Windows Chief Suggests Vista Won't Need Antivirus

LadyDarth writes "During a telephone conference with reporters yesterday, outgoing Microsoft co-president Jim Allchin, while touting the new security features of Windows Vista, which was released to manufacturing yesterday, told a reporter that the system's new lockdown features are so capable and thorough that he was comfortable with his own seven-year-old son using Vista without antivirus software installed."

If users can...

[LiquidCoooled]

Run a program which sends out mass mails, or communicates with a server or does other actions then malicious people will write malicious code.
Just because a virus cannot harm the operating system does not mean it is harmless.

no antivirus?

[Quasar1999]

Sure... and I'm comfortable driving a car with no airbags! Doesn't mean that everyone doesn't want an airbag!

Jeez..

[FunWithKnives]

After summarizing that past statement, Allchin continued, "Please don't misunderstand me: This is an escalating situation. The hackers are getting smarter, there's more at stake, and so there's just no way for us to say that some perfection has been achieved. But I can say, knowing what I know now, I feel very confident."

If you RTFA, and then go back and read the title of this post, it's quite apparent that it's sensationalist and stupid. Of course Allchin thinks that this version of Windows will be the "Most Secure Evar". He works at Microsoft. Taking what he said out of context is just childish. But really, I suppose I shouldn't expect any less.

My first thought was...

[Brad1138]

To laugh. It always surprises me when someone says "we'll never need this" or "computers will never..." I remember a computer magazine editorial saying we would never store music on Hard Drives, it would take up to much space. These people never seem to think more that a few months or maybe a year into the future.

Duh

[ewl1217]

Of course a seven-year-old on a locked down computer wont be able to do any harm. Kids that age aren't into the sites (porn, illegal downloads, etc.) that are notorious for viruses and spyware. Not to mention that the kid's using a machine secured by parental controls and is most likely on a limited account. Wake me up when the average teenager can safely use Windows with an administrator account and no extra security software installed.

Why do execs say things like this?

[jsheedy]

I have always wondered why execs make claims like this?? Hey this is so great nothing will ever break it, I dare you to try. Really, do they think it will be virus proof, or is it just better? Just makes me wonder?

Anti-virus software

[Mostly a lurker]

A case can be made for running all Windows versions without anti-virus, especially if browsing the Internet routinely as a limited user. Unfortunately, the popular anti-virus products (McAfee, Symantec, Trend Micro) almost never prevent targeted attacks by cyber criminals, so one is tempted to avoid the performance hit and potential system destabilisation that comes from using these products and just rely on common sense, good backups, encryption of sensitive data, and acting all the time as if a keylogger might be installed on your system. I still use an anti-virus product personally, but I do not regard it as a reliable means of preventing infection.

Well gosh...

[IANAAC]

Let's just call the new "lockdown features" what they really are:

NATIVE ANTIVIRUS

Seriously, isn't this what third party antivirus vendors have been whining about?

And I though Allchin had at least half a brain...

[Anonymous Freak]

I do understand the sentiment. His son is young enough, that as long as he has a decent firewall, and decent parental control software, (i.e. disallowing email and IM,) he should be fine.

But it's still an irresponsible thing to make as a blanket statement.

Any OS can be virus-ridden...

[mark-t]

... when a statistically significant percentage of administrators (this includes people who administrate their own home computer) are too ignorant to take precautions against executing unknown code as a superuser.

What else is new?

[istartedi]

I've had two infections on my Windows over the years--Nimda and a video codec trojan. I'm not counting the second boxes that I used to use for experiments--I never put anything important on them, so I tended to just not care, and blow away Windows when they got nasty--that was back in the bad old dialup days when potential damage to others was minimal, and Windows was a lot less secure. I don't know if AV would have stopped Nimda, because I didn't use AV back then. AV didn't stop the trojan. I used to disable AV routinely because it *is* a virus. It used to slow boxes down way too much, and cause all kinds of problems with installers. I always un-do the stupid defaults in Windows and IE, and I try not to be too careless. Nimda is really the only one I can blame on MS, and it was patched ages ago. I would probably disable AV on my current box, but they seem to have gotten better about not hogging resources and/or crashing the box so I just leave it alone.

I wonder if Vista is finally going to display extensions by default. That was always irritating. It would be *nice* if you had to enable active content on a per-site basis by default. It would be better if they just didn't have so much active content out there. Would I "just trust" a Vista box? No way. But would I run it without AV if there was none pre-installed? Yes, in a heartbeat--but I would still be very careful about how I conducted myself on the web, and I would still want to go through all the settings to make sure there was nothing stupid in there. And I would *still* be checking up on processes and registry keys from time-to-time.

But anyway, XP without AV is not a big deal--if you know what you're doing. Unfortunately, that's a big if. Nevermind 7 year olds. It's the 57 year olds that you have to worry about.

It's not the viruses you need to worry about...

[NeumannCons]

Viruses, these days, are not what you need to worry about.

The main attack vectors these days seem to center on "drive by downloads" or pop ups that trick you into downloading executables ("WARNING! Your PC is infested with SPYWARE - CLICK HERE to remove"). Most Antivirus software is unbelievably pathetic when it comes to identifying/dealing with spyware. I've seen dozens of clients who have so much spyware, it can take 30 minutes or more to boot up and then spend more time closing all the popped-up windows. FF and it appears IE7 as well will hopefully go a long way to closing this attack. Now we just need to wait for everyone with win95,98,ME, NT, etc. to upgrade.

Coming soon to a virus near you?

[QuantaStarFire]

"I'll give you an example: It's my favorite feature within Windows Vista, it's called ASLR (Address Space [Layout] Randomization). What it does is, each Windows Vista machine is slightly different than every other Windows Vista machine. So even if there is a remote exploit on one machine, and a worm tries to jump from one machine to another, the probability of that actually succeeding is very small."

Anybody else thinking that we'll have Vista viruses that mutate and adapt to the ASLR of a particular system within a year or two? I mean, seriously, what is it with software companies (or rather, security companies) and this apparent hubris that "our product is bullet-proof"? I mean, haven't we seen enough security systems and copy protections go down in smoke, even when people were convinced that "it can't be cracked"? Give me a break...

It's not the OS that needs antivirus...

[h4rdc0d3]

If you think about it, it's not the OS that needs an anti-virus program; it's the user(s). I have been working in Windows since the 3.1 days, and I have never gotten a virus. And I have never once installed anti-virus software. The average user is just ignorant and sometimes a bit lacking in common sense. These users need virus protection, but technically the OS itself doesn't. They only need to educate themselves and be a bit more careful.

Re:I've used XP SP2 without AV for years

[the_unknown_soldier]

I have that experience as well... Any mildly technical user of windows can avoid viruses. I haven't run virus checking ever since SP2 came out. The truth is that most viruses are executed because of user stupidity.

firefox + nat=no anti virus not needed

You're crazy for using ie7 though.. you can still run activex, its not safe.

If his son is not an Admin on the box, why not?

[dioscaido]

Without Administrator access, a virus can at best mess around with his son's account. Easy enough to fix by killing and recreating the account. This is actually true of XP as well (and OSX/Linux, obviously), but Vista is the first MS OS to handle Standard User in a straightforward way.

And with UAC, since Administrators don't even run with full token by default, 3rd party applications will quickly move away from assuming Admin access (a huge problem with running XP as limited -- apps blow up).

Context

[lilfields]

I don't believe he was saying "Vista can't get viruses", but rather UAC (user account control) stops code from executing, thus making him feel safe that even his son could surf the web (with UAC on) without obtaining a virus blindly. I think the biggest weakness with past Windows have been uninformed users thinking that clicking "yes" in dialog boxes to execute an unknown program or script is a witty thing to do. I believe UAC tries to solve this, and most "average" users will be too lazy to turn it off (or won't know how), while advanced users can simply surf responsibly with it off.

IMHO

[nickheart]

I contend that no OS ever needs AV software. They need backup, and smart operators. AV has never pro-actively detected something, only slowed normal usage of my PC.

disturbing...

[yagu]

BTW, Vista Is Still The Anti-OS.

That said, a disturbing quote to me from the article was, "His [Allchin's son] machine is locked down with parental controls, he can't download things unless it's to the places that I've said that he could do, and I'm feeling totally confident about that," he [Allchin] added. "That is quite a statement. I couldn't say that in Windows XP SP2.""

It's not disturbing they/he claim the security in Vista, it's disturbing I've been around long enough it's an old tape. Every single new Windows, every single new version, every single new service pack brings the old saw "this time ${WindowsVersin} is really secure and stable". I guess I'm tired of saying "told you so", when it's not. (Oooops, I did it again.)

Prediction (not too hard...): Vista will be riddled with stability and security issues.

Re: I've used XP SP2 without AV for years

[rHBa]

I haven't had a virus/adware for >3 years and I do use P2P. I think using XP SP2 (if you have to use windoze)/Firefox/Thunderbird and not clicking on every attachment/download I get without checking:

1. file extension,
2. trusted source

is the key.

P.S I just noticed that 'Firefox' and 'Thunderbird' aren't in the FF2 English dictionary!

Never mind, the solution is quite intuitive really, just highlight the 'misspelled' word, right click and select 'add to dictionary'. Sweet...

Users define the (in)security of a system

[Anonymous Coward]

I've been using my home computer(s) to connect to the internet for well over a decade and I have never been a regular user of anti-virus software. I have gotten bitten by it precisely once, when I caught sasser while running windows 2000 on dialup (and I was able to disinfect myself by hand).

I don't leave all my default servicing running. I don't, usually, let my bare ass hang out on the internet, I try to stay behind a firewall or a NAT box. When I do run a server it's apache / mysql (even on windows), and I turn off / don't install all the external administration crap (ssh is more than good enough). I don't run random files I find on, or that are sent to me over, the internet. I keep my systems patched. Etc.

It's not that difficult to avoid viruses and worms today, it just requires a little discipline and critical thinking.

Re:no antivirus? No SEATBELTS!

[mikelieman]

You don't HAVE to wear your seatbelt, but WHEN you crash, you're gonna get really banged up.

And if you're SURE you're NEVER going to crash, WHY do you have INSURANCE???

Re:And XP has no buffer overflows...

[zbeba]

To be fair, he never claimed they removed *all* buffer which could overflow, only the ones they _found_ "in an automated way" [eweek.com].

That said, since he's "outgoing" and with a comfortable financial situation [sec.gov], I doubt he much cares. Perhaps in his spare time he can lounge by the pool and read something [nsa.gov] enlightening.

Re:Also reported:

[BronsCon]

Which is why it won't need antivirus, if the line from MS about Linux and MacOS not needing antivirus because nobody bothers with them due to their small marketshare turns out not to be complete BS. If nobody runs Vista, nobody will write a Vista virus, right?

Or are hackers just like all other humans, just like electricity, water, wind and pretty much everything else and take the path of least resistance? "I want my virus to work, so I'll code it for the weakest platform."

Re:I've used XP SP2 without AV for years

[Anonymous Coward]

Never had a problem.

Or your PC has been sending out millions of spam emails but you've been clueless because nothing unexpected shows up in process list and your PC isn't crashing or behaving badly as far as you can tell.

How many of the litterally millions of infected spam zombies out there do you think are on PCs who's owners "Never had a problem" with viruses? I wonder how many of them tell Mac and Linux users they are crazy for suggesting that Windows security is a bit... lax.

Re:Also reported:

[w3weasel]

The average user doesnt need windows. Whichever version you care to discuss. But they have it because its the ubiquitous option. Market saturation of Vista will take about 2 years to hit that magic 20% mark, but once that happens, most businesses, homes and institutions will upgrade too... not because they 'need' it, but because its what everyone uses (and XP wont be sold any longer, and they are too scared to try Linux or OSX).

Re:Also reported

[Agram]

Zealotry aside (FWIW, I am a Linux advocate although I use all three platforms mentioned here), the businesses are not "scared" to use Linux and/or OSX, they don't want to due to a simple reason that APIs in Linux and surprisingly enough OSX are moving targets which constantly break stuff left and right. Granted, this is not accross the board, but it is prominent enough to affect the overall product and warrant a significant rise in TCO. Case in point, I purchased an $800 OSX software 1 month ago. Upon installing it, it turned out to be a PowerPC-only application which surprisingly ran quite well under Rossetta in 10.4.7 (especially considering that it was altivec optimized). Then came the 10.4.8 and suddenly my application icon was crossed out saying this application is not supported. So, now I either have to wait for the original software makers to release an update (which they've been promising for some time but nothing has shipped yet and there is a lingering suspicion that in the end I'll have to pay for it), or use my new software as an $800 paperweight... Either way, I am losing in productivity and/or money.

Now if you consider how many times did the Apple platform switch in the recent years and how much overhead has that generated for the Apple third-party software manufacturers, not to mention how many API changes have taken place since 10.0, you'll quickly realize that Apple platform is almost as "enthusiast" as Linux. OTOH, whether you like it or not, XP in 2006 can run software made in 1995 without any problems whatsoever. All this means that businesses can get more mileage from their custom solutions and hence the market share disparity...

Re:I've used XP SP2 without AV for years

[955301]

Get a girlfriend and let her use your computer. In less than two days you will have a trojan horse. One bed and breakfast site with a guestbook and it's all over my friend. Here's a piece of software to run before your first date:

http://www.runtime.org/dixml.htm [runtime.org]

Re:Antivirus is a cure worse than the disease

[Stradivarius]

As such an obvious "people person", do you wear a seatbelt?

The seatbelt analogy doesn't fit very well. Even the safest of drivers have a sizable risk of getting into an accident because other less-safe drivers share the road with them. Unless this guy is sharing his PC with someone with less-safe computing practices, he doesn't have a comparable risk of spyware/virus infection.

Which is not to say there's no risk - even the safest of computer users can get hit with some 0-day exploit in Windows or the like, unless they leave their machine physically and permanently disconnected from the Net. But like anything else, it's a tradeoff. Do you want that incremental increase in safety at the expense of antivirus subscription fees and computational slowdown? Some people will, some people won't. It's a matter of risk tolerance and the cost/benefit ratio.

And you, sir, are not the "average joe" computer user

And that's exactly why AV programs should let you specify what level of understanding or risk aversion you have. Provide a "Typical User" and "Expert User" selection, with a "Typical User" default setting. There are few things more aggravating than someone or something continually assuming you're an ignoramus despite any and all evidence to the contrary.

Norton's been driving me nuts because I disabled some of its options to save my (pretty old) computer some performance. Every time I log in Norton nags me with this dire warning about "items affecting my status"; those items being the things I told it not to do. I'm very well aware of what I did and the implications, and don't need the app to be my nanny. I'm sure lots of people do want the nanny, and Norton should give it to them. But there's no need to apply that extreme risk aversion to everyone. It's been enough to make me seriously consider uninstalling Norton entirely.