February 28, 2007
Now that Windows Vista has been available for almost a month, the comparative performance benchmarks are in.
It's about what I expected; rough parity with the performance of Windows XP. Vista's a bit slower in some areas, and a bit faster in others. But shouldn't new operating systems perform better than old ones? There are plenty of low-level improvements under the hood. Why does Vista only break even in performance?
To be fair, Vista does a lot more than XP. I don't want to get into the whole XP vs. Vista argument here, but suffice it to say that the list of new features in Vista is quite extensive, although perhaps not as extensive as some would like. Vista's integrated search alone is enough for me to banish XP from my life forever.
Microsoft has gotten a giant security shiner from Windows XP over the last five years. That's why Windows Vista goes out of its way to radically improve security, with new features like User Account Control (UAC) and Windows Defender. The existing security features in XP, such as Windows Firewall and System Protection (aka restore points) were significantly overhauled and improved for Vista, too. Enhanced security is a good thing, but it's never free. In fact, Vista's new security features will slow your PC down more than almost any other kind of software you can install.
For best performance, the first thing I do on any new Vista install is this:
- Turn off Windows Defender
- Turn off Windows Firewall
- Disable System Protection
- Disable UAC
I've had friends remark how "slow" Vista feels compared to XP, but when I ask them whether they've disabled Defender or UAC, the answer is typically no. Of course your system is going to be slower with all these added security checks. Security is expensive, and there ain't no such thing as a free lunch.
You might argue that three out of these four security features wouldn't even be necessary in the first place if Windows had originally followed the well-worn UNIX convention of separating standard users from privileged administrators. I won't disagree with you. But Windows' long historical precedent of setting up user accounts by default as privileged administrators is Microsoft's cross to bear. I can't rewrite history, and neither can Microsoft. That's why they came up with these painful, performance-sapping workarounds.
But this doesn't mean you have to give up on security entirely in the name of performance. If you're really serious about security, create a new user account with non-Administrator privileges, and log in as that user. Sadly, this isn't the default behavior in Vista. Post install, you get an Administrator-But-Not-Really-Just-Kidding account: a member of the Administrators group whose token UAC filters down at logon, so it triggers a prompt on any action that requires administrator privileges. I'm sure this torturous hack was conceived in the name of backwards compatibility, but that doesn't mean we need to perpetuate it. The good news is that Vista is probably the first Microsoft operating system ever where you can actually work effectively as a standard, non-privileged user. As a standard user, you get all the benefits of UAC, Defender, and System Protection, without all the performance drain.
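As an added example, not part of the original post: the PowerShell below creates a standard (non-Administrator) local account and then reports which of Vista's three token states the current session is running in, so you can confirm you are really a standard user and not the UAC-filtered default account. It assumes PowerShell 2.0 or later (for ConvertFrom-Csv) and uses a placeholder account name, standarduser. The SID S-1-5-32-544 is the well-known BUILTIN\Administrators alias, and EnableLUA is the registry value in which UAC records whether it is switched on.

```powershell
# Added example (not from the original post). Run from an elevated prompt the first
# time so that account creation succeeds; Get-TokenKind works from any session.

# 1. Create a local account. 'net user ... /add' makes it a member of Users only,
#    so it is a true standard user, not the UAC-filtered "protected administrator".
#    The '*' makes net.exe prompt for the password instead of leaving it in history.
net user standarduser 2>&1 | Out-Null            # 'standarduser' is a placeholder name
if ($LASTEXITCODE -ne 0) {                       # non-zero: the account does not exist yet
    net user standarduser * /add
}

# 2. Classify the token the current session is running with.
function Get-TokenKind {
    # whoami lists every group SID in the token, including deny-only entries,
    # which is what distinguishes a filtered administrator from a standard user.
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $admins = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }   # BUILTIN\Administrators

    if (-not $admins) {
        'StandardUser'             # Administrators is not in the token at all
    } elseif ($admins.Attributes -match 'deny only') {
        'ProtectedAdministrator'   # the default Vista account: an admin, filtered by UAC
    } else {
        'Elevated'                 # full administrative token (or UAC is turned off)
    }
}

# 3. Confirm UAC itself is still on; 0 here means every admin logon gets a full token.
function Get-UacEnabled {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    [bool](Get-ItemProperty -Path $key -Name EnableLUA).EnableLUA
}

"Token: {0}; UAC enabled: {1}" -f (Get-TokenKind), (Get-UacEnabled)
```

Log in as the new account and run Get-TokenKind again: the expected answer is StandardUser. If it says ProtectedAdministrator, you are still on the default account and every UAC prompt is a click-through rather than a credential check.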
Let me be clear here. I'm not against security. I'm against retrograde, band-aid, destroy all my computer's performance security.
Speaking of retrograde, band-aid, destroy all my computer's performance security, the one security feature Vista doesn't bundle is anti-virus software. And nothing cripples your PC's performance quite like anti-virus software. This isn't terribly surprising if you consider what anti-virus software has to do: examine every single byte of data that passes through your computer for evidence of malicious activity. But who needs theory when we have Oli at The PC Spy. Oli conducted a remarkably thorough investigation of the real world performance impact of security software on the PC. The results are truly eye-opening:
Products tested:
- Norton Internet Security 2006
- McAfee VirusScan Enterprise 8
- Norton Internet Security 2007
- Trend Micro PC-cillin AV 2006
- Norton Antivirus 2002
- Windows Live OneCare
- Webroot Spy Sweeper
- avast! 4.7 Home
- Panda Antivirus 2007
- AVG 7.1 Free
The worst offenders are the anti-virus suites with real-time protection. According to these results, the latest Norton Internet Security degrades boot time by nearly 50 percent. And no, the disk figure isn't a typo: it also makes all disk access sixteen times slower! Even the better performers in this table would have a profoundly negative impact on your PC's performance. Windows Defender, for example, "only" makes hard drive access 54 percent slower.
And yet, despite the crushing performance penalty, anti-virus software is de rigueur in the PC world. Most PC vendors would no sooner ship a PC without preinstalled anti-virus software than they would ship a PC without an operating system (yeah, you wish). The very thought of running a PC naked, vulnerable, unprotected from viruses sends system administrators screaming from the room in a panic. When you tell a sysadmin you dislike running anti-virus software, they'll look at you mouth agape, as if you've just told them that you hate puppies and flowers.
I don't see why they're so shocked. Anti-virus software itself, while not self-propagating like a virus, certainly fits the definition of a Trojan Horse. Once installed on your system, it has a hidden, unadvertised payload: it decimates your computer's performance and your productivity. In my opinion, what we really need is Anti-Anti-Virus software to keep us safe from the ongoing Anti-Virus software pandemic.
I've never run any anti-virus software. And Mac or Linux (aka UNIX) users almost never run anti-virus software, either. Am I irresponsible to run all my computers without anti-virus software? Are Mac and Linux users irresponsible for not participating in the culture of fear that Windows anti-virus software vendors propagate? I think it's braver and more responsible to recognize that anti-virus software vendors are not only telling us to be afraid, they are selling us fear. The entire anti-virus software industry is predicated on a bad architectural decision made by Microsoft fifteen years ago. And why, exactly, would any of these vendors want to solve the virus problem and put themselves out of business?
I'll certainly agree that you can't stop users from clicking on dancing bunnies if they have their mind set on it. You should have a few different security layers in any modern operating system. But we should also be treating the disease first, too many damn users running as administrators, instead of the symptoms.
As for remediation strategies, I'm a fan of the virtual machine future. We should treat our operating system like a roll of paper towels. If you get something on it you don't like, you ball it up and throw it away, and rip off a new, fresh one. But if that's too radical for you, I think Jan Goyvaerts is on to something with good old plain common sense backups:
In fact, with a proper backup system in place, you don't have to be afraid of messing up your system. I don't use any anti-virus or anti-spyware software. If my system starts acting up, I'll restore the backup, and have a guaranteed clean system. No spyware remover can beat that. If I want to play with beta software, I don't have to inconvenience myself by running it in a virtual machine. I do use VMware for testing my applications on clean installs of Windows. But when beta testing new versions of tools I use for development, I want to test them in my actual development environment instead. When the beta expires, I wipe it off by restoring the OS backup.
It's not terribly different from my virtual machine solution. Either way, you go back to a known good checkpoint. And I'll take a backup strategy over a computer with hobbled performance any day.
This also raises the question of what safety really means. No matter how much security software you install, nagging users with dozens of security dialogs clearly doesn't make them any safer. We should give users a basic level of protection as standard non-administrator users. But beyond that, let users make mistakes, and provide automatic, unlimited undo. That's the ultimate safety blanket.
Posted by Jeff Atwood
Windows had originally followed the well-worn UNIX convention of separating standard users from privileged administrators.
There has to be somebody out there besides me that understands why Windows did this. Anybody?
You don't even need VMs for family members, separate OS installs will work too. In fact, for anyone into hard gaming, or almost anything using DirectX really, VMs are essentially a non-choice. (At least until the next generation of designed-for-VM hardware comes out; I understand ATI's DX10 card will have some support.) For someone who just wants myspace or a compiler, VMs are a great solution.
Just give them useful names on the OS selection screen, and use passwords to back that up.
I personally feel that the place for anti-virus is the firewall. Although it can't stop all infection routes, it can handle the most common (direct files, zips, rars, bad html) with aplomb. My only issue with Fortinet's implementation is that it won't do Samba A/V. You can even get it on junker Linksys with user-developed firmwares, although you have to be a unix whiz to get it working well.
One more thing I always disabled on XP was the System Restore. All it did was take up time and space and I never once had an occasion to use it.
Some people swear by System Restore, but it's really just a poor man's virtualization.
And to be fair, most uses of System Restore are legitimate; it's due to a botched third-party driver install, which would hose *ANY* operating system. I just don't like it because it's invasive and incomplete. But in the right circumstances it is better than nothing (and it beats doing an in-place reinstall of the OS).
understands why Windows did this
Enlighten us. I think it's due to the endless backwards compatibility. Vista couldn't use regular user accounts because it had to be compatible with software for XP, which in turn had to be compatible with software for Win98 and NT4, which in turn had to be compatible with software for Windows 3.1, which in turn had to be compatible with software for DOS 6.22, and so forth, and so on, ad nauseam.
Sometimes I think this backwards compatibility stuff (eg, the Raymond Chen camp referenced in the above Spolsky article) is hurting us more than it helps. Of course, the minute that MS creates an OS which doesn't bend over backwards to run the crappiest of crappy, ancient Win31 apps, journalists and users have a field day with complaints about how "Windows doesn't work with my software". Microsoft can't win.
Well, unless they choose the virtualization strategy. Then they win, because every bit of software is locked in a VM time capsule and is perfectly compatible.
Telos: ROFLMAO. I saw that show when it was aired here in Norway a couple of years ago. Happy to see it hit prime time youtube. Well deserved! :)
But it proves your point nicely.
BTW: Great article as always Jeff. I second your motion to change the Windows world in regards to the admin vs user accounts. Change this, and really let people be happy about increased performance, and less problems. If they had only supported proper user-account installation too. Like someone suggested above, there should have been a My Programs folder - that was unrelated to the general setup and other users.
Seems like antivirus software wouldn't have to be so slow if the OS was careful about marking files as executable or non-executable. Non-executable data files would never be examined. Executable files would be examined, as would non-executables made executable. Applications with data files with embedded executables (e.g. Word documents) would not run scripts unless the file was marked executable. If there was that sort of boundary, disk access could suffer less.
Personally, I like the OLPC approach. Apps run in separate containers, and cannot affect each other without the user's permission.
Hardware-based DEP can go a long way to help.
You seem to have been reading my mind lately Jeff. I gave up on anti-virus years ago when I did my own performance checks. I find it endlessly amusing that people will spend another 600 bucks to get a 10% improvement in cpu speed and then they go install an AV program and a software firewall (in addition to their perfectly good router firewall).
Get RAIDed 10k rpm Raptor hard drives and no AV and boot times are nearly bearable.
Wouldn't it be easier/better to have virtual machines for each family member? And inside the VM they are running as standard, non-privileged users?
I'm all for virtual machines, but you can't seriously believe that your family members are going to use a virtual environment inside of a regular one, do you? Just so you could keep them isolated? Seems a bit ridiculous.
Agreed. Is playing games a good idea on a virtual machine? Kids often play heavy games. But lower privileges aren't really a solution either; some anti-cheat software needs admin privileges (lame, I know).
Hasn't anyone heard of a multi boot system or whatever it's called? With something like Partition Magic you can divide your hard drive into partitions, and install a separate windows on each drive. They can't see each other. So you have a clean windows1 with password for mum and dad, and a windows2 for the kids. Kids (like me, i did it often enough..) can mess up whatever they want on their win2, parents don't notice anything :D
MS need to release an OS that has zero backwards compatibility, even if it's just for the MSDN and TechNet crowd for the next few years, and do it soon. Virtualisation will suffice for those old apps, if required.
Another perf boost: turn off Aero and go back to Windows Standard. No more distracting animations, laggy menus and crappy menu highlighting contrast.
Every good IT administrator knows that they need to run users as standard instead of admin. I think 85% or so (Microsoft number) want to run users as Standard instead of Admin. About 15% do. Enough sidebar.
With the IT side of things, antivirus is more of the IT person covering themselves. I work IT, and I will throw a FIT if one of my users isn't running antivirus. I don't run anti-virus myself; it's a waste of resources, as nicely proven by that article. However, if I get a virus, I just blame myself. If a user gets a virus, they blame me. Or, worse yet, they tell my boss to blame me, which ends in a job-losing situation. You really just want to cover all your bases. Even through intensive user education, there's no guarantee that a user won't open an .exe attached to an email. Even if you've been over it a hundred times before, it's still your fault that there wasn't antivirus on the machine.
Running antivirus is of course horrible, horrible, horrible performance degradation. Tons. However, from an entire business perspective, it works out. Machines now are costing less than they were in the past, which is a net savings. The extra horsepower available combined with antivirus software brings them to be about equal. The increase of speed a user would get from not running antivirus (which, sadly, most of them couldn't use anyways) would NOT be more of a financial benefit than the four or five virus-removal helpdesk calls. As much as I couldn't stand to see it on my own machine, the extra 30 seconds of load time every day for a user is validated and justified by the fact that I probably won't have to spend three hours of my day backing up their files and de-virusing their machine. It may sound arrogant, but it just makes good business sense.
And since I'm already being pedantic, the definition of Trojan Horse software is not that it destroys your performance or productivity; the definition is that it's hidden inside something else.
This is from the legend of the Trojan Horse, where soldiers hid inside a big wooden horse so they could get into the city of Troy.
And furthermore, "begs the question" means to presuppose that which one is trying to prove. You mean "raises the question".
I hope that helps, have a nice day.
I don't see how multi-boot helps at all. It may keep your kids from messing up YOUR stuff but they can still mess up their own (forcing you to constantly fix it).
Someone else pointed out that VM's only work for this as long as you treat them basically as readonly. As soon as you start saving your important emails, Word documents, source code, etc. to them it is no longer feasible to just ball them up and throw them away.
The best answer is to use the OS the way it was actually intended to be used. Run as a Limited/Standard user drum continues to beat....
definition [of a Trojan Horse] is that it's hidden inside something else.
Right, the complete destruction of your computer's performance is hidden inside the illusory, incomplete promise of security offered by anti-virus software vendors.
It is hidden. If Symantec told people how much slower their computers would be after installing Norton Internet Security, they'd never let it inside the gates.
(the percentages were definitely wrong, though, so thanks for that correction)
Hey, I'm an engineer at VMware and a fan of your blog. Wanted to say that if you want to see unlimited undo in action, you should check out the new/experimental 'record/replay' feature in Workstation 6.0 (it's in beta right now). You can turn on 'recording' for your virtual machine, and this gives you a continuous checkpoint of all state at the hardware level. You can then return to any previous moment in time exactly by 'replaying' the recording, and then hitting the 'go live' button during the replay at the moment you want to return to. You can also mix snapshots with continuous recording, if you want to checkpoint "known good states" to quickly return to.
As you can imagine, there are a lot of possibilities this opens up, particularly if you were to tie it in to guest level facilities like e.g. Windows System Restore, Windows Update and so forth.
The performance hit is quite serious but you can expect to see that improve as the hardware support for this feature shows up in the future.
An amusing aside is that the performance hit is actually smaller on some older Pentium chips due to peculiarities of the hardware that work out in our favor.
As soon as you start saving your important emails, Word documents, source code, etc. to them it is no longer feasible to just ball them up and throw them away
Well, I have a few thoughts on this
1) use web-based document shares.
2) Have a script that copies the contents of the \User\ folder to a quarantine folder on the host machine before destroying the VM. This is one scenario where you would want to run anti-virus software on demand to give the files a (reasonably) clean bill of health before letting them out of quarantine.
3) Have a script that periodically and silently backs up the \User\ folder to a quarantine folder on the host. That way if something malicious destroys the file, you'll have a 'checkpoint' on the host to roll back to. No need to virus-scan the files at this point, although I guess you could.
Also, there is "Application Virtualization" which unlike full-bore virtual machines only virtualizes away the disk access. Still a pretty decent solution since you can basically undo everything that any application has written to disk, ever, including its installation.
Look under "application virtualization". Just think of it as a magic layer between a particular application (it is per-app) and the disk.
Granted that unlimited undo is available, how can you protect yourself against the mechanism itself being compromised? The idea to throw the compromised state cleanly away is good, but I don't think using that state to undo to a previous, presumably uninfected state will be effective.
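As an added example, not written by the original author or by either commenter: the PowerShell below implements the "copy the \User\ folder to a quarantine folder on the host" idea from the comment above, and answers the follow-up worry about the undo mechanism itself being compromised by writing a SHA-256 manifest beside every checkpoint and verifying the checkpoint against it before anything is restored. It runs on the host, not inside the guest, and assumes the guest's profile is reachable at a path you supply (a shared folder, for example) and that the quarantine root is a host directory the guest cannot write to. The paths in the usage lines are placeholders. robocopy ships with Vista; the hashing uses .NET directly so it needs no newer cmdlets.

```powershell
# Added example (not from the original post or any commenter). Runs on the host.
# Assumptions: $Source is the guest profile as seen from the host (e.g. a shared
# folder) and $Root is a host directory the guest has no write access to.

function Get-Sha256Hex([string]$Path) {
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { [System.BitConverter]::ToString($sha.ComputeHash($stream)) -replace '-', '' }
    finally { $stream.Close() }
}

# Copy the profile into a fresh timestamped folder and write a hash manifest beside it.
function New-Checkpoint([string]$Source, [string]$Root) {
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $dest  = Join-Path $Root $stamp
    # /E copies subdirectories; /XJ skips the junctions Vista places in every profile
    # (following them loops); /COPY:DAT keeps data, attributes and timestamps.
    # robocopy exit codes below 8 all mean success.
    robocopy $Source $dest /E /XJ /COPY:DAT /R:1 /W:1 /NP /NFL /NDL | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }

    $lines = Get-ChildItem -LiteralPath $dest -Recurse |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            '{0}  {1}' -f (Get-Sha256Hex $_.FullName), $_.FullName.Substring($dest.Length + 1)
        }
    $manifest = Join-Path $Root "$stamp.sha256"
    $lines | Set-Content -LiteralPath $manifest -Encoding UTF8
    $stamp
}

# Before restoring, prove the checkpoint still matches the manifest taken when it was made.
# Returns the relative paths that are missing or changed; no output means intact.
function Test-Checkpoint([string]$Root, [string]$Stamp) {
    $dest = Join-Path $Root $Stamp
    $bad  = @()
    foreach ($line in Get-Content -LiteralPath (Join-Path $Root "$Stamp.sha256")) {
        $hash, $rel = $line -split '  ', 2
        $file = Join-Path $dest $rel
        if (-not (Test-Path -LiteralPath $file) -or (Get-Sha256Hex $file) -ne $hash) {
            $bad += $rel
        }
    }
    $bad
}

# Usage (placeholder paths):
# $stamp = New-Checkpoint -Source 'Z:\Users\standarduser' -Root 'D:\Quarantine'
# Test-Checkpoint -Root 'D:\Quarantine' -Stamp $stamp      # expect no output
```

Two caveats follow from the comment this answers. The manifest only proves the checkpoint has not changed since it was taken; a checkpoint made after an infection faithfully preserves the infection, which is why you keep several and scan the quarantine on demand before letting files back out, as the earlier comment suggests. And the manifest is only as trustworthy as the host it sits on: if the guest can write to the quarantine root, or the host itself is compromised, both copy and manifest can be rewritten together, so keep a copy of the .sha256 files somewhere the guest cannot reach at all.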
it just makes good business sense
Maybe. You present a compelling argument. But we're still spinning our wheels treating the symptom and not the disease. The status quo /has/ to change.
Antivirus brinksmanship is just a digital form of endlessly chasing our tails.
And I don't like being sold fear.
I honestly didn't think that ZoneAlarm slowed down my pc that much, at least not to noticeable levels. However, I'm not using version 7 of the engine - which version were you using as apparently they aren't using the same anti virus engine at all? I don't think the latest version supports Vista yet.
Two things made the difference for me:
1) Router firewall: block ports 135 and 445.
I still run AVG and Spybot but it has been a long time since they have detected anything.
I never run any anti-virus software either, and the only time ever I got a virus was when a roommate got a little insecure and had to read one of THOSE emails, and run the attachment.
However, I'm not sure using virtual machines or backups or anything like that really solves the problem. Viruses by nature attempt to corrupt the system, so even in a VM it will try to do that. If your VM has access to your data drive, the virus will end up on that drive waiting for the chance to break everything. If you backup before you notice the virus, the virus can go with it and destroy your backups.
Mac/Linux users don't worry about antivirus because they don't have to, for the most part. They'll probably have to some day, but right now most virus writers just don't care to write viruses for those systems. You can talk all you want about how secure those OS's are, but users are the weak point in any system.
You mention in "The Power of Defaults":
"For most users, the default value is the only value. Your choice of default values will have a profound impact on how your application is used."
That's why your friends don't turn off all the new security features in Vista.
Vista IS slower than XP "BY DEFAULT"...
Evidently XP doesn't include ANY security software. That's "the reason" for the lack of performance in Vista. Well, that AND all the D.R.M. crap (it IS).
Why is there no Kaspersky in the benchmark? It's by far the best anti-virus I have used (I've used ALL of the ones mentioned above).
Great article as usual.
I agree. I've been saying for a long time to many of my associates - if you're a sensible enough person, if you can recognise some of the (not very subtle) signs of a potential virus, etc, and if you run on a standard user account, and not as an administrator, you're fine.
At least, you're fine enough.
I'm happy to sacrifice my largely imagined protection from viruses that I get with virus software and subscriptions for speed. You know, speed. The thing that lets you use your computer and get work done.
The day will come when someone produces the necessary analytics software for the masses. It will be Task Manager on steroids. It will be the sunlight we need.
It will tell you what activities -- services, apps, etc -- are consuming disk, CPU, bandwidth
It will combine strong knowledge of what the governing process is. Right now if I want to know what AluSchedulerSvc.exe is, I have to Google it. But this app will know, and it will know that these 5 other services and this running process actually all run for the benefit of this app (Norton LiveUpdate, the pig), and it will be able to tell the user that.
Maybe it's already written; if so I'd love to know about it.
But when it goes mass-market, the cost of anti-virus, and the cost of too many other poorly written memory-resident apps, will hit everyone's radar screen.
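As an added example, not from the original post or the comment above: a first cut at the tool the comment is asking for. It attributes every running process to the vendor stamped in its executable, rolls up CPU seconds and cumulative disk bytes per vendor, and shows which services each process is hosting, so a svchost.exe or a vendor's updater service is no longer anonymous. It assumes PowerShell 2.0 or later and should be run elevated so that Get-Process can read other users' executables; anything it still cannot read is attributed to "(unknown)".

```powershell
# Added example (not from the original post). Run elevated for full coverage.

# Which service names live inside which process (one svchost.exe hosts many).
$svcByPid = @{}
foreach ($svc in Get-WmiObject Win32_Service -Filter "State='Running'") {
    $svcByPid[[int]$svc.ProcessId] += @($svc.Name)
}

# Cumulative bytes read plus written by each process since it started.
$diskByPid = @{}
foreach ($proc in Get-WmiObject Win32_Process) {
    $diskByPid[[int]$proc.ProcessId] = [uint64]$proc.ReadTransferCount + [uint64]$proc.WriteTransferCount
}

# One row per process: vendor, CPU seconds, disk MB, hosted services.
$rows = foreach ($p in Get-Process) {
    $company = if ($p.Company) { $p.Company } else { '(unknown)' }   # blank when access is denied
    $cpu     = if ($p.CPU)     { [math]::Round($p.CPU, 1) } else { 0 }
    $disk    = if ($diskByPid.ContainsKey($p.Id)) { [math]::Round($diskByPid[$p.Id] / 1MB, 1) } else { 0 }
    New-Object PSObject -Property @{
        Company  = $company
        Process  = $p.Name
        Id       = $p.Id
        CpuSec   = $cpu
        DiskMB   = $disk
        Services = ($svcByPid[$p.Id] -join ',')
    }
}

# Roll up by vendor so a suite split across five processes shows as one line.
$rows | Group-Object Company | ForEach-Object {
    New-Object PSObject -Property @{
        Company   = $_.Name
        Processes = $_.Count
        CpuSec    = ($_.Group | Measure-Object CpuSec -Sum).Sum
        DiskMB    = ($_.Group | Measure-Object DiskMB -Sum).Sum
        Services  = (($_.Group | ForEach-Object { $_.Services } | Where-Object { $_ }) -join ';')
    }
} | Sort-Object DiskMB -Descending |
    Format-Table Company, Processes, CpuSec, DiskMB, Services -AutoSize
```

The disk column is a lifetime total per process rather than a rate, which is exactly what you want for the question the comment raises: run it after an hour of normal use and the vendor whose processes have moved the most bytes is the one taxing the disk, whatever their individual process names happen to be.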
I have about 6 Windows installations as Parallels images. If I install something, I create a copy before and after the installation. If something goes wrong, I just go back to whenever stuff was still working.
I think it totally depends on what you do with your computer, when I was back in University and had no money I had to download certain "tools" from untrusted sources (or do without). I recently switched to AVG because I was sick of all the extra crap that Norton tries to do and it found some viruses in those old archived files that Norton has missed for years.
Now that I've been out in the work force for a few years if I need something I buy it from a trusted source so I don't have as high a risk anymore but working as a software developer I regularly need access to areas and files on my system that would be restricted to a "Power User".
Hey, dunno if you've probably already all seen this, but I find it hilarious:
'How to install Vista'
On a slightly unrelated note, I wanted to try out Vista on my main desktop machine but it turns out that my Motherboard manufacturer is behind on getting those drivers out. I would think that DFI would be a little faster since it caters to the DIY market of PC Geeks (DFI LanParty NF4 SLI-DR).
I'm also running RAID 0 (and I know the risks which is why I have a rigorous back up routine between internal hard drives, my two other computers and two external hard drives) and I couldn't find drivers for Vista for that either (it didn't like the ones on the floppy that came with the drives and of course no help from DFI either).
I couldn't agree more. I have been running as a Limited User on XP for years without any antivirus software and I couldn't be happier. I simply scan my computer with an online virus scanner every couple of weeks. The one thing I will say is that you really should have antivirus software that simply scans emails. My biggest fear is that I will get a virus in an email and pass it along to someone else (even though it doesn't harm my computer). I can't afford to have that happen when I have clients counting on me. So you don't need full blown antivirus protection all the time. Just email protection.
I also couldn't agree more on the idea that Microsoft has really blown it with Vista. They needed to FORCE people to run as standard users. The time has come to educate the masses. Instead, even so-called "computer experts" aren't getting the message. How many times have you read articles by "experts" claiming that UAC is worthless because users will just learn to click "ok" and ignore it? Well this tells you that they are obviously still running as administrators because if you are running as a standard user you have to enter your username AND password. Not just click OK. So it just shows that Microsoft is obviously not doing enough.
Here are some thoughts on what could have been done.
1) Force the user to create an admin AND a standard user account during install. Give ample information as to what each account is for.
2) Do NOT show admin accounts on the login screen. Instead, have a link that takes you to a separate page called "Admin Accounts". On that page put a big warning about what those accounts are used for. Only standard accounts show on the login page by default.
3) When you log in with an admin account, pop up a big warning message that must be cleared EACH time (no checkbox saying "don't show this message again"). Inform the user that the account is only for administering the computer.
4) Allow all of these settings to be overridden using group policy so that people installing servers/appliances or who REALLY know what they are doing can use the computer the way they want to.
Until Microsoft FORCES its users to run in a safe manner we simply won't be able to get rid of things like UAC for administrators.
As a side note, UAC is great for standard users. It is the feature that makes running as a standard user so painless. I just wish that you could turn off UAC on a per user basis. I would turn it off for the Admin account (which I rarely have to log in to) and turn it on for the standard user accounts.
Finally... "But shouldn't new operating systems perform better than old ones? " implies that Vista should be faster than DOS. Hmmm....
Real-time antivirus software on client machines is for the birds.
Antivirus software on mail servers is essential. Even if you read your mail on Linux, you can be overwhelmed with the bulk of computer viruses during a virus crisis. The world hasn't had a serious virus outbreak for the last few years, but back in the age of MYDOOM and NETSKY, I had addresses that would get upwards of 50,000 messages a day.
I do like Windows Defender. I've found that most Windows machines in real life do have several kinds of malware on them, and Windows Defender does do a good job of removing them.
Windows XP made a good deal of progress towards making it possible to work as a non-admin user. It's sad that Microsoft didn't bite the bullet and move closer to the Unix model.
Alas: Microsoft copied the idea of symbolic links from Unix, which could have been a great boon to Windows administrators everywhere. Unfortunately, the user-space in Windows can't cope with them -- deleting a symbolic link from Windows Explorer or with the DEL command deletes the original file.
Microsoft seems to be as bad at copying ideas from the Unix world as the Unix world is at copying ideas from Microsoft.
I seem to have gotten a lot better performance using Symantec Antivirus (the SMB version). It provides significant control over the real-time scanning and lets me push out common settings to all machines. I turn scanning off for my development and VM partitions to improve performance and limit all real-time scanning to "scan on create" so every file read is not scanned. Email is scanned in and out so I feel pretty good that I've got the borders protected. It does do a memory scan on boot which definitely extends boot time, but that can be turned off. I let it run a full scan weekly, but even when I do use the computer then it's not really that bad. (This may be hardware too: dual core, 10k drive.) So far the price and renewal of a 5 machine license has seemed reasonable.
Egads! No anti-virus software? No anti-spyware software? And you rationalize that by saying you'll just tear off a new sheet of paper towel and start fresh? Well, great. Without that software, how are you going to know your hands are dirty and you need a new piece of paper towel? You'll have to observe some change in system behavior. What happens if that "change" is your bank accounts are empty because somehow you got a keystroke logger on your system yesterday just before visiting your bank? What if the "change" is that your customers start calling up asking why THEIR bank accounts are empty after installing your freshly compiled and shipped software which contains the same keystroke logger?
You've got to have some kind of software to notify you of bad behavior caused by malware as soon as it manifests. My personal preference is for software that notifies me of malware as it enters the system. Right now, I'm using OneCare on Vista. Unlike most of those other pieces of software you mentioned, OneCare doesn't scan stuff as it enters the system. It either waits for the malware to activate, or it waits for its system-wide tune-up. Then it catches the bad stuff. I don't quite like that method, but it's acceptable. And, it sure beats eye-balling your system behavior as a metric of infection.
I've never run any anti-virus software
Dude, I'm glad I'm not the only one :-}. I mentioned in passing that I've never run AV software while I was talking to a Security MVP at a conference and I swear to god the guy started screaming at me at the top of his lungs going on about rootkits and trojans.
Like you I've never had a problem that would have been solved by AV software. Yeah, I've had IE eat s*it once in my 20 years of PC use, but I hardly call that worth a reason. I hate AV software with a passion - besides the tremendous performance drain it often mysteriously can screw up all sorts of other applications by deleting files on the fly, blocking ports even when configured not to. I have customers whom I support and good 50% of the weird problems reported are due to malbehaved AV software.
Hey, it runs in American Society. It's the American way of life to be paranoid and fear the walls of your own home. After all Big Brother is watching, n'est-ce pas? The more paranoid we 'feel' the more money the security vendors make. Remember Norton Utilities? Whatever happened to the tools stuff they made? They figured out there's way more money in paranoia...
Dave A.: I think you are jumping the gun a bit.
#1: Use of a good firewall (I use Tiny Firewall) will tell you when a program runs that doesn't have a hash it recognizes, and will ask you if you want to run it and if you want to trust it.
#2: If you get infected with a program that steals account information like that, chances are it's cutting edge and won't be detected by antispy/mal/virus anyway.
The important bit is that you don't let programs freely access the internet. The most secure way IMO is deny all/allow some, not the other way around.
My setup uses Tiny Firewall (which I think got bought out, lame.), Sysinternals Process Explorer and TCPView, Firefox w/ Adblock Plus, and Gmail. I just don't get viruses or malware.
But shouldn't new operating systems perform better than old ones?
Has that ever been the case? At best, any performance improvements offset slowness added by new features.
I've never run any anti-virus software.
I've only just started running AV at home - and only to protect myself from my company's virus infected network when I VPN in. ;)
I've been saying this very thing about anti-virus software for years and am in total agreement with Dan's post. I also use an older version of Tiny Firewall (before it got bought out and spammed up), block all access and set exceptions where needed. I run a basic anti-virus check online at McAfee once every six months, use Ad-Aware once a month and in all my years in front of a Windows computer have not ever caught a single virus.
The worst thing is convincing people that Norton and the like is not a good idea and that it actually massively degrades your machine's performance and is an absolute nightmare to configure and uninstall (like AOL in fact).
Here's my two cents. I'm sick and tired of everyone trying to tell Micro$oft what to do. People need to realize that these products are not designed and released specifically for "you". Microsoft has to cater to billions of people around the world, and that means that they have to find a common ground for every feature of their OS. If you don't like what they're doing, or specific features they've included, find another operating system (there are plenty to choose from). Security vulnerabilities exist in every OS and they always will. Microsoft controls the majority of the user market, which is the reason they are targeted more often.
It's not up to Microsoft to force a user to do anything. Just like it's not up to anyone else to tell me not to smoke, or to tell the fat guy over there to not have that second doughnut. Don't get me wrong, I am in no way condoning what they've done with their new OS; in fact, the thing that irritates me the most is Microsoft telling me what my computer can, and cannot, do. You want a safer computer, then set up a non-admin account yourself, but don't force me to use a user account that is useless to me. Let me decide how I want to run my computer. And if anyone wants to argue that the average user doesn't know anything about security, well then it's time they become proactive and do some research. What are they gonna do if they get a flat tire out in the middle of nowhere and can't get a signal on their cell phone? They better learn how to change a flat real quick. Quit being lazy and expecting people to do things for you. Google isn't that hard to use, so use it. You don't want a virus or spyware, then don't open that email that claims to have nudey pictures of Britney Spears, and don't click on that porn ad.
As far as anti-virus software goes, of course you're going to take a performance hit. If you think you're safe just because you can use System Restore to recover those corrupt system files, think again. Some viruses are capable of corrupting files contained in the System Restore folders. It may not have happened the last time, or today, or tomorrow, but it will one day. Think one AV software is better than the other? Well then you're wrong again. Different AV software may detect viruses that others won't, and vice versa. No one AV software will ALWAYS detect everything, no matter what they may claim. Sure, one may run faster than the other, and detect more viruses more often than another, but there will always be that one time when one virus is left dangling in your system32 folder. If you don't want to run AV software, well then that's fine too, but don't think that you're not vulnerable to losing everything on your computer because you run an online virus scan once every couple of weeks. Who are you to tell Joe Blow over there that he doesn't need to run AV software, because you don't know what his surfing habits are. And if you're using a separate backup, well then kudos to you because you're in the small percentage that do.
To the System Administrators out there, if you don't have some sort of virus protection on your network because "it slows things down", then I must tell you that you're a fool. People can flame me all they want, but it only takes one idiot to open that email from the hacker in Thailand and you may never see daylight again because you're too busy trying to remove the viruses from every computer in the office. Don't want to run AV on the computers themselves? Then put it on the router separating your LAN from the rest of the world, but have something or you're just asking for it.
Well my venting is over, let the flaming begin!!!
(I like the name. Sometimes quote-success-unquote is truly Worse Than Failure - with failure you have to do it over again better. With "success" you have to live with all the problems, because why would the company spend time fixing something that works?)
Very informative discussion - I think I need to tweak some settings when I get home...
*looks at post*
*looks at Firefox tabs*
*reaches for more coffee*
Apologies to all.
And why, after reading the investigation results, did you only comment on the Norton Internet Security 2006 row?
From your table, my conclusion is:
Perfect! I'll just use AVG Free, which does a good job with minimum performance issues.
Why risk a system restore, when a decent antivirus can scan my mail and system files without hogging the system?
Bro, you forgot about Kaspersky. It's by far the best right now. Runs only 1 process and the detection % is quite high. Ask CNET, they reviewed it and it's "By Far".
I used to think the VM solution was an answer. Before that I was even looking at write-protected flash memory that boots then creates, loads, and transfers control to a RAM drive (a stripped Win95 as a guinea pig). Usable for browsing and as a terminal client but that's about it.
The problem is neither of these work unless you never persist ANYTHING. Sooner or later your "data" partition (even a NAS share) will get infected. Rolling back to a "clean VM" is no help unless you trash all of your data outside (as well as inside) the VM.
So far the safest technique seems to be to locate machines behind a simple NAT device that doesn't have known exploits, run something lightweight like AVG, delete all spam unread, browse with the highest security settings available, explicitly request a scan of anything downloaded before using it, and run with a normal user account whenever possible. Running Defender as well probably makes sense... though pretty soon we're right back where we were performance-wise.
Good post, but I still run W2K as I couldn't stomach XP.
You didn't list AntiVir, which I like a lot. Before I bought a router I would get the Code Red (?) virus regularly because I have IIS 5 installed.
When I moved and my cable company came over to hook me up, I asked if I should install my router first and they said "no, we have anti-virus software". Well, after they left I found I had a nasty one, caught by AntiVir.
A router, Spybot (which catches stuff each time I run it), AntiVir, PestPatrol, Firefox and I have a very snappy machine with no re-installs in almost 2 years and hardly ever an issue.
John Pirie: There is a pretty good process-based performance monitor built in to Vista. Open up task manager, click the Performance tab, and click the "Resource Monitor" button.
However, do NOT follow these steps if you're a non-admin user with UAC disabled. Task manager will go into a loop of restarting itself over and over as fast as possible and you won't be able to stop it without rebooting.
Silly rabbit, dual core processors and gigs of ram is not for gaming, it is for that antivirus suite.
Here's the thing, and I speak as a man that has used Mac (7,8,9,X.1,X.4), Linux (too many distros to list) and Windows (98SE, 2000,XP)... Anti-Virus software is only necessary if you're a dumb-ass. Those same SysAdmins that look at you mouth agape also secretly harbor the opinion that you're a knuckle-dragging moron that will click on every banner, download from every prompt and install every open-ended malicious piece of software you can get your mitts upon.
And if they're a typical user who doesn't understand safety, well, they're probably correct. Not that they mean to be that way, it just happens through lack of education. But if you've got a good knowledge of your system, understand what you're downloading and from whence it comes, you're pretty safe. If you're unsure, run a virus scan pre-install and post-install. No need to have constant vigilance if you're not installing some crappy new thing or another every single day.
I keep a copy of AVG Free 7.1, which I almost never allow to run its automatic scan. I know what I've installed on my system, I know what's malicious and what isn't. If it's malicious, I avoid it. I use a closed browser, FireFox, with additional security measures added into the mix. I avoid file-sharing, gray-area downloads and the like. I don't have virii on my computer simply because I don't let them into my system. GMail protects my email (and it being web-based means I have access to it anywhere, any time, and as long as I'm using FireFox, I'm basically secure).
Most users, however, aren't educated. I educated my parents: time and again I told them "If you aren't sure, ask me. If you are sure, ask me. If you're 100% positive, just ask me." Then I explained. After awhile, they stopped needing to ask me. As far as I know, they never get viruses anymore. Of course, I pounded the basics into their head early. AVG, SpyBot, Ad-Aware, HijackThis. I make them install HijackThis, but they still have me look the list over before they disable anything.
Frankly, an informed user is a safe user. The only thing you really need is a simple firewall, because DoS attacks are just /so/ 1993.
I'd love to run without anti-virus and anti-spyware, but children (especially teenagers) are incredibly adept at filling any PC with trojans and viruses in a matter of minutes. They even know how to bypass most internet filter software. I sometimes think children are viruses!
Jimbo, set up their computer as a non-admin and your troubles will simply disappear. That is the main message in this blog post. But it seems to be lost on so many users and so-called "experts".
Quit running as admins. Quit making excuses. After that, if you feel more comfortable using antivirus software as well, then do so.
Matt - you're assuming the children have their own computer! Back in the real world, there's one family PC and its needs are too varied to have a single non-admin user. I tried the multiple XP users approach, and that was an appalling experience - I was forever trying to find lost homework for the kids!
I'm a developer, not a net admin, so the easiest of several approaches has been to protect the PC to the hilt (minus on-access scan), then turn it all off when I get a chance to play with it! :D
Jeff, are you running normally from an admin account, yourself? It sounds like you are. Because you suggest to turn off UAC, and if you run as a standard user, isn't UAC effectively just a convenience allowing you to do admin-ish things without having to explicitly switch users over to the admin account? (That's how I think it works, anyway, on my system. Otherwise, if a standard account could do admin-ish things without UAC and entering the password, it would essentially be an admin account.)
If you don't run from a standard account, why do you expect everyone else to?
sometimes you have to protect your PC from your own family!
Wouldn't it be easier/better to have virtual machines for each family member? And inside the VM they are running as standard, non-privileged users?
The only risk in a VM is that any local data/content you've created would be lost or compromised in some way.
Something weird with your site, though: I can't seem to select a single comment to copy. Just clicking and trying to select a comment selects all the comments from the top and not just the one I'm interested in. I was trying to copy a link from one of the comments when I noticed this.
Thanks for your blog. I enjoy it tremendously.
Sixteen times slower than what?
The second I can achieve 60fps in Supreme Commander under VMware, I'm virtualizing. Until then... I'll take my chances.
Why is educating people seen as anathema?
Sometimes I love Mac OS X. ;)
Oh, but I don't use AV/S software on my Parallels Windows XP images.
Copy, paste, run, thrash. :)
What I don't get is how come there's SOOO much difference between Bloarton Antivirus and AVG. Is the latter *not* doing anything?
"Wouldn't it be easier/better to have virtual machines for each family member?"
I don't know how VMWare works, but, in my experience, Virtual PC 2007 from Microsoft is much slower than running on the real machine (even using the Core 2 Duo's virtualization capability). If you're worried about the performance hit of running malware-protection software, then VPC seems to be out of the running. Also, VPC is limited to, I believe, 16 bit graphics and has no USB support (i.e., in all probability, no printing or scanning). From some of the comments I've seen, it looks like network data flow isn't very smooth through the VPC, either.
To paraphrase from your RAID 0 blog entry, is it worth greatly increasing your risk for the sake of a small increase in speed?
Also, I have BIG problems with the methodology used to come up with the performance hits in the test you mentioned. The author of the test talks about it quite a bit. But, the fact is, he's running those tests in a VPC. Plus, the VPC is limited to just one of his CPU cores and just 512MB of RAM. Dollars to donuts, if he ran those tests on the actual hardware (dual core AMD 64 X2 4800+ and 2GB RAM), I'd bet his performance hits would have been an order of magnitude smaller.
Wouldn't it be easier/better to have virtual machines for each family member? And inside the VM they are running as standard, non-privileged users?
I'm all for virtual machines, but you can't seriously believe that your family members are going to use a virtual environment inside of a regular one, do you? Just so you could keep them isolated? Seems a bit ridiculous.
Jimbo, I'm not assuming that there is an account defined for each person using the machine. I am assuming that you would create two users:
Admin - The administrative account that only you login to. You obviously only use this for administering the machine.
User - a Limited User account that everyone logs into to use the computer.
I've been doing this for years and the pain level is actually much lower than trying to keep your kids from messing up your machine. I've even done this on Win 2000 for my in-laws! I used to get calls from them about every two weeks for some crazy computer problem related to them going to bad web sites. After setting them up with a limited user account I haven't had to fix a thing in 3 years!
So please don't give me excuses. It can easily be done and you will be much happier for it. It irks me when computer professionals take the easy way out simply because they aren't willing to take the time to learn.
Go here, read up, and never have to fix your kid's mistakes ever again. And don't take it personally. I will continue to beat this drum until every computer professional gets on board.
On a more development-related note, it is important to keep at least one copy of Vista in a VM that has all those options left at their defaults. I don't know how many times I've heard fellow developers say, "but it works on my machine". The two biggest issues I see are:
1. Developers never testing their software with a non-admin account.
2. Developers never testing with a software firewall that has an "ask first" policy of whitelisting applications. I don't know how many times I've hit a dialog that is supposed to hit the internet and it fails because a firewall is prompting the user to allow or block. No "Retry" button, just an ugly, unhelpful error.
One more thing I always disabled on XP was System Restore. All it did was take up time and space and I never once had an occasion to use it.
Again, after having read the article Jeff referenced for those test results, all the test really shows is that you can't really multi-task in XP with only 512MB RAM and one CPU. Especially if one of the tasks is heavily hitting the hardware. Double-especially when the hardware is virtualized.
512mb is a TON of memory for XP, even for heavy multitasking (several apps active) and anti-virus. Don't forget that XP was released in 2001, when 512mb was a pretty substantially large amount of memory to have in a PC.
I use Visual Studio 2005 in virtual machines running XP all the time and it's fine even with 128mb, though 192mb is a bit roomier.
But yes, virtualization is particularly brutal on disk perf. Which means running anti-virus under a VM-- one of the most disk intensive apps out there-- would be quite painful.
At any rate, I have total confidence in the scientific method used in Oli's tests. He has a baseline number reflecting benchmarks without any software installed, and then differential numbers reflecting benchmark results with (x) software running. The absolute difference might be smaller on physical hardware, but the relative scale of the perf difference should be the same.
Thanks for the link, Jeff and thanks for standing up for my figures.
I did try to perform them in the best possible way, but without having to wipe and reinstall Windows 100-odd times. The VM was the only way to do that.
There are obviously going to be bottlenecks that rear their heads in the VM that a native OS wouldn't see -- but the comparisons are just a guide. If anything this should really be used as an av-vs-av rather than an av-vs-nothing study if you want to take direct comparisons but either way, I stick with what I say and "go commando".
A sharp eye and some common sense is my antivirus.
Great post Jeff.
I run Avast Home and was not aware of the 115% I/O delay. I will definitely look over my options again now when my eyes are open. In the case of Avast it should be easy to turn off the "on access scan" when I'm doing the heavy tasks of gaming (and letting it be on when the rest of the family is using the computer).
To clarify one point: I am not proposing that everyone immediately stop running anti-virus software just because I said so. If only I had that kind of power..
I just want users to understand exactly how severe the performance penalty is when you *do* choose to run anti-virus software.
As David Sokol so aptly pointed out, sometimes this is a reasonable tradeoff. But I'd still like to see it get fixed in the OS first; there's a reason Linux and Mac users almost never *need* to run anti-virus software.
It is extremely important to point out that your two benchmark sources, TomsHardware and Anandtech, publish benchmarks with an eye toward gaming (rightly so, since this is where any performance impact will be felt most severely).
What people are forgetting is we experienced the exact same sort of performance penalty with WinXP when it was released. People were disappointed to find their games ran slower than on Win98. But as better drivers emerged and (more importantly) applications were OPTIMIZED for XP instead of Windows 98, XP became known as a fantastic performing platform in a very short amount of time.
In 9 months, nobody will be complaining about Vista's performance.
Jeff the difference between backups and VMs are that a VM is typically a copy of the current state of your machine, where a backup is a collective copy of individual files that make up your machine. If you are infected and you don't know when you got infected you should need the ability to incrementally go back and find a VM that isn't infected anymore and that copy may not have the file you want that was in another copy.
VM's are great sandbox tools, the ability to do stuff and get it so messed up that you can easily restore a safe image and start again.
As for not running any Anti-Virus software at all: that's making the assumption that "you" will be the only one that is allowing your machine to get infected. There is this little thing called the OS that on its own allows things to exploit it and get infected.
Take this, albeit far-fetched, thought for example. Let's say I was able to hack into or work at a DVR company (like Tivo) and insert a virus/trojan into the next OS of the DVR. Your DVR connects up to the mothership, downloads its marching orders and then spends all day behind your firewall trying to hack your PC or futuristic toaster, since you leave both plugged in and/or on all day. So you come home and the only thing you immediately notice is that only half your heating coils work in your toaster. Then weeks or months later, your system eats itself. Then what?
I totally agree that Anti-Virus software is the biggest plight on performance that I have ever seen. However when I am doing things that require all my system resources (like gaming), I just temporarily disable the anti-virus software... And the sidebar, and windows defender.. and the firewall... and Windows Update... etc
But when an OS is not a security threat, and it's left solely up to the user to be a good citizen, then I will be right there with you with my 'user' security, no anti-virus and my firewire5000 backups.
I agree with Jeff -
1) Disable those 4 things they are either slow or annoying as hell.
2) Set yourself up to be a 'user' by default and use the 'administrator' when you need it.
3) Get a good anti-virus like Kaspersky.
4) Listen to what your "performance score is" as you could be running the wrong speed of RAM, running on 4500 RPM hard drive, etc.
Do those things and you should have a very good Vista experience.
That's why I install AVG on my home computer... and used to on any family's computers that didn't have anything. It wasn't the best, but it would usually just work and didn't slow them down so much they would complain about it...
Also, Kaspersky is light and it is the most effective:
Finally someone else besides me spoke out against the use of AV software.
Once upon a time I bought Norton System Works and the performance drain was atrocious. In the days when 300Mhz processors and 32Mb of ram were considered top of the line, I would be relegated to a 5 minute boot. I removed it from my system and never looked back. It has been nearly 10 years since I have used AV software and I refuse to use it.
Email comes from an AV scanned provider, firewall setup on my modem and router, default deny all traffic ... I will tell it what is acceptable.
In today's computing world we are informed that we need a 3Ghz processor and 2Gb of ram .. but when you remove all of the extraneous bloat that users are brainwashed into believing they need, system requirements are significantly reduced. I have found that, even with "sub-par" hardware, you can achieve a perfectly acceptable level of performance by turning off all of those programs that start when you boot.
Take a look in your startup folder at what is loaded when you start your computer, look at all the icons in the systray .. that stuff is what kills performance.
Run the msconfig utility and see what is running at startup .. and .. if you are really brave, just take a look at the services (Start-Run-services.msc) that are currently running, enabled, and set to automatic startup. Those are your performance killers ...
Practice safe computing, turn off auto preview in email clients, don't open attachments, and for crying out loud .. don't download and install that latest waaaayyyyy cooool screensaver ... you will be paying for it later with tons of spyware, malware and reduced system performance.
Keep up the campaign Jeff ... I am here for you!
Best anti-virus ever? Installing windows on D: instead of C: ;-)
@EnricoG: What about %winroot%\system32\
Ryan posted the following link
AOL uses Kaspersky, so I am glad to see they got the same score. But it's funny they tested different versions.
1. Kaspersky version 184.108.40.2063 - 99.62%
2. Active Virus Shield by AOL version 220.127.116.119 - 99.62%
I think we need a different approach to virus testing.
We need a reliable record of what files have been modified. Any file which is modified (or is new, thus never scanned) gets scanned before being allowed to run. Once a file has been approved then it runs the next time without being scanned.
The AV program would keep its own list of approved files. This would have to be somehow tamper-proof, as would the detection of files that have been written. Support for this would probably have to be written into the heart of the OS.
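Loren's proposal above, sketched as an added Python example (not code from the page or from any AV product): a scan-result cache keyed by file path and a SHA-256 of the file contents, so a file is scanned when it is new or its contents have changed and is allowed without rescanning otherwise. The scanner, the marker byte string it looks for and the sample files are all constructed for the demonstration; a real implementation would plug in an actual detection engine.

```python
import hashlib
import os
import tempfile

# Constructed marker standing in for a malware signature (assumption for this
# example); a real scanner would use its own detection logic here.
BAD_MARKER = b"CONSTRUCTED-MALWARE-MARKER"


def file_digest(path):
    """SHA-256 of the file contents: the 'reliable record' of what has changed."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def toy_scanner(path):
    """Stand-in scanner: returns True (clean) unless the marker appears."""
    with open(path, "rb") as f:
        return BAD_MARKER not in f.read()


class ApprovalCache:
    """Scan a file before it runs, but only if it is new or modified."""

    def __init__(self, scanner):
        self.scanner = scanner
        self.approved = {}  # path -> digest of the contents approved earlier
        self.scans = 0      # how many full scans were actually performed

    def check(self, path):
        digest = file_digest(path)
        if self.approved.get(path) == digest:
            # Same bytes as when we approved it: no rescan needed.
            return "allowed (cached)"
        self.scans += 1
        if self.scanner(path):
            self.approved[path] = digest
            return "allowed (scanned)"
        # Never keep a stale approval for a file that now fails the scan.
        self.approved.pop(path, None)
        return "blocked"


def demo():
    """Constructed walk-through; returns (outcomes, number of scans run)."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "app.exe")
        bad = os.path.join(d, "screensaver.exe")
        with open(good, "wb") as f:
            f.write(b"MZ harmless program bytes")
        with open(bad, "wb") as f:
            f.write(b"MZ " + BAD_MARKER)

        cache = ApprovalCache(toy_scanner)
        results = []
        results.append(cache.check(good))  # new file: scanned
        results.append(cache.check(good))  # unchanged: cache hit, no scan
        with open(good, "ab") as f:
            f.write(b" modified")           # contents change...
        results.append(cache.check(good))  # ...so it is scanned again
        results.append(cache.check(bad))   # infected file: blocked
        return results, cache.scans


if __name__ == "__main__":
    for outcome in demo()[0]:
        print(outcome)
```

The content hash is what makes the approval list self-invalidating: a modified file no longer matches its recorded digest, so it is scanned again rather than waved through on the strength of an old approval. What the example does not solve is the part Loren flags as needing OS support: if code running with the user's privileges can rewrite the approval list (here a plain dictionary; on disk it would be a file), the cache is worthless, so in practice it would have to live somewhere the scanned programs cannot write.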
Loren, instead of that, some software, such as Avira Antivir, can scan files only on write. (And only those with a given format, normally.)
And I'm pretty sure there is actually something like the tripwire+av that you mention, I just can't think of any offhand.
As for only marking files as executable, that wouldn't defend against the worst current threats: Exploiting buffer overflows in running software (fortunately partly fixed by NX), and spyware installed alongside legit software, at which point you gave it full permissions to own you and mark whatever it wants executable for later. Cute!
Jeff, you speak a lot about virtualization and recently mentioned in your reply that Microsoft should embrace it. I could've sworn they quietly bought out a company that produced emulators awhile back. I could be mistaken.
But what does amuse me is that what you're essentially talking about is what OS X had in the earlier implementations: the Classic Layer. I'm not going to go into exhaustive detail, but it strikes me as amusing that what you see as a solution is one that was seen by Apple awhile back.
Classic Layer is still available for OS X, but if you know what you're doing you've already either found the OS X version of the app or an OS X implementation by a later vendor.
I think without the Classic Layer, OS X would've fallen flat on its face. OS X abandoned OS 9's conventions in favor of a more intelligent design, but even Apple knew that if they didn't do it, they'd be hosed.
It's not the first time Apple has shown themselves to be cunning in this regard. Awhile back they converted from Motorola 680x0 processors to PowerPC processors. But they kept compatibility for 680x0 apps in PowerPC implementations and even made it possible to compile a single app into a Fat Binary, which would allow you to compile once and deploy to both. It was woefully bloated if you made them into one, but it was a better solution than trying to run two separate downloads.
Frankly, if Vista does dump so much backwards support, you're barking up the right tree.
I don't see why running the entire OS in a virtualized machine would have zero performance problems compared to anti-viruses, if it provided some sort of data protection. Sounds like magic thinking.
Also I don't think that trashing Windows and starting anew makes sense; that's like throwing your desk away, drawers and all, because you dropped ink on one book on top of it. You never know what you're going to lose, what you're going to roll back to.
Oh, and to the poster who thinks Apple's Classic Layer is such an amazing invention: Microsoft did the same thing years before with the WOW subsystem for Windows 16-bit applications, and of course, what do you think the DOS virtual machine was in 16-bit Windows? In fact NT has had support for sub-systems in general, including POSIX and an OS/2 1.x compatibility sub-system. In Win64 there is a break in compatibility with Win32 stuff to some extent; that's the jump that Microsoft is using to start a few things anew.
Rick Strahl, some small percentage of the world is capable of not running AV software and getting by, but most people should as they do not have your skill level. That said, most AV software is not so good. Certainly Norton is a pile of crap.
As to speaking against "American Society" and its paranoia, please let us native Americans handle that, and you can deal with your country's paranoia, e.g., making it an illegal and jailable offence to question certain aspects of your country's history in the 1940s.
Great article! Like you, I don't run ANY anti-virus nor anti-malware software other than the non-resource-hogging app SpywareBlaster. That said, the hordes of ignorant computer-using idiots out there must sacrifice performance for protection from themselves. It's a fact of life for the vast majority of users. XP should have never granted admin rights to new user accounts, but I do understand why. How would you (Microsoft) like to field the support calls from millions of morons when they can't install a program or defragment their systems? UAC is a decent 'work-around' for this problem.
I also don't run AV software at home, although when I unleash a new version of Paint.NET to the auto-updater I definitely run it through an AV scan. I think it'd be irresponsible not to!
Regarding the poster who wanted a middle ground between restricted and admin, you might want to look at the Power User account. I don't remember exactly what it allows/disallows but it might do some of what you want. It's a bit of a hidden option though for some reason.
I would not be surprised if in the next version of Windows we see everybody running on properly limited accounts. Personally I see Vista as a transition stage; there is still a lot of software that struggles not running under administrator and people need to be able to switch. The sort of software that fails is the sort of poorly designed software a lot of people will be using, and a lot of those people will be people who don't really know much about computers. To request them to switch accounts or switch programs is a little much. Yes, the UAC could have been implemented better, but I think Microsoft are playing it safe (perhaps a little too safe) in creating an intermediate step before completely limiting access by default. By the next iteration of Windows all software in reasonable use *should* be up to speed on what it can and can't do under a limited account.
I've always found anti-virus software to be a huge drain. I've not yet found one that I'm satisfied with to run on demand, so I just occasionally use a web one. One of the biggest problems with anti-virus software is scheduling; they often don't realise that just because I'm not at the computer doesn't mean I'm not running stuff that I would like to have higher priority than them. It will be interesting to see if Microsoft release any of the work they've done on scheduling and how that affects the way anti-virus software works.
A very interesting and eye-opening article. I'm a big fan of NOD32, which I moved to after trying both Norton and McAfee and seeing my games grind to a halt.
I'm disappointed that Vista did not promote the use of limited user accounts more. I'm certainly going to try running as non-admin if and when I actually upgrade to Vista.
As for alternatives to Antivirus software, although there were some interesting ideas discussed here did anyone actually consider that backing up your entire system, warts and all, is actually quite time consuming and also expensive in terms of storage? If you add unlimited levels of undo then surely that is going to be a big performance hit while the OS scurries around backing itself up all the time. That sounds like much more of an inconvenience than having a small drop in performance from running one of the better Antivirus solutions and just backing up my important documents across my network every night.
The VM approach may work well in the future but at the moment only IT pros can really set it up properly. It's also useless for games, something your kids will most probably want to do.
In short, we can all moan about Antivirus software slowing our computers down and the braver, more techie people can even go without, but until Microsoft actually sorts the whole "admin for everything" fiasco, Antivirus is still going to be the most practical solution for most people.
As someone that built his first computer primarily as a gaming platform, I had to learn good security habits to prevent viruses on my system fairly quickly, as many games had (don't know about the current state of the situation) a lot of problems with active antivirus software (especially Norton and McAfee). Therefore, I had to disable the AV software to play the games I built the machine to run, and then would usually forget to re-enable it, or simply not do so because the software was often such a hassle to turn on and off on the fly.
For a long time I kept AV software up to date and installed on my machine, and scanned the system whenever things started acting up, and simply kept the active scanning/prevention software from running. Eventually I found that the only time I got a virus on my system was when I did risky things, or purposely installed one to make sure the AV software was working (an RTS game loosely based on the movie WarGames originally shipped with a virus in the registration software on the disc, and I wanted to make sure the installation hadn't run the registration software and infected the system).
I am now at the point where I simply use an online scanner to check for a virus if my system starts misbehaving. On the other hand, I now run frequent scans of my system(s) for spyware, since even sites that should be safe have a tendency to install spyware/adware on their users' systems for whatever reason.
The biggest hurdle I had to face in the nearly 10 years I've been maintaining this regimen was teaching it to my wife, and in that case a User-level account helped significantly, and Vista's UAC does help make this a little less painful for both of us (since we don't have to switch users to install software, just enter the administrator user name and password).
One other thing I've found that helps in cases where I've really screwed something up is to maintain a completely clean administrator account on the system so that I can recover user files and manage user accounts when the administrator account used to install software on the machine does get corrupted by some piece of malware. In my personal experience, though, AV software finds nothing on systems where I've had this happen, and even when I go to the extent of installing AV software and running a complete scan (with up-to-date definitions) there's nothing there until you scan the user account with 2 different anti-spyware engines, or you realize that Windows sometimes just eats users for breakfast when left to its own devices.
I'm also a gamer and I always leave the auto-protect feature of AV disabled. Most conscientious PC users who do not share their PCs with careless users/small children do not need auto-protect turned on. Anyone who is stupid enough to click on executables in e-mail, or even attachments from people they don't know deserves whatever they get.
I leave it set for a weekly system scan at 4:30am when I won't be bothered with it, and that's been enough to keep my 5 PCs clean of any viruses. I have not had virus-related data loss on any PC using this technique in 7 years.
Anyway, there's a fundamental problem with the idea, and I think you'd find this to be true on a Linux system as well: if you want the user to run un-elevated, they don't have the authority to view the process list for anybody but themselves.
Not true. Linux does not restrict who can view the process list.
Vmyths.com comes to mind.
Fighting against computer virus hysteria since 1988.
Although there's not much going on in the last two years.
John Prie wanted "task manager on steroids". It's not quite there yet, but Vista did add a column to the Processes tab called "Description". It gives a long title (one line, probably 3-5 words) for each process that's running. Of course, all ~10 svchost.exe processes just show up as "Host Process for Windows Services", so I'd take that with a grain of salt...
Anyway, there's a fundamental problem with the idea, and I think you'd find this to be true on a Linux system as well: if you want the user to run un-elevated, they don't have the authority to view the process list for anybody but themselves. My problem with the article is twofold: one, no matter what sandbox you put the user in, the whole system can be compromised if the sandbox isn't good enough; two, no sufficiently complex sandbox can possibly be known to be "good enough". The truth is, no security system can be perfect. Your best bet is to have an offline backup of all your important data, and scan regularly with something you're confident will catch malware -- and don't expect perfection.
Is there an advantage to running as a Standard User vs Running as Admin with UAC enabled?
The problem is that there's too much damned software out there that requires you to have freaking ADMIN level access just to run. I WANT to run as a limited user, but it seems that you need to diagnose, tweak, and sometimes just give up and run-as admin for about half the stuff you install.
And what's the worst offender? frelling KIDS software. You think I want my 5 year old to be an admin on the system he gets to use? If EVER you'd think there was software that would be designed to run as a low-rights user, you'd figure it would be stuff designed for little kids, so that Dad or Mom can install using an admin account, and the kid could run it using their no-rights account. You might think this, but is it even close to reality? No way. Not now.
Nearly 80% of the educational stuff we get for him won't even run if he's logged in as an ordinary user. About 30% of that you can figure out what permissions it needs in what out-of-the-way directory (nothing under the user's area in Documents and Settings, no, that would be entirely TOO easy) and get it working using a low-rights account. But that still means I have to spend sometimes hours trying to figure out what stupid file in what out-of-the-way place the thing is trying to access, and give him rights to it. Some of them REPLACE a file in the system EVERY STINKING TIME you run them. WTF? It makes me want to hunt down and KILL some damned developer somewhere. Some I've yet to have the time/patience/interest to sleuth out, and so he can't run them on his own. He has to come over, interrupt what I'm doing on my system, and get me to come over and use run-as to start up the programs. Given the attention span of a kid his age, that means every 15 min if I'm lucky.
Last August, I sold my Mac and returned to a PC running Windows. Here is what I have been doing on my Windows XP box:
1. Run as a regular "limited" user account.
2. Use Fast User Switching or RunAs to administer the box when needed.
3. Use FSUTIL to turn off 8dot3 and last access in NTFS.
4. Turn off System Restore and remote assistance.
It is pretty simple and easy to do. Since my initial installation and configuration of XP, I have hardly needed to use my admin privileges.
Every Saturday morning, I back up my user files and then run Windows Update. So far, everything has been peachy.
Personally, I wish more Windows software didn't require installers, so that I could simply unzip it and run it from my home directory (which is what I did on my Mac).
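The four-step XP setup listed above, as an added worked example (not the commenter's own script): a batch file that applies step 3 with the real `fsutil behavior` subcommands and shows the query that confirms the change, plus the `runas` invocation step 2 refers to. The administrator account name is an assumption; substitute your own.

```batch
@echo off
REM Added example, not from the original comment. Implements step 3 of the
REM list above (disable 8.3 short names and last-access updates on NTFS)
REM and prints the settings before and after so the change can be verified.
REM
REM Must run with administrator rights. From a limited account, step 2 of
REM the list is the way to get there, e.g. (account name is an assumption):
REM   runas /user:%COMPUTERNAME%\Administrator cmd
REM then run this file inside that elevated prompt.

echo Current NTFS behavior settings:
fsutil behavior query disable8dot3
fsutil behavior query disablelastaccess

REM 1 = disabled. Short-name generation is only skipped for files created
REM after this point; existing short names stay. Some old installers still
REM look files up by their 8.3 name, so test legacy software afterwards.
fsutil behavior set disable8dot3 1

REM Stops NTFS rewriting the last-access timestamp on every read. Caveat for
REM anyone doing incident response on this box later: last-access times are
REM no longer meaningful once this is set.
fsutil behavior set disablelastaccess 1

echo New NTFS behavior settings:
fsutil behavior query disable8dot3
fsutil behavior query disablelastaccess
echo The last-access change takes effect after a restart.
```

`fsutil behavior query` is the check to keep: on a fresh XP install both values come back as 0, and re-running the query after a reboot confirms the setting stuck. Vista already ships with last-access updates disabled, so on Vista only the 8.3 line actually changes anything.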
In the process of upgrading my anti-virus, the installer removed the old version then installed the new version. In the short time while I was running without anti-virus and firewall (including the Windows Firewall) a couple of trojans appeared on my computer. I'm no idiot when it comes to computing, so I simply can't believe it is possible to run a secure computer without any of these.
Paul, your computer isn't using a hardware firewall (your basic $40 NAT router)? If that's so, I urge you to immediately go out and buy one ASAP.
I wouldn't directly attach *any* computer, regardless of OS, to the internet without putting it behind a NAT router first. Software firewalls are no substitute for a proper hardware NAT router solution. They're incredibly cheap and, by now, quite mature (plus they allow you to share your internet connection among multiple machines at home). Once you're behind NAT, no hacker can directly touch your system; they have to trick you into downloading their code.
But you're right, if you directly attach an old version of XP (even SP2) to the internet, it'll be compromised almost immediately. I just assumed typical computer users realized what a bad idea that was by now.
Jeff, what hardware firewall would you recommend? I've got one of the Pre-N wireless routers, but I'm guessing that it is just a software firewall?
As long as you're using a router of some sort (and you're using the default configuration), you effectively have a one-way firewall that blocks all incoming connections. I don't have any particular recommendations, but I use the D-Link DGL-4300 which has 802.11b wireless, a gigabit ethernet switch and upstream QoS (meaning, you can saturate your link with downloads and still get excellent response times, even in twitch gaming scenarios). I recommend it wholeheartedly:
Interesting article Jeff, but I can't necessarily agree with a standpoint of running no anti-virus system at all. A recent incident where the latest downloadable distribution of the WordPress blogging system was compromised by a cracker should be a warning that even the most sensible net user can unwittingly infect their system with something undesirable.
If I then accidentally (as if anyone would ever do this on purpose) get something onto my system that is stealing personal information, perhaps banking details, then I want to know about it ASAP. Even running in a VM session there could be *useful* information to steal - with an increased level of integration between applications (e.g. Office 2007) users are more likely to want to run several applications (with their inherent data) together in a VM.
Prevention rather than cure :-)
if people stopped using intercrap exploiter, then there would be little need for such "security" software.
Norton is bloat and everyone knows that.
For years I used security software on my machines. First I had Trend Micro PC-cillin Internet Security as an all-in-one security software, but over the years they pressed more and more (useless) features in and it became slower and slower. Last week I tried to install Trend Internet Security 2007 on my old notebook (Pentium 3, 1.5 GHz, 512 MB RAM). That was a mistake! The system slowed down and crashed. Now I've switched back to AVG.
On another Athlon64 machine I used Zone Alarm Pro in combination with ESET NOD32 and Webroot Spy Sweeper. Webroot brought several upgrades and with each of them the system became slower and less stable. So I decided to kick out Spy Sweeper and turn on the antispyware in ZoneAlarm. I have not been very lucky with that setup...
Now I bought a new core 2 duo machine with vista and thought about security software. I decided to do it without a personal firewall, antivirus, antispyware but decided to setup a virtual machine. With the new CPUs it's a pleasure to work with such a setup as it doesn't slow down your PC in any respect.
I will never install security software again (at least as long as manufacturers build crappy functions into it). The virtual machine setup really gives you peace of mind and does not fake security or slow your system.