Monday, April 18, 2011

Understanding Microsoft Anti-Malware Software

Please see the updated document which includes changes made in Microsoft Anti-Malware products since 2011:
Understanding Microsoft Anti-Malware Software 2012


~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

The release of the Microsoft Safety Scanner has resulted in confusion about the available anti-malware tools provided by Microsoft and questions about when they should be used. 

Before answering the questions, let's take a closer look at the products available from Microsoft.


Microsoft Security Essentials


Microsoft Security Essentials (MSE) is an antivirus, anti-malware, anti-spyware software providing real-time protection for your computer.  Microsoft Security Essentials is free for home users as well as small and medium businesses with up to ten (10) PC's.

MSE works on Windows 7, Windows Vista and Windows XP, however, your PC must run genuine Windows to install Microsoft Security Essentials.  Beware of rogue/scam offerings.  MSE can be downloaded from the Microsoft Safety & Security Center.

Definition updates for MSE are obtained automatically through the program or downloaded directly from the Microsoft Malware Protection Center (MMPC) Portal.  You may also be offered updates through Windows Update. 

Microsoft Safety Scanner


The Microsoft Safety Scanner is a no-frills scanner to help remove viruses, spyware, and other malicious software. The Microsoft Security Scanner will work with your existing antivirus software but it is not a replacement for a resident antivirus software program.

The Microsoft Safety Scanner works on Windows 7, Windows Vista and Windows XP.  There is no charge to use the Microsoft Safety Scanner and there is no requirement to prove Windows is genuine.

The Microsoft Safety Scanner expires ten (10) days after being downloaded. The reason for the expiration time is at the point of downloading the Microsoft Safety Scanner, it installs the most recent definitions from the MMPC Portal. Due to the frequency of definition updates, even after one day, the definitions are outdated.  The Microsoft Safety Scanner uses the same definitions that are used for Microsoft Security Essentials and Microsoft Forefront.

For instructions on the use of the Microsoft Safety Scanner, you may be interested in this brief tutorial:   How to Use the New Microsoft Safety Scanner


Malicious Software Removal Tool


The Malicious Software Removal Tool (MSRT) scans for select malware only. Microsoft releases an updated version of the MSRT on the second Tuesday of each month along with security updates.  Additional updates are added as needed to respond to security incidents.  The current list of targets for removal is available at Families Cleaned by the Malicious Software Removal Tool.  

The MSRT works on Windows 7, Windows Vista, Windows XP, Windows Server 2003, or Windows Server 2008 and is available from Microsoft Update, Windows Update and the Microsoft Download Center.

As explained in Microsoft KB Article 890830, the Microsoft Malicious Software Removal Tool is not a substitute for an antivirus software.  There is no real-time protection and, as shown in the above-referenced list of families cleaned, the MSRT is targeting specific prevalent malicious software that is actively running on the computer.

Microsoft Standalone System Sweeper Beta

Edit Note: *The Microsoft Standalone System Sweeper Beta has been renamed to "Windows Defender Offline Beta".

Microsoft Standalone System Sweeper Beta is a recovery tool currently available from Microsoft Connect.  The tool is not a general, all-purpose scanner.  Rather, it is to help help start an infected PC and perform an offline scan to help identify and remove rootkits and other advanced malware.

The Microsoft Standalone System Sweeper Beta can also be used in situations where an antivirus software fails to install or the program that is installed is unable to detect or remove malware from the computer. The Microsoft Standalone System Sweeper Beta uses the same definitions that are used for Microsoft Security Essentials and Microsoft Forefront.

For additional information on the Standalone System Sweeper see Setting Up the Microsoft Standalone System Sweeper Beta.

*See Windows Defender Offline Beta, formerly Standalone System Sweeper.

Windows Defender


Windows Defender is not an anti-malware software.  It is a free active system monitor that provides real-time protection against pop-ups, slow performance, and security threats caused by spyware and other unwanted software. Windows Defender can be installed on Windows XP and Windows Server 2003.  It was pre-installed on Windows Vista, Windows 7 and Windows Server 2008 (enabled if the Desktop Experience feature is installed).

Windows Defender can be downloaded from the Windows Download CenterNote:  Microsoft Security Essentials includes the anti-spyware engine of Windows Defender.  Thus, when installing MSE, Windows Defender is deactivated.

Microsoft Forefront


Microsoft Forefront comprises a product line of security products for business customers.  It is designed to be centrally managed and integrated into IT infrastructure products, such as Active Directory.  If your business has more than 10 PCs and, therefore, against the license terms to use MSE, consider Forefront.  Microsoft Forefront is intended to scale to many thousands of users.  It uses the same definitions as Microsoft Security Essentials and the Microsoft Safety Scanner.

Windows Intune


Windows Intune is an Enterprise Solution that provides PC Management and Security in the Cloud.  It is an end-to-end Microsoft solution that brings together Windows cloud services for PC management and endpoint protection with a Windows 7 Enterprise upgrade subscription.  Through the web-based console, IT Staff can centrally manage and secure all the company PCs.

Included in the numerous features of Windows Intune is malware protection, using the same definitions Microsoft Forefront and Microsoft Security Essentials.

Questions and Answers


Q.  Does the Microsoft Safety Scanner include all of the definitions included in the Malicious Software Removal Tool?
A.  Yes, at the time of download, the Microsoft Safety Scanner will include the same target families as the Malicious Software Removal Tool.  However, the Microsoft Safety Scanner includes more than specifically targeted prevalent malicious software.

Q.  Does the Malicious Software Removal Tool include definitions that are not included in the Microsoft Safety Scanner?
A.  No, although if the timing is such that additional targeted families or variants were added to the Malicious Software Removal Tool after the download of the Microsoft Safety Scanner, those families or variants would obviously not be in the already downloaded Microsoft Safety Scanner.

Q.  In terms of detection and removal, does the Microsoft Safety Scanner offer what the Malicious Software Removal Tool offers?
A.  The Malicious Software Removal Tool has specific malicious targets whereas the Microsoft Safety Scanner targets not only the same specifically targeted malicious programs as the Malicious Software Removal Tool, but also targets the same viruses, spyware, and other malicious software included in Microsoft Security Essentials and Microsoft Forefront.

Q.  Do users need both the Microsoft Safety Scanner and Malicious Software Removal Tool?
A.  The simple answer is No.  In point of fact, if you are using Microsoft Security Essentials as your antivirus product, you theoretically do not need either the Microsoft Safety Scanner or the Malicious Software Removal Tool.  However, there are instances where, for one reason or another, there is a problem updating MSE or the need to clean a computer that does not have Internet access.  Another valuable use of these tools is if your computer has a virus that your current antivirus software missed or is unable to remove.

Q.  Is their any point in running both the Microsoft Safety Scanner and Microsoft Security Essentials?
A.  No.  The Microsoft Safety Scanner uses the same definitions as Microsoft Security Essentials.  

Q.  How do I know if I have the latest definitions installed in Microsoft Security Essentials?
A.  The change log for the latest definitions for not only Microsoft Security Essentials but also Microsoft Forefront and Windows Defender is available from the Microsoft Malware Protection Center (MMPC) Portal.

Q.  Can I download both the 32 bit and the 64 bit versions of the Microsoft Safety Scanner to a USB stick and take to another computer to run the correct version for the destination machine?
A.  I suggest that you create a separate folder for each version of the download as both the 32-bit and 64-bit versions are named the same, as msert.exe.





Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...


22 comments:

  1. Thanks. What a miracle to find explanations in clear, common english!

    ReplyDelete
  2. Thank you for the kind words. I am glad you found the article helpful.

    ReplyDelete
  3. Thank you for your excellent comparison and, also, for your how-to post, regarding the newly released MS Security Scanner.

    Your articles are even better and thorough than anything found on the official Microsoft Security Scanner web site.

    With your useful observations on MS Security Scanner, I am now scanning my system to fight a Conficker infestation with it. I hope the MS Security Scanner will fix it and remove any conficker variants.

    Major thanks!

    PS. After a closer look, your entire site seems extremely helpful!! Added to my feeds. Hopefully, I will browse through your other posts, once this infestation is over.

    ReplyDelete
  4. Hi, Stelis.

    You are most welcome and thank YOU!

    If you are certain your computer is infected with Conficker, after cleaning, you need to get caught up with Microsoft Security updates. In addition, if you have used a USB stick/flash drive, most likely it will also need to be disinfected.

    Additional information is available at Conficker Worm | Virus Removal.

    ReplyDelete
  5. I recently came across a new antimalware software that Microsoft seems to be beta testing. It is called Microsoft Standalone System Sweeper and hosted on connect site - http://connect.microsoft.com/systemsweeper. It let me create a bootable USB using which I was able to clean my infected machine. I think it is a very good addition to the existing Microsoft security solutions.

    ReplyDelete
  6. My Avast program is reporting a possible heuristic malware program every morning...this is all I could copy
    \??\c:Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definitions\{DEF76937-3802-4B65-
    I have reported it to Avast, but I'm not sure I have all the file name.
    Could this be a problem? My other three security doesn't show any problems?
    Ken R

    ReplyDelete
  7. Hi, Ken.

    It is possible that Avast is reading the path wrong for Windows Defender definitions. The correct path on Windows XP for the Windows Defender defs does not include "\??\"

    C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates

    You could try scanning the file at Jotti and/or Virus Total:

    Jotti: http://virusscan.jotti.org/

    Virus Total: http://www.virustotal.com/

    ReplyDelete
  8. I really find your article useful. Thanks for sharing your knowledge!!

    ReplyDelete
  9. I currently have AVG 2011 Premium Security installed on my PC. Will Microsoft Essentials run on the same PC along with AVG Premium Security or will there be a conflict?

    Darrell

    ReplyDelete
  10. Hi, Darrell.

    It is not a wise move to run two active antivirus software programs on your computer. Doing so can, indeed, cause conflicts, regardless of which two are used. It can also affect performance.

    You can periodically scan your computer with the Microsoft Safety Scanner. ust be sure to download a fresh copy prior to scanning since you would want to use the most recent updates. See How to Use the New Microsoft Safety Scanner for additional information.

    ReplyDelete
  11. Thank you for the explanation. Clears it up for me.

    ReplyDelete
  12. Does "Microsoft Standalone System Sweeper Beta" need genuine windows 7?

    ReplyDelete
  13. Hi, jake_doc.

    Unlike Microsoft Security Essentials, there is no indication in the requirements that Windows Defender Offline Beta (formerly Standalone System Sweeper) be Genuine. That said, aside from the fact that using pirated software is another form of stealing, if your system is not Genuine, you are jeopardizing personal information on the computer.

    ReplyDelete
  14. Thank You So Much, Well Done, Kudo's, etc.

    ReplyDelete
  15. Hi, if I install MSE alongside Avast free which is already installed but turn off MSE's real protection OFF can I then use MSE as a second opinion "on demand" antivirus scanner? I can't see an issue with 2 AVs conflicting here as MSE becomes on demand with real time protection off?

    ReplyDelete
  16. Turning off MSE's real-time protection is merely disabling Windows Defender, the anti-spyware portion of the application. So, no, you should not install MSE as a second opinion.

    However, what you can do without concern for conflicts is use the Microsoft Safety Scanner. (Brief tutorial here: How to Use the New Microsoft Safety Scanner ~ Security Garden.)

    In addition, along with the regular second Tuesday of the month security updates, Microsoft includes an update to the Malicious Software Removal Tool, which provides another second check of your computer.

    ReplyDelete
  17. holaa! tengo un problema , me aparece activar el security essentials , pero me tira el error 0x800705b4 ... si podrian ayudarme se agradece mucho

    ReplyDelete
  18. Hi, Cristian.

    The 0x800705b4 error you are getting when attempting to activate Microsoft Security Essentials (MSE) could be caused from several things.

    Check that Windows Defender is disabled on Windows Vista or Windows 7 or or uninstalled on Windows XP.

    Also be sure you have uninstalled any previous antivirus software you had installed on the computer. (See this document for links to uninstallers: List of anti-malware product removal tools - Experts Community Wiki - Site Root - Windows Experts Community.)

    Additional information is available in this checklist: Microsoft Security Essentials - Installation Checklist and Frequently Asked Questions - Experts Community Wiki - Site Root - Windows Experts Community.

    ReplyDelete
  19. Thank you for explaining these apps so clearly. I just got a new computer that had both Windows Defender and a trial version of Norton on it. The pricey Norton expired and I uninstalled it.
    And there was Windows Defender, which I hadn't noticed before.

    So, is Windows Defender a full anti-malware app, or do I need something else to replace Norton?
























    ReplyDelete
  20. Yes, Windows Defender on Windows 8/8.1/8.1.1 is a full antivirus software.

    If you elect to use it instead of Norton, after uninstalling Norton, I strongly suggest you run the removal tool to remove the remnants. It is available here: Download and run the Norton Removal Tool to uninstall your Norton product

    Note: This article has been updated. The updated version is located at Understanding Microsoft Anti-Malware Software 2012

    ReplyDelete
  21. Thank you for your information about Windows Defender and MSE. I just spent over an hour on the phone with a tech who obviously did not know that.
    Thank you

    ReplyDelete

Neither spam nor comments containing vulgarities will be approved.