Why did Microsoft Security Essentials Knowingly Allow a Virus?
I started my computer and was notified of updates. The updates were Microsoft Silverlight 6.0MB and Microsoft Security Essentials. I updated. I shut down my computer and went to work. I came back and started my computer and received a popup that Java failed to start, click here to fix. It was only through quick thinking and experience that I avoided a disaster. I shut down my computer and restarted in safe mode with networking.

I opened MSE and the virus was listed in the history and the action taken was allowed. Allowed, my settings are Quarantine for all 4 levels. How can MSE allow a virus when it knows it is a virus? I did a full scan and MSE said No threats were found. No threats, it is a Virus! Since the virus was listed in History in all detected items there is no option to remove it. It was not listed in Quarantined or Allowed. I went to OneCare Safety Scanner, No help there also!

I did a system restore (which might not have worked had I let the virus scan my computer). I have always said system restore is last option. I have fixed every problem to date and never used system restore before. I volunteer on Microsoft TechNet and Microsoft Answers forums and this is my very first question. My system log below shows the virus. My blood is boiling over!!!!!!!!

Log Name: System
Source: Microsoft Antimalware
Date: 14/02/2011 6:12:37 PM
Event ID: 1116
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Computer: Removed for security
Description:
Microsoft Antimalware has detected malware or other potentially unwanted software.
For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=37020&name=Rogue:Win32/FakeRean&threatid=2147607809
Name: Rogue:Win32/FakeRean
ID: 2147607809
Severity: Severe
Category: Trojan
Path: process:_pid:3920
Detection Origin: Unknown
Detection Type: Heuristics
Detection Source: System
User: NT AUTHORITY\SYSTEM
Process Name: C:\Users\Removed for security\AppData\Roaming\defender.exe
Signature Version: AV: 1.97.1671.0, AS: 1.97.1671.0, NIS: 9.1.0.0
Engine Version: AM: 1.1.6502.0, NIS: 2.0.5854.0

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft Antimalware" />
    <EventID Qualifiers="0">1116</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2011-02-14T23:12:37.000Z" />
    <EventRecordID>34500</EventRecordID>
    <Channel>System</Channel>
    <Computer>Removed for security</Computer>
    <Security />
  </System>
  <EventData>
    <Data>%%860</Data>
    <Data>3.0.8107.0</Data>
    <Data>{79A27CE3-F762-45FC-8CD8-B95DF3C298F4}</Data>
    <Data>2011-02-14T23:12:07.157Z</Data>
    <Data> </Data>
    <Data> </Data>
    <Data>2147607809</Data>
    <Data>Rogue:Win32/FakeRean</Data>
    <Data>5</Data>
    <Data>Severe</Data>
    <Data>8</Data>
    <Data>Trojan</Data>
    <Data>http://go.microsoft.com/fwlink/?linkid=37020&amp;name=Rogue:Win32/FakeRean&amp;threatid=2147607809</Data>
    <Data>1</Data>
    <Data> </Data>
    <Data>1</Data>
    <Data>2</Data>
    <Data>%%820</Data>
    <Data>C:\Users\Removed for security\AppData\Roaming\defender.exe</Data>
    <Data>NT AUTHORITY\SYSTEM</Data>
    <Data> </Data>
    <Data>process:_pid:3920</Data>
    <Data>0</Data>
    <Data>%%844</Data>
    <Data>3</Data>
    <Data>%%848</Data>
    <Data>1</Data>
    <Data>%%821</Data>
    <Data>0</Data>
    <Data>9</Data>
    <Data>%%887</Data>
    <Data> </Data>
    <Data>0x00000000</Data>
    <Data>The operation completed successfully. </Data>
    <Data> </Data>
    <Data>0</Data>
    <Data>0</Data>
    <Data>No additional actions required</Data>
    <Data> </Data>
    <Data> </Data>
    <Data>AV: 1.97.1671.0, AS: 1.97.1671.0, NIS: 9.1.0.0</Data>
    <Data>AM: 1.1.6502.0, NIS: 2.0.5854.0</Data>
  </EventData>
</Event>
February 14th, 2011 9:43pm

The same thing happened to me. I also had to do a system restore. I don't understand why MSE says that it should be removed, yet it allows it. td
February 15th, 2011 10:06pm

I too am having a problem with MSE allowing things that are detected. Under Settings, Default Actions, all four alert levels are set to Remove. However, occasionally I'll check the History tab and see that I have detected items listed and the action taken section says ALLOWED. How can this be?
April 10th, 2011 12:04pm

This topic is archived. No further replies will be accepted.
