
fan13027

join:2008-10-26
Winnipeg, MB

[Other] MS Safety Scanner vs MS Security Essentials

Apologies if this is not the right forum for this question (mods feel free to move if necessary). Apologies, also, for the length of this post.

I'm running Win 7 (64-bit) and I also support my 88-year-old father's machine, which also runs 64-bit Win 7.

Dad started having problems that made me suspect some sort of virus or other malware. I ran (from safe mode) a full scan using Super Anti Spyware, Malware Bytes, and Microsoft Security Essentials (which is his real-time scanner).

I found nothing with any of these and so I decided to try out Avira Rescue CD which is run booting their software directly from a CD (using a Linux ? kernel).

This process produced four results, all listed as a trojan called 'FakeSysdef.jh.2'. Avira reported it was unable to repair the infected files but renamed them instead.

So off I went to Google for a removal tool, and this is when I found Microsoft Safety Scanner ...

»www.microsoft.com/security/scann···Req.aspx

After running MS Safety Scanner it identified the same 4 files (that Avira had) on Dad's machine.

So after this longish rambling post, my question (and possibly complaint as well) is ... "Why did MS Safety Scanner find threats that MS Security Essentials didn't?"

Security Essentials (to the best of my knowledge) was set up to scan ALL files, not just key system files or executables only. Wouldn't these two products (BOTH from Microsoft) use the same virus or threat database, and if not, why not?

Primarily I have used MS Security Essentials for its speed and small footprint as regards machine resources used. But now I can't trust MS Security Essentials anymore ... and much as I hate to, I will have to try something else. Or is there another explanation?

P.S.
Removal status of the 4 threats identified is not fully determined yet, so don't ask please.


BlitzenZeus
Burnt Out Cynic
Premium
join:2000-01-13
kudos:3

Were things like automatic update actually automatically installing updates, and was the option to install the updates with a scheduled scan enabled?

I can't give you a definitive answer, but I hate how it wasn't properly self updating.



sbconslt

join:2009-07-28
Los Angeles, CA
reply to fan13027

Just thinking in the abstract... Sometimes on-demand scan tools are configured to be more aggressive than resident components from the same vendor. That situation can arise out of optimizing to minimize false positives. In effect the coverage afforded by an on-demand scanner may be greater than the coverage afforded by a resident scanner. It's a different use case and it's engineered differently.
--
Scott Brown Consulting



fan13027

join:2008-10-26
Winnipeg, MB
reply to BlitzenZeus

said by BlitzenZeus:

... I hate how it wasn't properly self updating.

I'm not sure what you are referring to. MS Security Essentials was always updating with the latest virus definitions.

Windows Update is NOT set to auto update - I hate that it updates and asks for reboots at the most inopportune times. I run Windows Updates on Dad's machine manually about once a month. But these updates shouldn't have anything to do with virus detection???


PeteC2
Got Mouse?
Premium,MVM
join:2002-01-20
Bristol, CT
kudos:6

said by fan13027:

said by BlitzenZeus:

... I hate how it wasn't properly self updating.

I'm not sure what you are referring to. MS Security Essentials was always updating with the latest virus definitions.

Windows Update is NOT set to auto update - I hate that it updates and asks for reboots at the most inopportune times. I run Windows Updates on Dad's machine manually about once a month. But these updates shouldn't have anything to do with virus detection???

MS Security Essentials updates definitions through Windows Updates, so that could be an issue, though that may not necessarily be the reason that it missed stuff.

I prefer to use both MS Security Essentials along with Malwarebytes...
--
Deeds, not words


fan13027

join:2008-10-26
Winnipeg, MB

I am aware that Windows Update serves up definition updates for Microsoft Security Essentials, but I thought (I'm sure I've seen it before) that when/if you reboot the machine (or just stop and restart Security Essentials) it will download updates directly.

I did try with Malware Bytes as well (from Safe Mode) but it found nothing either.

At any rate, I think my problem is solved ... there were (the same) four files identified by MS Safety Scanner and the Avira Rescue (boot) CD. It turns out one of the files was in a Program Data directory for MS Security Essentials, so I strongly suspect that MS Security Essentials was compromised by the virus/trojan.

I am in the final stages of clean-up and all seems well now.

Thanks, everybody, for your input.


redwolfe_98
Premium
join:2001-06-11
kudos:1
reply to fan13027

fan13027, you can check for the latest malware definition updates for "Security Essentials" at this webpage:

»www.microsoft.com/security/porta···ADL.aspx

When I was using "Windows Defender", I found that using its updater mechanism did not download the latest malware definitions, and so I would always install the latest malware definitions manually, downloading them from the website that I posted a link to, above.



fan13027

join:2008-10-26
Winnipeg, MB
reply to fan13027

Final Update -- got the 4 files identified removed and did some basic cleanup. MS Security Essentials was still acting a bit flaky so I decided to completely uninstall and then re-install it.

As soon as I did that and rebooted the machine, the real culprit (that I assume brought in the trojan) was revealed. MS Security Essentials immediately complained about the presence of Alureon.E RootKit.

Used aswMBR from Avast and also Mini-Tool Partition Wizard

»www.bleepingcomputer.com/download/aswmbr/

to get rid of that nasty bugger and a bit more clean-up and all is now fine! Unsurprisingly, the machine runs much faster now, which was Dad's original complaint that got me started poking around.

That was the first RootKit I have ever dealt with in my life; it was fun and educational ... and I think I learned a lesson too (which I might apply to my own machine as well). To make life for Dad easier (he's 88 and not very tech savvy) I had turned off UAC on his machine when I first set it up for him about 4 years ago. After discussion with Dad and a "layman's explanation" of what it does, he said he could live with the annoyance -- UAC is definitely getting turned back on, on his machine.



JohnInSJ
Premium
join:2003-09-22
San Jose, CA

said by fan13027:

To make life for Dad easier (he's 88 and not very tech savvy) I had turned off UAC on his machine when I first set it up for him about 4 years ago.

You know it really only takes a few minutes to get over having to put in an admin password now and then... and the alternative sure is pretty bad.
--
My place : »www.schettino.us


DarkLogix
Texan and Proud
Premium
join:2008-10-23
Baytown, TX
kudos:3

Or if you're logged in as admin, a few seconds or less to click OK.



JohnInSJ
Premium
join:2003-09-22
San Jose, CA

said by DarkLogix:

Or if you're logged in as admin, a few seconds or less to click OK.

yep. And just a moment to ask yourself "did I do something that should need admin privs?"
--
My place : »www.schettino.us


aussiedog

join:2007-01-10
Colorado Springs, CO
reply to fan13027

You might consider running Microsoft EMET along with MSE.

Download:
»www.microsoft.com/en-us/download···id=29851

More information here:
»blogs.technet.com/b/srd/archive/···-v3.aspx

Also there is a small footprint utility called ThreatFire (PC Tools) that assists in realtime malware interception and is specifically aimed at rootkit detection.
--
If I can only find my keys...


redwolfe_98
Premium
join:2001-06-11
kudos:1
reply to fan13027

said by fan13027:

Final Update -- got the 4 files identified removed and did some basic cleanup. MS Security Essentials was still acting a bit flaky so I decided to completely uninstall and then re-install it.

As soon as I did that and rebooted the machine, the real culprit (that I assume brought in the trojan) was revealed. MS Security Essentials immediately complained about the presence of Alureon.E RootKit.

Used aswMBR from Avast and also Mini-Tool Partition Wizard

»www.bleepingcomputer.com/download/aswmbr/

to get rid of that nasty bugger and a bit more clean-up and all is now fine! Unsurprisingly, the machine runs much faster now, which was Dad's original complaint that got me started poking around.

That was the first RootKit I have ever dealt with in my life; it was fun and educational ... and I think I learned a lesson too (which I might apply to my own machine as well). To make life for Dad easier (he's 88 and not very tech savvy) I had turned off UAC on his machine when I first set it up for him about 4 years ago. After discussion with Dad and a "layman's explanation" of what it does, he said he could live with the annoyance -- UAC is definitely getting turned back on, on his machine.

fan13027, I would like to hear more about how you removed the malware. Did someone help you with that, or did you find some helpful information about how to do that?

I see what you said about using "aswMBR" and "MiniTool Partition Wizard" ... tell us more.


fan13027

join:2008-10-26
Winnipeg, MB

I had no help from anyone ... I consider myself "middling" as far as tech expertise is concerned ... not a pro by any stretch of the imagination, but far more savvy than "the average" user.

Based on symptoms from Dad's machine I was convinced he had some sort of virus. I ran MS Security Essentials, Malwarebytes Anti-Malware, and Super AntiSpyware -- all were run in Safe Mode on the Windows 7 machine.

All three products mentioned above FOUND NOTHING. That's when I decided to use a "rescue disc" -- weapon of choice was a free (downloaded from the Internet) Avira bootable rescue CD. This process found, and removed SOME portions of, a trojan it called FakeSysdef.jh.2. When the scan completed, I was informed it was unable to completely remove the trojan (four individual files were found, and while it renamed two of the files successfully, the other two remained intact).

I Googled the name of the trojan and that is when I discovered Microsoft Safety Scanner. That product was able to completely remove the files associated with the trojan.

I then rescanned with the original 3 pieces of software, MS Security Essentials, Malwarebytes, and Super AntiSpyware. Again they detected nothing.

After this there was some cleanup to do; it looks like the trojan hijacked Dad's browser, so all his favorites had to be recovered. Also a few other miscellaneous odds and sods.

MS Security Essentials was still acting a "little hinky" -- nothing specific I could put my finger on, but things just still seemed "odd". Because one of the four files discovered and removed was actually resident in a MS Security Essentials directory (C:/Program Data/Microsoft/Microsoft Security Essentials), I decided to be on the safe side and completely uninstall and then reinstall MS Security Essentials.

As soon as this was done, Security Essentials identified a new threat - Alurea.E (not sure of the correct spelling here) RootKit.

Again, Googling the rootkit name came to my rescue and led me to the "aswMBR" tool. This tool identified and confirmed (albeit a different version of) the Alurea rootkit. The software tried to fix the problem with an in-built Fix MBR component, but re-running the scan showed the rootkit to still be present - although now inactivated. Reading at the aswMBR (actually Avast - provider of the tool) website explained how the rootkit worked, how to find and identify it with partitioning software, and how to remove it.

Simply put, the rootkit creates a new HIDDEN partition (very small - about 1-3 MB) at the very end of the existing Windows partition. I simply used Partition Wizard to find and delete the hidden partition, and everything thereafter was fine.

When I read my words above, it all sounds so simple, but in actuality it took me about 20 hours over 2 days to do this all.

Bottom line, for me anyways (with my existing skill level), it all turned out to be the oft-repeated lesson - Google Is Your Friend.
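The "very small hidden partition at the very end of the existing Windows partition" described above is something a defender can check for by reading the MBR partition table from a known-clean boot environment. The following is an added example (not code from any poster in this thread, nor from aswMBR or Partition Wizard): it parses a 512-byte MBR and flags any small partition that starts past the end of the largest partition. The sample MBR is constructed, its partition type values are arbitrary sample values, and `read_mbr` takes a device path you supply (reading a physical disk requires elevated privileges).

```python
import struct

SECTOR = 512
PART_TABLE_OFFSET = 446      # four 16-byte entries start here
ENTRY_FMT = "<B3xB3xII"      # status, CHS start(skip), type, CHS end(skip), LBA start, sector count


def read_mbr(device_path):
    """Read sector 0 from a block device or a raw disk image (path is an assumption)."""
    with open(device_path, "rb") as f:
        return f.read(SECTOR)


def parse_mbr_partitions(mbr):
    """Return the non-empty primary partition entries of a 512-byte MBR as dicts."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xAA":
        raise ValueError("not a valid MBR: bad length or missing 0x55AA signature")
    parts = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(ENTRY_FMT, mbr, PART_TABLE_OFFSET + i * 16)
        if ptype == 0 or sectors == 0:
            continue  # unused slot
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors,
                      "lba_end": lba_start + sectors - 1})
    return parts


def suspicious_trailing_partitions(parts, max_size_mb=8):
    """Heuristic from the thread: small partitions that sit after the main (largest) partition's end.
    A hit is a lead for further inspection, not proof of infection (recovery partitions can look similar)."""
    if not parts:
        return []
    main = max(parts, key=lambda p: p["sectors"])
    limit = max_size_mb * 1024 * 1024 // SECTOR
    return [p for p in parts
            if p is not main and p["sectors"] <= limit and p["lba_start"] > main["lba_end"]]


def build_sample_mbr():
    """Constructed sample: a 100 GB NTFS-type partition followed by a 2 MB partition (type 0x17 chosen arbitrarily)."""
    main_sectors = 100 * 1024 * 1024 * 1024 // SECTOR
    entries = [(0x80, 0x07, 2048, main_sectors),
               (0x00, 0x17, 2048 + main_sectors, 2 * 1024 * 1024 // SECTOR)]
    mbr = bytearray(SECTOR)
    for i, (status, ptype, start, size) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, mbr, PART_TABLE_OFFSET + i * 16, status, ptype, start, size)
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)


if __name__ == "__main__":
    for p in suspicious_trailing_partitions(parse_mbr_partitions(build_sample_mbr())):
        print("suspicious small trailing partition: entry %d, %d sectors at LBA %d" % (p["index"], p["sectors"], p["lba_start"]))
```

On a real machine, compare the flagged entry against the partitions Disk Management or Partition Wizard displays; a partition the OS tools do not show but the raw table does is the case the thread describes.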