MSRT Reconsidered

Microsoft's Malicious Software Removal Tool (MSRT) is a standalone scanner designed to detect and remove prevalent threats. It is updated monthly, and is pushed as an important update every "Patch Tuesday". Whether downloaded via Automatic Updates, or manually from WU or MSU, it always runs silently in the background while doing its thing.

When the detection and malware removal process is complete, the tool displays a report describing the outcome, including which, if any, malware was detected and removed.

Microsoft says "Because computers can appear to function normally when infected, it's a good idea to run this tool regularly even if your computer seems to be fine." To run an MSRT on-demand scan (as opposed to the monthly one-time scan), you will have to download the latest version from the Microsoft Download Center:
http://go.microsoft.com/fwlink/p/?LinkId=40587

My problem with MSRT is that I don't like programs working in the background that silently delete whatever they detect. Not even if they notify me after the fact. I've seen enough problems with false positive detections from just about every AV and security scanner I've used. Some of these FPs have been system wreckers, when system - critical files were automatically deleted or quarantined. Which is why I always configure them to alert me only to detections, not to quarantine or delete.

I can't believe MS is immune to FPs with its various security scanners, including MSRT. I would also note the spate of faulty patches issued by WU/MSU in recent times. They do not inspire confidence. And I have to question the assertion that infected computers can appear to run normally even when infected. I have never run regular on-demand scans by any of my security programs when my system is working well, and have never regretted this approach.

My current practice is to download MSRT monthly from the Microsoft Download Center, and save running it for a "rainy day" if and when my system is acting up. I note that in doing so MS currently tries to bundle (with pre-checked options as default) an MSN default homepage & a Bing default search engine with MSRT. These options have nothing to do with security, and I always uncheck them. I also now only run MSRT  from a command prompt: mrt.exe /N. This should result in a "Notify only" scan. Yet during the Quick scan I am still informed that anything detected will be removed. A Full scan by MSRT (which can take up to several hours) does indicate that only detected malware will be reported, and makes no mention of removal. So I don't know what to believe.

In defense of MSRT, I have to admit it has never detected/removed anything on my systems. And I'm not aware of any significant FPs reported elsewhere. That said, to me it has become a bit of a nuisance, a waste of 5-6 minutes for even a "quick scan", with a potential downside. I used to run MSRT religiously every month, but no more.

As always, I'm open to other insights/opinions, especially from the malware removal experts. (I can't help but notice that MSRT does not figure prominently in the removal tools recommended in the malware removal forum. Since MSRT provides no real-time protection, I once again question the usefulness of running it at all).

Some of your facts and perceptions are inaccurate. First, the little stuff - if you look in the link you provided, MSRT runs on the second Tuesday of each month. But "Patch Tuesday", which is not an official Microsoft term by the way, frequently occurs on more than one Tuesday in a month.

More importantly, MSRT is NOT like other scanners that look for thousands of different threats AND "patterns" AND "behaviors" that may indicate some new unknown threat or malicious activity. That is where the majority of FPs come from. MSRT does NOT do that. It looks for a very small, finite number of known threats, then applies specific fixes for them, if it finds any. So the risk of false positives is very remote. And as you yourself noted, MSRT hasn't found any on your systems.

My problem with MSRT is that I don't like programs working in the background that silently delete whatever they detect.

While in general, I feel the same way, but I think you are being overly critical of this tool and you are perhaps, tainted by ancient history and incidents of other tools. Again, MSRT looks for specific malware, thus is not likely to make a mistake. I would never say never, but it is very remote. It has never happened on any of the systems I am responsible for either.

You say you don't like programs running in the background so you run it manually, then complain it wastes your time. That's not really fair. If you just let it run with its defaults, little of your time will "wasted". And frankly, "wasted" is hardly accurate either, IMO. Just because a security program does not find anything, that does not mean the time is wasted - any more than heath insurance for healthy people is wasted money.

And BTW, even on my slowest system using a HD, it only takes about 4 minutes for the quick scan. I just ran it on this SSD based system and it took 1 min and 1 second - when run from the site. But even with large HDs, is 6 minutes out the 43,200 minutes each month really a that big a wastes of your time to know your system is clean?

And your comment that it can take hours for the full scan is hardly fair either. Have you run MBAM's full scan?

TBH, I don't like scanners to automatically delete things they find either. So like you, my real time scanners are set to alert me if they find something. But again, that is because those real time scanners are also looking for unknowns and "suspicious behaviors". Plus, my 3rd party scanners rely on what they think a Microsoft file should look like - based on their signature/definition files at the time of the scan. MSFT is always current and MS knows what their files look like.

I don't even let WU automatically install updates on MY systems. BUT I do recommend "normal" users keep WU in its default settings - which is to automatically download and install. Note if that were a problem today with W7/8/10 systems, there would be 10s of millions of broken computers every "Update Tuesday" - but that is not happening. Remember, W7/8/10 are NOT XP! Yes, occasionally someone has a problem with an update, but those are rare exceptions and exceptions don't make the rule.

Yeah, MSFT prompts to make Bing your default search engine and home page - you cannot single out Microsoft for doing that. All programs do that these days - even products you pay for! And MS provides a very easy opt-out option. And in any case, if you miss those opt-out options, it does NOT suddenly install unwanted toolbars, downloaders, or other junk on your system. Any changes can readily be undone.

Now for my biggest concern about your comments and that is this MAJOR misconception:

I have to question the assertion that infected computers can appear to run normally even when infected

If you truly believe that an infected computer MUST exhibit symptoms of infection, then you, sadly, don't understand the security threats malware presents. The fact of the matter is, it is a primary goal of the creators of much of the malware created today to remain undetected while it does it dirty deeds, or while it remains dormant until activated at a later date. And these malicious code writers are very good at doing just that!

And understand some of those dirty deeds are NOT to disrupt your computing tasks, or steal your bank accounts and passwords, but to draft your computer into the badguy's bot army then use your computer (and IP address) to participate in distributing spam or in a DDoS attack on others. All without you, the user, ever knowing anything is going on.

Some may consider me a computer expert. And in fact, I've had a very long career supporting "secure" communications networks, so I feel confident I know how to "practice safe computing" to keep from getting infected. But I will not pretend for a second I am smarter than the badguys (or the Microsoft experts) and I will continue to run MSRT every month.

I used to run MSRT religiously every month, but no more.

IMO, that is a big mistake. Just because you eat healthy, exercise regularly, get plenty of sleep, don't abuse drugs or alcohol, that does not mean you cannot be hit by a car driven by an uninsured motorist. Six minutes every 30 days is well worth it.

Thanks Digerati:

I can see your duck icon frowning at me!  I was playing Devil's Advocate, and I do appreciate your reply.

1) "Patch Tuesday" is a common, if unofficial term, for the 2nd Tuesday monthly updates. I used it for convenience. I am aware of out-of-band patches on other dates.

2) Obviously, if one uses Automatic Updates to run MSRT, then there is no time wasted, as they will install/run in the background. I choose to avoid automatically installing any software/updates (with some reason, given recent experiences with MS updates), preferring to download/install them manually from WU. And in my experience, MSRT frequently takes the longest of all the updates to install/run silently using this method. That said, downloading and running a quick MSRT on-demand scan takes about the same amount of time for me as from WU, maybe 5-6 minutes. And it seems to take a bit longer every month. This on a fast Win 7/sp1 system, with a reasonably fast internet connection (30/10 Mbps).

I don't have an SSD drive, and probably my 1 TB HDD accounts for my longer scan times. I am always reluctant to use other programs while a scan is in progress, hence my reference to "waste of time". Perhaps I'm too cautious, but 6 minutes/month=1 hour /year.

And yes, I have attempted to run a Full MSRT scan, but abandoned it when the progress bar clearly indicated very little progress after half an hour. It was obvious to me that it would indeed take several hours to complete, as MS had  warned. So I think that comment was entirely fair. As a rule, I only run the quickest on-demand security scans (and even then, rarely), so this did not bother me. By comparison, a Quick HitmanPro scan takes about 90 seconds, an Emsisoft Anti-Malware Quick scan about 30 seconds, an MBAM Hyper Scan about 4.5 minutes, and a Panda Free AV Critical scan about 4 minutes. 

You ask if a 6 minute scan as insurance is worth it. I would say yes, of course, if I knew it was effectively finding and deleting malware that my multiple other layers of security might miss. I have no evidence, after many years of using MSRT, that this is so. I have to take the word of MS, since independent evidence of the efficacy of MSRT is lacking. Unlike AVs and anti-malware programs such as MBAM, it is not subject to independent testing.

3) I appreciate that MSRT is a targeted scanner against specific prevalent threats. I do wonder if it offers additional protection against bots not covered by my real-time AV and MBAM Premium protection, or my other passive layers.

I wasn't really too concerned about the FP potential, given my experience, but it always lurks in the back of my mind.

4) I am sadly aware that most free and paid security programs now bundle non-security junk for marketing purposes. I was not singling out MS in this regard. But the fact remains that it is an obnoxious practice, and one might expect MS to rise above the others. The fact that others do it is not an excuse, IMO. Yes, those changes are easily undone, and it is not like installing the ASK toolbar. But it is a nuisance.

5) I am certainly no computer or security expert, but have never considered myself sadly misinformed as to the threats out there. Including the threat of having my computer pwned by a bot network. I have nothing but respect for MS-MVPs, born of long years of following their advice with success. So if you tell me that my machine might be compromised silently, bypassing my AV, my hardware and software (Outpost Pro) firewalls, MBAM Premium and WinPatrol PLUS real-time protection, and my common sense, then so be it. I would have thought something would show up in one of them, or at least in Task Manager/CPU usage, to indicate something was afoot.

Anyways, thanks again for your thoughts. I don't see MSRT discussed much in the forums I frequent, and it was beginning to annoy me, hence this post.

You ask if a 6 minute scan as insurance is worth it. I would say yes, of course, if I knew it was effectively finding and deleting malware that my multiple other layers of security might miss. I have no evidence, after many years of using MSRT, that this is so. I have to take the word of MS, since independent evidence of the efficacy of MSRT is lacking. Unlike AVs and anti-malware programs such as MBAM, it is not subject to independent testing.

Now wait! If you knew it was finding malware??? You don't run "supplemental" scans (scans above and beyond your regular real-time scanners) with MSRT and the like in the hopes of finding anything. You run them to verify nothing got by your regular scanners and you, the user, and always weakest link. When I run a manual scan, I expect nothing to be found and I would be quite upset if MSRT found anything. So instead of criticizing MSRT for finding nothing, you should be relieved and happy it found nothing! I am!

Clearly, you are more security aware and disciplined at practicing safe computing than others. And that's great! :) But I suspect MSRT is finding threats on many of their systems - otherwise MS would stop expending $millions in resources on it.

These badguys are smart, relentlessly persistent, and always one-step ahead of the goodguys. We are and must be ALWAYS on the defensive. None of us should assume our security "defenses" and common sense are infallible. And I emphasize "defenses" because we can't really be offensive - we can only "react" to what is inevitably and relentlessly being thrown at us.

You also seem to be forgetting that millions and millions of computers are NOT single user systems but instead, are used by multiple users in the same household or workplace. And certainly, in many if not most cases, not all users will be as disciplined or "security aware" as the one user who is responsible for the security of those computers. This is especially true if there are invincible, "it can't happen to me", teenagers in the house.

I am sadly aware that most free and paid security programs now bundle non-security junk for marketing purposes. I was not singling out MS in this regard. But the fact remains that it is an obnoxious practice, and one might expect MS to rise above the others. The fact that others do it is not an excuse, IMO. Yes, those changes are easily undone, and it is not like installing the ASK toolbar. But it is a nuisance.

NO DOUBT it is an obnoxious, annoying nuisance! But it is not, by any means, just security programs that do it. Virtually any program you download will try to get you to install or upgrade to something else. While I agree the fact others do it is not an excuse, but these companies must get a return on their investment somehow so their employees can feed and shelter their families - and fund further development of the program too. Note that more and more of Microsoft products are now free (including Windows 10!) so they too must keep revenue coming in. So I feel this practice is no more than ads in a newspaper, on TV, or those annoying little post cards that fall out of magazines. And I have accepted that as long as I can easily opt-out, I can live with it.

I have nothing but respect for MS-MVPs, born of long years of following their advice with success. So if you tell me that my machine might be compromised silently, bypassing my AV, my hardware and software (Outpost Pro) firewalls, MBAM Premium and WinPatrol PLUS real-time protection, and my common sense, then so be it.

:( Don't take my comments personally. Sorry if I ruffled your feathers but this has nothing to do with me being an MVP and my comments were not intended to be taken personally.

You simply said, "I have to question the assertion that infected computers can appear to run normally even when infected". That is what I replied to and it IS a well-known, established fact that malware can reside on computers without impacting performance or otherwise being noticed by the user!

You did not say anything about bypassing your regular security, or your common sense! But to that, even the best security possible can easily be defeated if the user opens the door and lets the badguy in. That's why socially engineered methods of malware distribution are so effective. They trick even the most experienced among us with professional, genuine looking emails and webpages into clicking on honest-looking malicious links.

And don't forget that major banks, corporations, insurance companies and government organizations are being compromised right and left and they have true IT security professionals on staff, using very sophisticated security software, hardware based firewalls, etc. Yet still, after-the-fact analysis typically reveals the malware existed on their networks and computers, often for months, before the "payload" was deployed and finally detected.

So do not assume your defenses and common sense is enough. I don't and I feel I know what I am doing too - and I am the sole user of my computers.

I appreciate that MSRT is a targeted scanner against specific prevalent threats. I do wonder if it offers additional protection against bots not covered by my real-time AV and MBAM Premium protection, or my other passive layers.

Only if it is a known threat. Note the MSRT "signature/definition" list is constantly evolving and changes almost every month. You can see the current threats it looks for here.

I don't see MSRT discussed much in the forums I frequent, and it was beginning to annoy me, hence this post.

And I am glad you started it because there clearly are some misconceptions about it. It is a good tool and anyone responsible for a computer that has access to the Internet should keep it in their arsenal, and use it - if for no other reason than to verify nothing got by their real-time security defenses, and common sense.

No feathers ruffled here! I'm just trying to learn. And you have persuaded me to reinstate my MSRT monthly run  again, the nuisance factor notwithstanding.

But mercy! I was not suggesting that I wanted MSRT to detect something on any of my systems just to prove that it worked! None of my many AVs ever detected anything either, for which I'm grateful. But AVs are subject to independent testing, and I can run them on demand to detect only.  I was just grumbling.

In the final analysis, I guess I'll just have to trust that MSRT is working as advertised, and won't delete anything that is system critical.

Again, thanks for your thoughts.

But AVs are subject to independent testing

True, but even those tests are questionable because they don't represent real-world scenarios. Therefore, what is happening is many A/V makers are configuring their scanners to excel in these lab tests to look good. This is why MSE and W8's Windows Defender are still fully capable of protecting us even though Microsoft has announced they will not pursue high test scores. And the evidence MSE/WD works is the lack of infected users. I use MSE on all my W7 systems and WD on my W8 systems.

None of my many AVs ever detected anything either, for which I'm grateful.

That likely means you keep Windows and your security programs updated and avoid risky behavior. All necessary to keep our systems clean - regardless our anti-malware solution of choice.