The Grey Chronicles

2010.October.8

Goodbye Spybot, Hello MSSE? Part VIII


Task Manager Snapshot: Real-Time Protection With Avira

This continues yesterday’s post on activating the real-time protection exclusion list in Microsoft Security Essentials [MSSE]. It is a comparative analysis of my favorite security freeware, Avira AntiVir Personal, against the week-old MSSE installation that replaced SpyBot – Search and Destroy.

In the previous post, MSSE with the exclusion list showed remarkably lower memory usage during start-up than without it. Avira still wins the comparison, though: AntiVir Guard [avguard.exe] uses as much as 18,092 K compared to MSSE’s 30,460 K! (Both figures are Task Manager’s Mem Usage column, i.e. the working set at the moment of the snapshot, not the process’s private bytes, so they are a fair comparison only when taken at the same point in the boot sequence.)

As proposed in Part IV, to analyze what this security application actually inspects, Process Monitor from SysInternals was used to record the file-system and registry accesses made by Microsoft Security Essentials [MSSE] during start-up. It revealed the following:

Only the Documents and Settings, Program Files and Windows directories were touched, and within them only particular sub-directories: All Users\Application Data, NetworkService\Application Data and NetworkService\Local Settings under Documents and Settings; Microsoft Security Essentials under Program Files; and AppPatch, Fonts, Prefetch, System32 and WinSxS under Windows. Moreover, during system start-up MSSE tried to open a number of paths that do not exist (Process Monitor result PATH NOT FOUND), such as:

C:\windows\system32\drivers\windows\system32\bootvid.dll
C:\windows\system32\drivers\windows\system32\drivers\1394bus.sys
C:\windows\system32\drivers\windows\system32\drivers\battc.sys
C:\windows\system32\drivers\windows\system32\drivers\classpnp.sys
C:\windows\system32\drivers\windows\system32\drivers\oprghdlr.sys
C:\windows\system32\drivers\windows\system32\drivers\pciidex.sys
C:\windows\system32\drivers\windows\system32\drivers\wmilib.sys
C:\windows\system32\drivers\windows\system32\hal.dll
C:\windows\system32\drivers\windows\system32\kdcom.dll
C:\windows\system32\drivers\windows\system32\ntdll.dll
C:\windows\system32\drivers\windows\system32\ntoskrnl.exe
C:\windows\windows\system32\bootvid.dll
C:\windows\windows\system32\drivers\1394bus.sys
C:\windows\windows\system32\drivers\battc.sys
C:\windows\windows\system32\drivers\classpnp.sys
C:\windows\windows\system32\drivers\oprghdlr.sys
C:\windows\windows\system32\drivers\pciidex.sys
C:\windows\windows\system32\drivers\wmilib.sys
C:\windows\windows\system32\hal.dll
C:\windows\windows\system32\kdcom.dll
C:\windows\windows\system32\ntdll.dll
C:\windows\windows\system32\ntoskrnl.exe

One reading of these PATH NOT FOUND entries is that MSSE deliberately probes for look-alike system files of the kind some malware drops to pass itself off as a Windows component; a scanner doing that is to be expected. Note, however, that every one of them is a genuine boot-time file name (ntoskrnl.exe, hal.dll, classpnp.sys and so on) glued onto a wrong prefix (system32\drivers\windows\... or windows\windows\...), which is also exactly what a scanner produces when it joins a path read from one place, such as a driver’s ImagePath value, onto a base directory taken from another. Process Monitor shows the failed opens but cannot tell which of the two it is. MSSE also tried to open the following NAME NOT FOUND or NAME INVALID paths:

C:\c:\windows\system32\drivers\*.sys
C:\windows\system32\drivers\c:\windows\system32\drivers\dump_atapi.sys
C:\windows\system32\drivers\c:\windows\system32\drivers\dump_wmilib.sys
C:\windows\system32\drivers\c:\windows\system32\drivers\procmon20.sys
C:\windows\system32\drivers\c:\windows\system32\drivers\uphcleanhlp.sys
C:\windowsc:\windows\system32\drivers\dump_atapi.sys
C:\windowsc:\windows\system32\drivers\dump_wmilib.sys
C:\windowsc:\windows\system32\drivers\procmon20.sys
C:\windowsc:\windows\system32\drivers\uphcleanhlp.sys

Interestingly, in C:\c:\windows\system32\drivers\ note the repeated drive designator c:\, and in windowsc:\windows\ note the Windows directory name run straight into the drive designator c:\! These look like a path-joining bug: an already absolute path (lower-case c:\windows\system32\drivers\..., with procmon20.sys, Process Monitor’s own driver, among the names) appended to a base directory without a check that it was already absolute. Most probably programming errors.

Only the following registry hives were accessed: Classes Root [HKCR], Current User [HKCU], Local Machine [HKLM] and Users [HKU]; only Current Configuration [HKCC] was not scanned. (HKCC is merely a link to HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current, so nothing is lost by skipping it.) In Current User [HKCU], only the Software and Environment keys were scanned. In Local Machine [HKLM], only Software and the System hive’s CurrentControlSet, Setup and WPA sub-keys were visited. In Users [HKU], only .Default and S-1-5-20 (the NetworkService account) were included.

Meanwhile, running an MSSE Quick Scan of the system with Process Monitor still active in the background produced almost the same results as described above.

In Documents and Settings, the contents of the following folders were quick-scanned: Administrator, All Users, {UserName}, Guest, LocalService and NetworkService. Furthermore, most .exe, .dll and .sys files in Program Files were inspected, as were .chm, .icc, .txt and .flt files, among others. In the Windows folder, most system executables and dynamic link libraries were scanned, including those in the root Windows directory.

In the system registry, Quick Scan inspected most Shell Extensions [ShellEx] and Type Libraries [TypeLib] in Classes Root [HKCR]; most keys in Current User [HKCU] Software\Classes, including particular keys in Software\Microsoft such as Active Setup, Internet Explorer and Windows\CurrentVersion. In Local Machine [HKLM], in addition to the keys itemized for [HKCU], the following Software\Microsoft sub-keys were also scanned: Code Store Database, Cryptography, EnterpriseCertificates, SystemCertificates and Windows NT. Software\Policies and System\CurrentControlSet were also included in the Quick Scan. In Users [HKU], all the sub-keys from .Default to the S-1-5-21 account keys were visited, specifically their Software nodes. As with the start-up scan, Current Configuration [HKCC] was not scanned.

The Quick Scan also inspected the drive and the registry for the files and keys, respectively, of about a thousand rogue security applications and other malware, ranging from 180Search Assistant to Zwunzi! Most of the NAME NOT FOUND results generated by the Quick Scan on the hard drive were for the folders, Desktop and Start Menu shortcuts [.lnk] or executables associated with these rogue security applications and other malware. The NAME NOT FOUND results in the registry were the Shell Extension [ShellEx] handlers and the Class [CLSID] and Application [AppID] identifier keys of the respective malware families. In other words, a failed lookup of a well-formed, known-bad name is the scanner working as designed; only the malformed paths above are worth a second look.
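The sorting done by hand above, splitting a Process Monitor capture into the directories and hives a scanner touched, the failed lookups that are expected signature probes, and the malformed paths that look like path-joining bugs, can be automated against the CSV that Process Monitor’s File > Save writes. The script below is an added example written for this post, not code from the post or from Microsoft; it assumes the default export columns (Time of Day, Process Name, PID, Operation, Path, Result, Detail), assumes MsMpEng.exe is the MSSE scanning process (the post never names it), and runs on a handful of constructed rows modelled on the paths quoted above rather than on a real capture.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample in the layout of a Process Monitor CSV export. Every row
# is made up for this example; a real capture has thousands of them. The
# process name MsMpEng.exe is an assumption, not something the post states.
SAMPLE_CSV = r"""
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:01:02.1","MsMpEng.exe","1234","CreateFile","C:\Windows\System32\ntdll.dll","SUCCESS","Desired Access: Generic Read"
"9:01:02.2","MsMpEng.exe","1234","CreateFile","C:\windows\system32\drivers\windows\system32\hal.dll","PATH NOT FOUND","Desired Access: Generic Read"
"9:01:02.3","MsMpEng.exe","1234","CreateFile","C:\c:\windows\system32\drivers\*.sys","NAME INVALID","Desired Access: Generic Read"
"9:01:02.4","MsMpEng.exe","1234","CreateFile","C:\windowsc:\windows\system32\drivers\dump_atapi.sys","NAME NOT FOUND","Desired Access: Generic Read"
"9:01:02.5","MsMpEng.exe","1234","RegOpenKey","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","SUCCESS","Desired Access: Read"
"9:01:02.6","MsMpEng.exe","1234","RegOpenKey","HKCU\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000001}","NAME NOT FOUND","Desired Access: Read"
"9:01:02.7","MsMpEng.exe","1234","CreateFile","C:\Documents and Settings\All Users\Start Menu\Programs\180Search Assistant.lnk","NAME NOT FOUND","Desired Access: Generic Read"
"9:01:03.0","explorer.exe","800","CreateFile","C:\Windows\explorer.exe","SUCCESS","Desired Access: Generic Read"
"""

# Process Monitor result strings for a lookup of something that is not there.
MISSING = ("NAME NOT FOUND", "PATH NOT FOUND", "NAME INVALID")
# A drive designator such as "c:\" appearing after the root of a path.
DRIVE_INSIDE = re.compile(r"[a-z]:\\", re.IGNORECASE)


def parse_procmon_csv(text):
    """Parse a Process Monitor CSV export into dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text.strip())))


def events_for(rows, process):
    """Keep only the rows produced by one process (case-insensitive name)."""
    return [r for r in rows if r["Process Name"].lower() == process.lower()]


def is_file_path(path):
    """True for a drive-rooted file-system path, False for a registry path."""
    return len(path) > 2 and path[1] == ":" and path[2] == "\\"


def top_level_dirs(rows):
    """Count which directories directly under the drive root were touched."""
    counts = Counter()
    for r in rows:
        if is_file_path(r["Path"]):
            counts[r["Path"].split("\\")[1].lower()] += 1
    return counts


def registry_hives(rows):
    """Count which registry hives (HKLM, HKCU, ...) were opened or queried."""
    counts = Counter()
    for r in rows:
        if r["Operation"].startswith("Reg"):
            counts[r["Path"].split("\\")[0].upper()] += 1
    return counts


def is_malformed(path):
    """Flag the path shapes the post singles out: a second drive designator
    after the root (C:\\c:\\..., C:\\windowsc:\\...), a directory repeated
    back to back (C:\\windows\\windows\\...), or a directory pair recurring
    further down the chain (...\\drivers\\windows\\system32\\...)."""
    if not is_file_path(path):
        return False
    rest = path[3:].lower()
    if DRIVE_INSIDE.search(rest):
        return True
    dirs = rest.split("\\")[:-1]            # drop the file name
    pairs = list(zip(dirs, dirs[1:]))
    if any(a == b for a, b in pairs):
        return True
    return len(pairs) != len(set(pairs))    # some (dir, subdir) pair recurs


def triage(rows):
    """Split the failed lookups into expected signature probes of well-formed
    names and malformed paths that deserve a closer look."""
    missing = [r["Path"] for r in rows if r["Result"] in MISSING]
    return {
        "malformed": [p for p in missing if is_malformed(p)],
        "probes": [p for p in missing if not is_malformed(p)],
    }


if __name__ == "__main__":
    events = events_for(parse_procmon_csv(SAMPLE_CSV), "MsMpEng.exe")
    print("directories:", dict(top_level_dirs(events)))
    print("hives:      ", dict(registry_hives(events)))
    for group, paths in triage(events).items():
        print(group)
        for p in paths:
            print("   ", p)
```

To use it on a real capture, replace SAMPLE_CSV with the contents of the exported file and, if a later MSSE build renames its engine process, adjust the process name passed to events_for. The bigram check in is_malformed is deliberately stricter than "a directory name appears twice", because legitimate trees do repeat single names (Program Files\Microsoft ...\Microsoft ...); two consecutive components recurring is a much better sign that one path was concatenated onto another.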


Notes:

Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 License

Disclaimer: These posts do not necessarily represent any organization’s positions, strategies or opinions; refer to this blog’s self-imposed rules: A New Year; New Rules. Unless otherwise expressly stated, posts are licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 License. Comments are moderated to keep the discussion/s relevant and civil. Readers are responsible for their own statement/s.
