Who says MSE doesn't have heuristics??

Discussion in 'other anti-virus software' started by PunchsucKr, Mar 4, 2010.

Thread Status:
Not open for further replies.
  1. PunchsucKr

    PunchsucKr Registered Member

    Joined:
    Jul 29, 2009
    Posts:
    123
    Having read numerous posts here and elsewhere, I thought I should just post this... :p Please have a look at the screenshot attached.

    This VBS virus successfully infected me while I was on Avira Free, and it was me who sent the sample to them for detection, some months back.

    It again showed up on a pen drive and MSE detected it through its heuristics. :-*
    MSE ftw :thumb:
    (I'm in no way saying that it'll detect everything, but it's still a very good free product.)
     


  2. SIR****TMG

    SIR****TMG Registered Member

    Joined:
    May 31, 2004
    Posts:
    757
    Good Read Indeed
     
  3. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Maybe it has heuristics as outlined:

    Heuristic --> alert --> blacklist scan --> positive on family recognition ==> alert

    Because MSE could recognise it (a worm), is my guess.

    Still a good find.
     
  4. PunchsucKr

    PunchsucKr Registered Member

    Joined:
    Jul 29, 2009
    Posts:
    123
    Thanks guys

    Dunno about that, but it was good to see it detect that pesky file.
     
  5. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    Who said MSE doesn't make use of heuristic techniques? :blink:
     
  6. NAMOR

    NAMOR Registered Member

    Joined:
    May 19, 2004
    Posts:
    1,526
    Location:
    Arkham Asylum
  7. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    I was thinking this too? Did people actually think MSE was a simple blacklist program..? I thought the "CPU Spikes" some people have would have shown them that it's obviously doing deep file analysis...

    But agreed, good find anyway.
     
  8. PunchsucKr

    PunchsucKr Registered Member

    Joined:
    Jul 29, 2009
    Posts:
    123
    I've seen comments all over the place...! Even look at that thread that NAMOR posted. Funny why this is so hard to believe... :D
     
  9. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,404
    I agree, I should have taken a screenshot earlier in the week. Full scan from MSE reported all clean, but heuristics detected two severe files while browsing through some media folders.
     
  10. berng

    berng Registered Member

    Joined:
    Sep 11, 2005
    Posts:
    246
    Location:
    NJ, USA
    So says Microsoft but others don't accept Microsoft's definition of heuristics:
     
  11. emmjay

    emmjay Registered Member

    Joined:
    Jan 26, 2010
    Posts:
    880
    Location:
    Triassic
    As a newbie trying to understand good security software attributes, I find this very confusing. I have been using MSE for only a few months on a new laptop and yes, it does not update daily (sometimes 8 days have passed and nothing). This bothered me as Norton 360 on my desktop always updates as soon as definitions are available. I asked around on forums and was told that all other security AVs update as soon as new defs are available. And what else is the role of the responsible user? Scan your PC regularly to make sure the PC is not infected (update to the latest defs file prior to this activity o_O)

    Now if I read this post correctly, Microsoft is saying that everybody else has it wrong? MS have made use of heuristics in a manner that is unique and innovative. No other vendor endorses MSE's concepts because they are mired in old methodologies. The user has been trained or manipulated to believe an outdated process.

    Are other AV testing labs other than PSA responding to the MSE claim (if I have interpreted this correctly)?
     
  12. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,404
    emmjay, there is a registry tweak which will allow MSE to update a few times or more a day. Microsoft claim, however, that an update of their product might make the product not perform correctly if this 'tweak' is enabled.

    But, if you set the product to scan daily, and uncheck the setting 'start the scheduled scan only when my computer is on but not in use', MSE will update and perform a quick scan daily. (Having that feature checked delays the scan each day when the computer is either in use or off, meaning possibly several days without updates.)

    MSE settings.png

    Don't worry about the quick scan each day; it takes less than 5 minutes. Make sure you set the scan time to a time when you know your computer will be on.
     
  13. Zombini

    Zombini Registered Member

    Joined:
    Jul 11, 2006
    Posts:
    469
    I've read through the entire MSE thread, and it's still not clear to me if MSE monitors behaviors in real time and makes a GOOD/BAD decision on the fly based on these behaviors.

    It does monitor behaviors in real time but only does that to report silently to the backend. It does not have SONAR capability is my understanding.
     
  14. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,404
    Tough one to answer Zombini, as Microsoft developers say their product does make decisions based on file behaviour. Even Prevx staff above imply this.

    The original poster and I were surprised by browsing through Explorer, for example without even clicking on the target files (I was 100 files up from the two files), and a couple of seconds later malicious files were detected (these files were trojan downloaders).

    Symantec's product would be more robust against threats, and more advanced in terms of malicious file detection. I can't answer your question, but I can say I've been impressed with MSE over the past several days when downloading all sorts of rootkits/trojans and launching problem files. I was one of the more critical of this product when it came out.

    What I want to know: does 'advanced membership' to Microsoft's online community SpyNet provide better detection than basic? Advanced membership states MSE sends more information about malicious software, spyware and potentially unwanted software, including location, file names, how the software operates, and how it is impacting your computer.

    What I'm trying to get at: does this apply only to detected threats, or does advanced membership affect the way the program operates (like it seems to with Windows Defender)?
     
  15. emmjay

    emmjay Registered Member

    Joined:
    Jan 26, 2010
    Posts:
    880
    Location:
    Triassic
    Thank you Saraceno,

    I have a temp workaround setup for getting auto updates (tnx to JohnnyDollar). As a test, today I turned off the temp. workaround & set MSE as you suggested. I will see if MSE does its thing over the next week. If not I will go back to the temp fix.

    I am most concerned about this 'heuristics that nobody else understands' claim being made by MSE. This is what this thread is about. If MSE is making unsubstantiated claims, why aren't they being challenged on it?

    AV-Test.org has lobbed a salvo across their bow. I have seen nothing on this anywhere else.
     
  16. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    In an odd way, yes. It doesn't increase your detection on the spot. But sending MS data about files will obviously improve the detection in general for all MSE users. Hence why I always set it to advanced when recommending this software.
     
  17. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,404
    Thanks FD. I agree, it helps the overall product.

    emmjay, you can set the quick scan/update for an hour ahead of your current time to see if it works. It might not be right on the hour; it might be 30 minutes before. I've tested it on a few machines, some Vista, some XP, and all work now.

    IMO, I think Microsoft knows their product better than anyone else, so if they make simple claims, then they have more to lose by it not being true. Notice the recent example where people (so-called experts) claimed Windows 7 to be using a ton of resources, and that Microsoft had fooled everyone with a dud operating system; it turned out everyone had egg on their face but Microsoft.

    Sometimes developers don't want to let others know how their product works entirely. Either way, it's a solid program. It might not be as good as Kaspersky, or Symantec's paid programs, but if you look at funkydude's setup, or use MSE with a backup program or a program such as Sandboxie (or behaviour monitoring such as ThreatFire, or a firewall such as Online Armor with Run Safer on the browsers etc etc), you'll have a setup as good as or better than a paid product.

    You might try MSE and Sandboxie down the track. No slowdowns, and files are still scanned/detected while browsing sandboxed.
     
    Last edited: Mar 7, 2010
  18. emmjay

    emmjay Registered Member

    Joined:
    Jan 26, 2010
    Posts:
    880
    Location:
    Triassic
    I will give it a try on my W7 laptop & see what happens.


    ===> use MSE with a backup program or a program such as sandboxie (or behaviour monitoring such as ThreatFire, or firewall such as Online Armor with run safer on the browsers etc etc), and you'll have a setup as good or better than a paid product. You might try MSE and sandboxie down the track. No slowdowns, and files are still scanned/detected while browsing sandboxed.

    I am not familiar with these products but am willing to try stuff. I noticed that MSE stated on their forum that I should only use Windows Firewall. Other firewalls are not compatible with MSE. I was looking at Privatefirewall as an option (HIPS being a major interest) but I thought MSE might get all prickly and I would end up with a W7 brick. As a newbie I would be lost (no, devastated) if this were to happen.

    Is the firewall the real player in this scenario?

    I'll get to sandboxie and all that stuff later ... not now as I am just inching along. I must say you have been very helpful to date and I very much appreciate your assistance.
     
  19. kasperking

    kasperking Registered Member

    Joined:
    Nov 21, 2008
    Posts:
    406
    :thumb: backup as drive/image backup
    Who says other firewalls are not compatible with MSE? :D ... for they are.

    It's a very good choice.
     
  20. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    This is a pretty bad statement in my eyes. I'm sure what they meant to say is that you *might* experience compatibility issues with other firewalls, because many of them these days try to be a monster "all-in-one" and bundle some kind of malware detection, instead of sticking to their roots and being a firewall, like the Windows Firewall.

    In any case, there most definitely are firewalls that work with MSE; unfortunately, being a Windows Firewall user ever since I started using MSE, I can't help you in knowing which 3rd party firewall would work with MSE. Thankfully I'm sure someone else here on Wilders can provide us with this information.
     
  21. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,404
    funkydude is right: the more elaborate your setup, the more freezes, crashes and blue screens you should see. And a lot of firewalls are bundling other behavioural monitoring into their program; not that it's a bad thing, it just means you might get more hard drive activity, or 'clashes' between programs.

    With Sandboxie, say you download and install the free version from www.sandboxie.com.

    It will automatically put a desktop icon there for your default browser. This means you can run Opera or Firefox normally, just as you are doing now, or click on the sandboxed browser icon (a yellow diamond symbol), and your browser could download 50 trojans, and they won't bust out of the sandboxed browser.

    Once you install the free version, I recommend some basic settings below (there are plenty more, but this is adequate):

    Open up Sandboxie by double-clicking on the tray icon, and go to settings.

    sb1.png

    Add a coloured border around an application, such as a browser, so you're reminded you're in a sandboxed session.

    sb2.png

    Go to quick recovery, and add your desktop for example, as the place where you save your important files to be kept. For example, if you save a file to the desktop during a sandboxed session, once you close the browser, a prompt will ask you if you'd like to recover the file to the desktop.

    sb3.png

    I disable immediate recovery, as I don't want a 'prompt' right away asking me to recover the file/s to the desktop; I'd rather use 'quick recovery' at the end of my browsing sessions. You can also access 'quick recovery' any time through the tray icon; say you've saved 10 PDFs to the desktop and want them recovered now, just right-click on the tray icon and go to 'quick recovery'.

    sb4.png

    I enable automatically deleting the contents of my messaging program, browser, or whatever is sandboxed, once the browser/messenger is closed. Everything will be deleted (except what you saved to the desktop, where you'll receive a prompt to 'recover' the following files).

    sb5.png

    cont...
     
  22. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,404
    Cont...

    You can go to the following setting, to allow your bookmarks to be kept, while everything else will be removed.

    sb6.png

    Same thing for Internet Explorer, if that's your browser of choice. It has options for Firefox, Opera, etc.

    sb7.png

    To run 'ANY' application in the sandbox, just right-click and run sandboxed. As simple as that; that means an mp3, a PDF, files from a USB drive, an installer from the internet to see what it does, and so on. (The paid version allows you to always run certain programs/folders sandboxed.)

    sb8.png

    To recover files saved to the desktop at any time, right-click on the Sandboxie icon, and select 'quick recovery'.

    sb9.png

    You now have the option of recovering the file to the desktop, or any folder you choose.

    sb10.png

    Cont...
     
  23. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,404
    Final...

    Or if you close your browser, messenger, word processor, or whatever you're using that's sandboxed, and have saved a few files to your desktop for example (which we listed as our quick recovery location), you will see the option to recover the file/s, or delete the sandbox altogether.

    sb11.png

    Once you do the initial setup, you can browse and run any files, go to websites you wouldn't normally for fear of malicious files, knowing they won't harm your system. Anytime you feel something might have downloaded, pop-ups start appearing, you can terminate all sandboxed processes, and delete files in an instant.

    All you do, is right-click and select 'terminate all programs'. The sandbox will go from the 'speckled' yellow icon below, to 'empty' to show everything has been removed.

    sb12.png

    Try the free version; it has a short delay when right-clicking and opening a browser (the free version has this, not the paid), but use it for any Google searches to unknown places. Hope that helps. :)

    Massive apologies for another 'thread hijack'. Two in two days from me! :(
     
    Last edited: Mar 8, 2010
  24. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,404
    Just for your interest, MSE and Sandboxie work well together.

    See Chrome for example, sandboxed with blue border, and MSE intercepting a threat. Now I can allow MSE to clean the threat, or ignore MSE and just terminate the sandbox, and all would be removed. But at least I know the site I visited was definitely 'unsafe'.

    Sandboxed applications can also be identified by the 'hashes' # # in the system tray and title bar of an application.

    mse.png

    mse2.png
     
  25. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    A very thorough and well presented write up there Saraceno, well done!
     