Microsoft Security Essentials

Discussion in 'other anti-virus software' started by Kees1958, Aug 9, 2009.

Thread Status:
Not open for further replies.
  1. scott1256ca

    scott1256ca Registered Member

    Joined:
    Aug 18, 2009
    Posts:
    144
    I did search this thread, but don't see an answer to my question, which is
    For the realtime protection, does MSE do memory scanning?
    The 2 options I see are

    1. Monitor file and program activity on your computer
    2. Scan all downloaded files and attachments.

    Both of those can be accomplished without scanning memory, depending on what is included in those activities.

    Thanks
     
  2. FRug

    FRug Registered Member

    Joined:
    Feb 7, 2006
    Posts:
    309
    No, you are wrong: this means exactly that neither HTTP nor POP nor IMAP is being scanned. These are protocols that would _require_ a proxy (or a browser/mail client plugin) to be scanned.
    By 'EVERYTHING' is meant every file saved to disk. So if you download a file manually and click 'SAVE' it will be scanned upon saving, not during transfer as a proxy would do. This means: data reaches your browser/mail client without being scanned.
    In case of a drive-by exploit to your browser, MSE might notice the exploit when it gets saved to the cache (after the exploit already kicked in). It _may_ be able to detect files additionally downloaded by the exploit, if they get saved to disk. If they do not get saved to disk (in-memory execution), MSE will be blind.
     
  3. scott1256ca

    scott1256ca Registered Member

    Joined:
    Aug 18, 2009
    Posts:
    144
    If FRug's assertion is correct then my question, or at least my real concern is also answered.
    Please note that I am not challenging FRug's assertion, but I am waiting to see if someone else does. :)
     
  4. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    FRug's assertion is incorrect, MSE can detect files before the transfer has finished, and most of the time, before you even click save.
     
  5. hawkeen

    hawkeen Registered Member

    Joined:
    Apr 9, 2006
    Posts:
    78
    Elapsed you are correct.

    Here is a quote from the MSE forums.

     
    Last edited: Oct 12, 2009
  6. InfinityAz

    InfinityAz Registered Member

    Joined:
    Jul 23, 2005
    Posts:
    828
    Location:
    Arizona
    Here's the link for remove-malware.com switching to MSE.
     
  7. Hugger

    Hugger Registered Member

    Joined:
    Oct 27, 2007
    Posts:
    1,003
    Location:
    Hackensack, USA
  8. InfinityAz

    InfinityAz Registered Member

    Joined:
    Jul 23, 2005
    Posts:
    828
    Location:
    Arizona
    I would also, if I were running a 32-bit OS.
     
  9. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    As an Eset reseller, I even have more success cleaning clients' infested PCs with MSE. Most of our SMB clients are protected by NOD Biz Edition. I see rogues/variants of fake security alerts, such as PersonalAV, make it past NOD on a regular basis now.

    Since cleaning an infected PC can take up quite a bit of time, depending on which tools you use to clean them, I've had the most success in using a combination of just MSE and MalwareBytes. Keeps things easy for me, and they've proven to do a good job in cleaning.

    It's quite light also, hardly any system impact..even on older PCs.
     
  10. Mem

    Mem Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    292
    I think FRug is correct. Change the MSE settings by going to Default Actions and set the Severe rating to quarantine, so a pop-up box will show instead of immediately removing the threat. Go to eicar.org and attempt to download the eicar file without clicking Save - an MSE download threat box will show up. One can click 'show details' and a larger threat action window will appear where you can click 'show details' again. Note that the item identified is listed as a file saved to the IE cache in the attachment. The file is found at that point - not with an HTTP stream analysis. If it were a stream intercept, it wouldn't be listed as a file in the Temporary Internet Files folder, since Save has not yet been selected. This is on Vista SP2 x64 with IE8.
     
  11. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    I've never seen an AV finding a threat that doesn't list it in the temporary internet files folder.
     
  12. Mem

    Mem Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    292
    Well, take a look at the found item (eicar file) in the above graphic and the path to it. A first time for everything. :)
     
  13. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    I think you misinterpreted what I said ^^

    What I'm trying to say is every AV I've used will list a catch as being in the temporary internet files folder.
     
  14. as1m

    as1m Registered Member

    Joined:
    Jul 9, 2006
    Posts:
    23
    Excellent discussion and well done MS for this product.

    Right, my question.

    Is there an exclusion option in MSE, to exclude user defined files / folders from being scanned?

    Thanks in advance.
     
  15. JohnnyDollar

    JohnnyDollar Guest

    Yes it is in the settings.
     
  16. as1m

    as1m Registered Member

    Joined:
    Jul 9, 2006
    Posts:
    23
    Thanks for the quick response.
     
  17. jmc777

    jmc777 Registered Member

    Joined:
    Aug 6, 2004
    Posts:
    244
    NOD32 does. The first result is with the web scanner disabled.

    13/10/2009 00:04:09 Real-time file system protection file C:\Users\John\AppData\Local\Opera\Opera\cache\opr03CBX probably a variant of Win32/Injector.ACC trojan cleaned by deleting - quarantined Neptune\John Event occurred on a file modified by the application: C:\Program Files (x86)\Opera\opera.exe.

    13/10/2009 00:04:35 HTTP filter file http://<snip>/sam.exe probably a variant of Win32/Injector.ACC trojan connection terminated - quarantined Neptune\John Threat was detected upon access to web by the application: C:\Program Files (x86)\Opera\opera.exe.
     
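    The two NOD32 entries above show the distinction the thread has been arguing about for MSE in a single log: the first hit is the real-time file system scanner catching the payload only after Opera had already written it to its cache directory, the second is the HTTP filter (a proxy) terminating the transfer before the browser received anything. The script below is an added example, not code from any post in this thread and not ESET's or Microsoft's tooling. It parses log lines in the shape of jmc777's entries and labels each detection by the layer that caught it and by whether the object sits in a browser cache folder, which is the check Mem describes doing by hand with the EICAR file in post 10. The sample lines are constructed: the first two mirror the posted entries with the URL host replaced by example.invalid, and the third is an assumed real-time hit on an EICAR file in IE's Temporary Internet Files folder. The set of scanner names, action phrases and threat-type words is likewise an assumption drawn from those lines, not the full ESET format.

```python
"""Classify anti-virus detections by the layer that caught them (added example)."""
import re
from dataclasses import dataclass

# Constructed sample log, modelled on the posted NOD32 "Detected threats" format.
# Third line is an assumed EICAR hit in IE's cache; none of this is a captured log.
SAMPLE_LOG = (
    "13/10/2009 00:04:09 Real-time file system protection file "
    "C:\\Users\\John\\AppData\\Local\\Opera\\Opera\\cache\\opr03CBX probably a variant "
    "of Win32/Injector.ACC trojan cleaned by deleting - quarantined Neptune\\John Event "
    "occurred on a file modified by the application: C:\\Program Files (x86)\\Opera\\opera.exe.\n"
    "13/10/2009 00:04:35 HTTP filter file http://example.invalid/sam.exe probably a variant "
    "of Win32/Injector.ACC trojan connection terminated - quarantined Neptune\\John Threat "
    "was detected upon access to web by the application: C:\\Program Files (x86)\\Opera\\opera.exe.\n"
    "13/10/2009 00:05:10 Real-time file system protection file C:\\Users\\John\\AppData\\Local"
    "\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\AB12CD34\\eicar[1].com "
    "Eicar test file cleaned by deleting - quarantined Neptune\\John Event occurred on a file "
    "modified by the application: C:\\Program Files\\Internet Explorer\\iexplore.exe.\n"
)

# Assumed vocabulary, taken from the posted lines; extend as your own log requires.
SCANNERS = ("Real-time file system protection", "HTTP filter", "POP3 filter", "IMAP filter")
ACTIONS = ("cleaned by deleting", "connection terminated", "deleted", "cleaned", "blocked")
CACHE_MARKERS = ("\\temporary internet files\\", "\\cache\\")

HEAD_RE = re.compile(
    r"^(?P<time>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<scanner>" + "|".join(re.escape(s) for s in SCANNERS) + r") file (?P<rest>.+)$"
)
# Threat names end in a type word ("... trojan", "Eicar test file"); anchoring on that
# lets the object (a path that may contain spaces, or a URL) be whatever precedes it.
THREAT_RE = re.compile(
    r"(?:probably )?(?:a variant of )?\S+ (?:trojan|worm|virus|test file|application)$"
)
ACTION_RE = re.compile(r" (?P<action>" + "|".join(re.escape(a) for a in ACTIONS) + r")$")
TAIL_RE = re.compile(r"^(?P<user>\S+) .*application: (?P<process>.+?)\.?$")


@dataclass
class Detection:
    time: str
    scanner: str
    obj: str
    threat: str
    action: str
    user: str
    process: str

    @property
    def layer(self) -> str:
        """'network' when a protocol filter (proxy) caught it, 'disk' for on-write scanning."""
        return "network" if self.scanner.endswith("filter") else "disk"

    @property
    def in_browser_cache(self) -> bool:
        """Disk hit whose path is inside a browser cache folder: the browser already had the bytes."""
        return self.layer == "disk" and any(m in self.obj.lower() for m in CACHE_MARKERS)

    @property
    def reached_client(self) -> bool:
        """A disk-layer hit means the application received and wrote the payload before
        detection; a network-layer hit terminated the transfer first."""
        return self.layer == "disk"


def parse_line(line: str) -> Detection:
    head = HEAD_RE.match(line.strip())
    if not head:
        raise ValueError(f"unrecognised log line: {line!r}")
    left, sep, tail = head["rest"].partition(" - quarantined ")
    if not sep:
        raise ValueError("no quarantine marker in line")
    act = ACTION_RE.search(left)
    if not act:
        raise ValueError("no known action in line")
    left = left[: act.start()]
    thr = THREAT_RE.search(left)
    if not thr:
        raise ValueError("no threat name in line")
    tl = TAIL_RE.match(tail)
    if not tl:
        raise ValueError("no process in line")
    return Detection(
        time=head["time"], scanner=head["scanner"],
        obj=left[: thr.start()].rstrip(), threat=thr.group(0),
        action=act["action"], user=tl["user"], process=tl["process"],
    )


def parse_log(text: str) -> list:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def summarize(dets) -> dict:
    """Hits per layer, plus how many payloads reached the client before being caught."""
    out = {"network": 0, "disk": 0, "in_browser_cache": 0, "reached_client": 0}
    for d in dets:
        out[d.layer] += 1
        out["in_browser_cache"] += int(d.in_browser_cache)
        out["reached_client"] += int(d.reached_client)
    return out


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    for d in found:
        print(f"{d.time} {d.layer:7} cache={str(d.in_browser_cache):5} {d.threat} <- {d.process}")
    print(summarize(found))
```

    Run against a real export, the "reached_client" count is the number the thread cares about: a product with no HTTP/POP/IMAP proxy layer will only ever produce disk-layer hits, so every one of its web detections will show up with a cache path, exactly as Mem saw with the EICAR file.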
  18. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    Yeah I actually do on a few larger clients where I have a WSUS server to manage that. It's still a decent product.
     
  19. JohnnyDollar

    JohnnyDollar Guest

    Is anyone experiencing any sluggishness when accessing other internal HDs?
    Or other functions, such as accessing Programs and Features, after installing MSE on Vista x64? Any sluggishness at all from anyone with Vista x64 and MSE?
     
  20. Morro

    Morro Registered Member

    Joined:
    Jul 11, 2009
    Posts:
    355
    Location:
    Netherlands
    Well, I have Vista 32-bit, but the only sluggishness I notice is when I start a game called Loki... otherwise I cannot say I notice any slowdowns.
     
  21. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    JD, I have MSE installed on a 64 bit with ShadowDefender beta and it is working about as smooth as things can get. That is just my setup though.
    MSE is really going to hurt a lot of people this year, and SD 64-bit just made owning a 64-bit PC something you had to hide from your neighbors.
     
  22. JohnnyDollar

    JohnnyDollar Guest

    That is good to hear. How much RAM have you got in that PC? I have 8 GB, and according to Process Explorer the private bytes used by MSE when idle average around 135-140 MB on mine, which is no big deal to me as far as RAM goes. I have noticed, though, after installing it when the final was released, that performing some actions seems delayed and slower than when I had NOD32 installed.
     
  23. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    I have 6 GB, but you might want to encase it in SD because, for some odd reason, I find things virtualized seem to respond better. But I am weird, I leave SD in shadow mode for days before even rebooting.;)
     
  24. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    In SD, MSE is using about 74 MB. I think, so don't take me to court over it. What processes are you looking at?
     
  25. JohnnyDollar

    JohnnyDollar Guest

    MsMpEng.exe
     