Microsoft Security Essentials review

What with twenty years’ experience in reviewing AV software, I figured I’d better try it out.

It’s not altogether terrible.  The fact that it’s free, and from Microsoft (and therefore promoted), might reduce the total level of infections, and that would be a good thing.

But even for free software, and from Microsoft, it’s pretty weird.

When I installed it, I did a “quick” scan.

That ran for over an hour on a machine with a drive that’s got about 70 Gb of material on it, mostly not programs.  At that point I hadn’t found out that you can exclude directories (more on that later), so it found my zoo.  It deleted nine copies of Sircam.

Lemme tell ya ’bout my zoo.  It’s got over 1500 files in it.  There are a lot of duplicate files (hence the nine copies of Sircam), and there are files in there that are not malware.  There are files which have had the executable file extensions changed.  But there are a great number of common, executable, dangerous pieces of malware in there, and the only thing MSE found was nine copies of Sircam.

(Which it deleted.  Without asking.  Personally, for me, that’s annoying.  It means I have to repopulate my zoo from backups.  But for most users, that’s probably a good thing.)

Now, when I went to repopulate my zoo, I, of course, opened the zoo directory with Windows Explorer.  And all kinds of bells and whistles went off.  As soon as I “looked” at the directory, the real-time component of MSE found more than the quick scan did.  That probably means the real-time scanner is fairly decent.  (In my situation it’s annoying, so I turned it off.  MSE is now annoyed at me, and continues to be annoyed, with big red flags on my task bar.)

MSE has four alert levels to categorize what it finds, and you have some options for setting the default actions.  The alert levels are severe (options: “Recommended action,” “Remove,” and “Quarantine”), high (options: “Recommended action,” “Remove,” and “Quarantine”), medium (options: “Recommended action,” “Remove,” “Quarantine,” and “Allow”), and low (options: “Recommended action,” “Remove,” “Quarantine,” and “Allow”).  Initially, everything is set at “Recommended action.”  I turned everything down to the lowest possible settings: I want information, not strip mining.  However, for most people it would seem to be reasonable to keep it at the default action, which seems to be removal for everything.

I don’t know where it puts the quarantined stuff.  It does have a directory at C:\Documents and Settings\All Users\Application Data\Microsoft Security Essentials, but no quarantined material appears to be there.

(I did try to find out more.  It does have help functions.  If you click on the “Help” button, it sends you to this site.  However, if you click on the link to explain the actions and alert levels, it sends you to this site.  If you examine those two URLs, they are different.  If you click on them, you go to the same place.  At that location, you can get some pages that offer you marketing bumpf, or watch a few videos.  There isn’t much help.)

You can exclude specific files and locations.  Personally, I find that extremely useful, and the only reason that I’d continue using MSE.  It does seem to work: I excluded my zoo before I did a full scan, and none of my zoo disappeared when I did the full scan.  However, for most users, the simple existence of that option could signal a loophole.  If I was a blackhat, first thing I’d do is find out how to exclude myself from the scanner.  (There is also an option to exclude certain file types.)

So I did a full scan.  That took over eight hours.  I don’t know exactly how long it took; I finally had to give up and leave it running.  MSE doesn’t report how long it took to do a scan; it only reports what it found.  (I suspect the total run was around ten or eleven hours.  MSE reports that a full scan can take up to an hour.)

While MSE is running it really bogs down the machine.  According to task manager it doesn’t take up much in the way of machine cycles, but the computer sure isn’t responsive while it’s on.

When I came back and found it had finished, the first thing it wanted me to do was send a bunch of suspect files to Microsoft.  The files were all from my email.  On the plus side, the files were all messages that reported suspect malware or Websites, so it’s possible that we could say MSE is doing a good job in scanning files and examining archives.  (On the other hand, every single message was from Sunbelt Software.  This could be coincidence, but it is also a fact that Sunbelt makes competing AV software, and was formerly associated with a company that Microsoft bought in its race to produce AV and anti-spyware components.)

Then I started to go through what Microsoft said it found, in order to determine what I had lost.

The first item on the list was rated severe.  Apparently I had failed to notice six copies of the EICAR test file on my machine.

Excuse me?  The EICAR test file?  A severe threat?  Microsoft, you have got to be kidding.  And the joke is not funny.

The EICAR test file is a test file.  If anyone doesn’t know what it is, read about it at EICAR, or at Wikipedia if you don’t trust EICAR.  It’s harmless.  Yes, a compatible scanner will report it, but only to show that your scanner is, in fact, working.

It shouldn’t delete or quarantine all copies it finds on the machine.
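To make concrete what a compliant scanner is actually matching on, here is an added example (not from the review, and not MSE code) that checks whether a file is a valid EICAR test file under the rules published by eicar.org: the 68-byte string must be at the very start, only whitespace (space, tab, LF, CR, Ctrl-Z) may follow, and the whole file must be at most 128 bytes. The `triage_samples` helper and its sample inputs are constructed here, so the function can be used to separate test-file copies from real samples when going through a quarantine list.

```python
# Checker for the EICAR anti-virus test file, following the rules
# published at eicar.org. Added example; not part of the review or MSE.

# The 68-byte string is assembled from two halves so that this script is
# not itself flagged by a scanner that matches the string anywhere in a file.
EICAR_STRING = (
    b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
    + b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
)
assert len(EICAR_STRING) == 68  # the specification fixes the length

# Trailing bytes the specification permits after the 68-byte string.
ALLOWED_PADDING = frozenset(b" \t\n\r\x1a")
MAX_LENGTH = 128


def classify_eicar(data: bytes) -> str:
    """Classify raw file bytes as 'eicar', 'eicar-with-padding' or 'not-eicar'.

    'eicar' is the bare 68-byte file; 'eicar-with-padding' is the string
    followed only by permitted whitespace within the 128-byte limit.
    """
    if not data.startswith(EICAR_STRING):
        return "not-eicar"
    if len(data) > MAX_LENGTH:
        # Spec: total file length must not exceed 128 bytes.
        return "not-eicar"
    tail = data[len(EICAR_STRING):]
    if not tail:
        return "eicar"
    if all(byte in ALLOWED_PADDING for byte in tail):
        return "eicar-with-padding"
    return "not-eicar"


def triage_samples(samples: dict) -> dict:
    """Map each sample name to its EICAR classification.

    `samples` is a constructed {name: bytes} mapping standing in for the
    files a scanner reported; nothing here touches the disk.
    """
    return {name: classify_eicar(data) for name, data in samples.items()}


if __name__ == "__main__":
    # Constructed sample set: two legitimate test-file copies, one renamed
    # copy (still EICAR: the name does not matter), and two non-matches.
    constructed = {
        "eicar.com": EICAR_STRING,
        "eicar.txt": EICAR_STRING + b"\r\n",
        "renamed.bin": EICAR_STRING + b" " * 60,      # exactly 128 bytes
        "oversized.txt": EICAR_STRING + b" " * 61,    # 129 bytes: not EICAR
        "notes.txt": b"this file merely mentions EICAR",
    }
    for name, verdict in triage_samples(constructed).items():
        print(f"{name}: {verdict}")
```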

MSE also said it quarantined fifteen messages from my email for having JavaScript shell code.  Unfortunately, it didn’t say what they were, and I wasn’t sure I could get them back.  I don’t know why they were deleted, or what the trigger was.  MSE isn’t too big on reporting details.  I don’t know whether these messages were simply ones that contained some piece of generic JavaScript, and got boosted up to “severe” level.  Given the EICAR test file experience, I’m not inclined to give Microsoft the benefit of the doubt.

After some considerable work, I did find them.  They seemed to be the “suspect” messages that Microsoft wanted.  And when I tried to recover them, I found that MSE had not quarantined them: they were left in place.  So, at the very least, at times MSE lies to you.

(I guess I’d better add my email directory to places for MSE not to scan.)

MSE quarantined some old DOS utilities.  It quarantined a bunch of old virus simulators (the ones that show you screen displays, not actual infectors).  (Called them weird names, too.)

MSE quarantined Gibson Research’s DCOMbob.exe.  This is a tool for making sure that DCOM is disabled on your machine.  Since DCOM was the vector for the Blaster worm (among others), and is really hard to turn off under XP, I find this rather dangerous.

OK, final word is that I can use it.  I’ll want to protect certain areas before I do, but that shouldn’t be too much of a concern for most users.

You might want to make sure Microsoft isn’t reading your email …

  • Sigh

    You complain that MS Security Essentials (which I am not looking to defend) quarantined/deleted EICAR. “Yes, a compatible scanner will report it, but only to show that your scanner is, in fact, working.
    It shouldn’t delete or quarantine all copies it finds on the machine.”

    Really?

    From EICAR’s site that you linked to: “The test file will be treated just like any other real virus infected file. ”

    From the Wiki article you linked to: “A compliant virus scanner, when detecting the file, will respond in exactly the same manner as if it found genuinely harmful code.”

  • MS Hate is boring

    Your inability to withhold your obvious MS hatred really makes this review almost useless.

    Based on the few pieces of information that are actually useful in between the MS hate, it sounds like this scanner is a pretty good product.

  • http://jbrownsec.blogspot.com jbrown

    Nice review, thanks for sharing.

  • attrition

    Thanks for the review, I appreciate your calling it as you see it.

    -b

  • Jay S

    The author’s knowledge of how AV scanners handle EICAR test files is laughable. “20 years of experience” hasn’t served him well at all. In all, a pretty useless review.

  • Rob Morgan

    If MSE is that good, then why is its malware detection worse than Malwarebytes’ Anti-Malware? Maybe because it is made by the same outfit who dumped on poor losers Windows Live OneCare and Windows Defender. Funny how all the Redmond fanbois talk up MSE but we all know they use Avira or Nod!

  • cletus

    I like how he bags out MSE for finding and removing the things it’s actually installed to do. It’s an odd review. I don’t think that a “Zoo” file pretty much made up of malware and viruses is something an AV should treat lightly.

  • DC

    Now I read another review here at arstechnica (http://arstechnica.com/microsoft/news/2009/09/first-look-microsoft-security-essentials-impresses.ars). Now that seems more like a proper review. Go read the part about the EICAR test file =/

  • http://www.BeyondSecurity.com Aviram

    @DC – With all due respect to ars technica, the quality of AV’s isn’t how well they handle EICAR. The fact that MSE can block *a* virus, and the most tested virus on the planet, doesn’t tell you how well it will deal with the less known, more sophisticated versions.
    The fact that MSE didn’t clean Rob’s entire “zoo” is something to really worry about.

  • http://www.fernandojfernandez.com Fernando

    What scared me was the part in the spynet disclaimer about possible sending them identifiable information.

  • bob

    If someone goes to the trouble of publishing a review to share their experience, it is not necessary to bag it on the basis of your own prejudices.

    1. Yes – could have expressed the EICAR thing better
    2. This is a security specialist sharing her/his insights – wouldn’t you be interested to know that the scanner isn’t very good at scanning and finding viruses ? [the ZOO]
    3. Interesting observation about Sunbelt Software emails. If this is more than just a coincidence MS have something to answer

    I was considering using this product with Windows 7. I will read other reviews but will probably wind up buying AV software I can trust.

  • Jeff

    I do not know if the MSE engine has been updated since the review came out, but my experiences were considerably faster than the ones in this article.

    Full scan of about 700,000 items, 250GB took about 1 hour and 11 minutes.

    On a different PCs, scanning time has been on par with that, roughly around 200 GB of data per hour.

    I realize that systems differ and mileage may vary, but that is a huge difference.


  • max

    Wow, it took 1hr for 70gb? Mine was done in minutes with 288gb filled on a quick scan, and I only have a 2.26ghz Core 2 duo. Not to mention it fixed 2 virus issues right away that my avira antivir couldn’t and it’s never done anything wrong. I think it’s a great tool, especially alongside another antivirus. MSE also only leaves a footprint of 7000kb on my RAM in idle, and I can even watch movies and do many other things when it’s scanning at full bore :)

  • Mark Stewart

    Just a little update on this bit of garbage.

    I happily installed and trusted this application (who else knows windows better than the guys who wrote it ?)

    However.

    Today I had to remove by hand a.exe, b.exe, c.exe and msa.exe … all trojans and downloading extra ones by the hour. I must have picked them up in a “drive by” ActiveX component … all my mail is read online, I never download anything email connected.

    Standard malware packages detected them all (after noticing a real slowdown of the network), MSE ignored them all … not a good show really.

    I’ll be going back to Avira or Avast

    Rob’s mention of his Zoo not being completely discovered is the most worrying aspect of this review … MS fanboys beware, this product is not protecting you

  • Bichey

    MSE seems to be a KICKASS anti-virus program. I was infected with MSA.exe, b.exe which MSE failed to detect.

    Now installed NOD32 & I am safe from those ugly viruses

  • http://blogs.securiteam.com/index.php/archives/1324 MS Fan

    I am going to install it to-night.

  • pastorbob

    I do not understand why your full system scan took “ten or twelve hours” to complete. I have three hard drives that total 1 terabyte on my system. They contain over 30,000 files that add up to a couple of hundred gig of data. My full scan with Security Essentials took about 1-1/2 hours to complete. Perhaps it is the type of files that you have, who knows. Anyhow, I have read several reviews of Security Essentials and yours is the only one that was so negative and scored it low. Given your complaints about the way it handled the EICAR I suspect you have a very strong anti-Microsoft bias. Perhaps you should take up a different line of work?

  • Shawn

    Quirky review, to be sure. I’ve used McAfee/NAI since the DOS days, and have trusted the enterprise product on a campus environment for over a decade, with no serious issues in that time. However, after reading good reviews of MSE, I have installed it on several home PCs (including three of my own) which were already running the latest McAfee VS Enterprise. I was quite surprised to find it found trojan files (not infections) on one of my home PCs that McAfee missed, and a similar result on a known infected PC where McAfee also found nothing.
    For a free product, it does pretty well. McAfee has some explaining to do…

  • Eric

    Eight hours? Really? Wow, looks like your MS hatred is shining through. I did a full scan on a Pentium IV, 256 MB RAM XP machine with a 120 GB HDD that had 92 GB occupied by pictures, movies and music and it only took right at an hour to perform a full scan. And that was a laptop, mind you.

  • George

    Useless review. When you say that the DCOM feature is really hard to turn off in XP, it just shows your lack of current knowledge. This hasn’t been an issue since 2004 when that Service Pack was released.

    And the fact that MSE identified and removed the DCOMbobulator from GRC, shows that MSE knows a thing or two! The DCOMbobulator does exactly what an exploit program would do by testing that port! Hello!!!

    It’s sad that this review could be read by someone and taken seriously. It’s full of false assumptions and lack of knowledge. And no, I don’t work for MS!

  • Randy

    I just tried it myself. Here’s a review

    Pros:
    -Can actually find malware in zip, gzip, 7zip, and a bunch of other archive files.
    -Free

    Cons:
    -Resource Hog. Ever since I installed it MsMpEng.exe takes up about 10% of CPU all day long. I turned off “Real-time protection” and it’s even giving me the scary red colors to prove it.
    -No monitor. There’s no way to know if it’s currently doing a scan or not and of course no way to stop a scan in progress. Killing MsMpEng.exe works for a short while until it somehow starts up again in a few minutes. I guess I could write a kill script to execute in a loop.
    -Not integrated. I was doing a full scan and of course it was taking all night. There were Microsoft updates and the computer rebooted itself. Good-bye full-scan. It didn’t even start over or at least show the little that it found in some sort of log. It just stopped scanning.

    I’m totally willing to pay for good Anti-Virus protection, but who do you trust? I would think Microsoft would have some skin in the game to salvage their reputation as an unsafe OS (see conficker). I guess this tough economy forced MS to give this assignment to a few college interns or maybe a group of guys from some overseas sweat-shop. Good effort guys, but maybe try some standard software engineering practices before adding features like animated systray icons and losing features like “stop all scans”.

  • Tester

    Tested MSE on one system @ 80GB HDD, plainly full of documents, 512MB RAM, and a 1.6 GHz Processor, Single-Core (Intel E1200), and an Intel 865GV series chipset (ASRock ConRoe865GV), with preinstalled Windows XP SP2. Works perfectly fine, ‘cept that it had trouble when updating with a wrong system time. Maybe an error on my side. Overall, just fine.
    Time of (full) scan: Approx. 1.25 hours – 1.5 hours.
    Forgotten to check on the quick scan.
    Notes: similar to Windows Defender in start, although it is quite quicker. Also, uses at least 40% in CPU consumption, but other programs worked properly. Even tried running a couple of games, alongside Adobe CS3 apps, and the programs ran quite okay.

    Overall, a neat and lite AV that’s free (for this case). Will try in a higher spec pc and check results.

  • Mac

    Randy.. 10% ? Granted I am reading reviews on the web and not actively working a document or have database files open .. but when I do start something, like a VPN session into work the MsMpEng.exe process spikes for a second or less but most of the time it is stilling idle (0%). When I connect using remote desktop or close my VPN session there are small spikes of 2-24% for a second or less. My laptop is running XP SP3 — newley reloaded, 1 CPU (

  • Tester

    p1, can I ask you to make a portable copy of your ‘zoo’ in a zip file? I also want to test out if your findings will equal mine on a heavily infected, file-laden pc.

  • Bichey

    I am sure that even Bill Uncle don’t use Microsoft Security applications in his own computer for the poor performance of the same.

    He must be using Kaspersky or NOD32

  • Agellius

    Whatever people may say about the accuracy or correctness of the review, I enjoy your writing style.

  • Suman Sesham

    Hi All,
    I used MS Essentials today (08/01/2010). My computer was infected with renos trojans. I have ESET AV installed on my PC. It never deleted these, but always detected them. I searched through the internet to find the solution for this. Installed many softwares suggested and edited registries etc. But nothing fixed the issues.

    After I installed MS Essentials, it ran a quick scan and after a few moments it detected these viruses and asked whether to remove these infected files. I said yes and it took 5 minutes to remove them and after a reboot everything was ok.

    I strongly suggest to use this….

  • Garry

    Been running MSE for 4 months, every week, on a scheduled scan, after using Norton for 2 years, which by the way, ought to be an operating system instead of an anti-virus. Have tried AVG which likes to hide and doesn’t seem to do much. I also run malwarebytes as an option, about every 2 weeks. It’s good, and doesn’t run in the background and doesn’t take up much space. NO virus scanner will catch everything. Both of these programs do a good job and do not take over your system. I have used them both to clean several other desktops/laptops that were riddled with viruses and they would each catch a couple things the other did not. My advice? Don’t put all your eggs in one basket. I like MSE, but nothing else from MS. Don’t use IE, Outlook, or any other lame MS product. But this one is simple, quick, and is at least as effective as any other protection I have used since 1995. If you want to know if it is running BTW, check the r/lower corner of the toolbar. It will show a green castle type icon with an “arrow” spinning in the center. Yes, rocket science.

  • Richard K

    Your review is crap, and so is your blog.

    I have gotten better results with MSE than with ANY other free utility, and for that matter most purchased anti virus software over the years.

    It is light weight, for sure. Not as fast as some, but fast enough.

    20 years of experience….my ass.

  • Rob Stansbury

    Computer was protected by CA, it started acting up, CA found nothing with manual or real time scan. Uninstalled and installed MSE, it found 9 trojans and some adware, did a great job removing all but 1, it kept coming back after reboot. I booted to safe mode and scrubbed it manually. Now all is fine, very light on resources and seems to do a great job protecting the computer!

  • Josh

    I personally find MSE to be at least better than the other free solutions (and less annoying) and from a corporate environment it beats McAfee (though what doesn’t?).

    I just wanted to add some personal experience on the full scan times. I decided to let it do a full scan on my 320gb drive with 215 in use (dual core processor), no folder exclusions and checking in archives. I ended up canceling the job after 9 hours when it was time to go home.

    I have it set to run a quick scan weekly at lunch hour and have yet to see it still running when I return from eating.

  • Al

    Don’t put all your eggs in one basket, hmmmmmm…

    I am not an IT pro but I am responsible for the IT estate here in our office, 3 desktops and 7 laptops.

    Recently I upgraded everyone to Windows 7 and Office Enterprise. During that upgrade I stumbled across MSE. I installed it initially on my own machine and I liked it. I have now installed it on all the others and done away with the AVG free edition we were using.

    MSE picked up trojans on a couple of the machines that AVG had obviously missed, asked me what I wanted to do with them and then got rid of them. I ran a full scan on all machines (using default settings on MSE) varying disk sizes from 160 to 500 GB and from memory the scan took no longer than an hour or so. I think I would have remembered if it took longer.

    So for me and for a free AV programme MSE is excellent….

  • Patrick

    Thank you for the most biased, almost useless review I’ve read in a long time

  • http://glitter.rr.nu Dennis Teel

    He’s reporting his experiences with this product. I believe he had problems with the software for some reason. Regardless of the reason, whether it’s fault of his own or not, it’s still his personal evaluation and it’s wrong to take that from him by sarcasm. There’s a lot of reviewers on the net that talk bad about software like AVG free and Panda Cloud, even though I find that the two products are awesome. But I don’t throw sarcasm at people doing bad reviews about them. I take it with a grain of salt is all and continue to use the software.
    I’ve used MSE and I like it. But I’m not going to throw mud at someone that posts a bad review of it. There’s such a thing called the freedom to disagree and the maturity to disagree without throwing sarcasm.

  • http://none B

    I’ll stick to my AVG and Spybot combo, TYVM. Nice review. It’s also funny to see all the responses from people who feel the need to defend Microsoft because that’s what their machine came pre-loaded with. “Microsoft is awesome, because they told me so!” LOL

  • sp1ke0k1ll3r

    So with 20 years reviewing AV software, but didn’t know you might have to adjust settings etc before you use it?

  • boysha

    Let me see…Microsoft made Windows. Windows is used all over the World and is by far the most popular OS on Earth. The fact that it sucks is not important. What is important, however, is the fact that if Microsoft released something FREE it is gaining something with it. The fact that this software goes through the entire system of all their owners is telling me that, aside from “fixing” it it is also scanning it for other purposes. My guess, to find out what is out there on our machines. Yes, it is free but probably because it was well paid by some corporation or Government agency…It is an easy way of controlling what we do, say or think…
    Do I trust it? Not ever!

  • Name

    *Yawn* MS bashing is getting old. Hardly an objective article. Next!

  • ZebPointen

    This review almost put me off trying MSE, and I’m rather glad it didn’t, as I’ve been satisfied with the program thus far.

    I installed it a couple of months ago when my sub for Kaspersky ran out. It’s intercepted one nasty Trojan since (I had maybe three in four years with Kaspersky), but I’ve run Kaspersky’s online scanner and found nothing else. I have to assume that despite its relative lack of intrusion MSE does the job.

    I can only think that on these systems where it’s taking ages to scan it’s getting in a tussle with remnants of previously installed scanners, as a full scan on mine, which has a 698 gig HD with 128 gigs free, has just completed after 1 hour and 41 minutes.

  • http://www.gdiusa.ws GDI

    So do you recommend Microsoft Security Essentials or not? And, is it better than McAfee or Norton, two popular programs?

  • http://securiteam Dude

    I used to feel protected by MSE. A month later a trojan made its way in via a Java exploit. Next thing I know a red house is sitting in the corner of my task bar. I booted into safe mode with networking and downloaded AVG Free 9.0 and removed the trojan. Not a problem since.