A Windows XP help forum. PCbanter


Microsoft Malware Protection Command Line Utility



 
 
#1
January 9th 17, 07:14 PM, posted to alt.windows7.general
Bill Bradshaw

Running Windows 7 Pro 32 bit. About once every week the Microsoft Malware
Protection Command Line Utility uploads about 100+ megabytes to my
computer. I am using Microsoft Security Essentials as my antivirus. This
is the only antivirus installed or ever has been installed on the computer.
I have checked the task scheduler and found nothing out of the ordinary.
Anybody have any idea what is being uploaded? I manually update the
security essentials virus definitions every morning when I turn on the
computer so I know they are always up to date.
--
Bill

Brought to you from Anchorage, Alaska


#2
January 9th 17, 08:09 PM, posted to alt.windows7.general
VanguardLH

Bill Bradshaw wrote:

> Running Windows 7 Pro 32 bit. About once every week the Microsoft
> Malware Protection Command Line Utility uploads about 100+ megabytes
> to my computer.

That would be for the signatures database to use when comparing hashes
of the files found on your computer.

Microsoft Windows Malicious Software Removal Tool (MRT)
https://support.microsoft.com/en-us/kb/890830
and
https://en.wikipedia.org/wiki/Malici...e_Removal_Tool

mrt.exe remains local. On my Win7 setup, it is 140KB in size with an
Oct 18 datestamp (probably from when I last enabled BITS and WU service
to do a WU review and update). There is no separate database file. The
sig database is built into the .exe file probably as a huge data block
although hopefully it is encrypted or, at least, hashed to verify that
its contents have not been corrupted or deliberately tampered.

Vipre Rescue comes to mind as another static AV you download and use.
You have to re-download it later to include any new virus sigs in its
database available at that time. I've never used Vipre to know if it
rolls its sig database into its .exe to provide a single and hopefully
protected payload or if it comes as a separate .exe file along with a
separate sig database file.

mrt.exe - Causing concern one a month
http://www.liutilities.com/articles/...ce-in-a-month/

The size is not cumulative. What you download next month replaces what
you downloaded today.

> I am using Microsoft Security Essentials as my antivirus.

That program as well as other anti-virus programs will perform periodic
downloads of their current signature database. Those downloads are in
the background although some AV programs can impact the responsiveness
of the computer during that download and local update of the database.

The standalone normally-once-ran antimalware "update" doesn't have the
luxury of having its own database updater. It doesn't maintain a local
database of file signatures. You download the standalone non-updating
AV program and with whatever is the current sig database at the time of
the "update".

Think of it as a snapshot: just showing the part of the pic for your
head doesn't show where you were, who you were with, what you wore, or
the other details available in the full pic. But that pic is a snapshot
at a particular time, just like the monthly standalone AV "update".

> This is the only antivirus installed or ever has been installed on the
> computer. I have checked the task scheduler and found nothing out of
> the ordinary. Anybody have any idea what is being uploaded? I
> manually update the security essentials virus definitions every
> morning when I turn on the computer so I know they are always up to
> date.

MRT does not replace a good anti-virus program. It's just Microsoft
making sure that some malware may get caught for those users that do not
employ any security software to protect their hosts, or they use really
crappy AVs (even worse than Microsoft's Defender or Security
Essentials).

I'm a bit surprised you were unaware of MRT, it getting pushed monthly,
or what it is or does. You've been around in Usenet under that nym
since 2009.

#3
January 10th 17, 06:48 PM, posted to alt.windows7.general
Bill Bradshaw

I am aware of MRT and I download it as part of the monthly updates I select.
I have been using usenet groups since way before 2009. I do not remember
all my email addresses but I believe the previous one was
. I did not realize the program would download the MRT
signatures on its own. I am using Microsoft Security Essentials as my
antivirus. Thanks for the explanation.
--
Bill

Brought to you from Anchorage, Alaska

#4
January 10th 17, 08:14 PM, posted to alt.windows7.general
VanguardLH

Bill Bradshaw wrote:

> I did not realize the program would download the MRT signatures on its
> own. I am using Microsoft Security Essentials as my antivirus.

I doubt MRT can find anything more, and probably much less, than MSE.
After all, Microsoft is still compiling the sig database for each. It
takes so little to run MRT and a short run that I don't bother hiding
that update but just let it download, run, and, of course, never find
anything since my choice of AV software has better detection coverage.
MRT is just part of Microsoft building their image reputation regarding
security (whether it is effective or not).

I don't think MRT downloads any signatures but rather the sig database
is built into mrt.exe as probably a data block in the code. When it
runs, it probably unrolls the data block into a table or database into
memory hence why it cannot be too big since it runs on some rather
low-end computers. 100MB isn't very large so it only scans for the more
recent and most significant pests.

https://support.microsoft.com/en-us/...ons-of-windows
(short URL: http://tinyurl.com/jz7ep8c)

That says only some of the worst and current pests are detected, not all
of them as would a real AV product.

https://support.microsoft.com/en-us/kb/891717
0x80508002  The signature database is corrupted.
0x8050A005  The signatures are not signed.
0x8050A004  The signatures are not valid or are corrupted.
    Download the Microsoft Windows Malicious Software Removal Tool again
0x80508002  The signature database is corrupted.
0x80508004  The signature database is corrupted.

Sure looks like they want you to [re]download mrt.exe to get the
signature database. Since the product is not an actual on-access
(real-time) AV scanner, it only detects based on signatures, not on
heuristics. It may incorporate some fingerprint checks (traces of
changes made by malware) but I doubt it. Looks to be just a sig
checker.
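
As an added example (not part of any post in this thread): one way to see what a binary on disk claims to be and whether its Authenticode signature still verifies, which is the practical check behind the "not signed" and "corrupted" errors quoted above. The two paths are assumed default install locations and `Get-BinaryTrustReport` is a hypothetical helper name.

```powershell
# Added example. Paths are assumed default locations; adjust for your system.
$candidates = @(
    "$env:windir\System32\MRT.exe",
    "$env:ProgramFiles\Microsoft Security Client\MpCmdRun.exe"
)

function Get-BinaryTrustReport {   # hypothetical helper name
    param([string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) {
            Write-Warning "Not found: $p"
            continue
        }
        $file = Get-Item -LiteralPath $p
        # Verifies the embedded signature against the file's current contents.
        $sig  = Get-AuthenticodeSignature -FilePath $p
        $signer = '(none)'
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        New-Object PSObject -Property @{
            Path        = $file.FullName
            Description = $file.VersionInfo.FileDescription  # name shown by firewalls and task lists
            Version     = $file.VersionInfo.FileVersion
            SizeKB      = [math]::Round($file.Length / 1KB)
            Modified    = $file.LastWriteTime
            SigStatus   = $sig.Status                         # Valid, NotSigned, HashMismatch, ...
            Signer      = $signer
        }
    }
}

Get-BinaryTrustReport -Path $candidates |
    Select-Object Path, Description, Version, SizeKB, Modified, SigStatus, Signer |
    Format-List
```

The Description field is the name that network monitors display for the process, so it shows which file is actually doing the transfer; a SigStatus other than Valid means the file on disk does not match what was signed.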
 



