I hate anti-virus.
There, I said it. And it felt good.
For many years, I chose not to use AV on my personal systems, choosing vigilance about my downloads, e-mail attachments, and application and OS updates over relying on a third-party solution to keep me free from infection.
However, once drive-by-downloads and hijacked Websites became more prevalent, I lost faith in my ability to avoid such covert trouble. I caved in and installed AV on most of my systems, and began a journey of frustration and lost productivity.
We all know that security solutions are typically major resource hogs. I suspect that, with the exception of desktop virtualization software, security suites have been the biggest beneficiary of the rapid increase of CPU cores and available memory on the average recent-model computer. I’m somewhat surprised that some software suite hasn’t tried to reserve an entire CPU core for its own use yet.
But beyond that obvious complaint, over and over, I find that security suites are the buggiest, most troublesome applications on my systems. I’ve spent innumerable hours nursing these “solutions” along, working around them, fixing them, reinstalling them.
The problems are still fresh in my mind: There was that time a Panda signature update killed my network connection until I uninstalled the software. And that other time when Trend Micro’s software kept telling me to get my parents’ permission to view every single Website I went to, even though parental controls were turned off. Kaspersky’s suite caused downloads that should only take 2 minutes to take 20 instead, and BitDefender would not let TiVo Desktop download from my DVR. And don’t even get me started on the time a Symantec vulnerability opened the door for a crippling worm to get into the network.
Ah, good times.
I’m leaning toward forging ahead without AV again once Windows 7 comes out. Win 7 improves on and streamlines security measures already baked into Windows operating systems.
With Vista, I operate my desktop under the principle of least privilege, which requires me to input my administrator credentials when making any changes to the system. I feel pretty good already about the security that measure affords, particularly when I read things like this Beyond Trust white paper, which states that 92 percent of Microsoft vulnerabilities can be mitigated by running with reduced privileges. In essence, most malware operates with the rights of the user; if the user can’t write to %System% or %Program Files% directories, then neither can the malware, blunting its ability to stay resident after a reboot.
Of course, that still leaves 8 percent. But that’s better than 58 percent-the percentage of malware detections ScanSafe claims are zero-day threats that would be missed by signature-based security detections-but still not perfect. Under least privilege, there remains the chance for malware to run in user space and perform some privilege escalating attack.
Thankfully, some Windows 7 SKUs-Enterprise and Ultimate-include a complementary technology called application whitelisting. Known as AppLocker in Windows parlance, application whitelisting takes the opposite approach of signature-based malware detections. Instead of blocking bad code from running, whitelisting allows only known (presumably good) code to run. If not explicitly permitted, code shouldn’t run at all.
I’ve been using AppLocker on my main Windows 7 desktop in the lab since the RC launched a few weeks ago, and I have to say, I usually can’t even tell the difference (which is a good thing). I set the feature with the stock default rules-Users can run only applications housed in the Windows or Program Files directories, while Administrators can run anything from anywhere-and applied these rules to executables, installers and scripts.
Since my limited rights user account already cannot write to either of those directories without entering an administrator’s credentials (due to least privilege), I find I haven’t needed to change my computing habits very much at all. Sure, instead of double-clicking on a downloaded application and entering my admin credentials in a UAC pop-up box to install something, I now need to right-click the package to Run As Admin instead. But that’s really a different avenue to the same end result.
Whenever I am on hold, I like to randomly click on downloaded packages, just to see if they somehow escape AppLocker’s control. To date, I’ve found only one executable that would launch from a nonauthorized location in the file system. That executable-the update engine for an Award BIOS-escapes AppLocker protection, and I’m not sure why. So I know this solution isn’t perfect, but what is?
As I get more comfortable with AppLocker, I expect I will fine-tune the rules further down the road, taking advantage of Windows 7’s ability to approve code based on hash or application signing certificates. This hopefully will tighten things up further without getting too onerous.
Of course, I also recently bought a MacBook, so maybe by the time Windows 7 comes out, none of this will matter to me.
Senior Analyst Andrew Garcia can be reached at [email protected]