Microsoft Security Essentials Fails Test – Short Analysis Of Results

Recently Microsoft Security Essentials (MSE), the antivirus provided by Microsoft and installed by default on Windows 8, failed to gain certification from AV-TEST, an organization that tests AV software based on specific criteria.

MSE got a 1.5/6.0 for protection, 3.5/6.0 for repair, and 5.5/6.0 for usability

In terms of protection, it seems to do really poorly. It actually does alright, but it’s 0day protection is terribly low – enough to pull the entire score down quite a lot.

But as you can see from other AVs, the higher the rate of 0day detection the higher the performance hit and the higher the number of false positives. Why? Because the heuristics engines run longer and are much more sensitive.

So it’s obvious that Microsoft is prioritizing removal and usability far above 0day detection. They absolutely excel in low false positives, whereas the highest rated AVs have quite a large number by comparison.

So what about 0day malware? Well, on Windows 8 where MSE is installed by default there’s a system wide SmartScreen, Microsoft’s reputation based filter for detecting 0day malware. Clearly they’re separating the security into components – MSE for removal and detection of known malware, and SmartScreen for detection of 0day malware.

So take the entire score into consideration, take the entire system into consideration, before deciding whether MSE is worth using.

Source:

http://www.av-test.org/en/tests/home-user/windows-7/sepoct-2012/

Just Set Up A Computer For Someone Who’s Never Had One

I’ve just finished setting up a computer for someone who’s only ever had a work computer, which isn’t connected to the internet. They share a laptop with someone but rarely use it.

Today I helped them pick out a system, Dell, and I got them started. One really interesting thing I saw was that Dell packaged the Java plugin… an out of date Java plugin. So right off the start my friend was running Java 7.1 (wtf?), which is something like 3 patches behind.

So, naturally, I updated it and installed EMET, which I set Java to use (and changed default Windows 7 settings for DEP Always On). The system also came with Webroot security. I actually think Webroot’s pretty good but I don’t have enough personal use with it to trust it and I’m pretty sure it isn’t free, which means it’ll bug my friend in a few months and he’ll be at risk.

So I removed Webroot and put in Microsoft Security Essentials. Why? For the low false positives and direct Microsoft support.

I also put Google Chrome on the system. I can not explain to someone that they need to use NoScript when they’ve never used a personal computer – they will hate me. Chrome is the only way I can keep him secure without ever getting in his way. The Chrome sandbox is “silent” and that’s really important as this guy is likely very vulnerable to social engineering having never been exposed to it in the past.

I think he’ll be fine. With 5 minutes I’ve set his system up in such a way as to be very difficult to exploit through the most common ways (browser, plugins) and Microsoft Security Essentials is good enough and quiet enough that he should be able to trust it.

You Don’t Need An Antivirus With Windows 8

With Windows 8 out a lot of users are wondering whether they need antivirus with Windows 8, or if they need to pay for an antivirus, or do something else entirely. In my opinion if you’ve been paying for an antivirus for Windows XP, Vista, or 7, you can consider cancelling that next subscription if you’re moving to 8. In my last post about Windows 8 security I glazed over Microsoft Security Essentials and I wouldn’t call what I said ‘positive.’ For my quick non-security oriented review of Windows 8 Release Preview click here.

This post will highlight why MSE is the type of antivirus a consumer needs and why it might be the right choice for Windows 8 users.

Microsoft Is Best Suited For The Job

The fact is that Microsoft created Windows. It’s a closed source project and antivirus companies spend a ton of money just trying to figure it out. Microsoft has a massive advantage here. They know what their code is like, they know where there’s most likely to be a hole, they have the ability to “tap” systems with crash reports or opt-in data collection on a level no antivirus company can ever match. They simply have the most data.

The fact that only Microsoft has access to the source code is one major reason why you should be trusting them to secure your system.

Years Of Practice

We’re a long way away from Windows XP. Windows is not so full of holes as it used to be, Vista brought many security mitigation techniques and a new MAC system to the operating system and Windows 8 expands further on that with new techniques and a new MAC system.

The Windows system has been hacked and torn apart for years and Microsoft has not sat idly by. The company has created new tools such as EMET, which are very effective at what they do. They’ve seriously improved their patch response time and there simply is no comparison between Windows 8 security and Windows XP.

Microsoft has seen years of malware. They know what they’re up against and at this point you’d better believe they know a few ways to fight back.

Reinforced Throughout The Operating System

Microsoft has made it clear that Microsoft Security Essentials is just one layer. Windows 8 also includes SmartScreen, a reputation based heuristics filter that acts system wide to inform and protect users from unknown files that are potentially dangerous. The focus of SmartScreen is on 0day malware and samples that an antivirus might normally not catch.

Where MSE stops SmartScreen begins, picking up slack. Antiviruses are inhibited by their inability to deal with the unknown, something that they will always struggle with. SmartScreen aims to specifically deal with the unknown using heuristics based on file reputation. File reputation essentially checks how “popular” the file is – how many systems it’s been seen on. Only a major company could pull off something like this and Microsoft is absolutely the best company for it – no antivirus can be installed on more Windows systems than exist.

Windows 8 Was Built With MSE In Mind

The fact is that Microsoft didn’t built Windows 8 thinking “let’s create a system that works great with Sophos and Mcafee” they built a system to work with MSE and they built MSE to work with the system. Layered security means understanding which layers are important and which needs to be covered, having full control over every layer leads to a potentially more secure system.

Consistent Heuristic Scores And Low False Positives

AV-comapratives.com “grades” antivirus software and Microsoft Security Essentials does fairly well. It’s not amazing but it’s not terrible, and that’s fine because it’s reinforced by other areas of Windows. What it is, consistently, is quiet. Heuristics is basically a way of “guessing” something – you use heuristics for spam filters, antivirus, language analysis, anything where you need to guess. Naturally this is going to lead to wrong guesses and in an antiviruses case that’s a false positive. MSE has very few false positives, often the lowest or second lowest compared to other antiviruses. Almost all of the antiviruses that get higher heuristic detection scores also have tons of false positives (you can see the correlation) and I think that having few false positives is just as important as having high detection rates.

If my AV is constantly telling me that files that I know are good are actually bad I won’t trust it. And when the time comes and the file I think is good is actually bad and my AV alerts me I simple won’t believe it. We’re all familiar with The Boy Who Cried Wolf, same principal here.

So Is Windows 8 Impregnable?

Well, while I’m very pleased that Microsoft has stepped up its security I think there is still need for some set up to get the system closer to where it should be. I still don’t consider Windows 8 to be as secure as my own configured Linux system but there are significant improvements and for the average user I think we can expect things to go smoothly.

Much of what’s in Windows 8 is untested and may not work out well in the real world. I’m optimistic about some features and not so much about others. Time will tell. I’ve had the Windows 8 Developer Preview, Consumer Preview, and now Release Preview all installed so I have a fair bit of experience with it though.

And, of course, as Windows 8 popularity rises so will hackers interest in bypassing its features so it’s still important to take the extra measures and to keep up with patches. MSE has consistently had decent heuristics with low false positives, which I think is very important.