Testing Microsoft Security Essentials

Visit web page about the EICAR Anti-Malware Test File http://www.eicar.org/anti_virus_test_file.htm and locate some downloadable content near the bottom locate the downloads section.

Multiple things are likely to happen when the malware is detected. The more noticable may be that a notification is made in the lower-right corner of the screen. However, that notification is temporary and goes away. The second thing, which doesn't change if action is still needed, is that the icon in the “system tray”, also known as the “message notification area”, turns red. (This is located where there may be several icons, next to the clock in the (usually lower-right) corner of the screen.) The icon looks like a building with a flag over it. Basically, this icon may look red when the program first starts up (because it hasn't yet verified that protection images are up to date), but at any other time, that building being red is likely a problem. In this case, it is because Microsoft Security Essentials detected something that it is treating like malicious software. Another thing that will happen is that if the “Microsoft Security Essentials” program is opened, the top banner that says “Computer status - ” will no longer be green and say “Protected”. Instead, the banner will become red and the computer status will be considered “At risk”. On the “Home” tab of a computer with a detected threat, the monitor will be shown with a red background and there will be a red “Clean computer” button (with a “Show details” link, which provides additional options on how to respond, located under that “Clean computer” button).

One of the less noticable things may be that a ten minute counter starts. Microsoft Security Essentials Reviewers Guide (converted from Word Document to HTML by Google) notes, “Severe threats are automatically addressed by Microsoft Security Essentials after 10 minutes if no action is taken by the user.”

In the “Details” there is a hyperlink which, naturally, goes to the “Get more information about this item online.” redirection page hyperlinked to from MSE about EICAR.

From here, the “Clean Computer” may be selected.

Another option is to select the “Show details” link. This will bring up a new window that shows the details of the “Potential threat”.

The “Show details >>” button makes the window taller.

Hovering over some fields and/or buttons will show tooltips. (The “Hide details <<” button was pressed before these next couple of screenshots were taken.)

Since this isn't actually a malicious file, allowing it is safe to see how that works.

With Windows Vista, changing the “Recommendation” column to “Allow” may change the “Apply actions” button so that it has a shield icon, which indicates that “User Account Control” will get involved.

Choosing to “Apply actions” may cause some screens like the following to show up.

Applies actions, then...

After the EICAR test file is allowed, that file will not trigger any alerts nor interference by Microsoft Security Essentials. To re-enable protection for this file, go to the “History” tab, choose the “Allowed items” radio button, place a checkbox (which doesn't appear until “Allowed items” is selected) next to the specified file, and choose “Remove”.

Choosing this option does not (immediately) affect any existing file, but removes the program from the list of “Allowed items” so that detection for that file will act as normal (for real-time protection as well as any other scans that are initiated).

If the software is allowed, manual copies of the malware may be made, and the software may be manually removed. The way this is done is to go to the “History” tab. The lowest option is “Allowed items” which may show some items, even if “All detected items” does not show those items. Check the box next to the appropriate software and choose to “Remove”. Note that this does not mean to clean up the system by removing the offending files, but simply means to remove each selected category of items from the list of allowed items.