Avira v. Microsoft Security Essentials – a practical comparison

November 4th, 2009, by admin

Microsoft has recently introduced their latest iteration of virus protection called Microsoft Security Essentials (MSE). I have read reports, largely anecdotal, that it is a pretty good product, and in fact it has got good ratings for its virus removal ability (NOT necessarily detection) from AV-Comparatives. I have been a fan of Avira AntiVir for some time now, based both on their excellent independent test results and my own experience with cleaning up customers’ PCs. I expect I will continue to use Avira, but I’m having second thoughts about installing it on customer machines. The problem is that Avira has this nagware component on their free version. The nagware pops up every day suggesting that you buy the product; this is OK as far as I’m concerned, but I believe that naive users may not be able to quickly distinguish between this legitimate advert and a pop-up for one of the nasty Fake Anti-virus products.

Yesterday I had a customer bring me a laptop infected with a very recent and particularly nasty set of viruses. The viruses prevented installation and/or execution of all of the key malware removal tools (for example, I installed Malwarebytes and while it was getting ready to run, the virus(es) killed it and rendered it thereafter unusable – impressive). In addition, Task Manager was disabled and Safe Mode was disabled (by BSOD).

I always start a virus removal by making an image of the drive I will be working on. That image can be mounted on my computer just as if the original drive was attached. I decided to use this image as a test to see what MSE would find on it compared to Avira and thereby get a datapoint for myself on just how good MSE is compared to what I consider the best antivirus program available.

Test Environment

The scans were run on a machine that dual boots between Windows 7 and Windows XP Pro. I have a licensed version of Avira AntiVir on the Windows 7 drive and MSE loaded on the XP drive. I use ShadowProtect Desktop from StorageCraft Technology for imaging drives. The Avira scans were run with virus definitions from 3 November and the MSE scans with definitions from 4 November. The initial infection of the drive was reported to have occurred on 2 November, with the machine having around 3 minutes of internet access on 3 November.

Baseline – Avira

During its scan, Avira identified 19 instances of malware, they were:

  • TR/Agent AH.313 Trojan x2
  • TR/FraudPack.yox Trojan x4
  • TR/Crypt.ZPACK.Gen Trojan x3
  • TR/Crypt.XPACK.Gen Trojan
  • TR/Agent.AH.312 Trojan
  • ADSPY/Wheatesbug.A adware
  • TR/Agent.AH.337 Trojan x2
  • TR/Agent.AH.319 Trojan
  • TR/Crypt.ZPACK.Gen Trojan
  • TR/Agent.AH.308 Trojan
  • TR/Agent.AH.310 Trojan

Microsoft Security Essentials

Initially, I installed MSE on a laptop that is on the same network where the infected image resides. I then shared the image, gave the share a drive letter on the laptop and told MSE to do a custom scan on that drive letter. The scan ran for about 15 minutes and found nothing, zero, zilch, nada – YIKES! I was a bit surprised by this initial result but decided to consider it an unfair comparison as Avira was tested on the resident machine (but took note that an over-the-network scan by MSE is probably useless). I then installed MSE on the test machine’s XP drive so I could run a local apples-to-apples comparison.

On this second configuration, which took just over an hour to run, MSE found the following 22 items:

  • Trojan:Win32/Meredrop
  • TrojanDownloader:Win32/Renos.JM x4
  • TrojanDownloader:Win32/Renos.JI x4
  • TrojanDropper:Win32/Sirefef.A!dll (Avira missed this one)
  • Trojan:Win32/Fakeinit
  • Virus:Win32/Alureon.A
  • VirTool:Win32/Obfuscator.HG x10

Conclusions

While my methodology contains at least one glaring flaw, that MSE had definitions one day newer than Avira’s, the comparison was still sufficiently valid for my purposes. Here is what I have drawn from the comparison:

  • MSE found problems in 7 individual files that Avira did not (these details are not listed above)
  • Avira found problems in 3 files that MSE did not (also not detailed above)
  • While MSE had the advantage of 1 day over Avira, which is a little unfair, it acquitted itself well in the test
  • I would be comfortable installing MSE on customer computers

Errata

I have not taken into account the possibility of false positives in these tests. It’s possible that either of these scanners appears to be better than it really is because it is finding problems that aren’t really there. Generally I don’t concern myself with FPs as I would rather err on the safe side anyway. Having said this, MSE found ATAPI.SYS, EVENTLOG.DLL and LSASS.EXE to be infected; deleting these files will pretty much screw your Windows installation, so an FP here could be a problem. I also have concerns about MSE on a low-spec machine: it seems to command a lot of processor power even when it is doing nothing. It took 100% of the CPU on my PIII laptop and virtually shut down the machine for 30 seconds when I merely tried to open Control Panel.
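The comparison in the Conclusions (which files MSE found that Avira did not, and vice versa) and the Errata warning about hits on ATAPI.SYS, EVENTLOG.DLL and LSASS.EXE are both easier to reason about if the two reports are merged by file path rather than by detection name, since the two products name the same family differently and the mounted image carries a different drive letter under each OS. The script below is an added example, not the post’s own tooling: it parses two constructed scan reports (the paths, and the pairing of detection names to files, are made up for illustration, as is the simple "path ; detection" line format), strips the drive letter so the same file compares equal across scans, computes the both/MSE-only/Avira-only sets, and flags any hit on a file Windows cannot run without so it can be checked against a known-good copy before anything is deleted.

```python
import re
from collections import defaultdict

# Constructed sample reports, NOT the real scan output from the post.
# One detection per line in an assumed "path ; detection name" shape.
# The Avira scan saw the mounted image as E:, the MSE scan as F:.
AVIRA_REPORT = """\
E:\\WINDOWS\\system32\\drivers\\atapi.sys ; TR/Agent.AH.313
E:\\Documents and Settings\\User\\Local Settings\\Temp\\abc.tmp ; TR/FraudPack.yox
E:\\WINDOWS\\Temp\\x1.exe ; TR/Crypt.ZPACK.Gen
E:\\WINDOWS\\system32\\wuauclt2.dll ; ADSPY/Wheatesbug.A
"""

MSE_REPORT = """\
F:\\WINDOWS\\system32\\drivers\\atapi.sys ; Virus:Win32/Alureon.A
F:\\Documents and Settings\\User\\Local Settings\\Temp\\abc.tmp ; TrojanDownloader:Win32/Renos.JM
F:\\WINDOWS\\system32\\lsass.exe ; VirTool:Win32/Obfuscator.HG
F:\\WINDOWS\\Temp\\x7.exe ; TrojanDropper:Win32/Sirefef.A!dll
"""

# Files Windows cannot boot or log on without. A hit here is either a real
# file-patching infection (Alureon variants of that era did patch atapi.sys)
# or a false positive; either way the file must be compared with a known-good
# copy, never simply deleted. This list is an assumption for the example.
CRITICAL_FILES = {"atapi.sys", "eventlog.dll", "lsass.exe"}

_LINE = re.compile(r"^\s*(?P<path>[^;]+?)\s*;\s*(?P<name>\S.*?)\s*$")


def normalise(path):
    """Drop the drive letter and lower-case the path, so the same file on the
    mounted image matches whichever letter each test OS assigned to it."""
    path = path.strip().replace("/", "\\")
    path = re.sub(r"^[A-Za-z]:", "", path)
    return path.lower()


def parse_report(text):
    """Return {normalised path: {detection names}} for one scanner's report.
    Lines that do not fit the expected shape are skipped rather than guessed."""
    hits = defaultdict(set)
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            hits[normalise(m.group("path"))].add(m.group("name"))
    return hits


def compare(report_a, report_b):
    """Split the union of flagged files into found-by-both / only-A / only-B.
    For files both found, the differing detection names are kept side by side."""
    a, b = parse_report(report_a), parse_report(report_b)
    both = {p: (sorted(a[p]), sorted(b[p])) for p in sorted(set(a) & set(b))}
    return {
        "both": both,
        "only_a": sorted(set(a) - set(b)),
        "only_b": sorted(set(b) - set(a)),
    }


def critical_hits(report):
    """Flagged files whose basename is a must-verify system file."""
    return sorted(p for p in parse_report(report)
                  if p.rsplit("\\", 1)[-1] in CRITICAL_FILES)


if __name__ == "__main__":
    result = compare(AVIRA_REPORT, MSE_REPORT)
    print("Found by both:")
    for path, (names_a, names_b) in result["both"].items():
        print(f"  {path}: Avira={names_a} MSE={names_b}")
    print("Avira only:", result["only_a"])
    print("MSE only:  ", result["only_b"])
    print("Verify before deleting (Avira):", critical_hits(AVIRA_REPORT))
    print("Verify before deleting (MSE):  ", critical_hits(MSE_REPORT))
```

Counting detections by file rather than by signature name is what makes the "7 files MSE-only, 3 files Avira-only" style of tally meaningful; two engines that disagree on the family name of the same dropper still agree on the file, and that is what matters when cleaning.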

On the other hand, Microsoft, who can’t produce a secure operating system, do seem to have a very good handle on finding the viruses and trojans that take advantage of their deficiencies (in a 1.0 version product, no less). If I combine MSE’s excellent virus removal results with my quasi-scientific malware discovery results described here, I think it is a very recommendable product, and I will keep an eye out for some more scientific studies from AV-Comparatives and others.

Addendum 12 May 2010: I am continuing to install MSE on customer computers. I like it because it is very easy to maintain, and that’s quite important for many users. However, MSE does have its flaws that have come out in using it over time, and I do not install it on every computer.

First, anecdotally, I do not think it finds all the viruses that Avira does. On occasion I have run MSE first, then Avira, and Avira still found items or traces of viruses. Secondly, MSE is not very good on a low-specification machine. If the computer has 500MB of RAM or less, or it has a slow processor, I find that often MSE drags the machine to a crawl, either by monopolising RAM or the CPU.