Microsoft Security Essentials scan time


fivealive

So I turned my computer on and told MSE to update and run a scan, and I noticed that after 2 minutes it had burned through almost 250,000 files. Generally a scan takes about 13 minutes to complete on my computer; it's now doing it in half the time, which is great, but it concerns me why it's doing it so fast when nothing on the computer has changed.


Hello fivealive,

One wonders if the MSE scan engine would have been "souped up" via a very recent update. If I were you, I'd be posing your question on the MS Answers forum for MS Security Essentials:

http://answers.microsoft.com/en-us/protect/forum/protect_scanning

The "regulars" there may have a better clue.

Cheers.


I was running a full scan. I will admit I generally don't watch the scan, but I took longer than normal to close the program, so as I went to close it I noticed how quickly it was burning through the files.

The computer is like 4 months old; got it back in December. Maurice, you could be correct, I had just updated the program.


@fivealive & goldhound

What are your version details on MSE?

Here is mine

Security Essentials Version: 2.1.1116.0

Antimalware Client Version: 3.0.8402.0

Engine version: 1.1.8202.0

Antivirus definition: 1.123.664.0

Antispyware definition: 1.123.664.0

On an old Compaq laptop, Win XP (2 GB RAM) a quick scan with MSE took about 9 minutes.


My version details are as follows:

Security Essentials Version: 2.1.1116.0

Antimalware Client Version: 3.0.8402.0

Engine Version: 1.1.8202.0

Antivirus definition: 1.123.664.0

Antispyware definition: 1.123.664.0

Network Inspection System Engine Version: 2.0.8001.0

Network Inspection System Definition Version: 11.0.0.0


You are current, then.

Per "rhab" on MS Answers, the version #s I listed are the current ones (at the current time).

In addition, he provides the following resources.

Antimalware Engine Notifications

http://blogs.technet...0-mar-2012.aspx

Antimalware Engine 1.1.8202.0 is released to all Microsoft Security Essentials and Forefront Client Security, Forefront Endpoint Protection, Windows Intune Endpoint Protection customers on 20 Mar 2012. Signature package 1.123.0.0 is the first that contains this engine.

Microsoft Malware Protection Center-Definition Change Log

http://www.microsoft.com/security/portal/Definitions/WhatsNew.aspx


You can use a tool such as tasklist.exe (command line tool built into Windows) to see what modules are loaded under rundll32.exe. It is an application used for running DLLs as processes (executables) and is an essential system component.

For info on how to use tasklist, just open a command prompt (START, then type cmd and press Enter) and type tasklist /? and press Enter.


Dynamic Link Libraries (DLL files) are executables that have a series of functions. There are a few ways they are loaded...

1. An EXE file calls a routine from that DLL, and the EXE will load that DLL into memory and use said routines.

2. Register the DLL into the system, such as: regsvr32.exe mydllname.dll

3. Run the DLL by loading RUNDLL32.EXE and load the DLL routine, such as: rundll32 mydllname.dll,myroutine

RUNDLL32.EXE is a legitimate OS file and is found in c:\windows\system32. If RUNDLL32.EXE is executed from a different location, it is probably malware.


Well, infections (and MANY other programs) can certainly use rundll32 in order to execute, but that doesn't make rundll32.exe in and of itself a risk. You can actually learn a lot about how it works by looking at the modules loaded under its process (as described by myself and David above). I just don't recommend trying to terminate anything or unload any modules, but there's certainly no harm in looking.


So I ran tasklist and this is what I found:

rundll32.exe 1492 ntdll.dll, kernel32.dll, KERNELBASE.dll,
                  USER32.dll, GDI32.dll, LPK.dll, USP10.dll,
                  msvcrt.dll, imagehlp.dll, IMM32.DLL,
                  MSCTF.dll, nvinitx.dll, ADVAPI32.dll,
                  sechost.dll, RPCRT4.dll, shell32.dll,
                  SHLWAPI.dll, uxtheme.dll, dwmapi.dll,
                  ole32.dll, CRYPTBASE.dll, CLBCatQ.DLL,
                  OLEAUT32.dll, CRYPTSP.dll, rsaenh.dll,
                  RpcRtRemote.dll, actxprxy.dll, comctl32.dll

No clue what any of it means.


Well, all of those DLLs are loaded by RunDLL32.exe. If you wish, you may do some research as to what each file is. I suggest using a search engine, though not all results will be reliable (some sites simply say that any file you search for is or could be an infection, even when the file you're searching for is a perfectly safe system file).

The following sites are reputable and will let you know info about each DLL, and if a file is listed, that means that a file by that name exists within a default installation of the operating system:

Windows 7 DLL File Information

Windows XP DLL File Information


So here's a list of DLL files that aren't listed on that site:

nvinitx.dll

And doing a search for the file on my computer and opening up its properties brings up the digital signature as belonging to NVIDIA, which makes sense since one of my graphics cards is an NVIDIA card.

Thanks for all the help, exile. I'm learning quite a bit by doing this, thank you.

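The three checks walked through in this thread (where rundll32.exe is running from, which modules are loaded under it, and who signed each module) can be done in one read-only PowerShell pass. This is an added example, not part of any post above; the SysWOW64 location and the helper name Test-Rundll32Location are assumptions added here.

```powershell
# Added example: inspect every running rundll32.exe. Read-only, nothing is
# terminated or unloaded. Run from an elevated 64-bit PowerShell for full results.

# System32 is the location named in the thread. SysWOW64 is added here because
# it holds the 32-bit copy of rundll32.exe on 64-bit Windows.
$expectedDirs = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'SysWOW64')
)

# Hypothetical helper: true only when the image sits in an expected directory.
function Test-Rundll32Location {
    param([string]$ImagePath)
    if ([string]::IsNullOrEmpty($ImagePath)) { return $false }
    $dir = Split-Path -Path $ImagePath -Parent
    return [bool]($expectedDirs | Where-Object { $_ -ieq $dir })
}

$procs = @(Get-Process -Name rundll32 -ErrorAction SilentlyContinue)
if ($procs.Count -eq 0) { Write-Output 'No rundll32.exe process is running.' }

foreach ($proc in $procs) {
    # Path is empty when the process cannot be opened (insufficient rights);
    # that is reported as "False" here and needs a re-run as administrator.
    $ok = Test-Rundll32Location -ImagePath $proc.Path
    Write-Output ("PID {0}  {1}  expected location: {2}" -f $proc.Id, $proc.Path, $ok)

    try { $modules = @($proc.Modules) }
    catch {
        Write-Warning "PID $($proc.Id): cannot read modules ($($_.Exception.Message))"
        continue
    }

    # Same module list tasklist shows, plus the signature status of each file.
    # Windows system DLLs are often catalog-signed; older PowerShell versions
    # report those as NotSigned, so treat NotSigned as "look closer", not a verdict.
    $modules | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FileName
        [pscustomobject]@{
            Module = $_.ModuleName
            Status = $sig.Status
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Path   = $_.FileName
        }
    } | Sort-Object Status, Module | Format-Table -AutoSize
}
```

A third-party module such as nvinitx.dll should show up with a Valid status and its vendor in the Signer column, which matches what the file's Properties dialog reports.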
