Microsoft Security Essentials Released

Everyone...

In what I hope may be the biggest pro-security news in a LONG 
time, Microsoft's awaited "Security Essentials" 100% FREE anti-
virus & anti-spyware active filter and system scanner is now 
available for unrestricted download and use (by authentic 
Windows systems):

http://www.microsoft.com/Security_essentials/

I don't yet have much personal experience with it, but the 
reviews have, so far, been uniformly raving positive.  And
I *will* be getting extensive experience with it since it's
the first-ever A/V add-on that I plan to use.

Just an FYI heads-up.

-- 
________________________________________________________________
Steve.  Working on: GRC's DNS Benchmark utility:
        http://www.grc.com/dev/DNSBench.exe
0
Steve
9/30/2009 5:49:45 PM

"Steve Gibson" <news07_@_grc.com> wrote in message 
news:MPG.252d3a0915986f8721c6@4.79.142.203...
> Everyone...
>
> In what I hope may be the biggest pro-security news in a LONG
> time, Microsoft's awaited "Security Essentials" 100% FREE anti-
> virus & anti-spyware active filter and system scanner is now
> available for unrestricted download and use (by authentic
> Windows systems):
-----------------------

Installed it yesterday on Vista 64. No problems.

-Bob 


0
Bob
9/30/2009 6:05:49 PM
"Steve Gibson" <news07_@_grc.com> wrote in message 
news:MPG.252d3a0915986f8721c6@4.79.142.203...

....snip

> http://www.microsoft.com/Security_essentials/
>
> I don't yet have much personal experience with it, but the
> reviews have, so far, been uniformly raving positive.  And
> I *will* be getting extensive experience with it since it's
> the first-ever A/V add-on that I plan to use.
>
> Just an FYI heads-up.

I'm sure I am not the only person who immediately wondered "why?"   I presume 
there are some value-added features that make it worthwhile for you to run - 
can you tell us? Others claim it does not scan incoming email (no idea if 
that is true) but there is already a predictable backlash from other vendors 
with counter-claims...

Kerry


0
Kerry
9/30/2009 6:25:33 PM
"Kerry Liles" <kerry.removethisandoneperiod.liles@gmail.com> wrote in 
message news:ha07r8$262l$1@news.grc.com...

snip
> Others claim it does not scan incoming email (no idea if
> that is true) but there is already a predictable backlash from other 
> vendors
> with counter-claims...

I don't know about counter claims but the A/V does not
specifically scan any email at least not in the legacy manner
we are used to, MSE does claim to prevent/stop any
malware or attachment from 'executing' so sorta' moot.

How MSE will deal with infected attachments or bad email
I've yet to see, but at least with MS involved they have an
edge working with their own file system and programs.

Plus they (MS) have setup a reporting ability in the
MSE to track malware etc., this should give them
and us a better/quicker response time for updates.

'Seek and ye shall find'
NT Canuck


0
NT
9/30/2009 6:35:28 PM
The program updates the virus defs through Windows Update.

no nym wrote:
> On Wed, 30 Sep 2009 10:49:45 -0700, Steve Gibson wrote:
> 
>> Everyone...
>>
>> In what I hope may be the biggest pro-security news in a LONG 
>> time, Microsoft's awaited "Security Essentials" 100% FREE anti-
>> virus & anti-spyware active filter and system scanner is now 
>> available for unrestricted download and use (by authentic 
>> Windows systems):
> 
> Note that the first screen I saw while installing talked about turning
> on automatic updates. It also makes no secret of the fact that it
> will collect and send information to Microsoft. I did not go any
> further.  
0
John
9/30/2009 6:39:57 PM
"no nym" <temp@example.net> wrote in message 
news:ebdcfdgaz3yi.fny2rp8tmgli$.dlg@40tude.net...

> Note that the first screen I saw while installing talked about turning
> on automatic updates.

That is a 'no brainer', the program (MSE) requires updates
for both A/V database and malware database, and those
"updates" come from MS, also there's been a few 'upgrades'
already to the MSE engine.

> It also makes no secret of the fact that it
> will collect and send information to Microsoft. I did not go any
> further.

Yup, they collect data on infections...not rely on 3rd party
reports or delayed (and obscure) notifications from folks
about problems...the program doesn't do anything weird.

'Seek and ye shall find'
NT Canuck



0
NT
9/30/2009 6:43:42 PM
In article <MPG.252d3a0915986f8721c6@4.79.142.203>, news07_@_grc.com
says...
<snip>
> http://www.microsoft.com/Security_essentials/
>
> I don't yet have much personal experience with it, but the
> reviews have, so far, been uniformly raving positive.  And
> I *will* be getting extensive experience with it since it's
> the first-ever A/V add-on that I plan to use.
>
> Just an FYI heads-up.

Lots of luck with that, Steve. The way MS screws with my system
when updating makes me think using them for security is not a
good idea :-) [still on WinXP SP2]

-- 
   R. Dave Lambert
   rdavelambert@shaw.ca
   49.1367° N  122.8777° W
0
R
9/30/2009 6:44:21 PM
Steve Gibson wrote:
> Everyone...
> 
> In what I hope may be the biggest pro-security news in a LONG 
> time, Microsoft's awaited "Security Essentials" 100% FREE anti-
> virus & anti-spyware active filter and system scanner is now 
> available for unrestricted download and use (by authentic 
> Windows systems):
> 
> http://www.microsoft.com/Security_essentials/

In other words, you must have Genuine Advantage installed to get it?
0
F
9/30/2009 6:46:49 PM
On 9/30/2009 12:49 PM, Steve Gibson wrote:
> Everyone...
>
> In what I hope may be the biggest pro-security news in a LONG
> time, Microsoft's awaited "Security Essentials" 100% FREE anti-
> virus & anti-spyware active filter and system scanner is now
> available for unrestricted download and use (by authentic
> Windows systems):
>
> http://www.microsoft.com/Security_essentials/
>
> I don't yet have much personal experience with it, but the
> reviews have, so far, been uniformly raving positive.  And
> I *will* be getting extensive experience with it since it's
> the first-ever A/V add-on that I plan to use.
>
> Just an FYI heads-up.
>

I am using it on XPH SP3 without problems now, but I had to add a long 
list of exclusions for third party software and the WMI service.

I hope it lives up to the "Key Principles" listed on this page:
http://blogs.technet.com/security/archive/2009/06/23/microsoft-free-anti-malware-morro-microsoft-security-essentials-released-as-beta.aspx

Key Principles

I've talked with the product teams about their driving principles and I 
think they are spot on for what home users need:

Essential Features that are necessary to enable a safer and more trusted 
Internet experience.
 - Real-time and scan detection and cleaning
 - Live Kernel Behavior monitoring (leveraging technology acquired from 
   Komoku)
 - Improved anti-stealth functionality ("rootkit revealer" style scanning)
 - Rootkit removal
 - Standalone boot scanning (boot to a preinstall environment to scan while 
   completely inactive)
 - Frequent Dynamic Signature updates
 - Dynamic update capability (no wait for next "full signature" release)
 - Heuristics with pre-execution program emulation
 - Ability to quickly address false positives with the dynamic update 
   capability

Easy to Get, Easy to Use
 - Will be easy to find from a trusted location on microsoft.com
 - No cost, no trials or expirations
 - Smart default configurations including a dark hours update schedule
 - Daily updates

Quiet Protection
 - Lightweight design, tuned for performance
 - CPU throttling
 - Fewer interruptions: no "information only" UI, only when action is needed

Deep and Broad Research Team
 - Led by Vinny Gullotto (long time personal colleague back to our days at 
   McAfee)
 - One of the best, most experienced anti-malware research teams in the 
   industry, built up by Vinny over the past few years.  Truly, though 
   Microsoft has been in this space a short while, the team members that 
   Vinny has assembled have been helping make the Internet safer for pretty 
   much forever.
-- 
Sired, Squired, Hired, RETIRED.
0
Retired
9/30/2009 6:57:08 PM
"F.C." <nobodys@bizz.nes> wrote in message 
news:ha092t$276g$1@news.grc.com...

>> http://www.microsoft.com/Security_essentials/
>
> In other words, you must have Genuine Advantage installed to get it?

If you can get the regular Windows Updates then you should
be able to install/run the MSE program. I have WGA disabled
and it installed/works fine. You do need a genuine Windows
as it is free to MS clients not specifically 'freeware'.

Remember it takes a lot of work (and updates) to keep
any A/V running, there are few programs that are so
heavily hit by attacks or harshly reviewed as an A/V
so it's a big deal for MS to open up that umm..window.

'Seek and ye shall find'
NT Canuck


0
NT
9/30/2009 7:03:31 PM
NT Canuck wrote:
> "no nym" <temp@example.net> wrote in message 
> news:ebdcfdgaz3yi.fny2rp8tmgli$.dlg@40tude.net...
> 
>> Note that the first screen I saw while installing talked about turning
>> on automatic updates.
> 
> That is a 'no brainer', the program (MSE) requires updates
> for both A/V database and malware database, and those
> "updates" come from MS, also there's been a few 'upgrades'
> already to the MSE engine.
> 
>> It also makes no secret of the fact that it
>> will collect and send information to Microsoft. I did not go any
>> further.
> 
> Yup, they collect data on infections...not rely on 3rd party
> reports or delayed (and obscure) notifications from folks
> about problems...the program doesn't do anything weird.
> 
> 'Seek and ye shall find'
> NT Canuck
> 
I use anti-spyware and anti-virus applications, but I do not have them 
updating automatically.  I find that manual update works very well, and 
see no need for automatic updates.  I would expect any software that I 
use to have the option of getting updates manually, otherwise it would 
not stay on my computer very long.  I have had bad luck with automatic 
updates disrupting whatever tasks I was doing when they started.
0
F
9/30/2009 7:04:16 PM
Steve Gibson wrote:
> Everyone...
> 
> In what I hope may be the biggest pro-security news in a LONG 
> time, Microsoft's awaited "Security Essentials" 100% FREE anti-
> virus & anti-spyware active filter and system scanner is now 
> available for unrestricted download and use (by authentic 
> Windows systems):
> 
> http://www.microsoft.com/Security_essentials/
> 
> I don't yet have much personal experience with it, but the 
> reviews have, so far, been uniformly raving positive.  And
> I *will* be getting extensive experience with it since it's
> the first-ever A/V add-on that I plan to use.
> 
> Just an FYI heads-up.
> 
Seems to be running and peacefully co-existing with Eeye's BLINK. 
Neither one of them is screaming bloody murder about the other ... Yet.

-- 
Louis "The Lip" Bone
0
LWB
9/30/2009 7:16:13 PM
"F.C." <nobodys@bizz.nes> wrote in message 
news:ha0a3l$28i2$1@news.grc.com...

snip
> I have had bad luck with automatic updates disrupting whatever tasks I was 
> doing when they started.

The MSE will not actively update the program or database
until other 'pending' and in-operation updates/reboots have
been completed; it will notify you that it is 'waiting' for the system
to complete those actions (Windows related).

hth

'Seek and ye shall find'
NT Canuck


0
NT
9/30/2009 7:17:43 PM
"Steve Gibson" <news07_@_grc.com> wrote in message 
news:MPG.252d3a0915986f8721c6@4.79.142.203...

> http://www.microsoft.com/Security_essentials/
>
> I don't yet have much personal experience with it, but the
> reviews have, so far, been uniformly raving positive.  And
> I *will* be getting extensive experience with it since it's
> the first-ever A/V add-on that I plan to use.

A 5 page review on the MSE from PC Advisor..
<http://www.pcadvisor.co.uk/reviews/index.cfm?reviewid=117961&pn=1>
review updated on September 29, 2009

There have been afaict no 'bad' reviews on the product
other than a few quibbles over its speed (full scan)
and that could be due to the built-in 50% cpu limit
of the A/V (some actually peg the cpu locking up)
and the fact MSE will (if connected) go online for
additional info 'during the scan', or to report there
is a new malware/infection to MS.  No personal
data of any kind (MS claims) is sent or collected.

Seems to test (so far) within top ranked freeware
type A/V editions so it's a contender to watch.

'Seek and ye shall find'
NT Canuck



0
NT
9/30/2009 7:42:10 PM
"Steve Gibson" <news07_@_grc.com> wrote in message 
news:MPG.252d3a0915986f8721c6@4.79.142.203...
> <SNIPPED>
> http://www.microsoft.com/Security_essentials/
>
> I don't yet have much personal experience with it, but the
> reviews have, so far, been uniformly raving positive.  And
> I *will* be getting extensive experience with it since it's
> the first-ever A/V add-on that I plan to use.
>
> Just an FYI heads-up.
>
Yep...THX Steve for your heads-up, is already running in 32 & 64 bit Vista + 
works smoothly with SaS & MBaM with
A-squared anti trojan in real-time protection ;-)))

0
parad0X
9/30/2009 8:36:38 PM
Steve Gibson wrote:
> Everyone...
> 
> In what I hope may be the biggest pro-security news in a LONG 
> time, Microsoft's awaited "Security Essentials" 100% FREE anti-
> virus & anti-spyware active filter and system scanner is now 
> available for unrestricted download and use (by authentic 
> Windows systems):
> 
> http://www.microsoft.com/Security_essentials/
> 
> I don't yet have much personal experience with it, but the 
> reviews have, so far, been uniformly raving positive.  And
> I *will* be getting extensive experience with it since it's
> the first-ever A/V add-on that I plan to use.
> 
> Just an FYI heads-up.
> 
I like it so far. PCWORLD's testing gave it 100% for rootkit detection 
and removal. So, Comodo's suite is gone (good firewall, but lousy virus 
protection), and I'm now using Windows Firewall too (with outbound 
protection configured). :) Ian
0
Ian
9/30/2009 9:06:39 PM
In grc.news, on Wed, 30 Sep 2009 10:49:45, Steve Gibson wrote:

>Just an FYI heads-up.

Thanks, I'll give it a trial...

-- 
Jim Crowther
0
Jim
9/30/2009 10:31:26 PM
In grc.news.feedback, on Wed, 30 Sep 2009 14:25:33, Kerry Liles wrote:

>Others claim it does not scan incoming email

Thank Deity for that.  AV scanners working on incoming (and outgoing) 
email have been a major source of headache (and incidental income) for 
me.  PITA.

Oh - unless you use a HTML capable email client, in which case - I give 
up.

-- 
Jim Crowther
0
Jim
9/30/2009 10:35:23 PM

"Steve Gibson" <news07_@_grc.com> wrote in message 
news:MPG.252d3a0915986f8721c6@4.79.142.203...
> Everyone...
>
> In what I hope may be the biggest pro-security news in a LONG
> time, Microsoft's awaited "Security Essentials" 100% FREE anti-
> virus & anti-spyware active filter and system scanner is now
> available for unrestricted download and use (by authentic
> Windows systems):
>
> http://www.microsoft.com/Security_essentials/
>
> I don't yet have much personal experience with it, but the
> reviews have, so far, been uniformly raving positive.  And
> I *will* be getting extensive experience with it since it's
> the first-ever A/V add-on that I plan to use.
>
> Just an FYI heads-up.
>
> -- 
> ________________________________________________________________
> Steve.  Working on: GRC's DNS Benchmark utility:
>        http://www.grc.com/dev/DNSBench.exe

Well it is not for unrestricted download  and use by "everyone" only for 
home users and home based business.

From the EULA:
1. INSTALLATION AND USE RIGHTS.
a. Use. You may install and use any number of copies of the software on your 
devices in your household for use by people who reside there or for use in 
your home-based small business.

0
Billh
10/1/2009 1:26:55 AM
On Wed, 30 Sep 2009 14:03:31 -0500, "NT Canuck"
<remove_ntcanuck@hotmail.com> wrote:

>"F.C." <nobodys@bizz.nes> wrote in message 
>news:ha092t$276g$1@news.grc.com...
>
>>> http://www.microsoft.com/Security_essentials/
>>
>> In other words, you must have Genuine Advantage installed to get it?

Nope.

DLed fine without WGA.



0
The
10/1/2009 1:54:13 AM
NT Canuck wrote:
> "no nym" <temp@example.net> wrote in message 
> news:ebdcfdgaz3yi.fny2rp8tmgli$.dlg@40tude.net...
> 
>> Note that the first screen I saw while installing talked about turning
>> on automatic updates.
> 
> That is a 'no brainer', the program (MSE) requires updates
> for both A/V database and malware database, and those
> "updates" come from MS,

The app itself, however, can be updated manually from the UI (without requiring 
Admin privileges). For a user/administrator who does not use automatic updates, 
MSE is more of a hassle than it is worth. If I want to read about 
security/vulnerability updates before installing them, yet want automatic virus 
updates, I apparently have no way to accomplish this.

Regards,
Sam
0
Sam
10/1/2009 1:56:26 AM
"Billh" <menot@home.com> wrote in message news:ha10hc$2rue$1@news.grc.com...

> Well it is not for unrestricted download  and use by "everyone" only for 
> home users and home based business.

Yes, the 'for Personal use' is getting bigger type now (fonts).

> From the EULA 1. INSTALLATION AND USE RIGHTS.
> a. Use. You may install and use any number of copies of the software on 
> your devices in your household for use by people who reside there or for 
> use in your home-based small business.

Fact is that afaik there aren't any top listed (free or paid) A/V that
will install on commercial networks which are server managed.
ClamAV being one exception that will install on anything afaict.

I suppose the onus should be likened similar to other free type
personal A/V solutions which all state free for non-commercial.

Plus most if not all commercially (Server/workstation) available
A/V are under annual fee or contract for services, which also
places more onus as to legal concerns and liabilities. That is
a bit much to ask of any free/donated type of A/V utility.

Since the MSE does have (under the hood) an apparent
ability to grow (multiple engine viability) one might be
able to use another A/V parallel with MSE but needs testing.

'Seek and ye shall find'
NT Canuck


0
NT
10/1/2009 3:47:58 AM
"Steve Gibson" <news07_@_grc.com> wrote in message 
news:MPG.252d3a0915986f8721c6@4.79.142.203...

> In what I hope may be the biggest pro-security news in a LONG
> time, Microsoft's awaited "Security Essentials" 100% FREE anti-
> virus & anti-spyware active filter and system scanner is now
> available for unrestricted download and use (by authentic
> Windows systems):
>
> http://www.microsoft.com/Security_essentials/

Thinking a bit more about it...MSE...

I would seriously consider downloading the install program
whether you intend to use it immediately or not
(some folks with paid subscriptions and others with free
but version/time limits), since just having a backup available
these days has solved many problems regularly occurring
with folks where some virus or trojan/worm has shut down
their online ability or occluded the ability to get updates
from their installed A/V or online vendor. Not everyone
has multiple computers to use for repairing/updating the
one infected or unavailable unit.

So I'd recommend Microsoft to have some minimal 'portable'
edition (run off usb key or CD) available if possible as well
as some way to download (for portables) a current database
that could be used when off-line.
Just a thought...it's a big problem for almost everyone.

That would save a lot of folks a complete re-install, or losing
a few days' time fighting to get back online. Meanwhile Kaspersky
and a few others (McAfee etc.) have small (need to actually
find/download) removers to use offline and updated regularly
(which means having to download the latest tool) for emergencies.

By portable I mean 'stand alone', no installation required,
or a simple preconfigured off-line virus removal tool.
ie: http://www.free-av.com/en/download/3/avira_antivir_removal_tool.html

'Seek and ye shall find'
NT Canuck


0
NT
10/1/2009 4:16:28 AM
"no nym" <temp@example.net> wrote in message 
news:pvh5c09k9t8j.19h37kmrxnstd.dlg@40tude.net...

> On Wed, 30 Sep 2009 18:54:13 -0700, The Other Guy wrote:
>
>> DLed fine without WGA.
>
> And it will start to install without WGA being present.
> But since it seems to insist on turning on automatic updates, I would
> expect that one of the first such automatic updates would be WGA.

Nope, I checked and my WGA is still inactive.

> Once installed, is it possible to turn off automatic updates, or does
> MSE prevent such action ?

I dunno', these days I'm more happy about having the
patches before I run into a problem.. than about any
shortcomings with the MS update system.

> I have to praise Microsoft's recent marketing psychology. They have done
> an excellent job of shifting the blame for vulnerabilities onto their
> customers. It's now entirely the user's fault for not updating.

Somewhat correct, but if you aren't giving the info via the
A/V auto online info checker then you aren't helping MS
or others to get quickest responses for any troubles.

> But who
> created the leaky OSs in the first place ? Even Vista is turning up
> exploitable loopholes. So why would you place your trust in the company
> who created the OS to take care of your computer's security ?

Now be honest, much of that has to do with MS being forced
to allow open type architecture for other 3rd party (commercial)
vendors...and that also lets malware/junk hook same areas.

Also the public in general just don't know how or what
info is any good to explain or reproduce a problem so
MS keeps trying to make it easier to get the needed
info...otherwise I'd suspect a lot fewer, if any, exploits.

> I am sure that the gullible and hard of thinking will rush to adopt it,
> but it seems (to me) to offer little to anyone serious about securing
> their Microsoft OS.

First of all..anyone serious about securing their Microsoft OS
won't be using or installing a generic off the shelf product..
they will build/create their own iteration from or out of
one of the pre-install environments which houses the
core kernel and capabilities...then let MS know about
any 'revelations' and everyone is then on the same page.

It just isn't right to bellyache (even as I've often done)
about Microsoft or Windows and not take part when
they make an effort...or at least feed MS good info.

'Seek and ye shall find'
NT Canuck


0
NT
10/1/2009 8:59:54 AM
On Wed, 30 Sep 2009 14:06:39 -0700, Ian <1@1.com> wrote:

>Steve Gibson wrote:
>> Everyone...
>> 
>> In what I hope may be the biggest pro-security news in a LONG 
>> time, Microsoft's awaited "Security Essentials" 100% FREE anti-
>> virus & anti-spyware active filter and system scanner is now 
>> available for unrestricted download and use (by authentic 
>> Windows systems):
>> 
>> http://www.microsoft.com/Security_essentials/
>> 
>> I don't yet have much personal experience with it, but the 
>> reviews have, so far, been uniformly raving positive.  And
>> I *will* be getting extensive experience with it since it's
>> the first-ever A/V add-on that I plan to use.
>> 
>> Just an FYI heads-up.
>> 
>I like it so far. PCWORLD's testing gave it 100% for rootkit detection 
>and removal. So, Comodo's suite is gone (good firewall, but lousy virus 
>protection), and I'm now using Windows Firewall too (with outbound 
>protection configured). :) Ian

BOClean is supposedly in Comodo's package.  I looked and couldn't find
anything.  Did you ever look for it?
0
Slowered
10/1/2009 11:39:56 AM
On 9/30/2009 1:57 PM, Retired wrote:
<snip>
>
> I hope it lives up to the "Key Principles" listed on this page:
> http://blogs.technet.com/security/archive/2009/06/23/microsoft-free-anti-malware-morro-microsoft-security-essentials-released-as-beta.aspx
<snip>

Near the bottom of this thread, Joe Faulhaber [MSFT], outlines the 
behavioral monitoring features of MSE:
http://social.answers.microsoft.com/Forums/en-US/msescan/thread/5acc54c1-8459-42b3-914e-cb95b528d8b5

MSE includes several behavior monitoring features.

First, the real-time protection can detect many vulnerability exploits 
even for new previously unseen attacks.  This is a bit of a stretch from 
what you may think of as behavior, but trying to exploit a vulnerability 
is a behavior to me.  Also, the real-time protection will actually 
safely emulate software execution and can detect some malicious behavior 
before the software even runs, like killing antivirus products.

Next, there's runtime behavior monitoring (controlled by the "Monitor 
file and program activity on your computer" setting) that looks for 
malware behaviors in running programs, and reports suspicious activity 
to the local event log and to Microsoft.  MSE may get back detection 
definitions in response to these reports.  Behaviors monitored include 
things like modifying disk boot sectors, using botnet communication 
channels, and changing key operating system structures (acting like a 
"rootkit").  More monitored behaviors are being added to MSE regularly.

The other setting to scan downloaded attachments isn't really behavior 
monitoring, but is very useful - it will scan deeply in downloaded zip 
files and other archives, and allow you to stop the download if it 
contains something you don't want.

The heuristics setting from OneCare was removed...but MSE definitely 
uses them(there's just no good reason to turn them off).  I wouldn't 
call heuristics behavior monitoring, quite, though they often catch new 
malware.

Thanks for using MSE,
Joe
-- 
Sired, Squired, Hired, RETIRED.
0
Retired
10/1/2009 12:01:03 PM
[for the unabridged version, see Sam Schinke's post above]

I have Microsoft Security Essentials (MSE) set to check for
and obtain virus updates continually ... while my system's 
"Automatic Updates" wasn't changed after installing MSE. It's 
still set to "Download updates for me, but let me choose when
to install them."

Did you mean that you have Automatic Updates *completely* turned 
off?

It seems to me that "Download and notify" is a good compromise, 
especially since it's entirely possible, then, to choose what you 
want installed and what you don't.

-- 
________________________________________________________________
Steve.  Working on: GRC's DNS Benchmark utility:
        http://www.grc.com/dev/DNSBench.exe
0
Steve
10/1/2009 3:27:23 PM
On 10/1/2009 10:27 AM, Steve Gibson wrote:
> [for the unabridged version, see Sam Schinke's post above]
>
> I have Microsoft Security Essentials (MSE) set to check for
> and obtain virus updates continually ... while my system's
> "Automatic Updates" wasn't changed after installing MSE. It's
> still set to "Download updates for me, but let me choose when
> to install them."
>
> Did you mean that you have Automatic Updates *completely* turned
> off?
>
> It seems to me that "Download and notify" is a good compromise,
> especially since it's entirely possible, then, to choose what you
> want installed and what you don't.

You can also use Task Scheduler:
http://social.answers.microsoft.com/Forums/en-US/mseupdate/thread/35ce13dc-ed58-468f-a686-8f859d4c40c7
-- 
Sired, Squired, Hired, RETIRED.
0
Retired
10/1/2009 3:43:15 PM
"Steve Gibson" <news07_@_grc.com> wrote in message 
news:MPG.252d3a0915986f8721c6@4.79.142.203...

> Just an FYI heads-up.

Same back. ;)

Although from (sort of ) a competitor in A/V I found
these tested program results very comprehensive..
includes the Microsoft offering.
http://www.prevx.com/

Click on any of the bars (specific A/V) for more detail
and it gives even the missed findings by vendor.

Note' I have no experience with Prevx but included
the link/info since it's the only good A/V comparison
I've seen perhaps in years (a bit different style)..

'Seek and ye shall find'
NT Canuck


0
NT
10/1/2009 4:38:57 PM
> I don't yet have much personal experience with it, but the
> reviews have, so far, been uniformly raving positive.  And
> I *will* be getting extensive experience with it since it's
> the first-ever A/V add-on that I plan to use.

I've been into the beta and while I was at it, I also performed
some "personal tests"; previously MSE was somewhat slow
to react to new threats, I reported it and as far as I can tell MS
fixed that and it's now one of the fastest to update when some
new critter pops out ... and I hope things will remain this way :)

That said; on the "lack" side, MSE doesn't have any kind of
heuristic or behavioural/fuzzy detection engine, it only works
using signatures; on the other hand, MSE has a "modular"
design so, any 3rd party may create modules for MSE and
add features or even new scan engines

I'm currently using (ok... it's still a test even if a "live" one)
MSE on some machines and as of today I think it's a viable
choice when it comes to getting a free AV and.. for sure it's
better than any expired and un-updated or cracked version
of any other AV around <g>

As a note, it sounds like someone got hurt from the fact
that Microsoft released MSE, at least that's the idea I got
after reading this

http://community.norton.com/t5/Norton-Protection-Blog/Microsoft-Security-Essentials-Reruns-Aren-t-Just-for-TV-Anymore/ba-p/155531#A374

:)


0
ObiWan
10/1/2009 5:06:26 PM
> By portable I mean 'stand alone', no installation required,
> or a simple preconfigured off-line virus removal tool.
> ie:
http://www.free-av.com/en/download/3/avira_antivir_removal_tool.html

running from USB won't help in many cases; if the malware
got DEEP inside the system, booting the system from the
infected OS won't allow you to clean it; in such cases it's
a better idea using a bootCD

http://www.free-av.com/en/products/12/avira_antivir_rescue_system.html

so that the OS will be kept "sleeping" while the "rescue OS"
will be scanning and cleaning stuff; THEN and only THEN
one may boot the regular OS from disk and proceed with
further scanning and cleaning any leftover


0
ObiWan
10/1/2009 5:09:37 PM
"ObiWan" <sgr.20.trashsink@spamgourmet.com> wrote in message 
news:ha2nos$15nq$1@news.grc.com...

> running from USB won't help in many cases; if the malware
> got DEEP inside the system, booting the system from the
> infected OS won't allow you to clean it; in such cases it's
> a better idea using a bootCD

I myself use a homemade bootable OS CD with those
tools on it, and access to more online.
Also prefer to run the drive in slave mode off a known
good (and secure) system to clean and/or copy/test
file conditions for valid or needing replacements.
Best one (corrupted system) I found had over 4,300
infections, typically around 400 gremlins on systems
before I get called. ;)

> http://www.free-av.com/en/products/12/avira_antivir_rescue_system.html
>
> so that the OS will be kept "sleeping" while the "rescue OS"
> will be scanning and cleaning stuff; THEN and only THEN
> one may boot the regular OS from disk and proceed with
> further scanning and cleaning any leftover

Most of the infected systems I've found lately (clients)
are still running but in a 'gasping for air' sort of manner.
They all responded well to usb insert/cleanup utilities
and new A/V; it may be different attacks in your zones.

The most common ones here block downloads from
both MS (like updates/patches) and name A/V.
However those same A/V are just out of date
and responded to manually inserted databases.
Then a good manual registry scan/cleanup and
something like adaware just to nail leftovers.

If I have to there's always correcting the HDD bit
by bit but that's another topic and time consuming.
(and you get to see stuff that doesn't show in the OS)

'Seek and ye shall find'
NT Canuck


0
NT
10/1/2009 6:14:09 PM
On 10/1/2009 12:06 PM, ObiWan wrote:
<snip>
> That said; on the "lack" side, MSE doesn't have any kind of
> heuristic or behavioural/fuzzy detection engine, it only works
> using signatures; on the other hand, MSE has a "modular"
> design so, any 3rd party may create modules for MSE and
> add features or even new scan engines
<snip>

Hi ObiWan,

I posted this earlier in this thread, but it may be worth repeating:

Near the bottom of this thread, Joe Faulhaber [MSFT], outlines the 
behavioral monitoring features of MSE:
http://social.answers.microsoft.com/Forums/en-US/msescan/thread/5acc54c1-8459-42b3-914e-cb95b528d8b5

MSE includes several behavior monitoring features.

First, the real-time protection can detect many vulnerability exploits 
even for new previously unseen attacks.  This is a bit of a stretch from 
what you may think of as behavior, but trying to exploit a vulnerability 
is a behavior to me.  Also, the real-time protection will actually 
safely emulate software execution and can detect some malicious behavior 
before the software even runs, like killing antivirus products.

Next, there's runtime behavior monitoring (controlled by the "Monitor 
file and program activity on your computer" setting) that looks for 
malware behaviors in running programs, and reports suspicious activity 
to the local event log and to Microsoft.  MSE may get back detection 
definitions in response to these reports.  Behaviors monitored include 
things like modifying disk boot sectors, using botnet communication 
channels, and changing key operating system structures (acting like a 
"rootkit").  More monitored behaviors are being added to MSE regularly.

The other setting to scan downloaded attachments isn't really behavior 
monitoring, but is very useful - it will scan deeply in downloaded zip 
files and other archives, and allow you to stop the download if it 
contains something you don't want.

The heuristics setting from OneCare was removed...but MSE definitely 
uses them (there's just no good reason to turn them off).  I wouldn't 
call heuristics behavior monitoring, quite, though they often catch new 
malware.

Thanks for using MSE,
Joe
-- 
Sired, Squired, Hired, RETIRED.
0
Retired
10/1/2009 7:28:54 PM
[for the unabridged version, see ObiWan's post above]

> As a note, it sounds like someone got hurt from the fact that
> Microsoft released MSE, at least that's the idea I got after
> reading this
> 
> http://community.norton.com/t5/Norton-Protection-Blog/Microsoft-Security-Essentials-Reruns-Aren-t-Just-for-TV-Anymore/ba-p/155531#A374

Oh, of COURSE they did, and will!

I'll NEVER forget the dinner I once had with Microsoft's Brad 
Silverburg (a GREAT guy) and Brad Chase (heart of darkness).

They sat there, across from me, feeling very badly, but still 
telling me with a straight face that the new program in DOS v6.0 
-- called "ScanDisk" -- didn't do anything like what my SpinRite 
utility did and that it wouldn't cannibalize SpinRite's sales.

Yeah, uh huh ... sure.

Why, then, was the only question we ever heard after that: 
"Since I already have Microsoft's ScanDisk that came bundled
in with DOS v6.0, why do I need to buy your SpinRite??"

You can just bet your bottom dollar that all Symantec or McAfee 
will be hearing is... but, but, but... Microsoft's Security 
Essentials is FREE and it seems to work just fine.

-- 
________________________________________________________________
Steve.  Working on: GRC's DNS Benchmark utility:
        http://www.grc.com/dev/DNSBench.exe
0
Steve
10/1/2009 7:39:54 PM
On Wed, 30 Sep 2009 14:25:33 -0400, Kerry Liles wrote:

> Others claim it does not scan incoming email ...

I always disable scanning of incoming email in the regular AV applications,
anyway. Email scanning is/should be handled by the server, not the client.

-- 
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum
0
Norman
10/1/2009 7:41:56 PM
Steve,
  Are you saying that Symantec and McAfee are superior to MS Security 
Essentials?

  I don't think the Scan disk comparison is the same.  Scan disk is a file 
level utility, they don't do the same task.  Whereas Symantec AV does the 
same task as MS AV.

What am I missing?

- Brad 

0
Brad
10/1/2009 8:09:49 PM
Brad schreef:
> Steve,
>  Are you saying that Symantec and McAfee are superior to MS Security
> Essentials?
> 
>  I don't think the Scan disk comparison is the same.  Scan disk is a
> file level utility, they don't do the same task.  Whereas Symantec AV
> does the same task as MS AV.
> 
> What am I missing?

The analogy confused me too, to be honest.

-- 
Dirk Engelage
to the house of a friend the road is never long
0
Dirk
10/1/2009 9:02:45 PM
I've already installed this on my mom's Windows XP machine (remotely of 
course) and her machine is already "snappier" than when under the thumb 
of AVG.  I hope it stays that way.
0
Sable
10/1/2009 9:20:11 PM
For some reason, Brad said:

> Steve,
>   Are you saying that Symantec and McAfee are superior to MS Security
> Essentials?
> 
>   I don't think the Scan disk comparison is the same.  Scan disk is a
>   file
> level utility, they don't do the same task.  Whereas Symantec AV does
> the same task as MS AV.
> 
> What am I missing?
> 
> - Brad

Would Microsoft's introduction of IE (for free), and the flap it caused, 
be a better analogy?
I thought he was perfectly clear.

-- 
Dale Beckett
0
Dale
10/1/2009 9:47:13 PM
[for the unabridged version, see Brad's post above]

> Steve,
> Are you saying that Symantec and McAfee are superior to
> MS Security Essentials?

I don't know one way or the other which is superior ... and the 
whole point of my analogy was that it doesn't matter who's 
better.  Even the fact that the question is being asked 
demonstrates that having Microsoft giving it away for free
is a game changing event.

In my case, with SpinRite, I obviously survived, and I fully 
expect Symantec and McAfee to survive.  But there was also never 
any doubt that ScanDisk hurt SpinRite's sales dramatically ... 
just as MSE will brutally damage Symantec and McAfee.

(There are many MANY personal firewalls being sold today now 
that Windows XP finally has one that's on all the time.  Even 
though Windows XP's built in firewall is arguably inferior to 
the level of control provided by 3rd parties ... the fact that 
"it's in there and it's free" changed the market overnight.)

-- 
________________________________________________________________
Steve.  Working on: GRC's DNS Benchmark utility:
        http://www.grc.com/dev/DNSBench.exe
0
Steve
10/1/2009 10:04:21 PM
Slowered wrote:

> 
> BOClean is supposedly in Comodo's package.  I looked and couldn't find
> anything.  Did you ever look for it?

No, I didn't. I've used BOClean as a standalone in the past before. I'm 
trying to remember, wasn't BOClean an AVG product that got axed?

Ian
0
Ian
10/2/2009 1:11:48 AM
In article <ha32av$1fpd$1@news.grc.com> Brad wrote:
> 
>   I don't think the Scan disk comparison is the same.  Scan disk is a file 
> level utility, they don't do the same task.  Whereas Symantec AV does the 
> same task as MS AV.
> 
> What am I missing?
> 
SpinRite and ScanDisk were considerably less sophisticated 
when DOS v6.0 was released than either of them is today.

-- 
Alan
     The Perpetual Puzzle of Nature
< http://hermital.org/book/intro.htm >
0
hermital
10/2/2009 1:21:13 AM
Steve Gibson wrote:
> [for the unabridged version, see Sam Schinke's post above]
> 
> I have Microsoft Security Essentials (MSE) set to check for
> and obtain virus updates continually ...

How and where? MSE provides no such configuration option here.

The "Update" tab provides some information, and a big "Update" button. The only 
other update-related setting is to update prior to a scheduled scan.

[...]

Looking a bit closer today, MSE seems to have today's signatures, so something 
has changed since they went to 1.0. For a while I was getting daily WU "bubbles" 
prompting me to install important updates. Heh.

While we're on the topic, has anyone else found odd delays booting Vista since 
they installed MSE? A blank screen, with a mouse cursor, just prior to the login 
screen, is what I sometimes get. :( No HDD activity for a significant period (1 
minute at least) followed by a seemingly normal continuation of bootup.

Thunderbird also does not seem to play well with MSE's real-time scanning 
engine. When the engine is enabled, I get periods where T-bird is unresponsive. 
Usually after selecting a post to open or changing folders.

Regards,
Sam
0
Sam
10/2/2009 5:23:04 AM
>> http://community.norton.com/t5/Norton-Protection-Blog/Microsoft-Security-Essentials-Reruns-Aren-t-Just-for-TV-Anymore/ba-p/155531#A374

> Oh, of COURSE they did, and will!

heh !

> I'll NEVER forget the dinner I once had with Microsoft's Brad
> Silverburg (a GREAT guy) and Brad Chase (heart of darkness).
>
> They sat there, across from me, feeling very badly, but still
> telling me with a straight face that the new program in DOS
> v6.0 -- called "ScanDisk" -- didn't do anything like what my
> SpinRite utility did and that it wouldn't cannibalize SpinRite's
>sales.
>
> Yeah, uh huh ... sure.
>
> Why, then, was the only question we ever heard after
> that: "Since I already have Microsoft's ScanDisk that came
> bundled in with DOS v6.0, why do I need to buy your SpinRite??"

Well... scandisk was a totally different critter from spinrite; sure,
I see the point and I understand that many "Average Joes" out
there would probably ask such a question not understanding
the differences ... but then... do you really think DOS shouldn't
have the "scandisk" tool ? Or are you saying that you'd rather
have Microsoft *acquire* your scandisk ? Remember that the
MSE (and the ForeFront scanner as well) descend from the
RAV Antivirus which Microsoft *acquired* some time ago !

> You can just bet your bottom dollar that all Symantec or
> McAfee will be hearing is... but, but, but... Microsoft's Security
> Essentials is FREE and it seems to work just fine.

Well... they could say the same about Avira or AVG or Avast...
all in all I think that Microsoft did the right thing; more; the MSE
has a modular architecture, so nobody forbids other "brands"
to create additional (pay) modules to add/extend the MSE
functionalities ... as for the XP firewall reference you made in
another post in this thread; sure, there are a lot of free firewalls
around but there's also stuff which just uses the XP firewall as
a "core" and extends its functionalities adding (e.g.) outbound
and applications control; as I see it ... it's just a matter of
deciding "how to play the game" :)

Anyways... time (and users/market) will tell :)



0
ObiWan
10/2/2009 6:43:38 AM
>> running from USB won't help in many cases; if the malware
>> got DEEP inside the system, booting the system from the
>> infected OS won't allow you to clean it; in such cases it's
>> a better idea using a bootCD

> I myself use a homemade bootable OS CD with those
> tools on it, and access to more online.
> Also prefer to run the drive in slave mode off a known
> good (and secure) system to clean and/or copy/test

Hmm... it all depends on the kind of "critters" you're dealing
with; remember that even setting up an infected drive as "slave"
when scanning/checking it you may accidentally trigger some
"landmine code" (e.g. think of persistent handlers and the like)
which would then cause the system you're using to get infected
or damaged :( that's why I prefer using a bootcd; at least in
case you hit a landmine any effect will be limited to the current
session and rebooting will give back a "clean CD" (while an
USB key may get written/infected)

Also... a deep rootkit may just intercept system I/O calls at a
really LOW level, this means that you can't rely on running a
scanner from the infected OS since calls made to such a scanner
to the kernel would then be intercepted and mangled by the
malware and, most probably, the scanner won't find anything

YMMV btw


0
ObiWan
10/2/2009 6:49:14 AM
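ObiWan's point above, that a scanner run inside a rootkitted OS only sees what the rootkit's I/O hooks let it see, is the reason for scanning from a boot CD. One concrete way to put the rescue-media view to work is a cross-view comparison: take a file listing from the live OS, take another of the same volume from the boot CD, and diff them. The script below is an added illustration, not code from this thread or from any product named in it; both listings are constructed sample data (the driver images, the `sample_hidden.sys` name and the hashes computed from them are made up) standing in for a real directory walk performed from each environment.

```python
"""Cross-view comparison: a file listing taken from inside a suspect
Windows install versus one taken of the same volume from trusted rescue
media. Added example with constructed data, not code from the thread."""
import hashlib
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Entry:
    """What one view reports about a file: its size and SHA-256 of contents."""
    size: int
    sha256: str


@dataclass
class CrossViewReport:
    hidden: list = field(default_factory=list)    # in the offline view only
    phantom: list = field(default_factory=list)   # in the live view only
    tampered: list = field(default_factory=list)  # in both, contents differ


def cross_view_diff(live: dict, offline: dict) -> CrossViewReport:
    """Compare two listings of the same volume and report discrepancies.

    live    -- {path: Entry} as reported by the OS under suspicion
    offline -- {path: Entry} as read from the same volume under rescue
               media, where the suspect OS's drivers are not running
    The offline view is taken as ground truth: a path it has that the live
    view lacks was hidden from the OS; a path whose hash differs between
    the two views means the live OS returned altered contents for it.
    """
    report = CrossViewReport()
    for path in sorted(set(live) | set(offline)):
        lv, ov = live.get(path), offline.get(path)
        if lv is None:
            report.hidden.append(path)
        elif ov is None:
            report.phantom.append(path)
        elif lv != ov:
            report.tampered.append(path)
    return report


def _entry(data: bytes) -> Entry:
    return Entry(len(data), hashlib.sha256(data).hexdigest())


# Constructed sample contents standing in for real file images.
CLEAN_DRIVER = b"MZ... clean driver image (constructed)"
PATCHED_DRIVER = b"MZ... driver image with a hook patched in (constructed)"
DROPPED = b"dropped component the rootkit hides (constructed)"
NOTEPAD = b"MZ... untouched program (constructed)"

DISK_SYS = r"C:\Windows\System32\drivers\disk.sys"
HIDDEN_SYS = r"C:\Windows\System32\drivers\sample_hidden.sys"  # hypothetical
NOTEPAD_EXE = r"C:\Windows\notepad.exe"

# Offline view: what is really on disk, read under the rescue media.
OFFLINE_VIEW = {
    DISK_SYS: _entry(PATCHED_DRIVER),
    HIDDEN_SYS: _entry(DROPPED),
    NOTEPAD_EXE: _entry(NOTEPAD),
}

# Live view: what the suspect OS reports. The hook hides the dropped file
# and serves clean bytes for the patched driver, so an in-OS scan sees nothing.
LIVE_VIEW = {
    DISK_SYS: _entry(CLEAN_DRIVER),
    NOTEPAD_EXE: _entry(NOTEPAD),
}


def demo_report() -> CrossViewReport:
    return cross_view_diff(LIVE_VIEW, OFFLINE_VIEW)


if __name__ == "__main__":
    r = demo_report()
    print("hidden from live OS :", r.hidden)
    print("contents differ     :", r.tampered)
    print("only in live view   :", r.phantom)
```

The comparison only detects what differs between the two views, so it says nothing about a rootkit that sits below both of them (firmware, or a modified boot CD); it also flags legitimate files changed between the two listings, which is why both views should be taken with the machine otherwise idle.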
"ObiWan" <sgr.20.trashsink@spamgourmet.com> wrote in message 
news:ha47pl$2d4c$1@news.grc.com...

> Hmm... it all depends on the kind of "critters" you're dealing
> with; remember that even setting up an infected drive as "slave"
> when scanning/checking it you may accidentally trigger some
> "landmine code" (e.g. think of persistent handlers and the like)
> which would then cause the system you're using to get infected

Good, then I have them and the method of contagion
corralled and waiting interrogation/remedy.

> or damaged :( that's why I prefer using a bootcd; at least in
> case you hit a landmine any effect will be limited to the current
> session and rebooting will give back a "clean CD" (while an
> USB key may get written/infected)

Don't you want to know/find the mine and not rely
on others to keep bailing your system out?

> Also... a deep rootkit may just intercept system I/O calls at a
> really LOW level, this means that you can't rely on running a
> scanner from the infected OS since calls made to such a scanner
> to the kernel would then be intercepted and mangled by the
> malware and, most probably, the scanner won't find anything

Well, then what is the problem to create/adapt a utility
to do these things you think aren't being found?
If you with all your time and effort inside programming
areas are having trouble enough to rely on outside
(and in your estimations unreliable) tools then what
about 'average joe user' and his predicament?

> YMMV btw

I don't get mileage, zero emissions engine in use.

'Seek and ye shall find'
NT Canuck




0
NT
10/2/2009 8:53:07 AM

>> when scanning/checking it you may accidentally trigger some
>> "landmine code" (e.g. think of persistent handlers and the like)
>> which would then cause the system you're using to get infected

> Good, then I have them and the method of contagion
> corralled and waiting interrogation/remedy.

hm.... seems you're underestimating such issues; remember that
a "landmine" may just crash your scanner or may destroy your
system once triggered, so it's always a good idea performing
checks from a protected environment which isn't either "writeable"
by the dangerous code or which, if affected by it may quickly
recover and then DEAL with the issue and that isn't possible
if you use a regular system and/or writable boot media

> (and in your estimations unreliable) tools then what
> about 'average joe user' and his predicament?

heh "Leave All Hope Ye That Enter" there isn't so much the
"Average Joe" can do, aside having a "1st aid" boot CD to
attempt performing boot, deep-scan and clean; the point is
that once a system is infected you can't trust it ANYMORE
so whatever you'll run on it, if "unprotected" may fall under
the control of the "infector" and, at best, won't solve any
issue at all or may even let you believe that it found stuff
and that the system is clean... while the malware just went
hiding elsewhere; sure, the system may then run smooth
(at least for a while) but I won't call it "clean" nor would
I trust such a system

While cleaning up badware in the past was relatively easy,
with current rootkits, kernel hacks and stuff it became a real
black art *really* cleaning a system... assuming one wants
to really spend time and effort doing that instead of going
for a straight "wipe and rebuild"

Bottom line; don't let them IN since you can't be sure to be
able to let them OUT after; there are some guidelines which
DO WORK like NOT running "as admin" (same goes for
unix, never run "as root") having a decent firewall (the XP one
will suffice in most cases) and a decent AV/AT and, by the
way use the BRAIN before clicking :)

Ok... gotta put sumthin' under my belt now, stomach groaning


0
ObiWan
10/2/2009 11:02:40 AM
On 10/2/2009 12:23 AM, Sam Schinke wrote:
<snip>
> Thunderbird also does not seem to play well with MSE's real-time
> scanning engine. When the engine is enabled, I get periods where T-bird
> is unresponsive. Usually after selecting a post to open or changing
> folders.
>
> Regards,
> Sam

Try adding thunderbird.exe to the excluded files and locations list.
-- 
Sired, Squired, Hired, RETIRED.
0
Retired
10/2/2009 11:27:26 AM
On 10/2/2009 6:27 AM, Retired wrote:
> On 10/2/2009 12:23 AM, Sam Schinke wrote:
> <snip>
>> Thunderbird also does not seem to play well with MSE's real-time
>> scanning engine. When the engine is enabled, I get periods where T-bird
>> is unresponsive. Usually after selecting a post to open or changing
>> folders.
>>
>> Regards,
>> Sam
>
> Try adding thunderbird.exe to the excluded files and locations list.

Also to the excluded processes list.  :)
-- 
Sired, Squired, Hired, RETIRED.
0
Retired
10/2/2009 11:33:49 AM
"ObiWan" <sgr.20.trashsink@spamgourmet.com> wrote in message 
news:ha4mkr$2nri$1@news.grc.com...

>>> when scanning/checking it you may accidentally trigger some
>>> "landmine code" (e.g. think of persistent handlers and the like)
>>> which would then cause the system you're using to get infected
>
>> Good, then I have them and the method of contagion
>> corralled and waiting interrogation/remedy.
>
> hm.... seems you're underestimating such issues;

I think you're underestimating this system, definitely
from your responses you've had or had many
problems that wouldn't or shouldn't be an issue
if properly setup or maintained.

> remember that
> a "landmine" may just crash your scanner or may destroy your
> system once triggered, so it's always a good idea performing
> checks from a protected environment which isn't either "writeable"

Well perhaps your system, which of course is a concern.

> by the dangerous code or which, if affected by it may quickly
> recover and then DEAL with the issue and that isn't possible
> if you use a regular system and/or writable boot media

One has to use normal media in order to obtain the
data and methods to create protections for those
environments used by typical setups, I can if
needed get right down to base inspection or
writing of the HDD firmware itself so I don't
see where you can sneak anything lower.

>> (and in your estimations unreliable) tools then what
>> about 'average joe user' and his predicament?
>
> heh "Leave All Hope Ye That Enter" there isn't so much the
> "Average Joe" can do, aside having a "1st aid" boot CD to
> attempt performing boot, deep-scan and clean; the point is
> that once a system is infected you can't trust it ANYMORE
> so whatever you'll run on it, if "unprotected" may fall under
> the control of the "infector" and, at best, won't solve any
> issue at all or may even let you believe that it found stuff
> and that the system is clean... while the malware just went
> hiding elsewhere; sure, the system may then run smooth
> (at least for a while) but I won't call it "clean" nor would
> I trust such a system

You again skipped the part about doing 'your part'
about the resolutions, it's not a spectator event.

> While cleaning up badware in the past was relatively easy,
> with current rootkits, kernel hacks and stuff it became a real
> black art *really* cleaning a system... assuming one wants
> to really spend time and effort doing that instead of going
> for a straight "wipe and rebuild"

Depends on experience I suppose, there is really
nothing new that I've seen over the last few decades
other than method of transport and selected targets.
Certainly none of this is or was any more difficult
than repairing electrical or physical damage to media.

> Bottom line; don't let them IN since you can't be sure to be
> able to let them OUT after; there are some guidelines which
> DO WORK like NOT running "as admin" (same goes for
> unix, never run "as root") having a decent firewall (the XP one
> will suffice in most cases) and a decent AV/AT and, by the
> way use the BRAIN before clicking :)

You are repeating previously posted errata, and not
adding any new or relevant ideas/data.

> Ok... gotta put sumthin' under my belt now, stomach groaning

Stomach must be listening to your posts. geez

'Seek and ye shall find'
NT Canuck


0
NT
10/2/2009 12:54:40 PM
> I think you're underestimating this system, definately
> from your responses you've had or had many
> problems that wouldn't or shouldn't be an issue
> if properly setup or maintained.

Uhm *I* am, you say ? Oh well... no problem, go on
that way; sooner or later maybe you'll realize what
I was discussing about <eg>

Bye


0
ObiWan
10/2/2009 1:20:44 PM
"no nym" <temp@example.net> wrote in message 
news:1k1rhqg857plz.rzsdnl8ttv5c.dlg@40tude.net...

> I haven't heard anyone mention the 'A-word' so far. Can't be far away.

Amiga didn't come with a browser. ;)

'Seek and ye shall find'
NT Canuck


0
NT
10/2/2009 3:39:12 PM
In message <ha47f5$2cr7$1@news.grc.com>, ObiWan 
<sgr.20.trashsink@spamgourmet.com> writing at 08:43:38 in his/her local 
time opines:-

>Remember that the MSE (and the ForeFront scanner as well) descend from 
>the RAV Antivirus which Microsoft *acquired* some time ago !

Yes; I just put 2 and 2 together and made 5 :-(

Running PeerBlock 1.0 (the ongoing development from the ashes of the now 
rather moribund PeerGuardian):

http://www.peerblock.com/

I found that MBAM wouldn't run because Limelight Networks Inc. was on 
the default blocklist.

And then, lo and behold, neither would MSE update, with the exact same 
name Limelight Networks Inc., albeit some slightly different IP 
addresses.

Hmm, I thought. You don't think.... ?

But then I looked up Limelight Networks on Wikipedia:

http://en.wikipedia.org/wiki/Limelight_Networks

and it seems that for what they do, Microsoft use them quite a lot.

MBAM too, it seems.

So just a coincidence after all, I guess.
-- 
Roy Brown        'Have nothing in your houses that you do not know to be
Kelmscott Ltd     useful, or believe to be beautiful'  William Morris
0
Roy
10/2/2009 7:10:04 PM
 
> http://www.peerblock.com/

hm... maybe it's cool, but I prefer other stuff, for example
this critter http://www.bothunter.net/ but btw maybe you
need something different <g>
 
> http://en.wikipedia.org/wiki/Limelight_Networks
[...]
> So just a coincidence after all, I guess.

most "big names" need some mirror system; not that they
couldn't set up their own, but since there are some around
they use them... that means that sometimes they live side
by side with nasty stuff btw <<sigh>>

0
ObiWan
10/2/2009 7:20:35 PM
In message <ha5jpm$fes$1@news.grc.com>, ObiWan 
<obiwan.try.to.spam.and.get.killed@mvps.org> writing at 21:20:35 in 
his/her local time opines:-
>
>> http://www.peerblock.com/
>
>hm... maybe it's cool, but I prefer other stuff, for example
>this critter http://www.bothunter.net/ but btw maybe you
>need something different <g>

Haven't met that one. But from reading about it, it sounds like 
something you'd use on a dedicated honey trap, rather than your everyday 
machine?

I could use WireShark, I suppose, but I just want a general idea of 
what's going where.

There is an amazing amount of traffic flowing, even when I turn off 
applications, like Skype, that do stuff like that.

I don't think any of it is unsuspected malware on this machine though.
Right now, there's a great deal of UDP traffic to 'unassigned' port 
21757; I'd love to know what that's all about.

But with PeerBlock, I can block any 'phoning home' I don't understand 
just by clicking on the entry and choosing to block it, for 15 mins, 1 
hour, or permanently.

Then I see what, if anything, stops working on my machine.

Re your <g>, I believe PeerBlock can be used to detect that nice Mr 
Mandelson of the British government, should he set up shop as a bogus 
purveyor of music downloads in order to snare those UK denizens in the 
market for such things, and take away their Internet service.

But I wouldn't know about that :-)

>
>> http://en.wikipedia.org/wiki/Limelight_Networks
>[...]
>> So just a coincidence after all, I guess.

>most "big names" need some mirror system; not that they
>couldn't set up their own, but since there are some around
>they use them... that means that sometimes they live side
>by side with nasty stuff btw <<sigh>>

PeerBlock's default blocklist seems to have some surprisingly 
respectable names on it.

-- 
Roy Brown        'Have nothing in your houses that you do not know to be
Kelmscott Ltd     useful, or believe to be beautiful'  William Morris
0
Roy
10/2/2009 9:53:40 PM
On Fri, 2 Oct 2009 20:10:04 +0100, Roy Brown
<Roy_now_free_from_spam@acanthus.demon.co.uk> wrote:


>But then I looked up Limelight Networks on Wikipedia:
>
>http://en.wikipedia.org/wiki/Limelight_Networks

Yet another example of the nonsense you find on the Net.

The company operates a global fiber-optic network that helps content
publishers avoid sending files over the busy public Internet but still
deliver them directly to end-users.

I think they deserve to be in my Hosts file.



0
The
10/2/2009 9:59:26 PM
Retired wrote:
> On 10/2/2009 12:23 AM, Sam Schinke wrote:
> <snip>
>> Thunderbird also does not seem to play well with MSE's real-time
>> scanning engine. When the engine is enabled, I get periods where T-bird
>> is unresponsive. Usually after selecting a post to open or changing
>> folders.
>>
>> Regards,
>> Sam
> 
> Try adding thunderbird.exe to the excluded files and locations list.

Curious if you meant this as a temporary experiment?

If you meant this as a permanent "fix", then I wonder why you are 
proposing turning off an important security measure on that system?  You 
believe performance should be more important than security?

--FM /)`
0
FM
10/3/2009 12:23:22 AM
In message <9rtcc5heajd1mtchn963vmmmak7mpp652f@4ax.com>, The Other Guy 
<knewskgnus@gmail.com> writing at 14:59:26 in his/her local time 
opines:-
>On Fri, 2 Oct 2009 20:10:04 +0100, Roy Brown
><Roy_now_free_from_spam@acanthus.demon.co.uk> wrote:

>>But then I looked up Limelight Networks on Wikipedia:
>>http://en.wikipedia.org/wiki/Limelight_Networks

>Yet another example of the nonsense you find on the Net..

>The company operates a global fiber-optic network that helps content
>publishers avoid sending files over the busy public Internet but still
>deliver them directly to end-users.

Yes, that made me wonder too. But taken with:

"As of December 2008, the company's network is directly connected to 
over 900 last-mile providers [3] and has over 2.5Tbps of egress 
capacity"

I guess we're supposed to think of them like uncrowded toll roads versus 
jammed-up freeways, or even spiderwebs of two-lane blacktop.

And getting the stuff there fast, to within the last few miles of 
'ordinary' roads makes sense, doesn't it?

>I think they deserve to be in my Hosts file.

Bye-bye MSE and bye-bye MBAM then.

And who knows bye-bye what else?

-- 
Roy Brown        'Have nothing in your houses that you do not know to be
Kelmscott Ltd     useful, or believe to be beautiful'  William Morris
0
Roy
10/3/2009 1:20:32 AM
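Roy's posts and The Other Guy's Hosts-file remark above describe two ways the same CDN ends up blocked, and both silently broke MSE and MBAM updates. The following is an added diagnostic, not code from PeerBlock, MSE or MBAM, that checks a set of update hostnames against a PeerBlock-style P2P blocklist and a hosts file before a range or name gets blocked. The blocklist lines, hosts-file lines and the hostname-to-address mapping are constructed samples: the thread names no real update hostnames or CDN netblocks, so example.com names and documentation prefixes stand in; in practice the mapping would come from DNS lookups taken with the blocker disabled.

```python
"""Would a hosts-file entry or a P2P-format IP blocklist stop an updater
from reaching its download hosts? Added example with constructed data."""
import ipaddress
import re

# P2P plaintext blocklist line (the PeerGuardian/PeerBlock text format):
# "<owner name>:<first ip>-<last ip>"
P2P_LINE = re.compile(
    r"^(?P<name>.+):(?P<start>\d+\.\d+\.\d+\.\d+)-(?P<end>\d+\.\d+\.\d+\.\d+)$")

# Addresses a hosts file uses to sinkhole a name.
SINKHOLE_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1"}


def parse_p2p_blocklist(text: str):
    """Parse P2P-format text into (name, first, last) IPv4 ranges.
    Blank lines and '#' comments are skipped; lines that do not match the
    format are ignored rather than aborting the whole parse."""
    ranges = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = P2P_LINE.match(line)
        if not m:
            continue
        ranges.append((m.group("name"),
                       ipaddress.IPv4Address(m.group("start")),
                       ipaddress.IPv4Address(m.group("end"))))
    return ranges


def parse_hosts(text: str):
    """Return the lower-cased hostnames a hosts file pins to a sinkhole
    address. 'localhost' is left out since it legitimately maps to 127.0.0.1."""
    sinkholed = set()
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2 or parts[0] not in SINKHOLE_ADDRESSES:
            continue
        sinkholed.update(h.lower() for h in parts[1:] if h.lower() != "localhost")
    return sinkholed


def blocking_range(ip: str, ranges):
    """Name of the first blocklist range containing ip, or None."""
    addr = ipaddress.IPv4Address(ip)
    for name, first, last in ranges:
        if first <= addr <= last:
            return name
    return None


def diagnose(resolved: dict, ranges, sinkholed: set) -> dict:
    """Map each update hostname to the reasons it would be unreachable.

    resolved -- {hostname: [ip, ...]} as returned by DNS with the blocker off
    An empty list means neither the hosts file nor the blocklist interferes.
    """
    reasons = {}
    for host, ips in resolved.items():
        found = []
        if host.lower() in sinkholed:
            found.append("sinkholed by hosts file")
        for ip in ips:
            name = blocking_range(ip, ranges)
            if name:
                found.append(f"{ip} blocked by '{name}'")
        reasons[host] = found
    return reasons


# Constructed sample data. Owner names echo the thread; the address ranges
# are documentation prefixes, not anyone's real netblocks.
SAMPLE_BLOCKLIST = """\
# constructed sample list
Limelight Networks Inc.:203.0.113.0-203.0.113.255
Limelight Networks Inc.:198.51.100.0-198.51.100.127
Some Tracker:192.0.2.0-192.0.2.255
"""

SAMPLE_HOSTS = """\
127.0.0.1 localhost
0.0.0.0 cdn.example.net  # the CDN someone put 'in their Hosts file'
"""

# Placeholder update hostnames; the thread does not name the real ones.
SAMPLE_RESOLVED = {
    "av-updates.example.com": ["203.0.113.10", "198.51.100.200"],
    "definitions.example.org": ["192.0.2.7"],
    "cdn.example.net": ["198.51.100.5"],
    "vendor-home.example.com": ["198.18.0.1"],
}


def demo() -> dict:
    ranges = parse_p2p_blocklist(SAMPLE_BLOCKLIST)
    sinkholed = parse_hosts(SAMPLE_HOSTS)
    return diagnose(SAMPLE_RESOLVED, ranges, sinkholed)


if __name__ == "__main__":
    for host, why in demo().items():
        print(f"{host}: {'reachable' if not why else '; '.join(why)}")
```

Run it before adding a CDN to a blocklist or hosts file, and again whenever an updater starts failing: the output names the exact list entry or hosts line responsible, which is quicker than toggling the blocker and guessing. Note that the check is only as good as the resolution snapshot; CDN names rotate addresses, so a host that passes today can land in a blocked range tomorrow.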
FM wrote:
> Retired wrote:
>> On 10/2/2009 12:23 AM, Sam Schinke wrote:
>> <snip>
>>> Thunderbird also does not seem to play well with MSE's real-time
>>> scanning engine. When the engine is enabled, I get periods where T-bird
>>> is unresponsive. Usually after selecting a post to open or changing
>>> folders.
>>>
>>> Regards,
>>> Sam
>>
>> Try adding thunderbird.exe to the excluded files and locations list.
> 
> Curious if you meant this as a temporary experiment?
> 
> If you meant this as a permanent "fix", then I wonder why you are 
> proposing turning off an important security measure on that system?  You 
> believe performance should be more important than security?

As one who would consider uninstallation of the security software that raises 
the non-performance of daily use software to noticeable levels, I guess my answer 
is yes.

I'm running a quad-core with 4GB of ram with over 1GB unallocated. If a 
news-reader is noticeably lagging, and getting (Not Responding) on the window 
title repeatedly, clearly something is _not_ right.

Adding my profile folder to the exceptions list seems to resolve the issue, so I 
would guess that MSE is diligently scanning the entire newsgroup database. Want 
to bet that they have integration with Live/Windows Mail in such a way that 
there is no noticeable performance degradation?

Regards,
Sam
0
Sam
10/3/2009 1:34:18 AM
On Sat, 3 Oct 2009 02:20:32 +0100, Roy Brown
<Roy_now_free_from_spam@acanthus.demon.co.uk> wrote:


>Yes, that made me wonder too. But taken with:
>
>"As of December 2008, the company's network is directly connected to 
>over 900 last-mile providers [3] and has over 2.5Tbps of egress 
>capacity"
>
>I guess we're supposed to think of them like uncrowded toll roads versus 
>jammed-up freeways, or even spiderwebs of two-lane blacktop.
>
>And getting the stuff there fast, to within the last few miles of 
>'ordinary' roads makes sense, doesn't it?

I TOTALLY disbelieve that as well.  They DO NOT have any ability to
get 'there' WITHOUT using the same Net the rest of us use.

What they HAVE done is simply off-loaded the load to THEIR servers.
Nothing more.

Whoever WROTE that is either a liar (company shill), OR incredibly 
technology-impaired, I'll let you guess which I believe.





0
The
10/3/2009 5:13:25 AM
"The Other Guy" <knewskgnus@gmail.com> wrote in message 
news:abndc55gvc55cmv24eqcmthcl84cti4tdr@4ax.com...
> On Sat, 3 Oct 2009 02:20:32 +0100, Roy Brown
> <Roy_now_free_from_spam@acanthus.demon.co.uk> wrote:
>
>
>>Yes, that made me wonder too. But taken with:
>>
>>"As of December 2008, the company's network is directly connected to
>>over 900 last-mile providers [3] and has over 2.5Tbps of egress
>>capacity"
>>
>>I guess we're supposed to think of them like uncrowded toll roads versus
>>jammed-up freeways, or even spiderwebs of two-lane blacktop.
>>
>>And getting the stuff there fast, to within the last few miles of
>>'ordinary' roads makes sense, doesn't it?
>
> I TOTALLY disbelieve that as well.  They DO NOT have any ability to
> get 'there' WITHOUT using the same Net the rest of us use.
>
> What they HAVE done is simply off-loaded the load to THEIR servers.
> Nothing more.
>
> Whoever WROTE that is either a liar (company shill), OR incredibly
> technology-impaired, I'll let you guess which I believe.

What's the difference between them and Akamai?

http://en.wikipedia.org/wiki/Akamai_Technologies

Am I mistaken if I say blocking Akamai used to block MS updates?

-- 
Robert


0
Robert
10/3/2009 12:20:56 PM
The Other Guy wrote:
> On Sat, 3 Oct 2009 02:20:32 +0100, Roy Brown
> <Roy_now_free_from_spam@acanthus.demon.co.uk> wrote:
> 
> 

>> Yes, that made me wonder too. But taken with:
>>
>> "As of December 2008, the company's network is directly connected to 
>> over 900 last-mile providers [3] and has over 2.5Tbps of egress 
>> capacity"
>>
>> I guess we're supposed to think of them like uncrowded toll roads versus 
>> jammed-up freeways, or even spiderwebs of two-lane blacktop.
>>
>> And getting the stuff there fast, to within the last few miles of 
>> 'ordinary' roads makes sense, doesn't it?

> 
> I TOTALLY disbelieve that as well.  They DO NOT have any ability to
> get 'there' WITHOUT using the same Net the rest of us use.
> 

Perhaps they have an IPv6 network which doesn't carry IPv4 traffic.

When I surf using IPv6 and I run a tracert to a Paris IPv6 user, my
packets reach my ISP's local server, they leave my ISP's infrastructure
and the next hop is to Montreal... the next hop will be in Europe.

Using IPv6, the tracert shows five hops; using IPv4 the tracert has 15
hops... it is a different network...

> What they HAVE done is simply off-loaded the load to THEIR servers.
> Nothing more.
> 
> Whoever WROTE that is either a liar (company shill), OR incredibly 
> technology-impaired, I'll let you guess which I believe.
> 

Or, which may be the case here, you should read up on IPv6 and
experiment with it...

HTH

-- 
Le Flake
 In lightest, brightest Ottawa
0
Le
10/3/2009 12:43:46 PM
The Other Guy wrote:
> On Sat, 3 Oct 2009 02:20:32 +0100, Roy Brown
> <Roy_now_free_from_spam@acanthus.demon.co.uk> wrote:
> 
> 
>> Yes, that made me wonder too. But taken with:
>>
>> "As of December 2008, the company's network is directly connected to 
>> over 900 last-mile providers [3] and has over 2.5Tbps of egress 
>> capacity"
>>
>> I guess we're supposed to think of them like uncrowded toll roads versus 
>> jammed-up freeways, or even spiderwebs of two-lane blacktop.
>>
>> And getting the stuff there fast, to within the last few miles of 
>> 'ordinary' roads makes sense, doesn't it?
> 
> I TOTALLY disbelieve that as well.  They DO NOT have any ability to
> get 'there' WITHOUT using the same Net the rest of us use.
> 
> What they HAVE done is simply off-loaded the load to THEIR servers.
> Nothing more.
> 
> Whoever WROTE that is either a liar (company shill), OR incredibly 
> technology-impaired, I'll let you guess which I believe.
> 

I would strongly recommend that you "cancel" the above post, and I'll
then cancel my replies.

What you have written is highly slanderous; GRC and yourself could be
open to litigation.

-- 
Le Flake
0
Le
10/3/2009 6:51:32 PM
On Sat, 3 Oct 2009 07:20:56 -0500, "Robert Wycoff" <rwycoff@gmail.com>
wrote:


>What's the difference between them and Akamai?

Akamai doesn't claim to be 'direct to user'.




0
The
10/3/2009 7:31:57 PM
On 10/2/2009 7:23 PM, FM wrote:
> Retired wrote:
>> Try adding thunderbird.exe to the excluded files and locations list.
>
> Curious if you meant this as a temporary experiment?
>
> If you meant this as a permanent "fix", then I wonder why you are
> proposing turning off an important security measure on that system? You
> believe performance should be more important than security?
>
> --FM /)`

Do you believe that thunderbird.exe is malware?  Every AV out there has 
an exclusion list for trusted apps, files and folders.  You sound as 
though you have never heard of this concept.
-- 
Sired, Squired, Hired, RETIRED.
0
Retired
10/3/2009 7:37:16 PM
Retired wrote:
> On 10/2/2009 7:23 PM, FM wrote:
>> Retired wrote:
>>> Try adding thunderbird.exe to the excluded files and locations list.
>>
>> Curious if you meant this as a temporary experiment?
>>
>> If you meant this as a permanent "fix", then I wonder why you are
>> proposing turning off an important security measure on that system? You
>> believe performance should be more important than security?
>>
>> --FM /)`
> 
> Do you believe that thunderbird.exe is malware?  Every AV out there has 
> an exclusion list for trusted apps, files and folders.  You sound as 
> though you have never heard of this concept.

The issue being that thunderbird.exe could potentially be a vector for malware. 
Suppose one were to view a particularly nasty malformed email?

I _think_ that not scanning the profile folder would be safer (the profile 
folder being slightly random) and hope that any executables that run from that 
folder would still be scanned. But without more advanced configuration options, 
it is hard to tell.

Regards,
Sam
0
Sam
10/3/2009 9:03:19 PM
The Other Guy wrote:
> On Sat, 3 Oct 2009 02:20:32 +0100, Roy Brown
> <Roy_now_free_from_spam@acanthus.demon.co.uk> wrote:
> 
> 
>> Yes, that made me wonder too. But taken with:
>>
>> "As of December 2008, the company's network is directly connected to 
>> over 900 last-mile providers [3] and has over 2.5Tbps of egress 
>> capacity"
>>
>> I guess we're supposed to think of them like uncrowded toll roads versus 
>> jammed-up freeways, or even spiderwebs of two-lane blacktop.
>>
>> And getting the stuff there fast, to within the last few miles of 
>> 'ordinary' roads makes sense, doesn't it?
> 
> I TOTALLY disbelieve that as well.  They DO NOT have any ability to
> get 'there' WITHOUT using the same Net the rest of us use.

Actually, if their network only broadcasts routing capabilities in one 
direction, data to and from the "special" networks will indeed take different 
routes.

Regards,
Sam
0
Sam
10/3/2009 9:04:32 PM
The Other Guy wrote:

> On Sat, 3 Oct 2009 07:20:56 -0500, "Robert Wycoff" wrote:
> 
>> What's the difference between them and Akamai?
> 
> Akamai doesn't claim to be 'direct to user'.

In other words, you're basing your decision on the semantics of one
sentence in a Wikipedia article and with no actual knowledge of the
technology used in fiber-optic-based content distribution networks.

How droll...

-- 
When you don't know where you're going, every road will take you there.
-Dennis
0
Dennis
10/3/2009 9:23:06 PM
Retired wrote:
> On 10/2/2009 7:23 PM, FM wrote:
>> Retired wrote:
>>> Try adding thunderbird.exe to the excluded files and locations list.
>>
>> Curious if you meant this as a temporary experiment?
>>
>> If you meant this as a permanent "fix", then I wonder why you are
>> proposing turning off an important security measure on that system? You
>> believe performance should be more important than security?
>>
>> --FM /)`
> 
> Do you believe that thunderbird.exe is malware?  Every AV out there has 
> an exclusion list for trusted apps, files and folders.  You sound as 
> though you have never heard of this concept.

Oops.  I responded to what I *thought* Retired meant, not what he 
actually wrote.  Specifically, in my mind I thought he'd said to exclude 
the mail data, not the Thunderbird executable.

In my defense, I'll say that even now I cannot imagine how excluding the 
executable will help in the face of the performance issue at hand.  The 
virus scanner should only scan the executable when it is first being 
started, but not subsequently during its use.  And the performance issue 
described was not at Thunderbird's launch, but later during its use.

In any case, Sam responded with his take on his issue, and as near as I 
can tell, he also thought Retired meant exclude the data from scanning, 
not the executable.  Or at least, that's the direction Retired's 
suggestion apparently led him.

--FM /)`
0
FM
10/3/2009 9:23:44 PM
On 10/3/2009 4:03 PM, Sam Schinke wrote:
> The issue being that thunderbird.exe could potentially be a vector for
> malware. Suppose one were to view a particularly nasty malformed email?
>
> I _think_ that not scanning the profile folder would be safer (the
> profile folder being slightly random) and hope that any executables that
> run from that folder would still be scanned. But without more advanced
> configuration options, it is hard to tell.
>
> Regards,
> Sam

I just tried to send myself a known malware sample to see what MSE would 
do if anything and here's what I got:
"our AT&T Yahoo! Mail Virus Protection detected the virus 
'Packed.Generic.200' in the file 'IAInstall2.jpg', attached to the 
enclosed email message. We scanned the file using Norton AntiVirus but 
were unable to clean it. Therefore, we removed the content of the 
attachment from the message. Please contact the message sender if you 
want to receive the attachment. They must clean the file and resend it 
before we can deliver it to you safely."  :)

I may try again with another sample sometime and report back.  :)
-- 
Sired, Squired, Hired, RETIRED.
0
Retired
10/3/2009 9:33:27 PM
On 10/3/2009 4:23 PM, FM wrote:
> Oops. I responded to what I *thought* Retired meant, not what he
> actually wrote. Specifically, in my mind I thought he'd said to exclude
> the mail data, not the Thunderbird executable.

Okay.

> In my defense, I'll say that even now I cannot imagine how excluding the
> executable will help in the face of the performance issue at hand. The
> virus scanner should only scan the executable when it is first being
> started, but not subsequently during its use. And the performance issue
> described was not at Thunderbird's launch, but later during its use.

I had the same problem as Sam and it worked for me.  Thunderbird.exe is 
the only thing I have excluded at the moment.  I used to have a bunch of 
exclusions but decided to remove them and start again with the 
installation of MSE, final version.

> In any case, Sam responded with his take on his issue, and as near as I
> can tell, he also thought Retired meant exclude the data from scanning,
> not the executable. Or at least, that's the direction Retired's
> suggestion apparently led him.
>
> --FM /)`

Apparently either solution works.
-- 
Sired, Squired, Hired, RETIRED.
0
Retired
10/3/2009 9:41:33 PM
Retired wrote:
> On 10/3/2009 4:23 PM, FM wrote:
> <a little snip>
>> In my defense, I'll say that even now I cannot imagine how excluding the
>> executable will help in the face of the performance issue at hand. The
>> virus scanner should only scan the executable when it is first being
>> started, but not subsequently during its use. And the performance issue
>> described was not at Thunderbird's launch, but later during its use.
> 
> I had the same problem as Sam and it worked for me.  Thunderbird.exe is 
> the only thing I have excluded at the moment.  I used to have a bunch of 
> exclusions but decided to remove them and start again with the 
> installation of MSE, final version.

Hmmm.  Well, experience trumps "thought experiment" any day.  :-)

Still, where security is concerned, I'm not going to rule out the value 
of thought experiments.  So if you'll bear with me:

I'm going to guess that, if MSE has the ability to exclude 
programs/processes from scanning, what that *really* does is exclude the 
data accessed by such programs/processes.  In other words, the email 
itself is not being scanned for malware.

Don't get me wrong:  I'm not trying to say excluding the email from MSE 
scanning is wrong (or right for that matter).  But I am interested in 
understanding what it *means* if it is (or isn't) excluded.  The 
performance impact has been determined by your experience.  What about 
the security impact?

It would be nice to get beyond my "thought experiment" level in this. 
I'm not using MSE so your/others' input to this will be needed.  But the 
discussion has me intrigued about the scanner I am using, so I think I'll 
see what experiments I can try here.

--FM /)`
0
FM
10/3/2009 10:44:24 PM
On 10/3/2009 5:44 PM, FM wrote:
> Hmmm. Well, experience trumps "thought experiment" any day. :-)
>
> Still, where security is concerned, I'm not going to rule out the value
> of thought experiments. So if you'll bear with me:
>
> I'm going to guess that, if MSE has the ability to exclude
> programs/processes from scanning, what that *really* does is exclude the
> data accessed by such programs/processes. In other words, the email
> itself is not being scanned for malware.
>

Well, I managed to send a malware attachment to myself (twice) using 
Thunderbird (had to disable real-time protection first, send the file, 
re-enable protection) and here's what happened.

The attached malware was base64 encoded by Thunderbird upon sending. 
Upon receiving, it was therefore not detected by MSE whether 
thunderbird.exe was excluded or not!  When I tried to "open" the 
attached file, it was converted back to its original form in a temporary 
directory as a randomly named file and that file was detected and 
deleted by MSE, but only if thunderbird.exe was not excluded.

If thunderbird.exe *was* excluded, MSE did nothing when I tried to open 
the file, but all I got in that case was an empty file!  Go figure.

> Don't get me wrong: I'm not trying to say excluding the email from MSE
> scanning is wrong (or right for that matter). But I am interested in
> understanding what it *means* if it is (or isn't) excluded. The
> performance impact has been determined by your experience. What about
> the security impact?

After the above experiment, I don't know quite what to think (yet).

> It would be nice to get beyond my "thought experiment" level in this.
> I'm not using MSE so your/others' input to this will be needed. But the
> discussion has me intrigued about the scanner I am using, so I think I'll
> see what experiments I can try here.
>
> --FM /)`

Let us know what happens!  :)
-- 
Sired, Squired, Hired, RETIRED.
0
Retired
10/3/2009 11:53:43 PM
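Retired's two-step result above (the base64-encoded attachment sitting in the mailbox is not detected; the decoded copy in the temp directory is) can be reproduced with Python's standard email library. This is an added example, not code from the thread or from MSE, and the signature and attachment bytes are constructed stand-ins; it also goes one step beyond the post by showing how a scanner can match a signature inside base64 text without decoding it, by precomputing the three alignment variants.

```python
"""Reproduce the mailbox experiment from this thread: a signature present in
an attachment is invisible in the stored message because the mail client
base64-encodes attachments, but visible once the attachment is decoded."""
import base64
from email import message_from_bytes
from email.message import EmailMessage
from typing import List

# Constructed stand-in for a detection signature; not a real malware pattern.
SIGNATURE = b"CONSTRUCTED-TEST-PATTERN-NOT-MALWARE-0001"

# Constructed attachment: ten filler bytes put the signature at offset 1 mod 3,
# so its base64 form differs from base64(SIGNATURE) taken on its own.
ATTACHMENT = b"XXXXXXXXXX" + SIGNATURE + b"-trailing-bytes"


def build_message(attachment: bytes, filename: str = "sample.bin") -> bytes:
    """Build a MIME message the way a mail client does: the binary attachment
    travels as a base64-encoded part, line-wrapped for transport."""
    msg = EmailMessage()
    msg["From"] = "me@example.invalid"
    msg["To"] = "me@example.invalid"
    msg["Subject"] = "attachment test"
    msg.set_content("see attachment")
    msg.add_attachment(attachment, maintype="application",
                       subtype="octet-stream", filename=filename)
    return bytes(msg)


RAW_MESSAGE = build_message(ATTACHMENT)


def raw_scan(data: bytes, signature: bytes = SIGNATURE) -> bool:
    """Naive on-disk scan: look for the signature bytes exactly as stored.
    On the raw message this misses, because the attachment is base64 text."""
    return signature in data


def decoded_scan(raw_message: bytes, signature: bytes = SIGNATURE) -> bool:
    """Scan each MIME part after transfer decoding, i.e. the bytes the client
    writes to the temp directory when the attachment is opened."""
    msg = message_from_bytes(raw_message)
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True)  # undoes base64 / quoted-printable
        if payload and signature in payload:
            return True
    return False


def base64_variants(signature: bytes) -> List[bytes]:
    """The base64 text of a byte string depends on its offset mod 3 in the
    stream, so precompute all three encodings. Leading and trailing characters
    that also encode bits of unknown neighbouring bytes are trimmed away."""
    variants = []
    for pad in range(3):
        encoded = base64.b64encode(b"\x00" * pad + signature)
        first = (8 * pad + 5) // 6                # first char fully inside signature
        last = (8 * (pad + len(signature))) // 6  # one past the last full char
        variants.append(encoded[first:last])
    return variants


def base64_stream_scan(data: bytes, signature: bytes = SIGNATURE) -> bool:
    """Match inside base64 text without decoding it: drop the MIME line
    breaks, then search for any of the three alignment variants."""
    joined = data.replace(b"\r", b"").replace(b"\n", b"")
    return any(variant in joined for variant in base64_variants(signature))


if __name__ == "__main__":
    print("raw mailbox scan      :", raw_scan(RAW_MESSAGE))            # False
    print("decoded attachment    :", decoded_scan(RAW_MESSAGE))        # True
    print("base64-aware raw scan :", base64_stream_scan(RAW_MESSAGE))  # True
```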
On 10/3/2009 6:53 PM, Retired wrote:
> If thunderbird.exe *was* excluded, MSE did nothing when I tried to open
> the file, but all I got in that case was an empty file! Go figure.

This is not accurate.  The randomly named file was created in the 
temporary directory as before, but the final step of moving it to the 
"My Documents" folder resulted in an empty file there.  Perhaps a 
Thunderbird (beta) bug?
-- 
Sired, Squired, Hired, RETIRED.
0
Retired
10/4/2009 12:07:56 AM
I will agree it's much nicer than AVG... as it should be... that said, I have 
been testing it with massive file transfers to an offsite backup and ended 
up having to add the backup program to the exception list, based on the 
detection engine for malware in the app pulling 13-20 on the CPU usage.

Win XP pro



"Sable" <sc137@rocketmail.com> wrote in message 
news:ha36eb$1j69$1@news.grc.com...
> I've already installed this on my mom's Windows XP machine (remotely of
> course) and her machine is already "snappier" than when under the thumb
> of AVG.  I hope it stays that way. 

0
Brent
10/4/2009 12:38:58 AM
Retired wrote:
> On 10/3/2009 5:44 PM, FM wrote:
> <snip>
> The attached malware was base64 encoded by Thunderbird upon sending. 
> Upon receiving, it was therefore not detected by MSE whether 
> thunderbird.exe was excluded or not!  When I tried to "open" the 
> attached file, it was converted back to its original form in a temporary 
> directory as a randomly named file and that file was detected and 
> deleted by MSE, but only if thunderbird.exe was not excluded.
> 
> If thunderbird.exe *was* excluded, MSE did nothing when I tried to open 
> the file, but all I got in that case was an empty file!  Go figure.

Most interesting.

Perhaps setting the MSE exclusion to the T'Bird profile (data) instead 
of the executable/process might get MSE to see the infected file when it 
hits the temp directory?  Just a thought.

I hope you're backing up your email data stores before doing these 
experiments.

Your experiments are already going way beyond what I've thought of 
trying here.  If I do find anything interesting I will, of course, publish.

--FM /)`
0
FM
10/4/2009 12:46:15 AM
On 10/3/2009 7:46 PM, FM wrote:
> Most interesting.
>
> Perhaps setting the MSE exclusion to the T'Bird profile (data) instead
> of the executable/process might get MSE to see the infected file when it
> hits the temp directory? Just a thought.

I solved the problem by adding .msf to the "Excluded file types" list 
and removing thunderbird.exe from the "Excluded processes" list.  Now 
MSE detects the malware file when it hits the temp directory and there 
is no impact on performance.

> I hope you're backing up your email data stores before doing these
> experiments.

I have a backup drive.  :)

> Your experiments are already going way beyond what I've thought of
> trying here. If I do find anything interesting I will, of course, publish.
>
> --FM /)`

Thank you!
-- 
Sired, Squired, Hired, RETIRED.
0
Retired
10/4/2009 1:31:32 AM
FM wrote:
> In any case, Sam responded with his take on his issue, and as near as I 
> can tell, he also thought Retired meant exclude the data from scanning, 
> not the executable.  Or at least, that's the direction Retired's 
> suggestion apparently led him.

No, I had already excluded the data from scanning prior to Retired's suggestion.

My take on the issue is that a single unscanned folder is less risk than an 
unmonitored 'net-facing program. Even a "fine" piece of work like thunderbird. ;)

Regards,
Sam
0
Sam
10/4/2009 5:12:26 AM
 
>> hm... maybe it's cool, but I prefer other stuff, for example
>> this critter http://www.bothunter.net/ but btw maybe you
>> need something different <g>
> 
> Haven't met that one. But from reading about it, it sounds like 
> something you'd use on a dedicated honey trap, rather than your everyday 
> machine?

A dedicated *sniffer* (or probe, if you prefer)
 
> I could use WireShark, I suppose, but I just want a general idea of 
> what's going where.

wireshark is more "general purpose", bothunter sniffs the traffic but then
it uses a "correlation engine" and some other stuff to identify bot traffic

> But with PeerBlock, I can block any 'phoning home' I don't understand 
> just by clicking on the entry and choosing to block it, for 15 mins, 1 
> hour, or permanently.

You can do the same using an N-IPS :) just a matter of allowing it to
interact with your firewall or packet filter

0
ObiWan
10/4/2009 10:19:53 AM
In message <ha9srt$k4m$1@news.grc.com>, ObiWan 
<obiwan.try.to.spam.and.get.killed@mvps.org> writing at 12:19:53 in 
his/her local time opines:-
>
>>> hm... maybe it's cool, but I prefer other stuff, for example
>>> this critter http://www.bothunter.net/ but btw maybe you
>>> need something different <g>
>>  Haven't met that one. But from reading about it, it sounds like 
>>something you'd use on a dedicated honey trap, rather than your 
>>everyday  machine?
>
>A dedicated *sniffer* (or probe, if you prefer)
>
>> I could use WireShark, I suppose, but I just want a general idea of 
>>what's going where.
>
>wireshark is more "general purpose", bothunter sniffs the traffic but then
>it uses a "correlation engine" and some other stuff to identify bot traffic
>
>> But with PeerBlock, I can block any 'phoning home' I don't understand 
>>just by clicking on the entry and choosing to block it, for 15 mins, 1 
>>hour, or permanently.
>
>You can do the same using a N-IPS :) just a matter of allowing it to
>interact with your firewall or packet filter

Ah, the 'j-word' - too often the gateway to a world of unexpected hurt 
and pain :-)

-- 
Roy Brown        'Have nothing in your houses that you do not know to be
Kelmscott Ltd     useful, or believe to be beautiful'  William Morris
0
Roy
10/4/2009 10:43:31 AM
Ian wrote:
> Slowered wrote:
> 
>>
>> BOClean is supposedly in Comodo's package.  I looked and couldn't find
>> anything.  Did you ever look for it?
> 
> No, I didn't. I've used BOClean as a standalone in the past before. I'm 
> trying to remember, wasn't BOClean an AVG product that got axed?
> 
> Ian

FYI, I finally checked on this..."AVG Anti-Rootkit" was what I was 
thinking of, which is no longer available. You're right, BOClean is part 
of Comodo Internet Security per their website, and is also available as 
a standalone product.
0
Ian
10/4/2009 11:34:25 PM
Not anymore it isn't.............Comodo is a sleazy company.

~~~~~~~~~~~~~~~~~~~~~~~~~~~
> You're right, BOClean is part
> of Comodo Internet Security per their website, and is also available as a 
> standalone product. 


0
Smith
10/5/2009 1:32:50 AM
"Smith" <wherever@wherever.com> wrote in message 
news:habidp$1t8e$1@news.grc.com...
> Not anymore it isn't.............Comodo is a sleazy company.

<quote>Comodo STILL supporting the criminal fraternity (the bad 
guys)</quote>
http://hphosts.blogspot.com/2009/07/comodo-still-supporting-criminal.html


<quote>There are plenty of people who don't want to pay for AV, we all have 
one or more in the family.  This will plug that gap, assuming the Windows 
version being used is legit.  </quote>
http://isc.sans.org/diary.html?storyid=7204&rss

Review - Microsoft Security Essentials
<quote>The biggest concern with computer viruses today is not that they will 
damage home computers, but that they will force them to secretly participate 
in large, illegal computer networks that are used to run criminal schemes to 
steal personal information and financial data. </quote>
http://www.krisabel.ctv.ca/post/Review-e28093-Microsoft-Security-Essentials.aspx

-- 
YoKenny
Windows 7 is great 

0
YoKenny
10/5/2009 11:19:45 AM
"NT Canuck"  wrote in message news:ha2lvg$1445$1@news.grc.com...
> "Steve Gibson" <news07_@_grc.com> wrote in message
> news:MPG.252d3a0915986f8721c6@4.79.142.203...
>
>> Just an FYI heads-up.
>
> Same back. ;)
>
> Although from (sort of ) a competitor in A/V I found
> these tested program results very comprehensive..
> includes the Microsoft offering.
> http://www.prevx.com/
>
> Click on any of the bars (specific A/V) for more detail
> and it gives even the missed findings by vendor.
>
> Note' I have no experience with Prevx but included
> the link/info since it's the only good A/V comparison
> I've seen perhaps in years (a bit different style)..
>
> 'Seek and ye shall find'
> NT Canuck

Good detection but removal is not free:
http://www.prevx.com/buynow.asp?cleanup=y

-- 
YoKenny
Windows 7 is great 

0
YoKenny
10/5/2009 11:31:41 AM
On Sun, 04 Oct 2009 16:34:25 -0700, Ian <1@1.com> wrote:

>Ian wrote:
>> Slowered wrote:
>> 
>>>
>>> BOClean is supposedly in Comodo's package.  I looked and couldn't find
>>> anything.  Did you ever look for it?
>> 
>> No, I didn't. I've used BOClean as a standalone in the past before. I'm 
>> trying to remember, wasn't BOClean an AVG product that got axed?
>> 
>> Ian
>
>FYI, I finally checked on this..."AVG Anti-Rootkit" was what I was 
>thinking of, which is no longer available. You're right, BOClean is part 
>of Comodo Internet Security per their website, and is also available as 
>a standalone product.

I think BOClean is part of the paid version of Comodo, not the free
version.  Their website is quite screwy in anything concerning
BOClean.  Many of us users miss BOClean.  It was one hell of an app. Used
it for many years.
0
Slowered
10/5/2009 11:41:39 AM
"YoKenny" <YoKenny@invalid.invalid> wrote in message 
news:haclh8$2ju9$1@news.grc.com...

>> Note' I have no experience with Prevx but included
>> the link/info since it's the only good A/V comparison
>> I've seen perhaps in years (a bit different style)..

> Good detection but removal is not free:
> http://www.prevx.com/buynow.asp?cleanup=y

Yeah, I saw that too, although the only interest I had
at the time of posting was their claimed review/test of
the various 'other' vendors.

Many of the MSE reviews I've seen of late were done on
earlier MSE beta or the Live-One-Care package (6 months ago)
and only a few updated pictures inserted to seem like current
testing had been done (even then it was usually a quick install
and a few snapshots...nothing like even a few weeks long).

These antivirus applications don't come out that often to
be 'glanced over', and certainly we can't simply place our
trust and data on once-a-year 'quickie' annual tests.
At least with Microsoft we know where to find them. ;)

'Seek and ye shall find'
NT Canuck


0
NT
10/5/2009 12:10:09 PM
Retired wrote:
> I solved the problem by adding .msf to the "Excluded file types" list 
> and removing thunderbird.exe from the "Excluded processes" list.  Now 
> MSE detects the malware file when it hits the temp directory and there 
> is no impact on performance.

Excellent.  This feels like the right answer.

So it appears my original post that started this sub-thread was off the 
mark.  Not scanning the email database is workable, given that 
attachments are scanned should the attachments be copied out to the 
wider file system.

(Scanning the email itself - or the email database - could potentially 
catch issues *other* than in attachments to the emails, but it isn't 
clear to me how necessary that would be, and even less clear if MSE 
would check for such stuff anyway.)

--FM /)`
0
FM
10/5/2009 12:53:29 PM
On Mon, 5 Oct 2009 07:31:41 -0400, "YoKenny" <YoKenny@invalid.invalid>
wrote:

>"NT Canuck"  wrote in message news:ha2lvg$1445$1@news.grc.com...
>> "Steve Gibson" <news07_@_grc.com> wrote in message
>> news:MPG.252d3a0915986f8721c6@4.79.142.203...
>>
>>> Just an FYI heads-up.
>>
>> Same back. ;)
>>
>> Although from (sort of ) a competitor in A/V I found
>> these tested program results very comprehensive..
>> includes the Microsoft offering.
>> http://www.prevx.com/
>>
>> Click on any of the bars (specific A/V) for more detail
>> and it gives even the missed findings by vendor.
>>
>> Note' I have no experience with Prevx but included
>> the link/info since it's the only good A/V comparison
>> I've seen perhaps in years (a bit different style)..
>>
>> 'Seek and ye shall find'
>> NT Canuck
>
>Good detection but removal is not free:
>http://www.prevx.com/buynow.asp?cleanup=y

AND they aren't even mentioning that they're comparing freeware to
paid.

I use MalwareBytes, SuperAntiSpyware, Spybot S&D, AND SpywareBlaster.
I REALLY doubt Prevx is better than the combo of freeware I use.




 
0
The
10/5/2009 3:04:58 PM
I'll definitely add this to my collection, right alongside Defender in 
Vista.

Now all we need is for future OSes to include this, and/or include it as an 
important/critical update via both WU and AU.

Brent wrote:
> I will agree its much nicer than AVG... as it should be... that said I 
> have been testing it with massive file transfers to an offsite backup 
> and ended up having to add the backup program to the exception list 
> based on the detection engine for malware in the app pulling 13-20 on 
> the cpu usage
> 
> Win XP pro
> 
> 
> 
> "Sable" <sc137@rocketmail.com> wrote in message 
> news:ha36eb$1j69$1@news.grc.com...
>> I've already installed this on my mom's Windows XP machine (remotely of
>> course) and her machine is already "snappier" than when under the thumb
>> of AVG.  I hope it stays that way. 
> 
0
Jared
10/5/2009 7:39:18 PM
FM wrote:
> (Scanning the email itself - or the email database - could potentially 
> catch issues *other* than in attachments to the emails, but it isn't 
> clear to me how necessary that would be, and even less clear if MSE 
> would check for such stuff anyway.)

With some sort of integration or understanding of the database format, scanning 
emails within the message store or as downloaded should be possible without any 
serious performance impact.

However, I won't go so far as to say that MS ought to be responsible for 
integrating MSE into every mail client. ;)

As far as MSE is concerned, T-bird is just a program opening a file, and it 
wants to scan that file. I suppose MSE _could_ behave smartly and only scan the 
portions of the file that t-bird requests to read, but I don't know if that is 
the case or not.

Regards,
Sam
0
Sam
10/6/2009 2:03:17 AM
"Sam Schinke" <sschinke@gmail.com> wrote in message 
news:hae8h7$tth$1@news.grc.com...

> With some sort of integration or understanding of the database format, 
> scanning emails within the message store or as downloaded should be 
> possible without any serious performance impact.

I'm not sure MS is concerned with the database or the contents
(since items are typically benign when sitting idle) until the file
enters the system's domain (loads or executes in memory/shell).
The only actual problem/concern might be how (and if) the
MSE terminates or removes the threat once it attempts to
communicate or activate, and how/if those databases are
treated (if the offender is removed or neutered).

> However, I won't go so far as to say that MS ought to be responsible for 
> integrating MSE into every mail client. ;)

At the moment afaict they are looking at the problems from
a slightly different viewpoint (MS does have better (I think)
insight into their OS internals) than simply plucking or
deleting found items inside databases/emails.

> As far as MSE is concerned, T-bird is just a program opening a file, and 
> it wants to scan that file. I suppose MSE _could_ behave smartly and only 
> scan the portions of the file that t-bird requests to read, but I don't 
> know if that is the case or not.

One of the things MSE does is, when it finds a dubious file/possible
threat, it initiates that file inside a small contained virtual environment
to see what it does...and if that is a problem/concern it asks
online for more info (helps when SpyNet has some data) or may
follow some internal algorithm to manage that item. So in a
sense with MSE you've gained a small AI-type diagnostic threat
detector and sort of a mini cloud background info network.
Extrapolate that a bit and you may see its potential. ;)

Overall, I'd say MSE is doing at least a full day's work
in less than an hour; it's not slow by any standard.
In fact, it's likely the prototype of an entirely new era client side.

'Seek and ye shall find'
NT Canuck


0
NT
10/6/2009 9:12:53 AM
Just remember that this incorporates defender and basically disables 
defender from what I have seen.

 

0
Brent
10/8/2009 9:47:03 PM