Re: Are you using security protection

Am I using some kind of anti-virus scanner type protection? Nope, quit doing that a looong time ago, although such scanners still have their places for John Q. Public type users who are more likely to meet even the kind of malware that such scanners can reliably detect, and who are unlikely to be able to detect those infections in other ways, such as Mk I Eyeball.

But sure, everyone who's reasonable is likely to be using some kind of security protection, be that operating system security features, or something else. Me too. I run firewalls on the perimeter, set up the operating systems and other software as tight as feels comfortable, and most importantly, rely on my enormous brain to keep things secure around here. Physical security is provided by a mean old geezer with lots of weapons and skill to use them.

said by scross:

PS: And for those of you who say that you've never been hit with malware - the question has already been asked: "How do you know if you haven't run a deep scan for this?" (Actually, multiple scans using multiple products are usually necessary for full disclosure.)

Without getting into the regularly scheduled and always as tedious "Windows suxx0rz or oh noes it doesn'ts" debate...

For those who ask the question "How do you know you haven't been infected with malware if you haven't run scans with anti-malware products?", I have a few things to say.

"How do you know" is wrong. They don't know, and neither do you. In many cases, even most, you can know when you are definitely infected: maybe one of those wonderfully effective (when they don't miss malware that have been ITW for several months and even years, such as Flame and Stuxnet or Induc and many others) anti-malware scanners beeps and tells you (and then you put in the required elbow grease to make sure it wasn't yet another false positive), or maybe you detect some things that shouldn't be happening, like processes that shouldn't be running. But, you can't really know you're not infected, although with decent precautions you can be pretty confident that the chances of being infected are rather small. That confidence has to be enough for even the more paranoid security professional types, because getting perfect certainty of being clean is just not gonna happen. That would require things that no one can have: perfectly designed software on perfectly designed hardware, all completely safe from tampering, used only by people who can't possibly ever make a decision that could lead to running malicious code.

Anyone who actually believes that running scans with anti-malware products, even dozens of them, can ever prove that there isn't any malware on the system is simply wrong. The only thing running scans proves is that you know how to run scans, and if they come up negative, that you don't have any malware so outrageously common and well-known that even anti-malware scanners detect it easily. It's a little like going to a doctor and getting some imaginary test for influenza virus infection. When it comes up negative, you will know you likely don't have a flu, but it doesn't mean you're healthy - you could still have, say, ebola or HIV, or terminal brain cancer.

Limited User Accounts.
Software Restriction Policies.

Steve Smith

I can see not using protection on a non-windows OS, entirely feasible. But Windows? You are asking for trouble, even with a heavily locked down system infections are common, and some of the threats are beyond the capability of the vast majority of people to detect. For example a replacement of services.exe would go undetected and ultimately result in a full system compromise without realization of such. I've seen it, and I have seen it go undetected around several very good techs.

I'm pretty confident in Webroot these days because it picks up enormous numbers of unknown threats with its heuristics and deep cloud analysis. For example, on one of our machines it snagged two fresh ITW threats a couple of days ago that only 1 other AV/AT/AS product on the planet detected. These threats would be installed and go unnoticed by 99% of everyone. NOD32 was the only other one to pick it up out of the 40ish AV engines tested, and it only got 1 out of the 2 threats. Webroot got them both.
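The services.exe replacement mentioned above is exactly the kind of change a defender can check for without relying on a scanner. Added example, not from any poster in this thread: a PowerShell script that flags a critical Windows binary whose Authenticode signature is not valid or whose SHA-256 differs from a baseline recorded earlier on a known-good install (the target list and baseline file path are assumptions).

```powershell
# Added example (not from any poster in this thread): flag a replaced
# services.exe or other critical binary by checking its Authenticode
# signature and comparing its SHA-256 against a baseline you recorded
# earlier on a known-good install with -Record. Assumes PowerShell 4+.
param(
    [string]$BaselinePath = "$env:USERPROFILE\sysbin-baseline.json",
    [switch]$Record
)

# Binaries worth watching; extend as needed (hypothetical list).
$targets = @(
    "$env:SystemRoot\System32\services.exe",
    "$env:SystemRoot\System32\lsass.exe",
    "$env:SystemRoot\System32\winlogon.exe",
    "$env:SystemRoot\System32\svchost.exe"
)

function Get-BinaryState([string]$Path) {
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path      = $Path
        Sha256    = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        SigStatus = $sig.Status.ToString()
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    }
}

$current = $targets | Where-Object { Test-Path $_ } | ForEach-Object { Get-BinaryState $_ }

if ($Record) {
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath
    Write-Host "Baseline recorded to $BaselinePath"
    return
}

# Load the baseline keyed by path, then compare each binary against it.
$baseline = @{}
Get-Content -Raw -Path $BaselinePath | ConvertFrom-Json | ForEach-Object { $baseline[$_.Path] = $_ }

foreach ($b in $current) {
    $issues = @()
    if ($b.SigStatus -ne 'Valid')         { $issues += "signature status $($b.SigStatus)" }
    if ($b.Signer -notlike '*Microsoft*') { $issues += "unexpected signer '$($b.Signer)'" }
    $old = $baseline[$b.Path]
    if (-not $old)                        { $issues += 'not in baseline' }
    elseif ($old.Sha256 -ne $b.Sha256)    { $issues += 'hash differs from baseline (patch or tampering: check update history)' }
    if ($issues) { Write-Warning "$($b.Path): $($issues -join '; ')" }
    else         { Write-Host "OK  $($b.Path)" }
}
```

A hash that changed right after a Windows Update is expected; a signature that is no longer valid never is. Since anything able to replace services.exe already runs with admin rights and may hide the change from a live system, the comparison is only trustworthy when run from a clean boot environment against the offline disk.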



said by Steve Smith:

I can see not using protection on a non-windows OS, entirely feasible. But Windows? You are asking for trouble, even with a heavily locked down system infections are common, and some of the threats are beyond the capability of the vast majority of people to detect. For example a replacement of services.exe would go undetected and ultimately result in a full system compromise without realization of such.

Before commenting on whether or not I could agree with that, I'd like to hear your definition of a "heavily locked down system", and what kind of infections such systems get so often as to be called "common", and how such infections occurred exactly. I get the feeling our definitions for heavy lockdown might be rather different (it can't be heavy lockdown if your users can intentionally and easily execute untrusted new software they just downloaded, as one point).

From my point of view, seeing any infection on a heavily locked down system is, slightly exaggerated, rarer than a dog who speaks Norwegian. Seeing a heavily locked down system used by smart users that has still gotten infected with something is rarer than a dog who speaks Forest Nenets. Yes, on Windows.

As for the services.exe part, I do realize I'm nitpicking here, but heavens forgive me, I can't resist: if something malicious can replace services.exe, then that there malicious thingamabob is already executing with admin privileges, and that's enough of a full system compromise right there, so I don't see how the replacement would "ultimately result in a full system compromise" when the system already has to be fully compromised for the replacement to occur in the first place.
Limited User Accounts.
Software Restriction Policies.


The thing is, having a totally locked down system doesn't make it a good system to use. You can always pull a box off the net, but what's the point? There are a lot of quality, and secure OS's out there that allow you to operate with relative impunity whilst not sacrificing operational stability, ease of use, and functionality. Windows is not one of those.

99.999% of the world won't find a heavily locked down windows box to be acceptable. Yet those same people would run other OS's and not even notice how secure they are, or any lack of functionality. Windows - frankly - probably has already peaked and is on the way out. I guarantee you when this state sponsored cyberwar starts to really ramp up, windows will be rendered virtually unusable as an all purpose OS. That day is long welcome for many of us. I had to laugh when the military used heavily locked down windows boxes, and discovered even then, they could be quite readily compromised. Just wait, there are threats already ITW that basically render windows boxes bricks, and it is getting much much worse.

I think the most viable solution at this time is to have a vanilla, hardened windows for only pure high end gaming with a dual boot of a secure, functional, and full featured OS as your primary. This is how I am seeing well over 30-40% of the boxes being setup these days from non-big box sellers (like Dell). But isn't Microsoft doing something to that Windows 8 abomination to prevent dual booting? Say goodbye to microsoft.



"Totally" locked down is, I agree, not comfortable to use. But "heavily", is, in my experience. That doesn't require disconnection from networks, even the Intertubes.

But for the sake of conversation, let's go with the thinking that Windows is not viable as malware gets meaner and nation-state cyberwar ramps up. Somebody please give me a brief technical explanation of what exactly makes non-Windows operating systems, say Linux or OS X or even OpenBSD, so much more resistant towards such malware dangers than Windows that they shall remain happily viable where Windows goes into smoky ruin of infection. A technical explanation is needed here: I'm not looking to hear "because MS just codes for ease of use over security", I want to hear something rather more like "because operating system SS is coded in an elvish variant of C that removes all vulnerabilities except ones forged in the fires of Mount Doom with considerable personal soul powah, and also takes all control away from the user so they can't stupidly execute malware". Because, I keep hearing that Windows can't survive the increasingly nasty malware ecosystem, but what I don't hear is what exactly makes other operating systems immune or even much better protected. Let's say Windows dies next year, and by 2015, everyone who runs Windows today is running, say, Ubuntu (I have the feeling that OpenBSD isn't gonna get popular any day soon). Now what is the tech that makes those formerly Windows but now bravely Linux boxes and their mostly computer-ignorant users all that much safer from malware and even that cyberwar threat? Anybody have that technical explanation?

Because the day that something else usurps Windows' place as most popular desktop OS, the evil folks are going to be on it like white on rice, they're going to find vulns to exploit and get their code running - sometimes as just a luser, more rarely escalating to root - and they're going to find easy ways to socially engineer the human users to run evil code. And guess what? Readily compromised, unusable OS, here we come!
Limited User Accounts.
Software Restriction Policies.


Cordova, TN
The registry is a huge weak spot in Windows, for starters. What a conveniently centralized location to implement all kinds of nastiness! I had to manually clean up an ugly, registry-centered infection once - because even the most powerful anti-malware programs of the time couldn't find it, much less clean it up. (These anti-malware programs were already loaded and running on that system before the infection occurred, BTW. Some of them got replaced after this particular battle, while the remainder got upgraded - and stay upgraded - and some additional ones were added.) It took a considerable amount of investigation and work on my part, but ultimately I was successful. Most PC "experts", however, would have just given up on it pretty quickly and completely wiped the box - OS, programs, data, and all.

And even on a "clean" (assumed to be uninfected) system, the registry is often such a cluttered and nasty mess that a sane and reasonable person is usually afraid to go near it. They might occasionally run a registry scanner, though, which will almost always call out so many real and potential registry problems that it makes even the most hardened PC cynic (like me) blanch!

Now, like many things in Windows, it may be true that as of late Microsoft has attempted to address issues here (I haven't really kept up with the latest). But this type of after-the-fact remediation tends to fall into the "too little, too late" category; also generally into the "we'll promise a lot more than we will actually deliver" category, too. And until basically every Microsoft PC out there gets upgraded or replaced and reaches this level of "maturity" (a term that I use loosely here), then essentially the entire ecosystem still remains at risk.

It's true, though, that the end user is the weakest link, and that social engineering and such will remain a huge danger point. Which is one reason why smart organizations these days are moving away from the "PC on every desktop" paradigm, and back towards a more centralized, controlled, and secure environment.

PS: I noticed a bit too late that you specifically asked about other operating systems. OK, then. I've worked on true enterprise-class systems (which were originally designed and implemented decades ago, before Windows even existed) that among other things (a) secure the individual programs in such a way that they can't really be tampered with - and if they do get tampered with, they won't even load, much less run; (b) don't generally allow you to make critical system-level software changes without direct physical access to the system - which usually requires a special password, and often a special key or key-like device, plus placing the system in a special maintenance mode (granted this can be inconvenient at times, especially for remote systems, but these types of system-level changes are relatively rare - unlike Windows updates); (c) have always had powerful, flexible, multi-level, all-but-unbreakable security built-in, from the ground-up (not as some late-to-the-game relative afterthought); (d) have never had a successful virus or other similar malware attack that I'm aware of - and although some theoretical attacks have been speculated about on paper but maybe never executed outside of a special test environment (AFAIK), the vendor went ahead and addressed these theoretical weaknesses with software updates anyway (unlike Microsoft - and too many others - who will leave known exploit vectors unpatched for months or even years).

I can't speak specifically to Linux or OS X or OpenBSD (although I know OpenBSD takes great efforts to be secure by design, and Wikipedia gives a good overview on this), but the fact that they are all derived from Unix - itself a relatively enterprise-class system, with a long operational history, and generally designed and built by people who knew what they were doing - means that they started from a sounder foundation. And while none of these systems - not even the one that I described above - can be assumed to be defect-free and totally secure, their "attack surface" is generally much, much smaller than that of Windows (even in its new, "improved" versions), and they suffer less from the legacy problems that have plagued Windows from day one.

David E Cox

Very nice post. Essentially the entire windows ecosystem (planet) is so corrupt it needs a new foundation (great flood), and a rebuilding of a new platform.. I agree, and I see this happen so much; for example FF is becoming so bloated these days they really need to sort of just start over. Essentially they have a contaminated bloodline on their hands.

Unix, and its derivatives, I believe had a stronger foundation partly because the people doing it loved what they were doing, it really wasn't done for profit. While Microsoft has greed, corruption, and the lust of money at the core of what they do. They lack the passion, love, and drive these other OS's had when they grew up, and spawned derivatives. It's the old adage that anything done for greed is blessed by satan, anything done for love is blessed by God. Essentially Windows is a cursed system because of the greed that drove its execution, rather than the passion that drove Linux/Unix type systems along.

It makes perfect sense, and it means MS will likely never fix it. The world needs to wake up and move away from it to let it die. The longer people buy boxes with Windows on it, the longer people wait in line for each new release spending hundreds of dollars, the longer this abomination will plague our world. I think we can all do our part by educating people about alternatives, then ensuring we help them move to them. Ubuntu or Mint are outstanding operating systems to install for general consumers! Secure, virtually problem free, easy to use, attractive, and feature rich.. So why do we keep installing windows on their machines?

I hope MS drops the ball on their next few releases, so much so, that people collectively start moving to alternatives, which will then force game developers to develop on these other boxes. It's a crime right now how developers in the game business essentially ignore the linux market, and we need to reverse this - which would then put the final nail in MS's coffin. Deny Microsoft money, any way you can, and you starve the beast.