Microsoft Security Essentials Windows Server 2012 R2

[Maximilian Lozano]

Toprovide a basic level of security in a small server environment, we can install Microsoft Security Essentials with some simple modifications which contains most of the functionality of Windows Defender for free.

While it is not possible to directly download Windows Defender to install, we can instead make use of Microsoft Security Essentials which is available as a slightly cut down version for older versions of Windows, such as Windows 7, in order to help protect against viruses, spyware and other malicious software. Microsoft Security Essentials provides most of the protection methods that Windows Defender does with the exception of rootkit and bootkit protections.

It is important to note that Microsoft Security Essentials is designed to provide a basic level of free protection for home or small business PCs rather than important server infrastructure. Despite this, users with a very small amount of Windows server installations have been looking for ways to install Windows Defender in order to provide at least a basic level of security.

In order to resolve this, run command prompt as administrator and enter the folder where the mseinstall.exe file is located. Run the mseinstall.exe file with the /disableoslimit flag on the end as shown below.

You can select the Settings tab to modify when the weekly automatic scheduled scan takes place, by default a quick scan is set to run every Sunday at 2am and will not use more than 50% of the available CPU resources.

Although not officially supported, we have successfully installed Microsoft Security Essentials (a cut down Windows Defender) in Windows Server 2012 R2 and confirmed that it is working correctly and detecting security threats.

This is better than the default level of security, which is none as Windows Defender is only built into Windows 8, 8.1 and 10 client operating systems, however it is recommended that server operating systems make use of enterprise solutions such as System Center Endpoint Protection (SCEP) or some other option available from some security vendor.

Hi Jarrod,

thank you for quality instruction.

I was needed to uninstall msse, however Programs and Features Uninstall result error (your version of Windows is not supported), running mseinstall /disableoslimit is resulting error (only one instance can be instaled).

I would apprechiate your advice.

Regards

in my case i tried the 8th step. but my mse failed to detect it. tried installing it again but shows that only one instance of mse can be installed. so finally figured that mse is present. need guide how to open mse using cmd bcz it dosent show anywhere on the server.

tnq

FYI, these steps also help UNinstall MSE from a server that you upgraded from 2012 to 2019. Have to do the steps on the file at c:\program files\microsoft security client\setup.exe and then add a /x to the end of the path along with the /disableoslimit.

A: There is a patch for IE 6.0 running on Windows XP SP2. Please see the bulletin for the download links or search the Microsoft Download Center by the Knowledge Base (KB) bulletin number to get the download directly. You can also use Windows Update (WU) to get the update automatically.

A: IE suggests that you install MS08-073 before installing MS08-78 but there is no requirement. In some cases, the MS08-078 update does not require a restart. If the required files are being used, this update will require a restart.

A: The Microsoft Malware Protection Center MMPC group has been tracking the specific exploits and the malicious code they drop on its blog: This is a good place to review. It also reaffirms the need to maintain up-to-date antivirus protection on such systems. Depending on the exploit, removal will be different.

Q: We currently use Windows Server Update Services (WSUS) 2 - It looks like this update was downloaded for all Operating Systems (Oss) except Windows 2000. Can you confirm that a Windows 2000 version of this patch is available?

Q: Is there a better understanding or common direction of the presumed broadening scope of the malware drops being seen in the known exploit? Password stealers, keyloggers, trojans, botnets, etc?

A: A variety of malware specimens have been identified as part of these attacks. The MMPC has blogged on these attacks in more detail at The most common families seen with these attacks attempt to steal passwords of popular online games.

A: DEP does not protect against the vulnerable code being reached. However, in order for an attacker to exploit the vulnerable for code execution, they will need to prepare memory in a certain way and DEP is a fairly good protection against the tricks hackers use to prepare memory in this way. DEP + ASLR is very good at protecting against exploits, even without the patch.

A: An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

A: If you use Microsoft Update or Windows Update, and run a supported Windows platform, your system will be offered and install the patch for Internet Explorer to protect against this attack. Automatic Updates is a part of Windows Update, so yes, your system will be protected.

Q: In the Key Notes column of the Exploitability Index section of the bulletin, it states Internet Explorer runs in Protected Mode with default installations of Windows Vista and Windows Server 2008, presenting obstacles to the exploitation. Does MS08-078 (Security Update for Internet Explorer) provide the same level of protection for Windows XP and Windows Server 2000/2003 to prevent obstacles to the exploitation?

A: It is not specific to any type of user. This issue affects all systems where e-mail messages are read or where Internet Explorer is used frequently, such as workstations or terminal servers are at the most risk from this vulnerability. Servers could be at more risk if administrators allow users to browse and read e-mail on servers. However, best practices strongly discourage allowing this.

Q: Does this exploit in any way allow a remote directory traversal of a computer?

A: This vulnerability allows an attacker to take complete control if a user browses to a malicious website or otherwise parses untrusted content using a client-side application. We have not discovered a server-side attack vector.

Q: Does viewing an infected email in Office 2007 preview windows count as opening the email? At one time I had heard that Office 2007 preview of email was to help protect against infection.

A: To date, we have only seen active exploits that are dependent on scripting. The preview option disables script by default, thus preventing known exploits.

Q: There are reports (www.internetnews.com) that even patched computers with MS08-078 are still vulnerable. Have we wasted time and effort applying this patch?

A: We have received no reports of users with this patch installed being compromised. There are no known issues with this update.

Q: I have tried to download and install this through WSUS on Server 2003, but I cannot get it to download. Any ideas?

A: Please contact Customer Support Services if you are having trouble getting this update for WSUS Servers. The update has been available since its release and many customers have successfully downloaded and are deploying this update using WSUS. Since this is related to a security update, there should be no charge for the call.

Q: Is Microsoft working with plugin vendors to ensure that enabling DEP for IE does not cause unintended crashes? I have been unable to use Sun JVM 1.6.0 Update 11, and the bug report is still open (bug_id=6545701).

A: Yes we are. We are working specifically with Sun and Adobe. Adobe now has DEP-compliant plugins and we are still working with Sun on the JVM.

Q: Does MS08-078 provide any enhancements to DEP to provide defense in depth protection against current exploits? The bulletin indicates some concept code is available to bypass DEP, and I hope this can be fixed.

A:MS08-078 fixes the vulnerability in Internet Explorer but does not directly implement improvements to our Defense in Depth security components in Windows. Individual Defense in Depth mechanisms, by their nature, may in specific situations be incomplete protection and could be bypassed. However, it is the full set of these Defense in Depth mechanisms, such as DEP, ASLR and SEH Overwrite Protection that used in combination provides a strong mechanism of defense against new vulnerabilities and exploits. Microsoft continuously evaluates these mechanisms for their effectiveness and when needed will introduce changes to make them more effective. No improvements of such type have been included with this specific security update.

Q: How critical is it to get this update deployed to workstations where users are all configured as Basic/Limited Users - (Non Admin or PowerUser)?

A: If a basic/limited user browses a malicious web site without having installed the security update, his user account may become compromised. The net result would be that the attacker would gain basic/limited user privileges on the system. Depending on your organization and configuration, you as the administrator are best placed to assess the specific risk this poses to your organization. However, we strongly recommend installing the security update if these Basic/Limited users are allowed to access untrusted content such as internet web sites.

Q: Do software developers need to be aware of any differences in the new mshtml.dll file (in MS08-078) for apps that are using web browser controls?

A: The changes made by this security update are really very limited and do not affect the APIs developers use to interact with the components, or any way that browser controls would be implemented. Microsoft is currently not aware of any issues regarding compatibility of this patch with existing software either, though we continuously monitor the situation and will call any issues out in the KB articles should they be identified.

3a8082e126