Slashdot Mirror


In Test, Windows 7 Vulnerable To 8 Out of 10 Viruses

As Windows 7's market share passes 3.6%, up from 1.9% the day before launch, llManDrakell notes an experiment they did over at Sophos. They installed Windows 7 on a clean machine — with no anti-virus protection — with User Access Control in its default configuration. They threw at it the next 10 virus/worm samples that came in the door. Seven of them ran; UAC stopped only one baddie that had run in the absence of UAC. "Lesson learned? You still need to run anti-virus on Windows 7."

107 of 843 comments

  1. Not News!! by Kohenkatz · · Score: 2, Insightful

    Anyone who uses any computer (including Mac AND Linux) without anti-virus is asking for what they get. Especially with the number of good free anti-virus programs available for Windows, there is no excuse not to have one either way. I use Avast Home Edition. It's free (just registration required), fast, and small-footprint. Even if 9/10 viruses would be blocked by UAC, an anti-virus program that blocks the last one is worth it.

    1. Re:Not News!! by Anonymous Coward · · Score: 2, Funny

      Well, if they'd used a fully updated version of Sophos how many would have gotten through?

    2. Re:Not News!! by tomhudson · · Score: 5, Insightful

      Anyone who uses any computer (including Mac AND Linux) without anti-virus is asking for what they get

      Sure - just that you won't get a virus by running linux. I have yet (in over a decade of tending linux and bsd servers) had a single machine get infected.

      Lesson learned - friends don't let friends run Windows.

    3. Re:Not News!! by Drakin020 · · Score: 4, Insightful

      Anyone that installs Anti-Virus on their PC and expects it to protect them from their own stupidity deserves what they get.

      --
      The greatest revenge in life is massive success.
    4. Re:Not News!! by mcgrew · · Score: 4, Insightful

      Anyone who uses any computer (including Mac AND Linux) without anti-virus is asking for what they get.

      Yeah? Can you point to ONE virus in the wild that has ever bitten any Mac or Linux user? Trojans don't count. Install Linux on your Windows box and you do NOT need any antivirus (unless you boot into the Windows side), provided you're not stupid enough to run an executable from an untrusted source.

    5. Re:Not News!! by Barny · · Score: 5, Insightful

      Why would you need an anti-virus if you have a router whose firewall is worth a damn, have a browser that doesn't develop un-patched exploits like college kids develop acne and you don't click and run every damn executable bit of code you see on a web site?

      If you have a good firewall and secure applications, the only remaining way to get a virus is if you download it and run it yourself.

      Virus and virus-checker free for over 8 years.

      --
      ...
      /me sighs
    6. Re:Not News!! by jeffb+(2.718) · · Score: 5, Informative

      Anyone who uses any computer (including Mac AND Linux) without anti-virus is asking for what they get.

      Yep, I've been "asking for what I get", and getting what I ask for, by running Macs without anti-virus for almost 25 years now.

      I use Avast Home Edition. It's free (just registration required), fast, and small-footprint.

      Yeah, I'll pop that right onto my Macs, especially after reading these five-star reviews. Five reviews with one star each makes five stars, right?

    7. Re:Not News!! by InsertWittyNameHere · · Score: 3, Funny

      Anyone who uses any computer (including Mac AND Linux) without anti-virus is asking for what they get.

      HAH! What else? Should Slashdotters buy boxes of condoms, just in case?

    8. Re:Not News!! by black3d · · Score: 5, Insightful

      I have yet (in over a decade of tending windows and NT servers) had a single machine get infected.

      Lesson learned - Give the same system rights to your windows users as your Linux users have, and they can't get infected even if they wanted to.

      --
      "The true measure of a person is how they act when they know they won't get caught." - DSRilk
    9. Re:Not News!! by Xest · · Score: 4, Insightful

      No, people who run shit they shouldn't are asking for what they get.

      I don't run a real-time scanner, it's too much of a resource hog, I do let AV do an overnight scan once a week though. I've done this for years and never had a virus. Why? Because I don't run shit I know may not be safe to run. I do not open attachments I was not expecting to receive.

      It's not as if AV software is even that effective anyway, even when it does detect threats half the time it fails miserably at dealing with it and just gives the option of deleting, and sometimes some AV software doesn't even manage that. The paradigm used for AV software is that which has been used for a couple of decades, and it never even worked particularly effectively back then, let alone now that viruses have evolved whilst AV software really hasn't. Again, the best option is really to cover all the attack vectors - don't run executables you don't trust, don't have Javascript enabled on sites you can't be sure are safe, don't open attachments you weren't expecting and so on.

    10. Re:Not News!! by jbacon · · Score: 5, Insightful

      Out of curiosity, how exactly do you verify that you are infection free without a scanner? Sure, you probably don't have anything overt, like a botnet hijack, but what about less obvious things like rootkits?

      You should probably take your magical ninja virus detection powers and do some consulting for those poor bastards who run Norton....

    11. Re:Not News!! by Kohenkatz · · Score: 3, Informative

      Yeah? Can you point to ONE virus in the wild that has ever bitten any Mac or Linux user?

      Yes, I know it's from 2006. But it answers your question: http://www.internetnews.com/dev-news/article.php/3601946

    12. Re:Not News!! by kimvette · · Score: 5, Insightful

      Lesson learned - Give the same system rights to your windows users as your Linux users have, and they can't get infected even if they wanted to.

      The corollary to that rule is that many applications won't run because they're poorly architected and require administrative rights to run. Oh, sure, you can finagle around with permissions and get many of them to run, but is it really worth the time to work around broken software? (running Windows which itself is broken notwithstanding)

      --
      The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
    13. Re:Not News!! by whoever57 · · Score: 4, Insightful

      I have yet (in over a decade of tending windows and NT servers) had a single machine get infected.

      Let's be clear here (and the same is true for anyone running Linux), you don't know that none of your machines were infected. You know that you never discovered an infection.

      --
      The real "Libtards" are the Libertarians!
    14. Re:Not News!! by Jazz-Masta · · Score: 4, Insightful

      As a Windows (and Unix) System Administrator dealing with numerous users of the 'average' type, I must say giving users limited rights only works if the programs they need to run can do so within those rights.

      We deal with a lot of industry specific software (i.e. badly produced software) and many of the users need to have full access to absolutely everything in order for it to work, including mapped drives to the data!

      Some of the users I support are absolutely mind-numbingly stupid. You tell them over and over to NOT do something and they do it again. You try and educate them on attachments and safe web browsing, and they don't care! Many of them will try all the risky things at work that they wouldn't do at home - because they know if they screw up their home computers they'll have to pay to get it fixed. At work, I fix them, someone else pays.

    15. Re:Not News!! by abigsmurf · · Score: 4, Informative

      Remote Shell trojan (which despite the name is self replicating and therefore a virus). Designed specifically to be spread by users running trustworthy executables without the need for admin rights. And yes, it did infect a number of systems 'in the wild'

    16. Re:Not News!! by maxume · · Score: 2, Insightful

      It isn't real clear from the Sophos article, but at a glance, it looks like 8 out of 8 of the viruses discussed are trojans (or were executed as if they were trojans, a couple of them are autorun worms, but the article implies that they just copied each of the programs to the system and then ran them).

      --
      Nerd rage is the funniest rage.
    17. Re:Not News!! by Atraxen · · Score: 2, Insightful

      Getting the sound card, network card, and multibutton trackball working on my Linux machine took plenty of finagling too. Just sayin', neither this cast iron pot nor kettle are Le Creuset red - they look black to me...

      --
      Be careful of your thoughts; they could become words at any minute...
    18. Re:Not News!! by CyprusBlue113 · · Score: 3, Interesting

      How do you tell if you have one *with* a scanner? Root kits by definition do not show up, that's why they are called root kits.

      --
      a handful of selfish greedy people are no match for millions of selfish, greedy people -u4ya
    19. Re:Not News!! by zelbinion · · Score: 2, Informative

      Yeah? Can you point to ONE virus in the wild that has ever bitten any Mac or Linux user?

      Well, here's one: Ramen. Got that about 8 years ago when I was pretty inexperienced with Linux. I placed an unpatched RedHat system on the internet with no firewall, and picked up a worm and rootkit for my trouble.

      There's actually a number of malware programs, worms, etc out there for linux:
      Linux Malware

      There are bound to be people out there that have been bitten by these guys. Oh, and while my family members have gotten viruses on their windows machines, I never have. I don't even run anti-virus. I'm just a lot more careful now....

    20. Re:Not News!! by DoofusOfDeath · · Score: 2, Insightful

      Anyone who uses any computer (including Mac AND Linux) without anti-virus is asking for what they get

      Sure - just that you won't get a virus by running linux. I have yet (in over a decade of tending linux and bsd servers) had a single machine get infected.

      ... that you know of.

    21. Re:Not News!! by black3d · · Score: 2, Interesting

      Indeed - it is a nightmare that so many applications run as administrator by default. I remember once I got into a locked machine by going into Netscape Navigator (back in the day) and setting command.com to be the default application to open HTML files. While such access was disabled at user-level, applications running as administrator can do so freely.

      Yes - it does require a lot of work to make Windows secure. The difference I see is that Linux comes with this out of the box, whereas Windows is designed to give users as much power as possible, with it being an administrative option to tune it down. And simply - that is the job of a system admin. Deploy an installation that is secure in the first place, keep it updated and patched, and try to keep apprised of security considerations while giving users access to everything they NEED.

      I'm not anti-Linux at all, but am merely pointing out that sure it's worth the time maintaining Windows systems, since it's my job. I use Linux servers as well, and don't find their upkeep any less troublesome.

      --
      "The true measure of a person is how they act when they know they won't get caught." - DSRilk
    22. Re:Not News!! by Bacon+Bits · · Score: 4, Informative

      When you have little or no say in what software gets selected for use but are required to maintain local support for the same software as well as maintain the security of the network, it is not a waste of time at all. You do not give users Admin privileges. You give them the permissions they require to do their job and no more. That's basic best practice.

      It's really not even that difficult to figure out. Nine times out of ten, the program either wants to write to HKLM\Software\$appname or wants to write to two or three configuration or log files in %programfiles%\$appname. About a quarter of the time (IMX) the documentation contains detailed information about what permissions are necessary. After that it's merely a case of using the various SysInternals monitors to figure out what's causing the problem. Between Xcacls and regini it's not difficult at all to script the changes. I typically maintain a single script which checks for the presence of each application and, if found, applies the necessary permissions changes.

      --
      The road to tyranny has always been paved with claims of necessity.
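
The per-application permission script described in the comment above, as an added example (not the commenter's script). It uses PowerShell's Get-Acl/Set-Acl in place of Xcacls and regini; the application name, file names, registry key and the BUILTIN\Users grant are hypothetical placeholders.

```powershell
# Added example: give standard users only the access a legacy application
# needs, instead of putting them in the local Administrators group.
# Run elevated. Every application name and path below is hypothetical.

$Preview   = $true              # $true = show what would change, modify nothing
$Principal = 'BUILTIN\Users'    # assumption: all standard users need the app

# One entry per application, filled in from vendor documentation or from
# watching the application fail under a limited account.
$Apps = @(
    @{
        Name          = 'ExampleApp'
        InstallDir    = Join-Path $env:ProgramFiles 'ExampleApp'
        WritableFiles = @('settings.ini', 'app.log')   # config/log files only
        RegistryKey   = 'HKLM:\SOFTWARE\ExampleApp'
    }
)

function Grant-FileModify {
    param([string]$Path, [string]$Identity)
    # Grant Modify on the single file, never on the install directory:
    # a user-writable program directory lets a limited user replace the
    # executables that other accounts later run.
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, 'Modify', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl -WhatIf:$Preview
}

function Grant-RegistryWrite {
    param([string]$Key, [string]$Identity)
    # Read/write on the application's own key and its subkeys, nothing wider.
    $acl  = Get-Acl -Path $Key
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $Identity, 'ReadKey, WriteKey', 'ContainerInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Key -AclObject $acl -WhatIf:$Preview
}

foreach ($app in $Apps) {
    # Skip applications that are not installed on this machine.
    if (-not (Test-Path -LiteralPath $app.InstallDir)) { continue }

    foreach ($file in $app.WritableFiles) {
        $path = Join-Path $app.InstallDir $file
        if (Test-Path -LiteralPath $path) {
            Grant-FileModify -Path $path -Identity $Principal
        }
    }

    if (Test-Path -LiteralPath $app.RegistryKey) {
        Grant-RegistryWrite -Key $app.RegistryKey -Identity $Principal
    }
}
```

Set `$Preview = $false` only after the preview output lists exactly the files and keys the application needs.
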
    23. Re:Not News!! by Animaether · · Score: 4, Informative

      Exactly.

      From GP:

      Trojans don't count.

      Well there go the vast majority of Windows viruses, too.

      In fact, from the test they did...

      - didn't run
      Troj-Bredo-M
      W32/Autorun-ATK
      Troj/Banker-EUT

      -- Ran
      Troj/FakeAV-AFY
      Mal/EncPk-KY
      Mal/EncPk-KP
      Troj/Agent-LIW
      Troj/FakeAV-AFX
      Troj/Zbot-JN
      W32/Autorun-ATC

      So 6/10 were definite Trojans (Troj/). I.e. some piece of software saying it's all sorts of good stuff, but in reality is a virus.

      Then there's the Autoruns - last I knew, autorun, even on Vista, by default doesn't open a darn thing. So I guess either they changed Autorun settings, or they simply told Windows to run the program (a virus).

      Lastly, the Mal/EncPk ones. They're deemed malware because they're packaging and encryption signatures that often get used by malware authors (even though they have legitimate uses, blabla). What do they envelop?
      Mal/EncPk-KY: sadly Sophos' site doesn't detail, but other sites will tell you that this, too, is a Trojan with Bredolab blargh.
      Mal/EncPk-KP: "About this threat: The Trojan arrives as an attachment in fake e-card messages, with text as follows"

      So that's 8/10 trojans, and 2/10 that might as well be classified as such unless I'm wholly mistaken about autorun.

      Again GP:

      provided you're not stupid enough to run an executable from an untrusted source

      That's the real issue - and one that applies to any operating system.
      Not saying Windows isn't less secure.. on the other hand, I don't remember Microsoft suggesting that UAC was a 100% solution against viruses. Just against those that try to do admin-y things when you yourself aren't running as admin. That's usually the thing people point out with Linux "it can't infect the rest of the system". Well that's great - but that won't stop it from, for example, turning your machine into a spam zombie as long as the user is allowed to send e-mail.

    24. Re:Not News!! by PRMan · · Score: 3, Funny

      You don't need a virus if you have Linux. Just upgrade to the next version. That will take down your machine way quicker than getting a virus...

      --
      Peter predicted that you would "deliberately forget" creation 2000 years ago...
    25. Re:Not News!! by PRMan · · Score: 3, Insightful

      On that note, if a virus did sit idly doing nothing for years on end, why would I care that I had it?

      That would already make it 10X better than running McAfee to avoid getting it.

      --
      Peter predicted that you would "deliberately forget" creation 2000 years ago...
    26. Re:Not News!! by Abreu · · Score: 2, Informative

      Please remember that the vast majority of hardware and peripherals are designed from the ground up to work with Windows and that most computers are sold with Windows preinstalled and preconfigured.

      If you want a similar experience, I suggest buying a computer with Linux preinstalled and preconfigured. I recommend System76

      --
      No sig for the moment.
    27. Re:Not News!! by mabhatter654 · · Score: 4, Insightful

      None of the 10 they picked!

    28. Re:Not News!! by Anonymous Coward · · Score: 2, Informative

      Pro-tip: Windows security has changed a little in the 13 years since NT 4.0 was released.

    29. Re:Not News!! by RobDude · · Score: 4, Insightful

      The Linux community, as a whole, needs to get its story straight. (Yeah, I'll probably get modded troll, I'm okay with that).

      One day I hear Linux has great hardware support. It's not like Linux in the past, we even have *BETTER* hardware support than Windows now.

      Then, the next day I hear, 'Well, yeah, Linux doesn't work; but you don't have the right hardware. You need to BUY A NEW FRIGGIN MACHINE if you want to bank on Linux working without spending hours trying to get it to work.'

      Which is it? It can't be both.

    30. Re:Not News!! by Lord+Ender · · Score: 3, Insightful

      On Windows you can get along without AV, too. The three main vectors for malware to get on your machine are:

      1. Direct network connections - mitigated by firewall/NAT router
      2. Browser exploits - mitigated by avoiding IE and using adblock
      3. Clicking dumb (running executables that come in from email or the web) - mitigated by not installing shit unless you know exactly what it is you're installing

      I have followed these practices for about ten years, without ever using AV, and I have never had malware on my machine. Avoiding AV is important to me, because I play fast-paced online games.

      That said, 99% of Windows users absolutely should be using AV, because my third point (not clicking dumb) requires technical sophistication most people lack.

      TL;DR: You don't need AV if you know what you're doing.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    31. Re:Not News!! by sexconker · · Score: 2, Informative

      And MS pays heavily in terms of $, time, and raw manpower to get hardware vendors to create Windows drivers. And MS creates their own generic drivers for millions of hardware devices.

      What's your point?

    32. Re:Not News!! by 99BottlesOfBeerInMyF · · Score: 4, Informative

      The funny thing is the article you cite doesn't mention any virus for Linux or OS X that is in the wild. It talks about malware, which it claims is increasing, but does not list any specific item. It doesn't say if any of the malware is a virus or if any of it is propagating in the wild. You've failed in that regard.

    33. Re:Not News!! by digitalunity · · Score: 2, Insightful

      I recall the days when I would download the newest slackware, install it and spend days getting my X config just right, reconfiguring my kernel an endless number of times to get just the right balance of built in options and building modules, trying to get the hardware to work right and basking in the supreme glory of getting everything to work just right.

      Some days I miss that. Other days I boot up Ubuntu and just enjoy the fact that I don't have to do shit and it supports everything but my old canon multifunction printer.

      --
      You can't legislate goodness. Let each to his own destiny, by will of his freely made choices.
    34. Re:Not News!! by PixieDust · · Score: 2, Informative

      This article is little more than FUD aimed at Windows. This just in, FIRE HOT! I run without AV, and I haven't had a virus in years. The few things that ALMOST happened, were caused by exploits within Flash or Shockwave. Vista stopped those cold. Yes, VISTA.

      How do I know I am virus free? Because I know how to scan my system without installing AV. I know how my system should perform, and I know how to see what's running. I periodically check the health of my system by checking what's currently being accessed compared to what's running. I haven't found something out of place in years. Since about 2003 to be exact. Since that time I've had at least 2 machines that I haven't run any sort of protection on. There has yet to be a difference between the machines WITH AV, and the machines WITHOUT AV.

      Lesson Learned? Stupid users are stupid. And even the best AV won't protect from that. When I worked retail (shudder), the following was a fairly regular occurrence:

      Me: So, it looks like your computer is severely infected. Without even running a scan I see about 30 different infections of viruses/spyware.

      Them: Oh my, well how did I get them? I have (insert Popular Anti-Virus program here)!

      Me: Well, I do see (insert random P2P app, shady internet history, random items in download directory, etc. here). That could be it. Also it looks like your (insert popular anti-virus here) has been turned off.

      Them: Oh well yea every time I (insert high risk activity here) it popped up and annoyed me so I turned it off.

      Again, stupid users are stupid.

    35. Re:Not News!! by punzada · · Score: 2, Informative

      Apparently you weren't around when Blaster hit. All you needed was a machine that was online to get infected. DCOM Exploit and such.

    36. Re:Not News!! by Anonymous Coward · · Score: 2, Funny

      My roommate used to get drunk, take off his pants and put them over his head and run through traffic.

      He never got hit by a car. I still wouldn't recommend the practice.

    37. Re:Not News!! by negRo_slim · · Score: 4, Informative

      And I would be willing to bet the same could be said for Security Essentials.

      Been running AVG for years, but ever since I installed SE it's caught shit in video files before they've even finished downloading. As well as a couple JavaScript attacks from websites I wouldn't think twice about visiting. I can't even remember the last threat AVG found aside from cookies.

      --
      On the Oregon Coast born and raised, On the beach is where I spent most of my days
    38. Re:Not News!! by drsmithy · · Score: 2, Insightful

      Trojans don't count

      Why on Earth not ? The bulk of Windows "viruses" are, in fact, trojans.

      Install Linux on your Windows box and you do NOT need any antivirus (unless you boot into the Windows side), provided you're not stupid enough to run an executable from an untrusted source.

      I've spent nearly 15 years running Windows using this principle, without an AV problem, and - unsurprisingly - have yet to be infected by anything.

      The problem is not the OS.

    39. Re:Not News!! by david_thornley · · Score: 2, Insightful

      I don't know about MacOSX malware in the wild (although any system can get trojaned), but if you've been running for 25 years that includes the old OSs, and they did have viruses. Some of them, like WDEF, were pretty virulent, and my habit of carrying my own Disinfectant diskette proved very useful. Were you just really, really careful what you exposed your system to?

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    40. Re:Not News!! by tomhudson · · Score: 3, Informative

      Not really. First, the most it could do is infect your own files, not the system. Second, you would have to run it - it can't spread by itself. Do people running linux run strange executable binaries that people send them? No. It's not like Windows, where reading your email can infect your machine.

    41. Re:Not News!! by RobDude · · Score: 2, Insightful

      The claim I frequently hear is that, in order for Linux to really work as intended, you need to buy a machine with 'Linux supported' hardware.

      The other claim I hear is that Linux has vastly superior hardware support than Windows.

      When I said it can't be both - I meant that both of the above can't be true. You can buy any PC - even one preloaded with Linux and there is zero doubt in my mind that Windows will be able to run on that hardware.

      The fact that you have to hand-pick hardware for Linux means that it can't be better than Windows.

    42. Re:Not News!! by Andreas+Mayer · · Score: 5, Insightful

      I can't, but google can:
      [...]
      http://images.google.nl/search?q=osx+virus+in+the+wild

      I guess you did not bother to actually check the search results, right?

      Because I can't find any report about a real virus in the wild.

      Oh, by the way, Google says Barack Obama is a Jew:

      http://www.google.com/search?rls=en&q=barrack+obama+jew

      (Hint: He's not.)

    43. Re:Not News!! by RobDude · · Score: 2, Insightful

      I think there is an understandable difference between not meeting the minimum requirements and not being able to use a device because of lack of driver support.

      Crysis won't run on seven year old hardware; but that doesn't mean Crysis doesn't support that hardware.

      Anyway, I certainly wouldn't disagree with the claim that 'Linux has much better support for seven year old hardware'. My objection is that the hardware support is presented as being both infinitely better than Windows *and* so bad you need special Linux hardware....at the same time.

      One or the other.

      My personal opinion is that, while Linux 'can' run on virtually anything under the sun (I'm sure some guy, somewhere, has managed to install Linux on his toaster...just because he can) the typical PC hardware that I see people using has much better 'out of the box' support in Windows. But I'm not trying to say Linux has bad support - just that I constantly see Linux supporters claim both things, at the same time.

    44. Re:Not News!! by drsmithy · · Score: 4, Insightful

      Please remember that the vast majority of hardware and peripherals are designed from the ground up to work with Windows and that most computers are sold with Windows preinstalled and preconfigured.

      How do you design a piece of hardware "from the ground up" to work with a particular OS ?

    45. Re:Not News!! by shaitand · · Score: 3, Insightful

      "When I said it can't be both - I meant that both of the above can't be true. You can buy any PC - even one preloaded with Linux and there is zero doubt in my mind that Windows will be able to run on that hardware."

      Both can be true. I've never seen a non-preloaded windows system where windows supported all the hardware. In every case full hardware support required downloading third party drivers. Ubuntu may or may not support the hardware but if it is going to work at all, it most likely worked out of the box with no additional configuration or third party downloads required. In the few cases where they are needed the system detects it and prompts you to download them.

      The difference might not be especially troublesome for you today but it will be when that hardware is a few years old. For instance I guarantee when many windows users "upgrade" to vista aka windows 7 their perfectly functional printers/scanners/multi-functions/digital cameras/web cams that are a few years old will have to be replaced to accommodate the upgrade. Ubuntu will continue to support nearly every piece of hardware it supported with the last release on into the future until some compelling TECHNICAL reason makes it infeasible.

    46. Re:Not News!! by Tubal-Cain · · Score: 3, Insightful

      One day I hear Linux has great hardware support. It's not like Linux in the past, we even have *BETTER* hardware support than Windows now.

      It does.
      Linux supports hardware.
      Hardware supports Windows.

    47. Re:Not News!! by tomhudson · · Score: 2, Insightful

      I never claimed that IIS or Apache were operating systems. You might want to brush up on your reading skills :-)

      What I *did* claim was that the whole "there are more exploits because it's more popular" argument is simply not true - Apache serves much more traffic than IIS, and yet the study showed it was much less vulnerable, so the "more popular" argument isn't supported by evidence.

      According to that argument, there should be more exploits the more popular instances of EVERY class of software, from operating systems to web browsers and servers to email clients. Apache vs. IIS disproved that, so we can fall back on the "Windows has more design problems" theory. Given that they still insist on maintaining backward compatibility (because they need to preserve their customer lock-in at any cost, including security), bad design flowing from that bad choice is more reasonable.

    48. Re:Not News!! by tomhudson · · Score: 2, Insightful

      The original person made the unsupported claim that Windows market share was solely responsible for it having more viruses and trojans. Only ONE counter-example, no matter how old, is sufficient to burst that bubble.

      Correlation does not mean causation. In this case, the larger market share might correlate with the larger number of viruses, but there is no causation agent. To put it more plainly, increased market share does NOT in some way create more bugs, or the products with the smallest market share would be the most bug-free. Bugs are created solely by bad coding practices, and again, there's no way that an increase in market share can suddenly make code worse. There's no "spooky action at a distance" effect that would allow an increase in market share to suddenly retroactively introduce new bugs into existing code.

      Code is either defective, or not defective. Buggy or not buggy. A decline in market share can't suddenly make code less buggy, just as an increase in market share can't suddenly make the same code more buggy. Any apparent correlation, absent a mechanism for causation, is just that, an "apparent" correlation, not a cause and effect.

  2. What's new? by arctic19 · · Score: 2, Funny

    Is this supposed to be a surprise?

    1. Re:What's new? by hesaigo999ca · · Score: 2, Insightful

      Well, yes seeing as the whole purpose to upgrade is to be able to have little or no security issues, and no need for AV.
      Cancel or allow, so what, it is bypassed, so I will just stick with XP seeing as I already have my license and already have my AV on it.

      M$ needs to come out with an OS that has no possibility of being owned by a virus, sort of like linux does, linux only has rootkits. Sysinternals is good for rootkit detection and is owned (now) by M$, so if they could tweak their OS to be more like linux, we would all be in a safer place.

  3. Not surprising by plague3106 · · Score: 3, Informative

    For one, they watered down UAC. Second, UAC won't do anything if the virus simply attaches itself to your user account, instead of the whole system. UAC is supposed to help keep malware from gaining admin rights and infecting your system, not to stop it from running.

    1. Re:Not surprising by mcgrew · · Score: 2, Informative

      For one, they watered down UAC

      I did in fact RTFA, and they did NOT "water it down"; they ran it in its default configuration.

    2. Re:Not surprising by bakawolf · · Score: 2, Informative

      Microsoft did, due to all the complaints from vista.

    3. Re:Not surprising by SparkEE · · Score: 2, Informative

      I believe the GP meant they=MS, not they=Sophos

  4. I'm shocked! by jtownatpunk.net · · Score: 5, Insightful

    Next you'll be telling me that 8 out of 10 people who have unprotected sex with HIV-positive, syphilitic, sore-encrusted prostitutes will contract some sort of venereal disease.

    1. Re:I'm shocked! by Capt.DrumkenBum · · Score: 4, Funny

      This is /. 8 out of 10 people here will only ever have sex with their right hand.
      And the other 2 with their left hand. :)

      --
      If I were God, wouldn't I protect my churches from acts of me?
    2. Re:I'm shocked! by Archangel+Michael · · Score: 5, Funny

      What about ambidextrous people. I'm just asking.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    3. Re:I'm shocked! by jimicus · · Score: 4, Funny

      Think of it from the wife's perspective.

      They've been good and faithful for ten years, and BAM, syphilis, HIV, and herpes.

      Because they KNEW their husband wasn't a dirty cheating bastard.

      Can tell you're not married. No woman who's been married for 10 years still has sex with her husband.

    4. Re:I'm shocked! by Capt.DrumkenBum · · Score: 3, Funny

      We won't be talking about those slimy ambidextrous people.
      Damn it, just make up your mind people!!!

      --
      If I were God, wouldn't I protect my churches from acts of me?
    5. Re:I'm shocked! by war4peace · · Score: 2, Funny

      Wait, I don't get it. Are there any other ways to have sex?

      --
      ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
    6. Re:I'm shocked! by Nadaka · · Score: 2, Informative

      Depends on what you mean by "self propagating"? There are a number that run on macs with MS office. There were quite a few for OS9 and earlier.

      Ah... Found a few references for OS X viruses.

      http://www.sophos.com/virusinfo/analyses/osxleapa.html (spreads via ichat)
      http://www.sophos.com/virusinfo/analyses/osxinqtanaa.html (spreads automatically via bluetooth)
      http://www.sophos.com/virusinfo/analyses/shrenepoa.html (spreads to other macs on the same network)
      http://www.sophos.com/virusinfo/analyses/osxinqtanab.html (spreads automatically via bluetooth)
      http://www.sophos.com/virusinfo/analyses/macamphimixa.html (spreads as an mp3 file)

  5. Was it ever in doubt? by dijjnn · · Score: 2, Funny

    So, for (1) Windows 7 is very similar to Vista, with a lot of code reuse, and (2) the people who develop viruses target *almost exclusively* Windows, so how would the need to run an antivirus on a new version of Windows ever be something you would doubt?

    --
    ~dijjnn
  6. Interesting market share stat there by tygt · · Score: 4, Funny

    Windows 7's market share ... 1.9% the day before launch

    Windows 7 had 1.9% market share before launch?

    1. Re:Interesting market share stat there by w0mprat · · Score: 2, Interesting

      I'd like to point out the Windows 7 beta and RC were not advertised or marketed in the usual sense for a commercial OS. So what we have is a head to head comparison with other freely available OSes. Yet Windows blew away Linux market share in a month or two, relying largely on the word spreading through the blogosphere with a link to the download page.

      I would consider it harder to get started with a new Windows OS, since you have to install it, there is no live-CD option, you have to install a lot of software from scratch for your system to be able to do anything rather than having a good usable set out of the box.

      This should give some insight into the problems with Linux and how it could be addressed: for all its strengths, it's not something people want. They want Windows, despite its weaknesses. Make Linux wantable, watch market share change dramatically.

      --
      After logging in slashdot still does not take you back to the page you were on. It's been that way for 20 years.
  7. High quality! by jpmorgan · · Score: 5, Funny

    So 8/10 viruses don't require administrator permissions and conform to Windows development standards. If only the rest of the software industry had such high standards.

  8. In other exciting news... by frist · · Score: 5, Funny

    New tests show that software written for Windows runs on Windows! Copycat studies have also shown conclusively that software written for Macs runs on Macs and software written for Linux runs on Linux! More at 11.

    1. Re:In other exciting news... by carrier+lost · · Score: 4, Funny

      ...software written for Linux runs on Linux

      After years of experience, I can say that this is not always the case.

    2. Re:In other exciting news... by cgenman · · Score: 2, Insightful

      ...software written for Macs...

      You lost me here. Is there a Wikipedia entry you could point to?

  9. Actually, that is sort of news by Space+cowboy · · Score: 3, Informative

    I'm running several macs, both at home and at work, and the only time I've ever run an anti-virus on any of them was at the request of my ISP last month - there was a report of a virus originating from my home IP address. I downloaded and ran the latest ClamAV, and of course there was no virus on the machine, it was a spoofed IP address...

    Over the past 5 years, that's the only time I've ever run a virus check. It came up with 0 viruses. I conclude that the likelihood of me getting a virus on a mac is still small compared to my XP box, which every time I run a virus check flags *something* new as wrong/suspicious. Sometimes I can even tell if the something is innocuous or dangerous...

    Slashdot likes to say that anecdotal evidence is meaningless (which of course it is), but when a sufficiently large collection of anecdotes all say the same thing, we call that consensus. The general consensus is (I believe) that Macs are a lot less likely to be infected than Windows boxes, so your 'Anyone who uses any computer (including Mac AND Linux) without anti-virus is asking for what they get' statement is in fact news to me.

    Simon

    --
    Physicists get Hadrons!
  10. Re:32 or 64? I guess 32 by Anonymous Coward · · Score: 2, Informative

    You call this a test worthy of coverage here? The guy doesn't even state whether he's using 32-bit version which I suspect is the case. This won't happen on 64-bit Vista/7.

    Bullshit. Microsoft made the same claim when they made the switch from 16-bit to 32-bit - "Viruses will be a thing of the past." 64 bits is not "magic pixie dust" - it's just the size of a native integer or memory pointer on your cpu.

    no, majorme is right... 64-bit does make a big difference since you're not allowed (even as an admin with elevated privileges) to run kernel level code that's unsigned. 64-bit Vista/Win7 is more resilient to malware than 32-bit Vista/Win7.

  11. More data needed by PhxBlue · · Score: 3, Insightful

    Did the account set up on Vista / Win7 have an administrator role, or was it a "normal user" account? By not disclosing that, Wisniewski is only giving us half the story.

    --
    !#@%*)anks for hanging up the phone, dear.
    1. Re:More data needed by Johnno74 · · Score: 2, Informative

      And another thing the "article" (and by "article" I mean "infomercial") didn't mention was how many of those malware apps successfully *infected* the machine.

      Out of the 10, 2 threw an error and crashed, 8 "ran". What's his criteria for "ran"? I'm betting that means "didn't crash and burn horribly with an error message shown to the user."

      I looked up the details on the first virus Sophos listed (troj/fakeAV) here and apparently one of its actions is to add a link to the all users start menu folder here:

      %Documents and Settings%\All Users\Start Menu\Programs\XP_Antispyware\Uninstall.lnk

      I know for a fact you can't write to this folder without UAC elevation on vista/7, so I'd say it is more likely than not that when the malware ran it tried to write to this folder, failed, and *caught the exception*. The machine was NOT infected.

      I'm not going to check each of the 8 malware apps he ran "successfully" but I'd be surprised if any of them were able to "infect" the PC in any meaningful way with UAC enabled, or if the user was running as non-admin.

      In other words 8/10 malware apps are probably well written enough to have some sort of error handling that eats any errors that may occur without alerting the user.

  12. MS did by default by Sycraft-fu · · Score: 3, Informative

    So in Vista, UAC had only two settings: On and off. When it was on the system functioned with real separate privileges. You had to escalate to perform administrative actions. Ok well people bitched and whined and bitched and whined about that since you had to do it for things like changing file permissions or accessing system control panels. Thus Microsoft relented and watered it down for 7, having two settings in between on and off. It is set to one of those by default. More or less it asks for permissions for a program trying to get admin access, but not a user initiated operation.

    1. Re:MS did by default by jpmorgan · · Score: 4, Informative

      Not quite. Microsoft added a cryptographic whitelist of programs that are automatically allowed to elevate. Certain parts of Windows are then allowed to automatically elevate (like file properties dialogs, the control panel, etc...). Since there's no way to distinguish the source of events, NT 6.x also enforces mandatory access controls, and places programs with administrator privileges in a high integrity level, which prevents low integrity processes from interacting with them.

      That's why some things still require two steps. The 'first click' causes explorer (or whatever part of Windows you're dealing with) to automatically elevate and switch to a high integrity level. But since that click could have been injected by unprivileged malware, rather than an actual mouse click, the program then requires a 'second click' confirmation. Since it's running at a high integrity level now, that second click can only come from other high privilege programs or drivers. One special case is the UAC settings control panel... that places itself into a high integrity level immediately so that malware can't inject keystrokes to turn off UAC.

    2. Re:MS did by default by Jugalator · · Score: 2, Informative

      Also, on this topic...

      http://www.istartedsomething.com/20090611/uac-in-windows-7-still-broken-microsoft-wont-fix-code-injection-vulnerability/

      You can elevate arbitrary code in Windows 7 to admin privileges with the Windows 7 default settings, no UAC questions asked, and MS won't fix that.

      --
      Beware: In C++, your friends can see your privates!
    3. Re:MS did by default by Foolhardy · · Score: 2, Informative

      Yeah, I tried the linked proof of concept on the RELEASED version of Windows 7 (the site only references beta and RC versions), and it didn't work. Either it prompted, or it failed to acquire admin or high integrity rights. I notice the site hasn't been updated for build 7600 (the RTM version), even though it's been available for some time. Even if MS patched the specific thing the proof of concept was using but failed to fix the underlying problem, they still need to release an updated version to be taken seriously. The fact that pre-release versions of Windows 7 were incomplete is hardly surprising.

  13. Is this really surprising? by Sc4Freak · · Score: 5, Insightful

    Viruses use security holes to get onto PCs in the first place - once the virus is running on the PC, it's got free rein. There can be absolutely no security vulnerabilities on a system and the virus can usually still do what it wants if it's preloaded onto the system.

    You don't need administrative privileges to do many things that viruses want to do (eg. send mail, monitor keypresses). They ran the test by loading the virus onto the machine, then letting it execute. That doesn't demonstrate that the system is full of holes - it demonstrates that the system is very good at backwards compatibility!

  14. Re:Firewall? by clone53421 · · Score: 2, Insightful

    Agreed, to know whether this is scary would require me knowing whether these were drive-by exploits or require me being stupid enough to run their virus.

    I'm pretty confident in my ability to avoid the social networking sort of viruses. It's the drive-by exploits that I'm concerned about.

    --
    Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  15. It's the defaults by Jim+Hall · · Score: 2, Insightful

    They could have at least tested it with Security Essentials . . . it's freely available to Windows users.

    And yet the post at the Sophos blog says: "On October 22nd, we settled in at SophosLabs and loaded a full release copy of Windows 7 on a clean machine. We configured it to follow the system defaults [emphasis mine] for User Account Control (UAC) and did not load any anti-virus software." The point is that they installed Windows with the defaults like 99.999% of the users out there would do.

    My mom is probably a typical Windows user, and when she eventually installs "the new Windows", I'm willing to bet she'll just go with the defaults. Because it's easy. So if the default install of Windows 7 doesn't include & configure Security Essentials by default, then this test reflects what real users will see.

    Sure, they could have done a followup test to install Microsoft's Security Essentials, then see how that would have fared with the same 10 viruses. But these guys sell their own anti-virus software, so I don't really expect them to take the extra step.

  16. The newfie virus? by H0p313ss · · Score: 2, Funny

    In other news, running "sudo rm -rf /" as may cause migraines in up to 90% of linux administrators.

    --
    XML is a known as a key material required to create SMD: Software of Mass Destruction
  17. Wall of Shame by NoYob · · Score: 3, Insightful

    The corollary to that rule is that many applications won't run because they're poorly architected and require administrative rights to run

    Slashdot should have a Wall of Shame for programs that are like this.

    Kodak Easy Share is my pick.

    --
    It's NOT me! It's the meds! I'm on 1000mg of Fukitol.
    1. Re:Wall of Shame by CrazyKen · · Score: 2, Insightful

      It would probably be easier to list the applications that do work, fully, without administrative rights... or power user rights.

  18. In Test, Kdawson Posted 10 out of 10 FUD Stories by Sycraft-fu · · Score: 5, Informative

    Seriously, this guy is almost pathological in his determination to distribute as much FUD as possible about Windows.

    Taco: Fire this retard. The stuff he posts is NOT news for nerds. It is thinly veiled, and ineffective, smear pieces. Real stories about OS problems are interesting. Kdawson's FUD isn't.

  19. Re:Firewall? by natehoy · · Score: 2, Interesting

    Sophos was testing Windows 7 in its default configuration. I don't know if the Firewall is enabled on a default install, but I suspect it probably is based on the defaults in XP Service Pack 3. If it's not, then the firewall is going to be irrelevant to a good number of users who are also likely to run Windows without AntiVirus on board. If it is, then it's not providing any protection to speak of, apparently.

    One of the tests failed, not because Windows provided protection, but because the virus itself wasn't Win32 code. I'm sure the developers of Bredo-M are on it and will have a fix out soon.

    Particularly disappointing in this test, however, was UAC's failure to protect against all but one of the eight buggers that did try to run in Windows 7. That is/was supposed to be Microsoft's response to allowing most applications to run as Administrator rather than a limited user (thereby enabling or even encouraging the existence of a large base of applications that REQUIRE Administrator access).

    --
    "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
  20. Big surprise by FunkyOldD · · Score: 5, Funny

    Antivirus software vendor has reached the conclusion that you still NEED antivirus software.

  21. Missing the point of the article by dwlovell · · Score: 4, Insightful

    This article is not saying Windows 7 is insecure. You couldn't even come to that conclusion if you look at what they did. They ran untrusted code known to contain viruses on a Windows 7 machine. UAC only blocked those that tried to perform administrative tasks, which is what its job is. They did not try to do remote infection.

    I could write a virus attached to an executable that deleted your favorites file or all of the documents in your user's document folders. This would still be a nasty virus and would not be classified as an administrative activity, thus not triggering UAC. This would not indicate any flaw in the OS or its level of security. This is no different from any other platform, running as admin or not, if you run untrusted code, it will be able to do anything your logged in user can do.

    The point of the article is that people should not pretend UAC *is* virus protection. Microsoft doesn't market it as virus protection, and people shouldn't be under the impression that UAC prevents viruses from running.

    1. Re:Missing the point of the article by 1s44c · · Score: 2, Informative

      I could write a virus attached to an executable that deleted your favorites file or all of the documents in your user's document folders. This would still be a nasty virus and would not be classified as an administrative activity, thus not triggering UAC. This would not indicate any flaw in the OS or its level of security. This is no different from any other platform, running as admin or not, if you run untrusted code, it will be able to do anything your logged in user can do.

      It's not a virus if it doesn't replicate, it's a Trojan. Virii often use administrative functions and/or OS bugs to spread and hide. UAC should at least make some difference but it's unclear if it makes any.

    2. Re:Missing the point of the article by trouser · · Score: 3, Informative

      Valid point but......the plural of virus is viruses. No need to capitalize trojan either, unless you're referring specifically to The Trojan Horse or the brand of condom.

      http://en.wikipedia.org/wiki/Plural_form_of_words_ending_in_-us#Virus

      --
      Now wash your hands.
  22. It depends on how you read the article... by Last_Available_Usern · · Score: 2, Funny

    It could also just as easily read: "Two out of every ten virus writers deploy their work without testing it first."

  23. Re:Firewall? by natehoy · · Score: 4, Interesting

    Side thought: Of course, this WAS written by Sophos, an AntiVirus marketer. One could hardly expect them to choose viruses/worms that cast "naked Windows 7" in a good light, now could they?

    --
    "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
  24. newsflash... by damn_registrars · · Score: 3, Informative

    ... you can use your preferences to choose which authors you do or do not want to see stories from. If you dislike KDawson's choice of stories so much, you can opt to not display them. Hell, you have a lower UID than I do, and this feature has been available for the entire time I have been a member here. Why you don't know about it is beyond me; why you opt not to use it is even more of a mystery.

    Or you can just continue trolling. The choice is yours.

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
  25. You still need to run anti-virus on Windows 7 by 1s44c · · Score: 4, Funny

    You still need to run anti-virus on Windows 7

    There's a classic example of abductive reasoning. I do not have to run anti-virus on Windows 7 because I don't, nor do I ever plan to run Windows 7.

  26. Re:May require admin privileges anyway by jpmorgan · · Score: 4, Informative

    Windows 7 has a whitelist (based on authenticode signatures) of programs which are allowed to automatically elevate. However, it also has mandatory access controls, which segregates programs into different integrity levels. When UAC elevates a program, it is placed in a high integrity level. Lower integrity levels aren't allowed to inject things like keystrokes into higher integrity levels.

    So you are somewhat right, but mostly wrong. Malware could trick a trusted program into bypassing UAC and autoelevating, but after elevation the malware won't be able to interact with the trusted program anymore. And since all the trusted programs require a second user interaction before doing anything after elevation, tricking a part of Windows into auto-elevating doesn't help malware at all.

  27. Re:Why blacklist instead of whitelist? by ledow · · Score: 2, Informative

    The facilities are there, in Windows registry and group policy for instance (Software restriction policy, I believe it is called). Some networks might even use those settings, but in general it's FAR FAR too much hassle (especially for a home user). Some software firewalls even work this way already too - I know that pay-for versions of ZoneAlarm come with signature checking of the most popular apps and allow users to black/white list them from accessing the Internet/local network.

    The problem is that people would still authorise the same crap as they do now to run because they just click yes when they see a security dialog. And every time that software is updated (as specified by good network practice), you have to update all the signatures again (and query the user again, who gets bored/annoyed and just keeps clicking Yes). And most viruses on home machines are because people *chose* to run a program that they didn't know the origin of, either by downloading, clicking I Agree or turning their security settings off. And viruses still get through program exploits (macro viruses would be one old example - they appear to be Microsoft Word, which would obviously be "allowed" on the whitelist).

    Also most "whitelists" can usually be hacked / added to by the virus itself if it gains the permissions of the user (how else would the user authorise it to run?) so they again become useless. There are ways around this but they all annoy the user.

    Basically, either these schemes stop everything working (and users cry foul every time they want to run something new or update their software) or throw so many "Do you want to allow this?" dialogs at the user that they quickly disable it or just click Yes to everything when they want to run their spiffy new download from disreputable sites.

    Network admins find it far too much hassle to exercise this level of control because of the problems it can cause (basically, users want to be able to run arbitrary code under their user accounts).

    The problem is not viruses, or the whitelist/blacklist, the problem is providing glaring holes in the OS, running as administrator (or making privilege escalation trivial) and running programs that you don't know the origin of. Stop those three things (the easiest of which is just to stop people wanting to run every program they download) and you stop the problem of computer viruses. Whitelists just make that a little trickier, but always provide an avenue to either bypass the whitelist (by the program itself inserting itself into the list, like Windows Firewall allows in some Windows versions) or piss the user off with so many dialogs that they turn the security off / click Yes to everything each time (Windows UAC).

  28. Re:NEWSFLASH! by 1s44c · · Score: 2, Informative

    A machine without AV is vulnerable to viruses!

    News at 11!

    Talk about a useless piece of FUD...

    My Linux, Solaris, HP-UX, and OpenBSD machines don't run antivirus software. Yet they have never had a virus.

    It's not the 'machine' that gets the virus, it's the badly written operating system.

  29. Re:Best anti-virus next? by 1s44c · · Score: 3, Insightful

    So...what's the best anti-virus software for Windows 7?

    Disconnect it from the network.. You asked..

  30. Lesson learned? by Yunzil · · Score: 2, Informative

    "Lesson learned? You still need to run anti-virus on Windows 7."

    Or you could start by turning up the UAC level.

    People complain that UAC in Vista was too intrusive, so MS turned it down by default. Now people are complaining that it doesn't do enough.

  31. Stupid test? by 140Mandak262Jamuna · · Score: 5, Insightful

    They got some malware, and ran it. If these malware did not need elevated privileges, they are expected to run. You download a bash script from the net that goes "\rm -rf ~" and then complain that your $home is hosed? I am not sure the test is fair. Did the malware get root privileges? Did they do any damage that simple plain process with user privilege could not do? Unless such things happened, this test amounts to nothing more than testing backward compatibility of some old binaries in new OS. Duh.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  32. But UAC works perfectly fine at frustrating me! by Tomji · · Score: 3, Informative

    Just recently had to edit the Host file. (Local DNS file).
    Could not save it because of UAC, and didn't get a UAC prompt either, had to give up and disable UAC first.

  33. Re:Firewall? by LordLimecat · · Score: 4, Informative

    I thought it was common knowledge that viruses don't need admin to do a large number of things? I could swear this comes up every time arguments about whether Linux can get viruses start. Viruses don't need admin to auto run (users can have per-user settings on that), send packets, send email, launch popups, install BHOs, install Firefox addons, read files, etc etc etc.

    The things "non-admin" stops are the important things, like installing drivers, installing rootkits, installing LSPs, hooking system files, patching system files, etc etc etc. THOSE are all that matters. If you have a computer set up for the family to use with a non admin account (on XP), the point isn't that you think it'll prevent them from getting crapware, it's that the crapware won't affect other parts of the system (hopefully).

    It's also a hell of a lot easier to remove viruses installed with non-admin privileges-- the difference is night and day. Non admin viruses usually just stick a single entry (maybe 2) in the startup list, and SysInternals Autoruns or HijackThis cleans that in about 15 seconds. Admin-installed viruses tend to take on the order of 15-30 minutes of manual removal, or booting into Linux, or running combofix, or some combination of the 3, and if you screw up once and miss a file the whole thing reinstalls.

    FWIW I'm an IT consultant (part of my job is helpdesk) and I have yet to deal with a nasty virus / rootkit on Vista. XP on the other hand, I've seen viruses that took 45 minutes to remove even with tools like SDFix, the SysInternals suite, and launching Ubuntu to manually remove the infected DLLs sorting by date.
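
The per-user versus machine-wide startup locations mentioned in the comment above can be listed directly. This is an added example, not part of the original comment and not the code of any tool named in it: a read-only PowerShell listing of the common Run keys and Startup folders, labelled by who can write to them. It assumes Windows PowerShell 3.0 or later; the `TargetUserWritable` column is a simple heuristic chosen for illustration, and the list of locations is far shorter than what Sysinternals Autoruns covers.

```powershell
# Added example (not from the thread). Read-only: enumerates autostart entries
# and labels each by the privilege needed to modify the location it lives in.
# Assumes Windows PowerShell 3.0 or later.

# Run/RunOnce keys. HKCU is writable by the logged-in user without elevation;
# HKLM requires administrator rights to modify.
$runKeys = @(
    @{ Scope = 'Per-user';     Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' },
    @{ Scope = 'Per-user';     Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce' },
    @{ Scope = 'Machine-wide'; Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' },
    @{ Scope = 'Machine-wide'; Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce' }
)

$entries = @(
    foreach ($k in $runKeys) {
        if (-not (Test-Path -LiteralPath $k.Path)) { continue }
        $key = Get-Item -LiteralPath $k.Path
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{
                Scope    = $k.Scope
                Location = $k.Path
                Name     = $name
                Command  = [string]$key.GetValue($name)
            }
        }
    }
)

# Startup folders: the per-user one lives inside the profile, the common one
# under ProgramData (administrator rights needed to write there).
$shell = New-Object -ComObject WScript.Shell
$startupDirs = @(
    @{ Scope = 'Per-user';     Path = [Environment]::GetFolderPath('Startup') },
    @{ Scope = 'Machine-wide'; Path = [Environment]::GetFolderPath('CommonStartup') }
)

$entries += @(
    foreach ($d in $startupDirs) {
        if (-not $d.Path -or -not (Test-Path -LiteralPath $d.Path)) { continue }
        foreach ($f in Get-ChildItem -LiteralPath $d.Path -File) {
            # Resolve shortcuts to the program they actually launch.
            $target = if ($f.Extension -eq '.lnk') {
                $shell.CreateShortcut($f.FullName).TargetPath
            } else {
                $f.FullName
            }
            [pscustomobject]@{
                Scope    = $d.Scope
                Location = $d.Path
                Name     = $f.Name
                Command  = [string]$target
            }
        }
    }
)

# Heuristic (an assumption of this example): an autostart entry whose command
# points into a directory the user can write to deserves a closer look,
# because no elevation was needed to drop the file there.
$userWritableRoots = @($env:USERPROFILE, $env:TEMP, $env:PUBLIC) | Where-Object { $_ }

foreach ($e in $entries) {
    $hit = $false
    foreach ($root in $userWritableRoots) {
        if ($e.Command.IndexOf($root, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            $hit = $true
            break
        }
    }
    $e | Add-Member -NotePropertyName TargetUserWritable -NotePropertyValue $hit
}

$entries |
    Sort-Object Scope, Location, Name |
    Format-Table Scope, Name, TargetUserWritable, Command -AutoSize -Wrap
```

Entries marked `Per-user` can be created by any process running as the logged-in user; entries marked `Machine-wide` can only be changed after elevation.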

  34. hmm by nomadic · · Score: 3, Insightful

    You still need to run anti-virus on Windows 7."

    Or, alternately, DON'T INTENTIONALLY RUN VIRUSES ON YOUR COMPUTER. Geeze.

  35. And in other news . . . by Tanman · · Score: 2, Informative

    You still need seat belts in cars with airbags, fire departments for neighborhoods with fire resistant code compliance, and ambulances even if a doctor lives next door.

    I mean, really . . . this is stupid.

  36. why is this news though? by flappinbooger · · Score: 2, Informative

    I don't recall seeing MS claim Win7 was virus proof...

    --
    Flappinbooger isn't my real name
  37. Re:Error in summary by kestasjk · · Score: 5, Insightful

    On what OS can you run viruses written for that OS, which will not run? RTFA; they ran virus.exe on Windows 7 and were gobsmacked that they ran. This is FUD and/or a slashvertisement for Sophos..

    --
    // MD_Update(&m,buf,j);
  38. Typical slashdot bias... by Requiem18th · · Score: 3, Funny

    This is proof slashdot is biased, do you notice how slashdoters like to pick on Windows? You'd never see an article talking about people having problems with Ubun... wait... fuck...

    --
    But... the future refused to change.
  39. The Mac threat is non-zero but overblown. by Valdrax · · Score: 3, Informative

    Hitting Google is apparently easier than doing research. I went through the articles on your "osx+virus+in+the+wild" link, and what I found on the first pages was...

    • 4 pages on Leap-A: A Trojan that requires one to give an admin password after opening what's supposed to be an image file. It propagates itself via iChat file transfers, but it still requires an idiot to give a password upon opening a file that shouldn't require one.
    • 1 forum post by someone worried about an unidentified Mac virus in the news around the same time as Leap-A.
    • 1 page on Inqtana-B: A false positive from an AV package.
    • 1 blog post by someone bragging about how there aren't any self-propagating Mac viruses in the wild.
    • 1 nigh-incomprehensible wiki article on AV software for Macs.
    • 2 articles on Inqtana-A: (See below.)

    None of these (except possibly Inqtana-A) would be a threat to semi-competent users, and the only article that isn't from 2006 is the garbled wiki page.

    Now if you want some actual research on Mac OS X viruses, you can check a vendor's site:
    http://www.sophos.com/security/analyses/viruses-and-spyware/search-results/?search=OSX&action=search&x=0&y=0

    Interestingly, what the site won't tell you is that most (if not all) of these viruses are phantom menaces; you have to Google each one yourself for that kind of detail. Many are proof-of-concept never seen in the wild, and most exploit holes already patched in the OS. All are trojans that require serious PEBKAC to run, even the only two known "worms" for the platform -- Inqtana and Tored.

    Inqtana, a virus that got some notoriety and media attention, is an example of all three -- a proof of concept (with an expiration date) that attacked an old hole in the Bluetooth stack and which required victims to consent to accept the download from an infected machine. Tored was an email worm that required you to execute an attachment on a very stupid looking spam email payload. Both are basically glorified trojans -- nothing on par with Conficker.

    Now, trojans aren't complete non-issues, but savvy computer users currently have very little to fear from running a Mac w/o AV software since there are currently no self-instantiating viruses for the platform in the wild. Don't download pirated software (and risk something like iWorkS which hides itself in installers for certain programs), and don't trust installers where none should be present.

    --
    If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").