Review: Microsoft Security Essentials
by Steve Ragan - Sep 29 2009, 21:30
The Tech Herald takes Microsoft Security Essentials for a spin.
Microsoft Security Essentials, formerly known as Morro, is the latest effort from Redmond to protect the masses. While the news leading up to the launch of this free security suite from Microsoft has been mixed, The Tech Herald downloaded it anyway, just to see if it can stand up to the hype.
Note: If you updated from the Security Essentials Beta, the final version 1.0 is exactly the same with regard to look and feel. Scan testing offered no major improvement over the previously tested results. We did notice that after updating, the main controls seemed to load faster.
Along with our written review and thoughts, we have included videos showing installation, the initial update and scanning process, a walkthrough of the software and more. Those are on page four of this review.
[Updated on 9-29-2009 1:30 p.m. EST to add notes on version 1.0.]
[Updated on 6-23-2009 7:36 p.m. EST to add video of Rogue AV test.]
Microsoft Security Essentials (MSE) is a free anti-Virus that is “cloud-based” including a basic community layer of protection called SpyNet. As it stands now, MSE will work on XP, Vista, and Windows 7. However, the basic requirements will vary for each operating system.
The Tech Herald reviewed MSE on a Windows XP system running SP3, and all current updates as of 6-23-2009. The system is a Dell with a Pentium 4 2.80 GHz CPU and 2048 MB of RAM.
For testing, the C drive on the lab system has 102 GB total space with 92.7 GB free. The G and H drives, used for testing the Full System Scan, are 97.6 GB in size each, with 81.1 GB and 84.2 GB free respectively. Before installation, the system was used to surf various sites to collect usage-related files such as temp files and, if the site was malicious, Malware. The sites visited were both legitimate commercial sites and illegal Warez-related sites.
Installing MSE is a snap. Once the software is downloaded and the installation process launched, it checks for a validated copy of Windows and downloads anti-Malware signature updates. The entire process took less than 50 seconds to complete. Once that was finished, you have the option to launch a Quick Scan of the system. This step is optional, but highly recommended.
The Quick Scan, which launched after installation, took over ten minutes (10m 38s) to complete. Not the fastest scan in the world, but not that bad either. It scanned 22,973 items in that time.
Using the Custom Scan option to scan only the C drive, MSE more than tripled its previous scanning time, completing the process in 32 minutes and 42 seconds. The Custom Scan examined 269,467 items in all. A Full System Scan was then launched, including all system partitions and registry settings. This took almost two hours to finish (1h 47m), scanning 1,285,083 files.
It’s important to note that a Quick Scan will scan sensitive areas of the C drive only. The Custom Scan was set to scan the C drive as well. However, the Custom Scan took a deeper look at the drive. During the Custom Scan, this deeper look led to the discovery of Adware that was missed during the Quick Scan.
By default, a Full System Scan will scan all of the partitioned drives on the system, plus the registry. This scan will always take longer. The reason that the Full System Scan took as long as it did had more to do with the number of archives (Zip, Gzip, RAR, ISO, etc.), and sheer file volume, than it did with the scanning engine. This deep scan also detected two Trojans and one piece of Spyware. However, it did flag an archive with the RealVNC.exe as a Medium risk.
This is not an excuse for such a long scan, as other applications have gone much faster, but it does explain the reason. You can use the settings within MSE to limit the file types scanned, as well as how deep the scans go. This will improve scan times, but during our review all software settings remained at default levels.
When it comes to resources, we had no real issues during our test. At the same time, MSE jumped around a bit when it came to resource usage during scanning. In each of the three scan tests, MSE used various amounts of RAM and CPU. Two of MSE’s processes stood out during testing, MSMPENG and MSSECES.
For example, during the Custom Scan, MSE used 94MB of RAM on average. MSMPENG, which used 99MB of RAM at peak and 76MB of RAM on the low end, averaged 82MB while the scan was taking place. MSSECES, during the entire process, remained at 12MB usage.
During the Full Scan, MSMPENG used 129 MB of RAM at peak and 74MB of RAM on the low end, averaging 84MB of RAM usage. MSSECES, as was the case during a Custom Scan, remained at a steady 12MB of RAM usage during the entire process.
CPU usage during scanning peaked at 100 percent, but would jump around. We observed it going from 40 percent to 100 percent, down to 30 percent and then to 73 percent during the Full System Scan. The average CPU usage always remained around the low to mid 40 percent range.
When no scans were running, MSMPENG uses about 72MB of RAM (72,056K) while MSSECES lowered its RAM usage to about 5MB (5,024K). The CPU usage during this inactive period remained at 4-5 percent with the occasional spike into the teens.
Overall, MSE is easy to navigate. There are four main tabs: Home, Update, History, and Settings. The Home tab has a simple-to-read status monitor. Interestingly enough, this status monitor is an image of a monitor with Green, Orange, or Red displays to allow for quick status updates. On the lower part of the Home tab is a notice detailing the scheduled scan settings. You can launch an on-demand scan from this tab as well.
Once an issue is discovered, you will see a large Clean Computer button on the Home tab, which will clean things automatically using the settings you assign by threat level, or you can clean things by hand by selecting show details. [See 2nd video.]
The Update tab is self-explanatory: aside from the status of the AV and Spyware definitions, there is a large Update button to launch updates. The History tab will show three types of data, based on previous scans. You can view everything at once, items that have been quarantined, or items that have been allowed after they were flagged. When viewing quarantined items, you can delete them completely from the same tab if you wish; when viewing allowed items, you can remove their exemption status.
The Settings tab has the most options available. Here you can schedule scans, determine the default actions MSE should take when something is flagged, exclude file types, processes, or drive locations, as well as determine how MSE will scan archives and removable media such as USB drives.
Oddly enough, considering all of the hype from the Conficker Worm, scanning USB devices is disabled by default. Even if enabled, MSE will only scan USB drives on a Full System Scan.
Finally, the Settings tab is where you can select your membership to SpyNet.
SpyNet is Microsoft’s online community that collects information based on two levels of membership. The first is Basic, set by default, which sends information on items flagged by MSE including where the item came from, the actions you opted to take on that item once it was flagged or actions taken automatically, and if those actions were a success.
The Advanced membership in SpyNet includes everything the Basic membership includes, but with more details. That extra information includes where the item was located on the system when it was flagged, the file name, how it operates, and how it impacted your computer. Microsoft warns that personal information might end up in SpyNet submissions, but that it is not used to identify you or contact you.
The help offered by MSE is straightforward and easy to navigate. You have the option of getting help online or offline. Online is the default: clicking the word Help takes you to the Microsoft Security Essentials website, which links to traditional support or community support.
There is also a link in the help area to submit malicious samples to Microsoft. That link leads to a web form and upload area.
As discovered during the scan tests, detection in MSE is solid, and it's good to see that the Malware placed on the system during the pre-install browsing session was picked up. After MSE discovered no other infections, those results were checked against two online scanning engines, as well as Malwarebytes Anti-Malware. The secondary scanning showed the system clean.
To add to the detection tests, a password-protected Zip file with 50 samples of Malware was loaded onto the system. The samples were all from attachments in malicious email, as well as downloaded from the Internet in the form of fake codec files from video sites.
The password-protected Zip was not detected as a threat after scanning it with MSE. However, once unpacked to a folder named Infected, MSE detected and removed every sample, leaving only the folders behind.
Based on the scanning of known Malware, MSE did great on this part of the test. However, as mentioned, this was a test of 50 known samples, so failure would have been inexcusable. With that said, to double-check detection, we pointed the test system at a few malicious and newly active domains.
[Note: as of 6-23-2009 the sites listed below are active and harmful. Do not visit them.]
http //browsehistory cn/go php?id=xxxx&key=xxxxxxxxx&p=x
Once this site loaded, as you can see in the image below, the screen filled with gibberish. However, that did not stop the Trojan it serves from attempting to load. MSE flagged this and prompted us to remove it immediately.
[An interesting note, while taking the screen capture for the second image below and editing it, MSE removed the threat automatically, without waiting for us to do it on our own.]
http //cmdnet2 89 80000web com cn/admin
This site attempted to install a file that was flagged instantly with the same recommendations as the previous alert offered.
http //w-transcorp com/so399x/xxxx.php
Once loaded, this site prompted a download of a PHP file. Once the file was downloaded and executed, two versions of the Sality family of Viruses were installed on the lab system, as well as a Trojan. MSE detected all three.
The final two sites led to Malware that, once removed by MSE, required a system restart.
Based on testing, the detection offered by MSE is great for a free product. It was far better than we expected, in all honesty. Yet that does not mean it is infallible. New threats, and new methods to expose users to them, appear hourly. A little caution while surfing the Web, and good maintenance routines – like applying system patches and software updates regularly – will offer you far more protection than any AV engine or product.
Not to mention, regardless of how well MSE performs, or any other security application for that matter, it should only be counted as a single layer of protection for the computer.
Still, for a free AV product, MSE impressed us, and this is just the beta. The only downside was the slow scanning. If you can live with that, and are looking for a free security application, then Microsoft Security Essentials is a great choice.
You can download the beta online now.
Install and scanning:
[Note: The URL in the video below is live and active. It was first discovered on 6-23-2009 during a scan of honeypot logs. It delivers Rogue anti-Virus, designed to scam you out of your money and personal information. In addition, it will download and install Malware on the system. Again, DO NOT visit the URL you see in the video, as it will infect your system.]