Microsoft Security Essentials

Discussion in 'other anti-virus software' started by Kees1958, Aug 9, 2009.

Thread Status:
Not open for further replies.
  1. JohnnyDollar

    JohnnyDollar Guest

    That is kinda how I feel about it.
     
  2. Zimzi

    Zimzi Registered Member

    Joined:
    Jul 10, 2005
    Posts:
    289
    Good question! Please read this source, especially from post #47 onwards (pay special attention to post #50 by Rejzor and post #53 by Zombini).
     
  3. JohnnyDollar

    JohnnyDollar Guest

  4. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Again, you don't seem to understand. If there is a vulnerable exploit in a plugin, you need to run the code on the page to exploit it, to do that the page with the code needs to download to your PC where it is scanned by MSE before it's run. Again I repeat myself, you cannot run any code without it being scanned by MSE.

    You cannot magically take advantage of an exploit without running code, to do that, the code needs to be downloaded and run by your CPU. Before that happens, MSE suspends and scans it, and yes it also scans processes in memory and registry.
     
  5. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076

    (I was signed in) I really hope it's not a locale based only beta again, if so, host me up a copy somewhere :p

    I guess the beta is to fix this bug.
     
  6. nanana1

    nanana1 Frequent Poster

    Joined:
    Jun 22, 2007
    Posts:
    947
    Thanks, dude, although I knew that folder, I wanted someone who had excluded that folder to confirm that that will work. Anyway, thanks !*puppy*
     
  7. Zimzi

    Zimzi Registered Member

    Joined:
    Jul 10, 2005
    Posts:
    289
    I just quoted Vlk's explanation that some types of malware are capable of, for example, hijacking the browser NO MATTER if the malicious file is written to the hard disk. Let's read his explanation again (the source):

    When the code is downloaded and scanned by MSE it could be too late because there are exploits that can be, for example, executed directly in the memory of the browser before they are downloaded to the disk and scanned by MSE. That is the purpose of web scanners. Web scanners are a kind of "quarantine" between internet and your pc.

    Here is what another AV expert, Stefan Kurtzhals from Avira says about this issue (the source)

     
  8. Ade 1

    Ade 1 Registered Member

    Joined:
    Jun 21, 2006
    Posts:
    471
    Location:
    In The Bath
    @Zimzi & Elapsed -

    I guess you two will never agree - please let's end it there!
     
  9. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Hmm, why?


    Your quotes are assuming an on-access guard; MSE can suspend and scan files on create also. I've explained it in pretty "special - simple" terms but you cannot seem to understand. For code to be run even in the browser process it needs to be stored somewhere, anywhere, hard drive, RAM, whatever. This is how MSE is able to catch the Fake "XPA" scripts on webpages and stop them from running. I'm seriously struggling to think of a more basic way to explain this to you. Please help me out here.
     
  10. Zimzi

    Zimzi Registered Member

    Joined:
    Jul 10, 2005
    Posts:
    289
    Unfortunately I did not get an answer from you as to why Avast, Avira Premium (as opposed to the free Avira), NOD32, Kaspersky Antivirus and many others have web scanners at all. If it were true that any malicious code must be downloaded somewhere to the disk before doing any damage, the on-access scanners of these programs could detect and remove malware as well as the on-access scanner of MSE, and the web scanners would not have a purpose at all.

    Unless the MSE on-access scanner does not have features of unknown capacity which I did not find any information about.

    @ Ade 1

    I apologize and finish with further discussion about this issue.
     
  11. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Incorrect. Firstly, I never stated there was no advantage to using a web scanner, I stated there is no real need for one to stay protected. Second is my quote from earlier:

    Some would argue they don't want threats being written anywhere (web scanner). I argue I don't really care where it's written as long as it's caught, which, assuming Microsoft have detection for it (as they do heuristically for PDFs etc.), doesn't make a difference to me as I stay protected.

    If this argument is seriously bothering people that much, feel free to PM me.
     
  12. Fajo

    Fajo Registered Member

    Joined:
    Jun 13, 2008
    Posts:
    1,814
    I agree I have yet to see any good information in the last few pages. Please take it to PM as the bickering back and forth at this rate will never stop.

    Or an admin could just close it and end it here and there. :blink:
     
  13. jmc777

    jmc777 Registered Member

    Joined:
    Aug 6, 2004
    Posts:
    244
    I seem to be experiencing the automatic update problems others have been having. I installed MSE in an XP virtual machine on the 26th and haven't received any updates since the initial one (I'm hibernating the VM, so no reboots). I have some koobface samples sitting on my desktop that MSE isn't detecting via heuristics and/or sigs from the 26th, but MS have since added detection in updated sigs that are sitting on MS servers waiting to be downloaded. :ouch:
     
  14. Defcon

    Defcon Registered Member

    Joined:
    Jul 5, 2006
    Posts:
    337
    Isn't this simple to test? I'm sure there are sample sites which have malware that executes as the browser loads the page - test this against MSE and an AV that has http scanning and compare what happens. This will settle the debate.

    If in fact http scanning is needed, then competitors who do have this feature should publicise this and prove it with a test page that will bypass MSE and do something harmless like execute local code that shows a message box.
     
  15. Spiral123

    Spiral123 Registered Member

    Joined:
    Jan 10, 2007
    Posts:
    130
    There are many Metasploit exploits to try this with
     
  16. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,024
    Location:
    Christchurch, UK
    This problem and the frequency of updates is IMHO, MSE's Achilles heel.
     
  17. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
    Mine wasn't updating either for a few days. Only until I switched scheduled scanning back on, with a 'quick' scan to be performed each day and virus definitions to be checked before performing a scan. Now it seems to work.
     
  18. thanatos_theos

    thanatos_theos Registered Member

    Joined:
    Apr 28, 2007
    Posts:
    582
    A web scanner is not good only for its url blocking. Some even don't have url blocking. The web scanner caches then scans a web page first before your browser can display it (or any downloaded data/content for that matter). Thus protecting your browser from automatically accessing/triggering whatever exploit is embedded in the page and crashing it. It's like a prevention thing. The eunuch eats first before the king. :D With MSE, it allows the browser to cache the file with the exploit (and hopefully detects it :doubt:). The exploit already ran when the page was loaded! :eek: The browser has already crashed and the attacker might be already using your browser to do some remote code execution, etc. The damage was done so what's the sense of detecting a used exploit? Maybe as a sort of late warning? Take note though that some exploits don't even need to be written to disk and just execute in memory (of the browser?); so no trace. They are not like rogues avinstall123~xxx.exe that need users to actually click open/install. Although some rogue downloaders (that download the real mb-in-size installers) are now executed automatically by scripts. But not all scripts are exploits, hence the prefixes js/, exploit/js:. Some just serve as the trigger. This is just an observation on my part.

    MSE does update daily. Maybe just leave it alone like elapsed said? However I noticed that delays do sometimes occur. Maybe the newish update has not replicated yet to the server contacted by MSE.
     
  19. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Thanatos I think you just didn't read the last 2 pages of debate, the exploit cannot even be processed by your browser unless it is stored somewhere, anywhere, so it can be processed. Hence getting scanned.

    I'll just say this, It would be pretty damn useless of Microsoft to add detection of Exploits if it could even use it, don't you think?

    Here is a perfect example of detection of an exploit in a plugin that is in most browsers, shockwave flash: http://www.microsoft.com/security/p...Entry.aspx?Name=Exploit:Win32/APSB08-11.gen!A
     
  20. thanatos_theos

    thanatos_theos Registered Member

    Joined:
    Apr 28, 2007
    Posts:
    582
    Again, some exploits run without the need to be written to disk like jpeg exploits. Jpeg exploits are parsed in ram by the browser. This exploit runs in the browser even before the file with the exploit is cached. So without http scanning, MSE will only catch it after being cached (if the crashed browser can still do that) which is too late as the browser has already been compromised. I want my AV to detect the exploit before it crashes my browser or reaches my machine.

    Maybe lurking AV experts can chime in and explain this more in detail...
     
  21. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Let me make this simple for you, because it is becoming severely frustrating explaining it over and over, you are clearly not reading my posts.

     
  22. IceCube1010

    IceCube1010 Registered Member

    Joined:
    Apr 26, 2008
    Posts:
    963
    Location:
    Earth
    I've told them about this bug about 4 months ago and all I got was to report it to them, which I did. It works sometimes on a 24hr schedule and then other times you don't get updates for days. :doubt:

    Maybe this beta corrects this. It happens on both my PCs, Win XP Pro (SP3) and Vista Home (SP2).

    Ice
     
  23. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    So what about Vlk's statement that was linked somewhere around here?
     
  24. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Again I repeat myself, I was not referring only to browser cache. It is simple rules of computing, to run code you must have it stored somewhere, hence it being scanned.
     
  25. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    I guess I'm just lucky I've never experienced it, or maybe because I never use sleep on my laptop?
     