Средство проверки безопасности (Майкрософт) Microsoft Safety Scanner

Средство проверки безопасности (Майкрософт) — это инструмент, дающий возможность проверять компьютеры с Windows на наличие вредоносных программ и удалять обнаруженные вредоносные программы. Microsoft Safety Scanner is a scan tool designed to find and remove malware from Windows computers. Просто скачайте это средство и запустите проверку, чтобы обнаружить вредоносные программы и попытаться вернуть систему в рабочее состояние, устранив изменения, сделанные выявленными вредоносными компонентами. Simply download it and run a scan to find malware and try to reverse changes made by identified threats.

С ноября 2019 года средство проверки безопасности будет использовать только подпись SHA-2. Starting November 2019, Safety Scanner will be SHA-2 signed exclusively. Для запуска средства проверки безопасности необходимо обновить устройства для поддержки SHA-2. Your devices must be updated to support SHA-2 in order to run Safety Scanner. Дополнительные сведения см. в статье Требование поддержки подписи кода SHA-2 в 2019 г. для Windows и WSUS. To learn more, see 2019 SHA-2 Code Signing Support requirement for Windows and WSUS.

Важная информация Important information

Версия обновления механизма обнаружения угроз в средстве проверки безопасности (Майкрософт) совпадает с версией, описанной на этой веб-странице. The security intelligence update version of the Microsoft Safety Scanner matches the version described in this web page.

Средство проверки безопасности выполняет проверку только при запуске в ручную. Использовать средство проверки безопасности можно только в течение 10 дней после скачивания. Safety Scanner only scans when manually triggered and is available for use 10 days after being downloaded. Рекомендуем скачивать последнюю версию этого средства перед каждой проверкой. We recommend that you always download the latest version of this tool before each scan.

Средство проверки безопасности — это переносимое исполняемое приложение, для него не создается элемент в меню «Пуск» в Windows и значок на рабочем столе. Safety scanner is a portable executable and does not appear in the Windows Start menu or as an icon on the desktop. Запомните, в какую папку вы скачали его. Note where you saved this download.

Это средство не заменяет используемый вами продукт для защиты от вредоносных программ. This tool does not replace your antimalware product. Для защиты в режиме реального времени с функцией автоматического обновления используйте антивирусную программу в Microsoft Defender в Windows 10 и Windows 8 или Microsoft Security Essentials в Windows 7. For real-time protection with automatic updates, use Microsoft Defender Antivirus on Windows 10 and Windows 8 or Microsoft Security Essentials on Windows 7. Эти решения для защиты от вредоносных программ также обладают мощными возможностями по удалению вредоносных программ. These antimalware products also provide powerful malware removal capabilities. Если у вас возникают сложности с удалением вредоносных программ при использовании этих продуктов, ознакомьтесь со справкой в разделе Удаление сложных угроз. If you are having difficulties removing malware with these products, you can refer to our help on removing difficult threats.

Требования к системе System requirements

Средство проверки безопасности помогает удалять вредоносные программы с компьютеров под управлением операционных систем Windows 10, Windows 10 Tech Preview, Windows 8.1, Windows 8, Windows 7, Windows Server 2019, Windows Server 2016, Windows Server Tech Preview, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2 и Windows Server 2008. Safety Scanner helps remove malicious software from computers running Windows 10, Windows 10 Tech Preview, Windows 8.1, Windows 8, Windows 7, Windows Server 2019, Windows Server 2016, Windows Server Tech Preview, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008. См. политику жизненного цикла Майкрософт. Please refer to the Microsoft Lifecycle Policy.

Запуск проверки How to run a scan

1. Скачайте это средство и откройте его. Download this tool and open it.
2. Выберите нужный тип проверки и запустите проверку. Select the type of scan that you want to run and start the scan.
3. Просмотрите результаты проверки, показанные на экране. Review the scan results displayed on screen. Подробные результаты обнаружения находятся в файле %SYSTEMROOT%\debug\msert.log. For detailed detection results, view the log at %SYSTEMROOT%\debug\msert.log.

Чтобы удалить это средство, удалите его исполняемый файл (по умолчанию это msert.exe). To remove this tool, delete the executable file (msert.exe by default).

Дополнительные сведения о средстве проверки безопасности см. в статье Устранение неполадок с помощью средства проверки безопасности. For more information about the Safety Scanner, see the support article on how to troubleshoot problems using Safety Scanner.

Windows security baselines

Applies to

• Windows 10
• Windows Server
• Microsoft 365 Apps for enterprise
• Microsoft Edge

Using security baselines in your organization

Microsoft is dedicated to providing its customers with secure operating systems, such as Windows 10 and Windows Server, and secure apps, such as Microsoft Edge. In addition to the security assurance of its products, Microsoft also enables you to have fine control over your environments by providing various configuration capabilities.

Even though Windows and Windows Server are designed to be secure out-of-the-box, many organizations still want more granular control over their security configurations. To navigate the large number of controls, organizations need guidance on configuring various security features. Microsoft provides this guidance in the form of security baselines.

We recommend that you implement an industry-standard configuration that is broadly known and well-tested, such as Microsoft security baselines, as opposed to creating a baseline yourself. This helps increase flexibility and reduce costs.

What are security baselines?

Every organization faces security threats. However, the types of security threats that are of most concern to one organization can be completely different from another organization. For example, an e-commerce company may focus on protecting its Internet-facing web apps, while a hospital may focus on protecting confidential patient information. The one thing that all organizations have in common is a need to keep their apps and devices secure. These devices must be compliant with the security standards (or security baselines) defined by the organization.

A security baseline is a group of Microsoft-recommended configuration settings that explains their security impact. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers.

Why are security baselines needed?

Security baselines are an essential benefit to customers because they bring together expert knowledge from Microsoft, partners, and customers.

For example, there are over 3,000 Group Policy settings for Windows 10, which does not include over 1,800 Internet Explorer 11 settings. Of these 4,800 settings, only some are security-related. Although Microsoft provides extensive guidance on different security features, exploring each one can take a long time. You would have to determine the security impact of each setting on your own. Then, you would still need to determine the appropriate value for each setting.

In modern organizations, the security threat landscape is constantly evolving, and IT pros and policy-makers must keep up with security threats and make required changes to Windows security settings to help mitigate these threats. To enable faster deployments and make managing Windows easier, Microsoft provides customers with security baselines that are available in consumable formats, such as Group Policy Objects Backups.

How can you use security baselines?

You can use security baselines to:

• Ensure that user and device configuration settings are compliant with the baseline.
• Set configuration settings. For example, you can use Group Policy, Microsoft Endpoint Configuration Manager, or Microsoft Intune to configure a device with the setting values specified in the baseline.

Where can I get the security baselines?

You can download the security baselines from the Microsoft Download Center. This download page is for the Security Compliance Toolkit (SCT), which comprises tools that can assist admins in managing baselines in addition to the security baselines.

The security baselines are included in the Security Compliance Toolkit (SCT), which can be downloaded from the Microsoft Download Center. The SCT also includes tools to help admins manage the security baselines.

Community

Related Videos

You may also be interested in this msdn channel 9 video:

Service Security and Access Rights

The Windows security model enables you to control access to the service control manager (SCM) and service objects. The following sections provide detailed information:

Access Rights for the Service Control Manager

The following are the specific access rights for the SCM.

Access right	Description
SC_MANAGER_ALL_ACCESS (0xF003F)	Includes STANDARD_RIGHTS_REQUIRED, in addition to all access rights in this table.
SC_MANAGER_CREATE_SERVICE (0x0002)	Required to call the CreateService function to create a service object and add it to the database.
SC_MANAGER_CONNECT (0x0001)	Required to connect to the service control manager.
SC_MANAGER_ENUMERATE_SERVICE (0x0004)	Required to call the EnumServicesStatus or EnumServicesStatusEx function to list the services that are in the database. Required to call the NotifyServiceStatusChange function to receive notification when any service is created or deleted.
SC_MANAGER_LOCK (0x0008)	Required to call the LockServiceDatabase function to acquire a lock on the database.
SC_MANAGER_MODIFY_BOOT_CONFIG (0x0020)	Required to call the NotifyBootConfigStatus function.
SC_MANAGER_QUERY_LOCK_STATUS (0x0010)	Required to call the QueryServiceLockStatus function to retrieve the lock status information for the database.

The following are the generic access rights for the SCM.

Access right	Description
GENERIC_READ	STANDARD_RIGHTS_READ SC_MANAGER_ENUMERATE_SERVICE SC_MANAGER_QUERY_LOCK_STATUS
GENERIC_WRITE	STANDARD_RIGHTS_WRITE SC_MANAGER_CREATE_SERVICE SC_MANAGER_MODIFY_BOOT_CONFIG
GENERIC_EXECUTE	STANDARD_RIGHTS_EXECUTE SC_MANAGER_CONNECT SC_MANAGER_LOCK
GENERIC_ALL	SC_MANAGER_ALL_ACCESS

A process with the correct access rights can open a handle to the SCM that can be used in the OpenService, EnumServicesStatusEx, and QueryServiceLockStatus functions. Only processes with Administrator privileges are able to open handles to the SCM that can be used by the CreateService and LockServiceDatabase functions.

The system creates the security descriptor for the SCM. To get or set the security descriptor for the SCM, use the QueryServiceObjectSecurity and SetServiceObjectSecurity functions with a handle to the SCManager object.

Windows Server 2003 and Windows XP: Unlike most other securable objects, the security descriptor for the SCM cannot be modified. This behavior has changed as of Windows Server 2003 with Service Pack 1 (SP1).

The following access rights are granted.

Account	Access rights
Remote authenticated users	SC_MANAGER_CONNECT
Local authenticated users (including LocalService and NetworkService)	SC_MANAGER_CONNECT SC_MANAGER_ENUMERATE_SERVICE SC_MANAGER_QUERY_LOCK_STATUS STANDARD_RIGHTS_READ
LocalSystem	SC_MANAGER_CONNECT SC_MANAGER_ENUMERATE_SERVICE SC_MANAGER_MODIFY_BOOT_CONFIG SC_MANAGER_QUERY_LOCK_STATUS STANDARD_RIGHTS_READ
Administrators	SC_MANAGER_ALL_ACCESS

Notice that remote users authenticated over the network but not interactively logged on can connect to the SCM but not perform operations that require other access rights. To perform these operations, the user must be logged on interactively or the service must use one of the service accounts.

Windows Server 2003 and Windows XP: Remote authenticated users are granted the SC_MANAGER_CONNECT, SC_MANAGER_ENUMERATE_SERVICE, SC_MANAGER_QUERY_LOCK_STATUS, and STANDARD_RIGHTS_READ access rights. These access rights are restricted as described in the previous table as of Windows Server 2003 with SP1

When a process uses the OpenSCManager function to open a handle to a database of installed services, it can request access rights. The system performs a security check against the security descriptor for the SCM before granting the requested access rights.

Access Rights for a Service

The following are the specific access rights for a service.

Access right	Description
SERVICE_ALL_ACCESS (0xF01FF)	Includes STANDARD_RIGHTS_REQUIRED in addition to all access rights in this table.
SERVICE_CHANGE_CONFIG (0x0002)	Required to call the ChangeServiceConfig or ChangeServiceConfig2 function to change the service configuration. Because this grants the caller the right to change the executable file that the system runs, it should be granted only to administrators.
SERVICE_ENUMERATE_DEPENDENTS (0x0008)	Required to call the EnumDependentServices function to enumerate all the services dependent on the service.
SERVICE_INTERROGATE (0x0080)	Required to call the ControlService function to ask the service to report its status immediately.
SERVICE_PAUSE_CONTINUE (0x0040)	Required to call the ControlService function to pause or continue the service.
SERVICE_QUERY_CONFIG (0x0001)	Required to call the QueryServiceConfig and QueryServiceConfig2 functions to query the service configuration.
SERVICE_QUERY_STATUS (0x0004)	Required to call the QueryServiceStatus or QueryServiceStatusEx function to ask the service control manager about the status of the service. Required to call the NotifyServiceStatusChange function to receive notification when a service changes status.
SERVICE_START (0x0010)	Required to call the StartService function to start the service.
SERVICE_STOP (0x0020)	Required to call the ControlService function to stop the service.
SERVICE_USER_DEFINED_CONTROL(0x0100)	Required to call the ControlService function to specify a user-defined control code.

The following are the standard access rights for a service.

Access right	Description
ACCESS_SYSTEM_SECURITY	Required to call the QueryServiceObjectSecurity or SetServiceObjectSecurity function to access the SACL. The proper way to obtain this access is to enable the SE_SECURITY_NAMEprivilege in the caller’s current access token, open the handle for ACCESS_SYSTEM_SECURITY access, and then disable the privilege.
DELETE (0x10000)	Required to call the DeleteService function to delete the service.
READ_CONTROL (0x20000)	Required to call the QueryServiceObjectSecurity function to query the security descriptor of the service object.
WRITE_DAC (0x40000)	Required to call the SetServiceObjectSecurity function to modify the Dacl member of the service object’s security descriptor.
WRITE_OWNER (0x80000)	Required to call the SetServiceObjectSecurity function to modify the Owner and Group members of the service object’s security descriptor.

The following are the generic access rights for a service.

Access right	Description
GENERIC_READ	STANDARD_RIGHTS_READ SERVICE_QUERY_CONFIG SERVICE_QUERY_STATUS SERVICE_INTERROGATE SERVICE_ENUMERATE_DEPENDENTS
GENERIC_WRITE	STANDARD_RIGHTS_WRITE SERVICE_CHANGE_CONFIG
GENERIC_EXECUTE	STANDARD_RIGHTS_EXECUTE SERVICE_START SERVICE_STOP SERVICE_PAUSE_CONTINUE SERVICE_USER_DEFINED_CONTROL

The SCM creates a service object’s security descriptor when the service is installed by the CreateService function. The default security descriptor of a service object grants the following access.

Account	Access rights
Remote authenticated users	Not granted by default.Windows Server 2003 with SP1: SERVICE_USER_DEFINED_CONTROL Windows Server 2003 and Windows XP: The access rights for remote authenticated users are the same as for local authenticated users.
Local authenticated users (including LocalService and NetworkService)	READ_CONTROL SERVICE_ENUMERATE_DEPENDENTS SERVICE_INTERROGATE SERVICE_QUERY_CONFIG SERVICE_QUERY_STATUS SERVICE_USER_DEFINED_CONTROL
LocalSystem	READ_CONTROL SERVICE_ENUMERATE_DEPENDENTS SERVICE_INTERROGATE SERVICE_PAUSE_CONTINUE SERVICE_QUERY_CONFIG SERVICE_QUERY_STATUS SERVICE_START SERVICE_STOP SERVICE_USER_DEFINED_CONTROL
Administrators	DELETE READ_CONTROL SERVICE_ALL_ACCESS WRITE_DAC WRITE_OWNER

To perform any operations, the user must be logged on interactively or the service must use one of the service accounts.

To get or set the security descriptor for a service object, use the QueryServiceObjectSecurity and SetServiceObjectSecurity functions. For more information, see Modifying the DACL for a Service.

When a process uses the OpenService function, the system checks the requested access rights against the security descriptor for the service object.

Granting certain access rights to untrusted users (such as SERVICE_CHANGE_CONFIG or SERVICE_STOP) can allow them to interfere with the execution of your service, and possibly allow them to run applications under the LocalSystem account.

When EnumServicesStatusEx function is called, if the caller does not have the SERVICE_QUERY_STATUS access right to a service, the service is silently omitted from the list of services returned to the client.