programming and human factors
by Jeff Atwood
Jon Galloway and I got into a heated debate a few weeks ago about the efficacy of anti-virus software. My position is that anti-virus software sucks, and worst of all, it doesn't work anyway. That's what I've been saying all along, and it's exactly what I told Jon, too:
The performance cost of virus scanning (lose 50% of disk performance, plus some percent of CPU speed) does not justify the benefit of a 33% detection rate and marginal protection. I would argue the illusion of protection is very, very dangerous as well.Ask yourself this: why don't Mac users run anti-virus software? Why don't UNIX users run anti-virus software? Because they don't need to. They don't run as administrators. Sadly, the cost of running as non-admin is severe on Windows, because MS made some early, boneheaded architectural decisions and perpetuated them over a decade. But the benefit is substantial. There's almost nothing a virus, malware, or trojan can do to a user who isn't running as an administrator.
I believe we should invest our money, time, and effort in things that make sense, things that work. Things like running as a non-administrator. And we should stop wasting our time on voodoo, which is what anti-virus software ultimately is.
To be fair, anti-virus software is more effective than I realized. In the August 2007 Anti-Virus Comparatives, the lowest detection rate was 90%, and the highest was 99.6%.
But I have a problem with the test methodology that produced these results. If we build a library of tests using all the viruses and malware in all of recorded history, we'll get an absurdly high detection rate. But who really cares if Kapersky can detect a year old virus, much less a three or four year old one? What matters most, I think, is detection rate for new threats. That's what's really dangerous, not some ancient strain of a long-forgotten DOS virus. I'm sure anti-virus vendors love comparatives like this. It makes for great ad copy: we can detect 99.7% of threats! The bad news, which is hidden by a footnote marker and placed in 4-point text at the bottom of the page, is that 99.3% of them are so old as to be utterly irrelevant and meaningless. (Update: in a comment, Anders pointed out that a November 27th "proactive/retrospective" test (pdf) from the same site, using threats only a month old, showed far lower detection rates: between 80% and 33%.)
We could appeal to the data. Of the top 5 threats on the virus radar, only one is younger than six months. However, the youngest dates from December 4th, a mere eight days ago. And it only takes one. If anything gets through your anti-virus software, you're just as compromised as you would be if you were running no anti-virus software at all.
But for now, let's assume these comparative statistics are correct. The heroic anti-virus teams can detect 99.7% of all the evil code in the world, and protect you from them, in the name of truth, justice, and the American Way. But it's far from automatic. It only works if you stick to the plan. You know, the plan:
Wow, not much can go wrong there. And then you only have a 0.33% chance (or a 20% chance, depending which set of data you believe) of getting in very big trouble. Problem solved!
Or you could just, y'know, not run as an administrator, and then you'd never have any chance of getting in trouble. Ever. Well, at least not from trojans, malware, or viruses. But evidently a few children's programs fail to run as non-administrator, and programming as a non-administrator is difficult, so that's a deal-breaker for Jon.
After a lot (really, a lot) of back and forth with Jon on this topic, I realized that my position boiled down to one core belief:
Blacklists don't work.
At its heart, anti-virus software is little more than a glorified blacklist. It maintains an internal list of evil applications and their unique byte signatures, and if it sees one on your system, kills it for you. Sure, anti-virus vendors will dazzle you with their ad copy, their heuristic this and statistical that; they'll tell you (with a straight face, even) that their software is far more than a simple blacklist. It's a blacklist with lipstick. It's the prettiest, shiniest, most kissable blacklist you've ever seen!
I could waste your time by writing a long diatribe here about how blacklisting is a deeply flawed approach to security. But I don't have to. We can turn to our old friend Mark Pilgrim for the most radical deconstruction of blacklisting you'll probably ever read.
I see from Jay's Comment Spam Clearinghouse that the latest and greatest tool available to us is a master [black]list of domain names and a few regular expressions. No offense to Jay or all the people who have contributed to the list so far, but how quaint! I mean really. Savor this moment, folks. You can tell your children stories of how, back in the early days of weblogging, you could print out the entire spam blacklist on a single sheet of paper. Maybe with two or three columns and a smallish font, but still. Boy, those were the days.And they won't last. They absolutely won't last. They won't last a month. The domain list will grow so unwieldy so quickly, you won't know what hit you. It'll get so big that it will take real bandwidth just to host it. Keeping it a free download will make you go broke. Code is free, but bandwidth never will be. Do you have a business plan? You'll need one within 6 months.
And then people will start complaining because a regex matches their site. Or spammers will set up fake identities to report real sites and try to poison the list. Are you manually screening new contributions? That won't scale. Are you not manually screening new contributions? That won't work either. Weighing contributions with a distributed Whuffie system? Yeah, that's possible, but it's a tricky balance, and still open to manipulation.
It's all been done. It's all been done before, and it was completely all-consuming, and it still didn't work. Spammers register dozens of new domains each day; you can't possibly keep up with them. They're bigger and smarter and faster than you. It's an arms race, and you'll lose, and along the way there will be casualties, massive casualties as innocent bystanders start getting blacklisted. (You do have a process for people to object to their inclusion, right? Yeah, except the spammers will abuse that too.)
Oh, and it goes on. That's a mere slice. Read the rest. Like Mark, blacklists make me angry. Angry because I have to waste my time manually entering values in a stupid blacklist. Angry because the resulting list really doesn't work worth a damn, and I'll have to do the same exact thing again tomorrow, like clockwork. And most of all, angry because they're a dark mirror into the absolute worst parts of human nature.
I've had plenty of experience with blacklists. A miniscule percentage of spammers have the resources to bypass my naive CAPTCHA. They hire human workers to enter spam comments. That's why I enter URLs into a blacklist every week on this very site. It's an ugly, thankless little thing, but it's necessary. I scrutinize every comment, and I remove a tiny percentage of them: they might be outright spam, patently off-topic, or just plain mean. I like to refer to this as weeding my web garden. It's a productivity tax you pay if you want to grow a bumper crop of comments, which, despite what Joel says, often bear such wonderful fruit. The labor can be minimized with improved equipment, but it's always there in some form. And I'm OK with that. The myriad benefits of a robust comment ecosystem outweighs the minor maintenance effort.
I've also had some experience with the fancy, distributed crowdsourcing style of blacklist. It's a sort of consensual illusion; many hands may make light work, but they won't miraculously fix the fundamentally broken security model of a blacklist. You'll have the same core problems I have with the unpleasant little blacklist I maintain, writ much larger. The world's largest decentralized blacklist is still, well, a blacklist.
So, in the end, perhaps I should apologize to Jon. I suppose anti-virus software does work, in a fashion... at a steep mental and physical cost. Like any blacklist, the effort necessary to maintain an anti-virus blacklist will slowly expand to occupy all available space and time. In philosophical terms, keeping an exhaustive and authoritative list of all the evil that men can do is an infinitely large task. At best, you can only hope to be ahead at any particular moment, if you're giving 110%, and if you're doing everything exactly the right way. Every single day. And sleep lightly, because tomorrow you'll wake up to face a piping hot batch of fresh new evil.
If a blacklist is your only option, then by all means, use it.
With comments, I'm stuck. There's no real alternative to the blacklist approach as a backup for my CAPTCHA. Furthermore, the ultimate value of a comment is subjective, so some manual weeding is desirable anyway. But when it comes to anti-virus we do have another option. A much better option. We can run as non-administrators. Running as a non-administrator has historically proven to be completely effective on OS X and UNIX, where the notion of anti-virus software barely exists.
Isn't that the way it should be? Relying on a blacklist model for security is tantamount to admitting failure before you've even started. Why perpetuate the broken anti-virus blacklist model when we don't have to?
Actually AV software vendors tend to remove all the old and outdated signatures. Otherwise, the sig files would bloat and become massive.
Thus, many of the tested virii are fairly recent and moderately relevant.
Virus scanners are only as smart as their users:
Users who click on every attachment, just because they *have* a virus scanner promising to protect them will still catch a virus sooner or later. That's statistics law, as long as the detection rate does not equal 100%. Which is - as we all know - impossible to achieve, because the virus has to be in the wild, before it can get analyzed and added to the signature data base. IOW: Someone has to get sick before you can invent the vaccine. It'll never work the other way around.
The other sort of users who don't trust their software and think before they execute any kind of software, don't need a virus scanner, because they have a brain doing its job. And the brain's heuristics seem to be much more efficient. ;)
After all, there's this universal truth:
Virus scanner can only show the presence of a virus, never their absence.
That is what makes virus scanners useless as a protection measure. They may have their use as part of an intrusion detection system, though.
P.S. Telling me that a virus scanner actually protects you from getting viruses onto your machine is like telling me that software can get "bug-free by testing".
Vinzent Hoefler on December 12, 2007 11:23 AMThat's why WindowZones exists... it allows Windows users to continue their bad practice of running as admin but it locks things like IE/Mail/etc into non-admin sandboxes. Check it out at WindowZones.com
This is -exactly- the scenario and rationale that the product was created for!
Dave on December 12, 2007 11:37 AMIn my opinion, Microsoft Vista's "Allow/continue" dialog boxes have nothing to do with security for the exact reasons that many people have already commented on: No ordinary user is going to do anything more than click "allow" whenever they are confronted with the dialog. I can't picture my mom (or any of a number of accountants in our company) saying, "oh look... this software is doing something suspicious. Should I allow it?" She's just going to click ahead.
Instead, Microsoft is using the age old method of CYA (Cover your ***). By putting up incessant warnings to the user, when something goes bad Microsoft can claim, "Oh, but we told you about it, so the damage is really your fault."
Steve Bush on December 12, 2007 11:52 AMQuite possibly the most ridiculous post I have seen on your website. Everyone else has your mistakes covered though so I just want to register my disdain for this.
Heywood Kenobi on December 12, 2007 11:53 AMI did not read all your comments (too many). But the notion that nix/OSX does not suffer from malware is because of non-administrator default settings is quite absurd. The reason there not affected is because its not profitable for the malware writer at this point in time, and for no other reason. There is *nix malware, two new ones just this week. Check sophos.
"There's almost nothing a virus, malware, or trojan can do to a user who isn't running as an administrator."
That statement is completely inaccurate. A trojan can steal the data from your home directory and HTTP it back home, no need for administrator there. Malware wants your data, not just your box or root account. And since you run most apps as non-administrator, I think its safe to say that most malware has access to that data.
Chris on December 12, 2007 12:20 PM1) whitelists work fine ... but how do I get mail from people who have not sent mail to me before? - Oh it's in the spam box with the 10,000 spam emails (and since it's an order from a new customer it's the most important email I will get today)
2) Unix security is not just don't run as an admin, it is don't run things just because they are a program as well
A particular buffer overflow exploit will only work on one version of one program, this means that all the users with their autopatched latest Outlook are all the same but the user running another client is less likely to get hit
Buffer overflows, and stupid users will compromise any system, but the other methods of infection are stopped on Unix systems, and the most common one, of a user trying to run the program that someone sent them or they found on a website, is difficult enough to to so that they won't bother
3) Why is Development so difficult to do on Windows without running as Admin? Unix users developed most of Unix without thier development tools running as admin? Is this just Microsoft taking the easy option?
Jaster on December 13, 2007 1:14 AMEver think that maybe some of the folks injecting viruses into the community may be actually "employed" by some of the major anti-virus companies?
It brings me back to an old Charlie Chaplin skit where he is a window replacement salesman and he pays a street kid a few cents to go throw rocks in windows right before he makes his pitch...
Let's not be naive about their intent, and most of all, just be smart in how you guard your computer. With proper precautions you can completely protect your computer for malware.
Mark on December 13, 2007 1:55 AMGreat article. Antivirus software is voodoo but Unix as a personal OS has holes too. For example. . .
Lots of users have a personal bin directory prefixed on their $PATH. They could be tricked into running sudo malware with a file like $HOME/bin/apt-get.
Sudo is often configured to only ask for a password if some amount of time has passed since the last sudo because entering a password constantly is annoying. Unprivileged malware could watch the process list for a user command known to require sudo and time it's attack to gain root privileges by calling sudo itself. It is also possible to never require a password for sudo and I'm sure this feature is used more than it should be.
As pointed out by commenter Joe, malware on unix can still wipe out your data without root privileges.
A good sudo configuration and regular backups are a more general and cost-effective solution than any Antivirus.
Sam on December 13, 2007 5:14 AMVery nice article.
But what do you think should be done? It's fine to shoot down something that doesn't work. But what does work?
Nate Peck on December 13, 2007 5:29 AM@Sam
By default, sudo will tie its password timeout to a given tty, so a malware that's daemonized or running from a user's crontab probably won't be able to use it. It's possible to configure it less securely, and there are sometimes good reasons to, so you're right in general.
Cowherd on December 13, 2007 5:41 AM Anyway instead of leaving my comments on the issue, I thought I'd blog
about it too!
But I'm not reading your blog - I'm reading this one.
Dave on December 13, 2007 5:42 AMI've been reading CH for a long time, possibly most of it's existence. I have to say, this has been one of the best posts I have ever read. And the shear fact of the matter is, it all makes too much sense to me now. I think I have spent too much time messing with what I will have to now refer to as the black list of doom. And I should have been spending my time focusing on the hardware and software of recovery. I'm glad I'm young, as I would have felt like I spent too much time on it if I 10, 20 or 30 years further on. It's still something I don't wish to admit really. I gotta thank you.
On another note, and I don't know that this is the place for it, but my library runs a newsletter, and I would like to ask permission to put CH in the newsletter as one of my site recommendations. It's kinda my thing to ask before I do. So what do you say?
Geoff Sams on December 13, 2007 6:27 AM"Learn to use the Internet." - that's arrogant and nave, WurdBendur. All it takes is one compromised banner ad server serving a surf-by exploit, and bang - you're dead. You don't need to be surfing pr0n sites or downloading warez.
Remember that the problem here isn't to keep power++users, programmers, and *u*x living-in-parent's-basement geeks free from viruses. It's keeping the average Joe safe.
f0dder on December 13, 2007 6:45 AMYour wrong about blacklist, at least in some cases.
Email is one case that blacklist are very effective. Most email providers use DNSBL (DNS Blacklist) to block or filter emails. Some are accurate enough to use before you even except the SMTP connection (spamhaus.org is a good example) others are commonly used in point based systems to increase the probably a message is spam (http://www.surbl.org/)
I can see how this is less effective in comment spam. First blog comments are far less common than email so there is less of a community around building a blacklist. And email servers are meant to talk to other email servers, so having a dynamic IP talking to a mail server is generally a good indication of spam. Blog comments are the opposite, anyone can leave a blog comment so you can't category the traffic as easily.
BTW: I don't run any AV software. I am always behind a hardware firewall (i disable windows firewall) and have auto-updates enabled on all my computers exploits are unlikely. That just leaves user-error, and i trust myself to not be an idiot and open something I shouldn't.
Tony Bunce on December 13, 2007 7:15 AM@Joe
Though this has probably been stated in the comments already, I don't have the time to go through all of them, and since nobody seems to have quoted you on your first point, I'll go ahead and take the honor.
"1) I think the reason that most viruses are written to infect M$ Windows is because it has such a big market share"
Actually, there are alot more reasons than that. While alot of people think that as systems become more popular, the amount of viruses for them will increase, this is only a small part of the matter. In reality, it is nearly impossible to infect a Linux or Mac machine with a virus.
1) Root access. Unless the user is doing something really special, they aren't going to be logged in as an admin, so the code won't be able to run. For administrative tasks, the user authorizes a short session of administrative status. Even in this status, by theory, programs should not be able to take advantage of it themselves.
2) Compatibility. While this is geared more towards Linux than Macs, it is still a valid argument. Simply put, there needs to be several different releases of the said malware, one for each of the major denominations of Linux distributions. Unless, of course, the virus has you compile the source code yourself. But a user stupid enough to compile the source code for a virus is a user that shouldn't be running Linux.
That being said, you could make an argument that programs are able to convince the user to compile them, to convince the user that "Oh, yes, we are legit," but the system is going to return some serious warnings in the meantime. Even after the program is launched, Linux and Macs will do everything they can to shut down the script, and, assuming the user isn't a bumbling idiot, they will succeed.
The bottom line: Macs and Linux computers are not at risk for viruses. Period.
Griff on December 13, 2007 8:07 AMI think we have a lot of people bashing Vista who have never run it.
Reggada holds up Unix-based systems as better because if users try to do something that requires admin privileges, it fails, then you can run it again with sudo to give it admin privileges if you choose. I fail to see how this is better than Vista detecting the app wants to do admin stuff and asking if it should be allowed. Is it better because it's harder?
That plays into the comment that Vista's UAC accomplishes nothing but CYA for Microsoft because it lets them say they warned people. Well, they DID warn people, so their A should be C'ed.
Do you think the Unix approach would make much difference to computer-illiterate people? They simply won't be able to do certain things until a computer-literate person tells them how to run sudo, then the lesson they'll take from that is if something gives them an error use this magic sudo program to fix it. They'll share with all their friends. Hell, they'll probably just start running EVERYTHING with sudo and share THAT trick with all their friends.
Allen says he'd love if his Windows computer worked like his Ubuntu computer, which just has a popup asking for an admin password when he installs something. Vista's UAC will do that if it is a normal user account or will simply ask for an OK if it is an admin account.
I think what people fail to understand about Vista's UAC is that for the most part it is meant to transition us to apps that work correctly. Once I settled into my PC where I wasn't installing things frequently, and once I got updates to several of my apps, I hardly ever see the UAC prompt. I wonder if the people talking about every app actually run Vista or if they picked up this impression from the Mac commercials. If you are getting an annoying number of UAC prompts, then you probably have a bunch of apps that need to be fixed. This is the exact kind of bad app that people are complaining about, so you'd think they'd be happy that the app essentially gets a badge of shame (the UAC prompt) plastered on it at every startup.
"Do you think the Unix approach would make much difference to computer-illiterate people? They simply won't be able to do certain things until a computer-literate person tells them how to run sudo, then the lesson they'll take from that is if something gives them an error use this magic sudo program to fix it. They'll share with all their friends. Hell, they'll probably just start running EVERYTHING with sudo and share THAT trick with all their friends."
Continuing this line of thought, I think it boils down to telling Grandma that she is to answer "no" to this prompt (or not run sudo or whatever), always, unless she is sure it is something that is OK to run.
I tend to be more on the side of not requiring much expertise from the typical users, because some of these "how to keep yourself safe" lists are ridiculous, but this is one place where the line has to be drawn. Sorry, Grandma, but if you allow everything or whitelist everything then you're on your own.
Bob on December 13, 2007 8:58 AMgray list
Montana Rowe on December 13, 2007 8:58 AMI don't agree with you.
- They do work. I downloaded kaspersky internet security and ran it. It found a lot of crap on my computer.
- Just because they don't catch every single malware doesn't mean they suck. Catching most of the malware is much better than catching nothing. Plus how would you know if it doesn't catch everything unless you know you planted a malware and your av software didn't recognize it.
- Some of the AV slow down your machine considerably. Find one that doesn't. Scan your machine when you're not using it. That makes good use of its idle time. I run backups and scanning when I am sleeping.
- You personally have a fast machine. Do AV software they really slow your machine considerably?
- AV software do not replace your security and safe guards. They complement it. If you depend on them to give your a false sense of security, it's your fault, not the software's. An automatic shifting car makes it easier for you to drive, it doesn't teach you how to drive or drives your car. AV software help you against malware.
Abdu on December 13, 2007 9:40 AMA decent article of antiviral security is here : http://searchsecuritychannel.techtarget.com/tip/0,289483,sid97_gci1247943,00.html
Gary on December 13, 2007 9:50 AM"They do work. I downloaded kaspersky internet security and ran it. It found a lot of crap on my computer."
So the intrusion detection finally waved the red flag? Great. Congratulations.
Now, let me guess, what do you do? Let this snake oil software remove all the stuff it found, and continue running the already compromised machine?
Ignorance is bliss. *shrug* - Still, just having this warm fuzzy feeling inside your belly now does not change the fact that your machine is owned by someone else already.
Vinzent Hoefler on December 13, 2007 10:29 AM"Simply put, there needs to be several different releases of the said malware, one for each of the major denominations of Linux distributions."
That's actually nonsense. Kernel calls haven't changed so much since 1.x. libc might be considered a problem, but I actually have written programs which need no libc to run.
Fact is, that we ship binaries running on all distributions tested so far (debian, knoppix, red hat, slax, suse, ubuntu, ...). If we can, virus writers can, too.
Vinzent Hoefler on December 13, 2007 11:04 AMOnly one person seems to have mentioned vaccinations. Which is kind of what antiviral software is like. They don't guarantee every individual is safe from the disease, but rather, than the one disease can't damage the whole of society. If antiviral software wasn't around, then all those ancient viruses it can detect might still be floating around. But with near 100% "inoculation", the "disease" is gone.
So the stuff is useful, but not at the extreme level to which it has been taken.
Additionally, the key security insight which both Windows and Unix developers need, is that their software should be developed with no more expectation of security privileges than is actually necessary to accomplish the task.
Windows developers (and users) are still used to doing everything as admin. Whereas every introductory text on Unix administration says "don't do any more as root than is necessary." That little line in the books is what gives Unix the advantage. Even if the end users don't take it to heart, the Unix software engineers do, and that goes a long ways.
(Unix also has available to it "chroot". No idea if that is available in Windows, but it would eliminate many, if not most of the "rm -rf $HOME" concerns being mentioned. Right as soon as the Unix software engineers readjusted their thinking to expect chroot jails for their software.)
Jay Kominek on December 13, 2007 11:50 AMAlthough I agree with your point(s), running as a "normal user" under Vista is really unbearable if you do anything more than listen to some music or tap in some documents. All sorts of software will not work anymore (to name one, HDD Thermometer, which I downloaded after this post: http://www.codinghorror.com/blog/archives/000748.html). Even running as administrator doesn't cure everything. For example, there is no way I can download a file over direct connect using DC++ when I am not an administrator.
Now this can be Vista's fault, or the fault of other software vendors, but in the end, I'm semi-forced to be an administrator...
Still, not being an idiot and not running IE and/or MSN does help a lot...
Leo on December 13, 2007 12:00 PMFor years, I ran my XP system without virus software. Then somebody claimed it was irresponsible for me to do that, and I was probably infected with all kinds of public nuisances. I doubted it, but I installed one of the well-known anti-malware packages just to make this somebody shut up. It found nothing. I left it installed, and in the years since installing it, it has found nothing. Noting nothing nothing. These people who are inadvertently helping run the spam botnets... Who are they and what are they doing to "join"? It's not as if I'm extra-careful, though I do view all filename extensions and I am suspicious of email enclosures. Does that make me super-anti-malware-expert-man? I am starting to think malware is about as real a threat as WMD in Iraq. Maybe it's something you notice if you're responsible for maintaining a thousand computers operated by complete idiots, but that's not me (the responsible one or the idiots).
pete on December 13, 2007 12:01 PMI believe the OS should simulate the Admin account for non Admin users. This will make the viruses believe they've infected the system... Also, the OS should kill programs that try to infect OS system files or that tries to write to user files that were created with other programs, unless the program uses a system dialog to open the file.
This way, the user can work without having to logon as an Admin and user files are protected adequately.
Of course, when a user wants to install a program for a group, he should have the privileges of that group.
Just some ideas, probably not too original (but Vista could have used some clarity of ideas in the conception of the OS).
I am with you. Only idiots get viruses.
Josh Stodola on December 13, 2007 12:44 PMAll OS's have vulnerabilities. And many of those vulnerabilities allow code to execute with elevated privileges, so running as non-admin will not save you if you come across one of these little nasties in the wild that was written to take advantage of that.
And yes, this is even true if you are running Linux or Mac. There are exploits that can do this on those OS's too.
Telling people to ditch their antivirus and to instead run as non-admin, is a very irresponsible thing to do.
I hope nobody takes you seriously and actually does it.
What they should be doing is using a non-admin account AND running their antivirus as admin.
app on December 13, 2007 12:45 PMRunning Windows as non-admin is tantamount to not being able to use your PC. To say that *nix and OS X do that so it's recommended for Windows is not exactly the same thing. The *nix and OS X implementations are much much better than Windows. So, in summation, it's almost a lost cause running Windows as a non-admin user.
Diego on December 14, 2007 2:41 AMVinzent Hoefler: spot on the sugar, baby!
Okay, so there might not be a homogeneous attack vector for all *u*x systems... so what, you do what's being done for windows systems already, you compile a big frigging package of them and try them in turn.
Sure, still won't be as effective as windows exploits are now, but if linux suddenly boomed to the same marketshare and the same kind of users as windows, well... game over.
"http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx?mfr=true"
I guess you never install any software because you assume everyone is a bad guy? A malware can be implanted in an innocent software which you accept to install. Running as an admin will not help you then.
Abdu on December 14, 2007 6:45 AMsorry jeff i will not completely agree with you. Yes we have to constantly update the blacklists, but they work quite well. I have adblock in my firefox and it saves me from much of the ads and flash movies that i dont want to view. on the virus front again you are very right, it is a very big design flaw in windows, the running system as administrator by default. not just the os we take this mentality to other things also. i have seen very senior colleagues using "sa" to interact with SQL Server from application although application is doing all the database work using a bunch of stored procedures. they face problems when ever they have to work with oracle, because they take everything for granted like sa on sql server. the most significant factor in reducing virus attacks is disciplining yourself while surfing and not visiting dangerous site, not downloading untrusted content and not plugging your portable drives into others systems without a thought and vice versa.
trial blazer on December 14, 2007 6:50 AMLinux is great at the moment because only geeks are using it. Switch all average Joes to Linux, and we'll see how malware creators try to break linux. :)
http://en.wikipedia.org/wiki/Priviledge_escalation
techy on December 14, 2007 7:48 AMTo Vinzent Hoefler : What makes you think my machine is owned by someone else? So you expect me to format my machine and reinstall everything everytime I find something?
I don't have the tech-how to know if my machine is infected so I let a good software do the job for me. I suppose if this software was part of the OS, it's ok but if it's a third party tool, god forbid?
How do you know if your machine is not infected in any way? You cross your fingers?
Abdu on December 14, 2007 9:18 AM"To Vinzent Hoefler : What makes you think my machine is owned by someone else? So you expect me to format my machine and reinstall everything everytime I find something?"
http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx?mfr=true
Try "Law #1".
Vinzent Hoefler on December 14, 2007 11:50 AMOne of the benefits of running AV with a subscription, is getting an update as soon as there is a break out.
By working together, most of us get "vaccinated" before the threat spreads...
I don't remember seeing any posts about major virus spreads in the past 3 years, since Norton AV initiated the subscription model.
I can't help but say the magical words for all private computer users;
Offline backup storage.
Backup is taken every month, before you backup you do not download or change things on the computer for a few days in order to give any possible threats time to play out. Check the system thoroughly with updated 'blacklists' which means you are likely to remove anything harmful since the 'defenders' will have had time to create new definitions. Now backup data.
If you are really paranoid, keep a second set and overlap month by month. That way you will always have at worst a two month old backup.
BTW; I liked the original post. Thanks for some fine viewpoints.
Lars Levin (Swe) on December 17, 2007 6:15 AMWhen I saw the hatred of the blacklist, I recalled a security article I read long ago.
http://www.ranum.com/security/computer_security/editorials/dumb/
The part that directly relates being the "Enumerating Badness" section.
Dan on December 17, 2007 9:48 AMThis is an interesting alternative for stopping viruses, including ones that are so new nobody has yet heard of them.
http://www.download.com/SafeSpace/3000-2239_4-10772191.html?tag=lst-1
-Scott
Scott Langham on December 18, 2007 4:54 AMI think you need to do a post on why are there spammers and virus creators in the first place? Why do we have such a huge industry built around stopping these people? Who are they really? They can't all be pimply faced teenagers who are just trying to be annoying. Where is the market for creating trojans and viruses?
I admit I don't understand it, there are so many good productive open-source projects people can get into and then they can say they were part of something good instead.
I must admit I just don't understand the motivation behind it all. Do you?
And thanks for you posts, I read religiously. Keep up the good work.
Shane
Shane, you're like I was, in that you don't * THINK * like criminals do since you ask that question (a good sign, meaning you're no scumbag).
I was exposed to it once I took the job I am presently in, which is helping out folks daily with their PC hassles, which today, is mostly removing malware infestations.
As an example, as to WHY it is done?
Well - You should look up the "Russian Business Network" as to some insights as to the "how/why" of WHY they are out there doing this stuff (malware creation):
It's to make money, via stealing YOURS (or, your identity) via spyware/virus/trojans/rootkits/malwares of today, as to their motives...
Especially since folks are into online shopping (credit card # stealing here), OR, online banking (self-explanatory as to what they want to keystroke monitor here send to their servers, to sell to those that make fake charge plates etc.)...
APK
APK on December 26, 2007 6:05 AMMaybe I missed it, but does Jeff's article say whether Admin + UAC on Vista is sufficient? Jeff, do you run Vista with UAC enabled? Has the security industry weighed in on whether Vista and UAC really addresses the issue?
Running VS.NET 2005 as a non-elevated admin resulted in all sorts of warnings the first time I ran it, suggesting I should run it elevated for any kind of web development. I'm not getting that kind of warning with VS.NET 2008. Did they fix that?
flipdoubt on January 2, 2008 5:44 AMHi,
But what is the solution then? I read the whole thing interested and looking for a final comment like, that's why in my opinion if you are running Windows Vista you should...
So what? should I forget about AVG7.5?
Jorge
jorgedbucaran on January 7, 2008 6:32 AMmicrosoft and other companies profit from this problem is why it exists
I think whitelists are the answer but they need to be regulated by non profits and open source
macs are for profit if they beat out microsoft they'd develop the same problems I bet
open source is the only option with honest security and sanity is my vote
shane on January 17, 2008 12:34 PMWhat's wrong with snake oil?!
The only killer virus I ever got was a pop-up add that advised me I had a virus and that I should buy their anti-virus product right away. When I refused to buy the product, it locked up the computer. When I tried to reboot fresh and reformat the drive, it shut down the computer. I guess they were going to get you one way or the other. Anyway, I've seen more than one AV or ASpyware ad that was a malware in disguise. So, be careful from where you get your AV!
Anyway, why don't we just set up international clearing houses for all internet traffic, so that everything can be scanned and approved? ;)
PB on February 17, 2008 1:03 AMTo falsify the argument about virus proliferation being due to market share, compare the number of viruses available for Macintosh System 7 versus Mac OS X. Max OS X has a much bigger market share, so it would be expected to have more viruses — it has none in the wild.
If you're running as a non-administrator you can't accidentally infect the computer with a virus - you can run a trojan which goes and deletes every file you have access to, but that's a different matter.
I have Sophos installed as part of the SoE for my iMac, and it's a pain in the arse. Most of the mail I receive that gets tagged as "spam" causes Sophos to have a cry - it pops up a dialog box telling me that a particular file had a virus, so it's going to deny me access. Unfortunately it uses the actual file name, not the name of the message or what mailbox it exists in. It also denies Mail the right to manage that file, so my Mail folder is getting filled with files I can't delete (except by opening a terminal and issuing a sudo command).
I wasn't going to open the files anyway (a spam announcing Russian brides, with a file attached called "postcard.exe" - I'm not that stupid, as evidenced by the fact that I use a Mac in the first place).
Alex on March 11, 2008 5:42 AM"Blacklists Don't Work"
Every time I use virus software the "blacklist" takes files from my legitimate programs due to "guilty by association (similar file names)", and then I have to repair the damage...
Jeff: great-post.
Aaron White on February 6, 2010 10:14 PMI have had at several people ask me to help them sort out some kind of problem, connecting to printers or installing software, because they had recently bought a computer with Vista and were not running as administrator. Unfortunately I have not worked with Vista enough to support it over the phone... Anyway, obviously the core problem is _not_ that they are not running as administrator, since Macs manage to make it super easy to install stuff even without having a user always be administrator. But it seems like Vista gets it painfully wrong for the average user...
jlarson on February 6, 2010 10:14 PMI agree with the last comment - I think that the "future" of security will be a combination of whitelisting and virtualization (AKA sandboxing).
Actually, the .NET Framework already handles the whitelisting in a variety of ways. And while there's nothing preventing spammers from obtaining digital certificates from Verisign for all their new worms, it would break down their economic model very quickly. The entire world does not run on .NET, of course, but a simplified model (without CAS) could be adopted for ordinary Win32/Win64 stuff.
Aaron G on February 6, 2010 10:14 PMSpam in email has been largely defeated by Bayesian spam filters. Maybe it's about time we started doing something similar for comments. There is the possibility of false positives but comments marked as spam could just be marked and sent off to the blog author for review. This would work equally well flame comments.
Rickahedron on February 6, 2010 10:14 PMThere is another reason Macs and other *nix machines are less susceptible to viruses. Not everything is executable. Windows decides what can be executed based on filename. *nix uses permissions for executing. That needs to be addressed in Windows, but it would break so many applications.
At the core of it, Windows was designed to be a single user, isolated system. *nix were designed to be a multi-user and on a network. They had the opportunity to fix it with the move to NT (3.5.1) but decided not to. Now it is so entrenched that there is no way to fix it an retain backward compatibility. If they break that, there is no reason for people to stay on Windows, and they will have to compete on the merits of the system, which is not something they have ever been good at.
P.S. Many of the applications I am required to use for my work will not execute as a normal user, and work only as admin. The registry was a poorly conceived concept, and whoever came up with it should be taught the most important phrase for their new profession "Would you like fries with that?"
Grant Johnson on February 6, 2010 10:14 PMThis is all true, until you find someone with no anti-virus software who has a problem. Someone I knew had a problem with there machine and when we installed AVG and rab it, it found 197 viruses!
His computer ran OK after that!
But I get your point and it's a valid one, to a degree - just take my example above.
To be honest, one of the first things that I do when I boot up, is pause the scanning, so that I can get on with things. It takes an age to scan everything and at the speed the machine runs at, sometimes I'd be better of with an Abacus! But on the odd occasion that I do let it run I'm relieved to find that there were "No threats found".
Charlie McMahon on February 6, 2010 10:14 PMOk - that should have been install AVG and RAN it!
Jeff, please get a preview button!
Charlie McMahon on February 6, 2010 10:14 PMI know this article is about blacklists. However I would like to point something out. Almost all software can be run as a non-admin, it is part of my job to figure out what needs to be adjusted in the system or the application to allow an application to work in our enterprise environment without administrator privs. Often it is simply a case of requiring access to a very specific resource that normally isn't available to an unpriv user.
Developers need to learn how to test their software with ordinary user accounts. You can even develop as an ordinary user, we do it in our environment. You do it the same way you would in the Unix world, you use RUNAS to run specific operations as Administrator, and when you don't need to be admin, you aren't.
I really don't believe that developers "need" to be admins, especially when what they are producing really DOES need to run as an ordinary user.
Scot McPherson on February 6, 2010 10:14 PMJeff,
What about white-lists? More often than not the software that stays on your machine is very static.
Even developers do not change their software stack all too often. You need to white list build output folders though but since there is no consistency as to where these are from machine to machine, a virus writer would have trouble exploiting that weakness.
I've found that a good counter-measure is to use XP Pro's built in functionality called Software Restriction Policies. Let Google be your guide.
It works beautifully on my parent's machine and has kept them Virus free for a couple of years now.
Simon
Simon Johnson on February 6, 2010 10:14 PMI work on a team of three developers that has been developing ASP.NET web sites, WCF services, and ClickOnce WinForms apps for the past 18 months in the following environment:
* NON-ADMIN! XP and Vista, VS2005 and VS2008.
* Vista with UAC on.
* 64-bit Windows.
It is *NOT* hard.
And, yes, blacklists suck.
Jason Stangroome on February 6, 2010 10:14 PMThe reason why admin rights is such an issue is because of the deployment strategies of many programs.
In my workplace, I had to get admin rights because I needed to install a newer version of Java Development Kit. Compare that to Digital Mars C++ Compiler, which can be installed by unzipping the folder, and adding the bin directory to the path.
Jon Abaca on February 6, 2010 10:14 PMJeff, here's my response: http://weblogs.asp.net/jgalloway/archive/2007/12/13/why-codinghorror-is-horribly-wrong-about-blacklists-and-virus-scanners.aspx
"So, in the end, perhaps I should apologize to Jon."
So... I'm waiting... :-)
I look forward to seeing you Monday, and I promise not to sneak a virus onto your totally unprotected computer.
Jon Galloway on February 6, 2010 10:14 PM@Mark
Read about the Storm virus (virus+worm+trojan, etc.). It's not created by AV companies, it's created by people who are intent on using malware to steal.
This reminds me of a problem I had at the last company I worked for. We maintained a set of applications for Pathology Labs around Australia that the business relied upon every day. The application used VB6 and in order to log data to the administrator of the system, would E-mail responses via an 3rd party DLL.
This was all working very well. That is until two of our biggest clients suddenly and inexplicitly went down. Turns out, they were both using the same Anti Virus software. The software falsely recognised the component as a work and promptly removed the DLL site wide. This included all ZIP and CAB files containing the DLL.
It took around 3 days for the anti virus vendor to fix the software and in this time, the customers systems were essentially unuseable.
It tought me a very good lesson. Virus software is bad. Very bad!
Aaron on February 6, 2010 10:14 PMNow a days people are currently so focused on an impossible prevention they should spend enough time worrying about how to recover from it. May i know that which the best antivirus that supports the pc very well. Thanks for posting such an awesome article.
_______________________________
Paul
Security Tool
@tim
no matter how careful you try to be, you are likely to get one someday, and a fear for data by then.
Oghenez on June 1, 2011 9:59 AMThe comments to this entry are closed.
Subscribe in a reader
Subscribe via email
|
|
Traffic Stats |