Jon Galloway and I got into a heated debate a few weeks ago about the efficacy of anti-virus software. My position is that anti-virus software sucks, and worst of all, it doesn't work anyway. That's what I've been saying all along, and it's exactly what I told Jon, too:
The performance cost of virus scanning (lose 50% of disk performance, plus some percent of CPU speed) does not justify the benefit of a 33% detection rate and marginal protection. I would argue the illusion of protection is very, very dangerous as well.
Ask yourself this: why don't Mac users run anti-virus software? Why don't UNIX users run anti-virus software? Because they don't need to. They don't run as administrators. Sadly, the cost of running as non-admin is severe on Windows, because MS made some early, boneheaded architectural decisions and perpetuated them over a decade. But the benefit is substantial. There's almost nothing a virus, malware, or trojan can do to a user who isn't running as an administrator.
I believe we should invest our money, time, and effort in things that make sense, things that work. Things like running as a non-administrator. And we should stop wasting our time on voodoo, which is what anti-virus software ultimately is.
To be fair, anti-virus software is more effective than I realized. In the August 2007 Anti-Virus Comparatives, the lowest detection rate was 90%, and the highest was 99.6%.
But I have a problem with the test methodology that produced these results. If we build a library of tests using all the viruses and malware in all of recorded history, we'll get an absurdly high detection rate. But who really cares if Kaspersky can detect a year old virus, much less a three or four year old one? What matters most, I think, is detection rate for new threats. That's what's really dangerous, not some ancient strain of a long-forgotten DOS virus. I'm sure anti-virus vendors love comparatives like this. It makes for great ad copy: we can detect 99.7% of threats! The bad news, which is hidden by a footnote marker and placed in 4-point text at the bottom of the page, is that 99.3% of them are so old as to be utterly irrelevant and meaningless. (Update: in a comment, Anders pointed out that a November 27th "proactive/retrospective" test (pdf) from the same site, using threats only a month old, showed far lower detection rates: between 80% and 33%.)
We could appeal to the data. Of the top 5 threats on the virus radar, only one is younger than six months. However, the youngest dates from December 4th, a mere eight days ago. And it only takes one. If anything gets through your anti-virus software, you're just as compromised as you would be if you were running no anti-virus software at all.
But for now, let's assume these comparative statistics are correct. The heroic anti-virus teams can detect 99.7% of all the evil code in the world, and protect you from them, in the name of truth, justice, and the American Way. But it's far from automatic. It only works if you stick to the plan. You know, the plan:
Wow, not much can go wrong there. And then you only have a 0.33% chance (or a 20% chance, depending which set of data you believe) of getting in very big trouble. Problem solved!
Or you could just, y'know, not run as an administrator, and then you'd never have any chance of getting in trouble. Ever. Well, at least not from trojans, malware, or viruses. But evidently a few children's programs fail to run as non-administrator, and programming as a non-administrator is difficult, so that's a deal-breaker for Jon.
After a lot (really, a lot) of back and forth with Jon on this topic, I realized that my position boiled down to one core belief:
Blacklists don't work.
At its heart, anti-virus software is little more than a glorified blacklist. It maintains an internal list of evil applications and their unique byte signatures, and if it sees one on your system, kills it for you. Sure, anti-virus vendors will dazzle you with their ad copy, their heuristic this and statistical that; they'll tell you (with a straight face, even) that their software is far more than a simple blacklist. It's a blacklist with lipstick. It's the prettiest, shiniest, most kissable blacklist you've ever seen!
I could waste your time by writing a long diatribe here about how blacklisting is a deeply flawed approach to security. But I don't have to. We can turn to our old friend Mark Pilgrim for the most radical deconstruction of blacklisting you'll probably ever read.
I see from Jay's Comment Spam Clearinghouse that the latest and greatest tool available to us is a master [black]list of domain names and a few regular expressions. No offense to Jay or all the people who have contributed to the list so far, but how quaint! I mean really. Savor this moment, folks. You can tell your children stories of how, back in the early days of weblogging, you could print out the entire spam blacklist on a single sheet of paper. Maybe with two or three columns and a smallish font, but still. Boy, those were the days.
And they won't last. They absolutely won't last. They won't last a month. The domain list will grow so unwieldy so quickly, you won't know what hit you. It'll get so big that it will take real bandwidth just to host it. Keeping it a free download will make you go broke. Code is free, but bandwidth never will be. Do you have a business plan? You'll need one within 6 months.
And then people will start complaining because a regex matches their site. Or spammers will set up fake identities to report real sites and try to poison the list. Are you manually screening new contributions? That won't scale. Are you not manually screening new contributions? That won't work either. Weighing contributions with a distributed Whuffie system? Yeah, that's possible, but it's a tricky balance, and still open to manipulation.
It's all been done. It's all been done before, and it was completely all-consuming, and it still didn't work. Spammers register dozens of new domains each day; you can't possibly keep up with them. They're bigger and smarter and faster than you. It's an arms race, and you'll lose, and along the way there will be casualties, massive casualties as innocent bystanders start getting blacklisted. (You do have a process for people to object to their inclusion, right? Yeah, except the spammers will abuse that too.)
Oh, and it goes on. That's a mere slice. Read the rest. Like Mark, blacklists make me angry. Angry because I have to waste my time manually entering values in a stupid blacklist. Angry because the resulting list really doesn't work worth a damn, and I'll have to do the same exact thing again tomorrow, like clockwork. And most of all, angry because they're a dark mirror into the absolute worst parts of human nature.
I've had plenty of experience with blacklists. A minuscule percentage of spammers have the resources to bypass my naive CAPTCHA. They hire human workers to enter spam comments. That's why I enter URLs into a blacklist every week on this very site. It's an ugly, thankless little thing, but it's necessary. I scrutinize every comment, and I remove a tiny percentage of them: they might be outright spam, patently off-topic, or just plain mean. I like to refer to this as weeding my web garden. It's a productivity tax you pay if you want to grow a bumper crop of comments, which, despite what Joel says, often bear such wonderful fruit. The labor can be minimized with improved equipment, but it's always there in some form. And I'm OK with that. The myriad benefits of a robust comment ecosystem outweigh the minor maintenance effort.
I've also had some experience with the fancy, distributed crowdsourcing style of blacklist. It's a sort of consensual illusion; many hands may make light work, but they won't miraculously fix the fundamentally broken security model of a blacklist. You'll have the same core problems I have with the unpleasant little blacklist I maintain, writ much larger. The world's largest decentralized blacklist is still, well, a blacklist.
So, in the end, perhaps I should apologize to Jon. I suppose anti-virus software does work, in a fashion... at a steep mental and physical cost. Like any blacklist, the effort necessary to maintain an anti-virus blacklist will slowly expand to occupy all available space and time. In philosophical terms, keeping an exhaustive and authoritative list of all the evil that men can do is an infinitely large task. At best, you can only hope to be ahead at any particular moment, if you're giving 110%, and if you're doing everything exactly the right way. Every single day. And sleep lightly, because tomorrow you'll wake up to face a piping hot batch of fresh new evil.
If a blacklist is your only option, then by all means, use it.
With comments, I'm stuck. There's no real alternative to the blacklist approach as a backup for my CAPTCHA. Furthermore, the ultimate value of a comment is subjective, so some manual weeding is desirable anyway. But when it comes to anti-virus we do have another option. A much better option. We can run as non-administrators. Running as a non-administrator has historically proven to be completely effective on OS X and UNIX, where the notion of anti-virus software barely exists.
Isn't that the way it should be? Relying on a blacklist model for security is tantamount to admitting failure before you've even started. Why perpetuate the broken anti-virus blacklist model when we don't have to?
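As an added illustration (not code from the post), here is a toy version of the two models: the signature blacklist the post describes, where every variant that slips through needs a new hand-entered signature, beside a hash allowlist (the default-deny whitelist some of the comments below raise). The byte strings, names and the one-byte variant are constructed for the demo and are not real programs.

```python
"""Toy signature blacklist versus hash allowlist (added illustration).

The three 'executables' below are constructed byte strings, not real
programs or malware samples; they exist only to exercise the two models.
"""
import hashlib

# Constructed sample "files". VARIANT is KNOWN_BAD with a single byte changed,
# the kind of trivial edit the commenters say defeats a signature.
BENIGN = b"MZ\x90\x00benign-editor-1.0\x00open_document()\x00"
KNOWN_BAD = b"MZ\x90\x00evil-dropper\x00send_spam()\x00join_botnet()\x00"
VARIANT = KNOWN_BAD.replace(b"dropper", b"dr0pper")


class SignatureBlacklist:
    """What the post calls 'a glorified blacklist': named byte signatures.

    A file is flagged if any signature occurs anywhere in its bytes. Every
    new variant that gets past the list needs a new entry, by hand.
    """

    def __init__(self):
        self.signatures = {}  # name -> signature bytes

    def add(self, name, signature):
        self.signatures[name] = signature

    def scan(self, data):
        """Return the name of the first matching signature, else None."""
        for name, sig in self.signatures.items():
            if sig in data:
                return name
        return None

    def detection_rate(self, bad_samples):
        """Fraction of known-bad samples the current list catches."""
        hits = sum(1 for s in bad_samples if self.scan(s) is not None)
        return hits / len(bad_samples)


class HashAllowlist:
    """Default-deny: only files whose SHA-256 was approved may run.

    Nothing needs to be known about the attacker; any unapproved file,
    including a never-seen variant, is refused.
    """

    def __init__(self):
        self.approved = set()

    @staticmethod
    def digest(data):
        return hashlib.sha256(data).hexdigest()

    def approve(self, data):
        self.approved.add(self.digest(data))

    def permits(self, data):
        return self.digest(data) in self.approved


def compare_models():
    """Run both models over the constructed samples; return the verdicts."""
    blacklist = SignatureBlacklist()
    blacklist.add("evil-dropper", b"evil-dropper")  # yesterday's signature

    allowlist = HashAllowlist()
    allowlist.approve(BENIGN)  # the one program the user actually installed

    bad = [KNOWN_BAD, VARIANT]
    variant_missed = blacklist.scan(VARIANT) is None  # one byte is enough
    before = blacklist.detection_rate(bad)            # 0.5

    # The daily chore the post complains about: once the variant is seen in
    # the wild, a new signature is added and the rate climbs back to 1.0,
    # until the next one-byte edit.
    blacklist.add("evil-dr0pper", b"evil-dr0pper")
    after = blacklist.detection_rate(bad)             # 1.0

    return {
        "blacklist_flags_known_bad": blacklist.scan(KNOWN_BAD) is not None,
        "variant_missed_before_update": variant_missed,
        "blacklist_rate_before_update": before,
        "blacklist_rate_after_update": after,
        "allowlist_permits_benign": allowlist.permits(BENIGN),
        "allowlist_permits_known_bad": allowlist.permits(KNOWN_BAD),
        "allowlist_permits_variant": allowlist.permits(VARIANT),
    }


if __name__ == "__main__":
    for key, value in compare_models().items():
        print(f"{key}: {value}")
```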
Posted by Jeff Atwood
1) I think the reason that most viruses are written to infect M$ Windows is because it has such a big market share
2) if you're running as non-admin you can still catch a virus that kills your data. It can't do everything but it still can do something
Jeff: great-post.
Aaron White on December 12, 2007 03:01 AM
Since I usually only comment on your blog when I disagree with you, I thought I'd break that pattern: this post is right on the money, Jeff!
Mats Helander on December 12, 2007 03:01 AM
These are some of the same reasons that I haven't run any anti-malware products on my workstation(s) in about 3 years. First with XP and now with Vista, and I'm loving every minute of it.
A few basic precautions are all that are necessary. Treat your computer like you would your own body. If you don't sleep around with random people you meet in the bar, you won't get the clap.
If I really want to do something risky, I use a virtual machine. That's something that everybody should do, regardless of whether you run Windows, or the most hardened Unix OS. It's when you start thinking that you are invincible, and don't take any precautions at all, then you will end up as just another spambot.
kettch on December 12, 2007 03:17 AM
I mostly agree with what you have said, but I don't think it fair to claim that Windows only suffers from viruses, trojans and other malware.
I read a report where a research group set up boxes with unpatched OS's, and while the unpatched windows machines were, on average, compromised in under a minute, the Linux and BSD flavours were compromised, on average, in under an hour.
Like a post already said, Windows is a prime target because of its market share, and yes, because it is generally easier to attack than other OS's, but that doesn't make the other OS's safer; it just means you can pretend to be safer an hour longer than Windows users.
acidie on December 12, 2007 03:28 AM
What's really stupid is I've seen anti-virus packages that run appallingly badly for non-Admin users. http://www.geekrant.org/2007/06/27/ca-internet-security/
Daniel on December 12, 2007 03:29 AM
The problem is not running as non-root; the problem is how each OS handles a task that requires root to proceed.
Windows works on a 'This program wants to do something, should I allow it?' which quickly becomes the nightmare that Vista has become, every action requires a Yes or No - and every application is allowed to (just like your previous article) annoyingly steal focus to ask for permission.
Whereas on *nix, everything is told to bugger off if they want to do a task they're not allowed. The only way a virus could do damage is if the user himself requests it by manually typing sudo.
Sudo can be annoying; installing new apps usually goes along the lines of:
$ apt-get install python
E: Could not open lock file /var/lib/dpkg/lock - open (13 Permission denied)
E: Unable to lock the administration directory (/var/lib/dpkg/), are you root?
$ sudo apt-get install python
Password:
But I'd rather put up with a minor annoyance that happens only once in a while when I forget to type sudo, than every single damn process my pc runs demanding to run as root.
You know, it may not be a good idea to say that running without administrator privileges means you "never have any chance of getting in trouble. Ever." It's true that most current viruses run as administrator, but that can easily change. Virus writers currently use their administrator status to dig deeper into the system, but the primary task is rarely anything other than making network connections (send spam, DDoS targets, join botnet), which is obviously something limited users can do. When Microsoft completes the switchover to limited default user permissions that Vista started, virus writers will simply adjust their tactics to avoid protected parts of the system.
Mark on December 12, 2007 03:49 AM
I haven't run with a virus scanner since my last one expired. I've found that I know my system well enough to notice things that shouldn't be there and I haven't yet come across a virus that needed a special program (beyond regedit and a debugger in one case) to get rid of.
Since my last reformat (due to hard drive failure, not a virus) I've run as a regular user account (Power User is basically as bad as Administrator on XP http://blogs.technet.com/markrussinovich/archive/2006/05/01/the-power-in-power-users.aspx) and had no issues at all. "runas /savecred /user:administrator" is slightly longer than "sudo", but that's nothing a simple batch file can't fix.
Zooba on December 12, 2007 03:54 AM
@Joe: In theory virus code won't be able to break a non-admin account because it won't have the privileges to run. Code would have to have permissions to be executed - and that would be set *deliberately* by the admin user.
Of course, Trojans can still be a problem:
1) User-A logs onto site and sees a screensaver/useful app/game that they want.
2) User-A downloads executable and elevates to admin to give it execute permission.
3) User-A (now back as an unprivileged user) runs the executable, it has a trojan that copies their addressbook and mydocuments folders and e-mails them to a Russian* address (or does other stuff permitted by that account).
Education is the best way to reduce this (don't download from dodgy sites). But there will always be stupid people.
-Perros-
*nothing against Russians.
This'll sound naive, but what are the actions that we are saying that malware,etc does?
You do not need administrative purposes to:
1 - Delete a file owned by you (that seems pretty harmful)
2 - Browse to a website, connect to IRC, ftp (could be used for DDOS)
3 - Download large files (slow down computer) and save to directories owned by current user
4 - Connect to an arbitrary server (can be used for command and control of botnet)
5 - Send emails (spam)
(These all apply to *n*x as well)
As far as I'm aware, the only thing you can really do as administrator /without getting popups is try to *listen* on a port (or modify system files). Or maybe you *can't* do any of the things I mentioned because I'm so used to running as a user which has some admin privileges.
Most users care about their personal documents, music, photos which can be freely messed with without any privileges.
Josh on December 12, 2007 04:00 AM
Nice post about the reality of the virus scanners, but there are a few points I would like to add.
Running in non admin mode would indeed limit the possibilities of a program. But there are enough privilege escalation exploits, for windows components but also for virusscanners etc. So it is possible to get infected while in non admin mode.
I myself have a virusscanner running, but I never do the daily/monthly full scan. I do however like the Active protection mode, which monitors the files which are executed and scans them (that's just the normal virusscanner stuff) but what I like more is the part which looks at the behavior of the program (for instance writing to registry where it should not). That kind of protection is a good extra line of defense which blocks the new exploits too. Although if you look on www.rootkit.com Kaspersky has a nice open gap in the communication to the kernel driver, so a virus could just disable Kaspersky and then do the dirty stuff.
Davy Landman on December 12, 2007 04:07 AM
Things are even worse. See the statistics page of VirusTotal.com: http://www.virustotal.com/estadisticas.html
Only 9 of 20226 threats (0.04%) were detected by all engines. This is terrifying.
Blacklists are useless, but non-admin is not panacea either. Btw, "computer hygiene" helps a lot.
martin on December 12, 2007 04:15 AM
Jeff, have you seen this:
http://www.youtube.com/watch?v=Ga1crmF7uls
It seems that 99,9% detection rate isn't good enough. Botnets are getting more and more intelligent. They are changing their DNS addresses so fast that blacklists are useless.
Tapio
Tapio Kulmala on December 12, 2007 04:25 AM
Jeff, I also don't run a virus scanner; I just can't justify giving up all the system resources for, as you said, something that is unlikely to work for any new virus. But I do need to run my computer as admin for the reason of programming, which is a pain. I would go onto my normal user account for any other reason, but I don't want to maintain admin and personal accounts all the time; it's tedious to keep settings etc. on both accounts.
I think the perspective on anti-virus from this blog is different to average users as most people who read this blog will know what exe to run and what not to along with the processes and services that should be running on their windows machines. This means they can usually detect a virus themselves and then may find out about it and what antivirus program can cure it. At this point I bet for most it's either temporarily install a program to remove the virus or go back to the backup of their system they have. I maintain a ghost image of my drive on dvd's with all the software I use installed and no data.
I take this and install it, adding any updates and any new software I might be using, and back this up for usage next time. Then I add my latest data and hey presto, new clean computer, probably running a bit faster than before, all in the space of an hour.
A better antivirus program for me would be a small program that detects new processes and services of unknown origin. I think this is included in some anti-virus but that is the only part I would want; I don't care about on the fly scanning of files against an outdated blacklist.
Pete
Pete on December 12, 2007 04:40 AM
Joe is right:
No matter which account you are using, a virus can (and will) destroy your data.
I don't care about the OS; I can install it in under 1 hour. I DO care about my data; it would take hours or weeks (depending on the time of last backup) to recover it.
alphager on December 12, 2007 04:50 AM
As already mentioned, you don't necessarily need administrative privileges to do nasty things. And to add to that, we have privilege escalation exploits; I'm sure there's plenty that haven't been found yet, also for *u*x based systems. And while the current generation of *u*x users are über tech-savvy people who read 42 security lists and keep their kernels updated by the hour, regular Joes wouldn't.
As for AV packages, well, what you want isn't a stupid BoyerMoore(patternList[idx], mappedFile), you want behavioral blocking that checks for suspicious program activity. The cost in CPU cycles is negligible, and it doesn't need the heavy disk activity that on-demand virus scanning does.
I am the System administrator for a small college. Mostly Linux servers, Linux/Windows clients. Users do _not_ get to run as administrator on any of our systems. We keep our software up to date. And I still have to deal with 4 or 5 security incidents a year. All on the Unix side (because that's where we serve user websites from, of course). Talk about the magical magicness of non-administrator accounts is flatly wrong.
Here's the fundamental law of computer security: don't be the easiest, most common, target on the net.
You can be sure that once most systems switch to running non-Administrator accounts, that malware writers will make the jump with only a few issues. Because, speaking as a Unix administrator, they already have.
Joel Eidsath on December 12, 2007 04:53 AM
As others have pointed out, running non-admin won't protect your user account's files and settings, but it does keep the system from getting totally borked (at least in theory).
Jeff Flowers on December 12, 2007 05:02 AM
I have been running my Vista powered PC without anti-virus for about 6 months now. With the built in Defender, Vista's UAC and other security enhancements built into Vista, IMHO, there is no need to install Anti-virus. As a backup precaution though, I did create an image backup of my OS and App partitions using Vista Ultimate's imaging feature. In the unlikely event that my PC is infected with a virus, I will just wipe the HDD clean and restore this image.
I do have an Antivirus software that I can use to scan my PC from time to time... it came with the Sandisk U3 USB key that I bought at a discount. I have run it only once to scan my Vista PC and as expected, it found no virus. If I were to run an anti-virus, I would rather run it off the USB key as opposed to installing it on my PC's HDD.
cyclo on December 12, 2007 05:10 AM
I love this post. I share the same feeling and am happy that someone just posted it.
No, I do not run as an administrator and yes, it helps a lot.
But an antivirus is still essential.
What you are forgetting is how often do we end up installing something thinking of it as harmless and then voilaa!
I've tried to install a couple of (seemingly harmless) applications by launching them with the admin privileges and my AV catching it installing some nasty trojans. And believe it or not, one of them was an online car racing game supplied on a cd of a famous pc magazine. How does one avoid these traps? So those annoying Antiviruses are here to stay, and for long.
:(
"I don't care about the OS; I can install it in under 1 hour. I DO care about my data; it would take hours or weeks (depending on the time of last backup) to recover it."
You may be able to install the OS in under an hour, most people can't. Mainly because "reinstalling the OS" means going to the shop and buying a new computer. Or at best getting someone else to come round and fix it.
Yes, data is precious and that can still be attacked. But a whole class of distressing, destructive and costly attacks have been thrown out the window. Now all we need is a primitive anti-virus and a much heavier focus on decent backup tools - which is good for more than just virus damage. That seems to me a much more logical way to proceed. People are currently so focused on an impossible prevention they don't spend enough time worrying about how to recover from it.
Wow, this is something that we should see on Penn & Teller, right? I mean if this is all true, and i do believe it is, then there's a huge amount of bullshitting going on. Can you imagine just how many people get money by producing anti-virus software.
Jazz on December 12, 2007 05:17 AM
I have had several people ask me to help them sort out some kind of problem, connecting to printers or installing software, because they had recently bought a computer with Vista and were not running as administrator. Unfortunately I have not worked with Vista enough to support it over the phone... Anyway, obviously the core problem is _not_ that they are not running as administrator, since Macs manage to make it super easy to install stuff even without having a user always be administrator. But it seems like Vista gets it painfully wrong for the average user...
jlarson on December 12, 2007 05:21 AM
Hey Now Jeff,
I learned the while talking (http://www.codinghorror.com/blog/archives/001017.html) make sure to omit the blacklist model for security.
Coding Horror Fan,
Catto
"What matters most, I think, is detection rate for new threats. That's what's really dangerous, not some ancient strain of a long-forgotten DOS virus. I'm sure anti-virus vendors love comparatives like this. It makes for great ad copy"
Well.... AV-Comparatives also do retrospective/proactive tests...
The latest test (http://www.av-comparatives.org/seiten/ergebnisse_2007_11.php) is scanning all _new_ viruses within one month, with the antivirus updates from before the first sample.
From that test, ESET NOD32 scored the best with 71% detection, and no false-positives (AntiVir detected 81% but had many false-positives).
71% (81%) proactive detection is GOOD for "blacklisting software".
AV-Comparatives also have a bunch of proactive tests with a 3-month period also (no new updates for 3 months, check with new stuff from that period).
I'd say the biggest problem are the ones that are fooled to install a "codec" to watch their porn, or runs "My secret pictures.exe" they get from some random e-mail/IM.
End-user whitelisting won't work. They'll trust the pornsite that tells them to disable the protection, or whitelist the software.
For companies, most are probably running pretty strict with non-admins already.
anders on December 12, 2007 05:25 AM
And yes about *nix and macs not installing an antivirus.
Who cares? I mean, the comparative user base is tiny compared to windows, nobody bothers on wasting their time on them.
And yes i expect "some" criticism from the respective zealots.
:)
On my desktop, which I've been running since Vista's release, I've no antivirus running. I believe I'm a competent enough user to not foolishly execute suspicious looking files. I do have a backup process just like cyclo which images the system once a week. I occasionally scan it with online virus scanners. So far, 0 viruses.
I've mentioned before previously in comment on your other AV article, the one rare time I did get hit by a virus which propagated itself throughout my home network, both AVG and SAV failed to pick it up. Yes, blacklists are worthless, all it takes is a small amendment to an existing virus to circumvent it, and a few days to months before the AV vendors pick up that particular variation.
The situation on my laptop is different however. In my working environment, flash drives are regularly swapped around, and often many of them contain viruses which are rather dated. An AV software works extremely well in this scenario.
I'd always recommend keeping an AV program running to the majority of the users (that is, people who don't read blogs like these) since the chances of them stumbling onto one due to the lack of technical expertise/experience is pretty damn high.
Mythokia on December 12, 2007 05:28 AM
> Can you imagine just how many people get money by producing anti-virus
> software.
I don't know how much Grisoft get from the free AVG virus checker. I mean, I assume it's nothing, as that's how much they've got from me over the years. I don't notice any drop in the power of my PC running it, although I've not run exhaustive tests or anything. I have no idea how much good it's doing but I guess it's doing something. Would not running it be better? I don't get it. Why? Even if I ran as a regular user and not administrator an executable could delete all my files. That's all I really care about.
While running as root/administrator is insecure, it doesn't mean that you are secure while running as a normal user. I maintain the position that the best protection from viruses, trojans and other malicious software is a decent education. Namely, one shouldn't trust everything on the web. A program running as user can still delete your data, for instance... very harmful.
In many distros you can find the repository installation model, where applications are installed from a central repository. I believe it is more secure than going on any random site and installing a program from there, unless the repository is compromised, of course.
Jean Azzopardi on December 12, 2007 05:44 AM
The best antivirus is to always run on a virtual machine with a backup. If you want to surf the net, run on a virtualized linux. Not a perfect system, it takes some maintenance and eventually someone comes up with a virus that infects the base OS from the virtualized OS. The battle will never stop.
By the way, I'm running Vista with antivirus OFF. No problems at all for six months.
ThatGuyInTheBack on December 12, 2007 05:47 AM
Did anyone stop to think about the vast majority of users that just want to *use* computers? Do you really expect everyone to know how to take care while using one?
Ramiro Polla on December 12, 2007 05:51 AM
Just like was posted in the previous posts about running as non-admin, I would like to point to Sudowin: http://www.lostcreations.com/sudowin/sudowin
Since I use that program I have had not a single problem running as a normal user.
Of course one problem that you could have is that a virus could wipe out all YOUR files but not those of others. Unfortunately, on my home system my files are approx. all the files on the computer.
Which leads to the other important thing everybody should do: backups!
Maybe an article about how TimeMachine revolutionizes backups?
(I don't know, don't have Leopard yet)
Joel Eidsath: and how were those Unix boxes owned? Via the HTTP server process, I presume? And I'll bet the hole wasn't even in Apache (or whatever you're running) but in a poorly secured PHP application. Well, regular users won't run a HTTP server, and a developer (like me) will probably have it behind a firewall.
As for a trojan attacking my user account, that's of course perfectly possible. But it would have very few places to hide, and I can spot it at a cursory check. Which, of course, isn't true about your regular Joe, but this just proves that social engineering is the single biggest threat to security.
Felix Pleşoianu on December 12, 2007 06:14 AM
Ultimately, a virus that just deletes your data is:
1) really quite sad (it's about the same level as telling n00bs on the internet to type in rm -Rf /); and
2) pointless (you might care about your data, but -- in the majority of cases -- why should anyone else?).
15.7KB of post and comments, and only one person mentions the possibility of using a whitelist, albeit dismissively.
Do whitelists not work either? They don't have the same scaling problem as blacklists.
I would feel much safer, even on my userland Mac, if any binary or script that didn't match a list of known-safe signatures was executed in a sandbox. I'm sure that I could be tricked into whitelisting something nasty, someday. But at least the attacker would have to be trying, which is a lot better than the current state of the game.
Blacklists work perfectly fine for my awesome ad/popup blocker, AdBlock Plus. Every other month (seriously) one gets through, and I have to manually add it. But it catches SO much that often I forget that normal people still have an ad-littered internet.
As for viruses, I think that topic is widely misunderstood and misinterpreted (by Jeff too). For starters, there is no reason why viruses would need admin rights, they just use them because right now they can. You think if tomorrow everyone would stop using the admin accounts viruses would be dead? That idea alone is ridiculous. Also, only a small percentage of viruses actually intentionally damage your PC. Most try to do some annoying stuff, true, but the chance that a virus will eat all your files is next to zero.
J. Stoever on December 12, 2007 06:27 AM
On Windows, I think that most virus and other bad things seem to come from using Outlook (Express) and/or Internet Explorer. If you don't use either of those apps, your chances of picking up anything bad go way down.
In fact, on my Windows machines I have recently removed all my anti-virus software. In years of running Windows, I have never had a single virus detected.
However, I've fixed plenty of people's computers who have become infected and they did have anti-virus software, but it typically wasn't up-to-date (and they were using IE and Outlook). I've switched them from those apps and any issues went away.
Paul Lefebvre on December 12, 2007 06:36 AM
(1) I agree that realtime antivirus scanning on Desktops is absurd, but virus scanning is a necessity for e-mail servers. I had several accounts that got 100,000+ viruses a day during the MYDOOM/NETSKY crisis. My mail reader and my mail server both ran Linux, but that didn't keep my /var partition from filling or my e-mail client crumbling under the load. Virus scanning eliminates one major category of BS that mail server administrators need to deal with.
Similarly, I've created several systems that accept uploaded files in MS formats. Malware scanning at that point doesn't stop bespoke attacks, but it prevents incidents that waste time.
I haven't seen false positives to be a big problem with malware scanners. In the last ten years I've seen one false positive for a virus scan... And I've dealt with the consequences of 10,000+ false positive "spam" emails.
(2) It's completely wrong that the UNIX permission system stops virus activity on UNIXoid systems. It's entirely possible for an email virus to:
(a) Attack an e-mail client via a buffer overflow
(b) Install itself in the user's account
(c) Add itself to a cron job that belongs to the user, to the .xinitrc, .cshrc or other place that will cause it to run whenever the user is (or isn't) logged in
(d) Connect to port 25 (and other ports) on other hosts: propagate itself
(e) Hijack the email sending mechanism of a user's e-mail client, or login credentials for sending email
(f) Install keylogging software, steal data that belongs to the user, etc.
(g) Port scan, serve as a proxy and otherwise be a stepping stone to attack other machines
(h) Open ports above 1024; become part of a botnet
(i) Send spam email
That's more than enough to support viable malware. Yes, having a secure "root" domain makes it easier to clean up the mess later, and prevents malware from boogering the kernel and/or userspace to hide its activities. But so what?
People don't attack Linux because there are far fewer Linux machines, and the software they use is less homogenous. Nothing dominates the market like Outlook in the Linux world... An attack on a particular e-mail client would only affect 10% of Linux users if that -- and Linux users are 1% of the market.
Why spend time developing malware that works on 0.1% of users when you could write one for windows and infect 50%?
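Point (c) in the list above is the part a defender can actually check: a non-root persistence hook has to live somewhere the user can write, which means the user's crontab or a shell/X startup file, and the thing it launches has to live in a user-writable or world-writable directory. The following is an added example of such a check in Python; it is not code from the post or from any commenter. The crontab and .bashrc contents, the home directory, and the "trusted" directory list are constructed assumptions for illustration.

```python
import re

HOME = "/home/alice"                                 # constructed sample user
TRUSTED_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/local/bin/")
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
SHELL_WORDS = {"[", "[[", ".", "source", "if", "then", "else", "elif", "fi", "test",
               "export", "alias", "unset", "set", "umask", "shopt", "ulimit", "cd", "echo"}
ENV_ASSIGN = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")
CRON_LINE = re.compile(r"^(?:@\w+|(?:\S+\s+){5})(?P<cmd>.+)$")   # @reboot or 5 time fields


def expand_home(token, home):
    if token == "~" or token.startswith("~/"):
        return home + token[1:]
    return token.replace("${HOME}", home).replace("$HOME", home)


def program_of(command, home):
    """The program a command line runs: first token that is not an env assignment,
    a redirection, or a wrapper such as nohup/exec."""
    for tok in command.strip().split():
        if (ENV_ASSIGN.match(tok) or tok in ("nohup", "exec")
                or tok[0].isdigit() or "<" in tok or ">" in tok):
            continue
        return expand_home(tok.strip("\"'"), home)
    return ""


def classify(path, home):
    """None for a trusted system binary, otherwise why a reviewer should look at it."""
    if any(path.startswith(d) for d in TRUSTED_DIRS):
        return None
    if any(path.startswith(d) for d in TEMP_DIRS):
        return "runs from world-writable temp dir"
    if path.startswith(home + "/"):
        rel = path[len(home) + 1:]
        if any(part.startswith(".") for part in rel.split("/")):
            return "hidden file under $HOME"
        return "user-writable location"
    if not path.startswith("/"):
        return "relative path, resolved via PATH"
    return "outside trusted system dirs"


def crontab_findings(text, home):
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = CRON_LINE.match(line)
        if not m:
            continue
        prog = program_of(m.group("cmd"), home)
        reason = classify(prog, home) if prog else None
        if reason:
            findings.append((n, prog, reason))
    return findings


def rc_findings(text, home):
    """Same check over a shell rc file, one command per ;/&&/||/|/& segment."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        for seg in re.split(r"\s*(?:&&|\|\||;|\||&)\s*", line):
            prog = program_of(seg, home)
            if not prog or prog in SHELL_WORDS:
                continue
            reason = classify(prog, home)
            if reason:
                findings.append((n, prog, reason))
    return findings


SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/bin/rsync -a /home/alice/docs /mnt/backup
*/5 * * * * /home/alice/.cache/.fontcache/.sync >/dev/null 2>&1
@reboot nohup /tmp/.X11-unix/.x &
"""

SAMPLE_BASHRC = """\
export EDITOR=vim
alias ll='ls -l'
[ -f ~/.bash_aliases ] && . ~/.bash_aliases
~/.local/share/.keyring-helper --daemon &
"""


def demo():
    return {"crontab": crontab_findings(SAMPLE_CRONTAB, HOME),
            "bashrc": rc_findings(SAMPLE_BASHRC, HOME)}
```

On a live box the input would come from `crontab -l` and the dotfiles in the home directory; the legitimate rsync job is not reported, the two hidden helpers and the /tmp binary are. The check deliberately ignores `source`/`.` lines, so a hook that sources a hidden script would slip past it; extend SHELL_WORDS handling if that matters in your environment.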
I beg to differ: blacklists, specifically for spam, can help if the context in which they are used is very narrow. Speaking from experience, mail filters and firewall rules tailored for a specific mail server can cut down the volume of junk mail by more than 90%.
Trying to extend the blacklist approach from the specific context to the general case is where the wheels come off the cart. What works reasonably well as a first line of defence against spam for a small shop will become unmanageable the wider you have to cast the net, e.g. how often you have to update the spam mail search patterns, or the IP address ranges you block.
Also, how you choose what to put into the blacklist will differ between a company's internal mail management and, for example, a case where you have to cater for users to whom you offer webmail services. If the blacklist is still "sharp" enough for one scenario, it becomes a much blunter tool if you have to include both, or more.
In the end it's a trade-off. What kind of resources are you willing to spend to keep your mail server operational? And a blacklist, or a combination of several such lists, may be more effective than a different solution that consumes more resources (memory, CPU time, false-positive rate, etc.).
olsen on December 12, 2007 06:46 AM
I agree with the last comment - I think that the "future" of security will be a combination of whitelisting and virtualization (AKA sandboxing).
Actually, the .NET Framework already handles the whitelisting in a variety of ways. And while there's nothing preventing spammers from obtaining digital certificates from Verisign for all their new worms, it would break down their economic model very quickly. The entire world does not run on .NET, of course, but a simplified model (without CAS) could be adopted for ordinary Win32/Win64 stuff.
Aaron G on December 12, 2007 06:47 AM
Spam in email has been largely defeated by Bayesian spam filters. Maybe it's about time we started doing something similar for comments. There is the possibility of false positives but comments marked as spam could just be marked and sent off to the blog author for review. This would work equally well for flame comments.
Rickahedron on December 12, 2007 06:49 AM
Regarding running as non-admin users to avoid the need for an anti-virus solution: my AV recently launched my browser under the LOCAL SYSTEM account so it could show me an advert! Not quite moving in the right direction...
http://www.daybarr.com/blog/2007/12/06/avg-antivirus-and-internet-insecurity
Day Barr on December 12, 2007 06:58 AM
Amen! to the non-admin user account.
I surf the web using a limited account. I've yet to get anything more serious than tracking cookies. I think I got hit with 1 virus in the 4 YEARS I've had the computer. The anti-virus killed it and we're back to good again. I'm not sure I agree with you on the no antivirus, but I DO agree with the limited user account.
Besides, if I *need* admin access, I'll just right click and "run as" my admin account. Best of both worlds.
wes on December 12, 2007 07:04 AM
There is another reason Macs and other *nix machines are less susceptible to viruses. Not everything is executable. Windows decides what can be executed based on filename. *nix uses permissions for executing. That needs to be addressed in Windows, but it would break so many applications.
At the core of it, Windows was designed to be a single user, isolated system. *nix were designed to be multi-user and on a network. They had the opportunity to fix it with the move to NT (3.5.1) but decided not to. Now it is so entrenched that there is no way to fix it and retain backward compatibility. If they break that, there is no reason for people to stay on Windows, and they will have to compete on the merits of the system, which is not something they have ever been good at.
P.S. Many of the applications I am required to use for my work will not execute as a normal user, and work only as admin. The registry was a poorly conceived concept, and whoever came up with it should be taught the most important phrase for their new profession "Would you like fries with that?"
Grant Johnson on December 12, 2007 07:16 AM
My biggest problem with the Windows non-Administrator user is that some programs have an automatic startup configuration (ADOBE in particular) that needs to complete for every user... but can't if you're not Admin. Really annoying. Even Firefox has problems with its auto-update. You have to log back in as admin, and then re-log as your user.
Hutch on December 12, 2007 07:27 AM
Not all blacklists are ineffective.
Adblock is a perfect example of a blacklist that works. It blocks out all those flashy bright annoying ads. It won't fool the smarter advertisers, like Google, but it gets rid of most.
Brian on December 12, 2007 07:30 AM
Jeff, relax, you're not always right and there is not always a simple solution.
Yes, running as a non-Admin is better, but not always practical.
I would never run Norton, which is a fat pig, but have been running Avira AntiVir for several years (the free version) and am very happy.
I also use a router, and rarely get a virus. What is more annoying is the crap that Ad-Aware blocks.
When a rant is spot on 100% correct does that make it not a rant?
Andy C on December 12, 2007 07:40 AM
I think Josh's comment is on the right track. Jeff, your claim that not running as an administrator magically makes the user invulnerable to viruses is just plain wrong. There are whole categories of attacks (Josh mentions most of them: DDOS, data loss/corruption, e-mail, etc.) that running as regular user will absolutely not protect against.
How about this: you convince users that antivirus software is worthless, and I'll write a virus that scans through a user's documents and web cache looking for credit card information, SSNs, and other personal information and then e-mails it to myself using a webmail system, all of which can be done without elevation in a non-admin account on a reasonably-configured system. We'll split the proceeds 50/50.
Nathan on December 12, 2007 07:41 AM
Can we switch to whitelists? They seem to be much more reliable in security. Of course, they don't scale up very well, but for desktop - they don't have to.
I mean, let the system do an md5 hash of each executable (DLL / etc. as well) I install and then warn me if something runs that's outside of that list. Then I can add it to my whitelist or deny.
I don't install / upgrade software too often.
Jakub "Kocureq" Anderwald on December 12, 2007 07:51 AM
This is all true, until you find someone with no anti-virus software who has a problem. Someone I knew had a problem with their machine and when we installed AVG and rab it, it found 197 viruses!
His computer ran OK after that!
But I get your point and it's a valid one, to a degree - just take my example above.
To be honest, one of the first things that I do when I boot up, is pause the scanning, so that I can get on with things. It takes an age to scan everything and at the speed the machine runs at, sometimes I'd be better off with an Abacus! But on the odd occasion that I do let it run I'm relieved to find that there were "No threats found".
Charlie McMahon on December 12, 2007 07:53 AM
Ok - that should have been install AVG and RAN it!
Jeff, please get a preview button!
Charlie McMahon on December 12, 2007 07:54 AM
> Spam in email has been largely defeated by Bayesian spam filters.
That's at odds with the article, which says:
"Spammers register dozens of new domains each day; you can’t possibly keep up with them. They’re bigger and smarter and faster than you. It’s an arms race, and you’ll lose, and along the way there will be casualties, massive casualties as innocent bystanders start getting blacklisted."
Which is it? Is there a spam problem, or has it been `largely defeated` or are both statements true?
Dave on December 12, 2007 08:02 AM
I would love if my Windows box worked the way my Ubuntu test box worked (unfortunately, I ended up with just enough gam.. I mean, "applications" that were Windows only to make the switch).
You install software, a nice popup asks for the admin password. Took three seconds to type it in, and that is small change in the usual download-unpack-install-configure process.
The point is that a virus can't set itself up to run every time you boot windows, in a really nasty and hard-to-get-rid-of way, unless you're running as admin.
Claudiu on December 12, 2007 08:09 AM
I know this article is about blacklists. However I would like to point something out. Almost all software can be run as a non-admin, it is part of my job to figure out what needs to be adjusted in the system or the application to allow an application to work in our enterprise environment without administrator privs. Often it is simply a case of requiring access to a very specific resource that normally isn't available to an unpriv user.
Developers need to learn how to test their software with ordinary user accounts. You can even develop as an ordinary user, we do it in our environment. You do it the same way you would in the Unix world, you use RUNAS to run specific operations as Administrator, and when you don't need to be admin, you aren't.
I really don't believe that developers "need" to be admins, especially when what they are producing really DOES need to run as an ordinary user.
Scot McPherson on December 12, 2007 08:10 AM
"Like Mark, blacklists make me angry."
Mark makes you angry? :)
Roberto on December 12, 2007 08:12 AM
It doesn't matter. What prevents a virus from running "rm -rf $HOME/*"? Most users will store their data in their home directory, as I do on my unix machines (OS X and Linux). I don't do chgrp on my data because I need to access it and I don't want to have to enter passwords for my data each time I access it.
It's a lost cause and a virus scanner is the only tool that will prevent a fair bit of the available viruses.
While this is a bad way of thinking, are system resources at that much of a premium anymore? This more than anything else is the cause of the AV bloat I see. And at least some companies are addressing that speed issue for real-time scanning.
As for the full system scans, run them overnight, or while you are out. It's the same with any system resource intensive maintenance.
But, I would love to see whitelists for AV programs. Move to the deny all except those allowed explicitly to run, and *poof* most AV software is no longer needed. If the program changes, it asks again for permission, but none of this constant Cancel/Allow stuff.
Sounds like my firewall.....
Scott on December 12, 2007 08:23 AM
I would imagine almost everyone reading this post could live pretty well without AV software. But we're not the ones who cause a considerable amount of collateral damage through our foolishness.
Imagine your small office, maybe a local real estate agent or your dentist, with no real IT supervision, people install whatever cute dancing kitty thing on their PCs, and get suckered into who knows what. They're the ones who need oversight and discipline, and yet are the least available to help themselves in that respect.
As for old viruses, they're not gone. I still get old viruses attached to e-mails in my inbox. For me, having AV software installed is like driving defensively on the turnpike. I try to be more aware because I know there are other morons who are drunk, falling asleep, on the cellphone, whatever. I have AV on my machine because it's valuable to me, and I know there are idiots out there who I have to interact with who don't have AV.
RJD on December 12, 2007 08:39 AM
I run as an administrator every day, and the ONE time I've gotten a virus in about the last two years was when somebody used my computer and downloaded a codec somewhere that carried the nasty bugger right in through it. Here's the kicker, I was running anti-virus, and it didn't do a damn thing to stop or remove the virus. I had to manually diagnose and remove the virus from my system.
The lesson I come away from that with is very simple. If you work intelligently on your computer, install updates, don't open suspect e-mails, and only download from trusted sources, then you won't have a problem. The only way someone can sneak past those defenses is with some sort of aggressive network attack, and that's what the firewall is for.
The vast majority of people who I see with viri have them because they're doing something horribly stupid on their computer, like running the bane of my existence, LimeWire. I have yet to find one person who ran LimeWire on a Windows system and came away virus-free. My roommate, who also runs anti-virus, caught a virus a few weeks ago, and when I took a look at his computer I found a LimeWire shortcut and handed it back to him. I told him to just back up his music, wipe the computer, and never run LimeWire again.
Anti-Virus computers worked well something like 10+ years ago. Back before you had every eastern european kid with a laptop and 10 minutes writing some new exploit about once a week. Now, they're nothing more than a "warm and fuzzy" for users who don't really know how to protect themselves.
Mattkins on December 12, 2007 08:49 AM
I absolutely agree with the tone of this post. I haven't used an antivirus for quite a few years now - and life is beautiful.
After I read your earlier post about performance issues caused by antiviruses, I wrote a short story that explains how to live without an antivirus: http://www.lazybit.com/index.php/a/2007/08/05/why_i_dont_use_an_antivirus
Blacklists should be replaced with whitelists - each user has their own list, and maintain it themselves, so that they don't depend on a vendor (who can require fees for each update). This is bad news for antivirus companies, because users don't depend on them anymore.
Once I whitelist all the programs _I_ use, I don't care about all the other programs out there. While the number of threats is infinite, the number of programs I run is finite - so I won't bother trying to count the uncountable, and focus on the countable instead.
Alex Railean on December 12, 2007 08:57 AM
I saw one other comment mentioning this, but I thought it was an important enough point to bring up again. You're correct in saying that signature based virus and malware detection is nearly pointless, however there is another option.
BEHAVIORAL based detection. Instead of trying to classify threats based on signatures you already have, it is cheap and almost trivial to classify a process as harmful by what it is trying to actually do to your system.
This isn't the same as Vista's UAC where a user would be asked about every action. This involves observing normal use of the system to develop a set of rules for what certain programs should and shouldn't be allowed to do. With these rules set up correctly, protection is nearly transparent to the user, I've seen it done.
J on December 12, 2007 09:00 AM
Stupid Kaspersky group scheduled scan runs all day every day at work!
Man does it suck!!!!!!!
Joe Beam on December 12, 2007 09:07 AM
I don't run any AV on my computers at home because I think the overall chance of getting a virus is low. If you pay attention to what you're and what you're opening, then you'll be fine. There are exceptions, of course, but overall that thinking has worked well for me.
And part of me thinks AV software is just a scam that feeds off people's fear and paranoia of technology. My father is into his 60s now and has a great fear of his computer, even though he's been using one for almost 20 years now. He won't NOT run AV software no matter what I say, but then he also bitches when his computer starts dragging ass because the AV is running in the background.
If you do feel you need AV then you can't bitch about your computer dogging at boot-up and when things load and open.
Morning Toast on December 12, 2007 09:07 AM
The thing that Vista does with trimmed and normal tokens is as good as running as non-admin for most users. (My sister is an exception. She has to be kept as a regular user lest she download and install some spyware-laden program in order to download music.)
Elevation is implemented pretty well. Since I fully set up my box I had to elevate privilege at most once a week, so it's not a giant pain in the ass as some depict it.
But let's talk about threats: What's happening right now is either turning PCs into botnets or fishing of financial details. Both are done wholesale and not on an individual basis. It's very rare that somebody is after your data.
Regarding the probability of ignorant users becoming parts of botnets, it's only a question of time when trojan authors will start checking whether the process they have hijacked has admin privileges and then install it under user's startup folder instead of getting into the machine startup.
With regards to financial details the situation is much better. Create a separate account for logging into your bank. If both your normal account and the separate account are not admins, the chances of you getting hit by something are minimal.
Dejan
Dejan Jelovic on December 12, 2007 09:10 AM
It's interesting that you mention Kaspersky. This last week, their heuristic detection mechanism (whatever trade name they call it) started picking up our company's software as "suspicious activity" and quarantined our main executable. Fantastic. After some analysis, it turned out that the activity it was picking up as suspicious was a process priority reset from Normal to Below_normal which we do to prevent long running, ~10 minute, calculations from tying up the CPU bandwidth and degrading performance for short running, ~2-5 second, calculations. A bit over aggressive on the part of the AV, if you ask me.
Steve Bush on December 12, 2007 09:24 AM
Um, even if you run as non-administrator on a Windows box, you still need anti-virus, because somewhere on your computer, something is running as an admin, whether you like it or not, and it was likely coded by chuckles the microsoft programmer, to whom "security" was not even an afterthought.
So a worm/trojan/spyware/malware/baddie/baddite will come along and use a security exploit and Privilege Escalation (http://en.wikipedia.org/wiki/Priviledge_escalation) to run as Admin on your machine.
Chris Wilson on December 12, 2007 09:34 AM
Great article; it touches on things I have been advocating for years. I used antivirus software for a couple of years back in the late 90s and realized I was still getting viruses. I used to work as a tech and learned much better ways of handling this without costly antivirus software (costly being CPU and resource usage). There is great software out there for ghosting a machine, creating disk images that will not take up disk space and refresh your system back to the way you want it.
Also, you can always reformat your machine, which is what I was doing for a while. But then you have to always reinstall everything. That was costly in time, which is valuable. So in my humble opinion it is best to create a ghost image of your machine how you want it, all your software set up and the settings you prefer. Then when something goes bad just reload the image. There are some small costs I should outline. First, every time you add new software you use often you must create a new image, but how often does that happen? One might also argue every time they do that they will lose their data. But that isn't true: media and drives are so cheap now that all usable or valuable data should be kept on those mediums so as not to be affected by this process.
Lastly, working with images is a bit tricky at times. It takes some knowledge. But once you get it down it will save you time, money and the headaches that come along with dealing with viruses, spyware and everything else. Oh, and as a fellow developer, it doesn't restrict your development process by running as a non-admin, which I love! Hope my 2 cents is helpful.
Matt Geiser on December 12, 2007 09:42 AM
Jeff hit idea #2 of the six dumbest ideas in computer security: http://www.ranum.com/security/computer_security/editorials/dumb/ and I totally agree. It is just a scaling issue.
If you want to visit the secret war room like in "Dr. Strangelove" they don't let 6 billion people in but then check to see who they should kick out, nope, they probably have a list of who should be in there in the first place. If you aren't on the list, you don't get in, or at least must have a good reason. I agree with the other Chris about whitelists, it makes the problem more *tractable* at least. You have a list of things that are permitted in memory and that's it. You can add a new program to this list, and this is a security hole, yes *but* maybe you should examine the source before you do so? Closed source? Why use it? How valuable is your data?
Chris on December 12, 2007 09:53 AM
Even when running as non-administrator but with the administrator password, when malicious code wants to make system calls (let's say in Vista), I would expect to see an "allow" or "continue" button. I would believe most users (or those who don't read your blog) would naively click allow/continue (or type in the admin password).
Viruses are commonly hidden in software people download. Most people want no hassle software and click through whatever they think the system requires for them to get their software.
I am not an average user, but being a software engineer, I am also the proclaimed family IT specialist (such a burden on many of us in technology!). This is probably the #1 reason for infections or malicious code execution in my experience.
This is why anti-virus software is important. I think it compensates for an average user's naivetés.
Jerry on December 12, 2007 09:54 AM
You could enforce security with a whitelist, but you cannot stop end-users from adding harmful applications to that whitelist. Especially if the file comes from someone they trust.
techy on December 12, 2007 09:58 AM
i tried running as a non-administrator in windows xp for quite a while. my xp partition is solely for gaming and all my email, picture printing, browsing, etc. is done in vista.
i really wanted to play games as a non-administrator. really. i created an administrator account called "installer" and a different "limited account" to run my games. i'd install a game as the installer user, log off, then log in with my gaming account to play.
first i had problems running my saitek programming software. research revealed this program can't run without some admin privileges. after modifying permissions for specific registry keys i had it working.
the next problem is that anytime there is a game patch released i'd have to jump through hoops to get it installed. here's how it would go:
1. log in with limited account to surf web and download patch
2. log off
3. log in with administrator account to install patch
4. log off
5. log in with limited account again to play the game
what a pain.
some games won't even run if you aren't an administrator.
others will exhibit very odd behavior. for example, the original soldier of fortune game was well known for its over the top gore. i installed this game with my installer account. when i went to play it with my gamer account--no gore!?! even performing a "run as..." with admin privileges would not show the gore. i even went into the registry and gave all the soldier of fortune entries admin privileges. no gore. only if i played the game with an administrator account would i see the game how it was intended to be seen.
after about 6 months i gave up, deleted the installer account and made my gaming account an administrator account.
cowgod on December 12, 2007 10:00 AM
"There's almost nothing a virus, malware, or trojan can do to a user who isn't running as an administrator."
Even if you're not admin/root/superuser/whatever your OS calls it, a virus/malware/trojan could still write to every file your user-account has write-access permissions for (e.g. all your documents, any songs you've composed, your music, picture and movie collection, etc.) which is pretty much all the files I care about.
If I had to choose between losing my personal data files and losing core system files, I'd rather lose core system files, because I can always just reinstall the OS (whether that OS be Windows, Mac or *nix). I can't just "reinstall" my personal data files.
Nebu Pookins on December 12, 2007 10:04 AM
When running as non-administrator basically this happens: you can not destroy or otherwise modify 'important' system data. Included in that is that you can only modify your _own_ data. But think of it, what is more important to mister I-only-write-documents? His 'C:\'-disk that he can repair with one button and a manual of his PC, or his 'My Documents' with all his work documents that he forgot to back-up in the past month?
I am not trying to say that running as non-admin is a _bad_ thing, I'm just saying that for average Joe it is nothing at all better than running as admin.
Thomas on December 12, 2007 10:04 AM
"Why perpetuate the broken anti-virus blacklist model when we don't have to?"
well, I believe as of now, we HAVE TO.
no offence but blacklisting does save my ass off hundreds of viruses from flash drives and public machine...
well look at Vista and the future I think MS already heard you but it might take some time... I guess you'll just have to be patient! I believe everyone already realizes part of that; it'll just take some time.
nekocoder on December 12, 2007 10:13 AM
I am of the opinion that most people expect too much of AV software. Most people draw the wrong assumption, and it is because of misleading advertising strategies, that AV software actually protects you from threats. AV software is supposed to complement good practices as a user, proper configuration of the machine/network etc.
What they -AV developers- should be doing, is advertising that their software eliminates the hassles of older and known threats as well as most 'strains' of these, and then take a pro-active position in actually warning their users and potential users that the world is an evil place, with new undetectable threats arriving daily that are not going to be blocked until they get a chance to dissect, classify, and send out the detection update.
In all honesty, I'm thinking that the best thing any AV company could ever do is to abandon the age-old tactics and start from the ground up, a new attitude and less gimmicks. We need to start towards a system that looks for behaviours in running processes. The amount of triggerable events that can be defined as being 'harmful' would be far smaller than any blacklist or detection signatures.
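Two commenters in this thread (the one above and J, earlier) argue for behaviour-based detection: observe what programs normally do, then alert on deviations rather than on signatures. The following is an added illustration of the minimal version of that idea in Python; it is not code from the post or from any commenter. The event stream, the process names and the rules for generalizing a target into a "class" are constructed assumptions. It also reproduces Steve Bush's Kaspersky case: a priority drop that appears in the baseline is not an alert.

```python
from collections import defaultdict

# Constructed event stream: (process, action, target). A real sensor would feed
# file/registry/network/process events from a driver or audit log.
NORMAL_USE = [
    ("winword.exe", "file_read", r"C:\Users\alice\Documents\report.docx"),
    ("winword.exe", "file_write", r"C:\Users\alice\Documents\report.docx"),
    ("firefox.exe", "net_connect", "203.0.113.10:443"),
    ("firefox.exe", "file_write", r"C:\Users\alice\Downloads\setup.exe"),
    ("calc-engine.exe", "set_priority", "BELOW_NORMAL"),   # the long-running job case
    ("calc-engine.exe", "file_write", r"C:\Users\alice\Documents\results.csv"),
]

LATER = [
    ("winword.exe", "file_write", r"C:\Users\alice\Documents\memo.docx"),
    ("winword.exe", "process_create", r"C:\Users\alice\AppData\Local\Temp\update.exe"),
    ("calc-engine.exe", "set_priority", "BELOW_NORMAL"),
    ("firefox.exe", "net_connect", "198.51.100.7:443"),
    ("firefox.exe", "registry_write", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"),
    ("svchosts.exe", "net_connect", "198.51.100.8:6667"),
]


def generalize(action, target):
    """Collapse a concrete target into the class the baseline is keyed on, so that
    'another file in the profile' or 'another HTTPS host' is not a new behaviour."""
    if action in ("file_read", "file_write", "process_create"):
        return "\\".join(target.split("\\")[:3])       # drive + first two folders
    if action == "net_connect":
        return "port " + target.rsplit(":", 1)[-1]
    if action == "registry_write":
        return "\\".join(target.split("\\")[:2])       # hive + first key
    return target


def learn_baseline(events):
    """Per-process set of (action, target class) observed during normal use."""
    baseline = defaultdict(set)
    for proc, action, target in events:
        baseline[proc].add((action, generalize(action, target)))
    return baseline


def check(events, baseline):
    """Alerts for processes never seen, or known processes doing something new."""
    alerts = []
    for proc, action, target in events:
        if proc not in baseline:
            alerts.append((proc, action, target, "unknown process"))
        elif (action, generalize(action, target)) not in baseline[proc]:
            alerts.append((proc, action, target, "new behaviour for this process"))
    return alerts


def demo():
    return check(LATER, learn_baseline(NORMAL_USE))


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The three alerts are a word processor spawning an executable from Temp, a browser writing a Run key, and an unknown process talking to port 6667; the repeated priority drop is silent because it was learned. The generalization rules are the whole game: too fine and every new document is an alert, too coarse and a dropper writing under the profile looks like normal file activity.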
Jeff,
Write another article discussing how much damage a virus could do if you were running Windows in non-admin user mode. Suppose you visited a website that hijacked Firefox with a buffer overflow and installed a virus-infected version of Firefox with a keylogger. It installs the Firefox binaries within the "My Documents" folder, so it doesn't need any special permissions. It changes the links on the Desktop to launch this infected version.
The next time you ran firefox you would have no clue that firefox was infected with a keylogger. Finally you go to your bank site and every key is logged and sent to a remote host. A browser can encrypt your information and send it to the bank securely, but if the client is hacked, who can you trust?
Scary.
Kashif Shaikh on December 12, 2007 10:22 AM
running anti-virus software in the largest virus in the world is an oxymoron.
john Phillips on December 12, 2007 10:30 AM
I enjoy the feeling of security I get from running Linux, but even back when I was running Windows I was able to avoid (visible) malware just by never using Internet Explorer and always running questionable executables (e.g. keygens) in a virtual machine.
I agree with you about blacklisting, but I think you're overestimating the value of not running as admin. The most important files to me are my personal data, my source code and writings and pictures I've created, etc. I can easily and quickly reinstall and setup Linux, but my personal data is irreplaceable.
James Justin Harrell on December 12, 2007 10:37 AM
Check out sudown for Windows machines. No need for AV.
Bob on December 12, 2007 10:43 AM
> I can easily and quickly reinstall and setup Linux, but my personal data is irreplaceable.
Then of course you regularly back up your personal data, right? To an off-site host (typically, "The Internet")? Many services out there make this easy, such as Mozy (http://mozy.com/) and Carbonite (http://www.carbonite.com/).
Again: I want to encourage things that work, things that make sense. Anti-virus is neither. I do believe regular backups fit both of these categories.
> Now all we need is a primitive anti-virus and a much heavier focus on decent backup tools - which is good for more than just virus damage. That seems to me a much more logical way to proceed. People are currently so focused on an impossible prevention they don't spend enough time worrying about how to recover from it.
Exactly.
Jeff Atwood on December 12, 2007 10:46 AM
I love the folks who install three anti-virus "solutions", and another two personal firewalls, in addition to the built-in firewall.
All active simultaneously, of course.
They really believe that they are this way more protected.
In fact, they are, but only because nearly nothing runs any more.
They effectively managed it this way, to block all auto-update functions, which led to year-old programs like quicktime, full of buffer-overflows.
But they just feel safe, because they threw money away.
It's a little bit like snake oil.
If you promise you solve a problem, and they only have to pay, instead of learn, most people prefer to pay.
Even if the solution is proven to fail mostly.
I run as admin all the time and don't use any anti-virus software. The only thing I do not run as admin (via DropMyRights) is firefox and thunderbird. Where else am I going to get a virus? A floppy disc boot sector virus? uhh...right. Don't download executables from unknown locations and you'll be fine. I think the last time I had a virus was pre-1990. And yes, it was from a floppy boot sector virus.
Tim on December 12, 2007 10:59 AM
Actually AV software vendors tend to remove all the old and outdated signatures. Otherwise, the sig files would bloat and become massive.
Thus, many of the tested virii are fairly recent and moderately relevant.
That's why WindowZones exists... it allows Windows users to continue their bad practice of running as admin but it locks things like IE/Mail/etc into non-admin sandboxes. Check it out at WindowZones.com
This is -exactly- the scenario and rationale that the product was created for!
Dave on December 12, 2007 11:37 AM
In my opinion, Microsoft Vista's "Allow/continue" dialog boxes have nothing to do with security for the exact reasons that many people have already commented on: No ordinary user is going to do anything more than click "allow" whenever they are confronted with the dialog. I can't picture my mom (or any of a number of accountants in our company) saying, "oh look... this software is doing something suspicious. Should I allow it?" She's just going to click ahead.
Instead, Microsoft is using the age old method of CYA (Cover your ***). By putting up incessant warnings to the user, when something goes bad Microsoft can claim, "Oh, but we told you about it, so the damage is really your fault."
Steve Bush on December 12, 2007 11:52 AM
Quite possibly the most ridiculous post I have seen on your website. Everyone else has your mistakes covered though so I just want to register my disdain for this.
Heywood Kenobi on December 12, 2007 11:53 AM
I did not read all your comments (too many). But the notion that nix/OSX does not suffer from malware because of non-administrator default settings is quite absurd. The reason they're not affected is because it's not profitable for the malware writer at this point in time, and for no other reason. There is *nix malware, two new ones just this week. Check Sophos.
"There's almost nothing a virus, malware, or trojan can do to a user who isn't running as an administrator."
That statement is completely inaccurate. A trojan can steal the data from your home directory and HTTP it back home, no need for administrator there. Malware wants your data, not just your box or root account. And since you run most apps as non-administrator, I think its safe to say that most malware has access to that data.
Chris on December 12, 2007 12:20 PM
The link provided to AV Comparatives is broken, however after looking around the site a bit, I found this recent report:
http://www.av-comparatives.org/seiten/ergebnisse_2007_11.php
The detection rates range from 3 to 81% (with many false positives) on the proactive report. So, basically, all AV software is only useful if somehow magically patched and given new detection patterns before malware even hits the wild.
ALL damaging new malware is tested against AV and tweaked until it's invisible prior to distribution. Blacklisting is a semi-pointless remedial action, much like banning liquids on aircraft because someone might have once made a bomb with liquids. This awkward security theater prevents nothing.
orange on December 12, 2007 12:20 PM
Jeff,
What about white-lists? More often than not the software that stays on your machine is very static.
Even developers do not change their software stack all too often. You need to white list build output folders though but since there is no consistency as to where these are from machine to machine, a virus writer would have trouble exploiting that weakness.
I've found that a good counter-measure is to use XP Pro's built in functionality called Software Restriction Policies. Let Google be your guide.
It works beautifully on my parent's machine and has kept them Virus free for a couple of years now.
Simon
Simon Johnson on December 12, 2007 01:13 PM
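Two of the comments above fit together: the opening one describes a repointed desktop shortcut launching a copy of Firefox dropped into "My Documents", and Simon's suggests XP Pro's Software Restriction Policies (default Disallowed, with path rules for trusted folders). The block below is an added example, not code from either commenter or from Microsoft: it models that default-deny decision logic in Python and runs it over constructed shortcut targets, including a `..` traversal variant that a naive prefix check would wave through. The allowed roots, shortcut names and paths are all assumptions for the demo.

```python
"""Added example: a model of a default-deny execution policy with path rules,
in the spirit of XP Pro's Software Restriction Policies (SRP). This is not
SRP itself (real SRP lives in Group Policy / the registry); it only shows
the decision logic and why the "infected Firefox under My Documents" trick
fails under it. Paths and shortcut targets are constructed sample data."""
import ntpath

# Constructed policy: everything is Disallowed unless it lives under one of
# these roots, which non-admin users cannot write to on a sane install.
ALLOWED_ROOTS = (r"C:\Program Files", r"C:\Windows")


def _canon(path: str) -> str:
    """Collapse '..' and '.' segments and fold case and slashes, so that
    'C:\\Program Files\\..\\Users\\x\\a.exe' is judged by where it really is."""
    return ntpath.normcase(ntpath.normpath(path))


def is_under(path: str, root: str) -> bool:
    """True if path is root itself or a descendant of root."""
    p, r = _canon(path), _canon(root).rstrip("\\")
    return p == r or p.startswith(r + "\\")


def evaluate_launch(target: str, allowed_roots=ALLOWED_ROOTS) -> str:
    """Return the SRP-style security level for launching target:
    'Unrestricted' when it is under an allowed root, else 'Disallowed'."""
    if any(is_under(target, root) for root in allowed_roots):
        return "Unrestricted"
    return "Disallowed"


def audit_shortcuts(shortcuts: dict, allowed_roots=ALLOWED_ROOTS) -> list:
    """Given {shortcut name: resolved target path}, return the names whose
    target the policy would block. A desktop link whose target has been
    moved into a user-writable folder shows up here."""
    return sorted(
        name for name, target in shortcuts.items()
        if evaluate_launch(target, allowed_roots) == "Disallowed"
    )


# Constructed sample: the scenario from the comment (a desktop shortcut
# repointed at a copy of Firefox under My Documents) plus a traversal
# variant that a plain string-prefix check would accept.
SAMPLE_SHORTCUTS = {
    "Firefox.lnk": r"C:\Program Files\Mozilla Firefox\firefox.exe",
    "Notepad.lnk": r"C:\Windows\system32\notepad.exe",
    "Firefox (repointed).lnk":
        r"C:\Documents and Settings\alice\My Documents\firefox\firefox.exe",
    "Firefox (traversal).lnk":
        r"C:\Program Files\..\Documents and Settings\alice\My Documents\firefox\firefox.exe",
}

if __name__ == "__main__":
    for name, target in SAMPLE_SHORTCUTS.items():
        print(f"{evaluate_launch(target):12} {name} -> {target}")
    print("blocked:", audit_shortcuts(SAMPLE_SHORTCUTS))
```

A path rule is only as good as the assumption that the allowed roots are not writable by the user: any folder under Program Files that an installer left world-writable becomes a launch pad, which is why SRP also offers hash and certificate rules for the cases a path rule cannot cover.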
Antivirus software has always worked fine, for me, both at home and at work. Realtime protection blocks the intruders every time.
And why unix or mac users don't need an antivirus? Simple: because there are 0,1% the number of viruses for those operating systems than for Windows.
friol on December 12, 2007 01:15 PM
Like real viruses, the best way to fight viruses on your computer is prevention. Learn to use the Internet. If a site looks suspicious, stay away. If you're looking for porn, don't click anything that says "free". It's not, and you'll regret trying. Watch out for places with lots of ads. If you see a banner offering a free toolbar, DON'T DOWNLOAD IT. In fact, you may want to use an ad blocker. I recommend Adblock+ if you're using Firefox. And if you get email attachments, don't download them unless you know exactly what they are. If you got an unexpected attachment from a friend, it doesn't hurt to ask if they actually sent it themselves.
If you're going to spend money securing your computer, PLEASE, don't waste it on antivirus. If you play your cards right, you won't need it. Get a firewall or something.
Personally, I'm glad to be on a Mac. I just don't have a problem with viruses.
WurdBendur on December 12, 2007 01:21 PM
In fact, as an added measure of security (though not perfect), absolutely do not surf for porn with IE, and don't use Outlook Express to read email (and make sure whatever email program you use lets you read them as text-only and isn't rendering HTML automatically).
The unfortunate fact is that the most effective "virus" problems are trojans and worms taking advantage of exploits in common software (IE, OE, WMP, QuickTime in the case of Mac users). Instead of keeping anti-virus software up to date, people should be keeping their every-day programs, including but not limited to the OS, up to date. This is especially true for anything that renders HTML and/or includes scripting support for any reason.
Of course, these are all things that everyone here should already know. Furthermore, we should all know that it doesn't really matter what OS you're on, because they all have the same basic issues when someone decides to go ahead and let a piece of software that should be suspicious to them execute on their system.
Vizeroth on December 12, 2007 02:25 PM
One thing that I'm surprised that nobody has touched on is the fact that most (if not all) good software firewalls these days include action prevention mechanisms and Application Behavior blocking. Granted this is similar to the Vista Permit/Deny setup - but sometimes preventing unwanted behavior isn't just a matter of preventing it from actually reaching your computer. Having the tools ready to prevent unwanted behavior from even 'good' applications can protect you as surely as never running 'bad' apps.
As for myself, I don't run anti-virus on my main PC either - but I also use a completely separate computer as a 'workhorse' to do downloading & extraction so as to be able to continue whatever I happen to be doing on my main PC without interruption. Virtualization taken to an extreme, heh.
Aquaricat on December 12, 2007 03:11 PM
Off topic, but does anyone have a suggested list of blogs similar to this one?
Pete on December 12, 2007 03:30 PM
I'll talk about RDF... please don't run away! :-)
The Decentralized Information Group at MIT has a whitelist policy based on FOAF and OpenID which is IMHO very interesting. Basically, you have to be a foaf:knows (two levels deep) of a foaf:member of the DIG group. Sean B. Palmer has a nice summary on the subject: http://inamidst.com/whits/2007/10
Also, other people started to implement exactly that but based on XFN (you know, the microformat) and for WordPress, as a plugin : http://code.google.com/p/diso/
The only reason antivirus vendors don't change their practice is because they rely on the profits generated from continued subscription - they won't "bite" the hands that feed them in a sense, since it's in their interest to just fix up symptoms of a problem, not the cause.
This is similar to some pharmaceuticals - they produce drugs which suppress symptoms, but don't cure the disease. That way, the patient will need to continuously buy the drug, and thus the company makes more dough. Replace with antivirus vendor, and the scenario still makes sense.
Chii on December 12, 2007 04:03 PM
You are of course right about blacklists and anti-virus software Jeff, but have you considered the use of blacklists for browser ad blockers?
In this very different circumstance they appear to work rather splendidly. It feels like years since I've seen an ad on the internet. (Of course I never clicked them anyway, _ever_. Was it you who Twitter'd http://blogs.mediapost.com/spin/?p=1085 ?)
(FYI your tasteful and notated ads are not blocked by the Firefox Adblock Plus extension)
Christopher Galpin on December 12, 2007 04:07 PM
Agreed 110%, with 1 concept the author introduced. That's "HEURISTICS" & it RULES! Being able to detect what NOBODY ELSE HAS ALREADY, is key!
I just mentioned that here in fact, to a person debating ESET NOD32 vs. AVG, & ESET went 12/12 at av-comparatives' website on HEURISTICS (best guess/"smells like a duck, tastes like a duck: MUST BE A DUCK!" type stuff), here:
http://www.av-comparatives.org/seiten/ergebnisse_2007_08.php
AND, the same @ VB100 website too & it passed ALL of their tests with FLYING colors (40 vendor's antivirus offerings tested, & only 3 did this). See here:
http://www.virusbtn.com/vb100/archive/results?display=summary
ESET NOD32 #1, & not only where it's important (heuristics) the most, but also for SPEED (written MOSTLY in assembler, & this helps, with a good algorithm!)
APK
P.S.=> Personally, also professionally (I kill these things daily, both spyware &/or virus, etc. et al)? I see FAR MORE spyware the past year now, by far, vs. std. classical "viruses"... apk
APK on December 12, 2007 04:41 PM
Where I debated this (as to what I feel is important in antivirus products today, sorry, missed posting it here earlier):
http://www.neowin.net/forum/index.php?s=3953b2d51f1210e888e8141875774601&showtopic=602537&hl=
HEURISTICS (best guess tech for UNKNOWN threats) rules, & ESET NOD32 seems to "rule that roost" per evidences in my last post here, above!
APK
APK on December 12, 2007 04:45 PM
"I love the folks who install three anti-virus-"solutions", and another two personal firewalls, in addition to the built-in firewall.
All active simultaneously, of course."
Of course they're not all active simultaneously. They're all expired, but no-one knows how the buggery to uninstall them.
Running as non-admin won't protect you from something taking advantage of a buffer overflow. But then neither will most AV software. Not in time. That's the whole point of the article - blacklists don't work. So you've got this behemoth of a utility churning away in the background that's protecting you less than, currently, running as non-admin in most respects.
Again, to reiterate my previous post. We are fighting a losing battle with completely the wrong emphasis. A normal person's computer gets infected, and it will whether they have the latest shiniest AV software or not. If they're lucky it just bogs their machine down until it slows to a crawl. A simple AV can help prevent/detect and fix this sort of thing - so long as it doesn't slow it to a crawl in the first place. At worst it takes their machine down and they've lost all their data (all they can do is take it to the shop, and they will more often than not wipe the HDD just for good measure, even if they promise on pain of death that they won't). Backup is now the only answer. Or it mines their machine for sensitive information, and the only prevention against that is education.
AV software as it is currently marketed is a false hope.
[ICR] on December 12, 2007 05:08 PM
A solution:
* You have 10 different programs for performing the same task T
* Each time you need to do T, you pick randomly one of the 10 programs
Against saturation attacks, let's use saturation defense :D
Alex on December 12, 2007 05:11 PM
Look, it's not about statistics or anything: it's about practicality.
Practical, real world example
-------------------
1) Long ago: Windows XP from 2002-2005 WITH McAfee virus protection, SpyBot and Adaware on a computer that's junk now. By 2003, it's so infested that SpyBot and Adaware can't do anything. Especially with "CoolWWWSearch." 2006: I used Xubuntu and made sure it ran well as a server up to now.
2) I used Ubuntu, from 2004-now. I've actually tried to catch a virus. Nothing bad has happened to it. Oh wait, it has had things happen to it, like the bootloader getting screwed up, but that was from installing something wrong. Namely, a windows driver. And all I needed to do to right that was to use my super grub disk. NEVER has it been from any site.
Can virus writers change OSes? Theoretically, yes. Practically, they know "everyone" uses Windows. Hell, there's a good chance they do. But even ignoring that, they'd have to discover an exploitable flaw in Linux (and in what flavor of it? what distro? many have different architectures, some are bleeding edge...) and then they have to make sure Linux users even visit their sites or whatever. All that hassle to write something... they don't/won't do it.
Not to mention the OSS community's insane patching speeds. And Mark Shuttleworth is friggin awesome, he's been to outer space xDDD
Sammy Liu on December 12, 2007 05:32 PM
Sorry for double posting: But my example just goes to show that for me, using non-Windows has proven to be 100% effective.
Period.
Sammy Liu on December 12, 2007 05:33 PM
disappointingly naive.
Xepol on December 12, 2007 07:43 PM
Do this, on a Windows Machine (ALL of this):
http://forums.tweaktown.com/showthread.php?s=8c20469080ebaac688073e175d7aa796&t=25596
You won't get any virus/spywares, period, if you do the CIS Tool test, & practice some common sense & be smart!
APK
P.S.=> It's HOW to secure Windows 2000/XP/Server 2003, & yes, EVEN VISTA (via principles used) really... No virus/spyware etc. here, & same setup since 2002-2003... apk
APK on December 12, 2007 08:10 PM
So all those times my anti-virus scanned my PC and used all my resources it had a to-do list? Software that does not work = crap and should be treated as such. If you are worried about your data and maybe backing up isn't enough for you then:
1. Get yourself an external hard drive (a big one) or an 8GB (or more) pen drive. NB: this storage device is only for backing up and nothing else, DO NOT use it to transfer files.
2. Every day after work make archives (using WinRAR) of your data and store them on your HD or pen drive.
3. Repeat step two (2) every day and you should be fine.
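The three-step routine above is only as good as the archives it produces, and "make an archive every day" says nothing about checking that yesterday's archive still opens. The following block is an added example, not the commenter's procedure or any WinRAR feature: it writes a dated zip of a data folder with a SHA-256 manifest inside, then verifies the archive by CRC and by hash. The folder names ("My Documents", "external-drive") and file contents in `demo()` are constructed in a temporary directory.

```python
"""Added example, not the commenter's procedure: make a dated archive of a
data folder, record a SHA-256 manifest inside it, and verify the archive
later. Keeping the archive on a separate device is still up to you; the
point here is that a backup you cannot verify restores nothing. Sample
data in demo() is constructed in a temporary directory."""
import datetime
import hashlib
import json
import os
import tempfile
import zipfile

MANIFEST = "MANIFEST.json"   # member name used for the hash list (assumed)


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def backup_dir(src: str, dest_dir: str, when=None) -> str:
    """Zip every file under src into dest_dir/backup-YYYYMMDD-HHMMSS.zip
    together with a manifest mapping relative path -> SHA-256. Returns the
    archive path, so a caller can verify it immediately."""
    when = when or datetime.datetime.now()
    archive = os.path.join(dest_dir, when.strftime("backup-%Y%m%d-%H%M%S.zip"))
    manifest = {}
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
        for dirpath, _dirs, files in os.walk(src):
            for name in sorted(files):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, src).replace(os.sep, "/")
                with open(full, "rb") as f:
                    data = f.read()
                manifest[rel] = _sha256(data)
                zf.writestr(rel, data)
        zf.writestr(MANIFEST, json.dumps(manifest, indent=1, sort_keys=True))
    return archive


def verify_backup(archive: str) -> dict:
    """Re-read the archive: CRC-check every member, then compare each file's
    SHA-256 with the manifest and flag missing or unlisted members.
    Returns {"ok": bool, "files": count, "errors": [messages]}."""
    errors = []
    with zipfile.ZipFile(archive) as zf:
        bad = zf.testzip()            # first member with a CRC error, or None
        if bad is not None:
            errors.append(f"CRC failure in {bad}")
        manifest = json.loads(zf.read(MANIFEST))
        members = {n for n in zf.namelist() if n != MANIFEST}
        for rel, digest in manifest.items():
            if rel not in members:
                errors.append(f"missing {rel}")
            elif _sha256(zf.read(rel)) != digest:
                errors.append(f"hash mismatch {rel}")
        for extra in sorted(members - set(manifest)):
            errors.append(f"unlisted member {extra}")
    return {"ok": not errors, "files": len(manifest), "errors": errors}


def demo() -> dict:
    """Constructed data set: two files in a temp folder, backed up to a
    second folder standing in for the external drive, then verified."""
    with tempfile.TemporaryDirectory() as root:
        src = os.path.join(root, "My Documents")
        os.makedirs(os.path.join(src, "code"))
        with open(os.path.join(src, "thesis.txt"), "w") as f:
            f.write("irreplaceable words\n")
        with open(os.path.join(src, "code", "main.c"), "w") as f:
            f.write("int main(void) { return 0; }\n")
        dest = os.path.join(root, "external-drive")
        os.makedirs(dest)
        archive = backup_dir(src, dest)
        return verify_backup(archive)


if __name__ == "__main__":
    print(demo())
```

Running `verify_backup` on a copy of the archive after it has been written to the backup device, rather than on the original, is what actually tells you the device holds a usable copy.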
Blacklists didn't USED to work.
They do now.
Most of the spam that gets through my Gmail spam filters nowadays, however, is from "legitimate" marketers with real email addresses. Conde Nast/Gourmet are among the very worst, but SONY is another bad actor.
Blacklists work very well for these senders.
It is ironic that a decade after they became obsolete blacklists are back again.
John Faughnan on December 12, 2007 08:58 PM
I work on a team of three developers that has been developing ASP.NET web sites, WCF services, and ClickOnce WinForms apps for the past 18 months in the following environment:
* NON-ADMIN! XP and Vista, VS2005 and VS2008.
* Vista with UAC on.
* 64-bit Windows.
It is *NOT* hard.
And, yes, blacklists suck.
Jason Stangroome on December 12, 2007 09:42 PM
Hey dude, your blog is great. It makes me want to blog too. Today's topic is pretty silly though, but at least it's doing the blogger's job of creating a dialogue here.
Anyway instead of leaving my comments on the issue, I thought I'd blog about it too!
http://fuzzyschemes.blogspot.com/2007/12/naive-computer-security.html
Nice article, Jeff!
John DSouza on December 12, 2007 09:56 PM
I haven't run a virus scanner on my desktop during my working life (I work as a .NET developer, previously Win32 and some Java on Linux).
I've yet to cause any problems on the corporate network (going on eight years sans a scanner now).
I don't run one at home either. Its pointless, and I never intend to.
nexusprime on December 12, 2007 10:30 PM
Virus scanners are only as smart as their users:
Users who click on every attachment, just because they *have* a virus scanner promising to protect them will still catch a virus sooner or later. That's statistics law, as long as the detection rate does not equal 100%. Which is - as we all know - impossible to achieve, because the virus has to be in the wild, before it can get analyzed and added to the signature data base. IOW: Someone has to get sick before you can invent the vaccine. It'll never work the other way around.
The other sort of users who don't trust their software and think before they execute any kind of software, don't need a virus scanner, because they have a brain doing its job. And the brain's heuristics seem to be much more efficient. ;)
After all, there's this universal truth:
Virus scanners can only show the presence of viruses, never their absence.
That is what makes virus scanners useless as a protection measure. They may have their use as part of an intrusion detection system, though.
P.S. Telling me that a virus scanner actually protects you from getting viruses onto your machine is like telling me that software can get "bug-free by testing".
Vinzent Hoefler on December 12, 2007 11:23 PM
The reason why admin rights are such an issue is because of the deployment strategies of many programs.
In my workplace, I had to get admin rights because I needed to install a newer version of Java Development Kit. Compare that to Digital Mars C++ Compiler, which can be installed by unzipping the folder, and adding the bin directory to the path.
Jon Abaca on December 12, 2007 11:56 PM
For years, I ran my XP system without virus software. Then somebody claimed it was irresponsible for me to do that, and I was probably infected with all kinds of public nuisances. I doubted it, but I installed one of the well-known anti-malware packages just to make this somebody shut up. It found nothing. I left it installed, and in the years since installing it, it has found nothing. Nothing nothing nothing. These people who are inadvertently helping run the spam botnets... Who are they and what are they doing to "join"? It's not as if I'm extra-careful, though I do view all filename extensions and I am suspicious of email enclosures. Does that make me super-anti-malware-expert-man? I am starting to think malware is about as real a threat as WMD in Iraq. Maybe it's something you notice if you're responsible for maintaining a thousand computers operated by complete idiots, but that's not me (the responsible one or the idiots).
pete on December 13, 2007 12:01 AM
I believe the OS should simulate the Admin account for non-Admin users. This will make the viruses believe they've infected the system... Also, the OS should kill programs that try to infect OS system files or that try to write to user files that were created with other programs, unless the program uses a system dialog to open the file.
This way, the user can work without having to logon as an Admin and user files are protected adequately.
Of course, when a user wants to install a program for a group, he should have the privileges of that group.
Just some ideas, probably not too original (but Vista could have used some clarity of ideas in the conception of the OS).
All OS's have vulnerabilities. And many of those vulnerabilities allow code to execute with elevated privileges, so running as non-admin will not save you if you come across one of these little nasties in the wild that was written to take advantage of that.
And yes, this is even true if you are running Linux or Mac. There are exploits that can do this on those OS's too.
Telling people to ditch their antivirus and to instead run as non-admin, is a very irresponsible thing to do.
I hope nobody takes you seriously and actually does it.
What they should be doing is using a non-admin account AND running their antivirus as admin.
app on December 13, 2007 12:45 AM
1) Whitelists work fine ... but how do I get mail from people who have not sent mail to me before? - Oh, it's in the spam box with the 10,000 spam emails (and since it's an order from a new customer it's the most important email I will get today)
2) Unix security is not just don't run as an admin, it is don't run things just because they are a program as well
A particular buffer overflow exploit will only work on one version of one program, this means that all the users with their autopatched latest Outlook are all the same but the user running another client is less likely to get hit
Buffer overflows, and stupid users will compromise any system, but the other methods of infection are stopped on Unix systems, and the most common one, of a user trying to run the program that someone sent them or they found on a website, is difficult enough to to so that they won't bother
3) Why is development so difficult to do on Windows without running as Admin? Unix users developed most of Unix without their development tools running as admin. Is this just Microsoft taking the easy option?
Jaster on December 13, 2007 01:14 AM
Great article. Antivirus software is voodoo but Unix as a personal OS has holes too. For example. . .
Lots of users have a personal bin directory prefixed on their $PATH. They could be tricked into running sudo malware with a file like $HOME/bin/apt-get.
Sudo is often configured to only ask for a password if some amount of time has passed since the last sudo because entering a password constantly is annoying. Unprivileged malware could watch the process list for a user command known to require sudo and time its attack to gain root privileges by calling sudo itself. It is also possible to never require a password for sudo and I'm sure this feature is used more than it should be.
As pointed out by commenter Joe, malware on unix can still wipe out your data without root privileges.
A good sudo configuration and regular backups are a more general and cost-effective solution than any Antivirus.
Sam on December 13, 2007 05:14 AM
@Sam
By default, sudo will tie its password timeout to a given tty, so a malware that's daemonized or running from a user's crontab probably won't be able to use it. It's possible to configure it less securely, and there are sometimes good reasons to, so you're right in general.
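Sam's `$HOME/bin/apt-get` example and Cowherd's reply are about the same thing: a command the user believes resolves to the system copy but is actually found earlier in `$PATH`, in a directory the user (and therefore anything running as the user) can write to. The block below is an added audit script, not code from either commenter: it walks a PATH in lookup order and reports commands that a trusted directory provides but an earlier untrusted entry shadows, plus untrusted entries the current user can write to (an empty entry, meaning the current directory, counts as untrusted). The trusted-directory list and the layout built by `demo()` are assumptions; `demo()` constructs its directories with `tempfile` so it runs offline.

```python
"""Added example (not from the commenters): audit a $PATH for the
"$HOME/bin/apt-get" trick described above. It reports commands that are
provided by a trusted system directory but would actually be resolved from
an earlier, untrusted entry, plus untrusted entries the current user can
write to. The directory layout used in demo() is constructed with tempfile."""
import os
import tempfile
from typing import Dict, List, Tuple

SYSTEM_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin")  # assumed trusted roots


def _executables(directory: str) -> List[str]:
    """Names of regular, executable files directly inside directory."""
    try:
        names = os.listdir(directory)
    except OSError:
        return []
    return [n for n in names
            if os.path.isfile(os.path.join(directory, n))
            and os.access(os.path.join(directory, n), os.X_OK)]


def find_shadowed_commands(path_entries: List[str],
                           trusted_dirs=SYSTEM_DIRS) -> Dict[str, Tuple[str, str]]:
    """Walk PATH in lookup order. Return {command: (untrusted_dir, trusted_dir)}
    for every command that a trusted dir provides but an earlier untrusted
    dir also provides, i.e. what the shell would really run."""
    trusted = {os.path.realpath(d) for d in trusted_dirs}
    first_untrusted: Dict[str, str] = {}   # command -> earliest untrusted provider
    shadowed: Dict[str, Tuple[str, str]] = {}
    for entry in path_entries:
        # An empty entry (or ".") means "the current directory", which is
        # writable by whoever put files there; treat it as untrusted.
        d = os.path.realpath(entry or ".")
        for name in _executables(d):
            if d in trusted:
                if name in first_untrusted and name not in shadowed:
                    shadowed[name] = (first_untrusted[name], d)
            else:
                first_untrusted.setdefault(name, d)
    return shadowed


def writable_untrusted_entries(path_entries: List[str],
                               trusted_dirs=SYSTEM_DIRS) -> List[str]:
    """PATH entries outside the trusted set that the current user can write
    to; a file dropped there is picked up on the next command lookup."""
    trusted = {os.path.realpath(d) for d in trusted_dirs}
    out = []
    for entry in path_entries:
        d = os.path.realpath(entry or ".")
        if d not in trusted and os.path.isdir(d) and os.access(d, os.W_OK):
            out.append(entry or "(empty entry = cwd)")
    return out


def demo(user_bin_first: bool = True) -> Dict[str, Tuple[str, str]]:
    """Constructed layout: a 'system' bin holding apt-get and ls, and a user
    bin holding a look-alike apt-get. Returns the shadowing report for a
    PATH that puts the user bin first (the risky order) or last."""
    with tempfile.TemporaryDirectory() as root:
        sysbin = os.path.join(root, "usr", "bin")
        userbin = os.path.join(root, "home", "alice", "bin")
        os.makedirs(sysbin)
        os.makedirs(userbin)
        for d, names in ((sysbin, ("apt-get", "ls")), (userbin, ("apt-get",))):
            for n in names:
                p = os.path.join(d, n)
                with open(p, "w") as f:
                    f.write("#!/bin/sh\n")   # constructed placeholder script
                os.chmod(p, 0o755)
        path = [userbin, sysbin] if user_bin_first else [sysbin, userbin]
        return find_shadowed_commands(path, trusted_dirs=(sysbin,))


if __name__ == "__main__":
    print("risky order:", demo(True))
    print("safe order :", demo(False))
    real_path = os.environ.get("PATH", "").split(os.pathsep)
    print("writable untrusted PATH entries on this box:",
          writable_untrusted_entries(real_path))
    print("shadowed commands on this box:", find_shadowed_commands(real_path))
```

Putting `$HOME/bin` at the end of `$PATH` rather than the front removes the shadowing without giving up the convenience, and on the sudo side Cowherd's point about per-tty timestamps is the `tty_tickets` behaviour in sudoers; setting `Defaults timestamp_timeout=0` there makes sudo ask for the password every time, which closes the timing window Sam describes at the cost of the convenience he mentions.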
Cowherd on December 13, 2007 05:41 AM
> Anyway instead of leaving my comments on the issue, I thought I'd blog
> about it too!
But I'm not reading your blog - I'm reading this one.
Dave on December 13, 2007 05:42 AM
"Learn to use the Internet." - that's arrogant and naïve, WurdBendur. All it takes is one compromised banner ad server serving a surf-by exploit, and bang - you're dead. You don't need to be surfing pr0n sites or downloading warez.
Remember that the problem here isn't to keep power++users, programmers, and *u*x living-in-parent's-basement geeks free from viruses. It's keeping the average Joe safe.
f0dder on December 13, 2007 06:45 AM
I think we have a lot of people bashing Vista who have never run it.
Reggada holds up Unix-based systems as better because if users try to do something that requires admin privileges, it fails, then you can run it again with sudo to give it admin privileges if you choose. I fail to see how this is better than Vista detecting the app wants to do admin stuff and asking if it should be allowed. Is it better because it's harder?
That plays into the comment that Vista's UAC accomplishes nothing but CYA for Microsoft because it lets them say they warned people. Well, they DID warn people, so their A should be C'ed.
Do you think the Unix approach would make much difference to computer-illiterate people? They simply won't be able to do certain things until a computer-literate person tells them how to run sudo, then the lesson they'll take from that is if something gives them an error use this magic sudo program to fix it. They'll share with all their friends. Hell, they'll probably just start running EVERYTHING with sudo and share THAT trick with all their friends.
Allen says he'd love if his Windows computer worked like his Ubuntu computer, which just has a popup asking for an admin password when he installs something. Vista's UAC will do that if it is a normal user account or will simply ask for an OK if it is an admin account.
I think what people fail to understand about Vista's UAC is that for the most part it is meant to transition us to apps that work correctly. Once I settled into my PC where I wasn't installing things frequently, and once I got updates to several of my apps, I hardly ever see the UAC prompt. I wonder if the people talking about every app actually run Vista or if they picked up this impression from the Mac commercials. If you are getting an annoying number of UAC prompts, then you probably have a bunch of apps that need to be fixed. This is the exact kind of bad app that people are complaining about, so you'd think they'd be happy that the app essentially gets a badge of shame (the UAC prompt) plastered on it at every startup.
"Do you think the Unix approach would make much difference to computer-illiterate people? They simply won't be able to do certain things until a computer-literate person tells them how to run sudo, then the lesson they'll take from that is if something gives them an error use this magic sudo program to fix it. They'll share with all their friends. Hell, they'll probably just start running EVERYTHING with sudo and share THAT trick with all their friends."
Continuing this line of thought, I think it boils down to telling Grandma that she is to answer "no" to this prompt (or not run sudo or whatever), always, unless she is sure it is something that is OK to run.
I tend to be more on the side of not requiring much expertise from the typical users, because some of these "how to keep yourself safe" lists are ridiculous, but this is one place where the line has to be drawn. Sorry, Grandma, but if you allow everything or whitelist everything then you're on your own.
Bob on December 13, 2007 08:58 AM
I don't agree with you.
- They do work. I downloaded kaspersky internet security and ran it. It found a lot of crap on my computer.
- Just because they don't catch every single piece of malware doesn't mean they suck. Catching most of the malware is much better than catching nothing. Plus how would you know if it doesn't catch everything unless you know you planted malware and your AV software didn't recognize it?
- Some of the AV slow down your machine considerably. Find one that doesn't. Scan your machine when you're not using it. That makes good use of its idle time. I run backups and scanning when I am sleeping.
- You personally have a fast machine. Does AV software really slow your machine considerably?
- AV software does not replace your security and safeguards. It complements them. If you depend on it to give you a false sense of security, it's your fault, not the software's. An automatic shifting car makes it easier for you to drive, it doesn't teach you how to drive or drive your car. AV software helps you against malware.
Abdu on December 13, 2007 09:40 AM
A decent article on antiviral security is here: http://searchsecuritychannel.techtarget.com/tip/0,289483,sid97_gci1247943,00.html
Gary on December 13, 2007 09:50 AM
"They do work. I downloaded kaspersky internet security and ran it. It found a lot of crap on my computer."
So the intrusion detection finally waved the red flag? Great. Congratulations.
Now, let me guess, what do you do? Let this snake oil software remove all the stuff it found, and continue running the already compromised machine?
Ignorance is bliss. *shrug* - Still, just having this warm fuzzy feeling inside your belly now does not change the fact that your machine is owned by someone else already.
Vinzent Hoefler on December 13, 2007 10:29 AM
Only one person seems to have mentioned vaccinations. Which is kind of what antiviral software is like. They don't guarantee every individual is safe from the disease, but rather that the one disease can't damage the whole of society. If antiviral software wasn't around, then all those ancient viruses it can detect might still be floating around. But with near 100% "inoculation", the "disease" is gone.
So the stuff is useful, but not at the extreme level to which it has been taken.
Additionally, the key security insight which both Windows and Unix developers need, is that their software should be developed with no more expectation of security privileges than is actually necessary to accomplish the task.
Windows developers (and users) are still used to doing everything as admin. Whereas every introductory text on Unix administration says "don't do any more as root than is necessary." That little line in the books is what gives Unix the advantage. Even if the end users don't take it to heart, the Unix software engineers do, and that goes a long way.
(Unix also has available to it "chroot". No idea if that is available in Windows, but it would eliminate many, if not most of the "rm -rf $HOME" concerns being mentioned. Right as soon as the Unix software engineers readjusted their thinking to expect chroot jails for their software.)
Jay Kominek on December 13, 2007 11:50 AM
Although I agree with your point(s), running as a "normal user" under Vista is really unbearable if you do anything more than listen to some music or tap in some documents. All sorts of software will not work anymore (to name one, HDD Thermometer, which I downloaded after this post: http://www.codinghorror.com/blog/archives/000748.html). Even running as administrator doesn't cure everything. For example, there is no way I can download a file over direct connect using DC++ when I am not an administrator.
Now this can be Vista's fault, or the fault of other software vendors, but in the end, I'm semi-forced to be an administrator...
Still, not being an idiot and not running IE and/or MSN does help a lot...
Leo on December 13, 2007 12:00 PM
Jeff, here's my response: http://weblogs.asp.net/jgalloway/archive/2007/12/13/why-codinghorror-is-horribly-wrong-about-blacklists-and-virus-scanners.aspx
"So, in the end, perhaps I should apologize to Jon."
So... I'm waiting... :-)
I look forward to seeing you Monday, and I promise not to sneak a virus onto your totally unprotected computer.
Jon Galloway on December 13, 2007 12:21 PM
I am with you. Only idiots get viruses.
Josh Stodola on December 13, 2007 12:44 PM
Ever think that maybe some of the folks injecting viruses into the community may be actually "employed" by some of the major anti-virus companies?
It brings me back to an old Charlie Chaplin skit where he is a window replacement salesman and he pays a street kid a few cents to go throw rocks in windows right before he makes his pitch...
Let's not be naive about their intent, and most of all, just be smart in how you guard your computer. With proper precautions you can completely protect your computer from malware.
Mark on December 13, 2007 01:55 PM
@Mark
Read about the Storm virus (virus+worm+trojan, etc.). It's not created by AV companies, it's created by people who are intent on using malware to steal.
Very nice article.
But what do you think should be done? It's fine to shoot down something that doesn't work. But what does work?
Nate Peck on December 13, 2007 05:29 PM
I've been reading CH for a long time, possibly most of its existence. I have to say, this has been one of the best posts I have ever read. And the sheer fact of the matter is, it all makes too much sense to me now. I think I have spent too much time messing with what I will now have to refer to as the black list of doom. And I should have been spending my time focusing on the hardware and software of recovery. I'm glad I'm young, as I would have felt like I spent too much time on it if I were 10, 20 or 30 years further on. It's still something I don't wish to admit really. I gotta thank you.
On another note, and I don't know that this is the place for it, but my library runs a newsle