Windows Security Essentials

[Innuendo]

Every single Anti-EvilWare solution on the market today is at best (just like birth control) only 98% effective. Why? (lawyers, true) Because (sh)IT happens...and there just isn't (cycle) time to check for every little thing right down to the very last detail so everybody just picks their best rendition of hitting the high-spots and calls it good.

-Stoic Joker (October 16, 2009, 05:16 PM)

This is why I always preach running a layered defense system. Start with your router. Make sure it has a firewall & not just NAT. NAT is not a firewall or a substitute for a firewall. Run a good AV & HIPS solution. Doesn't matter if they are both integrated in one program or not, but it's good to run them. Choosing to run a software firewall isn't a bad idea, either. If something ever does make it through your defenses chances are you'll be alerted when it tries to phone home.

Take the time to run MBAM & A-Squared from time to time as insurance. As crazy as it may sound, I recommend running a good ad-blocker as well. All those banner ads and pop-ups are increasingly an attack vector into the systems of unsuspecting users.

The good ole days of when a person could just not use a resident scanner & just do an AV scan once a month to stay secure are over & it's only going to get worse.

[mwb1100]

Start with your router. Make sure it has a firewall & not just NAT. NAT is not a firewall or a substitute for a firewall.

-Innuendo (October 16, 2009, 06:11 PM)

Can you expand on this?  My understanding is that unless you configure a 'open host' or some specific port forwarding(s), incoming connections to a NAT router don't even have anywhere to go so there's nothing to do but drop them.  What is a firewall going to do above that, at least for your typical home environment where there's no reason for an incoming connection?

[Innuendo]

Can you expand on this?  My understanding is that unless you configure a 'open host' or some specific port forwarding(s), incoming connections to a NAT router don't even have anywhere to go so there's nothing to do but drop them.  What is a firewall going to do above that, at least for your typical home environment where there's no reason for an incoming connection?

-mwb1100 (October 16, 2009, 11:14 PM)

The most obvious distinction between a firewall and NAT is that a firewall can be configured to control outgoing as well as incoming connections. The other most important distinction is that firewalls (the ones that do stateful inspection) analyzes incoming packets to make sure they are what they say they are before passing them on to the destination. Most NAT implementations, however, are considerably dumber and usually just blindly send through a packet to where it's supposed to go without any analysis.

It's been some time ago, but I recall reading some tests on dumb NAT routers where a carefully crafted spoofed packet could make it through NAT allowing an attacker access to the computer behind the NAT.

For those who are really security-conscious and have data on their PCs that definitely should be protected from getting out into the real world (corporations, high profile people, etc.), these people should settle for nothing less than an ICSA-certified firewall.

[Innuendo]

This just in.....Paul Thurrot and Leo LaPorte are idiots. Cliff Evans, Microsoft UK's security chief, has stated that MSE does indeed have heuristic detection abilities. However, the way I read the article, all things are not rosy as Microsoft has implemented a procedure where MSE will study the behavior of suspicious programs, but it has to contact Microsoft's servers to check against known malware signatures. This, in my mind, seems like a design flaw as laptop users are obtaining new files all the time & they are not always in a position where they have access to the internet.

First the quote from Cliff Evans:

"MSE uses a higher amount of heuristic detection techniques than OneCare, Evans said. The software studies the behaviour of suspicious applications, then reports back to a central server to check the behaviour against that of known malware.

The Dynamic Signature Service technology uses the most recent virus definitions to check applications for risks, rather than relying on the last batch of definitions downloaded, Microsoft said.

The suite also emulates programs before they complete their execution, and looks for behaviour such as carrying out operations without user permission, Owen said. If a program is behaving suspiciously, MSE will ping the Dynamic Signature Service to see whether the program should be submitted for analysis or terminated."

And the article link:

http://news.zdnet.co...0189,39778759,00.htm

It's unknown if MSE will fall back to the current definitions downloaded to analyze if the Dynamic Signature Service server is unavailable. Personally, I'm wondering why if MSE is checking the server for "the most recent virus definitions...rather than relying on the last batch of definitions downloaded" why it doesn't just download the most recent virus definitions, do the analysis locally, and be done with it.

[Stoic Joker]

I'm wondering why if MSE is checking the server for "the most recent virus definitions...rather than relying on the last batch of definitions downloaded" why it doesn't just download the most recent virus definitions, do the analysis locally, and be done with it.

-Innuendo (October 17, 2009, 10:46 AM)

I'm guessing it's a tip of the iceburg Cloud Computing thing. ...Which is not IMO a good sign.

On the Firewall thing I've yet to see an SPI implementation in a residential class device that wasn't more trouble than it was worth (performance under load = dropped connections). Sure on the SMB and up comercial side there are some nice devices...but you'll be looking at $500+ on sale of you're lucky which is a bit steep for most folks.

[Innuendo]

I'm guessing it's a tip of the iceburg Cloud Computing thing. ...Which is not IMO a good sign.

-Stoic Joker (October 17, 2009, 02:39 PM)

When someone mentions "Cloud Computing" I always picture a dark cloud. Raining on me.    Cloud computing seems to me like a method to take away control and choice from the end users.

On the Firewall thing I've yet to see an SPI implementation in a residential class device that wasn't more trouble than it was worth (performance under load = dropped connections).

For home use I recommend people seriously look into buying a router that's capable of running one of the community-driven firmware products like DD-WRT, OpenWRT, or Tomato. They're all based on Linux which is a pretty solid foundation to build upon when it comes to firewalls, routing and such.

Sure on the SMB and up comercial side there are some nice devices...but you'll be looking at $500+ on sale of you're lucky which is a bit steep for most folks.

Yes, $500...plus who knows how much more for a support contract if you want tech support & firmware upgrades. I used to run a Cisco router here at the house, but a few months ago I moved to a Linksys WRT610N w/ DD-WRT firmware and haven't looked back. I've got all the features my old Cisco had, but on a faster platform that's easier to manage and configure.

[IainB]

On the 1st October 2009, I deinstalled AVG (which I had installed some time ago, on my son's advice) and installed WSE (Microsoft's Windows Security Essentials virus/spyware detection program) - just to try it out. It didn't seem too obtrusive.

The other day, I noticed that the WSE tool had been sitting on 50% CPU of my Centrino Duo for several minutes at a time, making the CPU overheat and the fan come on full. (MsMpEng.exe is the AntiMalware Service Executable.) AVG never did that.

So, yesterday I decided to de-install WSE and install AVG again or Avast 9 FREE virus checker. However, before deinstalling WSE I just checked its log.

Surprise, surprise. Seems that WSE had quietly found, identified and removed two "severe" viruses:
    * BrowserModifier Win32-Hijacker.A
    * TrojanDownloader-ASX-Wimad.BD

These were in files that had been sitting around on my hard drive for some time - and yet AVG had never found them.

So I decided against deinstalling WSE, meaning that AVG will have to wait.

Today, before I went out shopping, I started a full disk scan with WSE. It took about 5hrs to complete and it identified 3 more viruses/malwares and removed/quarantined them. This was in files that had been around for a while and which AVG had evidently missed.

I even downloaded again one infected installer file for Unlocker, just to double check. I was curious as to  whether that downloaded file had the virus in it, or whether the virus had been somehow put into it after the file had arrived at my laptop. Well, it was corrupted on download.

Looks like the "more well-known anti-virus companies" - including AVG - might be asleep on the job. Kudos to M/soft on this one.

[f0dder]

Looks like the "more well-known anti-virus companies" - including AVG - might be asleep on the job. Kudos to M/soft on this one.

-IainB (October 18, 2009, 10:03 AM)

Or perhaps WSE suffering form false positives?

[Bamse]

False what?   Is this one http://www.microsoft...ThreatID=-2147338578 I think "severe" category is a bit hefty. Malwarebytes dont like it too though. Besides A-squared, ESET, Norman I dont think anyone cares. "without user consent" is probably the trigger.

IainB, you should change default actions to "Quarantine" from "Recommended" and untick box beneath with "apply recommended actions:...". Go to Settings, Default actions. Is safe and you get option of allowing and chance to know what is going on. First 2 categories (I think, definitely "Severe") are just swept away so if you don't sit at computer you will never know since action is automated. At least untick box so you become the decider, they see that as a security risk File becomes "suspended" and untouchable until you have made up mind. You are not supposed to care, doubt, know but some day it might come in handy not to trust program. Will probably not delete system files but who knows. Unless you check history tab regularly you dont know what MSE has been doing. You might hear cpu fan go off because computer is working hard some minutes but that is it.MSE developers must be brave men because setup can potentially go very wrong  

There is a new AVG out btw. Now has "basic" rootkit protection but not "advanced" Difference is ? The one you used has zero. Not the most interesting infection to get. I read email protection is non working, like in not at all. Speaking of bugs in security software, never stops. If tired of MSE Avast will soon release a new version as well. Looks very promising, news are Behavior shield and I think also much more ip blocking like Malwarebytes. Practically a new program compared to old version 4.

[Innuendo]

Or perhaps WSE suffering form false positives?

-f0dder (October 18, 2009, 10:22 AM)

Yes, I wish Iain had uploaded the files to VirusTotal before deleting them, but I can totally understand his "get these files off my PC *NOW*!" reaction.

[IainB]

Thanks for the feedback on my post.
@f0dder: I went to M/soft virus Encyclopedia and looked at those "viruses" detected by MSE. None of them seemed to be false positives, though they were not too nasty-looking.
e.g. http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanClicker%3AWin32%2FYabector.gen&ThreatID=-2147338578

As @Bamse ponted out - "without user consent" would be the trigger, or "Potentially harmful or otherwise unwanted" as I think M/soft describe it.

Mind you "unwanted" could include Adware, M/soft Windows Genuine Advantage and all those annoying and unnecessary plugins (e.g., DRM and Windows Media Player plugins) that M/soft has been quietly forcing into Firefox without telling you, every time you run Windows Update. One of those plugins Mozilla now blocks as it introduces a security risk and destabilises Firefox performance.   

@Bamse: Thanks for the advice - I have taken it and have changed the default actions in MSE to "Quarantine" from "Recommended" and unticked the box beneath for "apply recommended actions:...".

@Innuendo: I had not known of VirusTotal before now, thankyou. I shall use that in future now that I have set MSE actions all to "Quarantine". Actually, the file containing one of the viruses (I forget which one) found by MSE was uploaded to M/soft - the program requested permission to do so first, and I gave it. I also sent an email to the author of Unlocker with a snapshot of the MSE details screen describing the Trojan that MSE had found in the Unlocker install file.

I generally mistrust M/soft as they are a perfect example of a corporate psychopath (per the film "The Corporation") and I therefore use their software with well-advised caution. I try to control that software by, for example, stopping it from "phoning home" in ZoneAlarm. When you see how M/soft have forced those Firefox plugins on you, it speaks volumes about their motivation and shows their deliberate intention to put their needs/desires first and their often crass disregard for the needs of the customer/victim.   

[Innuendo]

Thanks for the feedback on my post.
@f0dder: I went to M/soft virus Encyclopedia and looked at those "viruses" detected by MSE. None of them seemed to be false positives, though they were not too nasty-looking.

-IainB (October 18, 2009, 05:22 PM)

I think F0dder's point wasn't how nasty-looking they were but MSE might have though the virus code was in those files when in reality there might have been nothing there. Every AV program has a false detection like that once in a while. Nobody & nothing is perfect, after all...

[Bamse]

That is true http://www.virustota...af6cda647-1255977409

4 hours later perfect again http://www.virustota...af6cda647-1256013326

[IainB]

@Innuendo:

Yes, I wish Iain had uploaded the files to VirusTotal before deleting them, but I can totally understand his "get these files off my PC *NOW*!" reaction.

Anything to oblige!    As it is a long weekend here in NZ and because I am very curious about such things, I took the time to search out those infected files from my backup drive and then run them through MSE and submit them to Total Response as you had suggested.

There were 5 viruses detected by MSE:

• 1. BrowserModifier Win32-Hijacker.A in file ico_printui0008.ico ("removed" by MSE).
• 2. TrojanDownloader-ASX-Wimad.BD in a partially donloaded Frostwire file T-3410427-connected barbie.mp3 (virus in ASF_Script_Commands)  ("removed" by MSE).
• 3. TrojanClicker:Win32/Yabector.gen and TrojanClicker:Win32/Yabector.A in 2 separately obtained copies of file unlocker1.8.7.exe (quarantined by MSE).
• 4. VirTool:Win32/Obfuscator.XY in file FreeskyVideotoMPEG.exe (quarantined by MSE)
• 5. Trojan:JS/Loop in filr 1stpage2.zip (quarantined by MSE).

I was unable to locate backup copies of infected files Nos. 1 and 2, but I did have Nos. 3, 4 and 5, and I have detailed them below:

3. My copy of MSE detected TrojanClicker:Win32/Yabector.gen in my Archive copy of File unlocker1.8.7.exe
Virus Total report:
File unlocker1.8.7.exe was already a known file, received on 2009.10.24 22:11:12 (UTC)
Result: 4/41 (9.76%)
Microsoft 1.5202    2009.10.24    TrojanClicker:Win32/Yabector.gen
NOD32    4539       2009.10.24    a variant of Win32/Adware.ADON
Prevx    3.0       2009.10.25    Medium Risk Malware
VirusBuster 4.6.5.0    2009.10.24    Trojan.CL.Yabector.C

This file was downloaded from http://ccollomb.free...er/unlocker1.8.7.exe
When I downloaded a fresh copy of the same file from the same location, my copy of MSE detected TrojanClicker:Win32/Yabector.A
Virus Total report:
File unlocker1.8.7.exe received on 2009.10.25 06:19:07 (UTC)
Result: 5/41 (12.2%)
Ikarus   T3.1.1.72.0   2009.10.25   Trojan-Clicker.Win32.Yabector
Microsoft 1.5202   2009.10.25   TrojanClicker:Win32/Yabector.A
NOD32 4539      2009.10.24   a variant of Win32/Adware.ADON
Prevx   3.0      2009.10.25   Medium Risk Malware
Sunbelt   3.2.1858.2   2009.10.24   Trojan.Win32.Generic!BT

Firefox did not block or give any cautions for http://ccollomb.free.fr/unlocker/
_____________________________________

4. My copy of MSE detected: VirTool:Win32/Obfuscator.XY in file FreeskyVideotoMPEG.exe
Virus Total report:
File FreeskyVideotoMPEG.exe received on 2009.10.24 22:03:46 (UTC)
Result: 2/41 (4.88%)
Kaspersky   7.0.0.125   2009.10.24   Packed.Win32.Black.d
Microsoft   1.5202      2009.10.24   VirTool:Win32/Obfuscator.XY

This file was downloaded from www.freeskyvideo.com.
When I browsed to the FreeskyVideotoMPEG link, Firefox blocked www.freeskyvideo.com and told me it is a "reported attack site".
_____________________________________
5. My copy of MSE detected: Trojan:JS/Loop in filr 1stpage2.zip
Virus Total report:
File 1stpage2.zip was already a known file, received on 2009.08.22 12:13:58 (UTC)
Result: 5/41 (12.20%)
Contained viruses:
BitDefender    7.2    2009.08.22    JS.Trojan.Winbomb.F
F-Prot    4.4.4.56    2009.08.21    File is damaged
GData    19       2009.08.22    JS.Trojan.Winbomb.F
Microsoft    1.4903    2009.08.22    Trojan:JS/Loop
Panda    10.0.0.14    2009.08.22    Generic Trojan

This file was downloaded from http://www.evrsoft.com and is for setting up a program called "1st Page 2000".
Currently, this file is advertised as being available from http://www.evrsoft.com, but neither the download function nor any mirrors seem to work for that file.
Firefox did not block or give any cautions for http://www.evrsoft.com.
_____________________________________

Hope this information helps or is of use. I think it shows that MSE seems to be doing its job quite well.

[Innuendo]

I think it shows that MSE seems to be doing its job quite well.

-IainB (October 25, 2009, 02:22 AM)

Microsoft has already started beta-testing the next version & already has a new version out to testers. It appears they are very serious about improving MSE. I can't wait to see how the next release performs.

EDIT: Oh! And thanks for digging out those files for us, Iain. I know that had to be a pain to do.

[Carol Haynes]

When I downloaded a fresh copy of the same file from the same location, my copy of MSE detected TrojanClicker:Win32/Yabector.A
Virus Total report:
File unlocker1.8.7.exe received on 2009.10.25 06:19:07 (UTC)
Result: 5/41 (12.2%)
Ikarus   T3.1.1.72.0   2009.10.25   Trojan-Clicker.Win32.Yabector
Microsoft 1.5202   2009.10.25   TrojanClicker:Win32/Yabector.A
NOD32 4539      2009.10.24   a variant of Win32/Adware.ADON
Prevx   3.0      2009.10.25   Medium Risk Malware
Sunbelt   3.2.1858.2   2009.10.24   Trojan.Win32.Generic!BT

-IainB (October 25, 2009, 02:22 AM)

Strange - I am running NOD32 build 4541 (and have run all previous builds since version 2) and it doesn't object to unlocker at all (and never has). I am also running AVAST on other computers and again no objection. Unlocker runs in the background on my system all the time and I use it often. Having said that a manual scan of the installer by NOD32 now flags up a 'potentially unwanted' and 'variant of ...' which suggests that it is using heuristics catch rather than an actual known trojan.

If you look at the changelog you can see:

Unlocker 1.8.7 - 01/05/2008

- Fixed bug: Unlocker should not create event logs anymore.
- Fixed bug: Unlocker should not take minutes to close on certain configurations anymore.
- Fixed bug: Unlocker should not lock DLLs not used by Unlocker anymore.
- Fixed bug: Fixed potential driver bug.
- Fixed bug: Miscellaneous handle leaks.
- Improved behavior: Improved deleting/renaming/moving files such as C:\WINDOWS\system32\Macromed\Flash\Flash9e.ocx for example.
- Improved behavior: When right-clicking files or folders and selecting Unlocker, those are automatically deselected. It helps with movie files and removable drives.
- Improved UI: Icon looks correct now on Windows Vista
- Promotional feature: Added fully optional shortcuts to eBay during the installation. Simply untick "eBay shortcuts" in the choose components page during install if you do not wish to have those.

(my emphasis).

The file causing problems is an ebay_shortcuts file whis is copied to the application folder but not executed if you opt-out during installation.

Unlocker itself doesn't have any problems with AV products - it is just the promotional add-on they have stupidly chosen to include.

If you are unhappy with this simply uninstall Unlocker and remove the Program Files\Unlocker folder

If you didn't opt-out you can use the following to clean up any unwanted crap (cut and paste into a text file and save with a .BAT extension then run it from a command prompt or download it from the attached ZIP file):

[Select]

#From http://www.msfn.org/board/lofiversion/index.php/t116627.html
start /wait unlocker1.8.7.exe /S
ping -n 2 127.0.0.1 > nul
DEL /F /Q "%ProgramFiles%\Unlocker\eBay_shortcuts_1016.exe"
DEL /F /Q "%UserProfile%\Application Data\Desktopicon\eBayShortcuts.exe"
DEL /F /Q "%UserProfile%\Desktop\eBay.lnk"
DEL /F /Q "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\eBay.lnk"
DEL /F /Q "%UserProfile%\Start Menu\eBay.lnk"
REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v UnlockerAssistant /f

If you want to use unlocker without the money making add-on download version 1.8.5 from:

http://ccollomb.free...ld/unlocker1.8.5.exe

which doesn't contain the eBay bits.

[IainB]

@Innuendo:
Thanks for the appreciation of effort. Yes, it was very tedious - doing what I did - but I reckon I benefited from it: as can often happen when you take the time to investigate and analyse something in detail, the result can be an increase in knowledge of the thing being studied.

@Carol Haynes:
What you say is interesting, and, if you had installed Unlocker from the version 1.8.7 installer, then I can offer no explanation as to why your copy of NOD32 did not detect it in the installer file, as per the VirusTotal report. Curious, that.

I would just like to clarify/confirm that Unlocker.exe is not the problem file. I have Unlocker running as a shell all the time too, and MSE never objects to it. MSE only detected the Trojan Yebector.gen and .A in the two separate installer files. Thanks for emboldening the bit about the change log - I had not read that. In any event, as I wrote above:

I also sent an email to the author of Unlocker with a snapshot of the MSE details screen describing the Trojan that MSE had found in the Unlocker install file.

Nice work in detailing how to decrap the installer file containing the eBay Trojan bits. I won't bother doing that, having just deleted the installer file, and I wouldn't recommend going back a version step to Unlocker v1.8.5 either, since v1.8.7 evidently has some bugfixes, according to the change log that you pasted above.

The thing here is that, as you say:

...it is just the promotional add-on they have stupidly chosen to include.

(My emphasis.)

[IainB]

Just an update on the Unlocker install file.
The author told me he had fixed the problem and put up v1.8.8, but when I downloaded it, MSE reported that "unlocker1.8.8.exe" contains TrojanClicker:Win32/Yabector.A

I politely suggested to him that "Maybe embedding the eBay component was not such a good idea."

[Bett]

no,it's really free?

[IainB]

Correction to my earlier post:

...but when I downloaded it, MSE reported that "unlocker1.8.8.exe" contains TrojanClicker:Win32/Yabector.A

I didn't read the MSE report closely enough. When I did, what it actually said was "unlocker1.8.7.exe contains TrojanClicker:Win32/Yabector.A" - i.e., it kept using the old file version name, even though I had given it v1.8.8 to analyse. I repeated this, changing the file name to "Fred" etc. each time, but always the report was for v1.8.7.

I then deleted all the quarantined references in MSE to v.1.8.7, and then gave it the v1.8.8 file to analyse again. This time, it reported that the file was v1.8.8 (which was correct) and that it had no viruses.

I think this means that I have just discovered a quirk - if not a bug - in MSE.

[Bamse]

If interested in breaking MS distribution laws new beta can be downloaded here http://cid-afe12d66a...SE/1.0.1743.0%20beta I read it is sent off to OEM partners for final test so not much of an experiment. Can't see they have changed much about cpu usage in "resident" protection. How many notice is another question. If majority does not they probably don't care too much.
 

[Innuendo]

If interested in breaking MS distribution laws new beta can be downloaded here http://cid-afe12d66a...SE/1.0.1743.0%20beta I read it is sent off to OEM partners for final test so not much of an experiment.

-Bamse (November 08, 2009, 05:51 AM)

I know someone who is an MSE beta tester & he's been running this version with no complaints so far.

[Bamse]

Yeah more of the same but I still see massive cpu usage when dealing with many or big files, particulary archives. To a "not responding" level in Total Commander when really crazy. Too aggressive and makes me think of Avast 5 options of selecting resident action on each "packer" type, including self-extracting exe-files. Ok manual scan go after all files regardless it take a bit longer than Avast or whatever, but resident roller coaster feature is annoying. I also notice even when entering desktop from a boot. Slowly, slowly. With Avast and its temp + static cache there is no noticeable delays. I dont sense MSE is a tractor, just needs regular gasonlin instead of methanol. If someone from MS said yes that might be true but 1. We actually delete/repair files without notifying user so tool must check at all times and 2. Ever wondered how few notice this or even care? - I would probably see his point.

[JavaJones]

Interesting, I've actually found MSE on my older dual core laptop to be pretty snappy, in comparison to AVG. I can't be sure there's a direct corollary, but I do find the system waking up from hibernation faster, and I find less slowdown in dealing with the massive amount of multiple-brand browser windows I tend to have open at any given time (currently 13 Chrome windows, 9 Opera windows, and something like 20 IE windows). I've only had it on a week or so now, but so far I'm very happy.

I'm also curious to try the new Avast when it comes out. I have Avast running on my media machine, another recent convert from AVG, and so far it seems fine, but somehow I'm more impressed by MSE at this point. Maybe I expected less.

- Oshyan

[Bamse]

Well, except for approaching big files MSE does not seem to be consistent when doing pit stop. Most of the time it is transparent though or nobody would use it. Anyway, pic show some of the reasons why Avast feel/is lighter. Less will do but I had hoped control over resident scanning of archive files would be added in new beta. Not an easy one to ignore. Avast looks like a high tech wonder in comparison, even more options than in version 4. GUI will now sell Avast, not make people think Winamp. Should appeal members of computer forums. Need to check behavior blocker once it actually works but for now I think many will go Avast 5 once finished. Avira is annoying with updates/nags, AVG not all like/"recommend" - a little Norton story there perhaps. So important these 2 are available and foolproof in their own way.

Windows Security Essentials