Microsoft Security Essentials 2.0.657.0 Final

Discussion in 'other anti-virus software' started by Nanobot, Dec 16, 2010.

Thread Status:
Not open for further replies.
  1. PunchsucKr

    PunchsucKr Registered Member

    Joined:
    Jul 29, 2009
    Posts:
    138
    I've added MSE v2 to my setup. Sadly, the bug on 32-bit systems where one would encounter slow scans of many exe files encountered together is still there, but I just moved all my installers to one folder I rarely access and all is going well and there's no lag whatsoever.

    It even removed a trace of some adware in some installer which I don't know how it came on my system... which was not detected previously on v1 when I used to use it.
     
  2. zip

    zip Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    359
    Location:
    Mars
    IMHO, avast! 5.1 is the lightest av.

    I use MSE 2 on my Win7x64bit system because I want to use x64 software.

    Yes, I know there's little to no advantage using x64 AVs over x32 AVs that work on x64 systems. Please excuse my vanity.

    As you can see in my sig, I use avast! on my XP SP3 x32 computer.
     
  3. element119

    element119 Registered Member

    Joined:
    Jul 14, 2008
    Posts:
    72
    Version 1 failed miserably with rootkits, hopefully V2 will be better.
     
  4. brainrb1

    brainrb1 Registered Member

    Joined:
    Mar 15, 2010
    Posts:
    491
    Miserably o_O :blink:
     
  5. element119

    element119 Registered Member

    Joined:
    Jul 14, 2008
    Posts:
    72
    I will say mostly on 32-bit Windows XP
     
  6. brainrb1

    brainrb1 Registered Member

    Joined:
    Mar 15, 2010
    Posts:
    491
    I don't use XP so can't say.... but on Vista and Win7 it has been good for me. What were some of the rootkits it failed to detect?
     
  7. Vladimyr

    Vladimyr Registered Member

    Joined:
    Feb 11, 2009
    Posts:
    461
    Location:
    Australia
    What you use is up to you but avast! 5.1 services are x64. Only the UI is 32.
     
  8. element119

    element119 Registered Member

    Joined:
    Jul 14, 2008
    Posts:
    72
    I don't use XP either, but I've seen more than a few come in with MSE installed and up to date and rootkit'd.
    The majority though have been PCs with expired Norton/McAfee.... subscriptions from when the PCs were new.
     
  9. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    404
    Location:
    France
    Limited (standard) user account = no rootkit
     
  10. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    User-mode rootkit
     
  11. Johnny123

    Johnny123 Registered Member

    Joined:
    May 4, 2006
    Posts:
    548
    Location:
    Bremen, Germany
    This blog posting keeps getting dragged out of the closet and dusted off in regular intervals. It's obvious that some marketing is involved:
    The suspense is mounting...

    Well, well, who'd have thought of that. They don't say if Prevx detects 100% of the userland rootkits around. If it doesn't, then Prevx isn't enough either. They also don't mention supplementing the LUA with a software restriction policy and no autoruns for users (like kafu.exe), but that wouldn't do anything for their bottom line.
     
  12. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    404
    Location:
    France
    From the same source:
    First: kernel. It is the first to take care about.
    Then userland
    BTW, how many userland rootkits in the wild?
     
  13. element119

    element119 Registered Member

    Joined:
    Jul 14, 2008
    Posts:
    72
    How many normal people (we are not normal) use limited accounts?
    When you buy a Windows computer from a retailer, isn't an administrative account the default setup?
     
  14. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Take it easy folks. ;)

    Sure, there is marketing behind it (the article), but not based on a lie. But, when I provided the link I didn't even think about it; the purpose was to question why people think of administrative privileges when they talk about rootkits.

    The purpose of a rootkit is to hide the malicious code. It doesn't matter whether or not it's kernel. Sure, if it can achieve such, even better (for the attacker), because it will have access to all accounts. But, if it's not possible, then what the attacker wants will still be achieved.

    Times change, and the more people using limited accounts or accounts with reduced rights, such as the default Windows Vista/7 account with UAC, then the attackers need to play where they can. If they can go further, better (for them)... otherwise, play with what you have.

    My sole intent was to show that using solely a limited user account to prevent all malware is unrealistic. Sorry, but it is.

    Initially, with the introduction of Vista, maybe. But, soon attackers had to face a new reality - Microsoft introduced a default account with reduced rights, due to UAC.

    Even if not many user-mode rootkits exist, as questioned by Lucy, the security provided by a limited account would be through obscurity, IMO.

    Because I ask: What if every Windows user was making use of limited accounts? Would you think attackers would stagnate? I wouldn't bet my money on it.

    Also, it is not a question of how many user-mode rootkits exist in the wild. The question I prefer to ask myself is: Would I ever come across such? The answer is: Most likely. The only difference is what I have in place to prevent it.

    Only using a limited account wouldn't suffice. Johnny123 mentioned SRP... Very good. But, what about those who don't have Windows versions that come with it? AppLocker the same deal. KAFU? Isn't that provided by a German magazine? How many people would know about it? I haven't heard about it in a very long time. :D

    I'd personally go for something else, including SRP/AppLocker, as Johnny123 mentioned with some other flavor.

    But, anyway, my point was to show that using just a limited user account to stop rootkits is not very realistic, because attackers also evolve; they don't stay put.
     
  15. element119

    element119 Registered Member

    Joined:
    Jul 14, 2008
    Posts:
    72
    This thread is all over the place
     
  16. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Very few people use limited accounts; actually few people use true limited accounts.

    Windows Vista/7 default account is an administrator account with reduced rights via UAC. But, not a true limited account, and UAC is not a security tool. It does create boundaries, but not to be taken under consideration to secure a system on its own.

    Heck, I even forgot that, by now, there's still an unpatched vulnerability in Windows Vista/7 that could allow malware to obtain administrative rights, even if running in a limited account. All the user has got to do is to execute the malicious code, not knowing it is malicious, and there you go, administrative rights.

    So, again folks just a LUA isn't the answer for everything.
     
  17. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,491
    I don't run in LUA and have never tried it :D
     
  18. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Person A: Uses limited user account
    Person B: Uses administrator account
    Person A: Understands nothing of Windows system security
    Person B: Understands Windows system security
    Person A: Happy clicker
    Person B: Conscious clicker

    Who's at risk? ;) It's not just the tools, but also who uses them. :) :thumb:
     
  19. Johnny123

    Johnny123 Registered Member

    Joined:
    May 4, 2006
    Posts:
    548
    Location:
    Bremen, Germany
    That depends, I would think that well-administrated corporate networks have almost everyone on a limited account. Of course there is the problem of [insert favorite crapware] that requires admin rights to run (hence "almost everyone"). What I find fascinating is the resistance to LUA right here on this forum, a security forum of all places. There's a lot of blah-blah here about layered approaches, which usually amount to lots of security applications. Seems to me that using the features provided in the OS would be your most logical first layer.

    This discussion comes up every so often and there are always these types of statements, ones like yours, or "LUA isn't a panacea", etc. This might be true, but the bottom line, and I think you'll agree, is that you're much safer running as a limited user than you are as admin.
     
  20. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,491
    Human nature, we all disagree to agree :D
     
  21. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    I don't think many people here (if anyone?) are against LUA, but merely stating it's not the "be all end all" of rootkits. I'm sure some will agree with me when I say I would rather use the functions of the OS than slow down my PC with "layers".
     
  22. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    I must say that I was very impressed with MSE 1.0 & am equally with 2.0. It was a huge change on my Vista 32 bit laptop from Norton & McAfee. The difference in performance alone was amazing after changing from heavy suites to MSE. My 64 bit desktop (Win 7) only runs MSE as a realtime AV. Everything else security-wise is at the browser end with various security extensions on SeaMonkey/Iron, which are my main browsers. I feel quite confident.
     
  23. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I fail to understand at which moment I said I was against the use of limited user accounts? On the contrary... I said people shouldn't rely solely on a limited user account against everything.

    Obviously, this doesn't mean to ditch limited user accounts; it means to harden it.

    My reaction was towards Lucy's "naked" reply

    I just tried to show that there are rootkits that install to user space. Obviously, there is a need to harden the limited user account, with "tools" like SRP/AppLocker, DEP, SEHOP, EMET...

    I never mentioned a user is less safe under a limited user account. But, I do not follow security through obscurity, and this means not to blindly trust a limited user account to stop everything.
     
  24. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    404
    Location:
    France
    The more I think about it, the more it becomes obvious in my mind:
    - Security is balanced with usability: setting up a SUA with a free anti-virus like MSE in our case should definitely be the by-default choice for everyone (there is no difference in terms of usability between UAC and SUA, except that you have to provide a password in the second case).

    In Linux, the rare anti-viruses focus on the user space, rather than the whole system, as the latter is not accessible for modification.

    This should be the same in Windows.

    To come back to userland rootkits, you all agree that there is no policy or rights management which can efficiently prevent them. And you all agree blacklist antimalwares will fail at one point or another. So if you really are paranoid (unlike moonblood, I believe that it is very unlikely that I will ever meet a userland rootkit), simply set up a SUA for banking only. And all problems are gone at once.
     
  25. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    If I remember correctly, if UAC was accidentally turned off/shut down maliciously or otherwise, you have full admin. Whereas with a LUA you don't, you simply can't run anything that requires an admin account. Wasn't this the reason behind still running a LUA?
     