setting 5
Image

Setting 6
Image

Setting 7
Image
In this section you get to choose several other options, like archive scanning (this also does packed MSI and exe installers too -- very cool -- WITHOUT the annoyance provided by Avast and Avira, which require you to decide how many levels inside you want checked). This will check it ALL, and another cool feature is that when it looks inside installer files or compressed files, if you have OTHER MSI, EXE, zip, or whatever INSIDE it as well, it will check them and their internals too, so it is very systematic in crawling through EVERYTHING. Very cool, and not too much difficulty in setting the option.

You also can have it check external drives, like USB thumb/key drives. When they are plugged in, they are scanned immediately, before introducing the possibility of infection by something on them that might try to execute using Autorun, a common way for malware to run using external media. You can also choose to create system restore points, in the event that a fix might break something, so you can roll back to your previous state with no loss to your configurations and environment. You can even limit who can see the history.

Setting 8
Image
This is an option from which you cannot opt out, and it is a core of why the heuristics used are so effective, because it has the "community hive" system of detection, which makes it a very powerful repository that allows for best possible detections. This is probably the key to their success. The basic setting is fine for most, but for software developers, or those that are involved in dealing with security threats, the advanced setting, allowing for sending of raw files for processing, is an admirable function to consider. Initially, I was hesitant about it because of privacy concerns, but quickly realized that they truly use it for the good of the public, nothing else; so this one-time trusting of them is not a total leap of faith.

I hope this brief walk-through has been helpful, and if anyone has anything to add, to correct, or has questions, feel free to contact me via PM and let me know, since I will be locking this already-long thread to avoid it becoming unreasonably long. Just email or PM me (or Tom T., if I am not available for a reasonably prompt response), and I will take care of any corrections, additions, clarifications, or expansions. I hope that Tom will proof me on this and help me correct any ambiguous language or improper writing that might be difficult to understand. (Done -- Tom T. Very nice post, GµårÐïåñ'.)
Last edited by Tom T. on Wed Nov 25, 2009 3:18 am, edited 3 times in total.
Reason: copy-edited by request
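The two detection records quoted in the post share a small text layout (an optional error line, Category/Description/Recommendation fields, and an "Items:" list whose entries carry a resource-type prefix, a "->" chain into nested containers, and for webfile entries a "|"-separated source URL). The parser below is an added example written for this write-up, not code from the post or from Microsoft; the field names and item prefixes are taken from the quoted output, and the line layout is assumed to be the same as shown. The sample is constructed from the sandbox record plus the webfile line of the first record.

```python
import re

# Constructed sample assembled from the two records quoted in the post.
SAMPLE = r"""Microsoft Security Essentials encountered the following error: Error code 0x80070002. The system cannot find the file specified.

Category: Trojan
Description: This program is dangerous and executes commands from an attacker.
Recommendation: Remove this software immediately.

Items:
containerfile:C:\Sandbox\Michael\DefaultBox\user\current\AppData\Local\Temp\Rar$DI04.019\overlay.xul
file:C:\Sandbox\Michael\DefaultBox\user\current\AppData\Local\Temp\Rar$DI04.019\overlay.xul->(SCRIPT0000)
webfile:C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{06DC7884-086C-4883-BE0E-06D930F5A57B}-files.zip|http://rs439gc.rapidshare.com/files/309460848/8192462/files.zip

Get more information about this item online.
"""

FIELD_RE = re.compile(r"^(Category|Description|Recommendation):\s*(.*)$")
ERROR_RE = re.compile(r"Error code (0x[0-9A-Fa-f]{8})")
# Only the item prefixes that appear in the quoted records are recognised.
ITEM_RE = re.compile(r"^(containerfile|filelocalcopy|file|webfile):(.*)$")

def parse_item(line):
    """Split one Items line into prefix, on-disk path, nested chain and source URL."""
    m = ITEM_RE.match(line)
    if not m:
        return None
    kind, value = m.group(1), m.group(2)
    source_url = None
    if kind == "webfile" and "|" in value:        # download origin follows '|'
        value, source_url = value.split("|", 1)
    chain = value.split("->")                     # archive -> member -> (SCRIPTnnnn)
    return {"kind": kind, "path": chain[0], "inner": chain[1:], "source_url": source_url}

def parse_detection(text):
    """Turn one MSE detail record into a dict with error, fields and parsed items."""
    rec = {"error": None, "items": []}
    in_items = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        err = ERROR_RE.search(line)
        if err and not in_items and rec["error"] is None:
            rec["error"] = err.group(1)          # e.g. 0x80070002 (file already gone)
            continue
        field = FIELD_RE.match(line)
        if field:
            rec[field.group(1).lower()] = field.group(2)
            continue
        if line == "Items:":
            in_items = True
            continue
        if in_items:
            item = parse_item(line)
            if item is None:                     # trailer text ends the item list
                in_items = False
            else:
                rec["items"].append(item)
    return rec
```

The "inner" chain is what tells you whether the hit was the container itself (empty chain) or something unpacked from inside it, which is the distinction the post draws between the zip download and the file extracted in the sandbox.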