Microsoft Security Essentials Reviewers Guide

The Microsoft Security Essentials Reviewers Guide outlines the features and benefits of the software, which provides free protection against malware for users of genuine Windows. It emphasizes its lightweight design, ease of installation, and real-time protection capabilities, making it suitable for various PC performance levels. The guide also discusses the importance of genuine Windows for improved security and the advanced technologies used to combat threats like rootkits and rogue security software.

Uploaded by

Buhle Brado

Microsoft Security Essentials

Reviewers Guide
June 2009

For more information, press only:


Rapid Response Team
Waggener Edstrom Worldwide
(503) 443-7070
[email protected]

Abstract

This reviewers guide provides a first look at the features of Microsoft Security Essentials and how
it benefits consumers. Available to users of genuine Windows at no additional cost, Microsoft
Security Essentials provides protection from spyware, viruses and other malicious software
including trojans and rootkits. In addition to providing high-quality security for consumers, this
new solution has a lightweight design and uses smart resource utilization techniques to minimize
the impact on the common computing tasks users do every day, such as launching browser
windows and opening and saving documents, even on older and less powerful PCs. With a no-
hassle, straightforward installation, automatic updates and simple user interface, this solution
helps make it easy to get and stay protected.
Information contained in this document represents the current view
of Microsoft Corp. on the issues discussed as of the date of
publication. Because Microsoft must respond to changing market
conditions, it should not be interpreted to be a commitment on the
part of Microsoft, and Microsoft cannot guarantee the accuracy of
any information presented after the date of publication.
This reviewers guide is for informational purposes only.
MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED,
IN THIS SUMMARY.
Complying with all applicable copyright laws is the responsibility of
the user. Without limiting the rights under copyright, no part of this
document may be reproduced, stored in, or introduced into a
retrieval system, or transmitted in any form, by any means
(electronic, mechanical, photocopying, recording or otherwise), or for
any purpose, without the express written permission of Microsoft.
Microsoft may have patents, patent applications, trademarks,
copyrights or other intellectual property rights covering subject
matter in this document. Except as expressly provided in any written
license agreement from Microsoft, the furnishing of this document
does not give you any license to these patents, trademarks,
copyrights or other intellectual property.
Unless otherwise noted, the example companies, organizations,
products, domain names, e-mail addresses, logos, people, places
and events depicted herein are fictitious, and no association with
any real company, organization, product, domain name, e-mail
address, logo, person, place or event is intended or should be
inferred.
© 2009 Microsoft Corp. All rights reserved.
CONTENTS

INTRODUCTION
    WORKS WITH WINDOWS
GENUINE WINDOWS
QUALITY PROTECTION
    ROOTKIT PROTECTION
    DYNAMIC SIGNATURE SERVICE
    FALSE POSITIVES
    REAL-TIME PROTECTION
    SYSTEM SCANNING AND CLEANING
EASY TO GET PROTECTED AND STAY PROTECTED
    SIMPLE AND QUICK INSTALLATION
    PRECONFIGURED FOR OPTIMAL PROTECTION
    ALWAYS UP-TO-DATE
SIMPLE TO UNDERSTAND AND EASY TO USE
    CLEAR PC SECURITY STATUS
    INTUITIVE USER INTERFACE
    MINIMAL EFFORT REQUIRED TO HELP KEEP THE PC SAFE
DOESN’T GET IN THE WAY
    LIGHTWEIGHT DESIGN; TUNED FOR PC PERFORMANCE
    FEWER INTERRUPTIONS
SYSTEM REQUIREMENTS, AVAILABILITY, PRICING AND LICENSING
    SYSTEM REQUIREMENTS
    PRICING AND LICENSING
    AVAILABILITY
APPENDIX: COMPARISON TO OTHER MICROSOFT OFFERINGS

INTRODUCTION

The consumer security landscape is changing with malware evolving from a
cottage industry to a full-fledged fraud economy, in some cases even
involving organized crime. A rich malware ecosystem has developed with
producers, distributors and users who collaborate in and across their local
geographic regions, many of whom have adopted practices similar to those
of legitimate software organizations. While some malware continues to focus
on exploiting system vulnerabilities, more and more attacks are focused on
social engineering techniques that exploit basic interaction between human
and PC to display unwanted advertisements or steal sensitive information.

One of the most significant trends of the second half of 2008 as outlined in
the latest version of the Microsoft Security Intelligence Report (SIR v6) is the
large increase in rogue security software detected in many countries
worldwide. Malware masquerading as security software is introduced to a
user’s system and, once installed, bombards the user with pop-up
advertisements and alerts claiming that the computer is infected. The only
way to remove the threats is to pay for the full version and even then,
malware is typically left behind.

Botnets, networks of computers invisibly controlled by a “command-and-control”
computer to execute malware on the infected machine or spread it to
others, are also increasing in number, with PC users frequently not knowing
they are infected.

With malware attacks increasing in both number and severity and the
increasing incidence of rogue security software, quality anti-malware
protection delivered from a trusted source is a must-have for today’s PC
users — yet a surprising number of consumer PCs remain unprotected.
There are a number of contributing factors to this:

• Complication. Customers are confused by trials and annual subscription
  renewals, in many cases believing their PCs are covered when in fact
  their subscriptions have expired and they are not protected.
• Payment models. Traditional online subscription and payment models
  do not work in emerging markets where consumer credit is not always
  readily available.
• PC performance level. Weighty security suites do not perform well on
  older machines or new, less-powerful form factors such as the small
  notebook PCs that have become mainstream.
• Cost. Many consumers are either unwilling or unable to pay the cost for
  the security suite solutions that come on their PCs.

Microsoft Security Essentials is tailored to address these challenges. As a
no-cost service for users of genuine Windows software, Microsoft Security
Essentials removes the cost and payment barriers and helps alleviate the
confusion that comes with trial conversions and annual renewals. A simple
installation and automated updates help consumers more easily get
protected and stay protected throughout the life of their PC.

Lightweight and utilizing smart memory management and CPU throttling
techniques, Microsoft Security Essentials is also friendlier to low-bandwidth
scenarios and less powerful PCs.

With Microsoft Security Essentials, consumers worldwide now have access
to trusted, high-quality, no-hassle security for their genuine Windows-based
PC.

Works With Windows

Microsoft Security Essentials works with Windows Security Center in
Windows Vista and Windows 7 Action Center to provide users with up-to-
date information about their current level of protection, and alerts users when
real-time protection is off or the signature status is out of date.

Windows Security Center and Windows 7 Action Center also notify the user
of important Microsoft Security Essentials events via standard notifications.


GENUINE WINDOWS

Real-time protection such as that found in Microsoft Security Essentials is a
great tool in the fight against known malicious software; however, improving
the overall health of the ecosystem also requires addressing malware at the
distribution source. Studies have found that a substantial number of sites
offering counterfeit product keys, pirated software, key generators or crack
tools attempted to install malicious or unwanted software. Multiple examples
also exist of malware embedded within counterfeit products. Once infected,
these PCs are more likely to become malware hosts spreading malicious
software to other machines in the ecosystem.

Requiring genuine Windows as a minimum system requirement for Microsoft
Security Essentials increases visibility of this risk with non-genuine Windows
users, increasing the likelihood they will take steps to become genuine and
improving Microsoft Corp.’s ability to address this core exposure to the
security health of the Windows ecosystem overall.

Microsoft Security Essentials validates the genuine state of Windows as part
of the installation process. If successful, the installation continues
uninterrupted. If the PC does not pass genuine validation, the installation
terminates and the user is directed to information on resolving genuine-state-
related issues. Microsoft Security Essentials does not trigger a change in
state of the Windows-based PC but instead reads the genuine value stored
on the machine where available, or alternatively calls an API to validate
where a local status does not exist. No personal information is viewed or
collected as part of genuine validation.

Regardless of their genuine status, all Windows-based PC users continue to
receive all critical security updates, service packs, update rollups, and
important reliability and application compatibility updates. Microsoft will also
continue to utilize its Malicious Software Removal Tool to remove prevalent
malicious software to help raise the level of security across the Windows
ecosystem — as it does now from more than 400 million Windows-based
computers worldwide.


QUALITY PROTECTION

Built on Microsoft’s industry-certified malware protection engine, Microsoft
Security Essentials takes advantage of the same core anti-malware
technology that fuels the rest of Microsoft’s security products including
Microsoft Forefront, the Malicious Software Removal Tool, Windows
Defender and Windows Live OneCare, which has received the VB100 award
from Virus Bulletin, Checkmark Certification from West Coast Labs and
certification from the International Computer Security Association Labs.

As with Microsoft’s other security products, Microsoft Security Essentials
uses advanced system scanning and removal technologies that employ a
definitions database that details the characteristics and behaviors of known
malware. Threats are collected every month from more than 450 million PCs
around the world and are assessed by the Microsoft Security Response
Center, and new signatures are written and deployed daily.

Rootkit Protection

Rootkits are a particularly difficult type of malware to protect against, and
Microsoft Security Essentials includes a number of new and improved
technologies to provide additional defense against rootkits and other
aggressive threats. These technologies include the following:

• Live kernel behavior monitoring. Technology acquired from Komoku
  Inc. for monitoring the integrity of kernel structures has been fully
  integrated into Microsoft Security Essentials. Telemetry and update
  requests are sent to the dynamic signature service whenever the
  computer’s kernel has been attacked or modified by a new rootkit that is
  not yet detected with traditional signatures.
• Improved anti-stealth functionality. Support for direct file system
  parsing (RootkitRevealer-style scanning) is included as part of the quick
  and full scan actions with Microsoft Security Essentials, allowing for the
  identification and removal of malicious programs and drivers hidden from
  the file system by a rootkit.
• Improved live rootkit removal. Microsoft Security Essentials
  dynamically loads a new kernel mode driver as part of the cleaning
  process so that it can take the aggressive actions required to
  successfully remove some of the more advanced rootkits.

Consumers using Microsoft Security Essentials also have access to the
Microsoft Standalone System Sweeper tool via product support, which allows
users to boot into a Windows Preinstallation Environment and scan or clean
a system when it is completely inactive.


Dynamic Signature Service

With the release of Microsoft Security Essentials, Microsoft is introducing
Dynamic Signature Service, a new approach to providing the most up-to-date
protection for the PC without having to wait for the next signature download.
In addition to validating suspicious files against the set of signatures that are
downloaded daily, Microsoft Security Essentials contains additional
technology to monitor for new and emerging malware and check for
signature updates in near-real time.

A new class of heuristic signatures leverages Microsoft’s dynamic translation
technology to emulate the behavior of a program before it runs. Microsoft
Security Essentials uses these signatures to look for signs of suspicious
behavior, characteristics that are similar to known malware and other
abnormal operations, and then queries the Dynamic Signature Service to see
if the program should be submitted for analysis or terminated.

After a process starts, Microsoft Security Essentials also monitors the file,
registry, network and kernel mode actions taken by unknown programs to
look for suspicious behavior. Actions such as initiating unexpected network
connections, attempting to modify privileged parts of the system, or
downloading known malicious content all trigger requests for updates from
the Dynamic Signature Service.

False Positives

Microsoft sets a very high industry-recognized bar for the quality of its
definition updates. The company maintains a significant database that is kept
up to date with the most popular Web sites and application downloads on the
Internet. All updates and engine releases are put through extensive incorrect
detection and application compatibility tests prior to release to help ensure
they do not mistakenly identify valid software as malicious.

Microsoft Security Essentials also uses the Microsoft SpyNet telemetry
system to monitor the quality of definition updates after release to customers.
Telemetry is sent to Microsoft on files being detected and removed by users
in real time and used to identify abnormal patterns and assess the potential
impact of an incorrect or misbehaving signature. In the rare event of an
incorrect detection being discovered on a user’s machine, the Dynamic
Signature Service fixes the signature in real time and helps prevent users
from being impacted.


Real-Time Protection

Microsoft Security Essentials uses real-time protection to help address
potential threats before they ever have an opportunity to become a problem.
Users are alerted when spyware, viruses or other malicious software
attempts to run or install on the computer, suspicious files and programs are
prevented from opening, and suspect processes are prevented from running
if they exhibit characteristics consistent with malicious software. In addition to
helping provide better protection from constantly changing threats, real-time
protection reduces the need for full system scans, which makes it less
intrusive to the user.

System Scanning and Cleaning

Microsoft Security Essentials offers full system scanning capabilities with
both scheduled and on-demand scanning options to provide an extra level of
confidence. Scheduled scan is turned on by default and configured to run
weekly at 2 a.m. when the system is likely idle. There are three scanning
options:

• Quick scan. On by default, a quick scan rapidly checks the areas
  malware is most likely to infect including programs running in memory,
  system files and registry.
• Full scan. A full scan checks all files on the computer, the registry, and
  all currently running programs.
• Custom scan. A custom scan allows users to scan only the areas they
  select.

Users can choose when they want a scheduled scan to run, view the scan
results before cleaning or, if they do not want to run scheduled scans, run a
scan on demand. If a PC is not “awake” when the scan is scheduled to run,
Microsoft Security Essentials will start the scan at the first opportunity when
the PC is awake and idle.

Microsoft Security Essentials runs a quick scan as part of the setup
experience to ensure the system is clean right from the start.

In addition to scheduled and on-demand system scanning, Microsoft Security
Essentials provides a Windows Shell extension that allows users to scan
individual files at any time by right-clicking on the file either in Explorer or on
the desktop.


When Microsoft Security Essentials determines a possible threat is present
on a user’s machine, the user is alerted to the threat. Identified threats are
categorized by alert level as Severe, High, Medium or Low, and the user can
choose whether to ignore, quarantine or remove the item from the system.

• Quarantine. Microsoft Security Essentials blocks less severe threats and
  moves them to a quarantined queue where the user can elect whether to
  restore or permanently delete them. By placing an item in quarantine, the
  user can test the item’s removal before deleting it from the system.
• Remove. This action permanently deletes the item from the system.
• Allow. This action will stop Microsoft Security Essentials from detecting
  the item in future scans by adding it to the Allowed Items list. Users can
  remove items from the Allowed Items list at any time.


Microsoft Security Essentials automates the removal process by taking the
recommended action for all items detected. By default, automated scans will
remove Severe and High items, although the user may change default
actions in the Settings tab at any time.


EASY TO GET PROTECTED AND STAY PROTECTED

Simple and Quick Installation

Microsoft Security Essentials is easy to obtain online directly from Microsoft,
and because it is available at no cost, there is no need to go through a
lengthy registration process or provide billing information. There are also no
trials that require later conversion and no annual renewals. Installation is
designed to be quick and easy and does not require a complex registration
process.

Once installation is complete, users have the option to download the latest
signature updates and immediately perform a PC scan.

Preconfigured for Optimal Protection

Microsoft Security Essentials is installed preconfigured with settings for the
typical user. Standard settings include running a scheduled scan weekly at 2
a.m. when the system is most likely idle.


Real-time protection and automated scanning of downloaded files and
attachments are also enabled by default.

More experienced users can set a full range of configurable options, run
updates, view excluded file types, locations and processes, and view history
at any time.

Always Up to Date

Microsoft Security Essentials uses Microsoft Update to ensure the
signatures, anti-malware engine and application are always up to date. New
malware signatures are downloaded once per day with new signatures
accessed in virtually real time through the Dynamic Signature Service. As the
threat landscape changes and new malware emerges, malware engine
upgrades and new application features are also delivered to users
automatically through Microsoft Update.


SIMPLE TO UNDERSTAND AND EASY TO USE

Clear PC Security Status

Microsoft Security Essentials adopts the popular Windows Live OneCare
green/yellow/red color-coding to designate the security status of the user’s
PC. A color-coded icon in the taskbar tells the user at a glance if any
attention is required.

A green icon means that status is Good. Microsoft Security Essentials is up
to date and is running in the background to protect the user’s PC against
malware.

A yellow icon means that status is Fair. The user will have some action to
take such as turning on real-time protection, running a system scan, or
addressing a medium- or low-severity threat, but there is no immediate risk
to the PC.

A red icon means the PC is at risk and a high- or severe-level threat must be
immediately addressed to protect the PC.

When a yellow or red icon is present indicating action is required, users can
take the required action directly from the Microsoft Security Essentials system
tray icon without ever having to enter the application.


Intuitive User Interface

Within the application, the user is provided with a clean, simple home page
that shows the security state of the PC. At the green steady-state, the user
can run a scan if desired but there are no specific recommended actions for
the user to take.

When the PC has an issue requiring user attention, the look of the home
page changes based on the issue. The status pane turns either yellow or red
depending on the situation and an action button appears in a prominent
location on the page with the suggested action.


Once the user clicks the button to take the recommended action, the
detected file is cleaned, a quick scan is completed to ensure no additional
malicious software was installed by the originally detected item, and
Microsoft Security Essentials returns to the green state.

Minimal Effort Required to Help Keep the PC Safe

Microsoft Security Essentials reduces the effort required to help keep a
user’s PC safe by simplifying and automating tasks whenever possible.
When user intervention is required, clear status and recommended actions
are presented both on the home page and through application alerts.

Alerts are specifically designed to minimize interruption to the user. When an
alert occurs, users can take immediate action directly from the alert.


If they prefer, users can click on “Show details” to launch the alert interface,
which provides additional information about the potential threat and
recommended actions.

Severe threats are automatically addressed by Microsoft Security Essentials
after 10 minutes if no action is taken by the user.


DOESN’T GET IN THE WAY

Lightweight Design; Tuned for PC Performance

Because Microsoft Security Essentials is core anti-malware only, it doesn’t
carry the weight of the suite products and has a much smaller download size.

Microsoft Security Essentials has been tuned to minimize the impact on PC
performance. Scans and updates are scheduled to run when the PC is idle
and they use a low-priority thread. CPU throttling ensures no more than 50
percent of the CPU is utilized, so the system remains responsive to
those tasks the user is likely to be performing such as opening files or
browser windows, cut/copy/paste, file save, etc. Microsoft Security Essentials
uses smart caching and active memory swapping so signatures that are not
in use are not taking up space, thus limiting the amount of memory used
even as the volume of known malware continues to increase, and making
Microsoft Security Essentials friendlier toward older PCs as well as today’s
smaller, less powerful form factors.

Microsoft Security Essentials is focused on ongoing performance
improvements as well. Telemetry on files that are slow to scan is sent to
Microsoft for analysis and resolution, and routine engine updates can
incorporate advancements for improved scanning speed, remove unneeded
signatures and reduce memory usage.

Fewer Interruptions

No offers, information-only pop-ups or update status notifications are pushed
in front of the user. Microsoft Security Essentials runs quietly in the
background to help ensure the user’s PC is always protected. Users are
alerted only when there are specific actions that need to be taken. When the
user is not present or is too busy to take the recommended action, Microsoft
Security Essentials takes the default action on behalf of the user. If desired,
the user can launch the application at a later time to review and adjust
actions taken.


SYSTEM REQUIREMENTS, AVAILABILITY, PRICING AND LICENSING

System Requirements

• Operating system. Windows XP Service Pack 2 or 3, Windows Vista,
  Windows 7; x32 and x64
    o For Windows XP
        - CPU: 500 MHz or higher
        - Memory: 256 MB RAM or higher
    o For Windows Vista, Windows 7
        - CPU: 1.0 GHz or higher
        - Memory: 1 GB RAM or higher
• VGA display. 800x600 or higher
• Disk space. 140MB available hard-disk space
• Internet browser.
    o Windows Internet Explorer 6 or later
    o Mozilla Firefox 2.0 or later

Pricing and Licensing

Microsoft Security Essentials is available to genuine Windows consumers at
no charge and may be installed on as many PCs as desired. Microsoft
Security Essentials will continue to be automatically updated for free as long
as it resides on the genuine Windows-based PC.

Availability

Microsoft Security Essentials will be available for limited public beta in early
summer in the following geographic regions and languages:

• Geographic regions: Brazil, China, Israel, U.S.
• Languages: Brazilian Portuguese, English, Simplified Chinese

The Microsoft Security Essentials global launch is slated for the second half
of 2009 in the following geographic regions and languages:

• Geographic regions: Australia, Austria, Brazil, Belgium, Canada, China,
  France, Germany, Hong Kong, Ireland, Italy, Japan, Mexico,
  Netherlands, New Zealand, Singapore, Spain, Switzerland, Taiwan, U.K.,
  U.S.
• Languages: Brazilian Portuguese, Dutch, English, French, German,
  Italian, Japanese, Simplified Chinese, Spanish, Traditional Chinese

Additional geographic regions and languages are expected to be made
available at a later date.


APPENDIX: COMPARISON TO OTHER MICROSOFT OFFERINGS

The following table shows the features and detection capabilities of Microsoft
Security Essentials and other Microsoft anti-malware-related offerings.

Offerings compared:

• For individuals or home (No IT): Malicious Software Removal Tool (MSRT),
  Windows Defender, Windows Live OneCare Safety Scanner, Microsoft
  Security Essentials, Windows Live OneCare
• For enterprises: Forefront Client Security

Capabilities:

• Removal of most-prevalent viruses: ✓ ✓ ✓ ✓ ✓
• Comprehensive removal of known viruses: ✓ ✓ ✓ ✓
• Real-time anti-virus: ✓ ✓ ✓
• Comprehensive removal of known spyware: ✓ ✓ ✓ ✓ ✓
• Real-time anti-spyware: ✓ ✓ ✓ ✓

Additional offerings for target audience:

• For individuals or home (No IT):
    + Managed firewall
    + PC performance Tuning
    + Data backup and restore
    + Multi-PC management
    + Printer sharing
• For enterprises:
    + IT infrastructure integration and customization
    + Centralized management and reporting
