Microsoft Security Essentials

Discussion in 'other anti-virus software' started by Kees1958, Aug 9, 2009.

Thread Status:
Not open for further replies.
  1. scott1256ca

    scott1256ca Registered Member

    Joined:
    Aug 18, 2009
    Posts:
    144
    I did search this thread, but don't see an answer to my question, which is
    For the realtime protection, does MSE do memory scanning?
    The 2 options I see are

    1. Monitor file and program activity on your computer
    2. Scan all downloaded files and attachements.

    Both of those can be accomplished without scanning memory, depending on what is included in those activities.

    Thanks
     
  2. FRug

    FRug Registered Member

    Joined:
    Feb 7, 2006
    Posts:
    309
    No. You are wrong, this means exactly that neither HTTP nor POP nor IMAP are being scanned. These are protocols that would _require_ a proxy (or a browser/mail client plugin) to be scanned.
    With 'EVERYTHING' is meant, every file saved to disk. So if you download a file manually and click 'SAVE' it will be scanned upon saving, not during transfer as a proxy would do. This means: data reaches your browser/mailclient without being scanned.
    In case of a drive-by exploit to your browser, MSE might notice the exploit when it gets saved to the cache (after the exploit already kicked in). It _may_ be able to detect files additionally downloaded by the exploit, if they get saved to disk. If the do not get saved to disk (in-memory execution), MSE will be blind.
     
  3. scott1256ca

    scott1256ca Registered Member

    Joined:
    Aug 18, 2009
    Posts:
    144
    If FRug's assertion is correct then my question, or at least my real concern is also answered.
    Please note that I am not challenging FRug's assertion, but I am waiting to see if someone else does. :)
     
  4. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    FRug's assertion is incorrect, MSE can detect files before the transfer has finished, and most of the time, before you even click save.
     
  5. hawkeen

    hawkeen Registered Member

    Joined:
    Apr 9, 2006
    Posts:
    78
    Elapsed you are correct.

    Here is quote from MSE forums.

     
    Last edited: Oct 12, 2009
  6. InfinityAz

    InfinityAz Registered Member

    Joined:
    Jul 23, 2005
    Posts:
    828
    Location:
    Arizona
    Here's the link for remove-malware.com switching to MSE.
     
  7. Hugger

    Hugger Registered Member

    Joined:
    Oct 27, 2007
    Posts:
    1,003
    Location:
    Hackensack, USA
  8. InfinityAz

    InfinityAz Registered Member

    Joined:
    Jul 23, 2005
    Posts:
    828
    Location:
    Arizona
    I would also if I was running 32-bit OS.
     
  9. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    As an Eset reseller....I even have more success cleaning clients infested PCs with MSE. Most of our SMB clients are protected by NOD Biz Edition. I see rogues/variants of fake security alerts, such as PersonalAV, make it past NOD on a regular basis now.

    Since cleaning an infected PC can take up quite a bit of time, depending on which tools you use to clean them, I've had the most success in using a combination of just MSE and MalwareBytes. Keeps things easy for me, and they've proven to do a good job in cleaning.

    It's quite light also, hardly any system impact..even on older PCs.
     
  10. Mem

    Mem Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    292
    I think FRug is correct. Change the MSE settings, by going to Default Actions and set the Severe rating to quarantine so a pop up box will show instead of immediately removing the threat. Go to eicar.org and attempt to download the eicar file without clicking save - a MSE download threat box will show up. One can click 'show details' and a larger threat action window will appear where you can click 'show details' again. Note that the item identified is listed as a file saved to the IE cache in the attachment. The file is found at that point - not with a HTTP stream analysis. If it was a stream intercept, it wouldn't be listed as a file in the Temporary Internet Files folder since Save has not yet been selected. This is on Vista SP2 x64 with IE8.
     

    Attached Files:

  11. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    I've never seen an AV finding a threat that doesn't list it in the temporary internet files folder.
     
  12. Mem

    Mem Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    292
    Well, take a look at the found item (eicar file) in the above graphic and the path to it. A first time for everything. :)
     
  13. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    I think you misinterpreted what I said ^^

    What I'm trying to say is every AV I've used will list a catch as being in the temporary internet files folder.
     
  14. as1m

    as1m Registered Member

    Joined:
    Jul 9, 2006
    Posts:
    23
    Excellent discussion and well done MS for this product.

    Right, my ques.

    Is there an exclusion option in MSE, to exclude user defined files / folders from being scanned?

    Thnx in advance.
     
  15. JohnnyDollar

    JohnnyDollar Guest

    Yes it is in the settings.
     
  16. as1m

    as1m Registered Member

    Joined:
    Jul 9, 2006
    Posts:
    23
    Thanx for the quick response.
     
  17. jmc777

    jmc777 Registered Member

    Joined:
    Aug 6, 2004
    Posts:
    244
    NOD32 does. The first result is with the web scanner disabled.

    13/10/2009 00:04:09 Real-time file system protection file C:\Users\John\AppData\Local\Opera\Opera\cache\opr03CBX probably a variant of Win32/Injector.ACC trojan cleaned by deleting - quarantined Neptune\John Event occurred on a file modified by the application: C:\Program Files (x86)\Opera\opera.exe.

    13/10/2009 00:04:35 HTTP filter file http://<snip>/sam.exe probably a variant of Win32/Injector.ACC trojan connection terminated - quarantined Neptune\John Threat was detected upon access to web by the application: C:\Program Files (x86)\Opera\opera.exe.
     
  18. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    Yeah I actually do on a few larger clients where I have a WSUS server to manage that. It's still a decent product.
     
  19. JohnnyDollar

    JohnnyDollar Guest

    Is anyone experiences any sluggishness when accessing other internall hd's?
    Or other functions such as accessing programs and features after installing MSE on Vistax64. Any sluggishness at all from anyone with Vistax64 and MSE?
     
  20. Morro

    Morro Registered Member

    Joined:
    Jul 11, 2009
    Posts:
    353
    Location:
    Netherlands
    Well i have Vista 32bit, but the only sluggishness i notice is when i start a game called Loki...otherwise i can not say i notice any slow downs.
     
  21. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    JD, I have MSE installed on a 64 bit with ShadowDefender beta and it is working about as smooth as things can get. That is just my setup though.
    MSE is really going to hurt a lot of people this year and SD 64 bit just made owning a 64 bit PC something you had to hide from your neighbors.:cautious:
     
  22. JohnnyDollar

    JohnnyDollar Guest

    That is good to hear. How much ram you got in that pc? I got 8gigs and according to process explorer the private bytes used by MSE when idle is averaging around 135-140megs on mine. Which is no big deal to me as far as ram goes. I have noticed though after installing it when the final was released, that performing some actions seem to be delayed and slower than when I had Nod32 installed.
     
  23. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    I have 6GBs, but you might want to encase it in SD because for some odd reason, I find things virtualized seem to respond better. But I am weird, I leave SD in shadowmode for days before even rebooting.;)
     
  24. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    In SD, MSE is using about 74 megs. I think, so dont take me to court over it. What processes are you looking at.
     
  25. JohnnyDollar

    JohnnyDollar Guest

    MsMpEng.exe
     

    Attached Files:

Loading...
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.