RESET Forums (homeservershow.com)

WHS 2011 and Antivirus


pcdoc

A story broke last week about a problem with Microsoft Security Essentials and Microsoft Forefront. I'm not sure which exact engine versions, but the ones affected apparently share the same definition files between MSE and Forefront. What happened was that Google Chrome got flagged as a Trojan and removed, for only about three thousand folks. Microsoft caught the issue fast, but with Forefront at the edge of an enterprise, it's suspected many corporate intranets had far more machines affected. Here's the whole story:

http://www.zdnet.com...gle-chrome/4006

 

That's pretty fast reaction time, and not a big deal really, although it might not be entirely over quite yet:

http://www.informati...virus/231700163

 

Today, I heard a timely "Security Now with Steve Gibson" podcast, where he gives a great rundown of heuristic scanning in antivirus products, and the fundamental problems with how current antivirus products handle sophisticated attacks. He also talks about the MSE/Chrome story as well. The shownotes link here:

http://twit.tv/show/security-now/321

mention the Chrome issue. But actually listening to the first 20 minutes or so of the podcast is better.

 

I'm hoping to get definitive answers, so I can alleviate worry about this, and move on to more fun projects frankly, like finishing moving from old hardware to a nice new Core i7 with lots of elbow room.


Coincidence? I think not.

 

Besides, I haven't seen one enterprise operation to this point allowing their users to run Chrome, and most severely limit Firefox.


Joe_Miner, your assessment of the situation is greatly appreciated, I so appreciate your stepping in (while I was away for a day), and putting up so much great info!

 

You found the perfect document at http://technet.micro...y/bb625083.aspx, it sure would have saved me some trouble figuring out the install (I get impatient), but now it's here, and this is great!

 

I haven't decided if I should re-do all my screenshots and video, just for this change in launch method, it's all so time consuming (yours is the legit way that Microsoft intended, mine is the lazy way with no commands to memorize). It sure looks like the end result is exactly the same (both ways kick off the MSI). I've now added addendum/notes to my posts.

 

More important, I'm also working to try to get more info on what is going on with the future of antivirus solutions at Microsoft, since we don't all want to be wasting our time learning something if it doesn't have much life left and/or is unsupported.

 

Just a footnote: having been a user of some competitor's antivirus products for about a decade, I never really saw much difference between server products and client products, perhaps Microsoft stuff is similar. I'm not talking about virus signature distribution and/or AV install mechanisms (those are server components), I'm just talking about the client install that goes with those deployment features. Generally, a client looks just like a client whether installed on a server OS or a client OS, with daily quick scans, etc. So, as long as the vendor doesn't actually prevent the client product from installing on a server OS, and the signatures are updated regularly, I'm not that worried about using Forefront Client Security for now (instead of nothing), since it at least seems to be stable and frequently installed, and works an awful lot like MSE from a usability perspective.

 

Thanks for your very nice comment. Sorry I wasn't a little faster getting that document out there -- it had been a quest for a while to figure out how to make Forefront work on WHS (since it seemed it should) so I had been spending quite a bit of time off and on going through TechNet's library. As one would expect I even learned something along the way :)

 

As far as I can tell the end result is the same -- IMHO, I wouldn't change your video one bit -- It was very educational to me how you zeroed in on which msi actually loaded and I appreciated the work you put into it -- I think it's good for folks to see both ways.

 

I am very curious too about what Microsoft is doing about antivirus solutions. I agree with your footnote too.

 

The problem is.... The more I see of Forefront the more I like it -- I don't see why MS doesn't have a version out there for WHS -- it could check for a valid WHS OS and then load. With a decent AV solution and the emerging DE solutions I would expect MS would sell a lot more. Right now I have no answer I could recommend for friends or family who wanted a home server short of spending a lot for an AV or just disabling external access and running without protection (except Windows Defender -- more on that interesting dev).

 

Another solution would be for MS to expand Windows Defender and add AV to it. Come to think of it I thought I saw an AV def file in the Win 8 developers version of Windows Defender so maybe that's where we're going. Go to Windows Defender in Win 8 and click update and it will say it's installing the latest "virus and spyware definitions" from Microsoft!

 

Jumping into Win8 and going to Windows Defender -- when I update Windows Defender it says it's installing the latest virus and spyware definitions from Microsoft

1WinDefUpdate2011-10-08.jpg

Note that the Virus Definitions and Spyware definitions files are versions 1.113.1237.0

2WinDefDefFiles2011-10-08.jpg

It had been a while since Windows Defender had done a scan in Win8 (I had it hibernating) -- after the scan everything was green

Now note the definition file versions in the current FF on WHS-2011

3FFonEnterpriseAVDeffs2011-10-08.jpg

and when we check MSE the Virus and Antispyware definition file numbers are the same!

4MainMSEDefFiles2011-10-08.jpg

 

Hummmmmmmmmmmmmmmmmmmmmm!

Edited by Joe_Miner

Just for fun I remoted into my other VM running WHS-2011 -- same definition files (this is the VM I tried loading FF on originally and it has been running continuously since then -- about a week -- without a hiccup as far as I can tell).

5FFonHalAVDeffs2011-10-08.jpg

Edited by Joe_Miner

I went ahead and created a video entitled "Forefront Client Security Doesn't Affect Home Server Backup Speed Significantly"

 

Along the way, I answer how to determine how long a backup actually takes (since the Dashboard no longer tells you), something I mentioned I was hoping some add-on could do:

http://homeserversho...__fromsearch__1

 

And you'll see in the video that unless you're doing a Full System Scan, the impact of Realtime Virus Scanning being left on is not noticeable. Nor is the impact of a quick scan (daily) being done during backups.

 

In other words, yeah, it's still looking like a good, lightweight product, after a week of use on my WHSv1 and 2011-based servers.

 

Love your great screenshots showing Windows 8 is using the same definition! It sure seems like all Microsoft Antivirus products are rather similar, from a usability perspective, a good thing.

 

From a vulnerability perspective, well, that's another story, but at least it appears Microsoft acted fast with the recent "Google Chrome flagged as a Trojan" incident, minimizing impact across all their antivirus products. It's nothing like the black eye a security company faces when a machine won't boot or bluescreens. There's frankly been so little negative to say about MSE for >1 year now, so it seems it's just a minor bump in the road.



Great video and demo.


looks like we may have another option soon:

 

Microsoft Forefront Endpoint Protection 2012 (Prerelease)

 

client install looks to be able to go on Server 2008

 

http://technet.micro...y/hh184327.aspx

 

I had spotted that in MSDN or somewhere, but since it was beta and my focus was to try to go live now, I actually forgot to mention it in my blog posts, thank you welchwerks!

 

Sure would be more reassuring if any home server variant were listed in the list of OSs though, making the likelihood higher that the installer will run and the product will be supported, but that's all conjecture. Will have to circle back and take a look at antivirus solutions, once it actually comes out (GA). By then, we'll hopefully all have some more information directly from Microsoft on this matter.


Great stuff! It's really very helpful for me. I use Avast because it works well, updates regularly, alerts of potential viruses quickly, and has been around a long time with a good reputation.
