What with twenty years experience in reviewing AV software, I figured I’d better try it out.
It’s not altogether terrible. The fact that it’s free, and from Microsoft (and therefore promoted), might reduce the total level of infections, and that would be a good thing.
But even for free software, and from Microsoft, it’s pretty weird.
When I installed it, I did a “quick” scan.
That ran for over an hour on a machine with a drive that’s got about 70 Gb of material on it, mostly not programs. At that point I hadn’t found out that you can exclude directories (more on that later), so it found my zoo. It deleted nine copies of Sircam.
Lemme tell ya ’bout my zoo. It’s got over 1500 files in it. There are a lot of duplicate files (hence the nine copies of Sircam), and there are files in there that are not malware. There are files which have had the executable file extensions changed. But there are a great number of common, executable, dangerous pieces of malware in there, and the only thing MSE found was nine copies of Sircam.
(Which it deleted. Without asking. Personally, for me, that’s annoying. It means I have to repopulate my zoo from backups. But for most users, that’s probably a good thing.)
Now, when I went to repopulate my zoo, I, of course, opened the zoo directory with Windows Explorer. And all kinds of bells and whistles went off. As soon as I “looked” at the directory, the real-time component of MSE found more than the quick scan did. That probably means the real-time scanner is fairly decent. (In my situation it’s annoying, so I turned it off. MSE is now annoyed at me, and continues to be annoyed, with big red flags on my task bar.)
MSE has four alert levels to categorize what it finds, and you have some options for setting the default actions. The alert levels are severe (options: “Recommended action,” “Remove,” and “Quarantine”), high (options: “Recommended action,” “Remove,” and “Quarantine”), medium (options: “Recommended action,” “Remove,” “Quarantine,” and “Allow”), and low (options: “Recommended action,” “Remove,” “Quarantine,” and “Allow”). Initially, everything is set at “Recommended action.” I turned everything down to the lowest possible settings: I want information, not strip mining. However, for most people it would seem to be reasonable to keep it at the default action, which seems to be removal for everything.
I don’t know where it puts the quarantined stuff. It does have a directory at C:\Documents and Settings\All Users\Application Data\Microsoft Security Essentials, but no quarantined material appears to be there.
(I did try to find out more. It does have help functions. If you click on the “Help” button, it sends you to this site. However, if you click on the link to explain the actions and alert levels, it sends you to this site. If you examine those two URLs, they are different. If you click on them, you go to the same place. At that location, you can get some pages that offer you marketing bumpf, or watch a few videos. There isn’t much help.)
You can exclude specific files and locations. Personally, I find that extremely useful, and the only reason that I’d continue using MSE. It does seem to work: I excluded my zoo before I did a full scan, and none of my zoo disappeared when I did the full scan. However, for most users, the simple existence of that option could signal a loophole. If I was a blackhat, first thing I’d do is find out how to exclude myself from the scanner. (There is also an option to exclude certain file types.)
So I did a full scan. That took over eight hours. I don’t know exactly how long it took, I finally had to give up and leave it running. MSE doesn’t report how long it took to do a scan, it only reports what it found. (I suspect the total run was around ten or eleven hours. MSE reports that a full scan can take up to an hour.)
While MSE is running it really bogs down the machine. According to task manager it doesn’t take up much in the way of machine cycles, but the computer sure isn’t responsive while it’s on.
When I came back and found it had finished, the first thing it wanted me to do was send a bunch of suspect files to Microsoft. The files were all from my email. On the plus side, the files were all messages that reported suspect malware or Websites, so it’s possible that we could say MSE is doing a good job in scanning files and examining archives. (On the other hand, every single message was from Sunbelt Software. This could be coincidence, but it is also a fact that Sunbelt makes competing AV software, and was formerly associated with a company that Microsoft bought in its race to produce AV and anti-spyware components.)
Then I started to go through what Microsoft said it found, in order to determine what I had lost.
The first item on the list was rated severe. Apparently I had failed to notice six copies of the EICAR test file on my machine.
Excuse me? The EICAR test file? A severe threat? Microsoft, you have got to be kidding. And the joke is not funny.
The EICAR test file is a test file. If anyone doesn’t know what it is, read about it at EICAR, or at Wikipedia if you don’t trust EICAR. It’s harmless. Yes, a compatible scanner will report it, but only to show that your scanner is, in fact, working.
It shouldn’t delete or quarantine all copies it finds on the machine.
After some considerable work, I did find them. They seemed to be the “suspect” messages that Microsoft wanted. And when I tried to recover them, I found that MSE had not quarantined them: they were left in place. So, at the very least, at times MSE lies to you.
(I guess I’d better add my email directory to places for MSE not to scan.)
MSE quarantined some old DOS utilities. It quarantined a bunch of old virus simulators (the ones that show you screen displays, not actual infectors). (Called them weird names, too.)
MSE quarantined Gibson Research‘s DCOMbob.exe. This is a tool for making sure that DCOM is disabled on your machine. Since DCOM was the vector for the Blaster worm (among others), and is really hard to turn off under XP, I find this rather dangerous.
OK, final word is that I can use it. I’ll want to protect certain areas before I do, but that shouldn’t be too much of a concern for most users.
You might want to make sure Microsoft isn’t reading your email …