Windows 8 to have built-in anti-virus - there's good and bad news - yuhong
http://nakedsecurity.sophos.com/2011/09/14/windows-8-anti-virus-good-bad-news/

======
thaumaturgy
1. This is bad for antivirus vendors who want to continue doing the same ol'
thing. McAfee, AVG, and others are still terrible, and Norton has got such a
bad reputation that even though its recent products have improved (somewhat?),
it will be a long time before independent consultants start recommending it
again. So this is going to put pressure on these companies to do something
newer and better, which is great.

2. But, it likely won't change what actually ships with new PCs, since PC
vendors these days (Dell and Acer directly, Best Buy, Staples, and others)
make their margins by shipping computers with a free trial version of McAfee
or Norton in the hopes that the customer will be snookered into paying for the
software. In our experience, most customers do end up buying it, since they
don't know any better.

3. Although we recommend and love Microsoft Security Essentials, it is not
perfect. Just last week we had to do a manual cleanup of infected register
systems for a local business where both Malwarebytes and MSE missed major
components of the virus. The leftover components were sufficient to re-infect
the systems -- while running in Safe Mode. (This was XP, for those wondering.)

4. Malware developers still have a lot of tricks they haven't even tried yet,
that honestly I'm surprised haven't shown up already.

5. Malware is largely a commercial industry now, so there will be financial
pressure on malware developers to adopt new tactics to defeat the bundled
antivirus.

6. But, antivirus technology also still has a lot of room to improve.
Microsoft especially is in a unique position to do this because they can
legally do things like repair infected or damaged components of Microsoft
software from clean copies, which might be a legal gray area for independent
companies. (I am not a lawyer and all that.) Microsoft has the capability and
resources for example to develop software which can examine key operating
system areas for anything that looks suspicious -- something which most
antivirus software doesn't do now.

7. In our end of the business, it could be a mixed blessing. On the one hand,
we lose money on every single virus cleanup that we do, and I hate charging
people for it anyway. On the other, it does drive new customers to us and
gives us the opportunity to really make a strong first impression. But I won't
cry into my pillow at night if Microsoft somehow manages to eviscerate the
malware industry.

8. But, I'm skeptical about rapid adoption. What we're seeing right now is
more and more people trying to keep their computer-related costs down. We're
_still_ doing significant XP support -- probably over half of our Windows
users, if I had to estimate -- and, earlier today, the only reason we were
able to convince a client that they would actually be better off buying a new
replacement system is because decent _IDE_ hard drive upgrades right now just
aren't worth it. If this trend continues, and if Windows 7 continues to be
"good enough" for most people, it'll be years before we see enough adoption of
Windows 8 to make a dent in malware, which gives the malware developers plenty
of time to adapt. (But, I could be surprised. Then again, what I've seen so
far of Windows 8 isn't exactly compelling.)

9. Finally, the best place right now to stop malware, in our opinion, is
still the browser. Chrome + AdBlock Plus by itself typically prevents repeat
malware cleanups. The major exception to this _was_ Limewire.

So, basically: I don't think this will really have that much of an impact any
time in the near future, but if it does, it will probably make malware nastier
and antivirus software better, and it will still be business-as-usual for
support companies, which means it won't really improve consumers' lives much.

~~~
nodata
> Chrome + AdBlock Plus by itself typically prevents repeat malware cleanups.

That's interesting because Chrome is installed as the user (and so writable by
the user), not as admin (like everything else). Chrome should be easier to
infect.

Got any numbers?

~~~
thaumaturgy
No, unfortunately. :-( One of my 2012 projects is to build us a system that
can keep track of all this stuff so I can publicly provide real data on what
we see instead of winging it.

Web-wise, there seems to be two primary sources of infection: malicious ads on
legitimate websites, and poisoned search results. (Compromised websites were
all set to be a strong third source, but Wordpress cleaned up its act and we
haven't seen as much of that this year.)

AB+ takes care of the ads, which seems to be the biggest source of infections.
Chrome seems to be pretty resilient to direct attacks against the browser so
far, if statements from people at CanSecWest are anything to go by. (With at
least one known exception [1].)

We make guesses about the source of the infection based on the type of
infection, what we find in which temp folders, and the client's browsing
history -- if they're OK with us looking into that.

edit: I should explain that we've seen the same results from Firefox w/ AB+.

[1]: http://www.geek.com/articles/geek-pick/googles-chrome-browser-has-finally-been-hacked-2011059/

~~~
kijin
Thanks for the info. I use AdBlock Plus and I love it too.

On a related note, what do you think about NoScript? Does it really help
prevent attacks these days, or are NoScript users just being paranoid? I use
NoScript with AdBlock Plus, but so many websites rely on JS these days, it
gets annoying pretty quickly.

~~~
rkudeshi
I wanted to love NoScript, but it broke too many web pages.

Trying Ghostery now, seems much more user-friendly.

~~~
RexRollman
I tried to leave NoScript a month ago, but there are too many asshole
website developers out there. But your recommendation is a good one, as I've
heard nothing but good things about Ghostery.

------
bad_user
This is a good thing. Anti-virus companies have gotten lazy, mostly to
increase profits.

I have in-house knowledge of an anti-virus product (BitDefender) that could
have been the best in the world. But instead the board of directors decided
one day that the product _is too good_ and that they should keep it down a
notch, as it wasn't worth it to keep so many talented developers on the
payroll. The product itself is still good, but is bloated (as normal users
need to see a lot of background activity and red lights for the cost to be
justified) and it's not what it should have been.

In general I feel bad when companies get bitten by Microsoft's anti-competitive
behavior, but not this time.

~~~
DanBC
> _normal users need to see a lot of background activity and red lights for
> the cost to be justified_

The corporate versions of anti-malware are usually better because they can
avoid all the klaxons and alarms and flashing dialog warnings, because it's
not the user who pays, it's someone else in the corporation.

As three14 says below, some anti-malware software feels awful to run: really
nasty interfaces and nasty mangling of the experience. Having the machine run
a scan when the user is away helps.

But I'm surprised there isn't a better AV product out there.

------
three14
I would be more bothered if other vendors' anti-malware wasn't _terrible_.
Every virus-like behavior I've seen over the past several years was actually
anti-malware misbehaving. One particular peeve is disk usage - anti-virus
scans at a low priority, but somehow the disk slows to a crawl anyway. I
suspect that the antivirus gets fewer I/O requests serviced, but causes many
seeks so once it gets an I/O request honored, the disk is tied up until the
seek completes. It would be nice if the OS took care of this, but given that
it doesn't, I blame the anti-malware vendors for not caring about their
customers.

~~~
brc
I say this to many people. If the definition of a virus or malware is
something that hinders performance and functionality of your computer, then
most commercial AV products fit the bill. They have a massive footprint, stop
you doing normal things, constantly interrupt you and generally are impossible
to remove completely.

It staggers me how competition in the anti-virus market gave us so many bad
products. Even the ones that started out good slowly morphed into expensive
bloatware. Security Essentials was the first step against that trend, and I'm
happy to see it go all the way.

~~~
T-hawk
> It staggers me how competition in the anti-virus market gave us so many bad
> products.

They all suffer from the problem of "This rock keeps tigers away." A large
proportion of AV instances never incur any malware at all; it gets stopped at
the corporate firewall level or the users just don't browse to any infected
sites. So how can you tell that the AV package is even doing anything? It must
keep itself in the user's face to seem productive, or else that AV package
will lose sales to a competitor that looks like it does more.

You know all those email taglines "This message was scanned by Norton AV" or
whatever? Those are trivially fakeable and carry zero security meaning, or
even worse than zero in tricking someone into falling for a fake. Their
presence is obvious when you understand what they really are: advertising for
the AV package.

Security Essentials is the first AV package that's not motivated primarily by
sales, so it has the ability to stay out of the way where commercial AV
products can't. (Why does MS Security Essentials exist at all? I recall one MS
blogger, probably Raymond Chen, mention in passing that MSSE was created to
reduce Microsoft's own support workload, as a fair number of support tickets
with Microsoft are caused by malware.)

------
captain-asshat
Some people seem to have forgotten that the reason MSE is so good is because
Microsoft have an entire department that explores those Dr. Watson errors people
send them. Some of the time the reports include virus authors' early attempts
which are accidentally sent and then used to create virus definitions.

If MSE was installed by default, the data MS would have to improve it would
increase by a substantial amount. Also, MSE is generally rated the best AV in
pretty much every independent review I've seen.

"Malware authors. You don't think they're going to ignore this development, do
you? If most budget-conscious home users stick with Microsoft's built-in
offering, then surely the first thing the bad guys will do is make sure their
latest creation can slip past Microsoft's scanner."

While misguided, this point raises a problem. By having a single 'default' AV
installed, it might mean the attack surface is made simpler as malware writers
need only target a single scanner. With MS' demonstrated speed in addressing
issues however, I doubt this is a great threat.

------
jigs_up
Pig and Hungry Hungry Hippo, eh? Couldn't have put it better myself. So tired
of seeing this crap foisted upon people who don't know any better. While I see
the author's point about it being a bad thing for all users to be protected by
the same antivirus software, I must say that MSE is the only antivirus
software I've ever been comfortable using. I didn't use antivirus software for
well over a decade, but MSE has such a small footprint and is so unobtrusive
that it's now a question of 'Why not?'.

------
d_r
Am I wrong in wishing for Microsoft to take a step toward sandboxing/code
signing instead of playing the cat-and-mouse (and sometimes snake oil) game of
antiviruses and antimalware products?

Admittedly, this is probably not feasible by definition since the Windows
ecosystem gives developers infinite freedom. And sandboxing is not trivial to
get right. "Bad" applications will just go out of their way to entice the user
to allow "read and write all my files." And sadly, users don't really read or
understand warning dialogs. But one could wish, right?

Signed, someone who has seen too many friends' computers slowed down with said
antiviruses, defenders, and always a plethora of toolbars.

~~~
cek
Nope, you're not wrong at all in wishing that.

I was one of the folks in charge of defining and building the Windows Phone 7
application platform. I pushed extremely hard to ensure that when WP7 shipped
the app sandbox was tight, tight, tight. So much so that I pissed enumerable
people off because we refused to open it up to anything but managed code. I
always argued that the product would be better off in the long term with a
real reputation for being solid & secure.

It was hard to do, but we were able to do it because WP7 was basically a v1
product and we had no backwards compatibility requirements (or existing
customers <g>).

For Big Windows, it's a lot harder. A LOT HARDER. But I have read that Win8
will have a sandbox for new apps. That should help a lot, but it really is
just a start. AV software will still be a necessity for most users.

Note that I find it highly ironic that Android failed to keep their sandbox
tight early on and as a result that platform is suffering significant malware
problems. Timely:
http://techcrunch.com/2011/11/20/mcafee-nearly-all-new-mobile-malware-in-q3-targeted-at-android-phones-up-37-percent/

~~~
gjm11
<pedant>"Enumerable" means almost exactly the opposite of "innumerable", which
I think is what you meant: (Enumerable: able to be counted. Innumerable: not
able to be counted.)</pedant>

~~~
TylerE
Uh, in this context I would wager he has a pretty good idea how many people he
said no to.

------
derwildemomo
I just can't stop thinking about that analogy where a car buyer is forced into
buying brakes just after he bought a brand new car, because said car doesn't
ship with working ones. Antivirus feels the same to me: why would I want to
buy an OS that is flawed and needs to be fixed by buying third-party products?
Microsoft addressing that issue isn't something I perceive as great news; it's
rather sad they shipped Windows so insecurely for such a long time.

~~~
sandboxed
Anti-viruses will always be necessary. There is money to be made in sending
spam, running botnets, and mining data. Regardless of what operating system
you are running, I'm sure there is someone out there who could find a
vulnerability if he or she was motivated enough. Is this more of a PR move?
Whenever you talk to Mac users they seem to flaunt the fact that they are
virus free. Or is it that no one bothers, since so few people have Macs compared
to PCs?

~~~
dhx
Anti-virus software is not necessary. It's a side effect of poor system
configuration, slow release cycles for patched software and to a lesser
extent, poorly designed software.

If a severe vulnerability is discovered, open source communities race to
distribute a new version of the software (faster than anti-virus vendors can
respond). Package management allows patches for _all_ software to be rolled
out quickly and securely. A turnaround time exceeding 2 hours from knowledge
of a critical vulnerability to patched software being distributed to
1,000,000's of computers would be considered slow. The concept of executing
files downloaded from Internet sites, provided on removable media or sent via
email is completely foreign.

Proprietary vendors tend to follow the processes defined in their ISO 9001
compliant Quality Management System. They wait for the next weekly "Urgent"
Security Working Group Meeting so that a proposal to develop a Software Change
Request can be agreed upon. ... blah blah... 2 months later you _may_ have
updated software that users won't know about because they don't check the
sites of the 100's of applications on their computers on a daily schedule.

Microsoft _could_ do more, particularly with respect to system-wide package
management. However, _proprietary software vendors_ are the primary culprits.
Microsoft can't help Windows users if software vendors refuse to respond to
security vulnerabilities quickly or fail to design their software with
consideration towards security.

I wish I saved the reference, but I read an interview recently where the
founder/CEO of a prominent anti-virus vendor stated bluntly that the only
reason the business exists is because of a failure to address {a list of well
known and ignored problems including some I mentioned above}. Marcus Ranum
("inventor of the firewall")[1], Linus Torvalds[2] and many other well known
and greatly respected researchers/practitioners have views on the computer
security industry that may appear surprising. These people have significant
influence, decades of experience and the respect to back it up. The comments
they have towards the industry, including anti-virus vendors, are often quite
negative (while remaining constructive). There is a reason founders of anti-virus
companies can make discouraging remarks about the need for their company
to exist -- they know from vast experience that software vendors won't be
listening.

[1] <http://www.ranum.com/security/computer_security/>
[2] <http://article.gmane.org/gmane.linux.kernel/706950>

~~~
DanBC
> _It's a side effect of poor system configuration, slow release cycles for
> patched software and to a lesser extent, poorly designed software._

Don't forget stupid and naïve users: those who know that the dodgy crack /
serial website is going to have infected files, or those who don't realise
that cute cursors come with malware.

And, to be fair, it's not just MS that has these problems. BSD makes things a
bit less scary for Mac users, but there's still the problem of people running
as a high level user and entering their password whenever they're asked,
without necessarily thinking about it.

------
phamilton
It seems like this will be a tech equivalent of USPS vs. FedEx: government vs.
private sector.

