Configuring Microsoft Security Essentials

This page contains some recommendations on setting up the “Microsoft Security Essentials” software.

Be thorough

Go ahead and click on the “Settings” tab. The “Scheduled scan” screen will show up. Change the “Scan type:” from the default “Quick scan” to the only other option, “Full scan”.

but not too thorough
Don't waste time asking if you're lying to yourself

The TechAt blog about MSE CPU usage recommends excluding MsMpEng.exe from the scan. Specifically, the entire path should be specified. That path may be "C:\Program Files\Microsoft Security Client\MsMpEng.exe" on some operating systems, or under C:\Program Files\Windows Defender in Windows 8 and 8.1 (and presumably somewhere else with SCCM 2012R2).

Otherwise, Nestor's commentary on SuperUser.com indicates that virus scanning may push CPU usage up to around 45%.

Also, in the “Default actions” section, a hyperlink to a (redirection) web page leads to a description of recommended actions. For the “Severe” and “High” alert levels, which only have options for “Recommended action”, “Remove”, or “Quarantine”, the web page notes that for alerts “about potential threats that are severe or high, the recommended action is to remove these programs.” If automatic deletion of data that is detected as a threat is undesirable (perhaps out of concern about false detections), either change those two alert levels to “Quarantine” as the default action, or uncheck the “Apply recommended actions” checkbox (which applies to all alert levels). If that is unchecked, MSE will still place files into a suspended status and alert the user, who can then decide whether to take an action (which the user can specify at that time).

The “Advanced” section of “Settings” has some other options that one may wish to change:

  • Unchecking “Scan archive files” may help prevent unintentional changes.
    • If archive files are being used to save data in the long term, then this box should probably be unchecked so that files are not getting changed during routine scans. (The archive files shouldn't be posing any danger until data is being extracted, at which point the Real-time protection should catch any problems.)
    • The danger of archive files being modified might be less of a threat if the “Apply recommended actions” checkbox was unchecked in the section called “Default actions”.
  • Checking the “Create a system restore point” box (if that is unchecked by default?) can help recovery if problems occur. “Create a system restore point” (daily before cleaning) likely isn't a bad idea unless that ends up using too much disk space.
  • Unchecking the “Remove quarantined files after:” checkbox will prevent automatic deletion of files that should be safe. (The whole point of the quarantine is to make sure that the files are safe.) This way, administrators (who can manually delete the files if the files deserve it) are under no time pressure to review data, and don't need to worry about accidental deletion of data that may be worth further study.
  • Enabling “Scan removable drives” will increase protection, although it may cause a very notable amount of slowdown.
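
The same choices as a read-only audit with an optional apply step, for the Windows Defender built into later Windows versions rather than MSE itself. This is an added example, not from the original page: it assumes the `Defender` PowerShell module and an elevated prompt, `-Apply` is a hypothetical switch name, and the “Apply recommended actions” checkbox has no counterpart in it.

```powershell
# Added example, not from the original page. Assumes Windows Defender with the
# built-in "Defender" PowerShell module and an elevated prompt.
param([switch]$Apply)   # hypothetical switch: write the values as well as report

# Want = value as Get-MpPreference reports it; Set = value given to Set-MpPreference.
$desired = @(
    @{ Name = 'ScanParameters';                 Want = 2;      Set = 'FullScan'   }  # scheduled scan type
    @{ Name = 'SevereThreatDefaultAction';      Want = 2;      Set = 'Quarantine' }  # instead of Remove
    @{ Name = 'HighThreatDefaultAction';        Want = 2;      Set = 'Quarantine' }
    @{ Name = 'DisableArchiveScanning';         Want = $true;  Set = $true  }        # "Scan archive files" unchecked
    @{ Name = 'DisableRestorePoint';            Want = $false; Set = $false }        # restore point before cleaning
    @{ Name = 'QuarantinePurgeItemsAfterDelay'; Want = 0;      Set = 0 }             # 0 = keep quarantined items
    @{ Name = 'DisableRemovableDriveScanning';  Want = $false; Set = $false }        # scan removable drives
)
# Path assembled from the Windows 8/8.1 folder named on the page.
$exclusion = 'C:\Program Files\Windows Defender\MsMpEng.exe'

# Compare each current value with the wanted one; nothing is changed here.
$current = Get-MpPreference
$report = @(foreach ($d in $desired) {
    $have = $current.($d.Name)
    [pscustomobject]@{ Setting = $d.Name; Current = $have; Wanted = $d.Want; Matches = ($have -eq $d.Want) }
})
$excluded = @($current.ExclusionProcess) -contains $exclusion
$report += [pscustomobject]@{ Setting = 'ExclusionProcess'; Current = $excluded; Wanted = $true; Matches = $excluded }

if ($Apply) {
    # Write one setting per call so a failure names the setting involved.
    foreach ($d in $desired) {
        $arg = @{}
        $arg[$d.Name] = $d.Set
        Set-MpPreference @arg
    }
    if (-not $excluded) { Add-MpPreference -ExclusionProcess $exclusion }
}
# The table shows the state found before any -Apply changes were written.
$report | Format-Table -AutoSize
```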

More settings worth customizing

There is another section, below the “Advanced” section. This may now be called the “MAPS” section (which stands for “Microsoft Active Protection Service”). Older versions of Microsoft Security Essentials called this the “Microsoft SpyNet” section.

One can choose to participate in the “Advanced membership”, which allows file locations, information about how detected software operates, and resulting impacts to be sent to Microsoft as additional information. (By scrolling down that page, a hyperlink can be seen which goes to a redirect address sending web visitors to a “Microsoft SpyNet privacy statement.”)