Blacklists Don't Work

I think Josh’s comment is on the right track. Jeff, your claim that not running as an administrator magically makes the user invulnerable to viruses is just plain wrong. There are whole categories of attacks (Josh mentions most of them: DDOS, data loss/corruption, e-mail, etc.) that running as regular user will absolutely not protect against.

How about this: you convince users that antivirus software is worthless, and I’ll write a virus that scans through a user’s documents and web cache looking for credit card information, SSNs, and other personal information and then e-mails it to myself using a webmail system, all of which can be done without elevation in a non-admin account on a reasonably-configured system. We’ll split the proceeds 50/50.

Disappointingly naive.

Can we switch to whitelists? They seem to be much more reliable in security. Of course, they don’t scale up very well, but for desktops they don’t have to.

I mean, let the system do an md5 hash of each executable (DLL / etc. as well) I install and then warn me if something runs that’s outside of that list. Then I can add it to my whitelist or deny.

I don’t install / upgrade software too often.
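The hash-based whitelist this comment sketches, as an added example (not code from the thread or from any product mentioned in it): a baseline pass records a digest for every installed executable, anything whose digest is not on the list triggers an allow-or-deny prompt, and an approved digest is remembered. File names, contents and the prompt callback are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path

# Added example, not code from the thread: a per-user execution allowlist keyed
# on file digests. The comment says MD5; SHA-256 is used because MD5 collisions
# are practical, so two different binaries could share one allowlist entry.
HASH_ALGO = "sha256"
def file_digest(path):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.new(HASH_ALGO)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_allowlist(root, suffixes=(".exe", ".dll")):
    """Baseline pass: record digest -> path for every executable under root."""
    return {file_digest(p): str(p) for p in Path(root).rglob("*")
            if p.is_file() and p.suffix.lower() in suffixes}

def decide(path, allowlist, user_approves):
    """'allow' if the digest is known; otherwise prompt and either remember the
    digest or 'deny'. A modified binary has a new digest, so it is unknown."""
    digest = file_digest(path)
    if digest in allowlist:
        return "allow"
    if user_approves(path):
        allowlist[digest] = str(path)
        return "allow"
    return "deny"

def demo():
    """Constructed scenario: baseline, then a new download and a tampered DLL."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "editor.exe").write_bytes(b"MZ editor v1")
        (root / "codec.dll").write_bytes(b"MZ codec v1")
        allow = build_allowlist(root)
        (root / "dancing_kitty.exe").write_bytes(b"MZ unsolicited download")
        (root / "codec.dll").write_bytes(b"MZ codec v1 + injected code")
        deny, approve = (lambda p: False), (lambda p: True)
        return {
            "editor": decide(root / "editor.exe", allow, deny),
            "kitty_denied": decide(root / "dancing_kitty.exe", allow, deny),
            "kitty_approved": decide(root / "dancing_kitty.exe", allow, approve),
            "kitty_again": decide(root / "dancing_kitty.exe", allow, deny),
            "tampered_codec": decide(root / "codec.dll", allow, deny),
        }
```

Note that the tampered DLL is caught by the same rule as a brand-new download: the list is keyed on content, not on path, so a familiar name buys nothing.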

Spam in email has been largely defeated by Bayesian spam filters.

That’s at odds with the article, which says:

“Spammers register dozens of new domains each day; you can’t possibly keep up with them. They’re bigger and smarter and faster than you. It’s an arms race, and you’ll lose, and along the way there will be casualties, massive casualties as innocent bystanders start getting blacklisted.”

Which is it? Is there a spam problem, or has it been largely defeated or are both statements true?

I would love if my Windows box worked the way my Ubuntu test box worked (unfortunately, I ended up with just enough gam… I mean, “applications” that were Windows only to make the switch).

You install software, a nice popup asks for the admin password. Took three seconds to type it in, and that is small change in the usual download-unpack-install-configure process.

The point is that a virus can’t set itself up to run every time you boot windows, in a really nasty and hard-to-get-rid-of way, unless you’re running as admin.

Do this, on a Windows Machine (ALL of this):

http://forums.tweaktown.com/showthread.php?s=8c20469080ebaac688073e175d7aa796t=25596

You won’t get any viruses/spyware, period, if you do the CIS Tool test, practice some common sense and be smart!

APK

P.S.= It’s HOW to secure Windows 2000/XP/Server 2003, yes, EVEN VISTA (via principles used) really… No virus/spyware etc. here, same setup since 2002-2003… apk

“Like Mark, blacklists make me angry.”

Mark makes you angry? :slight_smile:

It doesn’t matter. What prevents a virus from running “rm -rf $HOME/*”? Most users will store their data in their home directory, as I do on my Unix machines (OS X and Linux). I don’t do chgrp on my data because I need to access it and I don’t want to have to enter passwords for my data each time I access it.

It’s a lost cause and a virus scanner is the only tool that will prevent a fair bit of the available viruses.

While this is a bad way of thinking, are system resources at that much of a premium anymore? This more than anything else is the cause of the AV bloat I see. And at least some companies are addressing that speed issue for real-time scanning.

As for the full system scans, run them overnight, or while you are out. It’s the same with any system resource intensive maintenance.

But, I would love to see whitelists for AV programs. Move to the deny all except those allowed explicitly to run, and poof most AV software is no longer needed. If the program changes, it asks again for permission, but none of this constant Cancel/Allow stuff.

Sounds like my firewall…

So all those times my antivirus scanned my PC and used all my resources, it had a to-do list? Software that does not work = crap and should be treated as such. If you are worried about your data and maybe backing up isn’t enough for you, then:
1. Get yourself an external hard drive (a big one) or an 8GB (or more) pen drive. NB: this storage device is only for backing up and nothing else; DO NOT use it to transfer files.
2. Every day after work make archives (using WinRAR) of your data and store them on your HD or pen drive.
3. Repeat step two (2) every day and you should be fine.

I would imagine almost everyone reading this post could live pretty well without AV software. But we’re not the ones who cause a considerable amount of collateral damage through our foolishness.

Imagine your small office, maybe a local real estate agent or your dentist, with no real IT supervision, people install whatever cute dancing kitty thing on their PCs, and get suckered into who knows what. They’re the ones who need oversight and discipline, and yet are the least available to help themselves in that respect.

As for old viruses, they’re not gone. I still get old viruses attached to e-mails in my inbox. For me, having AV software installed is like driving defensively on the turnpike. I try to be more aware because I know there are other morons who are drunk, falling asleep, on the cellphone, whatever. I have AV on my machine because it’s valuable to me, and I know there are idiots out there who I have to interact with who don’t have AV.

I run as an administrator every day, and the ONE time I’ve gotten a virus in about the last two years was when somebody used my computer and downloaded a codec somewhere that carried the nasty bugger right in through it. Here’s the kicker, I was running anti-virus, and it didn’t do a damn thing to stop or remove the virus. I had to manually diagnose and remove the virus from my system.

The lesson I come away from that with is very simple. If you work intelligently on your computer, install updates, don’t open suspect e-mails, and only download from trusted sources, then you won’t have a problem. The only way someone can sneak past those defenses is with some sort of aggressive network attack, and that’s what the firewall is for.

The vast majority of people who I see with viruses have them because they’re doing something horribly stupid on their computer, like running the bane of my existence, LimeWire. I have yet to find one person who ran LimeWire on a Windows system and came away virus-free. My roommate, who also runs anti-virus, caught a virus a few weeks ago, and when I took a look at his computer I found a LimeWire shortcut and handed it back to him. I told him to just back up his music, wipe the computer, and never run LimeWire again.

Anti-Virus computers worked well something like 10+ years ago. Back before you had every Eastern European kid with a laptop and 10 minutes writing some new exploit about once a week. Now, they’re nothing more than a “warm and fuzzy” for users who don’t really know how to protect themselves.

I absolutely agree with the tone of this post. I haven’t used an antivirus for quite a few years now, and life is beautiful.

After I read your earlier post about performance issues caused by antiviruses, I wrote a short story that explains how to live without an antivirus: http://www.lazybit.com/index.php/a/2007/08/05/why_i_dont_use_an_antivirus

Blacklists should be replaced with whitelists - each user has their own list, and maintain it themselves, so that they don’t depend on a vendor (who can require fees for each update). This is bad news for antivirus companies, because users don’t depend on them anymore.

Once I whitelist all the programs I use, I don’t care about all the other programs out there. While the number of threats is infinite, the number of programs I run is finite - so I won’t bother trying to count the uncountable, and focus on the countable instead.

Blacklists didn’t USED to work.

They do now.

Most of the spam that gets through my Gmail spam filters nowadays, however, is from “legitimate” marketers with real email addresses. Conde Nast/Gourmet are among the very worst, but SONY is another bad actor.

Blacklists work very well for these senders.

It is ironic that a decade after they became obsolete blacklists are back again.

I saw one other comment mentioning this, but I thought it was an important enough point to bring up again. You’re correct in saying that signature based virus and malware detection is nearly pointless, however there is another option.

BEHAVIORAL based detection. Instead of trying to classify threats based on signatures you already have, it is cheap and almost trivial to classify a process as harmful by what it is trying to actually do to your system.

This isn’t the same as Vista’s UAC where a user would be asked about every action. This involves observing normal use of the system to develop a set of rules for what certain programs should and shouldn’t be allowed to do. With these rules set up correctly, protection is nearly transparent to the user, I’ve seen it done.
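A minimal version of the rule-learning approach this comment describes, added here as an example and not code from the thread or from any product: per-program (action, target) pairs are learned from an observation period, and only live events that fall outside them are flagged. Program names, paths and event records are constructed for the example.

```python
from collections import defaultdict

# Added example, not code from the thread: behaviour rules learned from an
# observation period, then applied to live events. Event tuples are
# (program, action, target) and are constructed for this example.
BASELINE = [
    ("calc.exe", "read_file", "C:/Users/me/Documents"),
    ("calc.exe", "write_file", "C:/Users/me/Documents"),
    ("calc.exe", "set_priority", "self:below_normal"),  # lowers its own priority
    ("browser.exe", "connect", "tcp:443"),
    ("browser.exe", "read_file", "C:/Users/me/Downloads"),
    ("browser.exe", "write_file", "C:/Users/me/AppData/cache"),
]

def learn_rules(events):
    """Observation phase: the set of (action, target) pairs seen per program."""
    rules = defaultdict(set)
    for prog, action, target in events:
        rules[prog].add((action, target))
    return rules

def allowed(rules, prog, action, target):
    """Normal if this program did this action on this target, or on a directory
    above it, during observation. Unobserved programs have no rules at all."""
    for seen_action, seen_target in rules.get(prog, ()):
        if seen_action != action:
            continue
        if target == seen_target or target.startswith(seen_target + "/"):
            return True
    return False

def audit(rules, events):
    """Enforcement phase: return only the events that break the learned rules."""
    return [e for e in events if not allowed(rules, *e)]

LIVE = [
    ("calc.exe", "set_priority", "self:below_normal"),  # learned, so not flagged
    ("calc.exe", "read_file", "C:/Users/me/Documents/q3.xls"),
    ("calc.exe", "connect", "tcp:25"),  # spreadsheet talking SMTP: never seen
    ("browser.exe", "write_file", "C:/Users/me/AppData/cache/x.tmp"),
    ("browser.exe", "write_file", "C:/Windows/System32/drv.sys"),  # never seen
    ("unknown.exe", "read_file", "C:/Users/me/Documents"),  # no rules at all
]

def flagged_live_events():
    """Run the audit on the constructed live events (for the test and reader)."""
    return audit(learn_rules(BASELINE), LIVE)
```

Because the baseline recorded calc.exe lowering its own priority, that action is not flagged; a rule set that never observed it would raise exactly the kind of false positive the Kaspersky anecdote later in this thread describes, which is why the observation period has to cover the program’s normal behaviour.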

Stupid Kaspersky group scheduled scan runs all day every day at work!

Man does it suck!!!

I don’t run any AV on my computers at home because I think the overall chance of getting a virus is low. If you pay attention to what you’re and what you’re opening, then you’ll be fine. There are exceptions, of course, but overall that thinking has worked well for me.

And part of me thinks AV software is just a scam that feeds off people’s fear and paranoia of technology. My father is into his 60s now and has a great fear of his computer, even though he’s been using one for almost 20 years now. He won’t NOT run AV software no matter what I say, but then he also bitches when his computer starts dragging ass because the AV is running in the background.

If you do feel you need AV, then you can’t bitch about your computer dogging at boot-up and when things load and open.

The thing that Vista does with trimmed and normal tokens is as good as running as non-admin for most users. (My sister is an exception. She has to be kept as a regular user lest she download and install some spyware-laden program in order to download music.)

Elevation is implemented pretty well. Since I fully set up my box I had to elevate privilege at most once a week, so it’s not a giant pain in the ass as some depict it.

But let’s talk about threats: What’s happening right now is either turning PCs into botnets or phishing for financial details. Both are done wholesale and not on an individual basis. It’s very rare that somebody is after your data.

Regarding the probability of ignorant users becoming parts of botnets, it’s only a question of time until trojan authors start checking whether the process they have hijacked has admin privileges and then install under the user’s startup folder instead of getting into the machine startup.

With regards to financial details the situation is much better. Create a separate account for logging into your bank. If both your normal account and the separate account are not admins, the chances of you getting hit by something are minimal.

Dejan

It’s interesting that you mention Kaspersky. This last week, their heuristic detection mechanism (whatever trade name they call it) started picking up our company’s software as “suspicious activity” and quarantined our main executable. Fantastic. After some analysis, it turned out that the activity it was picking up as suspicious was a process priority reset from Normal to Below_normal, which we do to prevent long running, ~10 minute, calculations from tying up the CPU bandwidth and degrading performance for short running, ~2-5 second, calculations. A bit over aggressive on the part of the AV, if you ask me.