Do you really need antivirus software?

By Ed Bott | November 23, 2010, 5:26am PST

Summary: Do you need antivirus software on your PC? If you’re not sure of the answer to that question, then the short answer is yes. The longer answer is that security software is only one piece of what should be a simple, straightforward, and systematic approach to your PC’s health. Here’s my seven-step program.

Do you need antivirus software on your PC?

If you’re not sure of the answer to that question, then the short answer is yes. The longer answer is that security software is only one piece of what should be a simple, straightforward, and systematic approach to your PC’s health. I’ll outline my recommendations in this post. If you’re visiting the family over the holidays, you might want to take my list along with you.

But first, let me rant a bit. It’s no secret that I dislike the security software industry. In one of my very first posts here, nearly four years ago, I called it a “protection racket” and said, “I can already see the beginnings of an ‘arms war’ among security software companies, with ads and whisper campaigns based on fear.” Back in 2005, I wrote a post arguing, “The security software industry wants you to be afraid.”

I have deeply mixed feelings about antivirus software, especially when it’s part of a big security suite that tries to protect you from every imaginable form of online threat. The companies that sell you that software have an interest in keeping you afraid, and so they publish countless studies proving how dangerous the online world is.

They also have a vested interest in proving that you haven’t wasted your subscription dollars on their product, so they need to occasionally (or continually) pop up messages and alerts and reminders to show you exactly which threats they’ve blocked. Even when those “threats” are trivial or nonexistent.

Just how dangerous is it out there? Here’s what you need to know:

  • No computing environment is immune. Every platform can be exploited by an attacker. This month’s Mac OS X v10.6.5 and Security Update 2010-007 included well over 100 fixes to critical security vulnerabilities, many of which could lead to arbitrary code execution. These are exactly the same types of vulnerabilities that Windows malware writers take advantage of. Fortunately for Mac (and Linux) users, their worldwide market share is small enough that malware writers simply haven’t bothered with them. If you use OS X on a Mac, I don’t think you need to install security software, but that recommendation could change someday if Apple’s platform continues to grow in popularity and attracts enough attention from bad guys.
  • Good behavior alone is not enough to protect you from attacks. Visiting porn sites and downloading pirated software puts you at a much higher risk of infection, but even legitimate web sites can be compromised, and seemingly innocent results in a search engine can lead to hostile sites.
  • Antivirus software is one layer among several. Depending on the type of threat, it can be very helpful, even if you consider yourself an expert PC user. But it is not a magic bullet, and it is no replacement for a well-rounded approach to security.
  • No antivirus software is perfect. It is literally impossible for any security product to identify every possible threat, especially when malware writers are constantly updating their products to avoid detection. Most of the leading antivirus programs can identify and block the overwhelming majority of threats you’re likely to encounter online. The fact that they can’t reach 100% protection is why security software is only one part of a layered security strategy.
  • Many types of malware are installed voluntarily. Among the most common threats are Trojans, which spread via social engineering. The job of a malware writer is to convince you to run his innocent-sounding program, which secretly does something other than its stated purpose. It might claim to be a new video playback plugin (like the one I saw last week) but actually turns out to be a program that hides on your PC and steals passwords or sends spam. Social engineering explains how an entire class of malicious fake antivirus programs made it onto the top 10 malware list for the first half of this year.
  • Malware writers make their living exploiting unpatched systems. One of the top 10 threats found and removed from Windows PCs in the first half of this year was Win32/Conficker. The vulnerability that Conficker exploits was blocked by a Microsoft patch released in October 2008. In fact, that’s true of most of the top PC malware variants found in the wild. Four of the entries on the top 10 list for 2010 are based on vulnerabilities that were identified and patched in 2007 or 2008, and none of the others could have been installed without explicit user interaction on a fully updated copy of Windows.
  • It’s not just Windows that needs patching. Some of the most effective malware vectors these days are coming through vulnerabilities in products like Adobe Flash and Reader, in the Java runtime, and in Microsoft Office. In most cases, the vulnerabilities were patched quickly by the software maker, but if you didn’t apply that update, you remain vulnerable. Ironically, most of these exploited programs are cross-platform; in theory, malware authors can add code to their PDF or Java exploits that target Macs or Linux PCs. So far, they haven’t done that. 
  • Attacks via zero-day exploits are rare. Zero-day exploits get a lot of publicity, but they rarely have a widespread impact. The worst variants of these attacks are the ones aimed at specific companies, like the targeted wave of attacks against Adobe, Google, and other high-profile companies in early 2010. And even those only succeeded because they exploited unpatched systems using an outdated browser.

So how do you protect your PC online?

Page 2: My 7-point security regimen –>

Ed Bott is an award-winning technology writer with more than two decades' experience writing for mainstream media outlets and online publications.

Disclosure

Ed Bott

Ed Bott is a freelance technical journalist and book author. All work that Ed does is on a contractual basis.

Since 1994, Ed has written more than 25 books about Microsoft Windows and Office. Along with various co-authors, Ed is completely responsible for the content of the books he writes. As a key part of his contractual relationship with publishers, he gives them permission to print and distribute the content he writes and to pay him a royalty based on the actual sales of those books. Ed's books written prior to fall 2011 have been distributed by Que Publishing (a division of Pearson Education) and by Microsoft Press. As of November 2011, Ed is a partner in the independent publishing company Fair Trade Digital Exchange, which exclusively publishes his books.

On occasion, Ed accepts consulting assignments. In recent years, he has worked as an expert witness in cases where his experience and knowledge of Microsoft and Microsoft Windows have been useful. In each such case, his compensation is on an hourly basis, and he is hired as a witness, not an advocate.

Ed does not own stock or have any other financial interest in Microsoft or any other software company. He owns 500 shares of stock in EMC Corporation, which was purchased before the company's acquisition of VMware. In addition, he owns 350 shares of stock in Intel Corporation, purchased more than two years ago. All stocks are held in retirement accounts for long-term growth.

Ed does not accept gifts from companies he covers. All hardware products he writes about are purchased with his own funds or are review units covered under formal loan agreements and are returned after the review is complete.

Biography

Ed Bott

Ed Bott is an award-winning technology writer with more than two decades' experience writing for mainstream media outlets and online publications. He's served as editor of the U.S. edition of PC Computing and managing editor of PC World; both publications had monthly paid circulation in excess of 1 million during his tenure. He is the author of more than 25 books on Microsoft Windows and Office, including the recently released Windows 7 Inside Out.

205 Comments

RE: Do you really need antivirus software?
Pete "athynz" Athens 23rd Nov 2010
Personally I consider antivirus software to be more of a safety net - IMHO using common sense is the best deterrent to getting any sort of virus. I'm good about keeping things up to date and I tend to leave the pirated stuff and porn alone and to me that is simply common sense as is having antivirus, ad blockers, and flash blockers installed.
1 Vote
I agree, it is a safety net
NonZealot 23rd Nov 2010
@athynz
AV isn't a security tool. If your AV catches anything, it means your security has FAILED, just like falling off a high wire means your training has FAILED. In both cases, it is nice to have something that might catch you.
0 Votes
@NonZealot Not necessarily. If you stumble across malware on a normally good website and AV catches you trying to download something bad, then which security measure has failed?

No security measure I know of other than AV prevents you from downloading malware.

"just like falling off a high wire means your training has FAILED."

Umm, no. Ask anybody who's done the high wire, they're human, stuff happens. There's a safety net underneath them for a reason.
0 Votes
Not a security tool?
PlayFair Updated - 23rd Nov 2010
@NonZealot

I'm not sure what you are defining as security, but from what I know, security occurs prior to and subsequent to a possible breach, if necessary. Security guards don't just say: "Dang. Well, the crook got in already. Nothing to do now." But they try to find the culprit even after entry.

Then they work to prevent the same and more in the future.
0 Votes
Way to show your ignorance.
Snooki_smoosh_smoosh 23rd Nov 2010
@NonZealot... Many AV programs will catch a known threat before it even enters your system, as many monitor active browser sessions. On my home machines, I very rarely get a notification; of course, I do have predictable browsing habits, coupled with using Chrome or FF with extensions that block flash-based ads. IE fails in this regard.

I am also smart enough to know that if a video prompts me to update my flash player, to go directly to adobe for the update, if it still tries to get me to update, I know the video is phony and is only there to try to get people to voluntarily hijack their computer.

For my security at home, I am using Microsoft Security Essentials and Windows Firewall. Seems to do a fair enough job, and not at the expense of system resources.

Windows of course is set to update itself, which includes IE, MSE, and all of Microsoft's software. Chrome does a nice job of updating everything it needs, including the flash player. Adobe does a good job of notifying me of the updates it needs.
-1 Votes
@NonZealot

You can't be serious. You're trying to tell us that you have the ability - through nothing more than using "best practices" - to eliminate the threat of malicious code and other exploits?

You're nuts.
1 Vote
@NonZealot, up the ante, use OPENDNS and siteadvisor, so that you cannot even browse to most dodgy sites. Surprised that this is not even one of the 7 steps, seems very worthwhile to me.
-1 Votes
failed
buddhistMonkey 29th Nov 2010
@Zealot ((( "If your AV catches anything, it means your security has FAILED..." )))

It also means you aren't running OS X.
0 Votes
@athynz honestly, I don't even think of it as a safety-net. I am speaking from an enterprise POV. The worst bad-ware is the newest - the stuff that none of the security firms have figured out or even heard of (not just zero-day, but new ways to exploit old weaknesses). And it basically boils down to bad habits. Bringing USB flash drives from home. Believing you'll get a free Xbox by clicking a link. Believing that your enterprise computer is unprotected from viruses. Or trying to update your Flash just because a website says you're out-of-date.

People do this to themselves, and then get angry at me (us) when they have a virus. Security firms live off this fear, not off effectiveness (by and large).

My company is moving to managed desktops, just to be sure that patches are implemented, and they will be locking out USB flash drives soon. But honestly, there is no way to protect most people, short of disallowing the internet OR teaching everyone in the world how to use common sense in avoiding viruses. Neither of these options is very practical.

My daughter, bless her heart, has a talent for finding the newest exploits and installing them. Makes me very thankful for home servers.
0 Votes
The worst is...
zkiwi 23rd Nov 2010
The one(s) that gets through. Presuming these will be the newest is base naivety.
0 Votes
The Newest Are More Likely
CFWhitman 24th Nov 2010
@zkiwi
What you're saying isn't really at odds with what WookieFan is saying. He is just pointing out that the same ones you'll be protected from by keeping up-to-date are the ones that anti-virus will catch. The newest ones won't get caught by anti-virus. It's not that old ones can't get through. It's just that the odds are better that new ones will.

Of course, if you're willing to download and install malware yourself, then it won't matter much how old it is.
0 Votes
RE: Do you really need antivirus software?
Pete "athynz" Athens 24th Nov 2010
@WookieFan I understand where you are coming from - fortunately I support a very small user base as a side for my own job and really it's more like residential use as we do not have an enterprise system (very small office) so usually by the time something comes down the pike for us most AV software companies have figured how to block it... and fortunately for me the users have common sense which makes my job much easier than most... happy
1 Vote
knowledge gap
Tom6 Updated - 24th Nov 2010
It's a shame Ed earns money by spouting about things he is clearly clueless about. Where he does know stuff it seems to make sense, but security is not his strong suit.

While claiming to distrust antivirus companies he then re-iterates some of the popular misconceptions they try hard to perpetuate. Perhaps his experiments with using a Mac platform might open his eyes to some truths.

While Windows dominates on the desktop it cannot make any headway in Server Markets because it is inherently unsafe and unstable as keeps being proven. While it is fine to have to reboot a desktop once a day or more this is not ok for servers. Linux and other unix-based platforms are used on servers precisely because they are inherently safer and more robust than Windows systems.

If you were a virus writer do you think you would want the fame and kudos of writing something that just infected a few desktops or would bringing down massive servers and crippling the entire internet be more enticing? Yet we almost never hear about large chunks of the internet being brought down by anything, not viruses, not other malware. We sometimes hear of a couple of machines suffering under large-scale concentrated and highly skilful attacks but these are usually dealt with quite fast. Faster than getting rid of malware on a few desktop machines.

So, if all Operating Systems are equally vulnerable, then why don't we hear of servers going down, why do we only hear of desktops getting crippled? Think about it.
Regards from
Tom
1 Vote
@Tom6: "So, if all Operating Systems are equally vulnerable, then why don't we hear of servers going down, why do we only hear of desktops getting crippled? Think about it."

Because desktops are mostly maintained by kids and grannies and by non-tech-savvy types, while servers are mostly maintained by IT professionals/admins who are at risk of losing their job if they fail at securing their servers.

So logically, a desktop secured by a non-tech savvy type is more vulnerable than a server being maintained by Professional IT admins.
-1 Votes
RE: Do you really need antivirus software?
bmonsterman 24th Nov 2010
@Tom6,

Why do you have to be insulting? Ok, so here it is. Servers are not at as much at risk because:

1. They are usually behind a very restricted firewall, unless they are a webserver. Even then, every port besides 80 and 443 is locked down. Other ports that might use web services are only allowed access to a certain range of IP addresses.

2. Installation of programs is planned, and the applications that are installed are well vetted.

3. Access to install programs on servers is very limited.

"While Windows dominates on the desktop it cannot make any headway in Server Markets because it is inherently unsafe and unstable as keeps being proven."

What are you talking about?

Link:
http://www.zdnet.com/blog/microsoft/behind-the-idc-data-windows-still-no-1-in-server-operating-systems/5408

This shows Windows Servers at about 73.9% of server share in terms of dollars. Now the Linux guys will say, "That's because Linux is free". Noted. But you're saying that Windows hasn't gained any traction in the server market? Give me a break.
0 Votes
RE: Do you really need antivirus software?
DannyO_0x98 Updated - 29th Nov 2010
@Tom6
Servers generally have more capable administrators than the home computer. Even if that were not strictly the case, for the administrators security is the job and why they get paid. For the home user being an administrator is friction and cost.

Servers are also passive. They don't decide to download a poisoned cat video because a Facebook friend linked it.

They are also isolated and have minimized the threat posed by physical access.

I guess you are bristling that Windows gets some sort of pass for security issues because of its popularity. Or that Linux and OS X are given back-handed compliments. (Yeah, no one's breaking in, but that's because no one uses them.)

Stop it. Doesn't matter. Operating systems are a lower layer to the real functionality, as manifest by the applications we use. Security is a cost and is offset manifold by the benefits of the entire stack we use. Problem appears? Patch it please, because wiping the machine and using Linux, re-training our workers, re-sourcing our applications, performing ports, etc., while doable, is not how we want to utilize our resources.

All the modern operating systems are better than their predecessors five years back. They will be better still in the future, though not as rapidly, because "security" is an asymptote.

And the real weak spots are higher up in the stack, in the software, and vulnerability will still exist via the inescapable vector of a user connecting with a strange computer somewhere out there.
1 Vote
Security
Tom6 Updated - 24th Nov 2010
People that are serious about running secure, robust systems (such as people running large-scale servers) use linux or other unix-based systems. Well over 60% of the top 500 supercomputers run on linux.

People that want to make a fuss and don't mind suffering a bit when it goes wrong run Windows. Less than 1% of the world's top 500 supercomputers run Windows. Why?

Why is it only Windows desktops that get taken down so often by security issues? Surely malware writers would be more interested in taking down vast chunks of the internet rather than just a few old desktops?

Yes, with Windows you need to take Ed's advice but with linux most of this sort of stuff is built-in. For example updating the system and then separately going through each app and driver to update them separately is insane. Linux updates everything in one go and also does that more politely.

With linux you don't have to block people from making use of the machine in order to keep them safe. Users can often install programs themselves without having to call for some SuperUser Administrator to do it for them. Since programs are NOT run as Root/SuperUser/Administrator in linux the system remains safe. It is possible (easily) to totally lock-down a system so certain users can do almost nothing but unlike Windows there are many intermediate steps which can give certain users access to certain devices and systems but not others and this can be easily set-up on a per-user basis.

There is a story about a doctor performing something fairly crucial by remote where Windows suddenly decided its updates were more important and then forced a reboot despite being told not to. Linux doesn't automatically assume it is more important than the tasks the user is doing. It lets you know that a reboot is required to bring the updates online and then sits back allowing you to choose when YOU want to reboot. So, if you are stuck in the middle of brain surgery (it wasn't brain surgery in the recent story) you wouldn't have to wait 15 mins for the machine to sort itself out.
Regards from
Tom
@Tom6: Why is it only Windows desktops that get taken down so often by security issues?

You're welcome.

Since programs are NOT run as Root/SuperUser/Administrator in linux the system remains safe.

They are if you're running them as Root/SuperUser/Administrator.

There is a story about a doctor performing something fairly crucial by remote where Windows suddenly decided its updates were more important and then forced a reboot despite being told not to.

The only existence of this story is right here in your post. I was unable to find a reference otherwise. Perhaps you can provide a reference?

Like it or not Linux and Windows are very similar in their security design.
1 Vote
Closer Than They Used to Be
CFWhitman Updated - 24th Nov 2010
@ye
The market share myth has been disproved in a few different cases. For example, Apache grew to a much greater market share than Microsoft IIS. However, even after this happened, IIS still had many more worms running rampant across the Internet. Another example: Sendmail has taken a lot of abuse among Unix/Linux administrators for its many security exploits. However, the last I looked, Sendmail, the security embarrassment of the Unix community, still had fewer exploits than Exchange, though it's been around longer.

Recently, in general, Windows has gotten a lot more secure than it used to be. It's much more like Unix and Linux than it was. However, there are still a couple of legacy issues that Windows has to deal with which damage its security model.

One issue is that it's still much more convenient to run Windows with administrative privileges always available than it is to run it as a regular user and switch to administrator only for certain tasks. Part of the issue here is not just with Microsoft, but with the expectations of third party software vendors when it comes to how their programs will run on Windows.

A second nagging issue with Windows is that it depends upon the file extension rather than a file property to tell whether a file is executable or not. Microsoft has put safeguards into Internet Explorer and Outlook and Exchange recently to warn users about this issue when they download an executable file (a file with a .exe, .com, or .scr extension). Basically, there is only so much that they can do about this issue because of the weight of all the legacy software out there. This is something so basic about the way the operating system works that it makes it difficult to change.

Of course Windows' improved security has led to the focus of malware authors switching a lot to phishing attacks, since they depend on breaching the user's safeguards rather than the system's safeguards. Focus has also switched somewhat to third party avenues to breach security like Java, Flash, and even PDF reader exploits.

Edit: Incidentally, I had meant to mention that phishing exploits really do scale with market share. So to some extent, as more malware becomes dependent on social engineering to be installed, the market share myth gains more credibility.

Edit: Fixed typo.
1 Vote
RE: Do you really need antivirus software?
bmonsterman 24th Nov 2010
@CFWhitman,

Pretty fair criticism of Windows OS. I wish Microsoft could use file properties instead of file extensions to determine whether the file is executable. I'm not sure what the impact would be for backwards compatibility.
-1 Votes
No, it has not.
ye Updated - 24th Nov 2010
@CFWhitman: The market share myth has been disproved in a few different cases.

At least not that I've seen.

For example, Apache grew to a much greater market share than Microsoft IIS. However, even after this happened, IIS still had many more worms running rampant across the Internet.

I keep hearing this yet nowhere do I see supporting evidence. People just keep repeating this as if it's fact.

Recently, in general, Windows has gotten a lot more secure than it used to be.

Windows NT started off secure. Recent versions haven't done all that much to change the underlying security model. It started off strong and it has only been improved.

One issue is that it's still much more convenient to run Windows with administrative privileges always available than it is to run it as a regular user and switch to administrator only for certain tasks. Part of the issue here is not just with Microsoft, but with the expectations of third party software vendors when it comes to how their programs will run on Windows.

This is not a Windows security failure. It is a failure of third party developers to properly code their software to run as an unprivileged user.

A second nagging issue with Windows is that it depends upon the file extension rather than a file property to tell whether a file is executable or not.

How is this a security weakness? How is having the file marked executable through a file property any more secure than using the file extension "property"?

Edit: Incidentally, I had meant to mention that phishing exploits really do scale with market share. So to some extent, as more malware becomes dependent on social engineering to be installed, the market share myth gains more credibility.

The market share "myth" always had credibility. At least to rational, thinking people.
@bmonsterman: Pretty fair criticism of Windows OS. I wish Microsoft could use file properties instead of file extensions to determine whether the file is executable. I'm not sure what the impact would be for backwards compatibility.

Not that I agree with using the file extension as an indicator of a file's ability to be executed or not. But how is not using it any more secure?
1 Vote
Sorry - totally out to lunch
radleym Updated - 24th Nov 2010
@ye
1. thanks. (I assume you designed windows and/or linux)
2. Why would you deliberately circumvent security?
3. Regardless of the story, Windows (pre-7 anyway - I don't have 7 yet) and linux are totally different wrt security. Linux design comes from unix which has been refined since the 50's. Windows design comes from sales expediency. Windows asks "Are you sure?". Linux/unix secures the entire system by design, behind (hopefully) secured user/root management and permissions.
p.s. - sorry I couldn't reply directly to "ye" and had to post this as a reply to Tom6
@ye

Well, there is only one reason that makes it more secure. If executability is determined by extension, then anyone who sends you a file with a certain extension makes it automatically executable. It's up to the user to know what file extensions not to open (although it's less risky now with UAC). When the user has to elevate his privilege then change the property of the file to be executable, then the running of a file as an executable has to be more deliberate. Besides, wouldn't it be nice to just look at the properties of a file to see if it's executable vs. knowing which file extensions are executable? Keep in mind, I'm a Microsoft fan and I'm not trashing the OS. I think this would be a welcome improvement, if they could pull it off without destroying backward compatibility.
0 Votes
RE: Do you really need antivirus software?
bmonsterman Updated - 24th Nov 2010
@radleym,
"Regardless of the story, Windows (pre-7 anyway - I don't have 7 yet) and linux are totally different wrt security. Linux design comes from unix which has been refined since the 50's. Windows design comes from sales expediency. Windows asks "Are you sure?". Linux/unix secures the entire system by design, behind (hopefully) secured user/root management and permissions."

Dude, what is the difference between needing Admin privileges in Windows to do something and needing root to do something (rhetorical...there is no difference)? Post Windows XP, you need elevated access to do anything that could harm the OS. I don't understand the distinction. Can you explain?
-1 Votes
How did you know?
ye 24th Nov 2010
@radleym: totally out to lunch
Eating a Big Mac right now.

1. thanks. (I assume you designed windows and/or linux)
2. Why would you deliberately circumvent security?


???

3. Regardless of the story, Windows (pre-7 anyway - I don't have 7 yet) and linux are totally different wrt security.

No, they're not. Anyone claiming otherwise is clueless.

Linux design comes from unix which has been refined since the 50's.

What does this mean?

Linux/unix secures the entire system by design, behind (hopefully) secured user/root management and permissions.
Just like Windows. The difference being one calls the administrative user "root" while the other calls it "administrator".
-1 Votes
@bmonsterman: If executability is determined by extension, then anyone who sends you a file with a certain extension makes it automatically executable.

Which has nothing to do with security.

When the user has to elevate his privilege then change the property of the file to be executable, then the running of a file as an executable has to be more deliberate.

Nothing in UNIX enforces this. An e-mail client could easily set the execute bit on behalf of the user for convenience sake. The OS would be none the wiser.
1 Vote
RE: Do you really need antivirus software?
bmonsterman Updated - 24th Nov 2010
@ye,
I said:

If executability is determined by extension, then anyone who sends you a file with a certain extension makes it automatically executable.

You said:

Which has nothing to do with security.

I say:

Sure it does. Anything that allows a user to do something unintentional is a security issue.

I said:
When the user has to elevate his privilege then change the property of the file to be executable, then the running of a file as an executable has to be more deliberate.

You said:
Nothing in UNIX enforces this. An e-mail client could easily set the execute bit on behalf of the user for convenience sake. The OS would be none the wiser.

I say:

Now you're just being argumentative. An email client could also be coded to delete all user files from the home directory without the user knowing about it or the OS caring about it. That doesn't make it Unix or Linux's fault. Poorly developed apps are just that...poorly developed apps.
-1 Votes
Still doesn't make it a security issue.
ye Updated - 24th Nov 2010
@bmonsterman: Sure it does. Anything that allows a user to do something unintentional is a security issue.

You're reaching. You really are. Whether you can do something unintentional or not does not make something a security issue. Or do you consider the following, run as root, a security issue:

rm -rf /

When the user has to elevate his privilege and then change the property of the file to be executable, then running the file as an executable has to be more deliberate.

A user has to do no such thing to change the execute property. All they have to do is issue the "chmod u+x [file]" command. Or "sh [file]". No elevation of privilege necessary.

Now you're just being argumentative. An email client could also be coded to delete all user files from the home directory without the user or the knowing about it or the OS caring about it. That doesn't make it Unix or Linux's fault. Poor developed apps are just that...poorly developed apps.

My point being: The lack of the execute bit not being set on file attachments is a function of the mail client and not the OS. If someone wanted to write a mail client which set this bit the OS is not going to stop them. IOW it's the application developer enforcing the "security" and not the OS.
1 Vote
RE: Do you really need antivirus software?
bmonsterman Updated - 24th Nov 2010
@ye

"A user has to do no such thing to change the execute property. All they have to do is issue the "chmod u+x [file]" command. Or "sh [file]". No elevation of privilege necessary."

Oops. My bad. It's been a while since I messed with Unix/Linux (I am a Windows guy). I assumed you needed 'su root' for that.

As far as it being a security concern: the first email trojans that I remember (i.e. "I love you") were batch files. If the user were required to save it, then run chmod on it, then execute it...that trojan would have never been successful. If a Unix/Linux email client automatically runs chmod on a file without telling the user, given the history of email and trojans, then that is a seriously jacked email client.
0 Votes
@bmonsterman: But it's still not a security weakness of the OS. It may be a poor convention but it's not a security issue. And it's essentially a non-issue because the user is warned, multiple times, about running the file.

If a Unix/Linux email client automatically runs chmod on a file without telling the user, given the history of email and trojans, then that is a seriously jacked email client.

Or it's giving the users what they want. History has shown time and again users will choose convenience over security most every time. The majority of Windows users aren't going to want to save a file, change its execute permission, and then run it. They want to click on it and run it.
1 Vote
@ye
I keep hearing this yet nowhere do I see supporting evidence. People just keep repeating this as if it's fact.

There is plenty of documentation of IIS 4 and 5 worms that plagued websites particularly up through 2001. Now, especially since the release of IIS 6, the security of IIS has improved a lot. However, this does not change the fact that it had more problems than Apache during a time that its market share was much lower.

Windows NT started off secure. Recent versions haven't done all that much to change the underlying security model. It started off strong and it has only been improved.

Well, Windows NT was an infinite number of times better than Windows 95/98/ME. That's because they had no security whatsoever. Windows NT's underlying design was a huge improvement, but the necessity to carry legacy code written for the completely unsecure platforms of the DOS based Windows series undermined its security.

From Windows NT 3.51 to Windows XP Service Pack 3 is a huge improvement in security. Actually, it's nearly as big of an improvement from Windows XP Service Pack 1 to Service Pack 3. Microsoft fixed a lot of legacy security issues during that time, and broke a lot of software that expected bad operating system security in the process. They had to do it slowly or they would have broken much more software, but they warned third party vendors and gave them time to rewrite their software for the improved security model.

This is not a Windows security failure. It is a failure of third party developers to properly code their software to run as an unprivileged user.

It's funny, but I thought I pointed that out in my comment. However, it is again related to the insecurity of legacy versions of Windows. Microsoft was forced to improve operating system security, but their old way of doing things made it an uphill battle.

How is this a security weakness? How is having the file marked executable through a file property any more secure than using the file extension "property"?

Particularly when combined with hiding file extensions by default (which Windows does). This makes social engineering attacks much easier to pull off successfully.

When extensions are hidden, you cannot tell the difference between for instance, jessica_alba.jpg and jessica_alba.exe, as long as the person crafting the .exe file gives it an appropriate icon. This of course makes it so that someone who thinks they are downloading a picture of someone/something and wants to view it by double clicking on it can end up executing a program rather than opening a picture in a viewer.

This is exacerbated by the fact that all that you have to do in Windows to end up with an executable file is to copy or download it to a drive that the computer has access to. Once it's there, it's executable. In Unix or Linux, you have to download or copy it, and then go in and change its executable property to make it executable. There is another step to take, and you have to be more deliberate about it.

The market share "myth" always had credibility. At least to rational, thinking people.

The market share myth is based on circular reasoning. It starts with the assumption that security is similar between different operating systems. Based on that assumption, it says that market share is the main reason for more exploits on any particular system. Then it goes on to say that because market share will be the main reason for exploits on any particular system, the reason for more exploits in Windows is because it has a greater market share. So the thing it "proves" is the assumption that it's based upon in the first place.

You can make the statement that 'if two systems have equal security and are used for the same application in the same environment, then the one with the greater market share will have more exploits.' That reasoning is sound. However, it does not follow (it is not proof) that any system that has both greater market share and more exploits than another system has equal security. It is not proof that every difference in number of security exploits can be explained by market share.

Basically, the market share myth is that all systems have equal security, and that is obviously not true. Just adding a phrase and saying that all systems have equal security, so the one with more market share will have more exploits, does not make the statement true.
-1 Votes
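The execute-bit behaviour argued over in this exchange (the "chmod u+x" point, the claim that the OS does not enforce the convention, and the hidden double-extension trick) can be checked directly on a Linux/Unix box. The script below is an added example, not code from the thread or from ZDNet: it builds a constructed "attachment" in a temp directory the way a cautious mail client would leave it (mode 644, no execute bit), then shows what the bit does and does not gate. The file name, the payload and the temp directory are all made up for the demonstration.

```shell
#!/bin/sh
# Added example: what the Unix execute bit gates, and what it does not.
# Assumes a Linux/Unix host with a temp directory that allows execution.

# Save a constructed "attachment": a shell script that prints a marker,
# written with no execute bit, as a mail client that only saves files would.
save_attachment() {
    dir=$(mktemp -d)
    f="$dir/invoice.pdf.sh"            # constructed name, double extension on purpose
    printf '#!/bin/sh\necho payload-ran\n' > "$f"
    chmod 644 "$f"                     # rw-r--r--: readable, not executable
    echo "$f"
}

# Exit status of running the file by path. 126 means the kernel refused
# the execve() because no execute bit is set (EACCES); 0 means it ran.
# Even root is refused here, since there is no execute bit at all.
exec_status() {
    if "$1" >/dev/null 2>&1; then echo 0; else echo $?; fi
}

# The bit gates execve(), not interpretation: handing the file to an
# interpreter needs only read permission, so this runs regardless.
interp_status() {
    if sh "$1" >/dev/null 2>&1; then echo 0; else echo $?; fi
}

# The owner can set the bit on their own file with no privilege escalation;
# nothing in the OS asks for confirmation or prevents an application doing it.
make_executable() {
    chmod u+x "$1"
    exec_status "$1"
}

# A cheap check a client could run before launching something: does the name
# carry a misleading second extension (the "picture.jpg.exe" trick)?
has_double_extension() {
    case "$(basename "$1")" in
        *.*.*) return 0 ;;
        *)     return 1 ;;
    esac
}

demo() {
    f=$(save_attachment)
    echo "direct exec, no x bit : $(exec_status "$f")"
    echo "via interpreter       : $(interp_status "$f")"
    echo "after chmod u+x       : $(make_executable "$f")"
    if has_double_extension "$f"; then
        echo "double extension      : $(basename "$f")"
    fi
    rm -rf "$(dirname "$f")"
}

demo
```

Running it prints 126 for the direct attempt, 0 via `sh`, and 0 after `chmod u+x`. That is the whole of ye's point in code: the execute bit is a convention honoured by whatever wrote the file, and both the user and any application can flip it without elevation, so the "extra step" only exists if the client chooses not to take it on the user's behalf.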
@CFWhitman: There is plenty of documentation of IIS 4 and 5 worms that plagued websites particularly up through 2001.

The only well known "IIS" exploit was Code Red. And, IMO, it was successful because every version of Windows 2000 Server had IIS installed and running by default whether the system was being used as a web server or not. Thus while IIS might have represented a smaller number of web hosts on the Internet it represented a significantly larger number of non-web hosting servers in total. I recall this well because the company I worked for had many non-web based servers infected as a result.

Aside from Code Red where are these documents you speak of?

Well, Windows NT was an infinite number of times better than Windows 95/98/ME. That's because they had no security whatsoever.

Agreed. However since the current version of Windows is based off the NT code base don't you think it's a little desperate to be discussing the Windows 9x code base?

From Windows NT 3.51 to Windows XP Service Pack 3 is a huge improvement in security. Actually, it's nearly as big of an improvement from Windows XP Service Pack 1 to Service Pack 3.

Really? What fundamental thing changed in Windows' security model between Windows NT 3.51 and Windows XP SP3?

Microsoft fixed a lot of legacy security issues during that time, and broke a lot of software that expected bad operating system security in the process.

Such as? The only major thing I can think of is enabling, by default, the already built in firewall. Many programs that assumed no firewall broke. Other than that...what?

It's funny, but I thought I pointed that out in my comment.

Then why bring it up? It has nothing to do with Windows' security.

However, it is again related to the insecurity of legacy versions of Windows.

Versions of Windows that are at least a decade old. Care to join us in the present?

Particularly when combined with hiding file extensions by default (which Windows does). This makes social engineering attacks much easier to pull off successfully.

Except the user is warned, multiple times, about the actions to occur. Regardless this is not a security failing of Windows.

In Unix or Linux, you have to download or copy it, and then go in and change its executable property to make it executable. There is another step to take, and you have to be more deliberate about it.

Which is why UNIX will never be accepted. With that said this has nothing to do with the OS but rather the application not setting the execute bit. The application could set the execute bit and the OS would not prevent it. IOW it's a security convention followed by the application developer but it's not enforced by the OS.

The market share myth is based on circular reasoning.

It's based on sound reasoning: The bad guys want to hit as many systems as they can. With 95% of the market Windows easily fits that bill. No other OS even comes close.

It starts with the assumption that security is similar between different operating systems.

They are so similar it's not even debatable.

So the thing it "proves" is the assumption that it's base upon in the first place.

It "proves" it based on the law of supply and demand and common sense. The latter seriously lacking in those who argue against it.

You can make the statement that 'if two systems have equal security and are used for the same application in the same environment, then the one with the greater market share will have more exploits.' That reasoning is sound.

That's the argument many are making...including myself.

However, it does not follow (it is not proof) that any system that has both greater market share and more exploits than another system has equal security.

No one said this. Or at least I haven't read it. Do you have a reference to someone saying this?

Basically, the market share myth is that all systems have equal security...

Then you would be the first one using that definition of it. Others, including myself, say the security of the two are so similar as the difference in exploits can be explained by market share.

Just adding a phrase and saying that all systems have equal security, so the one with more market share will have more exploits, does not make the statement true.

You're right...just saying it doesn't make it true. It's true because the two have security that is more similar than not. The core security architecture is essentially identical. Implementation details may be slightly different but conceptually they're almost identical.
-1 Votes
@Tom6

This has NOTHING to do with security (a supercomputer is almost NEVER connected to the internet, and is commonly limited-access only). Supercomputers most commonly run UNIX/Linux derivatives as there is a need for highly specialised and optimised/customised OSes according to the tasks to which they will be put (especially at the level of the top 500). Proprietary OSes rarely offer this level of customisation/specialisation, due to much of the code-work being closed-source.

"Linux doesn't automatically assume it is more important than the tasks the user is doing. It lets you know that a reboot is required to bring the updates online and then sits back allowing you to choose when YOU want to reboot."

You just described Windows... get a life!
-1 Votes
That's just 3 links
Stan57 26th Nov 2010
@Tom6
http://news.cnet.com/8301-27080_3-20017011-245.html?tag=mncol

http://www.h-online.com/security/news/item/Hole-in-Linux-kernel-provides-root-rights-Update-1081317.html

http://www.h-online.com/open/news/item/Root-privileges-through-Linux-kernel-bug-Update-1061563.html

That's just 3 links, I have more if you like. Linux is perfect for geeks, hobbyists, cheap bastards. Oh and less than 1% of the world's population use Linux so anything you say is meaningless rant. No one cares!
1 Vote
Exactly. There are no interruptions.
Joe.Smetona Updated - 4th Dec 2010
@Tom6 ......I'm using Linux Mint 10 64-bit on a dual core AMD 7550 CPU with a 19" Acer monitor. I have never used AV for Linux in 8 years. My family uses this desktop and numerous Linux Mint netbooks and notebooks. It installs in about 8 minutes with no product code or activation. You can tell you are using Linux when you are responsible for 10 computers and you never get calls for help with virus infections or breakdowns.

Ed's comment, "Fortunately for Mac (and Linux) users, their worldwide market share is small enough that malware writers simply haven't bothered with them." really does not make sense considering the vast amount of money behind Linux servers. Linux does not get broken into and it's based on its design. Saying market share is the reason attempts to put Windows on the same quality of design as Linux, which it is not.

Geek Squad does not service Linux (I called). If Windows was secure they wouldn't have to service it either.

As far as Windows, whenever I read about a major data theft or identity theft, I always consult Netcraft.com and my suspicions are confirmed: They're always using Microsoft.
@athynz, because AV only catches 30% of existing malware it is easy to understand how vulnerable Windows PCs are today online with their lousy or non-existent security. I don't care particularly much if a couple of million clueless PC users have infected PCs and others steal their information and bandwidth; it's when these infected PCs steal MY and other innocent users' bandwidth that I become concerned.

A drastic measure perhaps but I think it's necessary to regulate the net much like the rest of modern civilizations and force ISPs to take responsibility and deny infected pcs access to the net, at least for periods of time.
1 Vote
If you use Windows then YES
Tom6 Updated - 24th Nov 2010
Hmm, desktops often get viruses and are vulnerable to a lot of different threats. Servers seem a LOT safer. Odd really. Taking out several large servers would be more kudos than taking down a few desktops.

While Windows dominates desktop markets it is Unix-based platforms that dominate the server market. Windows has less than 1% of the top 500 supercomputers apparently.

Is there something worth thinking about there? Are all OSes equally vulnerable or are there signs that some may be safer than others?
Regards from Tom
-1 Votes
RE: Do you really need antivirus software?
bmonsterman Updated - 24th Nov 2010
@Tom6,
"Windows has less than 1% of the top 500 supercomputers apparently."

What percentage of the server population are supercomputers? It's got to be pretty low. My understanding is that a supercomputer is a very fast computer that is designed to solve a very specific problem. Windows server operating systems are designed to be used for much more general tasks. I would guess that supercomputers make a very small fraction of the server population. The fact that Windows occupies 1% of the top 500 supercomputers...doesn't really bear that much relevance to me. Besides...what does any of this have to do with security? I would be very surprised if any supercomputer is actually hooked up to the internet.
1 Vote
RE: Do you really need antivirus software?
CEFNBRITHDIR 25th Nov 2010
@athynz Well, now, I'm with common sense. I'm the archetypal elderly home user, who needs PCs (I have six doing different jobs in the house, studio and aquarium). I still use Windows 2000 on all. Only one is connected to the internet, and that's its sole job, and it's on all day. Anything downloaded and needed elsewhere is transported on memory sticks. In 20 years, I can remember 4 virus attacks; and I have no AV software installed. Whenever I have tried to use it, paid or free, it has behaved in most irritating fashion, crashing programmes and disrupting workflow, so has promptly been uninstalled (along with Windows automatic update, although I'm not a doctor). I do have a free and simple firewall, I treat anything unfamiliar with suspicion, and I don't do daft things.

I use non-updated W2K in association with an equally old programme called Hyper OS, which sets up virtual PCs on the hard drive(s), exact copies of each other, and with pristine backups in the wings. When either a virus hits, or, more commonly, Windows malfunctions (rarely now I'm used to this version's vagaries after so many years' experience), two clicks replaces it with a pristine copy, or switches to a clone. All data is kept on separate partitions which have no OS. I have an entire duplicate copy of my most important hard drive on a removable drive (so cheap now).

I dislike the MS semi-monopoly on grounds of principle, and will never update W2K so long as I can get legacy-friendly hardware; I just wish Linux was written in a PC-speak we can all understand, when I would switch instantly, but life is too short and time too precious for me to learn a new language full of words I've never even seen before.

This is my experience of 20 years; so I agree emphatically with the view that AV software is too aggressively sold, but disagree equally so that upgrading to the latest windows or buying an expensive Mac or two is the way to go. Tom should get out more.
0 Votes
I don't mean to be pedantic but...
ye Updated - 23rd Nov 2010
...I think you should substitute "vulnerabilities" for "exploits" in the first bullet point ("No computing environment is immune.").
0 Votes
You're right
Ed Bott 23rd Nov 2010
@ye

Not pedantic at all. A mistake I try to avoid but missed on this draft. I edited the post to reflect that change. Thanks!
1 Vote
You can't have it both ways, Ed
ahh so Updated - 23rd Nov 2010
On the one hand, you bemoan the scare tactics of the AV industry (which to a certain extent, I agree with you), yet on the other hand you and your fellow shills here insist that Apple and Linux users aren't safe either and must adopt the same tactics as windoze users. Meaning, buying irrelevant AV software for those OSes and feeding that very same industry you condemn.

With the notable exception of ye, of course... wink

Sorry Ed, but you can't have it both ways. I know the game being made here. To make Apple and Linux security as irrelevant as possible, thereby discrediting those systems and having everybody rush back to windoze because security-wise (to any neophyte out there reading this), it won't make any difference. Just throw some flammable FUD on the fire and they will come back a runnin'.

Right, Ed?

Btw, vulnerabilities & theories aren't the same as exploits. Don't ever forget that.
-1 Votes
How cute
ye 23rd Nov 2010
@Ahh so: Not only is your handle lacking originality so is your spelling of Windows.
0 Votes
What about windoze, ye?
ahh so 24th Nov 2010
Were you saying something?

I didn't catch that.

lol... grin
1 Vote
MS has sounded the ship with Windows 7, and that's a good thing. But as you mention with the Conficker example, the biggest threat to security is keeping your software up to date, because the easiest flaws to exploit are the ones that are already known.

I know I'm going to get flamed for saying this, but so be it. The biggest reason why Linux distros have an advantage over Windows is not the "many eyes" thing or any inherent F/OSS advantages, it's because they have central updating systems that do not rely on central servers. Meaning with these updating systems (RPM and APT being the most popular) you can add any third party servers for third party software to make sure that if you do go outside the distro approved software you still have an automatic update mechanism.

MS does a great job in making sure its own software gets updated through the Windows default updater, but third party products wind up having to come up with their own solution, and that gets very confusing to the masses. An example: my mother was convinced she had updated Acrobat and Flash and kept wondering why she kept getting popups to update, and it turned out that because she did not read the small print on the small update windows that she was not checking an "Agree" box, thus the final update button was never available to her. Yes, she should have read the messages more carefully, but people are busy when they use their computers and do not want to (and should not have to) learn all the nuances with every update mechanism they come across. So I think the best way for Windows to further improve security (and again, I give them credit for the work they've done in that department starting with WinXP SP2 with each subsequent release being a big improvement) is to move towards an update mechanism that all Windows programs can use with no strings attached other than whatever requisite security measures need to be in place to prevent abuse.
@Michael Kelly: If I'm updating / patching software then the original license terms should remain in effect with no changes.
0 Votes
RE: Do you really need antivirus software?
PollyProteus 23rd Nov 2010
@Michael Kelly - What I get from this is that you are advocating that Microsoft be responsible for pushing down patches to third party software, is that a correct interpretation of what you wrote?

So how would that work from a business point of view, do those third parties supply the updates and then pay Microsoft a "hosting" fee? And how long would Microsoft be responsible for providing any given update? Should the third party app company provide a rollup update (think service pack) after every x number of individual updates? And how many versions of that third party software should be supported? Current plus one previous? Plus two previous?

I understand what you're saying but it's never quite as simple as it seems. Hell, Microsoft can't even get portable device and optical drive hardware vendors to provide firmware updates as much as they would like to (yes, I have insider knowledge on this and no, I'm not a Microsoft employee. I used to be, but not now) and firmware updates for hardware don't come out all that often.
0 Votes