Saturday, September 07, 2013

Microrant: Microsoft Security Essentials & File Restore

I’ve been a long time fan of the anti-virus/anti-malware application Microsoft Security Essentials for non-technical family and friends for the following reasons.

  1. It’s free.
  2. The GUI is not “scary” or threatening to civilians.
  3. It plays very well with all Windows OS’s (XP-Win7).
  4. It automatically updates the engine and DAT files as part of the Windows Updates settings.

Since I have been running it on my own personal systems for quite a while, it is super-easy to walk folks through solving most any problems they have without needing to get a remote session to their PC.

Granted, while it has rated low in recent AV-TEST results my confidence it it has remained high enough to continue to use and recommend it to others.  (MSSE rebuttal to those results here.)

However the UI frustrated me today and I am strongly considering switching over to Bitdefender Antivirus Free.

I’ve been running Bitdefender Free on my Win 8 virtual machines for some time and absolutely love it.  The interface is a bit more “geeky” and technical than MSSE and you need to provide/register it with a valid email address. However that also gets you access to a “cloud-based” console to manage and view history on all your Bitdefender free systems that you have registered. That’s kinda handy and useful for geeks like me who use a similar approach at work.

Bitdefender products also get rated high in recent AV-TEST results.

(See also Virus Bulletin summary results.)

Anyway, the rant today is because of the current MSSE handling of potential threats; or to be more accurate, the behavior encountered in the UI when trying to recover from MSSE’s handling of potential threats.

This morning I had downloaded an updated version of Nir Sofer’s IE PassView.  I use this great utility when I am responding to a user’s system where they have forgotten passwords (and didn’t write them down or put them in a digital password manager app). Often they saved the password to “auto-enter” in IE when the browse to the page (yuck but what are you gonna do?). So I can use this tool with their permission to look for and recover the password for them. If I don’t find it there, I try many of the other password tools Nir Sofer has on his site. Usually I get lucky and can recover it.

Only today, when I downloaded the ZIP file package for the application, MSSE kept intercepting the downloaded file and quarantining it as a threat.

No biggie. I’d expect as much since it could be used by others for nefarious purposes.

So I just opened up MSSE, clicked on the “History'” tab, and found it present under the Quarantined items list.

So I did what seemed natural and ticked the checkbox next to the line item, and hit the “Restore” button.

It disappeared out of the list.

I checked back to my download location.  File not there.

Hmmm.

So I downloaded the file again from NirSoft.  Again it was intercepted and quarantined. Again I restored it.

Again it disappeared to the netherworlds.

I didn’t see an UAC prompts even though the “Restore” button has a little shield like it should be prompting me for confirmation action.

Hmmm.

Clearly “Restore” didn’t restore anything. Nor did it whitelist the file for future downloads.

It wasn’t listed in my “Allowed items” list in MSSE either.

Ok.

So, non-intuitively, I selected the “All detected items” radio button.

In the list was the file listed several times for all the repeated download attempts.

5j3qw4s4.prl

I clicked on one of those and selected “Allow item”.

A UAC prompt appeared and I said “OK”.

I checked my download location and there was the restored file now.

The item still wasn’t added and listed in the “Allowed items” list.

Hmmm.

So (as of today) it appears that in some cases with MSSE, when a file is intercepted and quarantined, and you want to free it from quarantine and restore it;

  1. don’t select it from the quarantine list and “Restore” from there.
  2. select it from the “all detected items” list and “Allow item” from there.

Running iepv.exe didn’t generate any MSSE alerts or warning bells.

Subsequent retries shows that MSSE no longer quarantines downloads of the ZIP file.

So MSSE seems to have been quite good at intercepting the ZIP file for IE Pass View during download, and quite good at making it challenging to “restore” the download file after it had been quarantined. However it also was quite poor about easily allowing me to “whitelist” it. Nor did it complain or protect me (not that I really wanted I to…just saying) from the actual execution and presence of the iepv.exe binary.

Hmmm.

This alone isn’t enough reason to jump away from MSSE, however it is one more data-point in my considerations of moving to a different solution on my personal system.

Posting in case anyone else searches the Googles for this particular issue.

--Claus V.

2 comments:

Unknown said...

I generally download to a white-listed folder so that MSSE don't butt in on the programs I DO want to run. Simple, easy & effective in avoiding the restore/allow hoops. Also, this makes sure anyone else cannot run the same program without my permission... :)

Claus said...

@ Van Dame - That is a brilliant tip! Worthy of a follow-up post I do believe.

Thanks for taking the time to share it!

FYI, I'm not sure if beta released of MSSE are your thing, but my RSS feed reader brought me notice of a new prerlease release version of MSSE if you are interested:

Microsoft Security Essentials Prerelease - Version 4.4.207.0 9/9/2013

Cheers!

-Claus V.