Choosing Anti-Anti-Virus Software

I also don’t run AV software at home, although when I unleash a new version of Paint.NET to the auto-updater I definitely run it through an AV scan. I think it’d be irresponsible not to!

Regarding the poster who wanted a middle ground between restricted and admin, you might want to look at the Power User account. I don’t remember exactly what it allows/disallows but it might do some of what you want. It’s a bit of a hidden option though for some reason.

I would not be surprised if in the next version of Windows we see everybody running on properly limited accounts. Personally I see Vista as a transition stage; there is still a lot of software that struggles not running under administrator and people need to be able to switch. The sort of software that fails is the sort of poorly designed software a lot of people will be using, and a lot of those people will be people who don’t really know much about computers. To request them to switch accounts or switch programs is a little much. Yes, the UAC could have been implemented better, but I think Microsoft are playing it safe (perhaps a little too safe) in creating an intermediate step before completely limiting access by default. By the next iteration of Windows all software in reasonable use should be up to speed on what it can and can’t do under a limited account.

I’ve always found anti-virus software to be a huge drain. I’ve not yet found one that I’m satisfied with to run on demand, so I just occasionally use a web one. One of the biggest problems with anti-virus software is scheduling; they often don’t realise that just because I’m not at the computer doesn’t mean I’m not running stuff that I would like to have higher priority than them. It will be interesting to see if Microsoft release any of the work they’ve done on scheduling and how that affects the way anti-virus software works.

A very interesting and eye-opening article. I’m a big fan of NOD32, which I moved to after trying both Norton and McAfee and seeing my games grind to a halt.

I’m disappointed that Vista did not promote the use of limited user accounts more. I’m certainly going to try running as non-admin if and when I actually upgrade to Vista.

As for alternatives to Antivirus software, although there were some interesting ideas discussed here, did anyone actually consider that backing up your entire system, warts and all, is actually quite time consuming and also expensive in terms of storage? If you add unlimited levels of undo then surely that is going to be a big performance hit while the OS scurries around backing itself up all the time. That sounds like much more of an inconvenience than having a small drop in performance from running one of the better Antivirus solutions and just backing up my important documents across my network every night.

The VM approach may work well in the future but at the moment only IT pros can really set it up properly. It’s also useless for games, something your kids will most probably want to do.

In short, we can all moan about Antivirus software slowing our computers down and the braver, more techie people can even go without, but until Microsoft actually sorts the whole “admin for everything” fiasco, Antivirus is still going to be the most practical solution for most people.

As someone that built his first computer primarily as a gaming platform, I had to learn good security habits to prevent viruses on my system fairly quickly, as many games had (don’t know about the current state of the situation) a lot of problems with active antivirus software (especially Norton and McAfee). Therefore, I had to disable the AV software to play the games I built the machine to run, and then would usually forget to re-enable it, or simply not do so because the software was often such a hassle to turn on and off on the fly.

For a long time I kept AV software up to date and installed on my machine, and scanned the system whenever things started acting up, and simply kept the active scanning/prevention software from running. Eventually I found that the only time I got a virus on my system was when I did risky things, or purposely installed one to make sure the AV software was working (an RTS game loosely based on the movie WarGames originally shipped with a virus in the registration software on the disc, and I wanted to make sure the installation hadn’t run the registration software and infected the system).

I am now at the point where I simply use an online scanner to check for a virus if my system starts misbehaving. On the other hand, I now run frequent scans of my system(s) for spyware, since even sites that should be safe have a tendency to install spyware/adware on their users’ systems for whatever reason.

The biggest hurdle I had to face in the nearly 10 years I’ve been maintaining this regimen was teaching it to my wife, and in that case a User-level account helped significantly, and Vista’s UAC does help make this a little less painful for both of us (since we don’t have to switch users to install software, just enter the administrator user name and password).

One other thing I’ve found that helps in cases where I’ve really screwed something up is to maintain a completely clean administrator account on the system so that I can recover user files and manage user accounts when the administrator account used to install software on the machine does get corrupted by some piece of malware. In my personal experience, though, AV software finds nothing on systems where I’ve had this happen, and even when I go to the extent of installing AV software and running a complete scan (with up-to-date definitions) there’s nothing there until you scan the user account with 2 different anti-spyware engines, or you realize that Windows sometimes just eats users for breakfast when left to its own devices.

I’m also a gamer and I always leave the auto-protect feature of AV disabled. Most conscientious PC users who do not share their PCs with careless users/small children do not need auto-protect turned on. Anyone who is stupid enough to click on executables in e-mail, or even attachments from people they don’t know deserves whatever they get.

I leave it set for a weekly system scan at 4:30am when I won’t be bothered with it, and that’s been enough to keep my 5 PCs clean of any viruses. I have not had virus-related data loss on any PC using this technique in 7 years.

Anyway, there’s a fundamental problem with the idea, and I think you’d find this to be true on a Linux system as well: if you want the user to run un-elevated, they don’t have the authority to view the process list for anybody but themselves.

Not true. Linux does not restrict who can view the process list.

Vmyths.com comes to mind.
Fighting against computer virus hysteria since 1988.
http://www.vmyths.com/about/

Although there’s not much going on in the last two years.

John Prie wanted “task manager on steroids”. It’s not quite there yet, but Vista did add a column to the Processes tab called “Description”. It gives a long title (one line, probably 3-5 words) for each process that’s running. Of course, all ~10 svchost.exe processes just show up as “Host Process for Windows Services”, so I’d take that with a grain of salt…

Anyway, there’s a fundamental problem with the idea, and I think you’d find this to be true on a Linux system as well: if you want the user to run un-elevated, they don’t have the authority to view the process list for anybody but themselves. My problem with the article is twofold: one, no matter what sandbox you put the user in, the whole system can be compromised if the sandbox isn’t good enough; two, no sufficiently complex sandbox can possibly be known to be “good enough”. The truth is, no security system can be perfect. Your best bet is to have an offline backup of all your important data, and scan regularly with something you’re confident will catch malware – and don’t expect perfection.

Is there an advantage to running as a Standard User vs Running as Admin with UAC enabled?

The problem is that there’s too much damned software out there that requires you to have freaking ADMIN level access just to run. I WANT to run as a limited user, but it seems that you need to diagnose, tweak, and sometimes just give up and run as admin for about half the stuff you install.

And what’s the worst offender? Frelling KIDS software. You think I want my 5 year old to be an admin on the system he gets to use? If EVER you’d think there was software that would be designed to run as a low-rights user, you’d figure it would be stuff designed for little kids, so that Dad or Mom can install using an admin account, and the kid could run it using their no-rights account. You might think this, but is it even close to reality? No way. No how.

Nearly 80% of the educational stuff we get for him won’t even run if he’s logged in as an ordinary user. About 30% of that you can figure out what permissions it needs in what out-of-the-way directory (nothing under the user’s area in Documents and Settings, no, that would be entirely TOO easy) and get it working using a low-rights account. But that still means I have to spend sometimes hours trying to figure out what stupid file in what out-of-the-way place the thing is trying to access, and give him rights to it. Some of them REPLACE a file in the system EVERY STINKING TIME you run them. WTF? It makes me want to hunt down and KILL some damned developer somewhere. Some I’ve yet to have the time/patience/interest to sleuth out, and so he can’t run them on his own… He has to come over, interrupt what I’m doing on my system, and get me to come over and use run-as to start up the programs. Given the attention span of a kid his age, that means every 15 min if I’m lucky…

Last August, I sold my Mac and returned to a PC running Windows. Here is what I have been doing on my Windows XP box:

  1. Run as a regular “limited” user account.
  2. Use Fast User Switching or RunAs to administer the box when needed.
  3. Use FSUTIL to turn off 8dot3 and last access in NTFS.
  4. Turn off System Restore and remote assistance.

It is pretty simple and easy to do. Since my initial installation and configuration of XP, I have hardly needed to use my admin privileges.

Every Saturday morning, I back up my user files and then run Windows Update. So far, everything has been peachy.

Personally, I wish more Windows software didn’t require installers, so that I could simply unzip it and run it from my home directory (which is what I did on my Mac).
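An added audit script, not the commenter’s own, that checks whether the four steps in that list are actually in effect on a Windows box. It assumes Windows PowerShell run from an elevated prompt (fsutil needs that), a local daily-use account passed as -User, and the registry locations shown in the comments; fsutil’s output text varies across Windows versions, so the parsing is deliberately loose.

```powershell
# Audit the limited-user regimen described above (added example; assumptions noted inline).
function Get-FsutilState {
    param([Parameter(Mandatory = $true)][string]$Setting)   # disable8dot3 / disablelastaccess
    # fsutil prints e.g. "disable8dot3 = 1" (XP) or "The registry state is: 1" (newer); grab the digit.
    $text = (& fsutil behavior query $Setting 2>&1) -join ' '
    if ($text -match '(?:=|is:)\s*(\d)') { return [int]$Matches[1] }
    return $null   # fsutil failed or printed something unexpected; report as unknown
}

function Get-RegDword {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value absent: setting never touched
    return [int]$item.$Name
}

function Test-LimitedUserRegimen {
    param([string]$User = $env:USERNAME)   # pass the daily-use account, not the RunAs admin
    $results = @()

    # Step 1: the daily-use account must not be in the local Administrators group.
    # Assumes a local account; domain members are listed as DOMAIN\name by "net localgroup".
    $admins = & net localgroup Administrators 2>&1
    $results += [pscustomobject]@{ Step = "$User is a limited user"; Ok = -not ($admins -contains $User) }

    # Step 3: 8.3 short-name generation and last-access timestamp updates disabled on NTFS.
    $s83 = Get-FsutilState 'disable8dot3'
    $results += [pscustomobject]@{ Step = 'disable8dot3 = 1';      Ok = ($s83 -eq 1) }
    $sla = Get-FsutilState 'disablelastaccess'
    $results += [pscustomobject]@{ Step = 'disablelastaccess = 1'; Ok = ($sla -eq 1) }

    # Step 4: Remote Assistance off (fAllowToGetHelp = 0); System Restore off (DisableSR = 1,
    # the value XP writes under CurrentVersion\SystemRestore, assumed here).
    $ra = Get-RegDword 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance' 'fAllowToGetHelp'
    $results += [pscustomobject]@{ Step = 'Remote Assistance disabled'; Ok = ($ra -eq 0) }
    $sr = Get-RegDword 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore' 'DisableSR'
    $results += [pscustomobject]@{ Step = 'System Restore disabled';    Ok = ($sr -eq 1) }

    return $results
}

# Usage from an elevated prompt: Test-LimitedUserRegimen -User 'alice' | Format-Table -AutoSize
Test-LimitedUserRegimen | Format-Table -AutoSize
```

Step 2 (RunAs / Fast User Switching) is a habit rather than a machine setting, so the script has nothing to check for it; a row with Ok = False tells you which of the other steps has silently reverted, for example after a service pack.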

In the process of upgrading my anti-virus, the installer removed the old version then installed the new version. In the short time while I was running without anti-virus and firewall (including the windows firewall) a couple of trojans appeared on my computer. I’m no idiot when it comes to computing, so I simply can’t believe it is possible to run a secure computer without any of these.

Paul, your computer isn’t using a hardware firewall (your basic $40 NAT router)? If that’s so, I urge you to immediately go out and buy one ASAP.

I wouldn’t directly attach any computer, regardless of OS, to the internet without putting it behind a NAT router first. Software firewalls are no substitute for a proper hardware NAT router solution. They’re incredibly cheap and, by now, quite mature (plus they allow you to share your internet connection among multiple machines at home). Once you’re behind NAT, no hacker can directly touch your system; they have to trick you into downloading their code.

But you’re right, if you directly attach an old version of XP (even SP2) to the internet, it’ll be compromised almost immediately. I just assumed typical computer users realized what a bad idea that was by now.

Ah I’d assumed you meant you weren’t connected to any sort of firewall. My mistake!

Seems your influence has spread to the BBC:

http://news.bbc.co.uk/1/hi/technology/6431853.stm

Jeff, what hardware firewall would you recommend? I’ve got one of the Pre-N wireless routers, but I’m guessing that it is just a software firewall?

Hi Paul,

As long as you’re using a router of some sort (and you’re using the default configuration), you effectively have a one-way firewall that blocks all incoming connections. I don’t have any particular recommendations, but I use the D-Link DGL-4300 which has 802.11b wireless, a gigabit ethernet switch and upstream QoS (meaning, you can saturate your link with downloads and still get excellent response times, even in twitch gaming scenarios). I recommend it wholeheartedly:

http://www.codinghorror.com/blog/archives/000337.html

Interesting article Jeff, but I can’t necessarily agree with a standpoint of running no anti-virus system at all. A recent incident where the latest downloadable distribution of the WordPress blogging system was compromised by a cracker should be a warning that even the most sensible net user can unwittingly infect their system with something undesirable.

If I then accidentally (as if anyone would ever do this on purpose) get something onto my system that is stealing personal information, perhaps banking details, then I want to know about it ASAP. Even running in a VM session there could be useful information to steal - with an increased level of integration between applications (e.g. Office 2007) users are more likely to want to run several applications (with their inherent data) together in a VM.

Prevention rather than cure :)

If people stopped using intercrap exploiter, then there would be little need for such “security” software.

Norton is bloat and everyone knows that.

For years I used security software on my machines. First I had Trend Micro PC-cillin Internet Security as an all-in-one security software, but over the years they pressed more and more (useless) features in and it became slower and slower. Last week I tried to install Trend Internet Security 2007 on my old notebook, a Pentium 3 1.5 GHz with 512MB RAM. That was a mistake! The system slowed down and crashed. Now I have switched back to AVG.
On another Athlon64 machine I used Zone Alarm Pro in combination with ESET NOD32 and Webroot Spy Sweeper. Webroot brought several upgrades and with each of them the system became slower and less stable. So I decided to kick out Spy Sweeper and turn on the antispy in ZoneAlarm. I have not been very lucky with that setup…

Now I bought a new Core 2 Duo machine with Vista and thought about security software. I decided to do it without a personal firewall, antivirus or antispyware, but decided to set up a virtual machine. With the new CPUs it’s a pleasure to work with such a setup, as it doesn’t slow down your PC in any respect.
I will never install security software again (at least as long as manufacturers build crappy functions into it). The virtual machine setup really gives you peace of mind and does not fake security or slow your system.

Good Lord! You’re worrying about performance from AV and security software and you’re installing Vista? Really, I feel that you might be looking in the wrong place for software that kills your computer’s potential performance…