Just how good is Microsoft's security?

Here's a little experiment; say you have the following -

- fresh install of Windows 7/Vista, fully updated, no tweaks
- MSE installed and fully updated
- browser is IE 8 with protected mode
- pc is behind a router with NAT
- Windows update, firewall and UAC turned on (i.e. on their defaults)

No other security app is installed. Given the above, can you still get infected with malware, assuming when you get a UAC prompt (desktop dims) then user does not select yes, and she does not download and run anything from the web she does not know about - i.e. basic understanding on the part of the user.

I'm just curious if -

1. Does the danger of drive by downloads/rootkits etc still exists in this situation?
2. If so what other layers (like HIPS) are needed?
3. Do you think Firefox vs IE PM is more or less secure? (I hope we get Firefox PM soon)

 

Less likely but still there is a chance . What about malware from USB drives?

 

Detection from local drives and shares would depend on the realtime scanner which won't be 100% for any program. I'm more concerned with browser attacks and getting hit by botnets/remote attacks as these happen without the user doing anything.

 

Well, I'm not running MSE or windows defender.But I am running with my router DMZ'd to open all ports to the PC, And without a firewall.I have zone alarm installed but with the firewall off, which i verifed by running online checks that all my ports are closed and visable to anyone on the internet and can be opened by a malicious person at any time.I hope it starts raining worms and trojans ETC. onto this PC, so I can do a little experiment here.I only have the HIPS of zone alarm going, as well as threatfire along side of NOD32 3.0, i'll let you know how it goes if things start going haywire.... lol

I have 2 seperate partitions, I will use this test on the partition I use the most to surf the internet, but I do not do any kind of online banking or have any saved passwords or info to steal on this partition, this should be a good test of my security, lets see how it goes and if anything actually happens.

 

browser attackes and botnet attacks - as you call them - does not happen without the user doing anything . You must visit malicious site in order to have "browser attack" . Botnet attack - you must have a malware installed on your PC

You should understand that there is no 100% in anything , no 100% protection but what you described as your protection is very strong one.

 

I have to disagree here... there have been malware that infected systems without any intervention and you do not need to visit specific malware sites to get infected. In fact, malware usually spread to the users across legit but compromised sites while taking advantage of the many unpatched systems out there!

Soooo... protect and isolate your browser and you will contain most of the infections nowadays.

Fax

 

Please read carefully... He has UAC fully activated and IE8 is running in protected-mode. The browser IS isolated. That means, without any user interaction (UAC) there isn´t a way to infect the system with drive-by-downloads/installations. Please read the security model of Vista/W7 also.

 

Two sentenses with completely different meaning .

So , let's accept you have read the Original Post . We have a PC behind a NAT device , with Windows Firewall - enabled , Windows Update(s) - enabled and applied , UAC - enabled => IE runs in Protected mode , MSE running and enabled , updated .

And we have a person , a human ( a typical blonde ) doing NOTHING but just WATCHING the monitor and enjoying the Windows 7 wallpaper(s) .

Tell me how will this computer get infected ?

Thousands of THANKS for the explanation !

 

Truth is, in Win 7 and Vista, security has been much improved. The only way to infect yourself, is by shooting yourself on the foot, ignoring UAC alerts and unverified activex and replying "yes" to all prompts.

It will happen to some people, but for users that were used in HIPS in paranoid mode in XP, things are totally different now. The need for such an extensive HIPS protection under Vista/7 is IMHO not needed anymore.

The most easy way to infect yourself now, is by running cracks, no dvd games patches, which instead are malware and you allow all UAC prompts.

Drive by infections are a much more remote danger now. Phishing is the best way to harm you while you browse.

Unless, the bad guys find undocumented Windows vulnerabilities, that can also bypass UAC and exploit them before MS takes notice and releases an update.

 

I 've a lot of friends that regularly were infected in XP, simply because they refused to drop IE. Many of them still run IE6 just because "they are used to it".

Another usual way of infection in XP is files from p2p, that are not what they appear to be.

Unfortunately, the human factor will always be the weak link. Some people even they see a prompt that "iwilltrashyourharddisk.exe wants to make changes to your computer, do you want to? They will reply yes, if they think it's the latest no dvd patch that will allow them to play their game without having to insert the DVD in the drive every time...

I 've a friend infected twice by a supposed mp3 with double extension (executable really). When i showed him how to enable showing file extensions he said to turn it off, because it was disturbing him when he wants to rename files.

 

That's true. If you are really determined to reply "yes" to anything, there is nothing that will protect you from it.

However, i do consider IE8 + UAC as a vast improvement. If not else, they can at least make you suspicious about drive bys. Also the user account will mitigate the damage. Of course you had user account in XP too, but how many actually used it...

Same goes for the other UAC alerts when you install something. It MAY make some people think twice.

The real benefit about them is for users that were already enough informed about security. Those will make the best use of UAC , IE 8 and user account.

 

Hi,

There are a lot of applications I use that I believe are very good, but sadly bundled with malwares (one such example is a popular P2P software from China, xunlei - literally quick thunder). So although the LUA(or UAC, they're the same thing right?) protects a lot of trouble, it cannot do much against softwares bundled with malwares... or can it? Are there anyway to just get the good bit out of a software and block out the bad bit? Please advice, thanks

 

This is the really important part of the equation; enable these three and already you've got a very secure machine, never mind heaping on the 3rd party compliments (or in many cases, detriments - LOL!). I would also throw in a vote for configuring Win Vista's/7's firewall for some two way protection, although this takes some time and effort to do.

No, LUA and UAC are two different things. As for software bundled with malware, why use it?

I doubt it. Simple resolution to this is use only good, trusted software.

 

Why having a computer then? To watch the wallpaper? uuuhm... you don't need any security in that case not even limited accounts.

But in case a blonde surf in a compromised fashion or gossip site.... then she can be infected .... malware can take advantage of vulnerabilities related to running third party software as well as the OS, this is how commonly infections happens without user intervention even with UAC/UIC/UOC or future WIN7.

In an ideal word, yes... the setup is secure. But we are not in ideal world otherwise there will be no infections.

Fax

 

1. This whole discussion assumes seems to assume the software has no vulnerabilities. Most attacks aren't aimed at the OS - they are aimed at application level vulnerabilities. Holes in Adobe apps and plug-ins have been particularly popular of late.

Vulnerabilities often allow malicious code to install even where proper security procedures are in place.

2. Malware creators have been very effective at fooling users into installing their creations. Even a smart user can be fooled or can make a rash click.

IE8 + UAC is a vast improvement - though I prefer Firefox or Chrome (IE opens new tabs so sloooowlllllly). I actually recommend Firefox with the noscript extension.

So my suggestions

1. Get a mac or linux - if that's not feasible, get W7.
2. Automatic updates are a must
3. Run a good security suite - now I'm from Symantec, so I would say that, but I mean it - patching together a bunch of freeware for AV, antispyware, HIS, firewall, linkscanning .. . . is a bad idea. To many vendors, no many points of failure, no comprehensive stress/vulnerability testing. a good security suite has all the components - built and tested to work together.
4. Be smart with passwords - including changing them regularly
5. Check your accounts - look at bank and credit card accounts regularly and carefully.
6. I love having my Google search results checked for safety. Norton has this feature as does McAfee and AVG - and it helps.
7. Backup backup backup
8 Backup
9 backup
10 Rinse and repeat


Oh yeah, how good is MSE? - It is not a complete security solution. PC Magazine found it was middle of the pack in most areas while doing terribly with keyloggers. It does a poor job with drive-by downloads - which are a threat because (as I said above) they target vulnerabilities that allow them to break your OS/browser's security model or they target your own brain dead moments (maybe I do need that codec update).

Here are PC Mag's test results : http://www.pcmag.com/image_popup/0,1871,iid=245073,00.asp

I wouldn't use MSE - there is better freeware and better still, use a good security suite.

 

FWIW starting with Vista when you go to rename a file it only selects what's before the extension rather than the entire file name like in XP. In most cases you can just click rename, type the new name, press enter, and continue going about your business without worrying about accidentally changing the extension. It's not completely idiot proof, but it's still a welcome improvement IMO.

 

Yes, same in Win7, but he was running XP (still is). I had also told him to run a user account or SuRun, since he gets regularly infected, be he never wanted. That's the good part of moving to Vista or 7. You have to use user account by default. For people like him, it's the best thing that an OS can do for them.

 

I moved to Windows 7 recently, created an admin account and disabled UAC.

I don't like this childish simplicity of MS security.
They never let you know what's really going on and what exactly will happen if you allow something.

Every installer has to be run at least twice, because after run as admin and UAC prompt it still doesn't work and this foggy-brained UAC thing offers another prompt with new, but now recommended settings.

That's not security in my opinion, that's more like under the patronage of a drunken monkey.

That's why I use third party security programs.

Cheers

 

ssj100 - I don't have total statistics ready at hand - but the answer is clearly 10s of thousands of users have been infected through infected pdfs.

13% of web based attacks in 2008 were aimed at pdfs (see the Symantec Internet Security Threat Report Volume XIV, spring 2009). We recorded something in the neihgborhood of 410 browser plug in vulnerabilities with Active X the source of around half (one more reason to abandon IE)

Look, for example, at the Gumblar malware - which has infected thousands of sites and uses vulnerabilities in pdf and in flash to stealthy infect users.

http://www.theregister.co.uk/2009/10/16/gumblar_mass_web_compromise/

At Symantec we are blocking, on average, 348,000 malware attack a day (and we are seeing approx 20,000 new, unique malware each day)

 

What is the % if you use something like Foxit, and no browser plugin for those .pdf exploits?

Sul.

 

The explosion in the number of rogue AVs that rely on the user to infect themselves backs up your assertion for sure.If they weren't so successful they'd disappear.Malware is all about business,nothing personal so the bulk of threats follow the highest rate of infections.

 

These softwares (especially the one I mentioned above) are very popular from where I live. It's like one of those things that comes with a computer, like the Windows OS. I just don't know many alternatives. I know I'm wrong, my roomie said I should read more too, haha, but I'm feel comfy as it is

 

In virtually the same setup, I've seen advertisements (on FrostyTech.com) shut down IE8, in a standard user account, and then open dozens of browser pages that ask to install rogue anti-virus software. IE can only be terminated through Task Manager (if at all) unless the user clicks to install the software, as closing the browser windows in a normal way is not possible.

 

That's definitely bad UI design.

 

This has solved 99.99% of the problems for people I know.

1) Leave UAC on (Macs and Linux have have had this for a long time)

2) Make sure the vista firewall is on.

3) Download Avast Free, or Avira Free, and now Microsoft Security essentials, run one on access.

4) Keep auto updates on for flash, adobe etc.

5) keep Updated browser of choice (most people I tell this to use IE, but I use Firefox...doesn't really matter.)

6) Use common sense before you download anything, and be especially careful when giving private info on a website, at least check the address bar, and look for an SSL certificate (read the properties) when you enter stuff like banking info.

7) back up personal info to a DVD....full backups too if you want.