Here's my picture -- it's not from any deep study or information everyone
else doesn't have, so it may not be completely accurate.
msmpeng.exe =windefend=windows defender Service. This is a system service,
started at boot, which provided Real-Time protection.
MpCmdRun.exe is a command-line user mode executable which does two things:
1) it initiates and monitors requests for signature updates, and 2) it does
scanning--both scheduled and on-demand or custom scans.
MSASCui.exe is the user interface that talks to the other two, which really
do the work.
MPCmdRun talks to the Internet to get signatures before a scan, if your
settings request that, and to report scan results to spynet at the end of a
scan, if you've chosen to take part in spynet.
The Real-time protection service I would expect to need information from
Spynet each time it finds something not yet classified. and to report
finding known malware, again, of spynet reporting is enabled. These are
just my thoughts--I don't have inside information about exactly when and why
each of these executables talks out or accesses information across the
Internet.
This is not the old Microsoft Antispyware--it is quite a bit more
sophisticated. Also note that the icon is associated with MSASCui.exe,
which is not the app providing real-time protection nor the app doing the
scans. It just provides an interface to control and communicate with them.
