Choosing Anti-Anti-Virus Software

Now that Windows Vista has been available for almost a month, the comparative performance benchmarks are in.


This is a companion discussion topic for the original blog entry at: http://www.codinghorror.com/blog/2007/02/choosing-anti-anti-virus-software.html

Windows had originally followed the well-worn UNIX convention of separating standard users from privileged administrators.

There has to be somebody out there besides me that understands why Windows did this. Anybody?

You don’t even need VMs for family members, separate OS installs will work too. In fact, for anyone into hard gaming, or almost anything using DirectX really, VMs are essentially a non-choice. (At least until the next generation of designed-for-VM hardware comes out; I understand ATI’s DX10 card will have some support.) For someone who just wants myspace or a compiler, VMs are a great solution.

Just give them useful names on the OS selection screen, and use passwords to back that up.

I personally feel that the place for anti-virus is the firewall. Although it can’t stop all infection routes, it can handle the most common (direct files, zips, rars, bad html) with aplomb. My only issue with Fortinet’s implementation is that it won’t do Samba A/V. You can even get it on junker Linksys with user-developed firmwares, although you have to be a unix whiz to get it working well.

One more thing I always disabled on XP was the System Restore. All it did was take up time and space and I never once had an occasion to use it.

Some people swear by System Restore, but it’s really just a poor man’s virtualization.

http://support.microsoft.com/kb/306084
http://windowshelp.microsoft.com/Windows/en-US/help/517d3b8e-3379-46c1-b479-05b30d6fb3f01033.mspx

And to be fair, most uses of System Restore are legitimate; it’s due to a botched third-party driver install, which would hose ANY operating system. I just don’t like it because it’s invasive and incomplete. But in the right circumstances it is better than nothing (and it beats doing an in-place reinstall of the OS).

understands why Windows did this

Enlighten us. I think it’s due to the endless backwards compatibility. Vista couldn’t use regular user accounts because it had to be compatible with software for XP, which in turn had to be compatible with software for Win98 and NT4, which in turn had to be compatible with software for Windows 3.1, which in turn had to be compatible with software for DOS 6.22, and so forth, and so on, ad nauseam.

http://www.joelonsoftware.com/articles/APIWar.html

Sometimes I think this backwards compatibility stuff (e.g., the Raymond Chen camp referenced in the above Spolsky article) is hurting us more than it helps. Of course, the minute that MS creates an OS which doesn’t bend over backwards to run the crappiest of crappy, ancient Win31 apps, journalists and users have a field day with complaints about how “Windows doesn’t work with my software”. Microsoft can’t win.

Well, unless they choose the virtualization strategy. Then they win, because every bit of software is locked in a VM time capsule and is perfectly compatible.

Improved band-aid:

Seems like antivirus software wouldn’t have to be so slow if the OS was careful about marking files as executable or non-executable. Non-executable data files would never be examined. Executable files would be examined, as would non-executables made executable. Applications with data files with embedded executables (e.g. Word documents) would not run scripts unless the file was marked executable. If there was that sort of boundary, disk access could suffer less.

Solution:

Personally, I like the OLPC approach. Apps run in separate containers, and cannot affect each other without the user’s permission.

Hardware-based DEP can go a long way to help.

You seem to have been reading my mind lately Jeff. I gave up on anti-virus years ago when I did my own performance checks. I find it endlessly amusing that people will spend another 600 bucks to get a 10% improvement in cpu speed and then they go install an AV program and a software firewall (in addition to their perfectly good router firewall).

Get RAIDed 10k rpm Raptor hard drives and no AV and boot times are nearly bearable.

Wouldn’t it be easier/better to have virtual machines for each family member? And inside the VM they are running as standard, non-privileged users?

I’m all for virtual machines, but you can’t seriously believe that your family members are going to use a virtual environment inside of a regular one, do you? Just so you could keep them isolated? Seems a bit ridiculous.

Agreed. Is playing games a good idea on a virtual machine? Kids often play heavy games. But lower privileges aren’t really a solution either; some anti-cheat software needs admin privileges (lame, I know).

Hasn’t anyone heard of a multi-boot system or whatever it’s called? With something like Partition Magic you can divide your hard drive into partitions, and install a separate Windows on each drive. They can’t see each other. So you have a clean windows1 with password for mum and dad, and a windows2 for the kids. Kids (like me, I did it often enough…) can mess up whatever they want on their win2, parents don’t notice anything :smiley:

MS need to release an OS that has zero backwards compatibility, even if it is just for the MSDN and technet crowd for the next few years, and do it soon. Virtualisation will suffice for those old apps, if required.

Another perf boost: turn off Aero and go back to Windows standard. No more distracting animations, laggy menus and crappy menu highlighting contrast.

Every good IT administrator knows that they need to run users as standard instead of admin. I think 85% or so (Microsoft number) want to run users as Standard instead of Admin. About 15% do. Enough sidebar.

With the IT side of things, antivirus is more of the IT person covering themselves. I work IT, and I will throw a FIT if one of my users isn’t running antivirus. I don’t run anti-virus myself; it’s a waste of resources, as nicely proven by that article. However, if I get a virus, I just blame myself. If a user gets a virus, they blame me. Or, worse yet, they tell my boss to blame me, which ends in a job-losing situation. You really just want to cover all your bases. Even through intensive user education, there’s no guarantee that a user won’t open an .exe attached to an email. Even if you’ve been over it a hundred times before, it’s still your fault that there wasn’t antivirus on the machine.

Running antivirus is of course horrible, horrible, horrible performance degradation. Tons. However, from an entire business perspective, it works out. Machines now are costing less than they were in the past, which is a net savings. The extra horsepower available combined with antivirus software brings them to be about equal. The increase of speed a user would get from not running antivirus (which, sadly, most of them couldn’t use anyway) would NOT be more of a financial benefit than the four or five virus-removal helpdesk calls. As much as I couldn’t stand to see it on my own machine, the extra 30 seconds of load time every day for a user is validated and justified by the fact that I probably won’t have to spend three hours of my day backing up their files and de-virusing their machine. It may sound arrogant, but it just makes good business sense.

And since I’m already being pedantic, the definition of Trojan Horse software is not that it destroys your performance or productivity, the definition is that it’s hidden inside something else.

This is from the legend of the Trojan Horse, where soldiers hid inside a big wooden horse so they could get into the city of Troy.

And furthermore, “begs the question” means to presuppose that which one is trying to prove. You mean “raises the question”.

I hope that helps, have a nice day.

I don’t see how multi-boot helps at all. It may keep your kids from messing up YOUR stuff but they can still mess up their own (forcing you to constantly fix it).

Someone else pointed out that VM’s only work for this as long as you treat them basically as readonly. As soon as you start saving your important emails, Word documents, source code, etc. to them it is no longer feasible to just ball them up and throw them away.

The best answer is to use the OS the way it was actually intended to be used. The “run as a Limited/Standard user” drum continues to beat…

definition [of a Trojan Horse] is that it’s hidden inside something else.

Right, the complete destruction of your computer’s performance is hidden inside the illusory, incomplete promise of security offered by anti-virus software vendors.

It is hidden. If Symantec told people how much slower their computers would be after installing Norton Internet Security, they’d never let it inside the gates.

(the percentages were definitely wrong, though, so thanks for that correction)

Hey, I’m an engineer at VMware and a fan of your blog. Wanted to say that if you want to see unlimited undo in action, you should check out the new/experimental ‘record/replay’ feature in Workstation 6.0 (it’s in beta right now). You can turn on ‘recording’ for your virtual machine, and this gives you a continuous checkpoint of all state at the hardware level. You can then return to any previous moment in time exactly by ‘replaying’ the recording, and then hitting the ‘go live’ button during the replay at the moment you want to return to. You can also mix snapshots with continuous recording, if you want to checkpoint “known good states” to quickly return to.

As you can imagine, there are a lot of possibilities this opens up, particularly if you were to tie it in to guest level facilities like e.g. Windows System Restore, Windows Update and so forth.

The performance hit is quite serious but you can expect to see that improve as the hardware support for this feature shows up in the future.

An amusing aside is that the performance hit is actually smaller on some older Pentium chips due to peculiarities of the hardware that work out in our favor.

As soon as you start saving your important emails, Word documents, source code, etc. to them it is no longer feasible to just ball them up and throw them away

Well, I have a few thoughts on this

  1. use web-based document shares.

  2. Have a script that copies the contents of the \User\ folder to a quarantine folder on the host machine before destroying the VM. This is one scenario where you would want to run anti-virus software on demand to give the files a (reasonably) clean bill of health before letting them out of quarantine.

  3. Have a script that periodically and silently backs up the \User\ folder to a quarantine folder on the host. That way if something malicious destroys the file, you’ll have a ‘checkpoint’ on the host to roll back to. No need to virus-scan the files at this point, although I guess you could.

Also, there is “Application Virtualization” which unlike full-bore virtual machines only virtualizes away the disk access. Still a pretty decent solution since you can basically undo everything that any application has written to disk, ever, including its installation.

http://en.wikipedia.org/wiki/Virtualization#Platform_virtualization

Look under “application virtualization”. Just think of it as a magic layer between a particular application (it is per-app) and the disk.
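Items 2 and 3 above as a working script, added here as an example and not anything from the original post: it checkpoints the guest’s user folder into timestamped quarantine directories on the host with a hash manifest per checkpoint, diffs two checkpoints so you can see exactly which files something touched before you roll back, prunes old checkpoints, and only lets a checkpoint out of quarantine when a scanner hook passes every file. The shared-folder layout, the `scanner` hook (a placeholder for an on-demand AV call, not any real product’s API) and the demo’s sample files are assumptions, not from the page.

```python
"""Quarantine checkpoints of a guest's \\User\\ folder on the host.

Added example, not Jeff's own script; it models items 2 and 3 above.
Assumed (not from the page): the guest's \\User\\ folder is reachable from
the host as an ordinary directory (e.g. a VMware shared folder), the
quarantine root is on the host's own disk, and `scanner` stands in for
whatever on-demand AV check you run before letting files out.
"""
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path

MANIFEST = "manifest.json"

def relpaths(root: Path):
    """Regular files under root as (forward-slash relative path, Path), sorted."""
    for p in sorted(root.rglob("*")):
        if p.is_file():
            yield str(p.relative_to(root)).replace("\\", "/"), p

def build_manifest(root: Path) -> dict:
    """relative path -> sha256, so two checkpoints can be compared."""
    return {rel: hashlib.sha256(p.read_bytes()).hexdigest() for rel, p in relpaths(root)}

def list_checkpoints(quarantine_root) -> list:
    """Checkpoint dirs oldest-first (timestamp names sort lexically)."""
    root = Path(quarantine_root)
    if not root.exists():
        return []
    return sorted(p for p in root.iterdir() if (p / MANIFEST).exists())

def load_manifest(cp) -> dict:
    return json.loads((Path(cp) / MANIFEST).read_text())

def checkpoint(user_dir, quarantine_root, keep=5, stamp=None) -> Path:
    """Item 3: copy user_dir to quarantine_root/<stamp>/files, write a
    manifest, and prune so only the newest `keep` checkpoints survive."""
    dest = Path(quarantine_root) / (stamp or time.strftime("%Y%m%d-%H%M%S"))
    shutil.copytree(Path(user_dir), dest / "files")
    (dest / MANIFEST).write_text(json.dumps(build_manifest(dest / "files"), sort_keys=True))
    for old in list_checkpoints(quarantine_root)[:-keep]:
        shutil.rmtree(old)
    return dest

def diff_manifests(old: dict, new: dict) -> dict:
    """Files that appeared, vanished or changed between two checkpoints:
    the first thing to inspect when you suspect the guest was compromised."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(k for k in set(old) & set(new) if old[k] != new[k]),
    }

def release(cp, dest, scanner) -> list:
    """Item 2: copy a checkpoint out of quarantine only if every file passes
    scanner(path) -> bool.  Returns the files that failed; nothing leaves
    quarantine while that list is non-empty."""
    files = Path(cp) / "files"
    held = [rel for rel, p in relpaths(files) if not scanner(p)]
    if not held:
        shutil.copytree(files, Path(dest), dirs_exist_ok=True)
    return held

def demo() -> dict:
    """Constructed scenario, not real data: a tiny profile, three
    checkpoints; one file edited, one deleted, one .exe dropped."""
    tmp = Path(tempfile.mkdtemp(prefix="quarantine-demo-"))
    user, quar, out = tmp / "User", tmp / "quarantine", tmp / "released"
    (user / "Documents").mkdir(parents=True)
    (user / "Documents" / "report.doc").write_text("draft")
    (user / "notes.txt").write_text("v1")
    cp1 = checkpoint(user, quar, keep=2, stamp="20070201-000000")
    (user / "notes.txt").write_text("v2")             # edited in the guest
    (user / "Documents" / "report.doc").unlink()      # deleted in the guest
    (user / "dropper.exe").write_bytes(b"MZ")         # dropped in the guest
    cp2 = checkpoint(user, quar, keep=2, stamp="20070201-000100")
    changes = diff_manifests(load_manifest(cp1), load_manifest(cp2))
    cp3 = checkpoint(user, quar, keep=2, stamp="20070201-000200")  # prunes cp1
    no_exe = lambda p: p.suffix.lower() != ".exe"     # stand-in for an AV verdict
    held = release(cp3, out, no_exe)
    for rel in held:                                  # operator discards what was flagged
        (cp3 / "files" / rel).unlink()
    result = {
        "changes": changes,
        "kept": [p.name for p in list_checkpoints(quar)],
        "held_back": held,
        "held_after_cleanup": release(cp3, out, no_exe),
        "released": [rel for rel, _ in relpaths(out)],
    }
    shutil.rmtree(tmp)
    return result

if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run it directly and it prints the demo result; in practice you would point `checkpoint()` at the VM’s shared folder from a scheduled task on the host. Two caveats the manifest does not remove: it tells you what changed, not whether the change was malicious, and a checkpoint taken after the guest was infected carries the infection with it, which is why the scan sits at the release step rather than at backup time.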

Granted that unlimited undo is available, how can you protect yourself against the mechanism itself being compromised? The idea to throw the compromised state cleanly away is good, but I don’t think using that state to undo to a previous, presumably uninfected state will be effective.

it just makes good business sense

Maybe. You present a compelling argument. But we’re still spinning our wheels treating the symptom and not the disease. The status quo /has/ to change.

Antivirus brinksmanship is just a digital form of endlessly chasing our tails.

And I don’t like being sold fear.

I honestly didn’t think that ZoneAlarm slowed down my PC that much, at least not to noticeable levels. However, I’m not using version 7 of the engine; which version were you using, as apparently they aren’t using the same anti-virus engine at all? I don’t think the latest version supports Vista yet.

Two things made the difference for me:

  1. Router firewall: block ports 135 and 445.

  2. Disable ALL JavaScript (NoScript extension for Firefox).

I still run AVG and Spybot but it has been a long time since they have detected anything.

I never run any anti-virus software either, and the only time ever I got a virus was when a roommate got a little insecure and had to read one of THOSE emails, and run the attachment.

However, I’m not sure using virtual machines or backups or anything like that really solves the problem. Viruses by nature attempt to corrupt the system, so even in a VM it will try to do that. If your VM has access to your data drive, the virus will end up on that drive waiting for the chance to break everything. If you back up before you notice the virus, the virus can go with it and destroy your backups.

Mac/Linux users don’t worry about antivirus because they don’t have to, for the most part. They’ll probably have to some day, but right now most virus writers just don’t care to write viruses for those systems. You can talk all you want about how secure those OSes are, but users are the weak point in any system.