Microsoft Security Essentials

Discussion in 'other anti-virus software' started by Kees1958, Aug 9, 2009.

Thread Status:
Not open for further replies.
  1. jmc777

    jmc777 Registered Member

    Joined:
    Aug 6, 2004
    Posts:
    244
    The most obvious answer is that MSE didn't check because it didn't think that the file was suspicious.
     
  2. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I was thinking so.
     
  3. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Cracks aren't trojans, and uploading it to VT is in no way an identifier of it to be a trojan. In most cases you can upload any harmless crack and it will be identified as a "trojan" by certain anti-virus vendors on VT.

    Microsoft submitted files are prioritized according to an automated analysis system on their side.
     
  4. thanatos_theos

    thanatos_theos Registered Member

    Joined:
    Apr 28, 2007
    Posts:
    582
    @softtouch
    I think ronjor is implying that since MSE uses the AU and BITS services you should check svchost connections during the scan? :doubt: When MSE detected something it tried to connect to a SpyNet IP. I just forgot if svchost made this connection.

    @elapsed
    softtouch said the crack he found was fake. Most cracks today I have seen are either rogue downloaders/installers or file infectors like Virut. Even MSE detects these harmless cracks you speak of as suspicious (Obfuscator) since most are packed.
     
  5. jdavis77

    jdavis77 Registered Member

    Joined:
    Jul 18, 2005
    Posts:
    9
    I was doing a little firewall shopping and downloaded the Security Software Testing Suite from www.matousec.com.


    A rather disturbing discovery was made.

    There are a bunch of test trojans in this package.

    AntiVir picked up 15 of them on a scan.

    MSE running on my X64 Win 7 box, ZERO.

    How is this possible?

    I invite you to download the test suite and see for yourself.

    http://www.matousec.com/downloads/
     
  6. bathisland

    bathisland Registered Member

    Joined:
    Jul 1, 2005
    Posts:
    85
    @jdavis77....even Nod32 with database of 11/22 did not pick up the trojans....said all 233 files were clean :|
     
  7. guest

    guest Guest

    Last edited by a moderator: Nov 23, 2009
  8. softtouch

    softtouch Registered Member

    Joined:
    Jan 31, 2006
    Posts:
    415
    Anyway, the file in question is a trojan, something with krap in the name, and still, 2 days after submitting, not detected by MSE. It's still under "Active Investigation"...

    And yes, MSE should have connected to their spynet, but did NOT. There was no connection established at all. There is something wrong with my MSE I think...


     
  9. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,926
    Location:
    Texas
  10. jdavis77

    jdavis77 Registered Member

    Joined:
    Jul 18, 2005
    Posts:
    9
    Seems impossible. Could they have whitelisted those TEST files? I mean if these programs can't pick up obvious stuff like this, what good are they on the hard ones?

    I see kaspersky also with zero hits. Very bizarre.

    Anyone have a clue what the deal is?
     
  11. lordpake

    lordpake Registered Member

    Joined:
    Aug 7, 2004
    Posts:
    563
    Location:
    Helsinki ~ European Union
    They are not the EICAR test file. Why would a vendor waste time classifying test files as malicious when there is plenty of real malicious stuff going on?
     
  12. softtouch

    softtouch Registered Member

    Joined:
    Jan 31, 2006
    Posts:
    415
    If that was related to my post, I DID submit it properly, and I DID get emails from M$.

    Now, 3 days after submission, it's confirmed by M$ as:
    TrojanDownloader:Win32/Harnig.EK, Alert Level: Severe

    3 days is a little too long in my opinion.
     
  13. jdavis77

    jdavis77 Registered Member

    Joined:
    Jul 18, 2005
    Posts:
    9
    I think you are in big trouble.
     
  14. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    They are not real trojans. Many vendors will not detect such files. It's simple as that.
     
  15. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,995
    Can't really blame av companies for not detecting these types of downloads. Otherwise they get into the business of trying to detect every single test download available.
     
  16. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    I totally disagree, like I said these files are analyzed on a priority. If you seriously think your infect 1 user trojan requires a higher priority than a rogue or fast spreading koobface variant then you need to change your outlook on the anti-virus world.
     
  17. jdavis77

    jdavis77 Registered Member

    Joined:
    Jul 18, 2005
    Posts:
    9
    Let's get this straight. You think that a test trojan, which is testing for a vulnerability, should not be picked up by a scanner?

    So the scanners are so smart they know the trojan is 'just kidding'. Aha.

    I think my whitelist idea makes a lot more sense than simply ignoring trojan code. And quite a few scanners do pick them up. I would deeply suspect a scanner that bypasses these UNLESS a whitelist is at work.
     
  18. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Does this antivirus have on-the-cloud technology? Thanks
     
  19. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Some people call it cloud, I don't.

    It's a means of collecting file information/behaviour and submitting it to Microsoft servers to improve detection algorithms. No scanning happens on their servers.
     
  20. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Thanks, this antivirus is good because it has a huge database; too bad at this moment it is not compatible with DefenseWall :)
     
  21. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    Cloud doesn't purely mean cloud scanning, it can be several things...
     
  22. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Um, I mention cloud scanning and you automatically think that I view cloud computing as a virus scanning resource? lol?

    http://en.wikipedia.org/wiki/Cloud_Computing

    This does not coincide with the description of MSE.

    Anyway, like I said in my previous post, I really don't care what you classify MSE as nor am I interested in debating it.
     
  23. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,995
    I don't have a problem if a behavior monitor or heuristics picks them up. But I could see why they don't have a signature for each and every test download unless it is just some generic.
     
  24. PunchsucKr

    PunchsucKr Registered Member

    Joined:
    Jul 29, 2009
    Posts:
    138
    Had to bump this thread since creating a new thread for what I am posting seemed a bit unneeded...

    I also had the same update issue with MSE where it would never update on its own. What I did was create a scheduled task running mpcmdrun.exe (in the MSE installation dir) with the arguments "-SignatureUpdate"... triggering it 3 times a day.. and never had the issue since. :)
    I do wish MS would come out with a concrete solution, though.
     
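The scheduled task described in the post above, written out as a batch file. This is an added example, not part of the original thread; the installation directory and the task name are assumptions to adjust for the machine in question.

```batch
@echo off
rem Added example: registers a task that runs "MpCmdRun.exe -SignatureUpdate"
rem every 8 hours (three times a day). Run from an elevated command prompt.
setlocal

rem Assumption: MSE_DIR is the MSE installation directory; adjust if different.
set "MSE_DIR=%ProgramFiles%\Microsoft Security Essentials"
rem Hypothetical task name chosen for this example.
set "TASK=MSE Signature Update"

rem Refuse to register a task that points at a missing binary.
if not exist "%MSE_DIR%\MpCmdRun.exe" (
    echo MpCmdRun.exe not found in "%MSE_DIR%" 1>&2
    exit /b 1
)

rem /SC HOURLY /MO 8 repeats every 8 hours.
rem /RU SYSTEM lets the task run when no user is logged on.
rem /F overwrites an existing task of the same name.
rem The path contains spaces, so the inner quotes are escaped as \".
schtasks /Create /TN "%TASK%" /TR "\"%MSE_DIR%\MpCmdRun.exe\" -SignatureUpdate" ^
    /SC HOURLY /MO 8 /RU SYSTEM /F
if errorlevel 1 exit /b 1

rem Trigger one run now, then list the task's status, last result and next run time.
schtasks /Run /TN "%TASK%"
schtasks /Query /TN "%TASK%" /V /FO LIST

endlocal
```

Checking the "Last Result" field in the query output after the first run confirms that the update command actually completed rather than only that the task was registered.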
  25. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,587
    Don't know if it's just my PC but I find MSE very slow to start (show in system tray) and it also seems to prevent other startup apps from starting as quickly as they used to. Even tried it with just the Windows firewall but no improvement in speed. Back to ZA and avast for me
    ellison
     