Tuesday, October 20, 2009

A Real Free Antivirus, Microsoft Security Essentials

Have you heard about this new product from Microsoft, Microsoft Security Essentials (MSE)? Likely yes. It's antivirus software, just like the products from well-known names such as Norton, Symantec, AVG and Kaspersky. The one big difference is that it's free from Microsoft! Of course, your Windows license has got to be a genuine one, not an RM10 copy from any IT store in this BullehLand, to install this security software.

As my antivirus subscription was expiring, and after reading through many positive reviews by reputable tech sites, I decided to switch to MSE for a try, and now let me share some user experience here. If you are looking for a thorough review, sorry, but google it.

I installed it on both my XP Pro and Vista Ultimate machines. No hiccup during the installation on Vista, but a little "freeze" when installing onto the XP Pro SP3...


I launched the Task Manager and observed that there were a few installation processes still going on with some activity. So if you plan to install it later and encounter something similar during your installation, just let it run and monitor the CPU processes; the installation should complete with no intervention required. Notice the MsMpEng.exe? It's the Windows Defender process. I am not sure if it contributed to the freeze, but the installer shut down the other related process, MsAsCUI.exe (the Windows Defender GUI executable), during the installation. Nevertheless, no harm done, just let the installer handle it.

Upon completion, if you take the default action, MSE will immediately connect to the internet for a virus pattern / definition update...


This takes a little while on both my XP and Vista machines. A quick scan is then started right after the update. At this time, all other tabs like History and Settings are disabled, so you can't configure anything until the update and scan are complete. Plus, you will see a red alert bar on the window and a red icon in the system tray...


So I suggest you have your coffee, or minimize it and continue to work on your stuff. Although a reboot was not required, I rebooted (after the quick scan) to see if any services / processes failed to load due to this new antivirus software.

After the reboot, I verified that everything stayed green, just like prior to the reboot (after the update and quick scan)...


Perfect, all services started smoothly and no errors were reported in the System and Application logs. Then I opened the MSE window and verified the settings. Unlike other antivirus software, there is not much to play with in MSE's Settings; I left everything at default except that I changed the schedule from every Sunday to daily. Since it was midnight, I decided to execute a full scan before I zzz. I was curious to know how much resources it would consume...


Notice the 2 MsMpEng.exe processes? As I mentioned earlier, one of these is the Windows Defender process. So if you are running XP and have Defender installed, you will get similar processes like above. One way to determine which process is MSE's is to run a scan while you have the Task Manager open. The one with fluctuation in the CPU column should be MSE. For example, PID 920 shown above is the MSE process with 39% CPU consumption. If you want to be absolutely sure, take note of the PID (Process ID; go to View --> Select Columns if you don't have it visible by default), launch Services from Control Panel - Administrative Tools, look for Microsoft Antimalware Service, right-click on it and select Restart...


Immediately you should see a big red warning rise from the bottom...



Let it be. It will settle by itself after you have successfully restarted the service, when everything turns from red to green.

From above, PID 920 is now gone and a new MsMpEng.exe process, PID 1988, is shown. So the MsMpEng.exe process with the new PID 1988 is the MSE process that you just restarted, whereas PID 1944 is the Windows Defender process. MSASCui and msseces are the GUI interfaces for Defender and MSE respectively. Why do I take the time to explain this? It's good if you understand and know what processes are running on your PC, so you can easily be alert when you see a weird process in the Task Manager; that could be a virus or an unwanted application installed by some aliens.

Now compare the memory usage. MSE with PID 920 consumed 67240K of memory when it was running a scan. After the service restart, MSE with PID 1988 consumes 43988K when idle. This is quite comparable to my previous antivirus service, which consumed around 35MB of memory when idle on the same machine, but slightly higher at around 80MB when running a scan.
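As an added example (my own PowerShell, not code from the post or from Microsoft), the following does the same PID mapping without restarting anything: Win32_Service reports the ProcessId of each running service, so the "Microsoft Antimalware Service" and "Windows Defender" display names from the post can be tied straight to their PIDs, memory and CPU time. It assumes Windows PowerShell 2.0 or later with WMI available; on Vista the Windows Defender row will point at an svchost.exe process instead of MsMpEng.exe.

```powershell
# Added example, not from the original post. Ties each antimalware service to its
# PID and memory usage so the MSE engine can be told apart from Windows Defender
# without restarting the service. Assumes Windows PowerShell 2.0+ with WMI.
# The display names matched below are the ones named in the post.

function Get-AntimalwareEngineReport {
    # Win32_Service exposes ProcessId for every running service: a hard mapping
    # from service to PID, instead of watching the CPU column fluctuate.
    $services = Get-WmiObject -Class Win32_Service |
        Where-Object { $_.DisplayName -match '^(Microsoft Antimalware Service|Windows Defender)$' }

    foreach ($svc in $services) {
        $proc = $null
        if ($svc.ProcessId -ne 0) {
            $proc = Get-Process -Id $svc.ProcessId -ErrorAction SilentlyContinue
        }
        New-Object PSObject -Property @{
            Service      = $svc.DisplayName
            State        = $svc.State                 # Running / Stopped
            StartMode    = $svc.StartMode             # Auto / Manual / Disabled
            PID          = $svc.ProcessId             # 0 when the service is stopped
            ProcessName  = $(if ($proc) { $proc.ProcessName } else { '-' })  # MsMpEng, or svchost on Vista
            WorkingSetKB = $(if ($proc) { [int]($proc.WorkingSet64 / 1KB) } else { 0 })
            CPUSeconds   = $(if ($proc) { [math]::Round($proc.CPU, 1) } else { 0 })
        }
    }
}

# The GUI front ends (msseces for MSE, MSASCui for Defender) are plain processes, not services.
function Get-AntimalwareGuiProcesses {
    Get-Process -Name msseces, MSASCui -ErrorAction SilentlyContinue |
        Select-Object ProcessName, Id,
            @{ Name = 'WorkingSetKB'; Expression = { [int]($_.WorkingSet64 / 1KB) } }
}

Get-AntimalwareEngineReport |
    Format-Table Service, State, StartMode, PID, ProcessName, WorkingSetKB, CPUSeconds -AutoSize
Get-AntimalwareGuiProcesses | Format-Table -AutoSize
```

Run it once while idle and once during a scan to see the WorkingSetKB and CPUSeconds columns move on the MSE row only, which is the same comparison the post makes by hand with the Task Manager.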

Since I ran a full scan right after uninstalling the old antivirus software and installing MSE, whatever the scan finds should be residuals that were missed by the old antivirus scanner. Here's the result...


Wow! That stunned me! I had just reformatted my hard disk not long ago and this copy of Windows should be a clean virgin, since I did not install any fancy weird software and have not visited any porn or warez sites from this machine (oh yeah, from another machine, yes)! Further review of the details relieved me...


Look at the virus location of one of the viruses: it's in the System Volume Information (SVI) folder, and most viruses were detected here. I recalled that I had removed a few of these viruses from that particular data partition after I reformatted the system drive and reinstalled Windows. Likely System Restore created restore points when the old antivirus software removed them. So they were not new viruses but contained / residual viruses, since I did not reformat the data partitions. There was one new detection by MSE in one of the nested-nested zip files (a zip file in a zip file in a zip file in a zip file, 4 layers of zip) that I have not accessed for years. That made me smile, not because of MSE, but because that was the virus I intentionally kept, a virus that I used to sabotage somebody's server during college time. :P

Overall, just like other reviews by tech sites, I am impressed with MSE as an ordinary user. I would say MSE may be in a more advanced position than any other antivirus software since the product is from Microsoft, the company that builds the operating system too. From my experience above, even though the old antivirus software detected and removed the viruses, it wasn't able to "re-detect" them once they were moved to the SVI folder by Windows' System Restore, since the SVI folder is access-restricted by default. In other words, the virus is there forever until you format the partition, which is unlikely to happen if that's a data partition that keeps your personal data. Like me: I have been formatting the system drive, but my data partitions/drives have stayed forever ever since I built this machine several years ago. On the new virus, I remember there was a setting to adjust the depth level to scan a nested zip file in the old antivirus software, and I think the default setting was 3 levels. This could be the reason that "my virus" was not detected, since it's 4 levels deep. There's no such setting available in MSE, so I guess MSE drills all the way down until it reaches the last zip file. I may be wrong in this assumption, though. Anyway, I have had MSE remove the virus already; it's an old, dated virus so I don't think I could use it to sabotage anyone unless the machine is running without antivirus software. I may also want to take some time to study the pros and cons of System Restore.

On my Vista machine, it's "eventless": no hiccup during installation, no virus was detected by the quick and full scans (even though I visited porn and warez sites :P), and no performance issue, with MSE consuming around 42MB of memory when idle...


Except that you will not see 2 MsMpEng processes. Windows Defender runs under svchost.exe in Vista, if you did not disable it.

So throw away your RM10 antivirus software CD from Ah Beng's IT store. Forget about keygens to crack or extend your antivirus software subscription. You never know whether the installer on the CD or downloaded from a torrent is virus free or has been injected with a trojan that can never be detected by the "infected antivirus software". Get a copy of MSE directly from the Microsoft website here. Read here and here if you want to manually update the virus definitions or your machine is not connected to the internet. It's your own judgment call whether to switch or to stay if you currently own a genuine copy of the latest antivirus software. It's hard to trust new security software if your current one has been proven to protect you for many years, just like me, until MSE proved itself. You may want to wait until your subscription expires, or until your current antivirus software has been hogging your system resources.
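One concrete way to act on the "is the installer really clean" worry above, as an added example (my own PowerShell, not code from the post or from Microsoft): check the installer's Authenticode signature before running it. A file repackaged on a pirated CD or a torrent typically shows up as unsigned, as a hash mismatch (altered after signing), or as signed by someone other than Microsoft. It assumes Windows PowerShell 2.0 or later; the file path at the bottom is a placeholder for wherever you saved the download from the Microsoft website.

```powershell
# Added example, not from the original post. Verifies that an installer carries a
# valid Authenticode signature chained to a trusted root and issued to Microsoft.
# Assumes Windows PowerShell 2.0+; the installer path below is a placeholder.

function Test-InstallerSignature {
    param([Parameter(Mandatory=$true)][string]$Path)

    if (-not (Test-Path -Path $Path)) {
        throw "File not found: $Path"
    }

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

    # Status values worth knowing:
    #   Valid        - file hash matches the signature and the chain ends in a trusted root
    #   HashMismatch - the file was modified after it was signed (repacked / injected)
    #   NotSigned    - no signature at all
    #   UnknownError - signature present but the chain could not be built or is untrusted
    $trusted = ($sig.Status -eq 'Valid') -and ($subject -match 'O=Microsoft Corporation')

    New-Object PSObject -Property @{
        Path    = $Path
        Status  = $sig.Status
        Signer  = $subject
        Trusted = $trusted
    }
}

# Placeholder path: replace with the installer you downloaded from the Microsoft website.
Test-InstallerSignature -Path "$env:USERPROFILE\Downloads\mssefullinstall-PLACEHOLDER.exe" |
    Format-List Path, Status, Signer, Trusted
```

Only run the installer when Trusted comes back True; a Valid signature from the wrong signer, or any other Status, means the file is not the one Microsoft published.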

UPDATE: I just learned that you don't need Windows Defender if you have MSE installed. On an XP machine, uninstall Windows Defender from Add/Remove Programs. On Vista, go to Administrative Tools - Services, look for Windows Defender, and set it to manual startup. If you are technical enough, go to the Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run to delete the entry too. Alternatively, you can use msconfig to disable it.
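Before and after following those steps, a quick read-only check (my own PowerShell, added here and not from the post or from Microsoft) tells you whether Windows Defender is still active next to MSE: it reads the Windows Defender service state and startup type, looks for the Microsoft Antimalware Service, and lists any Run-key entry under the registry path named above that launches the Defender GUI, MSASCui.exe. It changes nothing; the post's steps are what make the change. It assumes Windows PowerShell 2.0 or later.

```powershell
# Added example, not from the original post. Read-only audit of Windows Defender
# running alongside MSE: service state/startup type plus Run-key autostart entries.
# Assumes Windows PowerShell 2.0+; service display names and the Run key are from the post.

function Get-DefenderCoexistenceReport {
    $runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'

    $mse      = Get-Service | Where-Object { $_.DisplayName -eq 'Microsoft Antimalware Service' }
    $defender = Get-WmiObject -Class Win32_Service |
        Where-Object { $_.DisplayName -eq 'Windows Defender' }

    # Run-key values whose command line points at the Defender GUI executable
    $runEntries = @()
    if (Test-Path -Path $runKey) {
        $props = Get-ItemProperty -Path $runKey
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Value -is [string] -and $p.Value -match 'MSASCui\.exe') {
                $runEntries += ('{0} = {1}' -f $p.Name, $p.Value)
            }
        }
    }

    New-Object PSObject -Property @{
        MseInstalled       = [bool]$mse
        MseStatus          = $(if ($mse) { $mse.Status } else { 'absent' })
        DefenderPresent    = [bool]$defender
        DefenderState      = $(if ($defender) { $defender.State } else { 'absent' })      # Running / Stopped
        DefenderStartMode  = $(if ($defender) { $defender.StartMode } else { 'absent' })  # Auto / Manual / Disabled
        DefenderRunEntries = $runEntries
        # True means both engines are active at the same time, which is what the post says is unnecessary
        BothActive         = ([bool]$mse) -and ([bool]$defender) -and ($defender.State -eq 'Running')
    }
}

Get-DefenderCoexistenceReport |
    Format-List MseInstalled, MseStatus, DefenderPresent, DefenderState, DefenderStartMode, DefenderRunEntries, BothActive
```

After the XP uninstall, DefenderPresent should read False; after the Vista change, DefenderStartMode should read Manual and DefenderRunEntries should be empty once the Run entry is gone.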