MSE?

[Daveski17]

Quote:

Originally Posted by STV0726

Great question, mate.

I'm not going to sugar coat it. It's very concerning if you run full-time as an administrator or you have disabled UAC.

If you are using MSE, your best bet is to:

1) Never ever disable UAC. In fact, you'd best bump it up to Always Notify.
2) Use a standard user account for daily computing
3) Always keep Windows up-to-date automatically. Use Microsoft Update.
4) Leave the Windows Firewall on at all times and preferably unless you are using file sharing specifically, use public setting.
5) Do NOT for any reason modify the file access permissions of any MSE related folders.

That list may sound relatively generic and maybe even over-stated, but when dealing with an AV that relies fully on UAC and integrity control for self-protection, it becomes just that much more necessary imo.

OK, thanks. I think I should be OK. I have layers of security & never just rely solely or totally on an AV. It is a bit disconcerting to discover that MSE has a bit of a design flaw though.

It still won't deter me from using it.

[STV0726]

Nah you should be fine, sounds like...

...what I will say is that I don't sugar coat it but at the same time I understand a lot of us on here (hopefully) use a layered approach anyway so I do take that into consideration.

The real people in danger are people who have disabled UAC and run full-time as an admin and use MSE. But then again, I don't condone doing that even if your AV has the best self-protection module known to mankind.

[Daveski17]

Quote:

Originally Posted by STV0726

Nah you should be fine, sounds like...

...what I will say is that I don't sugar coat it but at the same time I understand a lot of us on here (hopefully) use a layered approach anyway so I do take that into consideration.

The real people in danger are people who have disabled UAC and run full-time as an admin and use MSE. But then again, I don't condone doing that even if your AV has the best self-protection module known to mankind.

Yes, it is definitely food for thought though. I tend to agree with Hungry Man about the efficacy of an enabled UAC, as it is only really as good as the user is informed on how to utilise it (some people will run any .exe). Although having said that, I always have it enabled. I would have thought that it would be relatively difficult to get past software & hardware firewalls, Firefox/SeaMonkey with NoScript & RequestPolicy in conjunction with a decent adblocker, let alone using WOT. Plus, I have MBAM to remove anything nasty if anything does get through. I've never totally trusted an AV since Norton let a trojan through once (admittedly I didn't use NoScript or an adblocker then). A trojan that SpyBot, MS Defender & SpywareBlaster missed also. As I said earlier, there are a variety of reasons why I run MSE, IMHO any disadvantages like lack of self protection modules are outweighed by the advantages of simplicity of use & overall lightness.

[Hungry Man]

So you're saying that if I let malware elevate to admin that WSA can still stop the malware from turning services off/ killing WSA?

Quote:

I tend to agree with Hungry Man

A wise choice!

[HKEY1952]

Quote:

Originally Posted by Daveski17

It is a bit disconcerting to discover that MSE has a bit of a design flaw though.

According to Rob Koch at Microsoft Answers, the side effect of adding an self-protection module adds 'bloat', to the
anti-malware program because the self-protection module by necessity, increases the size and complexity of the
anti-malware program as an whole.

Also according to Rob Koch at Microsoft Answers, no one has yet been able to successfully add one hundered percent
self-protection because no process in the Microsoft Windows Operating System can truly be 'protected', the process
can only be restarted, and that there is absolutely no such thing as true process 'protection' available within the
Microsoft Windows Operating System, only an few core Windows modules are not allowed to be terminated.

Rob Koch at Microsoft Answers also emphasizes that Microsoft Security Essentials has added some file system level
security configuration to the installation process, and together with Microsoft Security Essentials behavioral
monitoring, can detect and attempt to block such attempts to disable Microsoft Security Essentials, but in reality,
it just can not be done by anyone with one hundred percent success, but is being attempted by Microsoft in Microsoft
Security Essentials without the addition of an useless module that would simply add overhead.


So it is not an design flaw.....


Source:
http://answers.microsoft.com/en-us/p...e-10d15a1546ba


HKEY1952

[funkydude]

Quote:

Originally Posted by STV0726

Yes, v4 also has no self-protection technology.

Rob Koch's statements were shooting down my suggestion for v4 and beyond.

I probably sound like a broken record with this but lets not forget (again) that if you're running a 64bit system (MSE 64bit) then MSE is already protected against 99% of malware "naturally", seeing as 99% of malware is 32bit, and as so, cannot even see 64bit processes.

[Daveski17]

Quote:

Originally Posted by HKEY1952

According to Rob Koch at Microsoft Answers, the side effect of adding an self-protection module adds 'bloat', to the
anti-malware program because the self-protection module by necessity, increases the size and complexity of the
anti-malware program as an whole.

I assumed that this was the reason, in my experience MSE is only slightly heavier on my notebook than The Panda Cloud (free) was. I chose MSE over Panda because of Panda's tendency towards false-positives, something incredibly rare on MSE.

Quote:

Originally Posted by HKEY1952

Also according to Rob Koch at Microsoft Answers, no one has yet been able to successfully add one hundered percent
self-protection because no process in the Microsoft Windows Operating System can truly be 'protected', the process
can only be restarted, and that there is absolutely no such thing as true process 'protection' available within the
Microsoft Windows Operating System, only an few core Windows modules are not allowed to be terminated.

Well, nothing is 100% when it comes to software.

Quote:

Originally Posted by HKEY1952

Rob Koch at Microsoft Answers also emphasizes that Microsoft Security Essentials has added some file system level
security configuration to the installation process, and together with Microsoft Security Essentials behavioral
monitoring, can detect and attempt to block such attempts to disable Microsoft Security Essentials, but in reality,
it just can not be done by anyone with one hundred percent success, but is being attempted by Microsoft in Microsoft
Security Essentials without the addition of an useless module that would simply add overhead.

Thanks for letting me see the other side of the coin, I can well understand MS not wanting to add bloat to MSE, it's one of its main attractions. Again, I think Hungry put his finger on this; MSE is now so popular malware writers are deliberately trying to get around it, just as they probably target the other most popular AVs.

Quote:

Originally Posted by HKEY1952

So it is not an design flaw.....

'Design flaw' was probably a poor choice of words. It is interesting to note though, if MSE is being regularly disabled by malware (although not with any computer of mine & I've ran MSE for over 18 months) how many other AVs are being disabled by similar malware?

[Daveski17]

Quote:

Originally Posted by funkydude

I probably sound like a broken record with this but lets not forget (again) that if you're running a 64bit system (MSE 64bit) then MSE is already protected against 99% of malware "naturally", seeing as 99% of malware is 32bit, and as so, cannot even see 64bit processes.

Well, that's great news for my 64 bit desktop. Not so great for my other 32 bit computers.

[Montmorency]

Quote:

According to Rob Koch at Microsoft Answers, the side effect of adding an self-protection module adds 'bloat',

According to whichever mod at MSE's forums anything apart from their product is one app too much.
MBAM (or others) is not "officially" approved
Third Party FW's are not recommended
HIPS, Behaviour Blockers, Anti Keyloggers... run from them as from Hell itself
Browser ad-ons (they only know about IE) slow you down
etc....

I could use MSE, I find it a good program... but this culture of "if you don't agree with us..." really puts me off.
Just roam their forums to understand.

[Daveski17]

I've just been reading the thread Is Malware Targeting Norton?, so everything that can be said about MSE being targeted can just as easily be said about Norton. Although personally, I know which AV I prefer, *hint*, it isn't Norton.

[Daveski17]

Quote:

Originally Posted by Montmorency

According to whichever mod at MSE's forums anything apart from their product is one app too much.
MBAM (or others) is not "officially" approved
Third Party FW's are not recommended
HIPS, Behaviour Blockers, Anti Keyloggers... run from them as from Hell itself
Browser ad-ons (they only know about IE) slow you down
etc....

I could use MSE, I find it a good program... but this culture of "if you don't agree with us..." really puts me off. Just roam their forums to understand.

In my experience on Microsoft Answers all of the mods have always stressed the importance of a layered approach to malware prevention. I'm pretty sure some of them have mentioned MBAM in a positive light or that they in fact use it themselves. I've always found them to be pretty helpful. They are bound to be a bit biased towards Microsoft though.

[Victek123]

Quote:

Originally Posted by HKEY1952

Also according to Rob Koch at Microsoft Answers, no one has yet been able to successfully add one hundred percent
self-protection because no process in the Microsoft Windows Operating System can truly be 'protected', the process
can only be restarted, and that there is absolutely no such thing as true process 'protection' available within the
Microsoft Windows Operating System, only an few core Windows modules are not allowed to be terminated.

These "nothing is 100%" comments are meaningless - that can be said for pretty much everything. The fact is that processes can be hardened. I don't see how anyone can make a rational argument against hardening security processes against termination. Calling added self-protection code "bloat" is just nonsense.

[Hungry Man]

You're right that a 32bit process can't load into a 64bit process. I'm not sure that it can't read it, and it could still effect files on the system associated with MSE.

[funkydude]

Quote:

Originally Posted by Hungry Man

You're right that a 32bit process can't load into a 64bit process. I'm not sure that it can't read it, and it could still effect files on the system associated with MSE.

1. No they can't, the 32bit "emulator" has no access to 64bit processes whatsoever.
2. Not when they're in use.

[STV0726]

Quote:

Originally Posted by Victek123

These "nothing is 100%" comments are meaningless - that can be said for pretty much everything. The fact is that processes can be hardened. I don't see how anyone can make a rational argument against hardening security processes against termination. Calling added self-protection code "bloat" is just nonsense.

Sorry guys, but as much as I want to like MSE, this pretty much sums it up. +1

Whether or not it is a design flaw...well that's a different story kinda...because the vendor considers it a non-issue so it's up to you whether or not it's a deal breaker. It's a deal breaker for me because their lack of self-protection is becoming evident in their protection results from testing orgs.

@HungryMan: I am fairly certain that the self-protection/response cloaking module of WSA can still protect itself even if malware has gained admin privilleges. Is this an ideal situation? No, it is not. Ideal is always non-admin plus self-protection module. However, that being said, WSA's self-protection is good.

But, with default settings, even if the admin-elevated malware bypassed the main self-protection/response cloaking module, it would still be impeded by CAPTCHA confirmation if it tried to shut WSA down, regardless of admin or non-admin. And CAPTCHA I do believe is a good approach.

[Daveski17]

Quote:

Originally Posted by STV0726

Whether or not it is a design flaw...well that's a different story kinda...because the vendor considers it a non-issue so it's up to you whether or not it's a deal breaker.

Well, this has been an interesting thread for me as I have MSE installed on every computer I have online. This has been for at least 18 months & AFAIK I have had no malware in that time. Over the past few months I have read several articles denigrating MSE over various different faults & generally criticising it in a direct contrast to the praise heaped on it when it was first released. Having said that, these are essentially all subjective opinions. For instance; I think that Norton is the worst AV I have ever used & its detection rate is questionable, yet I can find a variety of reviews highly praising it.

Quote:

Originally Posted by STV0726

It's a deal breaker for me because their lack of self-protection is becoming evident in their protection results from testing orgs.

I am never totally sure that these tests are that applicable in the real world. Aren't many of them run on virtual machines? Norton is also being targeted in a similar fashion according to this thread. Isn't this to be expected if both Norton & MSE are very popular AV solutions?

[Cudni]

ot posts removed

[HKEY1952]

Quote:

Originally Posted by Daveski17

I am never totally sure that these tests are that applicable in the real world.
Aren't many of them run on virtual machines?

I agree Daveski17, 'these tests' should only be used as tools for reference, 'these tests' are not the final and
absolute conclusive evidence of the security products protection capabilities in the real world, whether the security
product passes, fairs, or fails any or all of 'these tests'.

Now lets say one particular security product exists an history of 'fairing' on most of 'these tests' that were
preformed by several different testing organizations, using 'these tests' as an tool for reference would suggest
that that particular security product may not be the security product one is looking for, however, in the real world,
that same security product may perform much better than 'fair'. An virtual machines emulation of the real world is
far from being the real world.

The best 'test' for any security product is to install the Trial Version and draw ones own conclusion whether the
security product is worthy of being installed on their computer.


HKEY1952

[STV0726]

By all means trial it out - especially when it's free - but be careful with how you draw your conclusions.

I don't agree with such logic of formal/efficacy self-evaluation. MSE looks great on the surface until you realize it has performed DCJ (doesn't catch jack) in some recent tests. If you are to disregard these 3rd party testings and instead think it's good based on your own throwing of "malware" at it from MDL or what not, you've entered the dangerous and ignorant territory of homegrown testing and your results are not meaningful. Lastly, just because you're yet to be infected, doesn't mean the product is good.

I'm not trying to be overly hard on MSE. I'm just trying to keep it real. There seems to be a mini-trend going on right now of people distrusting known-reputable and known-valid testing body results, and instead turning to their own superficial self-evals or even worse, YouTesters. Really, the opposite should be happening. I am a proponent of 3rd party testing and almost all of them now do some kind of test(s) that which specifically emulate "real-world" scenarios for those so concerned about that.

[HKEY1952]

I am an firm believer of placing the network, even if it exists only one computer, behind an properly configured
reputable firewall router. With the firewall router alone, and practicing safe surfing, chances of encountering an
infection is almost nil.


HKEY1952

[Daveski17]

Quote:

Originally Posted by HKEY1952

I agree Daveski17, 'these tests' should only be used as tools for reference, 'these tests' are not the final and
absolute conclusive evidence of the security products protection capabilities in the real world, whether the security
product passes, fairs, or fails any or all of 'these tests'.

Yes, I agree. It's not like the results from all testing agencies all completely agree with each other either.

Quote:

Originally Posted by HKEY1952

Now lets say one particular security product exists an history of 'fairing' on most of 'these tests' that were
preformed by several different testing organizations, using 'these tests' as an tool for reference would suggest
that that particular security product may not be the security product one is looking for, however, in the real world,
that same security product may perform much better than 'fair'. An virtual machines emulation of the real world is
far from being the real world.

I think that this is often the case, how many times & with how many different types of malware do these tests actually run different AVs on virtual machines? Just how close are these tests to a real-life situation?

Quote:

Originally Posted by HKEY1952

The best 'test' for any security product is to install the Trial Version and draw ones own conclusion whether the
security product is worthy of being installed on their computer.

It's like I said before, malware has to get past my router firewall, my software firewall, browser hardening (NoScript & RequestPolicy, all depending on which browser I am using at the time, of course, not forgetting ad & flashblockers) as well as MSE. I feel pretty safe with MSE on my 64 bit desktop. My 32 bit machines also have other protection, including SpywareBlaster & MBAM. I'm pretty certain I have a good defence strategy against the likes of drive-bys & infected flash ads, probably the two most predominant causes of computer infections. A good light AV is the logical top to all that. If MSE is being disabled with an alarming regularity surely other light AVs are equally vulnerable?

It's not happened to me yet.

[Daveski17]

Quote:

Originally Posted by STV0726

I don't agree with such logic of formal/efficacy self-evaluation. MSE looks great on the surface until you realize it has performed DCJ (doesn't catch jack) in some recent tests.

You could equally apply the same logic to the idea that 'not catching jack' on recent tests is a statistical aberration. How many other AVs are in the same situation?

Quote:

Originally Posted by STV0726

If you are to disregard these 3rd party testings and instead think it's good based on your own throwing of "malware" at it from MDL or what not, you've entered the dangerous and ignorant territory of homegrown testing and your results are not meaningful.

Well, I'm not a homegrown tester, but I do know that 3rd party testings can often vary considerably. AV Comparatives.com still give MSE an ADV (Advanced rating).

Quote:

Originally Posted by STV0726

Lastly, just because you're yet to be infected, doesn't mean the product is good.

It doesn't mean it's rubbish either.

Quote:

Originally Posted by STV0726

I'm not trying to be overly hard on MSE. I'm just trying to keep it real. There seems to be a mini-trend going on right now of people distrusting known-reputable and known-valid testing body results, and instead turning to their own superficial self-evals or even worse, YouTesters. Really, the opposite should be happening. I am a proponent of 3rd party testing and almost all of them now do some kind of test(s) that which specifically emulate "real-world" scenarios for those so concerned about that.

I'm not so sure that those 'real-world' scenarios can ever actually be that. How many 'paid for' AVs are equally as vulnerable as MSE allegedly is to being bypassed? Last night I spoke to the bloke who built my last two desktop computers for me. He tells me that most people who take their computers to him (he owns a shop/store) to be relieved of various forms of malware that they have contracted are running Norton or McAfee. He has never personally known of a computer infected that was running MSE. What am I to make of that statistic?

well probably because there are considerably less users of MSE

[m00nbl00d]

But, the reality is not how any knowledgeable user has his/her system configured. It's how millions of Windows user don't have theirs.

What's the point for these users to have MSE, if any piece of malware can break it? Worst, if the user elevates something, then what's there to protect MSE? MSE settings are protected by the administrator's account password. When any of these millions of users are the administrators... well...

The bottom line is that MSE should be hardened against termination. I believe I mentioned at some Prevx forum thread that, recently the rootkit ZeroAccess was able to force antimalware apps to kill themselves (priceless) and then change file system permissions, so they could no longer run.

Security vendors had to harden their antimalware apps against this behavior. If they didn't harden their tools, then how could their tools protect their users? I suppose Microsoft didn't? Is ZeroAccess still efficient to kill MSE?

[Daveski17]

Quote:

Originally Posted by general_zerohour

well probably because there are considerably less users of MSE

It's a distinct possibility. There again, it's supposed to be the most popular & used freeware AV.