MSE?

Discussion in 'other anti-virus software' started by russland, Mar 29, 2012.

Thread Status:
Not open for further replies.
  1. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    850
    It's a matter of simplicity vs robustness, choose yourself.
    I prefer an AV that has good self-defense against user-mode termination and proactive-like features that will allow it to detect when an unknown program tries to gain kernel mode access (from where Self-defense can be useless as the AV is on the same privilege level as malware itself).
     
  2. HKEY1952

    HKEY1952 Registered Member

    Joined:
    Jul 22, 2009
    Posts:
    657
    Location:
    HKEY/SECURITY/ (value not set)
    In regards to Malware gaining Kernel Mode Access:

    Source:
    http://www.winsupersite.com/article/windows-7/microsoft-security-essentials-review


    HKEY1952
     
  3. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    Malware varies in terms of severity and the execution of a particular malware has different consequences depending on its capability. If a malware successfully evades AV and executes I would still prefer that the AV keep functioning and protect the system to the extent possible. To that end self-protection is essential.

    On the other hand if you feel that once the AV fails to block a specific malware from executing it no longer matters whether or not it keeps functioning then self-protection is irrelevant. I have to say though that in the real world (where I clean up customers' computers) the malware load is much greater on systems that have no AV or disabled AV.
     
  4. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    This all sounds good, and probably is, but there is nothing unique about it. Many AV vendors are moving to "cloud analysis". As to kernel hooking the playing field is level as far as I know. All the AV vendors can hook the 32 bit kernel and none of them can hook the 64 bit kernel including Microsoft due to Kernel Patch Protection (aka Patchguard). If Microsoft is hooking the kernel in either OS in some unique way I'd like to hear more about it.
     
  5. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    850
    Of course they can hook the 64b kernel. Just not in the same manner and with the same level of detailed control over some events/actions like with 32bit (they have to abide by Patch Guard restrictions).
    If this weren't true, applications like Online Armor and other HIPS-like security apps either wouldn't exist at all or would be circumvented easily on 64b; similar for rootkit removal capabilities of AVs on 64b.
     
  6. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Yes.


    Are you saying that it isn't possible to kill an AV, place an autorun entry with some .exe with an MSE/other AV icon, and place it under the tray bar? It will look like the AV is still running?

    I mean, how hard would it be to do something like that? I'm not a programmer, so I don't know. But, I believe it to be possible?

    If this situation could be possible, then what would be best? Kill the AV and make it look like it's still running, or the AV not allowing itself to be killed and still being able to warn the user?

    But, to be honest with Windows 7, you don't actually have to do all that. All icons are hidden, by default.
     
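    The scenario above (a killed AV replaced by a look-alike icon) is exactly why a defender should not judge AV health by the tray. As an added example that is not part of this thread and not Microsoft's or any vendor's code, the PowerShell check below asks the Service Control Manager, the process table (with Authenticode verification of the engine binary) and Security Center instead. It assumes MSE's service name 'MsMpSvc' and engine process 'MsMpEng' (change both for another product), the root\SecurityCenter2 namespace of client Windows from Vista on, and the widely reported but unofficial decoding of the productState field.

```powershell
# Added example (not from the thread or Microsoft). Assumed names: MSE's
# service 'MsMpSvc' and engine process 'MsMpEng'; run elevated so Get-Process can read paths.
param(
    [string]$ServiceName = 'MsMpSvc',
    [string]$ProcessName = 'MsMpEng'
)

function Test-AntivirusHealth {
    param([string]$ServiceName, [string]$ProcessName)
    $findings = @()

    # 1. Ask the Service Control Manager, not the tray icon.
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    if (-not $svc) {
        $findings += "service '$ServiceName' is not installed"
    } elseif ($svc.Status -ne 'Running') {
        $findings += "service '$ServiceName' is $($svc.Status), not Running"
    }

    # 2. The engine process must exist AND carry a valid Microsoft
    #    Authenticode signature; a renamed look-alike in the tray will not.
    $procs = @(Get-Process -Name $ProcessName -ErrorAction SilentlyContinue)
    if ($procs.Count -eq 0) { $findings += "no '$ProcessName' process is running" }
    foreach ($p in $procs) {
        if (-not $p.Path) {
            $findings += "cannot read image path of PID $($p.Id); run elevated"
            continue
        }
        $sig = Get-AuthenticodeSignature -FilePath $p.Path
        if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notlike '*Microsoft*') {
            $findings += "PID $($p.Id) ($($p.Path)) is not validly signed by Microsoft"
        }
    }

    # 3. Security Center's own view (root\SecurityCenter2 exists on client
    #    Windows from Vista on). productState decoding is the widely reported
    #    convention, not an official Microsoft specification (assumption):
    #    bit 0x1000 set = real-time protection on, bit 0x10 set = out of date.
    $products = @(Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct -ErrorAction SilentlyContinue)
    if ($products.Count -eq 0) { $findings += "Security Center lists no antivirus product" }
    foreach ($av in $products) {
        $state = [int]$av.productState
        if (($state -band 0x1000) -eq 0) { $findings += "$($av.displayName): real-time protection reported OFF" }
        if (($state -band 0x10) -ne 0)   { $findings += "$($av.displayName): signatures reported out of date" }
    }

    if ($findings.Count -eq 0) {
        Write-Host "OK: '$ServiceName' running, '$ProcessName' signed by Microsoft, Security Center green"
    } else {
        $findings | ForEach-Object { Write-Warning $_ }
    }
    return ($findings.Count -eq 0)
}

Test-AntivirusHealth -ServiceName $ServiceName -ProcessName $ProcessName
```

    Scheduling this from a task that runs under an account the malware would not expect to touch gives you an independent signal of the "killed but still looks alive" case the post describes.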
  7. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    That all sounds fine. I'm not a programmer and if it's more appropriate to say the 64 bit kernel is "hooked differently" that's OK by me. My point though was about the playing field being level AFAIK. Some folks seem to believe that Microsoft has special access/knowledge/skill/magic with regard to designing MSE because they've created the OS. That seems like magical thinking to me. Since it isn't borne out in either tests or real world performance what is it based on?
     
  8. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    850
    It all comes down to the knowledge level of the programmers who develop AVs, and how much money the company can dish out for development.
    One could assume that MS being big as it is can afford having (or can't afford not having) good programmers with a very high level of knowledge of Windows internals (it's not something that comes as a given to anyone, even with years of experience in the field). In the majority of cases, MSE is not superior to some other AVs because those AV companies also have very knowledgeable and experienced people. Those who claim that MSE is superior to all other AVs are just being way too into the "Windows ecosystem" perfectionism thing.
     
  9. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    Ha...I must say I am not affiliated with Webroot/Prevx but I must comment again re-reading some of these remarks that are not good blanket statements to make...

    Maybe self-protection for MSE is not awesome because Microsoft has to wait for definitions to be released as they rely too heavily still on signatures, as do some other AVs that try to hide that fact.

    Webroot SecureAnywhere on the other hand works great with self-protection, because even if the malware runs and is not detected by the cloud immediately, the self-protection module prevents malware from terminating WSA while it analyzes it and communicates with the cloud to make a determination based on its behavior. Lastly, if the file and its behavior are truly unknown and you haven't bumped your heuristics up (which if you had it would likely be blocked at that point anyway), it will keep it running in sandboxed/monitor mode keeping it from doing any damage to the system, AND still of course using self-protection so the malware cannot touch WSA.

    So when you guys make generalizations like "self-protection is useless in failure of detection", I believe that is a hasty, incorrect generalization.
     
  10. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    Some more words of wisdom here. :thumb:

    I cannot fathom how some of us are making the conclusion that they'd just as soon have their realtime AV killed than have it currently not detect, especially if there is analytic behavior monitoring. :thumbd:
     
  11. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    I'll tell you exactly what it is based on: people fed up with playing the "which free AV is the best this year this time" game. They decide to just trust Microsoft since they're the "makers" and be done with it.

    It's not based on facts or actual tests.

    Also, as I've said before, Microsoft Security Essentials plays by the Kernel Patch Protection rules. If you don't believe me, go ask at MS Answers. MSE has no special magic or eliteness that other AV vendors haven't. And lastly, don't let Microsoft fool you or over-talk up their product. They have the capability to work wonders with their leet telemetry but they chose to continue to rely too heavily on signatures and that is one of the main reasons I feel their detection suffers.
     
  12. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    Again, who cares. What kills me is how people use Microsoft products in everyday life but want to bash them on their AV. Why not just have your favorite AV vendor create their own operating system along with the other numerous programs Microsoft has, that we enjoy. Duh.
     
  13. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    Where did this come from?

    No one is attacking Microsoft's other products or Windows here...?

    How can you say "who cares" to the potential of malware being able to render an AV useless?
     
  14. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    Because malware can do this to any product, correct? I have seen it on just about all. So why dwell on this issue with MSE?
     
  15. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,963
    Location:
    Somethingshire
    There is no need for drama. If you can't discuss the subject which is MSE then stay out.
     
  16. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    Well MSE needs to be hardened for starters, because the issue is only going to get worse as it is to be included in Windows 8. So many people are going to use it that it is going to be a big red target for malware authors.
     
  17. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    I have to admit that this very attitude was part of my decision to install MSE in the first place. I actually installed Panda Cloud Free before MSE but I got too many false-positives with it. MSE isn't much heavier than Panda on my notebook. I don't know if Panda has any 'hardening' but it wouldn't have been a problem if it hadn't.

    Yet when I first installed MSE it was doing excellently in many tests. Admittedly it has fallen slightly with AV-Comparatives, from 'Advanced +' originally to now merely 'Advanced'.

    Oh, don't tell me that. I can't believe that MS don't know their OS better than anyone else does. Plus, I can't see what they would gain by releasing an AV with a security hole potentially so big that you could fly an Airbus A380 through it.
     
  18. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    Ask Sir Rob Koch if you don't believe me...

    ...Does MSE have something special that makes it superior to other AVs, and if so Mr. Koch, why is it doing less than favorable in many recent tests? (Keep in mind I have seen MVPs hint at this on the forums and then get corrected as it is wrong!)

    ...Does MSE have self-protection other than file permissions and least user access? (I'm telling you the answer is no. They don't believe in it. And they are not doing as well as they could because of it.)

    See what he says...and if you care share it with the rest of us. I already asked, and I did not like the answers I got. The result? I stopped using MSE. I do miss the little castle guy in my taskbar from time to time, but I definitely feel safe with WSA solo.
     
  19. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,963
    Location:
    Somethingshire
    It is not that your concern is not appreciated, but we have already discussed the lack of it and noted that other AVs have it. We have also discussed advantages of the self defence and concluded that it is not the end of all the troubles that happen when the malware infiltrates successfully (executes payload). For better or worse MSE is designed the way it is. Repeating the above facts that have been discussed already serves no purpose.
     
  20. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    It's not that I don't believe your seemingly genuine concern, but I do wonder whether the test results you cite are genuinely brought about because of the corollary that you are reaching about this lack of self-protection issue.
     
  21. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    What he said. ;)
     
  22. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    I'm not sure why I am getting "the heat". I am only still talking about it because it has been an ongoing discussion since earlier today. There have been a massive number of posts here.

    If people are going to keep talking about why they think MSE has no issue, then you must expect the other side (and it is not just me) to keep talking about why it does have an issue. For every action, there is an equal and opposite reaction.

    Nevertheless, this thread has run its course for me and I no longer wish to talk about this. As usual, my bad habit of expressing my viewpoint (that often no one else cares about besides me) ad nauseam has become apparent here, and for that I have remorse.
     
  23. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    No, you shouldn't have any remorse. You have made a genuine point & I was really interested about why you were so concerned about this MSE problem. You'll have to forgive my slight irony & possible sarcasm, I'm English, we're all a bit like this. Plus, this is one more malware thing I have to worry about LOL.

    I do hope you haven't felt picked upon or have been taking too much heat. It's just that your posts have disconcerted me slightly & I don't really understand that much about computers & AV software to be competent enough to really know just how much this affects me running MSE.

    Either way, thanks for bringing this matter to my attention. I'm not sure if it has really changed my attitude that much to actually running MSE. I never totally trust one layer of defence anyway. I think I'll be OK.

    Dave
     
  24. adrenaline7

    adrenaline7 Registered Member

    Joined:
    Apr 27, 2011
    Posts:
    128
    IMO this thread is going way off topic of how MSE is as an actual scanner. If your system is compromised by something that can disable the AV, you are already screwed. Who needs an MSE notification that something is trying to disable it? If UAC is on along with the firewall and common sense, surely you would notice; if not, brain.exe was bypassed along with basic Windows components along with the AV....
     
  25. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    You will be more than OK. That statement I quoted above proves you know more than most, and like I told you before I'm not worried about it nearly as much for those that use a layered defense, never place all confidence in one layer, and embrace LUA.

    Time for the truth: If it was not for the Webroot deal, I'd be still using MSE Beta v4 on my netbook. Part of my hardness on MSE in this thread has been my own uncertainties coming out. Like many I suspect here as well, I have become attached to the simplicity and ease of use of MSE. I am a power user but something about MSE - it just gave you everything you needed and nothing more.

    I will say (maybe 2nd time) that if you read my "Is your free AV performing well" thread you will see I have collected and interpreted all the results from multiple vendors and Microsoft is doing quite well. It is not far behind Avast, which I interpreted as in the lead. Keep in mind I interpreted test results numerically and emphasized penalizing vendors for specifically excluding their free version from tests. I wanted no bull - give me the results of the free version. Microsoft has fortunately been very transparent and they have come a LONG way since their OneCare days (which we likely all can agree on). I am also still overjoyed they took my (and many others') feedback and brought Default Actions back in the beta.

    So there's a lot of good about MSE. I like it. It's the friendliest free AV to use. There are no advertisements or upsells to confuse your grandmother you installed it for. The protection seems to be in a mildly questionable state for version 2 but I believe it is solid if combined with LUA=UAC Max or SUA full-time. Now v4 should hopefully be filled with awesome.

    I have also failed to give it credit for 5.0 repair and 5.0 usability (pretty sure) on the last AV-TEST result. That is grand! I'm just so used to being an "ounce of prevention = pound of cure" guy that I freaked when I saw the protection score.

    So in closing, I am NOT NOT NOT trying to advise anyone to drop MSE. Why? Because they are transparent and hopefully shall continue so into Windows 8. Avira and PC-Tools likely have great potential and may even be doing as good or better than MSE, but if you view my thread you'll see their lack of free version test participation KILLED their score. To me, logically, lack of tests means something to hide, and it isn't fair to count their paid version/suite scores since even a deluxe-only feature as small as a malicious URL filter may change the score they get. Even worse, they sometimes cut out parts of the engine!

    PC-Tools AV Free, for example, is NOT the same thing as their paid PC-Tools Spyware+ Anti-Virus. It's just anti-virus. So, the scores will likely not be quite as good and they know this, so they purposely exclude their free AV from most tests hoping people just see PC-Tools and approve it. Not meh! :(

    So there you have it. I'm an MSE fanboy myself in denial. :)

    And thanks for your kind words! :)
     
    Last edited: Apr 4, 2012