Microsoft Begins anti-virus Software Development

An anonymous reader writes "From the article: Microsoft's announcement that it will enter the AV market next year, with initial trials starting next week, could be a sign of many things to come, says SecurityFocus's Kelly Martin. " Not unexpected, given their recent purchase.

Re:Goals?

[Craig+Ringer]

The ability to run as a limited user is, in my experience, nigh useless. Users will regularly encounter things that require admin priveleges to install, even things like browser plug-ins, and then won't run except as the user they were installed as. This requires temporarily modifying a user's account - always fun - to get them to install and work.

Even better, some apps won't run except as admin because they try to fiddle bits of the registry and/or filesystem they assume they'll have access to, because "everyone runs as administrator". Games are the #1 culprit here, but a large proportion of general use software has that problem too. It's not Microsoft's fault that app developers are idiots, but it still makes the limited privelege accounts nigh useless. Unfortunately, they can't conjure a long history of least-privelege-by-default so they're stuck with breaking compatibility with old apps (90% of users would equate "need to change user account to run program" with "broken OS") or retaining the current braindead defaults.

I do agree with you on the fine-grained priveleges in NT, though I wish they were consistently inherited instead of propagated through the filesystem tree. The issue with ACLs is that unless very carefully administrated they tend to become a hideous and unmanageable rats nest where nobody can clearly state what happens in a given case. This is as true on UNIXes with ACLs as it is on NT. I've always been way happier with the groups-within-groups model, which lets you get 90% of the benefits of ACLs with 10% of the complexity. It never seems to have become all that popular, though :S