Anti-virus systems: can't live with them, can't live without them. But that may all change with Windows 7, which improves on and streamlines security measures already baked into Windows operating systems.
I hate anti-virus.
There, I said it. And it felt good.
For many years, I chose not to use AV on my personal systems, choosing
vigilance about my downloads, e-mail attachments, and application and OS
updates over relying on a third-party solution to keep me free from infection.
However, once drive-by-downloads and hijacked Websites became more
prevalent, I lost faith in my ability to avoid such covert trouble. I
caved in and installed AV on most of my systems, and began a journey of
frustration and lost productivity.
We all know that security solutions are typically major resource hogs. I
suspect that, with the exception of desktop virtualization software, security
suites have been the biggest beneficiary of the rapid increase of CPU cores and
available memory on the average recent-model computer. I'm somewhat
surprised that some software suite hasn't tried to reserve an entire CPU core
for its own use yet.
But beyond that obvious complaint, over and over, I find that security
suites are the buggiest, most troublesome applications on my systems. I've
spent innumerable hours nursing these "solutions" along, working around them,
fixing them, reinstalling them.
The problems are still fresh in my mind: There was that time a Panda
signature update killed my network connection until I uninstalled the software.
And that other time when Trend Micro's software kept telling me to get my
parents' permission to view every single Website I went to, even though
parental controls were turned off. Kaspersky's suite caused downloads that
should only take 2 minutes to take 20 instead, and BitDefender would not let
TiVo Desktop download from my DVR. And don't even get me started on the time a
Symantec vulnerability opened the door for a crippling worm to get into the
Ah, good times.
I'm leaning toward forging ahead without AV again once Windows 7 comes out.
Win 7 improves on and streamlines security measures already baked into Windows
With Vista, I operate my desktop under the principle
of least privilege, which requires me to input my administrator credentials
when making any changes to the system. I feel pretty good already about
the security that measure affords, particularly when I read things like this Beyond
Trust white paper
, which states that 92 percent of Microsoft
vulnerabilities can be mitigated by running with reduced privileges. In
essence, most malware operates with the rights of the user; if the user can't
write to %System% or %Program Files% directories, then neither can the malware,
blunting its ability to stay resident after a reboot.
Of course, that still leaves 8 percent. But that's better than 58 percent-the
percentage of malware detections ScanSafe
are zero-day threats that would be missed by signature-based
security detections-but still not perfect. Under least privilege, there
remains the chance for malware to run in user space and perform some privilege
Thankfully, some Windows 7 SKUs-Enterprise
and Ultimate-include a complementary technology called application
whitelisting. Known as AppLocker in Windows parlance, application
whitelisting takes the opposite approach of signature-based malware
detections. Instead of blocking bad code from running, whitelisting allows
only known (presumably good) code to run. If not explicitly permitted,
code shouldn't run at all.
I've been using AppLocker on my main Windows 7 desktop in the lab since the
RC launched a few weeks ago, and I have to say, I usually can't even tell the
difference (which is a good thing). I set the feature with the stock
default rules-Users can run only applications housed in the Windows or Program
Files directories, while Administrators can run anything from anywhere-and
applied these rules to executables, installers and scripts.
Since my limited rights user account already cannot write to either of those
directories without entering an administrator's credentials (due to least
privilege), I find I haven't needed to change my computing habits very much at
all. Sure, instead of double-clicking on a downloaded application and
entering my admin credentials in a UAC pop-up box to install something, I now
need to right-click the package to Run As Admin instead. But that's really
a different avenue to the same end result.
Whenever I am on hold, I like to randomly click on downloaded packages, just
to see if they somehow escape AppLocker's control. To date, I've found only one
executable that would launch from a nonauthorized location in the file
system. That executable-the update engine for an Award BIOS-escapes
AppLocker protection, and I'm not sure why. So I know this solution isn't
perfect, but what is?
As I get more comfortable with AppLocker, I expect I will fine-tune the
rules further down the road, taking advantage of Windows 7's ability to approve
code based on hash or application signing certificates. This hopefully will
tighten things up further without getting too onerous.
Of course, I also recently bought a MacBook, so maybe by the time Windows 7
comes out, none of this will matter to me.
Senior Analyst Andrew Garcia can be reached at firstname.lastname@example.org.