• Microsoft Security Essential Uploads

    From Bill Bradshaw@1:396/4 to All on Mon Mar 6 19:40:04 2017
    From: "Bill Bradshaw" <bradshaw@gci.net>

    Running Windows 7 Pro with Microsoft Security Essentials. Every once in a while the Microsoft Malware Protection Command Line Utility uploads over 100 megs to this computer. Unfortunately I have not been keeping track of the dates this happens but have now started to see if there is a pattern to the dates. I manually check every morning to confirm the virus definitions have been updated (this usually involves a couple of megs). I have also gone through the task scheduler to see if there is something I would recognize that would be doing this without finding anything obvious to me. Anybody have any idea what is going on? This is probably harmless but I still want to understand it.
    --
    <Bill>

    Brought to you from Anchorage, Alaska


    --- NewsGate v1.0 gamma 2
    * Origin: News Gate @ Net396 -Huntsville, AL - USA (1:396/4)
  • From VanguardLH@1:396/4 to All on Tue Mar 7 04:42:52 2017
    From: VanguardLH <V@nguard.LH>

    Bill Bradshaw wrote:

    > Every once in a while the Microsoft Malware Protection Command Line
    > Utility

    This one?

    MpCmdRun.exe

    It is a cleanup tool. You'll find it has one, or more, events defined
    in Task Scheduler. It has the following commands (with hyphen prefix):

    -Scan
    -Trace
    -GetFiles
    -RemoveDefinitions
    -SignatureUpdate          <---.
    -Restore                      |
    -AddDynamicSignature          |
    -ListAllDynamicSignature      |
    -RemoveDynamicSignature       |
    -EnableIntegrityService       |
    -SubmitSample                 |
                                  |
    > ... uploads ...             |
                                  |
    downloads --------------------'

    > ... over 100 megs to this computer.

    It employs a signature database as do most anti-virus programs.

    https://technet.microsoft.com/en-us/library/gg131918.aspx

    Run mpcmdrun (without any arguments) in a command shell to see its own
    help on how to use it.

    http://www.addictivetips.com/windows-tips/command-line-utility-mpcmdrun-exe-microsoft-security-essentials/
    http://www.windowscentral.com/how-use-windows-defender-command-prompt-windows-10
  • From Bill Bradshaw@1:396/4 to All on Tue Mar 7 17:50:44 2017
    From: "Bill Bradshaw" <bradshaw@gci.net>

    Thanks for your response. I have run this program from the command prompt.
    Is the signature update different from updating the virus definitions from within MSE Update? I guess basically I am asking are there 2 database(?) files involved because I know the definitions get updated every morning because I do it manually as my first step after turning on the computer.
    --
    <Bill>

    Brought to you from Anchorage, Alaska
  • From VanguardLH@1:396/4 to All on Wed Mar 8 05:29:40 2017
    From: VanguardLH <V@nguard.LH>

    Bill Bradshaw wrote:

    > Thanks for your response. I have run this program from the command
    > prompt. Is the signature update different from updating the virus
    > definitions from within MSE Update? I guess basically I am asking are
    > there 2 database(?) files involved because I know the definitions get
    > updated every morning because I do it manually as my first step after
    > turning on the computer.

    The GUI frontend probably checks status to determine if the database
    file is newer than the last retrieved database. I haven't used the
    command-mode mpcmdrun tool to know if it bypasses the download by first
    checking if the database's datestamp is newer than the local one's
    datestamp.

    The -SignatureUpdate switch can take additional arguments on the command
    line. The only one that I know about is the -unc argument which
    specifies an alternate path to a definition file using a UNC; see
    https://en.wikipedia.org/wiki/Path_(computing)#Uniform_Naming_Convention.
    Sometimes users will download the definition file and then use mpcmdrun
    to use that one. For example, they may disable auto-update and decide
    when to update using the downloaded def file and either run mpcmdrun
    themselves or have it as a scheduled task.

    If you run "mpcmdrun.exe -signatureupdate" in a command shell, what do
    you see for its console output? Do an update, then follow with
    another update. Does it just go ahead and push in the same update or
    does it notify you that the database is already up to date?
  • From Bill Bradshaw@1:396/4 to All on Wed Mar 8 18:23:22 2017
    From: "Bill Bradshaw" <bradshaw@gci.net>

    It just reports the signature file is up to date no matter how many times I run it. I am wondering if this may have something to do with the Network Inspection System definitions.
    --
    <Bill>

    Brought to you from Anchorage, Alaska
  • From VanguardLH@1:396/4 to All on Thu Mar 9 11:11:44 2017
    From: VanguardLH <V@nguard.LH>

    Bill Bradshaw wrote:

    > It just reports the signature file is up to date no matter how many
    > times I run it. I am wondering if this may have something to do with
    > the Network Inspection System definitions.

    Probably have to wait until Microsoft actually has a newer signature
    database file to upload.

    If you want, you can manually download and install the sig updates from:

    https://support.microsoft.com/en-us/help/971606/how-to-manually-download-the-latest-definition-updates-for-microsoft-security-essentials

    Until there is a new version, doing this over and over is a waste of
    bandwidth, time, and CPU cycles. Alas, their KB article and download
    links don't provide version information.

    http://www.techspot.com/downloads/5247-microsoft-security-essentials-definition-update.html

    That announced a new sig (definition) update just today. Is that the
    one the GUI frontend to MSSE reports to you? After you use mpcmdrun
    with the -signatureupdate switch, is the version any different in the
    GUI frontend for MSSE?
  • From Bill Bradshaw@1:396/4 to All on Thu Mar 9 18:23:24 2017
    From: "Bill Bradshaw" <bradshaw@gci.net>

    The command line utility ran again today and added 10 megabytes. You noticed a change and the command line ran again. I will start recording version numbers along with dates. I ran mpcmdrun and it reported no updates needed.

    With your help we seem to have isolated it to MSE and updates.
    --
    <Bill>

    Brought to you from Anchorage, Alaska
    --- NewsGate v1.0 gamma 2
    * Origin: News Gate @ Net396 -Huntsville, AL - USA (1:396/4)
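
The record-keeping discussed in this thread (noting version numbers with dates, and comparing versions before and after `mpcmdrun.exe -signatureupdate`) can be scripted; the PowerShell below is an added example, not code posted by anyone in the thread. It assumes MSE's default install folder and the "Microsoft Antimalware" registry key for version strings (check both on your machine), and the log file name is hypothetical.

```powershell
# Added example (not from the thread). Logs MSE definition versions before and
# after a manual signature update so large downloads can be matched to changes.
# Assumed, verify locally: MSE's default install folder and its
# "Microsoft Antimalware" registry key. The log file name is hypothetical.
$MpCmdRun = Join-Path $env:ProgramFiles 'Microsoft Security Client\MpCmdRun.exe'
$SigKey   = 'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates'
$LogFile  = Join-Path $env:USERPROFILE 'mse-signature-log.csv'

function Get-SignatureVersions {
    # Read the version strings for each definition set from the registry.
    $p = Get-ItemProperty -Path $SigKey -ErrorAction Stop
    New-Object PSObject -Property @{
        AV     = $p.AVSignatureVersion    # virus definitions
        AS     = $p.ASSignatureVersion    # spyware definitions
        NIS    = $p.NISSignatureVersion   # Network Inspection System definitions
        Engine = $p.EngineVersion
    }
}

if (-not (Test-Path $MpCmdRun)) { throw "MpCmdRun.exe not found at $MpCmdRun" }

$before = Get-SignatureVersions
$output = & $MpCmdRun -SignatureUpdate 2>&1   # console text is kept for review
$exit   = $LASTEXITCODE
$after  = Get-SignatureVersions

# Flag which definition set, if any, actually changed during this run.
$changed = @()
foreach ($name in 'AV', 'AS', 'NIS', 'Engine') {
    if ($before.$name -ne $after.$name) { $changed += $name }
}
if ($changed.Count -eq 0) { $changed = @('none') }

if (-not (Test-Path $LogFile)) {
    Set-Content $LogFile 'Timestamp,AV_Before,AV_After,NIS_Before,NIS_After,Engine_After,Changed,ExitCode'
}
$row = '{0},{1},{2},{3},{4},{5},{6},{7}' -f (Get-Date -Format s),
    $before.AV, $after.AV, $before.NIS, $after.NIS, $after.Engine,
    ($changed -join '+'), $exit
Add-Content $LogFile $row

$output | ForEach-Object { Write-Host $_ }
Write-Host "Logged to ${LogFile}: changed = $($changed -join '+')"
```

Run daily (for example from Task Scheduler), the CSV shows whether the days with large transfers line up with a change in the virus, spyware, NIS or engine versions.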