A reader (thanks Joe D.) shared with us his recent experience with the Microsoft Windows Malicious Software Removal Tool after the latest update (July).
The tool requires administrative privileges during the initial installation, but once the license agreement has been accepted it can run as an unprivileged user from then on.
From the release notes:
"You must accept the Microsoft Software License Terms. The license terms are only displayed for the first time that you access Automatic Updates.
Note After you accept the one-time license terms, you can receive future versions of the Malicious Software Removal Tool without being logged on to the computer as an administrator."
It appears that some component of the Agreement may have changed in this latest update, which requires an administrative user to launch the tool and accept the new agreement. Some users may not be aware of this and may be under the false impression that the tool is running on a schedule as expected.
So now would be a good time to double check that the Malicious Software Removal Tool is in fact running on your machine(s) as expected. In fact, now is a good time to review any security software in general that is expected/required to be running on your systems and determine that it is in fact running. Any number of updates, misconfigurations, network huffage, or even better/worse, malicious action could have disabled various programs or prevented them from running.
Many flavors of malware will search for and shut down or disable most of the common personal firewall and anti-virus/anti-spyware tools. Even more difficult to audit are those malicious programs which simply modify the firewall settings to allow the ports they need to be open.
Here is the link to details on the tool:
This KB has some useful information for determining that the tool is running (especially in a large environment):
"A2. You can examine the value data for the following registry entry to verify the execution of the tool. You can implement such an examination as part of a startup script or a logon script. This process prevents the tool from running multiple times.
Entry name: Version
Every time that the tool is run, the tool records a GUID in the registry to indicate that it has been executed. This occurs regardless of the results of the execution."
So for the latest update the GUID is:
July 2008 BC308029-4E38-4D89-85C0-8A04FC9AD976
This may also help determine that the tool is being updated.
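The check the KB describes, written out as an added logon/startup-script example (not from the KB or from Microsoft): it reads the Version value, compares it to the GUID of the current release, and distinguishes "never run" from "ran, but with an older release". The registry key path is taken from the KB article and should be confirmed against its current text (the page above only names the Version value); the central log path is a placeholder.

```powershell
# Added example: verify that the Malicious Software Removal Tool has run with the
# current month's release, using the Version GUID the tool records in the registry.
# Assumptions: $MrtKey is the key path from the KB article (confirm before deploying);
# $ExpectedGuid is the July 2008 GUID quoted above and must be updated each month;
# $LogPath is a placeholder for wherever you collect results from many machines.
param(
    [string]$ExpectedGuid = 'BC308029-4E38-4D89-85C0-8A04FC9AD976',
    [string]$MrtKey = 'HKLM:\SOFTWARE\Microsoft\RemovalTools\MRT',  # assumed, see lead-in
    [string]$LogPath = '\\server\share\mrt-status.log'          # placeholder location
)

function Get-MrtStatus {
    param([string]$Key, [string]$Expected)

    # Missing key or value means the tool has never completed a run on this machine.
    $item = Get-ItemProperty -Path $Key -Name 'Version' -ErrorAction SilentlyContinue
    if (-not $item) {
        return [pscustomobject]@{ Status = 'NEVER_RUN'; Recorded = $null }
    }

    # Normalise the stored GUID (strip braces if present) before comparing.
    $recorded = ([string]$item.Version).Trim('{}')
    if ($recorded -ieq $Expected) {
        $status = 'CURRENT'   # ran with the release we expect
    } else {
        $status = 'STALE'     # ran at some point, but not with the latest release
    }
    return [pscustomobject]@{ Status = $status; Recorded = $recorded }
}

$result = Get-MrtStatus -Key $MrtKey -Expected $ExpectedGuid
$line = '{0} {1} {2} recorded={3} expected={4}' -f (Get-Date -Format s), `
    $env:COMPUTERNAME, $result.Status, $result.Recorded, $ExpectedGuid

# Append one line per machine to the shared log; keep going if the share is unreachable.
Add-Content -Path $LogPath -Value $line -ErrorAction SilentlyContinue
Write-Output $line

# Non-zero exit lets a scheduler or deployment system flag machines needing attention.
if ($result.Status -ne 'CURRENT') { exit 1 }
```

A STALE result on a machine that previously reported CURRENT is the symptom described above: the tool stopped updating, most likely because the new license terms are waiting for an administrator to accept them.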
ISC Handler on Duty