


Microsoft Security Essentials Misses 39% of Malware

Barence writes "The latest tests from Dennis Publishing's security labs saw Microsoft Security Essentials fail to detect 39% of the real-world malware thrown at it. Dennis Technology Labs (DTL) tested nine home security products on a Windows 7 PC, including Security Essentials, which is distributed free to Windows users and built into Windows 8 in the form of Windows Defender. While the other eight packages all achieved protection scores of 87% or higher — with five scoring 98% or 99% — Microsoft's free antivirus software protected against only 61% of the malware samples used in the test. Microsoft conceded last year that its security software was intended to offer only "baseline" performance."


  • by NoNonAlphaCharsHere ( 2201864 ) on Friday December 20, 2013 @08:25PM (#45750595)
    Microsoft Windows hosts 99.999% of malware.
  • Actual Reports (Score:5, Informative)

    by mythosaz ( 572040 ) on Friday December 20, 2013 @08:26PM (#45750601)
    • Re:Actual Reports (Score:5, Insightful)

      by mythosaz ( 572040 ) on Friday December 20, 2013 @08:33PM (#45750643)

      7.2 Threat selection
      The malicious web links (URLs) used in the tests were not provided by any anti-malware vendor. They were picked from lists generated by Dennis Technology Labs’ own malicious site detection system, which uses popular search engine keywords submitted to Google. It analyses sites that are returned in the search results from a number of search engines and adds them to a database of malicious websites.
      In all cases, a control system (Verification Target System - VTS) was used to confirm that the URLs linked to actively malicious sites.
      Malicious URLs and files are not shared with any vendors during the testing process.

      In other words, you get to take his word for it, and we don't know what failed or why.

      • by msauve ( 701917 )
        Not just that. I'd be more interested in a metric which considers the real-world prevalence of a threat. They're not equal, failure to block a common threat is much worse than failure to block a rarely encountered one.
        • Re:Actual Reports (Score:5, Informative)

          by hairyfeet ( 841228 ) <bassbeast1968@gma i l .com> on Saturday December 21, 2013 @04:34AM (#45752415) Journal

          I have an even better question: how much of the stuff did he just ignore what MSE told him and keep on installing? How much was an actual failure, i.e. a drive-by or zero warning from MSE, and how much was deliberate PEBKAC?

          As a PC builder and repairman I have more experience than most when it comes to bugs and AVs (disclosure: I give customers Comodo or Avira, depending on how big PEBKAC they are) and I use MSE on my gaming system, and here is the thing...while MSE will TELL you, it won't yank the keyboard out of your hand and slap your wrists. You can say "I choose to ignore this" and click a single button and bypass the block. Now some AVs very much WILL yank the keyboard from you; in fact I recently stopped giving out Avast because it had gotten SO aggressive that even if you told it that it was a false positive and to let it run? It would just straight up ignore you.

          But here are the two things you must keep in mind if you choose to run MSE: 1. It doesn't do shit as far as webpages; in fact I don't think I have ever seen MSE block a single webpage no matter what was on it, so using a browser that runs in low-rights mode is a must, and 2. It was originally Giant AntiSpy and so that is what it works best on; it's not really any good at blocking the social-engineering based attacks we see a lot today, the "Hey it's your BFF (insert name) on (insert chat client) and I found this great page, just click here!" where the person is then led to a page full of zero-days type of attack.

          That said, frankly you shouldn't be giving MSE to your clueless types anyway; that is what a sandboxing AV like Comodo or one that holds their hand like Avira is best at. What MSE is for is your non-clueless who aren't gonna be doing PEBKAC shit and just want a lightweight AV to scan executables and add another layer to their defenses. It was never designed to be the end-all be-all; you got half a dozen free AVs that do that particular job VERY well, but all of them do a HELL of a lot more scanning and thus take up more cycles, and when I'm gaming or editing audio/video? I NEED those cycles, thanks anyway.

          My Win 7 system has been running MSE since RTM in Oct 09 and it's clean as a whistle; then again I run a low-rights browser with ABP (a good 85% of bugs IME come from infected ads), don't run strange executables and don't click on email links either. If you are smart enough to show common sense on the web? MSE is fine. If not? Comodo, Avira, Avast, you have choices.

          • I switched from Avira due to constant obnoxious upgrade offers some time ago. If they've gotten better on that I might reconsider - but Avast works fine if you're willing to whitelist a process and then reboot. I mostly run into false positives with flash drives, so all it takes is unplug and replug in that case. What really pisses me off is, as you say, "yanking the keyboard away" and forcibly removing useful utilities which Norton/Mcafee tend to do regularly without the option to cancel. I've taken to set

            Have you tried Comodo AV? You seem like you know what you are doing, and Comodo AV lets you get more fine-grained than any AV that I have seen. You can tweak the sandbox, the scanning engine; you can tweak pretty much every single behavior of the entire thing so it does what YOU want it to. The reason I don't hand it to my PEBKAC users is that it isn't very hand-holding; it treats you like an adult that at least understands a tiny bit about security, which AVs like Avira and Avast don't.

              As far as Avast its g

              • I recall having tried Comodo some time ago, and found that it actually had more options than I wanted. Not that control is a bad thing, but going through a training process where you get interrupted every 5 minutes for a couple weeks by processes asking for permission to run is more trouble than it's worth for me. I like that feature in a firewall, but not so much an AV.

                However, I do most of my security on the browser side with NoScript/NotScripts/AdBlock where most of the garbage doesn't even get onto the

          • If you're smart enough to use a decently secure browser, you don't run strange executables or click on ads, and you don't open strange email attachments, you really don't need antivirus. If you run anything other than Windows, doubly so.
      • by vux984 ( 928602 )

        Is it clear that the malicious URLs actually hosted different payloads? Or did MSE and McAfee just get hammered by the same virus strain 30 times?

        I realize that if a strain is common and being missed, it's a big deal, but it does distort the picture greatly if they just keep testing the same "gap" in security over and over again.

        There is also the question of what some of this stuff is and whether or not it's even within MSE's purview. Kaspersky Internet Security and NIS etc. are full system protection -- they
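        The two objections above (msauve's wish for a prevalence-weighted metric, and vux984's worry that one missed strain served 30 times is counted 30 times) can be made concrete with a small scoring routine. The following is an added illustration for this thread, not code from DTL or from either commenter; every sample name, family label, prevalence share and block/miss verdict in it is constructed, and the prevalence figures are assumptions, not measured data.

```python
"""Prevalence-weighted protection score with per-family de-duplication.

Added illustration for the thread above, not code from the DTL report.
Every sample name, family, prevalence share and verdict below is
constructed for the example; the prevalence figures are not measured data.
"""


def _batch(family, prevalence, blocked, n):
    """Build n constructed samples of one family sharing one verdict."""
    return [(f"{family}-{i:02d}", family, prevalence, blocked) for i in range(n)]


# Constructed test log: (sample_id, family, prevalence_share, blocked).
# prevalence_share is the assumed fraction of real-world infections that the
# family accounts for.  Rare.C is deliberately served ten times to mimic the
# "same gap tested 30 times" problem raised in the thread.
SAMPLES = (
    _batch("FakeAV.A", 0.40, True, 3)
    + _batch("Banker.B", 0.30, True, 2)
    + _batch("Rare.C", 0.05, False, 10)
    + _batch("Dropper.D", 0.25, False, 1)
)


def raw_protection_score(samples):
    """Headline-style figure: blocked samples divided by all samples."""
    return sum(1 for _, _, _, blocked in samples if blocked) / len(samples)


def dedupe_by_family(samples):
    """Collapse repeated samples of one family into a single verdict.

    A family counts as blocked only if every one of its samples was blocked,
    so a genuine miss is never hidden by repeated successes on that family.
    Returns a list of (family, prevalence_share, blocked).
    """
    verdict, prevalence = {}, {}
    for _, family, share, blocked in samples:
        verdict[family] = verdict.get(family, True) and blocked
        prevalence[family] = share
    return [(f, prevalence[f], verdict[f]) for f in verdict]


def family_protection_score(samples):
    """Unweighted score after de-duplication: blocked families / all families."""
    families = dedupe_by_family(samples)
    return sum(1 for _, _, blocked in families if blocked) / len(families)


def prevalence_weighted_score(samples):
    """Share of real-world prevalence that the product actually stops."""
    families = dedupe_by_family(samples)
    total = sum(share for _, share, _ in families)
    covered = sum(share for _, share, blocked in families if blocked)
    return covered / total


def report(samples):
    """All three views side by side, as fractions in [0, 1]."""
    return {
        "raw": raw_protection_score(samples),
        "per_family": family_protection_score(samples),
        "prevalence_weighted": prevalence_weighted_score(samples),
    }


if __name__ == "__main__":
    for name, value in report(SAMPLES).items():
        print(f"{name:>20}: {value:6.1%}")
```

        On the constructed log the raw score is 31%, because ten copies of one rarely seen family drag it down, the per-family score is 50%, and the prevalence-weighted score is 70%, because the two families that were stopped account for most of the assumed infections. The family-level verdict is deliberately strict: one miss on a family marks the whole family as missed, so de-duplication never hides a real gap.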

      • Re:Actual Reports (Score:4, Insightful)

        by TapeCutter ( 624760 ) on Friday December 20, 2013 @09:57PM (#45751075) Journal
        Yes, vendor A says vendor B's free product sucks. I put MSE on my win7 boxes after the free AVG let something through earlier this year. The virus tricked win7 into thinking an infected system file was a good thing. Interestingly MSE was the only one of three free virus scanners I tried that picked up the infection.

        However there was a catch-22, since MSE stubbornly refused to install itself until the infected file was gone and win7 kept restoring the infected file at boot up. The pragmatic developer in me gave up digging further down that particular rabbit hole. I realise I was now also fighting a win7 immune system that the virus had usurped, but I knew how it got in and that was enough to convince me to change the scanner I'd been using since the late 90's. First time in at least 10 years I've had to wipe my own windows system disk because of an infection.

        Why yes, IAACS, but the above experience with MSE is a personal anecdote, not a professional opinion.
        • by cusco ( 717999 )

          My wife's family is in Peru, and her nieces and nephews send her emails and such from the Internet cafes. MSE has caught everything but one ever since it was first introduced, and that one was only because she accidentally clicked 'OK'. Even then the MSE bootable CD cleaned it.

        • by mlts ( 1038732 )

          Almost all AV software is (to borrow a British term) bollocks. One time interval, one AV offering is at the top of the heap. Next time interval, same package is now getting stomped on by other tests, and some tests are not really objective.

          Every other OS out there except Windows runs quite fine without AV software. The only reason McAfee is running on the AIX or Solaris box is because it makes the legal eagles happy... and even then, the software only runs when a cron job fires off to fetch updates, then

          • Re:Actual Reports (Score:5, Insightful)

            by LordLimecat ( 1103839 ) on Saturday December 21, 2013 @12:52AM (#45751833)

            CryptoLocker has shown that to be the case.

            Having been on a team that dealt with cryptolocker, I can say that you are not correct.

            Cryptolocker often is sent as malicious executables contained in zip file email attachments, which could target Linux or OSX or AIX just as easily.

            you tend to be screwed no matter how good the AV program is,

            If the virus is in usermode, the AV can easily remove it no matter what measures it takes, since the AV runs with root privileges. If the virus has root, it depends on what virus and what AV and how recent each is.

            The whole premise of "Windows gets viruses because it's insecure" is such an absurd myth that's been disproved so many times that it's astonishing that people still make such a stupid claim. Go look up Pwn2Own, and see how vulnerable your *nix systems can be when there's a sufficient incentive to break in. Go look up the cross-platform PDF proof of concept. Check the stats on what type of exploits are used for the majority of malware (OS / third party / browser plugin); I think you'll find that OS-level exploits are quite uncommon these days compared with the others.


            Viruses don't do that because there is no financial gain whatsoever to killing a Bitlocker volume.

            • It might now be the case that Windows isn't as insecure as it once was, but it certainly used to be true about Windows being insecure by design.

              For example, there was the whole automatically running software from any removable disk/usb stick thing; hiding file extensions so that users didn't know what was executable; running everything as administrator by default.

              The problem was that Windows wasn't designed as a multi-user system and thus didn't have the necessary privilege separation systems that other
              • The problem was that Windows wasn't designed as a multi-user system and thus didn't have the necessary privilege separation systems that other OS had.

                Windows NT most definitely was. You are talking about the 15-20+ year old Windows 1/2/3/9x.

                • You're right, I forgot about NT and versions derived from that.

                  With XP, it was almost the default to run everything as Administrator, so the multi-user aspect was made useless. Also, a surprising amount of software relied on having administrator level permissions. The whole idea of storing data in the same directory as the programs made sure that a lot of software wouldn't run unless the user had full write permissions to the "Program Files" directory.

                  I think some early bad design decisions hog-tied lat
      • Furthermore:

        All target systems were fully exposed to the threats. This means that any exploit code was allowed to run, as were other malicious files

        Which suggests that every time a warning popped up, e.g. "This site would like to install MalwareToolbar, Allow/Deny?" they clicked Allow, and every time a site wanted them to download malware.exe, they did and then executed it.

    • Thank you.

      Reading that, the more important news is probably that McAfee scored even worse.


  • Bullshit (Score:5, Interesting)

    by TheRealMindChild ( 743925 ) on Friday December 20, 2013 @08:26PM (#45750603) Homepage Journal
    Norton Internet Security received the strongest protection rating in DTL's tests, detecting 99% of the malware used

    I call bullshit. This seems like a paid advertisement to me. The only reason they used a few undetected ones was because no one would believe anything hit 100%
    • Re:Bullshit (Score:5, Interesting)

      by 00Monkey ( 264977 ) on Friday December 20, 2013 @08:38PM (#45750661) Homepage

      Seconded! There's no way in hell NIS performed at this level on a legitimate test. It's shit and that's putting it nicely.

    • Appendix B claims that the study was not sponsored. We still don't, of course, know if they are lying, but I just wanted to point that part out.
      • Sponsored? (Score:5, Insightful)

        by dcooper_db9 ( 1044858 ) on Saturday December 21, 2013 @12:06AM (#45751663)

        From page 19 of the report:

        What is the difference between a vendor and a partner vendor?

        Partner vendors contribute financially to the test in return for a preview of the results, an opportunity to challenge results before publication and the right to use award logos in marketing material. Other participants first see the results on the day of publication and may not use award logos for any purpose.

        Do you share samples with the vendors?

        Partner vendors are able to download all samples from us after the test is complete. Other vendors may request a subset of the threats that compromised their products in order for them to verify our results. The same applies to client-side logs, including the network capture files. There is a small administration fee for the provision of this service.

    • Either that, or it also ends up having a lot of false positives. Basically, if you flag almost everything as malware, you're going to be able to catch most of the malware. The great thing about MS Security Essentials is that it doesn't try to find reasons to justify its existence.
    • Re:Bullshit (Score:5, Funny)

      by Anonymous Coward on Friday December 20, 2013 @08:42PM (#45750697)

      Norton failed to detect itself. That's why it only got 99%.

    • by retroworks ( 652802 ) on Friday December 20, 2013 @08:56PM (#45750777) Homepage Journal
      http://www.geek.com/microsoft/microsoft-security-essentials-strikes-out-on-questionable-av-test-1538990/ [geek.com] Geek.com outed this testing firm last Friday for A) running MSE without applied Windows updates, and B) accepting sponsorship from vendors of tested software.
      • Sorry, that's last February, not Friday.
      • Sounds about right (Score:5, Insightful)

        by Sycraft-fu ( 314770 ) on Friday December 20, 2013 @09:39PM (#45750983)

        If you look at AV-Comparatives, who seem to do pretty good testing, MSE is about 90%. That's quite low (though there are commercial apps that are worse) but the tradeoff is zero false positives on essentially every test.

        It's certainly not what you get if you want highest security, but it does a reasonably good job, and doesn't generate false positives, which can piss off newbie users and make them want the AV scanner off. It also updates definitions via Windows Update, if its internal updater has an issue, which is nice for people who won't mind after their AV software.

        It's not what I use, but it isn't a bad baseline. I'd sure as hell use it rather than Norton :P.

        • True, and most of the misses tend to be malware that's not in circulation much at the moment.
        • by gman003 ( 1693318 ) on Saturday December 21, 2013 @02:31AM (#45752169)

          More to the point:

          Defense, of any sort, requires layers. And with enough layers, each individual layer can have quite a significant failure without compromising the integrity of the whole defense. My browsing habits, AdBlock, browser-based malware blocking, antivirus, and OS-level permission limits - all of those protect me. Each one probably only has a 90% success rate, but that combines to 99.999% effectiveness (assuming each layer is fully independent - in reality, stuff that can break one layer is likely able to break some of the others, so it may only be 99.9% effective, which is still pretty damn good).

          I use MSE not because it's the best, but because it's the least intrusive. It nags me to run a scan about once a month, and I think only once has it flagged any malware (false positive - I do scans with MalwareBytes every few months, which is much better at detection and removal but does nothing for real-time protection, and it did not find anything). Other than that, it doesn't put any noticeable load on my system or bother me with meaningless alerts - unlike even "good" AV like AVG.
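          The layered-defense arithmetic in the comment above (five independent layers at 90% each giving 99.999%, but "only" 99.9% once failures are correlated) can be checked directly. The following is an added illustration for this thread, not the commenter's own code: the five layer names and the 90% per-layer stop rate come from the comment, while the "common cause" fraction used to model correlated failures is an assumption introduced here for the example.

```python
"""Combined effectiveness of stacked defensive layers.

Added illustration for the comment above, not the commenter's own code.
The five layer names and their 90% per-layer stop rates are taken from
the comment; the common-cause fraction used to model correlated failures
is an assumption made here for the example.
"""
from math import prod

# Per-layer probability that the layer alone stops an attack (from the comment).
LAYERS = {
    "browsing habits": 0.90,
    "AdBlock": 0.90,
    "browser malware blocking": 0.90,
    "antivirus (MSE)": 0.90,
    "OS permission limits": 0.90,
}


def independent_breach_probability(stop_rates):
    """P(an attack gets past every layer) when layer failures are independent."""
    return prod(1.0 - r for r in stop_rates)


def effectiveness(stop_rates, common_cause=0.0):
    """Overall stop rate of the stack.

    common_cause is the assumed probability that an attack belongs to a
    class that defeats all layers at once (a shared blind spot).  With
    common_cause=0 this is the independent case; any positive value puts a
    floor under the breach probability no matter how many layers are added.
    """
    p_breach = common_cause + (1.0 - common_cause) * independent_breach_probability(stop_rates)
    return 1.0 - p_breach


def layers_needed(per_layer_rate, target):
    """Fewest independent layers of equal strength that reach a target stop rate."""
    allowed_breach = 1.0 - target
    breach, n = 1.0, 0
    # Small tolerance guards against floating-point drift in the repeated
    # multiplication (1.0 - 0.9 is not stored as exactly 0.1), so a target
    # that is met on paper is not reported as needing one more layer.
    while breach > allowed_breach * (1.0 + 1e-9):
        breach *= 1.0 - per_layer_rate
        n += 1
    return n


if __name__ == "__main__":
    rates = list(LAYERS.values())
    print(f"independent layers      : {effectiveness(rates):.5%}")
    print(f"0.1% shared blind spot  : {effectiveness(rates, common_cause=0.001):.5%}")
    print(f"90% layers for 99.999%  : {layers_needed(0.9, 0.99999)}")
```

          With independent layers the stack stops 99.999% of attacks, matching the comment. Assuming that just 0.1% of attacks fall into a class every layer misses, the figure drops to about 99.899%, which is the comment's "maybe only 99.9%" case: once failures share a cause, adding more of the same kind of layer stops helping, and the only way to raise the ceiling is a layer that does not share the blind spot.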

      • Geek.com outed this testing firm last Friday for A) running MSE without applied windows updates

        I noticed that too while reading the PDF.
        But it doesn't seem like much of a defense for MSE's and McAfee's extremely poor showing.

    • It is not that steamy bloated piece of shit known as 2007! Other labs report it as one of the best with minimal performance degradation, believe it or not.

      It is re-engineered and has a tarnished image like RealPlayer and IE, which are hard to break.

      • It may be wonderful, but based on what happened in the early-mid 2000s I won't even look at Norton. I ditched Kaspersky when I bought a 3 license package for the office, but didn't need two of the S/Ns for a couple of months. When I installed them, I found that the timer on all three licenses expired based on when the first one was installed.

        I'm not in a high-risk environment, so I'll stick with defender for the time being.

        • I use Avast. This version I use now is pretty good. It is free. If you put it in game/silent mode it won't ever bug you. I notice minimal performance downgrade.

          The good news is most AV software is rapidly improving, with the exception of McCrappy. True, Norton's answer for malware was to encapsulate the whole damn hammer! Worse, may the lord have mercy on your soul if you ran it on Vista! The disk would spin to eternity with indexing and with the whole virtual disk layer encapsulated doing a scan for each damn

    • Re: (Score:2, Informative)

      by Anonymous Coward

      You've obviously not used Norton in recent years, have you.
      I swear you nerds are stuck with obsolete knowledge and refuse to accept that things change.

      Microsoft Security Essentials was one of the best when it first came out and is now one of the worst. Things go both ways.

      • by mlts ( 1038732 )

        I don't understand the point of buying AV software on a non-enterprise basis when a decent program is installed (or downloadable at no charge -- a utility that doesn't throw pop-ups at you demanding subscriptions), the two exceptions would be SpywareBlaster (which updates killbits, adds blocking cookies), and Malwarebytes (which blocks IP addresses.)

        The enterprise is a different story. AV software is a must for jumping through regulatory hoops, and something like System Center 2012 Endpoint Protection or S

      • I swear you nerds are stuck with obsolete knowledge and refuse to accept that things change.

        That's a bit simplistic. It's more like this: remember the bailout General Motors got a few years back? What was it, $500 million, taxpayer money? Then they used it to build a new plant, IN MEXICO! That was the moment I said "Fuck GM from now until eternity!" I will never buy a GM product because of that.

        Maybe I'll get an American made car, like a Toyota. Anyway... same idea goes for NIS....

        Norton made such awful software for so long that they don't deserve a second chance. I don't even care if they d

    • It's a consistent result across many recent tests, since the re-engineering effort a few years back. NAV/NIS seems very low impact on systems, and is routinely first place for performance and among the top for detection.
    • Norton Internet Security received the strongest protection rating in DTL's tests, detecting 99% of the malware used

      I call bullshit. This seems like a paid advertisement to me. The only reason they used a few undetected ones was because no one would believe anything hit 100%

      I can't help but think that if this really were something sponsored by Norton that they wouldn't have had a free product (Avast) score so closely to Norton (which is a paid product.)

    • Norton IS 39% of malware! It eats up processor time, ties up an insane amount of memory and is damn near impossible to remove. In Norton's case the treatment is worse than the disease.

    • Did they mention that many of the competing products rendered the computers they "protect" slow, buggy and sometimes useless?
  • 89.376% of stats from "security" outfits are crap with 99.9118000042% confidence interval.
  • MSSE vs Norton (Score:4, Insightful)

    by Mr Foobar ( 11230 ) on Friday December 20, 2013 @08:28PM (#45750619) Homepage

    So, either MSSE misses over a third of malware, or use Norton and your computer turns into a zombie with the performance of a 486 running WfWG...

    Hmm, tough choice there.

    • Or use avast?

      Good detection and minimal overhead.

  • If they made a good security product, I'm pretty sure there would be much gnashing of teeth. Remember the uproar because MS dared to include a browser and media player? I'm sure if they put a decent antivirus product in Windows they'd just get sued again.

    • Yeah, I can see the NSA doing that.
    • by Seumas ( 6865 )

      MSIE wasn't decent, either. Didn't stop anyone.

      In fact, one might assert that providing a worse bundled product was more damaging as it would cut down other vendors and give users a false sense of security. (If this report were even legitimate).

      Of course, Defender isn't even bundled (you have to actively seek it out, download it, and install it), so I don't think the "anti-trust!" thing even applies.

      • Defender *is* bundled in later versions of Windows. Look, far be it from me to defend M$, but as far as the free AVs go, I've recommended MSSE to a lot of my clients. It runs quietly and unobtrusively and doesn't constantly ask the user to make decisions he may not have a clue about, and it doesn't nag you to ***BUY OUR PAID VERSION ZOMFG*** every five minutes. It does its job reasonably well, albeit not perfectly, and like others I'm a little skeptical of this outfit's testing methodology and results. FWIW
      • MSSE is not bundled with 7. Defender (which is the same thing) is bundled in 8 and 8.1.

      • IE 6 was the best browser. Don't believe me? Go google Slashdot stories on Netscape from 1999 to 2002?

        IE, as much as I hated MS winning, was the browser I kept using as it was the more standards-compliant and faster browser. It supported MS CSS while no browser supported W3C CSS at all. It rendered code more properly than Netscape and even early Mozilla!

        • You need to make it more plain when you joke around like that
          • Re: (Score:3, Interesting)

            I was typing that on a phone and didn't have time to elaborate. IE was only popular when IE 6 was light years ahead of Netscape 4.7 in 2001. Netscape 5 and 6 I did not even bother with, as websites would not even render correctly. Not because the IE era started on the web, but because there were more quirks in those pieces of dinosaur doo than even IE itself!

            People use what is best. IE no longer has the strangle hold because it is not the best thing since sliced bread anymore.

            In 2001 through 2003 I used it with M

    • by chuckugly ( 2030942 ) on Friday December 20, 2013 @08:50PM (#45750743)
      It used to be pretty decent, at one point MS was trying to recruit me to work on that since I had a lot of AV development experience; I eventually declined and fed them a few resumes who they did hire, but to get to the point, they have done this in the past at least once before. Maintaining AV is an ongoing and expensive endeavor, and MS just doesn't seem to learn that lesson. It's not something they can develop and then tweak for year after year, they need to have developers and AV researchers on it 24/7, every week of the year. That's not cheap and apparently not their model.
  • I just assumed that from the start. It's better than nothing, though.
  • but I would seriously question the source of any "objective report" and check who paid for the report. I know how these things work....
  • by istartedi ( 132515 ) on Friday December 20, 2013 @10:26PM (#45751201) Journal

    Norton detected 99%. The other 1% is Norton.

    • Here's hoping Norton can lift its game.

      Though it's kind of hard to delete a file when it must first terminate the running process.

  • I don't know much about the current state of software viruses (I'm a Linux user!) but my understanding was a lot of them looked for suspicious behaviour rather than straight up definitions.

    In that case if I'm a Malware writer it's nice if I can sneak around 3rd party anti-virus software, but it's not essential.

    But if Security Essentials is built into Windows and it catches my suspicious behaviour every time, well there's not a big niche for my virus. Just like web developers would make sure their pages ren

  • by Slagothor ( 1156549 ) on Saturday December 21, 2013 @12:47AM (#45751823)
    I care about the security of MSE a great deal. MSE does what AV should do. It also does it in the background like it should and out of the way. MSE is a program/tool that is outstanding. Surprised to see it come out of Microsoft. If a paid version were needed/required, I'd pay, and I don't pay for AV protection.
    • MSE used to be a pay-for service called Live OneCare from Microsoft, and as noted above used to be a separate product originally written by another company. So it's more of a good strategic acquisition rather than an inspired idea by the MS execs themselves. I don't know exactly why they went free, but you missed your chance to pay for it, unless you feel like getting Forefront licenses [microsoft.com]
  • I used to use http://vx.netlux.org/ [netlux.org] It was a malware repository, everything that had been released and updated regularly.
    It was a serious board for everything malware and filled a niche. The board's country made any site that carried malware (short term) illegal.
    They fought for awhile and now you can see it's gone.

    I always deleted the malware I downloaded; those I wish I'd have kept now.

    Is there a place to download malware to check one's malware prevention/detection?
    And not the EICAR test file.


  • All I want is a program that combines Autoruns [microsoft.com] with StartupMonitor [cnet.com] and steps in when any DLL or executable is about to be modified; hell, the OS should do that anyway.

    Over 5 years I have enjoyed running my PC virus-free, and without the annoyance of anti-virus software's constant nagging. VirusTotal for when I'm in doubt [virustotal.com] and a scan with Malwarebytes Anti-Malware [filehippo.com] for when I get a tinge of paranoia.

  • Would love to hijack this thread and see what everyone uses, since /.ers are likely more sophisticated and knowing in their selection than most ....

  • others call a utility.

    MSE doesn't give a damn about Produkey. Every other antivirus I've run wants to erase it.

    I have a program called vfat.com, which was a disk defragmenter for MS-DOS, working only on FAT formatted disks. I have used it hundreds of times for years back in the days of dial-up 2400bps BBS. Now, everybody screams that it's some kind of virus. The damn file predates the Morris worm, and you're telling me that it's a virus, the VFAT virus?

    Another program, pskill seems to be on most other a
