windows live onecare

  • Thread starter Thread starter Warren
  • Start date Start date
W

Warren

have any of you ever used windows live onecare...a waste of $50.00. Now i
know why they are discontinuing it. it finds NOTHING and i have to run
antispyware and antimalware to keep my pc clean. please suggest the best
free protection for my machine since i won't be using this one anymore.
 
From: "Warren" <[email protected]>

| have any of you ever used windows live onecare...a waste of $50.00. Now i
| know why they are discontinuing it. it finds NOTHING and i have to run
| antispyware and antimalware to keep my pc clean. please suggest the best
| free protection for my machine since i won't be using this one anymore.

Avira AntiVir used in conjunction with Malwarebytes' Anti Malware.
 
msnews.microsoft.com said:
I agree with you about Live Onecare. it did suck.

That said - Windows now has Microsoft Security Essential at
http://www.microsoft.com/security_essentials/

which seems to be working for me.
It found 2 infections that Norton 360 did not.
So far, I like it.

To clarify, the anti-virus engine used in MSE is different than the one that
was used in OneCare. That is, you aren't stuck with the same bad AV that
was in OneCare.
 
Warren said:
have any of you ever used windows live onecare...a waste of $50.00. Now i
know why they are discontinuing it. it finds NOTHING and i have to run
antispyware and antimalware to keep my pc clean. please suggest the best
free protection for my machine since i won't be using this one anymore.

Basically what you are really asking is what other users are currently
using. Even after trialing several products and users deciding what they
like best, you are still going to get responses that reflect what users have
chosen as their current security suite. So, with that in mind, here is my
setup:

- Avast! 5 (fully operable so using its on-access scanner).
o Free version.
o Not all "shields" are installed since I don't need them (I don't use
prattle IM clients or P2P file stealing) or they can be problematic
(like timeouts due to delays in e-mail traffic from the scanning). I
only installed the following shields:
* Web shield (with intelligent streaming disabled)
* Network shield
* File shield
o Prior free versions only let you do a quick scan (ashquick.exe) that you
could schedule in Task Scheduler. V5 lets you add a schedule to both
the quick and full scans so, for example, you could quick scan on
Mon-Sat and full scan on Sun.
o Unlike Avira, Avast lets you schedule how often to check for updates
with a single setting. With Avira, you will need to add more scheduled
jobs that do an update check (recommended since the free version of
Avira hits the same server for all users which makes it busy and it
could be 3 days before you get an update if you just go with the default
1-per-day update scheduled job).
o The free version of Avira does not include their web shield. Avast
includes their web shield in their free version.
o Avira free version does not include the e-mail scanner (but often you
end up having to disable it for other AV products due to the problems it
creates).
- MalwareBytes AntiMalware
o Free version.
o Does not include an on-access (real-time) scanner. This is actually
desirable to avoid conflict with whatever is your AV program of choice.
o There is no option to check for updates before running a manual scan.
The update dialog is also on a different tab. Be sure to do an update
before you run a manual scan.
- SuperAntispyware
o Free version.
o Disable the on-access (real-time) scanner. Used only as an on-demand
(manual) scanner to avoid conflict with other security software.
o Be sure to update before scanning. It has an option to ensure checking
for updates before you run a manual scan.
- WinPatrol
o Free version.
o Does not include an on-access scanner.
o Polls at intervals for changes to system to alert on critical
modification.
* Change the default poll interval for all monitors down to 1 minute.
Waiting 5 minutes to find out something changed is too long.
- ReturnNil Home
o Lets you make changes to your system which are obliterated when you
reboot (or you can choose to keep the changes).
o Any install that requires a reboot would be obliterated if ReturNil were
active since it discards all changes made to the virtual disk (so
ReturNil is not useful for any install that requires a reboot - instead
use a virtual machine, like VirtualPC 2007, VMware Server, or
VirtualBox).
o Can be configured to activate on Windows startup. Handy when giving a
host to kids or strangers since a reboot wipes everything they changed.
o Microsoft's similar product is called SteadyState.
- SpywareBlaster
o Free version.
o No on-access scanner (this product isn't potent enough to use for
real-time scanning, anyway).
o Usefuleness lies in adding ActiveX killbits in the registry to prevent
known malware from running. This is passive but always-present
protection.
o Can add "bad" domains to Restricted Sites security zone to neuter them.
* This does not prevent sites from relaying content from those bad
sites. It merely disables many HTML features if and when you visit
those sites.
o Can add "bad" domains to the cookie blacklist in the web browser.
- Virtual Machine (VM)
o Free version(s).
o VirtualPC 2007 (have also used VMware Server and VirtualBox in the
past).
o Provides isolation of an application by running it inside a guest OS
instead of on your host OS.
o Legally you will need another license of Windows if you want to run an
instance of it in a VM.
* Windows 7 comes with XP Mode which is a licensed copy of Windows XP
SP-3 (but which is legal only under that instance of Windows 7 so
there is no portability). You install XP Mode (since Microsoft didn't
include it as an install-time option) and follow with an install of
VirtualPC.
o VM is more protective than using a sandbox (e.g., Sandboxie) to isolate
an application. They make an excellent environment under which to test
unknown or untrusted software.
* With the effort and side effects of using a sandbox, the setup and use
of a VM is no more difficult than a sandbox but a VM affords more
isolation.
* Sandboxie is probably the only currently support (and least flaky)
sandboxing program available.
- The free version turns into nagware after the 1-month trial period.
- The free version does not have the option to force every instance of
a program to get sandboxed, like a child process for a web browser
started by clicking on a URL link in a message in an e-mail. Only
the paid version has the force option. By reducing privileges on
normal Internet-facing apps and using a VM as a test environment, I
get covered on lower and higher levels of isolation that what is
afforded by a sandbox.
- Of course, with a sandbox, you don't need another license for
Windows to run it inside a VM.
- PC Tools Firewall Plus
o Free version.
o Includes both firewall (with rules for which apps are allowed to connect
to the network) and HIPS (Host Intrusion Protection System) which are
rules as to which apps can even load or what actions they can perform
with other apps.
o Includes a whitelist of known good apps to reduce the number of prompts
to the user to make a decision.
o Alternatives are Tall Emu's Online Armor and Comodo Firewall (both are
firewall + HIPS).
* Online Armor has its Run Safer feature which can force apps, like the
web browser, to run under reduced privileges (same as if you had
logged under a limited user account). Running an app under a LUA
(limited user account) token restricts what actions a malware can
commit if its infection vector is through the restricted app (web
browser, e-mail client, newsreader, or other Internet-facing app).
* Comodo Firewall has its sandbox (which is not a full sandbox but still
provides some isolation). You can add an app, like the web browser,
to the sandbox but disable file/registry virtualization to only force
that app to run under a LUA token. (Note: Comodo still needs to work
on their sandbox as it is still to flaky in its operation.)
* Both Online Armor and Comodo include whitelists of known good apps.
o Unlike Online Armor but like Comodo Firewall, PC Tools will will let you
specify rules as to WHERE an app may connect.
* For example, you may want an app to phone home to check for updates
and nuisance you with alerts that a new version is available,
especially if you have already tested that new version and have
problems with it or otherwise decide you don't want it. But you could
let that same app connect everywhere else.
o All firewall+HIPS products suggested here:
* Can be quickly disabled by right-click on their tray icon. For
example, you will need to disable them when visiting the Windows
Update site so you can install updates to Windows or Office.
* All these products are at the top of Matousec's list of best
firewalls (http://www.matousec.com/).
o While both Online Armor and Comodo Firewall have the means of forcing
the web browser (or any app) to run under a LUA token (to reduce it
privileges and throttle any malware through that infection vector), PC
Tools is lacking in this feature. See the next point about using SRPs
to restrict applications.
- Software Restriction Policies (SRPs)
o Every version of Windows from XP and on up (not sure about 2000) can
have an SRP rule defined to restrict a program. The available choices
for a security level in an SRP rule are:
* Unrestricted: App runs at the same privileges as your Windows account.
* Blocked: App is never allowed to run.
* Basic User: Available in Windows Vista and up, hidden in Windows XP
but can be added via a registry edit. Restricts the program to run
under a limited user account's privileges.
o By using an SRP rule to force a program to run under an LUA token, you
get the same benefit as Online Armor's Run Safer option or Comodo's
firewall with its sandbox (but with file/registry virtualization
disabled for that app). So I can combine PC Tools Firewall Plus with
SRP to give me the same functionality as, say, Online Armor with its Run
Safer option but I get better detailed control in PC Tools firewall
rules than I do in Online Armor's firewall rules. I have several
outstanding problems with Comodo Firewall (see their forums by searching
on my moniker there) and why I don't use that product.
o SRP is available already in Windows and requires no addition software
installation from 3rd party vendors.
o You can still run the app without restriction. SRP path rules are based
on, yep, the path you specify to the program so the same executable in a
different path won't have that SRP rule applied against it.
o How to setup an SRP rule (and how to get the Basic User security level
added to Windows XP) is too lengthy for this already long post. If you
want more info on using SRP that is part of Windows, ask for more info
and I can spew out my canned response.
- GeSWall (isolation + policy enforcement)
o Free version.
o Only isolates web browsers and some prattle (IM) clients.
o Is not a proper sandbox but does provide some virtualization to isolate
an application.
o Instead of using Windows' privileges assigned to an app, it enforces its
own access control rights on the isolated app.
o I don't currently use this anymore because it can get in your way too
much. It can interfere with the functions of an app. It is designed to
be transparent but isn't quite invisible. I would still be using
GeSWall except for the interference it has in how an app can operate.
o More restrictive in its policies than those afforded by using an SRP
rule.
o Tracks any downloads using the app (web browser) to make them run
isolated, too. When you run the downloaded app, you have the choice of
running it isolated or unisolated (so an install you download can
actually do the install to your host if you opt to do so).
o Easy switch an app from isolated to unisolated. A "G" icon gets added
to the titlebar of the isolated app. If you want to run it unisolated,
click on the G and select to restart as unisolated. A bit easier than
having to right-click on a tray icon to disable all protection,
especially when you only want one instance of the app to be unisolated.
o Does NOT prevent malware files from getting deposited onto your host.
Only prevents them from committing their malicious action.
o Between having an anti-virus and firewall+HIPS security software, VMs,
and SRP rules, GeSWall becomes pretty superfluous. It's when you don't
have all those other techniques that GeSWall will shine.
 
VanguardLH said:
To clarify, the anti-virus engine used in MSE is different than the
one that
was used in OneCare. That is, you aren't stuck with the same bad AV
that
was in OneCare.

Which engines are in MSE now? All I can find is references to Forefront
and earlier.
 
Warren said:
have any of you ever used windows live onecare...a waste of $50.00.
Now i
know why they are discontinuing it. it finds NOTHING and i have to
run
antispyware and antimalware to keep my pc clean. please suggest the
best
free protection for my machine since i won't be using this one
anymore.

I never used OneCare.

I use Avast! free version on one laptop (Vista) and AntiVir free version
on the other (XP Pro). I'm depending on the fact that I can download and
execute Malwarebytes' Anti-Malware and SuperAntiSpyware free version as
I find the need. I use the native firewall on each even though I am
behind a rudimentary firewall in the form of a router. I use ClamWin
(when I'm bored) and have Windows Defender also running.

Then again, my needs may be simpler than yours.
 
FromTheRafters said:
VanguardLH wrote ...


Which engines are in MSE now? All I can find is references to Forefront
and earlier.

Yep, Forefront in MSE. It was their acquired GeCAD's RAV that they rolled
into their OneLive product. OneLive (with its GeCAD AV) always showed poor
coverage. Alas, in the Nov 2009 av-comparative.org testing, MSE (with its
Forefront engine) was also doing very, VERY poorly. Hopefully that will
jump up significantly in the next review due in another 3 months. This is
not the only way to measure effectiveness but does give some indication of
effectiveness.

http://www.microsoft.com/presspass/press/2003/jun03/06-10gecadpr.mspx
http://en.wikipedia.org/wiki/Windows_Live_OneCare

I don't recall ever seeing GeCAD in any av-comparative.org review (or it was
so long ago that I didn't recognize the name when I saw Microsoft acquired
this product). Could be they wouldn't submit a sample, didn't want the
results reported, or were so poor for coverage that they didn't make the top
listed products. OneLive (that used GeCAD AV) did get reported but started
out at a very low coverage, so low that I never bothered to retain any
memory about its coverage other than it sucked. Coverage grew slowly and
steadily but was never great. Anything under 95% is too low. It never
seemed a rationale choice since *free* AV products did so much better.
 
VanguardLH said:
Yep, Forefront in MSE.

I read in some blurb about MSE that the scanning system is based on the
same one in Forefront. Then I read some blurb about Forefront's scanning
being based on the AntiGen system, then found this:

=====================
Q. What antivirus scan engines are included with Antigen?
A. Antigen products support multiple scan engines from industry-leading
vendors. Below is a chart of what scan engines are available with each
product.
Microsoft Antigen for Exchange

Microsoft, CA InoculateIT, CA Vet, Norman, Sophos
=====================

I musta taken a wrong turn somewhere - are there multiple (and
non-Microsoft) scanning engines involved in MSE?
It was their acquired GeCAD's RAV that they rolled
into their OneLive product. OneLive (with its GeCAD AV) always showed
poor
coverage. Alas, in the Nov 2009 av-comparative.org testing, MSE (with
its
Forefront engine) was also doing very, VERY poorly. Hopefully that
will
jump up significantly in the next review due in another 3 months.
This is
not the only way to measure effectiveness but does give some
indication of
effectiveness.

I will check that out later, thanks.
http://en.wikipedia.org/wiki/Windows_Live_OneCare

I don't recall ever seeing GeCAD in any av-comparative.org review (or
it was
so long ago that I didn't recognize the name when I saw Microsoft
acquired
this product). Could be they wouldn't submit a sample, didn't want
the
results reported, or were so poor for coverage that they didn't make
the top
listed products.
:o)

OneLive (that used GeCAD AV) did get reported but started
out at a very low coverage, so low that I never bothered to retain any
memory about its coverage other than it sucked. Coverage grew slowly
and
steadily but was never great. Anything under 95% is too low. It
never
seemed a rationale choice since *free* AV products did so much better.

It always worried me just what type of malware existed in that last 5%.
While a detector that gets almost everything except the viruses with
polymorphic self-decryption routines could lead one to believe it is
adequate for protection from the most prevalent type of malware out
there (i.e. lame) - and have a good showing when measured against such
malware in its test set. Would be a complete failure if the threat
landscape suddenly changed to more sophisticated viruses.
 
From: "FromTheRafters" <erratic @nomail.afraid.org>


| I read in some blurb about MSE that the scanning system is based on the
| same one in Forefront. Then I read some blurb about Forefront's scanning
| being based on the AntiGen system, then found this:

| =====================
| Q. What antivirus scan engines are included with Antigen?
| A. Antigen products support multiple scan engines from industry-leading
| vendors. Below is a chart of what scan engines are available with each
| product.
| Microsoft Antigen for Exchange

| Microsoft, CA InoculateIT, CA Vet, Norman, Sophos
| =====================

| I musta taken a wrong turn somewhere - are there multiple (and
| non-Microsoft) scanning engines involved in MSE?

NO.

The engine is from the purchase of RAV and was the basis of Live OneCare and is successor
MSE.
 
David said:
From: "FromTheRafters" <erratic @nomail.afraid.org>



| I read in some blurb about MSE that the scanning system is based on the
| same one in Forefront. Then I read some blurb about Forefront's scanning
| being based on the AntiGen system, then found this:

| =====================
| Q. What antivirus scan engines are included with Antigen?
| A. Antigen products support multiple scan engines from industry-leading
| vendors. Below is a chart of what scan engines are available with each
| product.
| Microsoft Antigen for Exchange

| Microsoft, CA InoculateIT, CA Vet, Norman, Sophos
| =====================

| I musta taken a wrong turn somewhere - are there multiple (and
| non-Microsoft) scanning engines involved in MSE?

NO.

The engine is from the purchase of RAV and was the basis of Live OneCare and is successor
MSE.

Nope. Remove the "and". OneCare and MSE use different anti-virus engines.

Sybari Antigen --.--> Forefront
'--> MSE (via Forefront Client Security)
GeCAD RAV -----> OneCare

Microsoft acquired Sybari Software Inc, a Romanian firm with NY offices, in
June 2005. With the acquisition, Microsoft acquired the Antigen line of
security products which got renamed to the Forefront product line and became
the basis for Microsoft's family of enterprise-level security products.

See: http://www.microsoft.com/presspass/press/2005/feb05/02-08SybariPR.mspx
http://en.wikipedia.org/wiki/Microsoft_Security_Essentials

Microsoft purchased the Reliable AntiVirus (RAV) product from GeCAD, another
Romanian firm (Bucharest) but which continues to exist as its own company,
in June 2003. Users had to wait another 2 years before RAV showed up in the
summer of 2005 in a beta version of OneCare.

See: http://www.microsoft.com/presspass/press/2003/jun03/06-10gecadpr.mspx
http://en.wikipedia.org/wiki/Onecare

Both were acquisitions of or purchases from Romanian companies. I didn't
find out how much Microsoft paid to acquire Sybari and what they paid to buy
the RAV product. Antigen was a suite of enterprise-level security solutions
that became the Forefront family line with its Forefront Client Security
desktop agent going into MSE. RAV was a end-user security solution and went
into OneCare (and looks to have died there).
 
David H. Lipman said:
From: "FromTheRafters" <erratic @nomail.afraid.org>



| I read in some blurb about MSE that the scanning system is based on
the
| same one in Forefront. Then I read some blurb about Forefront's
scanning
| being based on the AntiGen system, then found this:

| =====================
| Q. What antivirus scan engines are included with Antigen?
| A. Antigen products support multiple scan engines from
industry-leading
| vendors. Below is a chart of what scan engines are available with
each
| product.
| Microsoft Antigen for Exchange

| Microsoft, CA InoculateIT, CA Vet, Norman, Sophos
| =====================

| I musta taken a wrong turn somewhere - are there multiple (and
| non-Microsoft) scanning engines involved in MSE?

NO.

The engine is from the purchase of RAV and was the basis of Live
OneCare and is successor
MSE.

Well then, lets hope it can live up to mediocre. :o)
 
From: "VanguardLH" <[email protected]>


| Nope. Remove the "and". OneCare and MSE use different anti-virus engines.

| Sybari Antigen --.--> Forefront
| '--> MSE (via Forefront Client Security)
| GeCAD RAV -----> OneCare

| Microsoft acquired Sybari Software Inc, a Romanian firm with NY offices, in
| June 2005. With the acquisition, Microsoft acquired the Antigen line of
| security products which got renamed to the Forefront product line and became
| the basis for Microsoft's family of enterprise-level security products.

See:: http://www.microsoft.com/presspass/press/2005/feb05/02-08SybariPR.mspx
| http://en.wikipedia.org/wiki/Microsoft_Security_Essentials

| Microsoft purchased the Reliable AntiVirus (RAV) product from GeCAD, another
| Romanian firm (Bucharest) but which continues to exist as its own company,
| in June 2003. Users had to wait another 2 years before RAV showed up in the
| summer of 2005 in a beta version of OneCare.

See:: http://www.microsoft.com/presspass/press/2003/jun03/06-10gecadpr.mspx
| http://en.wikipedia.org/wiki/Onecare

| Both were acquisitions of or purchases from Romanian companies. I didn't
| find out how much Microsoft paid to acquire Sybari and what they paid to buy
| the RAV product. Antigen was a suite of enterprise-level security solutions
| that became the Forefront family line with its Forefront Client Security
| desktop agent going into MSE. RAV was a end-user security solution and went
| into OneCare (and looks to have died there).

I'm not convinced. As far as I know there is only ONE Microsoft AV engine and ONE set of
signatures and that was OneCare and is now MSE. Perhaps something else is the engine for
MS MRT.

I have a couple of contacts to ping. I will look into this.
 
From: "VanguardLH" <[email protected]>

UPDATE:

The same engine is used in ALL; Malicious Software Removal Tool, OneCare and Security
Essentials.
However, The signature sets are not necessarily the same.

I was told "...it's not exactly the GeCAD RAV engine any longer - the code has evolved..."
:-)

This is a DEFINITIVE answer.
 
David said:
From: "VanguardLH" <[email protected]>

UPDATE:

The same engine is used in ALL; Malicious Software Removal Tool, OneCare
and Security Essentials. However, The signature sets are not necessarily
the same.

I was told "...it's not exactly the GeCAD RAV engine any longer - the
code has evolved..."
: -)

This is a DEFINITIVE answer.

From who? That's not your answer. You were told by someone else. If
they're willing to be held accountable for their claim, where did they
publish it?

Where did Sybari's code go? Where did GeCAD's code go? Did they get mixed
together? Did one of them get tossed and just used one of them? Is it an
engine with Sybari and GeCAD code mixed together? What does "evolved" mean?

Your "definitive" answer is more cloudy than anyone guesses have been prior
or based on published articles describing the ForeFront, MSE, and OneCare
products. Your "source" gave a response that cannot be verified, has no
supporting evidence, and won't even expose themself to be held accountable
for their claim. Sorry, David, I don't buy it.
 
From: "VanguardLH" <[email protected]>


| From who? That's not your answer. You were told by someone else. If
| they're willing to be held accountable for their claim, where did they
| publish it?

| Where did Sybari's code go? Where did GeCAD's code go? Did they get mixed
| together? Did one of them get tossed and just used one of them? Is it an
| engine with Sybari and GeCAD code mixed together? What does "evolved" mean?

| Your "definitive" answer is more cloudy than anyone guesses have been prior
| or based on published articles describing the ForeFront, MSE, and OneCare
| products. Your "source" gave a response that cannot be verified, has no
| supporting evidence, and won't even expose themself to be held accountable
| for their claim. Sorry, David, I don't buy it.

I can't tell you whom it came from specifically. All I can say is it came from a high
positioned person in Microsoft. Someone I have communicated with since just before MS
AntiSpyware became Windows Defender.

You may choose to not believe me or "buy it" but, what I relayed is a fact coming from
somone with real inside knowledge.

As for the evolution concept from the GeCAD '03 roots, I did not press my contact.
 
Back
Top