Morro - first thoughts

Well, as I'm sure some of you might already know "Morro" A.K.A. Microsoft Security Essentials has started to leak all over the place. The beta doesn't officially drop till this Tuesday but I had the chance to install it tonight on one of my systems that's running 7 RC (32bit) and here are some first impressions.

First, the install file is very small (4.74mb). And I was blown away that it installed in, get ready for this, in well under a minute.

The install actually validates your copy of Windows to make sure it's Genuine but that process literally took 1-2 seconds to complete.

It then runs an update which in my case too just under 2 minutes and after that it ran what it called a "Quick Scan" but I didn't think it was that quick; took just under 10 minutes to complete.







I originally thought that, like OneCare, Defender would be disabled upon installing this but it didn't and it doesn't look like they're conflicting. Security Status in 7 reports that both Windows Defender and "Microsoft Antimalware" are both active. It does however give a warning just underneath that two antispyware products can conflict with each other.



The interface is very clean and blends into the OS very well. Even though it appears very basic, they have quite a few advances settings available (I haven't run through them all yet).



The biggest surprise so far is how light this package appears to be. Based on the few hours I've had it running, it literally feels like nothing is running in the background and the system appears to be even more responsive that when I had Avira or ESET ESS 4 installed, which as many of you know they are very light on resources.

Now let's hope the "lightness" doesn't translate into complete rubbish as far as effectiveness and detection rates are concerned.

 

Thanks for posting!
I'm also very curious about it's detection rate.
OneCare had a rather decent pro-active detection score, so I expect MS to keep this up.
Morro/MSE might just be an excellent future alternative for the current free AV's (and perhaps even paid-for software).
Some folks are getting pretty nervous it seems about this move from Redmond;

"Microsoft's free product is a slightly modified and stripped down version of the OneCare product it pulled from the shelves recently," says Dave Cole, senior director of product management for Symantec. "Consumers don't need less protection--they need more."

"Referring to Microsoft's basic antivirus and antispyware product as an essential security solution is misleading," says Cole. "Consumers need firewall protection, Web protection, antispam and identity safeguards--these are among the essentials when it comes to security, and you can only get them through a full Internet security suite provided by security experts."

Microsoft isn't going to change the dynamics of the consumer security industry, according to Cole. "The reality is that shareware and freeware vendors have been in the market for 20-plus years," he says. "The freeware space is crowded and Microsoft is just joining the fray. In addition, early reviews of the beta are showing that it underperforms when compared to existing freeware products, and well below paid solutions such as Norton AntiVirus." link

Now wouldn't Dave Cole know that ever since XP SP2, a firewall is enabled by default?

McAfee is much more honest though, about it's thoughts on Morro/MSE;

...in its 10-Q report issued May 9, the security provider clearly voiced concern about Morro's impact: "Security protection is increasingly being offered by third parties at significant discounts to our prices or, in some cases is bundled for free. For example, Microsoft announced that beginning in 2009 it will offer in emerging markets a free anti-malware consumer product dubbed Morro."

"The widespread inclusion of lower-priced or free products that perform the same or similar functions as our products within computer hardware or other companies' software products could reduce the perceived need for our products or render our products unmarketable--even if these incorporated products are inferior or more limited than our products," continues the report. "The expansion of these competitive trends could have a significant negative impact on our sales and financial results."

Cheers.

 

Reading the 10-Q (or the 10-K) is a useful antidote to the too-optimistic pronouncements of the marketing dept, but I wouldn't take the 10-Q itself as a "realistic" assessment - those tend to be too-negative when it comes to discussing possible future risks to the business, largely to avoid strike suits for securities fraud when the stock price drops (for whatever reason, usu. unrelated to what was discussed in the 10-Q/K). Welcome to securities-speak.

 

I like it. Haven't tested it yet, but It's interesting.

now lets wait for the anti-virus software vendors to hate microsoft for this

 

uses the same engine from what experts seem to think as one care did but adds some sort of cloud technology. stephen from avira stated this on another forum. but i agree i really like the integration of it and the ram usage is very impressive between 4 and 8mb even during a scan is being reported.. im testing it against a few others this weekend with my malware samples i have nearly 2000+ samples stored on a machine for just that and i will see how it does against norton2009, eset, and kaspersky since those are what i have installed.

 

Let us know how your samples fare against MSE. I have nothing to test it really except try to go onto some questionable sites.

Anyhow, it's been almost 24 hours and the system's still very fast and responsive. Another positive is the use of the contextual menu (right click on a file/folder and scan with MSE) seems instant. As a point of reference, I used to do that with Avira, it would initialize the scan engine eating 3+ seconds and then start the actual scan. Not so with MSE, it's near instantaneous and the scan itself is very fast.

Updates are coming through the main Windows Update process, briefly showing the Windows Update icon in the tray and no system slow-downs during, just some HD access.

IMO, MSFT might do very well with this. Being free, fast and light will no doubt have at least a few people interested in using it (by few I mean millions) which in turn will increase its effectiveness (Spynet network). Besides, I'm sure they don't want it to have the same fate as OneCare, which in itself wasn't a total disaster.

 

I can't wait to see more users test this to see how well it holds up. Especially against Avira.

 

So, this is a freeware? If it is, I think I would download and install it after the official release.
If this Morro is better than AVIRA(free) in terms of viruses & spywares database, detection rate and scanning rate, I won't hesitate to uninstall AVIRA(free).

 

This is very interesting..and informative
Thanks so much for the information..could this be up against Avira??
I may be checking this out!


Cin

 

Yeah, it will be absolutely free for all but on one condition; you have to have a genuine Windows, which it verifies on install.

It’ll take time before we know how effective it is or how detection rates will fare compared to, for example, Avira but it will only get better with time. The more users it has (the fact that it's a free MSFT product will help there a lot) the more effective it becomes (Spynet will take a new detected threat and push an update to all users almost immediately - at least that how it is in theory). And as zfactor said, it's based on OneCare's engine which was rated Advanced+ by AV Comparatives (May 2009) and has one of the lowest rates of FPs.

OneCare’s problems were that it was bloated/slow, always in the user's face, nagging them and you had to pay for it. MSFT appears to have addressed all those issues with MSE.

 

it did pretty well overall. missing a few all the others picked up. i have to say its generic sigs are VERY nice and they work well. it fared well overall though to my samples the other three i mentioned did all do better but only by a couple samples. morro only missed 2 samples i have the next best av picked up. overall it did a really great job for something new and in beta and that will be free. im not easy to impress and this i think will in the end be a very capable av..one thing i did see get by was antivirus 2009 a rouge av program which was really suprising since its really picked up by almost any decent av. but again being beta im positive this will be addressed i sent this info to ms after it got through as well.

its very fast. it used just a bit over 9mb on this system RUNNING a scan. i didnt notice any real slowdown at all and it ran as fast as the best of them. the only thing i saw was it did increase boot time by about 6-9seconds, this was in comparison to the other three. it took the longest to fully boot. again remember this is beta. eset time wise was the fastest boot and then norton 2009 then kaspersky then "morro". but remember we are talking within seconds of each other and not a difference of 30-40 either.

ill be testing this out all week and be throwing everything i can at it and taking it to places i dont realy recc you go on the net looking for stuff to see what it can do. when i test i look for nasties to see how well it does to stop them as well as prevent them from downloading and not allowing them to install or run.

remember i only tested with a couple thousand samples on a virtual machine. so i can only speak for what i was able to throw at it. ill keep this updated as i surf with it during the week looking for anything nasty i can to see how it reacts to it. im keeping an eye open especially for rouge programs now. also i like the integration into windows and how nice it installed. norton is about the only other one i can say installed this nice on vista and thats only speaking of the 2009 nortons

 

Thanks for the update zfactor. I'm going to leave it running on one of my machines but I'm still sceptical about its effectiveness right now; I agree once out of beta it should be decent. Still using Avira on my main production machine, don't want to take chances on that one.

 

oh def i run nis2009 on this machine normally so ill run this on the virtual pc for a few weeks and see how well it does as i said.. this week ill be back in the office tomm and ill start scouting for some nasty stuff

 

Just an update; looks like the official public beta build does disable Defender by default. The build I was using (an older internal MSFT beta build) did not do that, and actually allowed both MSE's AS module and Defender to run simultaneously.

This does make sense though, as MSE supposedly has an AS module that's at least as effective as the standalone Defender, according to a blog I read recently, and that MSE should disable Defender on install.

 

Yes, MSE disabled Windows Defender upon installing. There is no easy way to disable real time protection (right click taskbar icon options as in Avira, Norton, etc). RAM usage is also higher (around 75 MB with 2 processes) when compared to Avira 9 free, Norton AV 2009.
I love the fact that MSE doesn't say beta anywhere in the UI.

Morro and Forefront Client Security share the same malware definitions.

 

I am considering trying this beta out, but I will be closely comparing it to avast which has given me no problems in the years I have used it. I am glad to see it shares the same definitions as forefront security .

My only problem with MSE is as coolguy pointed out the memory usage is kinda high around 75+mb.

 

Memory usage for me fluctuates, MSE is really different than other AV's. Avira would usually sit around 11-12mb, while MSE is changing all the time.

 

In Task Manager I see a process called MsMpEng.exe (description: AntiMalware Service Executable) and another caller msseces.exe (description: Microsoft Security Essentials User Interface) and they are currently using 28MB memory (27MB for the first service and 1MB for the second). It’s constantly fluctuating; seen it as high as 35MB (combined).

Are these the same two associated services you have on your machine?

 

I honestly have to say I am not really impressed with this as it is. I specifically don't like the idea that MSE requires the windows update service to be set to automatic as I never use it at that setting. Also the first time I attempted to download virus definitions it failed and didn't give me a reason for doing so...

However I must say the interface looks nice compared to avast (alwil needs to hurry up with avast 5 since the current interface is getting quite dull!) and the system resource drain isn't bad at all. I am going back to avast for now since MSE is still technically pre-release software.

 

I just came across a show stopper; DVDFab6 (which I’ve been using for a bit and has been flawless on my other machines) and MSE do not play well together.

On two machines, one Vista and the other 7 RC, every time DVDFab starts, MSE shuts down and then the whole system freezes. Took MSE off and the problem went away. I'm also starting to notice massive fluctuations in resources used, going from almost nothing to actually slowing down my systems now. I guess that's why they call it a beta.

 

The quick scan uses the CPU so much (20%-50%). The interface should have been designed better. I think the final product would be much better.

 

not on my system hardly uses any cpu at all.. not sure why it does on yours

max memory usage i have seen is 28mb no higher. i too have seen the dvdfab issue so for me thats a killer. otherwise i am not sure why people are having issues it runs smooth here

 

I changed my settings to automatic update just to see what happens, it installed the updates for MSE but the update to .NET framework 3.5 SP 1, and the update Internet Explorer Compatibility View List just sat there until I decided to install them.

 

I like it. maybe one day i'll use a vire scanner again? but I guess not during the beta.

 

Probably because the time you set for the automatic installation hasn't come yet. So when windows ran automatic update so it could get the updates for MSE the other 2 updates were downloaded as well however you will notice the automatic setting for WU allows you to set a particular time for the updates to be installed.

 

But is it so bad to have it set on automatic updates, I mean, most updates can be uninstalled, right?

 

True... but I have been on the "wrong end" of some windows updates in the past, in that some of them have caused more harm than good.

So to avoid that I have automatic updates turned off and I manually check for updates myself instead. For me this is just a personal issue but for some users this won't be a problem.

 

Windows Update in Automatic mode is a show-stopper. Period.

That will likely change since that will never fly in a corporate environment.

 

But that's what MSFT Forefront Client Security is for. MSE is only for individual consumers.

 

Most of the companies use Group policy to manage Windows Update in client machines.

 

You can set exceptions.

 

MSE doesn't update it's malware definitions everyday automatically even if Windows Update is set to install updates everyday.

 

I tried that. See image below (it made no difference):

 

Try excluding the location as well.

 

+rep to you. That did the trick! Thanks

 

Awesome. Thought the problem might have been with dlls, so that was my first guess.

 

anyone know when the beta will be open to the public again? Or the RC?

 

Download

 

I like it, and it does not require Automatic Updates. I was using it with where Windows let me know if updates were available and could update it manually from within MSE.

 

I just switched over to MSE, got it from Softpedia as I am in a location not available for download. I like it, light on resources and simple to use. Made the switch due to Avira Antivir not working on Windows 7 RTM. Avira was fine for Windows 7 RC.

 

Seems strange that Avira would work with W7 RC but not W7 RTM. If that's the case then Avira better get busy and release a compatible version before October 22nd.

 

avira works fine with my windows 7 rtm though i have avira premium

 

I can confirm that Avira Free is working fine here on 7 RTM x64. The only issue is that the "avgnt" entry that used to be in the registry where we add the "/nosplash" to remove the Splash screen, for some strange reason I have no "avgnt" entry in mine.

 

In 64-bit, avgnt should be under "HKLM/ Software/ Wow6432node/ Microsoft/ Windows/ Current version/ Run/ "

 

For those who missed the download a mirror is here
I dare say the integration is better than anything out there afterall it is their own software.

 

interesting, when is the official release? I really hope it's before October 22.