What if Jim Allchin is right about no AV on Vista?

Summary:Scott M. Fulton, III wrote this very thoughtful piece about "Vista, Antivirus: What If Allchin's Right?

Scott M. Fulton, III wrote this very thoughtful piece about "Vista, Antivirus: What If Allchin's Right?"  Fulton was the man responsible for all the flurry recently about Jim Allchin implying that Vista may not need anti-virus because he ran no Anti-Virus software for his son's computer.  Allchin later clarified that he was not talking in general about Vista needing Anti-Virus or not.  running a locked down PC with no Anti-Virus is more effective than running a PC as Administrator with Antivirus.Fulton asks the question if the "technology press" has gotten so jaded that it has lost its ability to think objectively on Microsoft and that it's like "thousands of knee-jerks going on simultaneously".

Even our own Mary Jo Foley was shocked that Allchin would dare run "a heavily locked-down, parental-control-ridden PC, in non-admin mode" as if this was somehow abnormal and that it would be ludicrous to suggest that Vista may not need Anti-Virus software.  My question is, why would we be shocked at running a heavily locked-down configuration for a PC?  Isn't this the default configuration for Vista?  Why change the default configuration of Vista to run in an insecure mode?  Why aren't we MORE SHOCKED that people run Windows, any NT-based version of Windows for that matter in administrator mode?  I've been doing this for years with my family WITHOUT Desktop Anti-Virus and I think you'd have to be insane to let the kids or any novice computer user run as a system administrator.  The fact of the matter is, running a locked down PC with no Anti-Virus is more effective than running a PC as Administrator with Antivirus.

Having the locked down PC also has the wonderful side effect of some actual privacy between family members so that they can't read each other's mail.  Only the administrator (the most knowledgeable adult in the house) would be able to unlock files by taking ownership of files or changing the user passwords.  Furthermore, the only way to prevent children from disabling their Internet filters is running them in a locked down desktop configuration.  Many kids are probably smarter about computer than their parents so they can easily disable Internet filtering software if they're given administrative privileges.

Oh but what about the Administrator running Vista without Anti-Virus?  Administrator accounts in Windows Vista has been downgraded from previous versions of Windows such that it no longer has automatic system access.  In order for an Administrator to perform system-changing tasks, Windows Vista goes in to a special lockdown mode where the entire desktop dims and nothing else on the screen can be clicked until the user gives explicit permissions to change the system.  So if an Administrator is installing software or changing the system configuration, it will be rather obvious that permission to change the system should be given.  But if the Administrator is surfing the web, open up an Office document, or read an email and the Desktop goes dim and asks permission to change the system, it's fairly obvious that something is horribly wrong.  Coupled with other security mechanisms, this should provide more than adequate protection for moderately advanced Administrators.

Fulton continues his article with:

The prospect of my being able to allow my child to use an operating system complete with failsafes, user access controls, parental lockdowns, and malware-foiling architecture -– never mind who invented it first -- designed to the point where, at least for the next few years, I don’t have to rely upon anyone's third-party, performance-degrading, resource-hogging behemoth of a protection system capable of doing more damage than any virus ever dreamed, is a prospect I look forward to with undaunted enthusiasm.

I've been saying for a long time that the resource cost of Desktop Anti-Virus software is too great to justify its use because it makes your PC slower than molasses.  I've even gone further to show examples of how running Desktop Anti-Virus can make your PC even less safe because it's like having a bomb squad diffuse a bomb inside your house standing next to you since there are exploits targeted specifically against plentiful Anti-Virus vulnerabilities.  Furthermore, you're paying good money for software that slashes the performance of your PC four fold.

I can make a good technical case that Anti-Virus running on a locked down PC provides a very dangerous vector that would not have been there without the Anti-Virus software.  For example if a non-administrative without system privileges triggers a virus, that virus cannot infect the system because it lacks the privileges to do so.  But if there was Desktop Anti-Virus running with a vulnerability, any malicious payload that takes advantage of that vulnerability has immediate root access to the system!

Of course some people have taken this to mean that I am saying that people shouldn't be running Anti-Virus when I have said no such thing.  I said people don't need DESKTOP Anti-Virus when other defensive measures are engaged, I never said people should not run Anti-Virus.  I have said over and over again that I favor offloading the job of virus detection to a Gateway device that scans for viruses coming in via HTTP, FTP, and SMTP.  I've even offered cheap hardware and software suggestions and some more robust solutions for an Anti-Virus gateway.  Using a gateway device means you have a single box to update as far as AV definitions are concerned and it protects every single PC in the house!

Does that cover all possible vectors such as sneaker-net via USB or CD?  No it does not.  But having the family run in locked down Desktop is more valuable in terms of security to begin with.  The combination of the locked down desktop and gateway Anti-Virus scanning means you can have your PC scream to its full intended potential while being more secure than you have ever been running Desktop Anti-Virus on a wide-open PC.  The concept is even easier for an IT department to implement since professional Desktop support staff should know how to lock down a computer.  Not everyone will agree with my philosophy on Desktop Anti-Virus and I don't expect them to.  I just want my performance back while maintaining equal or better security than the status quo.

Topics: Malware

About

George Ou, a former ZDNet blogger, is an IT consultant specializing in Servers, Microsoft, Cisco, Switches, Routers, Firewalls, IDS, VPN, Wireless LAN, Security, and IT infrastructure and architecture.

Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.