Tuesday, 10 December 2013

Understanding Microsoft Anti-Malware Software
Microsoft provides a variety of security products for both consumers and business environments.  With multiple products available, there are bound to be questions and, occasionally, confusion about which product to use.

This article is presented to help clarify questions about the variety of Microsoft anti-malware products.  (Updated:  15JUL2013)

Microsoft Security Essentials

Microsoft Security Essentials (MSE) is antivirus, anti-malware and anti-spyware software providing real-time protection for your computer.  Microsoft Security Essentials is free for home users as well as small and medium businesses with up to ten (10) PCs.  If your business has more than 10 PCs and it is therefore against the license terms to use MSE, consider System Center 2012 Endpoint Protection, described below.

MSE works on Windows 7, Windows Vista and Windows XP.  However, your PC must run genuine Windows to install Microsoft Security Essentials.  Beware of rogue/scam offerings and only download Microsoft Security Essentials from the Microsoft Safety & Security Center.

Definition updates for MSE are obtained automatically through the program or downloaded directly from the Microsoft Malware Protection Center (MMPC) Portal.  You may also be offered updates through Windows Update. 

Windows Defender (Windows 8)

Adding to the confusion between the anti-spyware program named Windows Defender and the boot-scan tool Windows Defender Offline is the Windows Defender installed on Windows 8. In addition to including all of the same features as Microsoft Security Essentials, Windows Defender on Windows 8 interfaces with Windows secured boot, a new Windows 8 protection feature.

On a PC that supports UEFI-based Secure Boot, Windows secured boot will help ensure that all firmware and firmware updates are secure.  By loading only properly signed and validated code in the boot path, the entire Windows boot path up to the anti-malware driver will be checked to ensure that it has not been tampered with. 
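The protection described above only applies when the PC is actually booted with UEFI Secure Boot enabled, so a quick check is worthwhile before relying on it.  The following script is an added example, not code from the original post; it uses the Confirm-SecureBootUEFI cmdlet that ships with Windows 8 (it must be run from an elevated PowerShell prompt), and the assumption that the cmdlet throws PlatformNotSupportedException on legacy BIOS machines is this example's, so a generic catch is kept as well.

```powershell
# Added example: report whether this Windows 8 PC is booted with UEFI Secure Boot,
# the foundation of the "Windows secured boot" feature described in the post.
# Confirm-SecureBootUEFI is a built-in Windows 8 cmdlet; run from an elevated prompt.
function Get-SecureBootState {
    try {
        $enabled = Confirm-SecureBootUEFI -ErrorAction Stop
        if ($enabled) {
            return 'Secure Boot: enabled'
        }
        return 'Secure Boot: supported by the firmware but currently disabled'
    }
    catch [System.PlatformNotSupportedException] {
        # Assumption of this example: non-UEFI (legacy BIOS) boot raises this exception.
        return 'Secure Boot: not supported (legacy BIOS or non-UEFI boot)'
    }
    catch {
        # Any other failure (for example, not elevated) is reported rather than hidden.
        return "Secure Boot: could not be queried ($($_.Exception.Message)); run from an elevated prompt"
    }
}

Get-SecureBootState
```

If the result is anything other than "enabled", the boot-path validation the post describes is not in effect, and the signed-code guarantee stops at whatever the firmware itself enforces.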

Like Microsoft Security Essentials, definition updates for Windows Defender on Windows 8 are obtained automatically through the program or downloaded directly from the Microsoft Malware Protection Center (MMPC) Portal.  You may also be offered updates through Windows Update.

Note:   Do not attempt to install Microsoft Security Essentials on Windows 8.  It is incompatible with Windows 8.  Windows Defender on Windows 8 incorporates the antivirus engine of Microsoft Security Essentials.  If you elect to install a different antivirus product on Windows 8, Windows Defender will be disabled.

Microsoft Safety Scanner

The Microsoft Safety Scanner is a no-frills scanner to help remove viruses, spyware, and other malicious software. The Microsoft Safety Scanner will work alongside your existing antivirus software, but it is not a replacement for a resident antivirus program.

The Microsoft Safety Scanner works on Windows 7, Windows Vista and Windows XP.  There is no charge to use the Microsoft Safety Scanner and there is no requirement to prove Windows is genuine.

The Microsoft Safety Scanner expires ten (10) days after being downloaded. The reason for the expiration is that, at the time of download, the Microsoft Safety Scanner includes the most recent definitions from the Microsoft Malware Protection Center (MMPC) Portal. Because definitions are updated so frequently, they are outdated after even one day.  The Microsoft Safety Scanner uses the same definitions that are used for Microsoft Security Essentials and Microsoft Forefront.

For instructions on the use of the Microsoft Safety Scanner, you may be interested in this brief tutorial:   How to Use the New Microsoft Safety Scanner.

Malicious Software Removal Tool

The Malicious Software Removal Tool (MSRT) scans for select malware only. Microsoft releases an updated version of the MSRT on the second Tuesday of each month along with security updates.  Additional updates are added as needed to respond to security incidents.  The current list of targets for removal is available at Families Cleaned by the Malicious Software Removal Tool.  

The MSRT works on Windows 7, Windows Vista, Windows XP, Windows Server 2003, or Windows Server 2008 and is available from Microsoft Update, Windows Update and the Microsoft Download Center.

As explained in Microsoft KB Article 890830, the Microsoft Malicious Software Removal Tool is not a substitute for antivirus software.  There is no real-time protection and, as shown in the above-referenced list of families cleaned, the MSRT is targeting specific prevalent malicious software that is actively running on the computer.

Windows Defender Offline

Originally named Microsoft Standalone System Sweeper, the released tool was renamed "Windows Defender Offline". The original tool had long been a part of the Microsoft Diagnostics and Recovery Toolset (DaRT) for Microsoft Enterprise customers.

Windows Defender Offline is a recovery tool currently available from Microsoft.  The tool is not a general, all-purpose scanner and is not a replacement for an updated antivirus program.  Rather, it is to help start an infected PC and perform an offline scan to identify and remove rootkits and other advanced malware.

Windows Defender Offline can also be used in situations where antivirus software fails to install or the program that is installed is unable to detect or remove malware from the computer.

A unique feature of Windows Defender Offline is that if a rootkit or other advanced malware is detected on your PC by Microsoft Security Essentials, Windows Defender, Forefront Endpoint Protection or System Center Endpoint Protection, you will be prompted to download and run Windows Defender Offline.

For additional information on setting up and scanning with Windows Defender Offline, refer to the tutorial created under the former name, Standalone System Sweeper, at Setting Up the Microsoft Standalone System Sweeper Beta, Now Windows Defender Offline.

Windows Defender (Anti-Spyware)

Windows Defender anti-spyware software is available for installation on Windows XP and Windows Server 2003.  Windows Defender is pre-installed on Windows Vista, Windows 7 and Windows Server 2008 (enabled if the Desktop Experience feature is installed).  It is not anti-malware software.  Rather, it is a free active system monitor that provides real-time protection against pop-ups, slow performance, and security threats caused by spyware and other unwanted software.

Windows Defender can be downloaded from the Windows Download Center.

Note:  Microsoft Security Essentials as well as Windows Defender on Windows 8 include the anti-spyware engine of Windows Defender.

Microsoft Forefront

The Microsoft Forefront product line was revamped, with most of the product line discontinued, although maintenance and support continues through the standard Microsoft support product life cycle. (See Important Changes to Forefront Product Roadmaps.)

Remaining in the product line are Forefront Unified Access Gateway 2010 and Forefront Identity Manager 2010 R2, security products for business customers.  These products are designed to be centrally managed and integrated into IT infrastructure products.

Microsoft Forefront is intended to scale to many thousands of users.  It uses the same definitions as Microsoft Security Essentials and the Microsoft Safety Scanner.

Microsoft Exchange Online Protection

The Exchange Online Protection service was formerly called Forefront Online Protection for Exchange.  It is a spam filtering and anti-malware service integrated with Office 365 services.

Windows Intune

Windows Intune is an Enterprise Solution that provides PC Management and Security in the Cloud.  It is an end-to-end Microsoft solution that brings together Windows cloud services for PC management and endpoint protection with a Windows 7 Enterprise upgrade subscription.

Through the web-based console, IT staff can centrally manage and secure all the company PCs.  Windows Intune includes support for Windows RT, Windows Phone 8, iOS, and Android platforms.

Included in the numerous features of Windows Intune is malware protection, using the same definitions as Microsoft Forefront and Microsoft Security Essentials.

System Center 2012 Endpoint Protection

Microsoft System Center 2012 Endpoint Protection was previously known as Forefront Endpoint Protection 2010.  System Center 2012 Endpoint Protection provides the ability to consolidate desktop security and management in a single solution.

System Center 2012 Endpoint Protection is built on System Center 2012 Configuration Manager.  It provides a single, integrated platform that reduces your IT management and operating costs.

Questions and Answers

Q.  Does the Microsoft Safety Scanner include all of the definitions included in the Malicious Software Removal Tool?
A.  Yes, at the time of download, the Microsoft Safety Scanner will include the same target families as the Malicious Software Removal Tool.  However, the Microsoft Safety Scanner includes more than specifically targeted prevalent malicious software.

Q.  Does the Malicious Software Removal Tool include definitions that are not included in the Microsoft Safety Scanner?
A.  No, although if the timing is such that additional targeted families or variants were added to the Malicious Software Removal Tool after the download of the Microsoft Safety Scanner, those families or variants would obviously not be in the already downloaded Microsoft Safety Scanner.

Q.  In terms of detection and removal, does the Microsoft Safety Scanner offer what the Malicious Software Removal Tool offers?
A.  The Malicious Software Removal Tool has specific malicious targets whereas the Microsoft Safety Scanner targets not only the same specifically targeted malicious programs as the Malicious Software Removal Tool, but also targets the same viruses, spyware, and other malicious software included in Microsoft Security Essentials and Microsoft Forefront.

Q.  Do users need both the Microsoft Safety Scanner and Malicious Software Removal Tool?
A.  The simple answer is No.  In point of fact, if you are using Microsoft Security Essentials as your antivirus product, you theoretically do not need either the Microsoft Safety Scanner or the Malicious Software Removal Tool.  However, there are instances where, for one reason or another, there is a problem updating MSE or the need to clean a computer that does not have Internet access.  Another valuable use of these tools is if your computer has a virus that your current antivirus software missed or is unable to remove.

Q.  Is there any point in running both the Microsoft Safety Scanner and Microsoft Security Essentials?
A.  No.  The Microsoft Safety Scanner uses the same definitions as Microsoft Security Essentials.  However, if Microsoft Security Essentials detects a rootkit or other advanced malware on your computer, you may be prompted to run Windows Defender Offline.

Q.  Can I download both the 32-bit and the 64-bit versions of the Microsoft Safety Scanner to a USB stick and take them to another computer to run the correct version for the destination machine?
A.  I suggest that you create a separate folder for each version of the download as both the 32-bit and 64-bit versions are named the same, as msert.exe.
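Since both builds share the name msert.exe and the tool expires ten days after download, a small launcher on the USB stick avoids running the wrong build or a stale copy.  The script below is an added example, not part of the original post or of the Safety Scanner itself.  It assumes the two downloads are stored as x86\msert.exe and x64\msert.exe under the folder the script is run from (the folder names are this example's convention), that the file's last-write time reflects when it was downloaded, and that the /N detect-only switch is accepted by msert.exe (taken from the tool's own usage text, not from the post).  It uses the PROCESSOR_ARCHITECTURE environment variables rather than newer .NET properties so that it also works on the Windows XP era PowerShell mentioned in the post.

```powershell
# Added example: choose the msert.exe build matching this machine and refuse
# to run a copy older than the Safety Scanner's 10-day expiry.
param(
    [string]$Root = (Get-Location).Path,   # folder holding x86\ and x64\ subfolders (example convention)
    [int]$MaxAgeDays = 10                  # expiry stated in the post
)

function Get-ScannerPath {
    param([string]$BaseFolder)
    # A 32-bit PowerShell on 64-bit Windows reports x86 in PROCESSOR_ARCHITECTURE
    # but AMD64 in PROCESSOR_ARCHITEW6432, so both variables are checked.
    $is64 = ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64') -or ($env:PROCESSOR_ARCHITEW6432 -eq 'AMD64')
    $archFolder = if ($is64) { 'x64' } else { 'x86' }
    return (Join-Path (Join-Path $BaseFolder $archFolder) 'msert.exe')
}

function Test-ScannerFresh {
    param([string]$Path, [int]$Days)
    # Returns $true when the downloaded file is still within the expiry window.
    $age = (Get-Date) - (Get-Item $Path).LastWriteTime
    return ($age.TotalDays -le $Days)
}

$scanner = Get-ScannerPath -BaseFolder $Root
if (-not (Test-Path $scanner)) {
    Write-Error "No msert.exe found for this architecture at $scanner"
    exit 1
}

if (-not (Test-ScannerFresh -Path $scanner -Days $MaxAgeDays)) {
    Write-Warning "$scanner is more than $MaxAgeDays days old; its definitions have expired. Download a fresh copy before scanning."
    exit 2
}

Write-Host "Running $scanner (definitions are within the $MaxAgeDays-day window)"
# /N runs a detect-only scan (assumed switch; see lead-in). Remove it to allow cleaning.
& $scanner /N
exit $LASTEXITCODE
```

Copy the script to the root of the stick next to the two folders and run it from an elevated prompt on the destination machine; the exit codes 1 and 2 are this example's own and distinguish "wrong layout" from "expired download" so the failure is obvious before any scan starts.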

Q.  How do I know if I have the latest definitions?
A.  The change log for the latest definitions for not only Microsoft Security Essentials but also Microsoft Forefront and Windows Defender is available from the Microsoft Malware Protection Center (MMPC) Portal.

Q.  I installed Microsoft Security Essentials and now Windows Defender isn't available.  Why?
A.  The anti-spyware engine and real-time protection of Windows Defender are incorporated in Microsoft Security Essentials and Windows Defender on Windows 8.

Q.  Does Microsoft provide server and cloud security software and services?
A.  Windows Intune provides both PC management and cloud security features.  For Microsoft servers, the Microsoft System Center 2012 Endpoint Protection consolidates desktop security and management in a single solution.
