24 Hours with Microsoft Security Essentials

Well… after being one of the lucky 75,000 individuals to get a copy of the Security Essentials beta, I’ve finally had a chance to play around with it.  My first impression… not bad!  This is the story of my last 24 hours:

The installation file was small, roughly 7MB, downloaded and installed quickly on my Windows XP SP3 virtual machine. The install was your typical install requiring license acceptance and Genuine Advantage verification to ensure I’m not running a pirated version of Windows.  Once installation was complete the software started, downloaded updates, and performed a scan of my system.

The GUI was very basic and straightforward, without the complexity of a McAfee or Norton suite. Remember, this product is antivirus and antispyware only. Because it doesn't carry the bloat of a suite product, it makes for a simple setup. The configuration settings had everything you'd expect from antivirus software: scheduling of scans, default actions on detection, exclusions for both file types and processes, and real-time protection. I want to give Microsoft props for including automatic restore point creation prior to applying actions on detected viruses. As a security practitioner, I use tools throughout the course of my daily activities that are classified by most antivirus vendors as malicious. Poof! Right in the middle of using a tool, it disappears. Now I can bring that tool back to life with the click of a button.

Privacy advocates beware! By installing Security Essentials, you agree to become part of the Microsoft SpyNet network. By default you are placed into basic membership; with the click of a button you can change over to advanced membership. What's the difference? The amount of personal information Microsoft collects about you. You can read the Privacy Statement at http://oca.microsoft.com/en/dcp20.asp to find out what information is collected.

Whenever I install new software I like to see what it added, configured, or changed on my settings.  Here are a few things I’ve discovered about Security Essentials:

  • The executable is msse.exe, located at C:\program files\microsoft security essentials
  • The software is launched from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • Scheduled scan jobs are placed in the system Task Scheduler as MP Scheduled Scan.job, which runs MpCmdRun.exe with the Scan -ScheduleJob -WinTask -RestrictPrivilegesScan command-line switches
  • A shell extension file named shellext.dll is added to HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers
  • MsMpSvc is added as a service.
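The footprint above is the kind of thing you can capture mechanically instead of hunting for by hand. The script below is an added example, not code from the original post or from Microsoft: it snapshots the four autostart locations the list touches (the HKLM Run key, installed services, scheduled tasks, and the all-files context-menu handlers, resolving each handler's CLSID to its DLL) and diffs two snapshots taken before and after an install. It assumes PowerShell with WMI available and that `schtasks /query /fo CSV /v` emits "TaskName" and "Task To Run" columns; the object shape and the diff output format are my own choices.

```powershell
# Added example (not from the original post): snapshot autostart locations
# and diff a "before install" snapshot against an "after install" one.

function Get-AutostartSnapshot {
    $items = @()
    $psNoise = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

    # 1. HKLM Run key: each value name is a program, the data is its command line.
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($p in $run.PSObject.Properties) {
            if ($psNoise -notcontains $p.Name) {
                $items += New-Object PSObject -Property @{
                    Location = 'Run'; Name = $p.Name; Value = [string]$p.Value }
            }
        }
    }

    # 2. Services: Win32_Service exposes the binary path as PathName.
    foreach ($svc in Get-WmiObject Win32_Service) {
        $items += New-Object PSObject -Property @{
            Location = 'Service'; Name = $svc.Name; Value = [string]$svc.PathName }
    }

    # 3. Scheduled tasks via schtasks (present on XP and later). Assumption:
    #    the verbose CSV carries "TaskName" and "Task To Run" columns.
    $tasks = schtasks /query /fo CSV /v 2>$null | ConvertFrom-Csv
    foreach ($t in $tasks) {
        if ($t.TaskName -and $t.TaskName -ne 'TaskName') {
            $items += New-Object PSObject -Property @{
                Location = 'Task'; Name = $t.TaskName; Value = [string]$t.'Task To Run' }
        }
    }

    # 4. Context-menu handlers for every file type. Each subkey's default value
    #    is a CLSID; resolve it through HKCR\CLSID\{...}\InprocServer32 to the DLL.
    #    -LiteralPath is required because the key name contains '*'.
    $cmh = 'HKLM:\SOFTWARE\Classes\*\shellex\ContextMenuHandlers'
    foreach ($k in Get-ChildItem -LiteralPath $cmh -ErrorAction SilentlyContinue) {
        $clsid = (Get-ItemProperty -LiteralPath $k.PSPath).'(default)'
        $dll = $clsid
        if ($clsid) {
            $srv = Get-ItemProperty -LiteralPath "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" `
                                    -ErrorAction SilentlyContinue
            if ($srv) { $dll = $srv.'(default)' }
        }
        $items += New-Object PSObject -Property @{
            Location = 'ContextMenu'; Name = $k.PSChildName; Value = [string]$dll }
    }
    return $items
}

function Compare-AutostartSnapshot($Before, $After) {
    # Key each entry by location and name so the same service/task/value
    # can be matched across the two snapshots.
    $old = @{}; foreach ($i in $Before) { $old["$($i.Location)|$($i.Name)"] = $i.Value }
    $new = @{}; foreach ($i in $After)  { $new["$($i.Location)|$($i.Name)"] = $i.Value }
    $diff = @()
    foreach ($k in $new.Keys) {
        if (-not $old.ContainsKey($k)) {
            $diff += New-Object PSObject -Property @{ Change = 'Added'; Key = $k; Value = $new[$k] }
        } elseif ($old[$k] -ne $new[$k]) {
            $diff += New-Object PSObject -Property @{ Change = 'Changed'; Key = $k; Value = "$($old[$k]) -> $($new[$k])" }
        }
    }
    foreach ($k in $old.Keys) {
        if (-not $new.ContainsKey($k)) {
            $diff += New-Object PSObject -Property @{ Change = 'Removed'; Key = $k; Value = $old[$k] }
        }
    }
    return $diff
}

# Usage: snapshot before the install, snapshot after, then diff.
#   Get-AutostartSnapshot | Export-Clixml before.xml
#   ... install the product ...
#   Get-AutostartSnapshot | Export-Clixml after.xml
#   Compare-AutostartSnapshot (Import-Clixml before.xml) (Import-Clixml after.xml) |
#       Sort-Object Change, Key | Format-Table Change, Key, Value -AutoSize
```

Run it from an elevated prompt so the service list and HKLM keys are fully readable. For a product like this the "Added" rows should line up with the five items above; anything else in the diff (a second Run entry, an extra handler, a task pointing somewhere other than the install directory) is what deserves a closer look.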

I'm sure the AV testers are banging away pretty hard at Security Essentials right now. I know a lot of security practitioners who'd love to be the first to find a flaw in Microsoft's solution. Supposedly AV-Test has run it through the mill, throwing 3,200 viruses, bots, and trojans at it, but I've been unable to find anything on their site. You can read a Computerworld report here.

