Why did Microsoft Security Essentials Knowingly Allow a Virus?

  • Question

  • I started my computer and was notified of updates. The updates were Microsoft Silverlight 6.0 MB and Microsoft Security Essentials. I updated. I shut down my computer and went to work. I came back and started my computer and received a popup that Java failed to start, click here to fix. It was only through quick thinking and experience that I avoided a disaster. I shut down my computer and restarted in safe mode with networking. I opened MSE and the virus was listed in the history and the action taken was allowed. Allowed, my settings are Quarantine for all 4 levels. How can MSE allow a virus when it knows it is a virus? I did a full scan and MSE said No threats were found. No threats, it is a Virus! Since the virus was listed in History in all detected items there is no option to remove it. It was not listed in Quarantined or Allowed. I went to OneCare Safety Scanner, No help there also! I did a system restore (which might not have worked had I let the virus scan my computer). I have always said system restore is last option. I have fixed every problem to date and never used system restore before. I volunteer on Microsoft TechNet and Microsoft Answers forums and this is my very first question. My system log below shows the virus. My blood is boiling over!!!!!!!!

     

    Log Name:      System
    Source:        Microsoft Antimalware
    Date:          14/02/2011 6:12:37 PM
    Event ID:      1116
    Task Category: None
    Level:         Warning
    Keywords:      Classic
    User:          N/A
    Computer:     Removed for security

    Description:
    Microsoft Antimalware has detected malware or other potentially unwanted software.
     For more information please see the following:
    http://go.microsoft.com/fwlink/?linkid=37020&name=Rogue:Win32/FakeRean&threatid=2147607809
      Name: Rogue:Win32/FakeRean
      ID: 2147607809
      Severity: Severe
      Category: Trojan
      Path: process:_pid:3920
      Detection Origin: Unknown
      Detection Type: Heuristics
      Detection Source: System
      User: NT AUTHORITY\SYSTEM
      Process Name: C:\Users\Removed for security\AppData\Roaming\defender.exe
      Signature Version: AV: 1.97.1671.0, AS: 1.97.1671.0, NIS: 9.1.0.0
      Engine Version: AM: 1.1.6502.0, NIS: 2.0.5854.0
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft Antimalware" />
        <EventID Qualifiers="0">1116</EventID>
        <Level>3</Level>
        <Task>0</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2011-02-14T23:12:37.000Z" />
        <EventRecordID>34500</EventRecordID>
        <Channel>System</Channel>
        <Computer>Removed for security</Computer>
        <Security />
      </System>
      <EventData>
        <Data>%%860</Data>
        <Data>3.0.8107.0</Data>
        <Data>{79A27CE3-F762-45FC-8CD8-B95DF3C298F4}</Data>
        <Data>2011-02-14T23:12:07.157Z</Data>
        <Data>
        </Data>
        <Data>
        </Data>
        <Data>2147607809</Data>
        <Data>Rogue:Win32/FakeRean</Data>
        <Data>5</Data>
        <Data>Severe</Data>
        <Data>8</Data>
        <Data>Trojan</Data>
        <Data>http://go.microsoft.com/fwlink/?linkid=37020&amp;name=Rogue:Win32/FakeRean&amp;threatid=2147607809</Data>
        <Data>1</Data>
        <Data>
        </Data>
        <Data>1</Data>
        <Data>2</Data>
        <Data>%%820</Data>
        <Data>C:\Users\Removed for security\AppData\Roaming\defender.exe</Data>
        <Data>NT AUTHORITY\SYSTEM</Data>
        <Data>
        </Data>
        <Data>process:_pid:3920</Data>
        <Data>0</Data>
        <Data>%%844</Data>
        <Data>3</Data>
        <Data>%%848</Data>
        <Data>1</Data>
        <Data>%%821</Data>
        <Data>0</Data>
        <Data>9</Data>
        <Data>%%887</Data>
        <Data>
        </Data>
        <Data>0x00000000</Data>
        <Data>The operation completed successfully. </Data>
        <Data>
        </Data>
        <Data>0</Data>
        <Data>0</Data>
        <Data>No additional actions required</Data>
        <Data>
        </Data>
        <Data>
        </Data>
        <Data>AV: 1.97.1671.0, AS: 1.97.1671.0, NIS: 9.1.0.0</Data>
        <Data>AM: 1.1.6502.0, NIS: 2.0.5854.0</Data>
      </EventData>
    </Event>

    Tuesday, February 15, 2011 2:43 AM
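One check worth running on events like the one quoted above, as an added example that is not code from the thread: in the Microsoft Antimalware provider, event 1116 records a detection and event 1117 records the action taken on it, and both carry the same Detection ID GUID, so a 1116 with no matching 1117 is a detection that nothing was done about. The zero-based field positions below are read off the event on the page (threat name, process name and path line up with the rendered Description; treating positions 29 and 30 as the action ID and its name is an assumption about the same layout), `%%nnn` values are message-table references that Event Viewer resolves and this script leaves unresolved, and the second detection and the 1117 event are constructed fixtures.

```python
"""Correlate Microsoft Antimalware detection events (ID 1116) with the
action-taken events (ID 1117) that should follow them, and list detections
that no 1117 ever acted on.

Added example, not code from the original thread. Positional field indexes
follow the EventData layout of the 1116 event quoted on the page; the second
detection and the 1117 event below are constructed fixtures.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Zero-based <Data> positions as they appear in the event on the page.
# Threat name, process name and path match the rendered Description there;
# treating positions 29/30 as the action ID and its name is an assumption.
IDX_DETECTION_ID = 2
IDX_THREAT_NAME = 7
IDX_PROCESS_NAME = 18
IDX_PATH = 21
IDX_ACTION_ID = 29
IDX_ACTION_NAME = 30
DATA_FIELDS = 42  # number of <Data> elements in the quoted event


def parse_event(xml_text):
    """Pull the fields this check needs out of one <Event> document."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    data = [(d.text or "").strip()
            for d in root.find("e:EventData", NS).findall("e:Data", NS)]
    return {
        "event_id": int(system.find("e:EventID", NS).text),
        "time": system.find("e:TimeCreated", NS).get("SystemTime"),
        "detection_id": data[IDX_DETECTION_ID],
        "threat": data[IDX_THREAT_NAME],
        "process": data[IDX_PROCESS_NAME],
        "path": data[IDX_PATH],
        # %%nnn values are message-table references that Event Viewer
        # resolves to text; they are reported unresolved here.
        "action_id": data[IDX_ACTION_ID],
        "action_name": data[IDX_ACTION_NAME],
    }


def unacted_detections(events):
    """Return parsed 1116 events whose Detection ID never appears in a 1117."""
    parsed = [parse_event(e) for e in events]
    acted = {p["detection_id"] for p in parsed if p["event_id"] == 1117}
    return [p for p in parsed
            if p["event_id"] == 1116 and p["detection_id"] not in acted]


def make_event(event_id, detection_id, threat, process, path, action_id, action_name):
    """Build an <Event> document in the page's layout (constructed fixture;
    fields this example does not use are left empty)."""
    fields = [""] * DATA_FIELDS
    fields[IDX_DETECTION_ID] = detection_id
    fields[IDX_THREAT_NAME] = threat
    fields[IDX_PROCESS_NAME] = process
    fields[IDX_PATH] = path
    fields[IDX_ACTION_ID] = action_id
    fields[IDX_ACTION_NAME] = action_name
    body = "".join("<Data>%s</Data>" % escape(f) for f in fields)
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        '<System><Provider Name="Microsoft Antimalware" />'
        '<EventID Qualifiers="0">%d</EventID>'
        '<TimeCreated SystemTime="2011-02-14T23:12:37.000Z" />'
        '<Channel>System</Channel></System>'
        "<EventData>%s</EventData></Event>" % (event_id, body)
    )


# Fixture 1: the detection quoted on the page (values copied from it).
PAGE_DETECTION = make_event(
    1116, "{79A27CE3-F762-45FC-8CD8-B95DF3C298F4}", "Rogue:Win32/FakeRean",
    r"C:\Users\Removed for security\AppData\Roaming\defender.exe",
    "process:_pid:3920", "9", "%%887")

# Fixture 2: a constructed detection that a constructed 1117 did act on.
# Real events carry numeric action IDs and %%nnn resource references in
# these fields; the values here are placeholders for readability.
OTHER_DETECTION = make_event(
    1116, "{00000000-0000-0000-0000-000000000001}", "Constructed:Win32/Fixture",
    r"C:\Users\example\AppData\Local\Temp\x.exe",
    r"file:_C:\Users\example\AppData\Local\Temp\x.exe", "", "")
OTHER_ACTION = make_event(
    1117, "{00000000-0000-0000-0000-000000000001}", "Constructed:Win32/Fixture",
    r"C:\Users\example\AppData\Local\Temp\x.exe",
    r"file:_C:\Users\example\AppData\Local\Temp\x.exe", "0", "placeholder-action")

SAMPLE_EVENTS = [PAGE_DETECTION, OTHER_DETECTION, OTHER_ACTION]

if __name__ == "__main__":
    for d in unacted_detections(SAMPLE_EVENTS):
        print("%s  %s  %s  action=%s (%s)  no 1117 followed" % (
            d["time"], d["threat"], d["process"], d["action_id"], d["action_name"]))
```

On a live machine the input list can be built from `Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Microsoft Antimalware'; Id=1116,1117}` by calling each record's `ToXml()` method. Only the page's own detection comes back from the fixtures above, because the constructed one has a 1117 with the same Detection ID.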

Answers

  • Well the allow is most likely put there by the virus program, and the options were blocked by the virus program. What I meant by MSE allowed it is, MSE programmers know about this virus yet their definitions were not good enough to stop it so it was allowed. My MSE was totally up to date and Real Time Protection was on. Thanks for the bad day MSE!
    Wednesday, February 16, 2011 4:33 AM
  • Hi,

    When was the virus recorded in the history? Before the update? If so, the update refreshed the definition of the virus data, and the "virus" was proven to be safe. It might be a component from a third party software.

    Regards,


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Friday, February 18, 2011 8:42 AM
    Moderator

All replies

  • The same thing happened to me, I also had to do a system restore, I don't understand why MSE says that it should be removed, yet it allows it.

    td

    Wednesday, February 16, 2011 3:06 AM
  • I too am having a problem with MSE allowing things that are detected.  Under Settings, Default Actions, all four alert levels are set to Remove.  However, occasionally I'll check the History tab and see that I have detected items listed and the action taken section says ALLOWED.  How can this be?
    Sunday, April 10, 2011 4:04 PM