Jon Galloway and I got into a heated debate a few weeks ago about the efficacy of anti-virus software. My position is that anti-virus software sucks, and worst of all, it doesn't work anyway. That's what I've been saying all along, and it's exactly what I told Jon, too:
The performance cost of virus scanning (lose 50% of disk performance, plus some percent of CPU speed) does not justify the benefit of a 33% detection rate and marginal protection. I would argue the illusion of protection is very, very dangerous as well.
Ask yourself this: why don't Mac users run anti-virus software? Why don't UNIX users run anti-virus software? Because they don't need to. They don't run as administrators. Sadly, the cost of running as non-admin is severe on Windows, because MS made some early, boneheaded architectural decisions and perpetuated them over a decade. But the benefit is substantial. There's almost nothing a virus, malware, or trojan can do to a user who isn't running as an administrator.
I believe we should invest our money, time, and effort in things that make sense, things that work. Things like running as a non-administrator. And we should stop wasting our time on voodoo, which is what anti-virus software ultimately is.
To be fair, anti-virus software is more effective than I realized. In the August 2007 Anti-Virus Comparatives, the lowest detection rate was 90%, and the highest was 99.6%.
But I have a problem with the test methodology that produced these results. If we build a library of tests using all the viruses and malware in all of recorded history, we'll get an absurdly high detection rate. But who really cares if Kaspersky can detect a year old virus, much less a three or four year old one? What matters most, I think, is detection rate for new threats. That's what's really dangerous, not some ancient strain of a long-forgotten DOS virus. I'm sure anti-virus vendors love comparatives like this. It makes for great ad copy: we can detect 99.7% of threats! The bad news, which is hidden by a footnote marker and placed in 4-point text at the bottom of the page, is that 99.3% of them are so old as to be utterly irrelevant and meaningless. (Update: in a comment, Anders pointed out that a November 27th "proactive/retrospective" test (pdf) from the same site, using threats only a month old, showed far lower detection rates: between 80% and 33%.)
We could appeal to the data. Of the top 5 threats on the virus radar, only one is younger than six months. However, the youngest dates from December 4th, a mere eight days ago. And it only takes one. If anything gets through your anti-virus software, you're just as compromised as you would be if you were running no anti-virus software at all.
But for now, let's assume these comparative statistics are correct. The heroic anti-virus teams can detect 99.7% of all the evil code in the world, and protect you from them, in the name of truth, justice, and the American Way. But it's far from automatic. It only works if you stick to the plan. You know, the plan:
Wow, not much can go wrong there. And then you only have a 0.33% chance (or a 20% chance, depending which set of data you believe) of getting in very big trouble. Problem solved!
Or you could just, y'know, not run as an administrator, and then you'd never have any chance of getting in trouble. Ever. Well, at least not from trojans, malware, or viruses. But evidently a few children's programs fail to run as non-administrator, and programming as a non-administrator is difficult, so that's a deal-breaker for Jon.
After a lot (really, a lot) of back and forth with Jon on this topic, I realized that my position boiled down to one core belief:
Blacklists don't work.
At its heart, anti-virus software is little more than a glorified blacklist. It maintains an internal list of evil applications and their unique byte signatures, and if it sees one on your system, kills it for you. Sure, anti-virus vendors will dazzle you with their ad copy, their heuristic this and statistical that; they'll tell you (with a straight face, even) that their software is far more than a simple blacklist. It's a blacklist with lipstick. It's the prettiest, shiniest, most kissable blacklist you've ever seen!
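The signature blacklist described above, as an added example (not code from the original post or from any anti-virus product): a byte-signature scanner scored separately on old and new samples, with a default-deny hash allowlist next to it for contrast. Every program name, body and signature below is a constructed, harmless byte string.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Program:
    name: str
    body: bytes
    malicious: bool  # ground truth used only for scoring; a scanner never has this


def sha256(body: bytes) -> str:
    return hashlib.sha256(body).hexdigest()


# Constructed stand-ins for executables (plain text, nothing here is real malware).
APPROVED = [
    Program("editor", b"editor-v1 build 100", False),
    Program("browser", b"browser-v7 build 2201", False),
]
OLD_THREATS = [  # samples the blacklist vendor has already seen
    Program("worm-2004", b"....SIG-ALPHA-0001....", True),
    Program("trojan-2005", b"....SIG-BETA-0001....", True),
]
NEW_THREATS = [  # samples that appeared after the last signature update
    Program("worm-variant", b"....SIG-ALPHA-0002....", True),
    Program("brand-new", b"....something never seen....", True),
]
OTHER_BENIGN = [
    # Legitimate file that happens to contain a signature's bytes.
    Program("av-docs", b"notes on SIG-BETA-0001 removal", False),
    # Legitimate program that nobody has approved yet.
    Program("new-game", b"game-v1 build 1", False),
]
ALL = APPROVED + OLD_THREATS + NEW_THREATS + OTHER_BENIGN

# Blacklist: enumerate known-bad byte sequences, allow everything else.
SIGNATURES = [b"SIG-ALPHA-0001", b"SIG-BETA-0001"]
# Allowlist: enumerate known-good hashes, deny everything else.
ALLOWED_HASHES = {sha256(p.body) for p in APPROVED}


def blacklist_allows(p: Program) -> bool:
    return not any(sig in p.body for sig in SIGNATURES)


def allowlist_allows(p: Program) -> bool:
    return sha256(p.body) in ALLOWED_HASHES


def detection_rate(allows, threats) -> float:
    """Fraction of the given threats that the policy refuses to run."""
    return sum(1 for p in threats if not allows(p)) / len(threats)


def score(allows, programs) -> dict:
    """List the malicious programs let through and the benign ones refused."""
    result = {"missed": [], "false_blocks": []}
    for p in programs:
        allowed = allows(p)
        if p.malicious and allowed:
            result["missed"].append(p.name)
        elif not p.malicious and not allowed:
            result["false_blocks"].append(p.name)
    return result


if __name__ == "__main__":
    for label, policy in (("blacklist", blacklist_allows),
                          ("allowlist", allowlist_allows)):
        print(label,
              "old:", detection_rate(policy, OLD_THREATS),
              "new:", detection_rate(policy, NEW_THREATS),
              score(policy, ALL))
```

The blacklist scores perfectly on the historical library and fails open on both new samples; the allowlist fails closed, and its cost shows up as refused legitimate programs instead.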
I could waste your time by writing a long diatribe here about how blacklisting is a deeply flawed approach to security. But I don't have to. We can turn to our old friend Mark Pilgrim for the most radical deconstruction of blacklisting you'll probably ever read.
I see from Jay's Comment Spam Clearinghouse that the latest and greatest tool available to us is a master [black]list of domain names and a few regular expressions. No offense to Jay or all the people who have contributed to the list so far, but how quaint! I mean really. Savor this moment, folks. You can tell your children stories of how, back in the early days of weblogging, you could print out the entire spam blacklist on a single sheet of paper. Maybe with two or three columns and a smallish font, but still. Boy, those were the days.
And they won't last. They absolutely won't last. They won't last a month. The domain list will grow so unwieldy so quickly, you won't know what hit you. It'll get so big that it will take real bandwidth just to host it. Keeping it a free download will make you go broke. Code is free, but bandwidth never will be. Do you have a business plan? You'll need one within 6 months.
And then people will start complaining because a regex matches their site. Or spammers will set up fake identities to report real sites and try to poison the list. Are you manually screening new contributions? That won't scale. Are you not manually screening new contributions? That won't work either. Weighing contributions with a distributed Whuffie system? Yeah, that's possible, but it's a tricky balance, and still open to manipulation.
It's all been done. It's all been done before, and it was completely all-consuming, and it still didn't work. Spammers register dozens of new domains each day; you can't possibly keep up with them. They're bigger and smarter and faster than you. It's an arms race, and you'll lose, and along the way there will be casualties, massive casualties as innocent bystanders start getting blacklisted. (You do have a process for people to object to their inclusion, right? Yeah, except the spammers will abuse that too.)
Oh, and it goes on. That's a mere slice. Read the rest. Like Mark, blacklists make me angry. Angry because I have to waste my time manually entering values in a stupid blacklist. Angry because the resulting list really doesn't work worth a damn, and I'll have to do the same exact thing again tomorrow, like clockwork. And most of all, angry because they're a dark mirror into the absolute worst parts of human nature.
I've had plenty of experience with blacklists. A minuscule percentage of spammers have the resources to bypass my naive CAPTCHA. They hire human workers to enter spam comments. That's why I enter URLs into a blacklist every week on this very site. It's an ugly, thankless little thing, but it's necessary. I scrutinize every comment, and I remove a tiny percentage of them: they might be outright spam, patently off-topic, or just plain mean. I like to refer to this as weeding my web garden. It's a productivity tax you pay if you want to grow a bumper crop of comments, which, despite what Joel says, often bear such wonderful fruit. The labor can be minimized with improved equipment, but it's always there in some form. And I'm OK with that. The myriad benefits of a robust comment ecosystem outweigh the minor maintenance effort.
I've also had some experience with the fancy, distributed crowdsourcing style of blacklist. It's a sort of consensual illusion; many hands may make light work, but they won't miraculously fix the fundamentally broken security model of a blacklist. You'll have the same core problems I have with the unpleasant little blacklist I maintain, writ much larger. The world's largest decentralized blacklist is still, well, a blacklist.
So, in the end, perhaps I should apologize to Jon. I suppose anti-virus software does work, in a fashion... at a steep mental and physical cost. Like any blacklist, the effort necessary to maintain an anti-virus blacklist will slowly expand to occupy all available space and time. In philosophical terms, keeping an exhaustive and authoritative list of all the evil that men can do is an infinitely large task. At best, you can only hope to be ahead at any particular moment, if you're giving 110%, and if you're doing everything exactly the right way. Every single day. And sleep lightly, because tomorrow you'll wake up to face a piping hot batch of fresh new evil.
If a blacklist is your only option, then by all means, use it.
With comments, I'm stuck. There's no real alternative to the blacklist approach as a backup for my CAPTCHA. Furthermore, the ultimate value of a comment is subjective, so some manual weeding is desirable anyway. But when it comes to anti-virus we do have another option. A much better option. We can run as non-administrators. Running as a non-administrator has historically proven to be completely effective on OS X and UNIX, where the notion of anti-virus software barely exists.
Isn't that the way it should be? Relying on a blacklist model for security is tantamount to admitting failure before you've even started. Why perpetuate the broken anti-virus blacklist model when we don't have to?
Antivirus software has always worked fine, for me, both at home and at work. Realtime protection blocks the intruders every time.
And why unix or mac users don't need an antivirus? Simple: because there are 0,1% the number of viruses for those operating systems than for Windows.
friol on December 12, 2007 1:15 AM
Like real viruses, the best way to fight viruses on your computer is prevention. Learn to use the Internet. If a site looks suspicious, stay away. If you're looking for porn, don't click anything that says "free". It's not, and you'll regret trying. Watch out for places with lots of ads. If you see a banner offering a free toolbar, DON'T DOWNLOAD IT. In fact, you may want to use an ad blocker. I recommend Adblock+ if you're using Firefox. And if you get email attachments, don't download them unless you know exactly what they are. If you got an unexpected attachment from a friend, it doesn't hurt to ask if they actually sent it themselves.
If you're going to spend money securing your computer, PLEASE, don't waste it on antivirus. If you play your cards right, you won't need it. Get a firewall or something.
Personally, I'm glad to be on a Mac. I just don't have a problem with viruses.
WurdBendur on December 12, 2007 1:21 AM
In fact, as an added measure of security (though not perfect), absolutely do not surf for porn with IE, and don't use Outlook Express to read email (and make sure whatever email program you use lets you read them as text-only and isn't rendering HTML automatically).
The unfortunate fact is that the most effective "virus" problems are trojans and worms taking advantage of exploits in common software (IE, OE, WMP, QuickTime in the case of Mac users). Instead of keeping anti-virus software up to date, people should be keeping their every-day programs, including but not limited to the OS, up to date. This is especially true for anything that renders HTML and/or includes scripting support for any reason.
Of course, these are all things that everyone here should already know. Furthermore, we should all know that it doesn't really matter what OS you're on, because they all have the same basic issues when someone decides to go ahead and let a piece of software that should be suspicious to them execute on their system.
Vizeroth on December 12, 2007 2:25 AM
1) I think the reason that most viruses are written to infect M$ Windows is because it has such a big market share
2) if you're running as non-admin you can still catch a virus that kills your data. It can't do everything but it still can do something
Since I usually only comment on your blog when I disagree with you, I thought I'd break that pattern: this post is right on the money, Jeff!
Mats Helander on December 12, 2007 3:01 AM
One thing that I'm surprised that nobody has touched on is the fact that most (if not all) good software firewalls these days include action prevention mechanisms and Application Behavior blocking. Granted this is similar to the Vista Permit/Deny setup - but sometimes preventing unwanted behavior isn't just a matter of preventing it from actually reaching your computer. Having the tools ready to prevent unwanted behavior from even 'good' applications can protect you as surely as never running 'bad' apps.
As for myself, I don't run anti-virus on my main PC either - but I also use a completely separate computer as a 'workhorse' to do downloading extraction so as to be able to continue whatever I happen to be doing on my main PC without interruption. Virtualization taken to an extreme, heh.
Aquaricat on December 12, 2007 3:11 AM
These are some of the same reasons that I haven't run any anti-malware products on my workstation(s) in about 3 years. First with XP and now with Vista, and I'm loving every minute of it.
A few basic precautions are all that are necessary. Treat your computer like you would your own body. If you don't sleep around with random people you meet in the bar, you won't get the clap.
If I really want to do something risky, I use a virtual machine. That's something that everybody should do, regardless of whether you run Windows, or the most hardened Unix OS. It's when you start thinking that you are invincible, and don't take any precautions at all, then you will end up as just another spambot.
kettch on December 12, 2007 3:17 AM
I mostly agree with what you have said, but I don't think it fair to claim that windows only suffers from viruses, trojans and other malware.
I read a report where a research group set up boxes with unpatched OS's, and while the unpatched windows machines were, on average, compromised in under a minute, the Linux and BSD flavours were compromised, on average, in under an hour.
Like a post already said, Windows is a prime target, because of its market share, and yes, because it's generally easier to attack than other OS's, but that doesn't make the other OS's safer, it just means you can pretend to be safer an hour longer than windows users.
acidie on December 12, 2007 3:28 AM
What's really stupid is I've seen anti-virus packages that run appallingly badly for non-Admin users. http://www.geekrant.org/2007/06/27/ca-internet-security/
Daniel on December 12, 2007 3:29 AM
Off topic but does anyone have a suggested list of blogs similar to this one.
Pete on December 12, 2007 3:30 AM
I'll talk about RDF... please don't run away ! :-)
The Decentralized Information Group at MIT has a whitelist policy based on FOAF and OpenID which is IMHO very interesting. Basically, you have to be a foaf:knows (two levels deep) of a foaf:member of the DIG group. Sean B. Palmer has a nice summary on the subject : http://inamidst.com/whits/2007/10
Also, other people started to implement exactly that but based on XFN (you know, the microformat) and for WordPress, as a plugin : http://code.google.com/p/diso/
The problem is not running as non-root, the problem is how each OS handles a task that requires root to proceed.
Windows works on a 'This program wants to do something, should I allow it?' which quickly becomes the nightmare that Vista has become, every action requires a Yes or No - and every application is allowed to (just like your previous article) annoyingly steal focus to ask for permission.
Whereas on *nix, everything is told to bugger off if they want to do a task they're not allowed. The only way a virus could do damage is if the user himself requests it by manually typing sudo.
Sudo can be annoying, installing new apps usually goes along the lines of:
$ apt-get install python
E: Could not open lock file /var/lib/dpkg/lock - open (13 Permission denied)
E: Unable to lock the administration directory (/var/lib/dpkg/), are you root?
$ sudo apt-get install python
Password:
the rest
But I'd rather put up with a minor annoyance that happens only once in a while when I forget to type sudo, than every single damn process my pc runs demanding to run as root.
Reggada on December 12, 2007 3:40 AM
So run Unix or X
duhhh.........
You know, it may not be a good idea to say that running without administrator privileges means you "never have any chance of getting in trouble. Ever." It's true that most current viruses run as administrator, but that can easily change. Virus writers currently use their administrator status to dig deeper into the system, but the primary task is rarely anything other than making network connections (send spam, DDoS targets, join botnet), which is obviously something limited users can do. When Microsoft completes the switchover to limited default user permissions that Vista started, virus writers will simply adjust their tactics to avoid protected parts of the system.
Mark on December 12, 2007 3:49 AM
I haven't run with a virus scanner since my last one expired. I've found that I know my system well enough to notice things that shouldn't be there and I haven't yet come across a virus that needed a special program (beyond regedit and a debugger in one case) to get rid of.
Since my last reformat (due to hard drive failure, not a virus) I've run as a regular user account (Power User is basically as bad as Administrator on XP http://blogs.technet.com/markrussinovich/archive/2006/05/01/the-power-in-power-users.aspx) and had no issues at all. "runas /savecred /user:administrator" is slightly longer than "sudo", but that's nothing a simple batch file can't fix.
Zooba on December 12, 2007 3:54 AM
@Joe: In theory virus code won't be able to break a non-admin account because it won't have the privileges to run. Code would have to have permissions to be executed - and that would be set *deliberately* by the admin user.
Of course, Trojans can still be a problem:
1) User-A logs onto site and sees a screensaver/useful app/game that they want.
2) User-A downloads executable and elevates to admin to give it execute permission.
3) User-A (now back as an unprivileged user) runs the executable, it has a trojan that copies their addressbook and mydocuments folders and e-mails them to a Russian* address (or does other stuff permitted by that account).
Education is the best way to reduce this (don't download from dodgy sites). But there will always be stupid people.
-Perros-
*nothing against Russians.
This'll sound naive, but what are the actions that we are saying that malware, etc. does?
You do not need administrative purposes to:
1 - Delete a file owned by you (that seems pretty harmful)
2 - Browse to a website, connect to IRC, ftp (could be used for DDOS)
3 - Download large files (slow down computer) and save to directories owned by current user
4 - Connect to an arbitrary server (can be used for command and control of botnet)
5 - Send emails (spam)
(These all apply to *n*x as well)
As far as I'm aware, the only thing you can really do as administrator /without getting popups is try to *listen* on a port (or modify system files). Or maybe you *can't* do any of the things I mentioned because I'm so used to running as a user which has some admin privileges.
Most users care about their personal documents, music, photos which can be freely messed with without any privileges.
Josh on December 12, 2007 4:00 AM
the only reason antivirus vendors don't change their practice is because they rely on the profits generated from continued subscription - they won't "bite" the hands that feed them in a sense, since it's in their interest to just fix up symptoms of a problem, not the cause.
this is similar to some pharmaceuticals - they produce drugs which suppress symptoms, but not cure the disease. that way, the patient will need to continuously buy the drug, and thus the company makes more dough. replace with antivirus vendor, and the scenario still makes sense.
Chii on December 12, 2007 4:03 AM
Nice post about the reality of the virus scanners, but there are a few points I would like to add.
Running in non admin mode would indeed limit the possibilities of a program. But there are enough privilege escalation exploits, for windows components but also for virusscanners etc. So it is possible to get infected while in non admin mode.
I myself have a virusscanner running, but I never do the daily/monthly full scan. I do however like the Active protection mode, which monitors the files which are executed and scans them (that's just the normal virusscanner stuff) but what I like more is the part which looks at the behavior of the program (for instance writing to registry where it should not). That kind of protection is a good extra line of defense which blocks the new exploits too. Although if you look on www.rootkit.com Kaspersky has a nice open gap in the communication to the kernel driver, so a virus could just disable Kaspersky and then do the dirty stuff.
Davy Landman on December 12, 2007 4:07 AM
You are of course right about blacklists and anti-virus software Jeff, but have you considered the use of blacklists for browser ad blockers?
In this very different circumstance they appear to work rather splendidly. It feels like years since I've seen an ad on the internet. (Of course I never clicked them anyway, _ever_. Was it you who Twitter'd http://blogs.mediapost.com/spin/?p=1085 ?)
(FYI your tasteful and notated ads are not blocked by the Firefox Adblock Plus extension)
Christopher Galpin on December 12, 2007 4:07 AM
Things are even worse. See the statistics page of VirusTotal.com: http://www.virustotal.com/estadisticas.html
Only 9 of 20226 threats (0.04%) were detected by all engines. This is terrifying.
Blacklists are useless, but non-admin is not panacea either. Btw, "computer hygiene" helps a lot.
martin on December 12, 2007 4:15 AM
Jeff, Have you seen this :
http://www.youtube.com/watch?v=Ga1crmF7uls
It seems that 99,9% detection rate isn't good enough. Botnets are getting more and more intelligent. They are changing their dns-addresses so fast that blacklists are useless.
Tapio
Tapio Kulmala on December 12, 2007 4:25 AM
Jeff I also don't run a virus scanner I just can't justify giving up all the system resources for as you said something that is unlikely to work for any new virus. But I do need to run my computer as admin for the reason of programming which is a pain I would go onto my normal user account for any other reason but don't want to maintain admin and personal accounts all the time it's tedious to keep settings etc.. on both accounts.
I think the perspective on anti-virus from this blog is different to average users as most people who read this blog will know what exe to run and what not to along with the processes and services that should be running on their windows machines. This means they can usually detect a virus themselves and then may find out about it and what antivirus program can cure it. At this point I bet for most it's either temporarily install a program to remove the virus or go back to the backup of their system they have. I maintain a ghost image of my drive on dvd's with all the software I use installed and no data.
I take this and install it adding any updates and any new software I might be using and back this up for usage next time. Then I add my latest data and hey presto new clean computer probably running a bit faster than before all in the space of an hour.
A better antivirus program for me would be a small program that detects new processes and services of unknown origin. I think this is included in some anti-virus but that is the only part I would want I don't care about on the fly scanning of files against an outdated blacklist.
Pete
Pete on December 12, 2007 4:40 AM
Agreed 110%, with 1 concept the author introduced. That's "HEURISTICS" it RULES! Being able to detect what NOBODY ELSE HAS ALREADY, is key!
I just mentioned that here in fact, to a person debating ESET NOD32 vs. AVG, ESET went 12/12 at av-comparatives' website on HEURISTICS (best guess/"smells like a duck, tastes like a duck: MUST BE A DUCK!" type stuff), here:
http://www.av-comparatives.org/seiten/ergebnisse_2007_08.php
AND, the same @ VB100 website too it passed ALL of their tests with FLYING colors (40 vendor's antivirus offerings tested, only 3 did this). See here:
http://www.virusbtn.com/vb100/archive/results?display=summary
ESET NOD32 #1, not only where it's important (heuristics) the most, but also for SPEED (written MOSTLY in assembler, this helps, with a good algorithm!)
APK
P.S.= Personally, also professionally (I kill these things daily, both spyware /or virus, etc. et al)? I see FAR MORE spyware the past year now, by far, vs. std. classical "viruses"... apk
APK on December 12, 2007 4:41 AM
Where I debated this (as to what I feel is important in antivirus products today, sorry, missed posting it here earlier):
http://www.neowin.net/forum/index.php?s=3953b2d51f1210e888e8141875774601showtopic=602537hl=
HEURISTICS (best guess tech for UNKNOWN threats) rules, ESET NOD32 seems to "rule that roost" per evidences in my last post here, above!
APK
APK on December 12, 2007 4:45 AM
Joe is right:
No matter which account you are using, a virus can (and will) destroy your data.
I don't care about the OS; I can install it in under 1 hour. I DO care about my data; it would take hours or weeks (depending on the time of last backup) to recover it.
alphager on December 12, 2007 4:50 AM
As already mentioned, you don't necessarily need administrative privileges to do nasty things. And to add to that, we have privilege escalation exploits; I'm sure there's plenty that haven't been found yet, also for *u*x based systems. And while the current generation of *u*x users are über tech-savvy people who read 42 security lists and keep their kernels updated by the hour, regular Joes wouldn't.
As for AV packages, well, what you want isn't a stupid BoyerMoore(patternList[idx], mappedFile), you want behavioral blocking that checks for suspicious program activity. The cost in CPU cycles is negligible, and it doesn't need the heavy disk activity that on-demand virus scanning does.
I am the System administrator for a small college. Mostly Linux servers, Linux/Windows clients. Users do _not_ get to run as administrator on any of our systems. We keep our software up to date. And I still have to deal with 4 or 5 security incidents a year. All on the Unix side (because that's where we serve user websites from, of course). Talk about the magical magicness of non-administrator accounts is flatly wrong.
Here's the fundamental law of computer security: don't be the easiest, most common, target on the net.
You can be sure that once most systems switch to running non-Administrator accounts, that malware writers will make the jump with only a few issues. Because, speaking as a Unix administrator, they already have.
Joel Eidsath on December 12, 2007 4:53 AM
As others have pointed out, running non-admin won't protect your user account's files and settings, but it does keep the system from getting totally borked (at least in theory).
Jeff Flowers on December 12, 2007 5:02 AM
"I love the folks who install three anti-virus-"solutions", and another two personal firewalls, in addition to the built-in firewall.
All active simultaneously, of course."
Of course they're not all active simultaneously. They're all expired, but no-one knows how the buggery to uninstall them.
Running as non-admin won't protect you from something taking advantage of a buffer overflow. But then neither will most AV software. Not in time. That's the whole point of the article - blacklists don't work. So you've got this behemoth of a utility churning away in the background that's protecting you less than, currently, running as non-admin in most respects.
Again, to reiterate my previous post. We are fighting a losing battle with completely the wrong emphasis. A normal person's computer gets infected, and it will whether they have the latest shiniest AV software or not. If they're lucky it just bogs their machine down until it slows to a crawl. A simple AV can help prevent/detect and fix this sort of thing - so long as it doesn't slow it to a crawl in the first place. At worse it takes their machine down and they've lost all their data (all they can do is take it to the shop, and they will more often than not wipe the HDD just for good measure, even if they promise on pain of death that they won't). Backup is now the only answer. Or it mines their machine for sensitive information, and the only prevention against that is education.
AV software as it is currently marketed is a false hope.
[ICR] on December 12, 2007 5:08 AM
I have been running my Vista powered PC without anti-virus for about 6 months now. With the built in Defender, Vista's UAC and other security enhancements built into Vista, IMHO, there is no need to install Anti-virus. As a backup precaution though, I did create an image backup of my OS and App partitions using Vista Ultimate's imaging feature. In the unlikely event that my PC is infected with a virus, I will just wipe the HDD clean and restore this image.
I do have an Antivirus software that I can use to scan my PC from time to time... it came with the Sandisk U3 USB key that I bought at a discount. I have run it only once to scan my Vista PC and as expected, it found no virus. If I were to run an anti-virus, I would rather run it off the USB key as opposed to install it on my PC's HDD.
cyclo on December 12, 2007 5:10 AM
A solution :
* You have 10 different softwares for performing the same task T
* Each time you need to do T, you pick randomly one of the 10 softwares
Against saturation attacks, let's use saturation defense :D
Alex on December 12, 2007 5:11 AM
I love this post. I share the same feeling and am happy that someone just posted it.
No i do not run as an administrator and yes it helps a lot.
But an antivirus is still essential.
What you are forgetting is how often do we end up installing something thinking of it as harmless and then voilaa!
I've tried to install a couple of(seemingly harmless) applications by launching them with the admin privileges and my AV catching it installing some nasty trojans. And believe it or not, one of them was an online car racing game supplied on a cd of famous pc magazine. How does one avoid these traps. So those annoying Antiviruses are here to stay and for long.
:(
"I don't care about the OS; I can install it in under 1 hour. I DO care about my data; it would take hours or weeks (depending on the time of last backup) to recover it."
You may be able to install the OS in under an hour, most people can't. Mainly because "reinstalling the OS" means going to the shop and buying a new computer. Or at best getting someone else to come round and fix it.
Yes, data is precious and that can still be attacked. But a whole class of distressing, destructive and costly attacks have been thrown out the window. Now all we need is a primitive anti-virus and a much heavier focus on decent backup tools - which is good for more than just virus damage. That seems to me a much more logical way to proceed. People are currently so focused on an impossible prevention they don't spend enough time worrying about how to recover from it.
Wow, this is something that we should see on Penn & Teller, right? I mean if this is all true, and i do believe it is, then there's a huge amount of bullshitting going on. Can you imagine just how many people get money by producing anti-virus software.
Jazz on December 12, 2007 5:17 AM
Hey Now Jeff,
I learned the while talking (http://www.codinghorror.com/blog/archives/001017.html) make sure to omit the blacklist model for security.
Coding Horror Fan,
Catto
"What matters most, I think, is detection rate for new threats. That's what's really dangerous, not some ancient strain of a long-forgotten DOS virus. I'm sure anti-virus vendors love comparatives like this. It makes for great ad copy"
Well.... AV-Comparatives also do retrospective/proactive tests...
The latest test (http://www.av-comparatives.org/seiten/ergebnisse_2007_11.php) is scanning all _new_ viruses within one month, with the antivirus updates from before the first sample.
From that test, ESET NOD32 scored the best with 71% detection, and no false-positives (AntiVir detected 81% but had many false-positives).
71% (81%) proactive detection is GOOD for "blacklisting software".
AV-Comparatives also have a bunch of proactive tests with a 3-month period also (no new updates for 3 months, check with new stuff from that period).
I'd say the biggest problem is the ones who are fooled into installing a "codec" to watch their porn, or run "My secret pictures.exe" they get from some random e-mail/IM.
End-user whitelisting won't work. They'll trust the pornsite that tells them to disable the protection, or whitelist the software.
For companies, most are probably running pretty strict with non-admins already.
anders on December 12, 2007 5:25 AM
And yes about *nix and macs not installing an antivirus.
Who cares? I mean, the comparative user base is tiny compared to windows, nobody bothers on wasting their time on them.
And yes I expect "some" criticism from the respective zealots.
:)
On my desktop, which I've been running since Vista's release, I've no antivirus running. I believe I'm a competent enough user to not foolishly execute suspicious looking files. I do have a backup process just like cylo which images the system once a week. I occasionally scan it with online virus scanners. So far, 0 viruses.
I've mentioned before previously in comment on your other AV article, the one rare time I did get hit by a virus which propagated itself throughout my home network, both AVG and SAV failed to pick it up. Yes, blacklists are worthless, all it takes is a small amendment to an existing virus to circumvent it, and a few days to months before the AV vendors pick up that particular variation.
The situation on my laptop is different however. In my working environment, flash drives are regularly swapped around, and often many of them contain viruses which are rather dated. An AV software works extremely well in this scenario.
I'd always recommend keeping an AV program running to the majority of the users (that is, people who don't read blogs like these) since the chances of them stumbling onto one due to the lack of technical expertise/experience is pretty damn high.
Mythokia on December 12, 2007 5:28 AM
Look, it's not about statistics or anything: it's about practicality.
Practical, real world example
-------------------
1) Long ago: windows XP from 2002-2005 WITH Mcafee Virus protection, SpyBot and Adaware on a computer that's junk now. By 2003, it's so infested that spybot and adaware can't do anything. Especially with "CoolWWWSearch." 2006: I used xubuntu and made sure it ran well as a server up to now.
2) I used Ubuntu, from 2004-now. I've actually tried to catch a virus. Nothing bad has happened to it. Oh wait, it has had things happen to it, like the bootloader getting screwed up, but that was from installing something wrong. Namely, a windows driver. And all I needed to do to right that was to use my super grub disk. NEVER has it been from any site.
Can virus writers change OS's? Theoretically, yes. Practically, they know "everyone" uses windows. Hell, there's a good chance they do. But even ignoring that, they'd have to discover an exploitable flaw in linux (and in what flavor of it? what distro? many have different architectures, some are bleeding edge...) and then they have to make sure linux users even visit their sites or whatever. All that hassle to write something...they don't/won't do it.
Not to mention the OSS community's insane patching speeds. And Mark Shuttleworth is friggin awesome, he's been to outer space xDDD
Sammy Liu on December 12, 2007 5:32 AM
Sorry for double posting: But my example just goes to show that for me, using non-windows has proven to be 100% effective.
Period.
Sammy Liu on December 12, 2007 5:33 AM
Can you imagine just how many people get money by producing anti-virus software.
I don't know how much Grisoft get from the free AVG virus checker. I mean, I assume it's nothing, as that's how much they've got from me over the years. I don't notice any drop in the power of my PC running it, although I've not run exhaustive tests or anything. I have no idea how much good it's doing but I guess it's doing something. Would not running it be better? I don't get it. Why? Even if I ran as a regular user and not administrator an executable could delete all my files. That's all I really care about.
While running as root/administrator is insecure, it doesn't mean that you are secure while running as a normal user. I maintain the position that the best protection from viruses, trojans and other malicious software is a decent education. Namely, one shouldn't trust everything on the web. A program running as user can still delete your data, for instance..very harmful.
In many distros you can find the repository installation model, where applications are installed from a central repository. I believe it is more secure than going on any random site and installing a program from there, unless the repository is compromised, of course.
Jean Azzopardi on December 12, 2007 5:44 AM
Did anyone stop to think about the vast majority of users that just want to *use* computers? Do you really expect everyone to know how to take care while using one?
Ramiro Polla on December 12, 2007 5:51 AM
Just like was posted in the previous posts about running as non-admin, I would like to point to Sudowin: http://www.lostcreations.com/sudowin/sudowin
Since I use that program I have had not a single problem running as a normal user.
Of course one problem that you could have is that a virus could wipe out all YOUR files but not those of others. Unfortunately, on my home system my files are approx. all the files on the computer.
Which leads to the other important thing everybody should do: backups!
Maybe an article about how TimeMachine revolutionizes backups?
(I don't know, don't have Leopard yet)
Joel Eidsath: and how were those Unix boxes owned? Via the HTTP server process, I presume? And I'll bet the hole wasn't even in Apache (or whatever you're running) but in a poorly secured PHP application. Well, regular users won't run an HTTP server, and a developer (like me) will probably have it behind a firewall.
As for a trojan attacking my user account, that's of course perfectly possible. But it would have very few places to hide, and I can spot it at a cursory check. Which, of course, isn't true about your regular Joe, but this just proves that social engineering is the single biggest threat to security.
Felix Pleoianu on December 12, 2007 6:14 AM
Ultimately, a virus that just deletes your data is:
1) really quite sad (it's about the same level as telling n00bs on the internet to type in rm -Rf /); and
2) pointless (you might care about your data, but -- in the majority of cases -- why should anyone else?).
15.7KB of post and comments, and only one person mentions the possibility of using a whitelist, albeit dismissively.
Do whitelists not work either? They don't have the same scaling problem as blacklists.
I would feel much safer, even on my userland Mac, if any binary or script that didn't match a list of known-safe signatures was executed in a sandbox. I'm sure that I could be tricked into whitelisting something nasty, someday. But at least the attacker would have to be trying, which is a lot better than the current state of the game.
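The allowlist idea from the comment above (treat any binary or script that does not match a list of known-safe signatures as untrusted), as an added example that is not part of the original thread. The class and function names, the three verdicts and the use of SHA-256 digests as the "signatures" are assumptions of this example, and the sample files are constructed.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


class Allowlist:
    """Per-user allowlist: resolved path -> SHA-256 digest approved for it."""

    def __init__(self):
        self.approved = {}

    def approve(self, path):
        """Record the current content of one file as known-safe."""
        real = os.path.realpath(path)
        self.approved[real] = sha256_file(real)

    def approve_tree(self, root):
        """Approve every regular file under root, e.g. right after an install."""
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                full = os.path.join(dirpath, name)
                # Skip symlinks: a link is judged by its target at run time.
                if os.path.isfile(full) and not os.path.islink(full):
                    self.approve(full)

    def decide(self, path):
        """Verdict for a file that is about to be executed."""
        real = os.path.realpath(path)
        try:
            actual = sha256_file(real)
        except OSError:
            return "unknown"   # unreadable or missing: never treat as approved
        if actual in self.approved.values():
            return "allow"     # content matches something already approved
        if real in self.approved:
            return "changed"   # approved path, different bytes: ask again
        return "unknown"       # never seen: sandbox or deny


def demo():
    """Constructed sample: two approved programs, then a change and a download."""
    with tempfile.TemporaryDirectory() as tmp:
        apps = Path(tmp, "apps")
        downloads = Path(tmp, "downloads")
        apps.mkdir()
        downloads.mkdir()
        (apps / "editor.bin").write_bytes(b"editor build 1")
        (apps / "player.bin").write_bytes(b"player build 1")

        allow = Allowlist()
        allow.approve_tree(apps)

        # After approval: one program is modified and new files appear.
        (apps / "editor.bin").write_bytes(b"editor build 1 plus appended code")
        (downloads / "codec.bin").write_bytes(b"never approved")
        (downloads / "player-copy.bin").write_bytes(b"player build 1")

        targets = [apps / "player.bin", apps / "editor.bin",
                   downloads / "codec.bin", downloads / "player-copy.bin",
                   downloads / "missing.bin"]
        return {p.name: allow.decide(p) for p in targets}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16} {verdict}")
```

A `changed` or `unknown` verdict is the point where a real system would sandbox the process or ask the user; the list never grows with the number of threats, only with the number of programs the user approves.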
Blacklists work perfectly fine for my awesome ad/popup blocker, AdBlock Plus. Every other month (seriously) one gets through, and I have to manually add it. But it catches SO much that often I forget that normal people still have an ad-littered internet.
As for viruses, I think that topic is widely misunderstood and misinterpreted (by Jeff too). For starters, there is no reason why viruses would need admin rights, they just use them because right now they can. You think if tomorrow everyone would stop using the admin accounts viruses would be dead? That idea alone is ridiculous. Also, only a small percentage of viruses actually intentionally damage your PC. Most try to do some annoying stuff, true, but the chance that a virus will eat all your files is next to zero.
J. Stoever on December 12, 2007 6:27 AM
On Windows, I think that most virus and other bad things seem to come from using Outlook (Express) and/or Internet Explorer. If you don't use either of those apps, your chances of picking up anything bad go way down.
In fact, on my Windows machines I have recently removed all my anti-virus software. In years of running Windows, I have never had a single virus detected.
However, I've fixed plenty of people's computers who have become infected and they did have anti-virus software, but it typically wasn't up-to-date (and they were using IE and Outlook). I've switched them from those apps and any issues went away.
Paul Lefebvre on December 12, 2007 6:36 AM
(1) I agree that realtime antivirus scanning on Desktops is absurd, but virus scanning is a necessity for e-mail servers. I had several accounts that got 100,000+ viruses a day during the MYDOOM/NETSKY crisis. My mail reader and my mail server both ran Linux, but that didn't keep my /var partition from filling or my e-mail client crumbling under the load. Virus scanning eliminates one major category of BS that mail server administrators need to deal with.
Similarly, I've created several systems that accept uploaded files in MS formats. Malware scanning at that point doesn't stop bespoke attacks, but it prevents incidents that waste time.
I haven't seen false positives to be a big problem with malware scanners. In the last ten years I've seen one false positive for a virus scan... And I've dealt with the consequences of 10,000+ false positive "spam" emails.
(2) It's completely wrong that the UNIX permission system stops virus activity on UNIXoid systems. It's entirely possible for an email virus to:
(a) Attack an e-mail client via a buffer overflow
(b) Install itself in the user's account
(c) Add itself to a cron job that belongs to the user, to the .xinitrc, .cshrc or other place that will cause it to run whenever the user is (or isn't) logged in
(d) Connect to port 25 (and other ports) on other hosts: propagate itself
(e) Hijack the email sending mechanism of a user's e-mail client, or login credentials for sending email
(f) Install keylogging software, steal data that belongs to the user, etc.
(g) Port scan, serve as a proxy and otherwise be a stepping stone to attack other machines
(h) Open ports above 1024; become part of a botnet
(i) Send spam email
That's more than enough to support viable malware. Yes, having a secure "root" domain makes it easier to clean up the mess later, and prevents malware from boogering the kernel and/or userspace to hide its activities. But so what?
People don't attack Linux because there are far fewer Linux machines, and the software they use is less homogenous. Nothing dominates the market like Outlook in the Linux world... An attack on a particular e-mail client would only affect 10% of Linux users if that -- and Linux users are 1% of the market.
Why spend time developing malware that works on 0.1% of users when you could write one for windows and infect 50%?
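Steps (b) and (c) in the comment above need no root, so a defender's check is to list what the user's own startup files and crontab launch and to flag targets that live where the user, and therefore any code running as the user, can write. This is an added example, not part of the original thread; the file list beyond `.xinitrc` and `.cshrc`, the function names and all sample paths are assumptions or constructed.

```python
import os
import shlex
import stat
import tempfile
from pathlib import Path

# .xinitrc and .cshrc are named in the comment; the other two are assumed extras.
RC_FILES = (".xinitrc", ".cshrc", ".profile", ".bashrc")


def cron_command(line):
    """Return the command of one crontab line, or None if it schedules nothing."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith("@"):                 # @reboot, @daily, ...
        parts = line.split(None, 1)
        return parts[1] if len(parts) == 2 else None
    parts = line.split(None, 5)              # five time fields, then the command
    if len(parts) == 6 and "=" not in parts[0]:
        return parts[5]
    return None                              # VAR=value or malformed line


def path_tokens(command, home):
    """Yield absolute paths mentioned in a command, expanding ~ and $HOME."""
    try:
        tokens = shlex.split(command, comments=True)
    except ValueError:                       # unbalanced quotes: fall back
        tokens = command.split()
    for tok in tokens:
        tok = tok.replace("${HOME}", home).replace("$HOME", home)
        if tok.startswith("~/"):
            tok = home + tok[1:]
        if tok.startswith("/"):
            yield os.path.normpath(tok)


def user_writable(path, home):
    """True if the target sits in the audited home or a world-writable directory."""
    if path.startswith(home + os.sep):
        return True
    try:
        return bool(os.stat(os.path.dirname(path)).st_mode & stat.S_IWOTH)
    except OSError:
        return False


def audit(home, crontab_text=""):
    """Return (source, target, exists) for autostart entries that run user-writable code."""
    home = os.path.abspath(home)
    cron = [c for c in map(cron_command, crontab_text.splitlines()) if c]
    sources = [("crontab", cron)]
    for name in RC_FILES:
        rc = Path(home, name)
        if rc.is_file():
            sources.append((name, rc.read_text(errors="replace").splitlines()))
    findings = []
    for source, commands in sources:
        for command in commands:
            for target in path_tokens(command, home):
                if user_writable(target, home):
                    findings.append((source, target, os.path.exists(target)))
    return findings


def demo():
    """Constructed home directory and crontab text; findings are relative to home."""
    crontab = "\n".join([
        "MAILTO=ops",
        "*/10 * * * * /usr/bin/fetchmail -s",
        "@reboot ~/.config/autostart-helper/run.sh",
    ])
    with tempfile.TemporaryDirectory() as home:
        Path(home, ".xinitrc").write_text(
            "# start the desktop\n$HOME/.cache/.upd/agent &\nexec /usr/bin/startxfce4\n")
        Path(home, ".cshrc").write_text(
            "setenv EDITOR /usr/bin/vi\n~/.local/share/sync-helper --quiet\n")
        agent = Path(home, ".cache", ".upd", "agent")
        agent.parent.mkdir(parents=True)
        agent.write_text("#!/bin/sh\n")
        base = os.path.abspath(home)
        return [(src, os.path.relpath(target, base), exists)
                for src, target, exists in audit(home, crontab)]


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real account the crontab text would come from `crontab -l`; entries pointing at root-owned system paths are not reported, which is the only protection the permission system gives here.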
I beg to differ: blacklists, specifically for spam, can help if the context in which they are used is very narrow. Speaking from experience, mail filters and firewall rules tailored for a specific mail server can cut down the volume of junk mail by more than 90%.
Trying to extend the blacklist approach from the specific context to the general case is where the wheels come off the cart. What works reasonably well as a first line of defence against spam for a small shop will become unmanageable the wider you have to cast the net, e.g. how often you have to update the spam mail search patterns, or the IP address ranges you block.
Also, how you choose what to put into the blacklist will differ between a company's internal mail management and, for example, if you have to cater users for which you offer webmail services. If the blacklist is still "sharp" enough for one scenario, it becomes a much blunter tool if you have to include both, or more.
In the end it's a trade-off. What kind of resources are you willing to spend to keep your mail server operational? And a blacklist, or a combination of several such lists, may be more effective than a different solution that consumes more resources (memory, CPU time, false-positive rate, etc.).
olsen on December 12, 2007 6:46 AM
Amen! to the non-admin user account.
I surf the web using a limited account. I've yet to get anything more serious than tracking cookies. I think I got hit with 1 virus in the 4 YEARS I've had the computer. The anti-virus killed it and we're back to good again. I'm not sure I agree with you on the no antivirus, but I DO agree with the limited user account.
Besides, if I *need* admin access, I'll just right click and "run as" my admin account. Best of both worlds.
wes on December 12, 2007 7:04 AM
My biggest problem with the Windows non-Administrator user is that some programs have an automatic startup configuration (ADOBE in particular) that needs to complete for every user... but can't if you're not Admin. Really annoying. Even Firefox has problems with its auto-update. You have to log back in as admin, and then re-log as your user.
Hutch on December 12, 2007 7:27 AM
Not all blacklists are ineffective.
Adblock is a perfect example of a blacklist that works. It blocks out all those flashy bright annoying ads. It won't fool the smarter advertisers, like Google, but it gets rid of most.
Brian on December 12, 2007 7:30 AM
Jeff, relax, you're not always right and there is not always a simple solution.
Yes, running as a non-Admin is better, but not always practical.
I would never run Norton, which is a fat pig, but have been running Avira AntiVir for several years (the free version) and am very happy.
I also use a router, and rarely get a virus. What is more annoying is the crap that Ad-Aware blocks.
When a rant is spot on 100% correct does that make it not a rant?
Andy C on December 12, 2007 7:40 AM
I think Josh's comment is on the right track. Jeff, your claim that not running as an administrator magically makes the user invulnerable to viruses is just plain wrong. There are whole categories of attacks (Josh mentions most of them: DDOS, data loss/corruption, e-mail, etc.) that running as regular user will absolutely not protect against.
How about this: you convince users that antivirus software is worthless, and I'll write a virus that scans through a user's documents and web cache looking for credit card information, SSNs, and other personal information and then e-mails it to myself using a webmail system, all of which can be done without elevation in a non-admin account on a reasonably-configured system. We'll split the proceeds 50/50.
Nathan on December 12, 2007 7:41 AM
disappointingly naive.
Xepol on December 12, 2007 7:43 AM
Can we switch to whitelists? They seem to be much more reliable in security. Of course, they don't scale up very well, but for desktop - they don't have to.
I mean, let the system do an md5 hash of each executable (DLL / etc. as well) I install and then warn me if something runs that's outside of that list. Then I can add it to my whitelist or deny.
I don't install / upgrade software too often.
Jakub Kocureq Anderwald on December 12, 2007 7:51 AM
Spam in email has been largely defeated by Bayesian spam filters.
That's at odds with the article, which says:
"Spammers register dozens of new domains each day; you can’t possibly keep up with them. They’re bigger and smarter and faster than you. It’s an arms race, and you’ll lose, and along the way there will be casualties, massive casualties as innocent bystanders start getting blacklisted."
Which is it? Is there a spam problem, or has it been `largely defeated` or are both statements true?
Dave on December 12, 2007 8:02 AM
I would love if my Windows box worked the way my Ubuntu test box worked (unfortunately, I ended up with just enough gam.. I mean, "applications" that were Windows only to make the switch).
You install software, a nice popup asks for the admin password. Took three seconds to type it in, and that is small change in the usual download-unpack-install-configure process.
The point is that a virus can't set itself up to run every time you boot windows, in a really nasty and hard-to-get-rid-of way, unless you're running as admin.
Claudiu on December 12, 2007 8:09 AM
Do this, on a Windows Machine (ALL of this):
http://forums.tweaktown.com/showthread.php?s=8c20469080ebaac688073e175d7aa796t=25596
You won't get any virus/spywares, period, if you do the CIS Tool test, practice some common sense be smart!
APK
P.S.= It's HOW to secure Windows 2000/XP/Server 2003, yes, EVEN VISTA (via principles used) really... No virus/spyware etc. here, same setup since 2002-2003... apk
APK on December 12, 2007 8:10 AM
"Like Mark, blacklists make me angry."
Mark makes you angry? :)
Roberto on December 12, 2007 8:12 AM
It doesn't matter. What prevents a virus from running "rm -rf $HOME/*". Most users will store their data in their home directory as I do on my unix machine (OS X and Linux). I don't do chgrp on my data because I need to access it and I don't want to have to enter passwords for my data each time I access it.
It's a lost cause and a virus scanner is the only tool that will prevent a fair bit of the available viruses.
While this is a bad way of thinking, are system resources at that much of a premium anymore? This more than anything else is the cause of the AV bloat I see. And at least some companies are addressing that speed issue for real-time scanning.
As for the full system scans, run them overnight, or while you are out. It's the same with any system resource intensive maintenance.
But, I would love to see whitelists for AV programs. Move to the deny all except those allowed explicitly to run, and *poof* most AV software is no longer needed. If the program changes, it asks again for permission, but none of this constant Cancel/Allow stuff.
Sounds like my firewall.....
Scott on December 12, 2007 8:23 AM
So all those times my anti virus scan my pc and used all my resources it had a to-do list? Software that does not work = crap and should be treated as such. If you are worried about your data and maybe backing up isn't enough for you then:
1. Get yourself an external hard drive (a big one) or an 8GB (or more) pen drive. NB: this storage device is only for backing up and nothing else, DO NOT use it to transfer files.
2. Every day after work make archives (using WinRAR) of your data and store them on your HD or pen drive.
3. Repeat step two (2) every day and you should be fine.
I would imagine almost everyone reading this post could live pretty well without AV software. But we're not the ones who cause a considerable amount of collateral damage through our foolishness.
Imagine your small office, maybe a local real estate agent or your dentist, with no real IT supervision, people install whatever cute dancing kitty thing on their PCs, and get suckered into who knows what. They're the ones who need oversight and discipline, and yet are the least available to help themselves in that respect.
As for old viruses, they're not gone. I still get old viruses attached to e-mails in my inbox. For me, having AV software installed is like driving defensively on the turnpike. I try to be more aware because I know there are other morons who are drunk, falling asleep, on the cellphone, whatever. I have AV on my machine because it's valuable to me, and I know there are idiots out there who I have to interact with who don't have AV.
RJD on December 12, 2007 8:39 AM
I run as an administrator every day, and the ONE time I've gotten a virus in about the last two years was when somebody used my computer and downloaded a codec somewhere that carried the nasty bugger right in through it. Here's the kicker, I was running anti-virus, and it didn't do a damn thing to stop or remove the virus. I had to manually diagnose and remove the virus from my system.
The lesson I come away from that with is very simple. If you work intelligently on your computer, install updates, don't open suspect e-mails, and only download from trusted sources, then you won't have a problem. The only way someone can sneak past those defenses is with some sort of aggressive network attack, and that's what the firewall is for.
The vast majority of people who I see with viri have them because they're doing something horribly stupid on their computer, like running the bane of my existence, LimeWire. I have yet to find one person who ran LimeWire on a Windows system and came away virus-free. My roommate, who also runs anti-virus, caught a virus a few weeks ago, and when I took a look at his computer I found a LimeWire shortcut and handed it back to him. I told him to just back up his music, wipe the computer, and never run LimeWire again.
Anti-Virus computers worked well something like 10+ years ago. Back before you had every eastern european kid with a laptop and 10 minutes writing some new exploit about once a week. Now, they're nothing more than a "warm and fuzzy" for users who don't really know how to protect themselves.
Mattkins on December 12, 2007 8:49 AM
I absolutely agree with the tone of this post. I don't use an antivirus for quite a few years now - and life is beautiful.
After I read your earlier post about performance issues caused by antiviruses, I wrote a short story that explains how to live without an antivirus: http://www.lazybit.com/index.php/a/2007/08/05/why_i_dont_use_an_antivirus
Blacklists should be replaced with whitelists - each user has their own list, and maintains it themselves, so that they don't depend on a vendor (who can require fees for each update). This is bad news for antivirus companies, because users don't depend on them anymore.
Once I whitelist all the programs _I_ use, I don't care about all the other programs out there. While the number of threats is infinite, the number of programs I run is finite - so I won't bother trying to count the uncountable, and focus on the countable instead.
Alex Railean on December 12, 2007 8:57 AM
Blacklists didn't USED to work.
They do now.
Most of the spam that gets through my Gmail spam filters nowadays, however, is from "legitimate" marketers with real email addresses. Conde Nast/Gourmet are among the very worst, but SONY is another bad actor.
Blacklists work very well for these senders.
It is ironic that a decade after they became obsolete blacklists are back again.
John Faughnan on December 12, 2007 8:58 AM
I saw one other comment mentioning this, but I thought it was an important enough point to bring up again. You're correct in saying that signature based virus and malware detection is nearly pointless, however there is another option.
BEHAVIORAL based detection. Instead of trying to classify threats based on signatures you already have, it is cheap and almost trivial to classify a process as harmful by what it is trying to actually do to your system.
This isn't the same as Vista's UAC where a user would be asked about every action. This involves observing normal use of the system to develop a set of rules for what certain programs should and shouldn't be allowed to do. With these rules set up correctly, protection is nearly transparent to the user, I've seen it done.
J on December 12, 2007 9:00 AM
Stupid Kaspersky group scheduled scan runs all day every day at work!
Man does it suck!!!!!!!
Joe Beam on December 12, 2007 9:07 AM
I don't run any AV on my computers at home because I think the overall chance of getting a virus is low. If you pay attention to what you're and what you're opening, then you'll be fine. There are exceptions, of course, but overall that thinking has worked well for me.
And part of me thinks AV software is just a scam that feeds off people's fear and paranoia of technology. My father is into his 60s now and has a great fear of his computer, even though he's been using one for almost 20 years now. He won't NOT run AV software no matter what I say, but then he also bitches when his computer starts dragging ass because the AV is running in the background.
If you do feel you need AV then you can't bitch about your computer dogging at boot-up and when things load and open.
Morning Toast on December 12, 2007 9:07 AM
The thing that Vista does with trimmed and normal tokens is as good as running as non-admin for most users. (My sister is an exception. She has to be kept as a regular user lest she download and install some spyware-laden program in order to download music.)
Elevation is implemented pretty well. Since I fully set up my box I had to elevate privilege at most once a week, so it's not a giant pain in the ass as some depict it.
But let's talk about threats: What's happening right now is either turning PCs into botnets or phishing of financial details. Both are done wholesale and not on an individual basis. It's very rare that somebody is after your data.
Regarding the probability of ignorant users becoming parts of botnets, it's only a question of time when trojan authors will start checking whether the process they have hijacked has admin privileges and then install it under user's startup folder instead of getting into the machine startup.
With regards to financial details the situation is much better. Create a separate account for logging into your bank. If both your normal account and the separate account are not admins, the chances of you getting hit by something are minimal.
Dejan
Dejan Jelovic on December 12, 2007 9:10 AM
It's interesting that you mention Kaspersky. This last week, their heuristic detection mechanism (whatever trade name they call it) started picking up our company's software as "suspicious activity" and quarantined our main executable. Fantastic. After some analysis, it turned out that the activity it was picking up as suspicious was a process priority reset from Normal to Below_normal which we do to prevent long running, ~10 minute, calculations from tying up the CPU bandwidth and degrading performance for short running, ~2-5 second, calculations. A bit over aggressive on the part of the AV, if you ask me.
Steve Bush on December 12, 2007 9:24 AM
Um, even if you run as non-administrator on a Windows box, you still need anti-virus, because somewhere on your computer, something is running as an admin, whether you like it or not, and it was likely coded by chuckles the microsoft programmer, to whom "security" was not even an afterthought.
So a worm/trojan/spyware/malware/baddie/baddite will come along and use a security exploit and Privilege Escalation (http://en.wikipedia.org/wiki/Priviledge_escalation) to run as Admin on your machine.
Chris Wilson on December 12, 2007 9:34 AM
Great article, it touches on things I have been advocating for years. I used antivirus software for a couple years back in the late 90s and realized I was still getting viruses. I used to work as a tech and learned much better ways of handling this without costly antivirus software (costly being CPU and resource usage). There is great software out there for ghosting a machine, creating disk images that will not take up disk space and refresh your system back to the way you want it.
Also, you can always reformat your machine which is what I was doing for a while. But then you have to always reinstall everything. That was costly in time, which is valuable. So in my humble opinion it is best to create a ghost image of your machine how you want it, all your software set up and the settings you prefer. Then when something goes bad just reload the image. There are some small costs I should outline. First, every time you add new software you use often you must create a new image, but how often does that happen? One might also argue every time they do that they will lose their data. But that isn't true; media and drives are so cheap now that all usable or valuable data should be kept on those mediums so as not to be affected by this process.
Lastly, working with images is a bit tricky at times. It takes some knowledge. But once you get it down it will save you time, money and the headaches that come along with dealing with viruses, spyware and everything else. Oh, and as a fellow developer, it doesn't restrict your development process by running as a non-admin, which I love! Hope my 2 cents is helpful.
Matt Geiser on December 12, 2007 9:42 AM
Jeff hit idea #2 of the six dumbest ideas in computer security: http://www.ranum.com/security/computer_security/editorials/dumb/ and I totally agree. It is just a scaling issue.
If you want to visit the secret war room like in "Dr. Strangelove" they don't let 6 billion people in but then check to see who they should kick out, nope, they probably have a list of who should be in there in the first place. If you aren't on the list, you don't get in, or at least must have a good reason. I agree with the other Chris about whitelists, it makes the problem more *tractable* at least. You have a list of things that are permitted in memory and that's it. You can add a new program to this list, and this is a security hole, yes *but* maybe you should examine the source before you do so? Closed source? Why use it? How valuable is your data?
Chris on December 12, 2007 9:53 AM
Even when running as non-administrator but with the administrator password, when malicious code wants to make system calls (let's say in Vista), I would expect to see an "allow" or "continue" button. I would believe most users (or those who don't read your blog) would naively click allow/continue (or type in the admin password).
Viruses are commonly hidden in software people download. Most people want no hassle software and click through whatever they think the system requires for them to get their software.
I am not an average user, but being a software engineer, I am also the proclaimed family IT specialist (such a burden on many of us in technology!). This is probably the #1 reason for infections or malicious code execution in my experience.
This is why anti-virus software is important. I think it compensates for an average user's naiveté.
Jerry on December 12, 2007 9:54 AM
Hey dude, your blog is great. It makes me want to blog too. Today's topic is pretty silly though, but at least it's doing the blogger's job of creating a dialogue here.
Anyway instead of leaving my comments on the issue, I thought I'd blog about it too!
http://fuzzyschemes.blogspot.com/2007/12/naive-computer-security.html
Nice article, Jeff!
John DSouza on December 12, 2007 9:56 AM
You could enforce security with a whitelist, but you cannot stop end-users from adding harmful applications to that whitelist. Especially if the file comes from someone they trust.
techy on December 12, 2007 9:58 AM
i tried running as a non-administrator in windows xp for quite a while. my xp partition is solely for gaming and all my email, picture printing, browsing, etc. is done in vista.
i really wanted to play games as a non-administrator. really. i created an administrator account called "installer" and a different "limited account" to run my games. i'd install a game as the installer user, log off, then log in with my gaming account to play.
first i had problems running my saitek programming software. research revealed this program can't run without some admin privileges. after modifying permissions for specific registry keys i had it working.
the next problem is that anytime there is a game patch released i'd have to jump through hoops to get it installed. here's how it would go:
1. log in with limited account to surf web and download patch
2. log off
3. log in with administrator account to install patch
4. log off
5. log in with limited account again to play the game
what a pain.
some games won't even run if you aren't an administrator.
others will exhibit very odd behavior. for example, the original soldier of fortune game was well known for its over the top gore. i installed this game with my installer account. when i went to play it with my gamer account--no gore!?! even performing a "run as..." with admin privileges would not show the gore. i even went into the registry and gave all the soldier of fortune entries admin privileges. no gore. only if i played the game with an administrator account would i see the game how it was intended to be seen.
after about 6 months i gave up, deleted the installer account and made my gaming account an administrator account.
cowgod on December 12, 2007 10:00 AM
"There's almost nothing a virus, malware, or trojan can do to a user who isn't running as an administrator."
Even if you're not admin/root/superuser/whatever your OS calls it, a virus/malware/trojan could still write to every file your user-account has write-access permissions for (e.g. all your documents, any songs you've composed, your music, picture and movie collection, etc.) which is pretty much all the files I care about.
If I had to choose between losing my personal data files and losing core system files, I'd rather lose core system files, because I can always just reinstall the OS (whether that OS be Windows, Mac or *nix). I can't just "reinstall" my personal data files.
Nebu Pookins on December 12, 2007 10:04 AM
When running as non-administrator basically this happens: you can not destroy or otherwise modify 'important' system data. Included in that is that you can only modify your _own_ data. But think of it, what is more important to mister I-only-write-documents? His 'C:\'-disk that he can repair with one button and a manual of his PC, or his 'My Documents' with all his work documents that he forgot to back-up in the past month?
I am not trying to say that running as non-admin is a _bad_ thing, I'm just saying that for average Joe it is nothing at all better than running as admin.
Thomas on December 12, 2007 10:04 AM
"Why perpetuate the broken anti-virus blacklist model when we don't have to?"
well, I believe as of now, we HAVE TO.
no offence, but blacklisting does save my ass from hundreds of viruses from flash drives and public machines...
well look at Vista and the future I think MS already heard you but it might take some time... I guess you'll just have to be patient! I believe everyone already realizes part of that it'll just take some time.
nekocoder on December 12, 2007 10:13 AM
I am of the opinion that most people expect too much of AV software. Most people draw the wrong assumption, and it is because of misleading advertising strategies, that AV software actually protects you from threats. AV software is supposed to complement good practices as a user, proper configuration of the machine/network etc.
What they -AV developers- should be doing, is advertising that their software eliminates the hassles of older and known threats as well as most 'strains' of these, and then take a pro-active position in actually warning their users and potential users that the world is an evil place, with new undetectable threats arriving daily that are not going to be blocked until they get a chance to dissect, classify, and send out the detection update.
In all honesty, I'm thinking that the best thing any AV company could ever do is to abandon the age-old tactics and start from the ground up, a new attitude and less gimmicks. We need to start towards a system that looks for behaviours in running processes. The amount of triggerable events that can be defined as being 'harmful' would be far smaller than any blacklist or detection signatures.
Jeff,
Write another article discussing how much damage a virus could do if you were running Windows in non-admin user mode. Suppose you visited a website that hijacked Firefox with a buffer overflow, and the website installed a virus-infected version of Firefox with a keylogger. It installs firefox binaries within "My Documents" folder, so it doesn't need any special permissions. It changes the links on the Desktop to launch this infected version.
The next time you ran firefox you would have no clue that firefox was infected with a keylogger. Finally you go to your bank site and every key is logged and sent to a remote host. A browser can encrypt your information and send it to the bank securely, but if the client is hacked, who can you trust?
Scary.
Kashif Shaikh on December 12, 2007 10:22 AM
running anti-virus software in the largest virus in the world is an oxymoron.
john Phillips on December 12, 2007 10:30 AM
I haven't run a virus scanner on my desktop during my working life (I work as a .NET developer, previously Win32 and some Java on Linux).
I've yet to cause any problems on the corporate network (going on eight years sans a scanner now).
I don't run one at home either. It's pointless, and I never intend to.
nexusprime on December 12, 2007 10:30 AM
I enjoy the feeling of security I get from running Linux, but even back when I was running Windows I was able to avoid (visible) malware just by never using Internet Explorer and always running questionable executables (e.g. keygens) in a virtual machine.
I agree with you about blacklisting, but I think you're overestimating the value of not running as admin. The most important files to me are my personal data, my source code and writings and pictures I've created, etc. I can easily and quickly reinstall and setup Linux, but my personal data is irreplaceable.
James Justin Harrell on December 12, 2007 10:37 AM
Check out sudown for Windows machines. No need for AV.
Bob on December 12, 2007 10:43 AM
I can easily and quickly reinstall and setup Linux, but my personal data is irreplaceable.
Then of course you regularly back up your personal data, right? To an off-site host (typically, "The Internet")? Many services out there make this easy, such as Mozy (http://mozy.com/) and Carbonite (http://www.carbonite.com/).
Again: I want to encourage things that work, things that make sense. Anti-virus is neither. I do believe regular backups fit both of these categories.
Now all we need is a primitive anti-virus and a much heavier focus on decent backup tools - which is good for more than just virus damage. That seems to me a much more logical way to proceed. People are currently so focused on an impossible prevention they don't spend enough time worrying about how to recover from it.
Exactly.
Jeff Atwood on December 12, 2007 10:46 AM
I love the folks who install three anti-virus-"solutions", and another two personal firewalls, in addition to the built-in firewall.
All active simultaneously, of course.
They really believe that they are this way more protected.
In fact, they are, but only because nearly nothing runs any more.
They effectively managed it this way, to block all auto-update functions, which led to year-old programs like quicktime, full of buffer-overflows.
But they just feel safe, because they threw money away.
It's a little bit like snake oil.
If you promise you solve a problem, and they only have to pay, instead of learn, most people prefer to pay.
Even if the solution is proven to fail mostly.
I run as admin all the time and don't use any anti-virus software. The only thing I do not run as admin (via DropMyRights) is firefox and thunderbird. Where else am I going to get a virus? A floppy disc boot sector virus? uhh...right. Don't download executables from unknown locations and you'll be fine. I think the last time I had a virus was pre-1990. And yes, it was from a floppy boot sector virus.
Tim on December 12, 2007 10:59 AM
The comments to this entry are closed.