Internet security software

Posted by: pedrohoon

Internet security software - 29/11/2010 07:45

It is that time of year again when the better half's security software suite needs renewing (she is using Trend Micro currently).

What are the recommendations from people here?

Thanks!
Posted by: Dignan

Re: Internet security software - 29/11/2010 12:01

Don't buy anything, just install Microsoft Security Essentials. It's the most lightweight program I've found for this sort of thing, and it gets high marks from every report I've seen on the subject.

I install MSE on all my clients' computers (in addition to my own), and if something ever sneaks through (no antivirus will catch everything), I run Malwarebytes' Antimalware (terrible name, good product). It's also free for the version that doesn't actively scan.

Now, cue the many people on this board who don't think you need antivirus. Oh, and Mark will chime in with a "install Linux." wink
Posted by: mlord

Re: Internet security software - 29/11/2010 12:40

Okay, sure: Install Linux.
Say goodbye to the need for all of that stuff.

Seriously. smile

Cheers
Posted by: pedrohoon

Re: Internet security software - 29/11/2010 23:43

Originally Posted By: Dignan
Don't buy anything, just install Microsoft Security Essentials. It's the most lightweight program I've found for this sort of thing, and it gets high marks from every report I've seen on the subject.


Thank you for the reply Dignan. I have heard that MSE is supposed to be adequate on its own, the only thing that concerns me is that I found a test done by AV-test.org who are supposed to be independent (they are used by Choice Magazine in Australia for antivirus reviews) which shows that they don't rate MSE as 'certified'.
Now I don't know how independent they really are, but going by their testing methodology they seem to apply the same criteria to each product. The area in which they think MSE fails appears to be protection against 0-day attacks (heuristics based?).

While I like the idea of not paying for antivirus protection, I also like the idea of stopping more nasties before they install rather than cleaning up later.
The other side of the argument is that Microsoft should be more knowledgeable about their own OS than an outside vendor and so should be able to provide a higher level of protection.
Posted by: pedrohoon

Re: Internet security software - 30/11/2010 00:00

Mark, I wish I could get her to use OSX like I am, but unfortunately she needs Windows for her accounting software (Quicken - the new Mac version is too feature limited and doesn't seem to be available in Australia anyway) and she is familiar and comfortable with the Windows UI so uses it for everything else too.
Posted by: msaeger

Re: Internet security software - 30/11/2010 02:00

I've seen the most stuff fixed by Malwarebytes, but that was using it after the computer was already infected. A scan with Windows Defender would come up OK but Malwarebytes would find stuff. I don't know what the difference is between Windows Defender and Microsoft Security Essentials.
Posted by: msaeger

Re: Internet security software - 30/11/2010 02:05

Here's my answer.

http://social.answers.microsoft.com/Foru...4f-0dcedb9ab9fd
Posted by: StigOE

Re: Internet security software - 30/11/2010 06:25

I use Comodo Internet Security and have been fairly happy with it. I don't know how good the anti-virus part is, but the firewall part gets very good marks in the www.matousec.com firewall challenge.

Stig
Posted by: Dignan

Re: Internet security software - 30/11/2010 13:18

Originally Posted By: pedrohoon
Originally Posted By: Dignan
Don't buy anything, just install Microsoft Security Essentials. It's the most lightweight program I've found for this sort of thing, and it gets high marks from every report I've seen on the subject.


Thank you for the reply Dignan. I have heard that MSE is supposed to be adequate on its own, the only thing that concerns me is that I found a test done by AV-test.org who are supposed to be independent (they are used by Choice Magazine in Australia for antivirus reviews) which shows that they don't rate MSE as 'certified'.
Now I don't know how independent they really are, but going by their testing methodology they seem to apply the same criteria to each product. The area in which they think MSE fails appears to be protection against 0-day attacks (heuristics based?).

I really have no idea how good any of these "independent" testers are, but most of the ones I've seen have rated MSE very well, including this one (though it's a bit old now).

Also, I kind of take issue with that AV-Test chart. MSE isn't "certified," but Avast is, even though its protection score is lower? Because it's slightly better at repair and is more usable? Usability won't help my click-happy clients smile


Here's my thoughts on antivirus:

I stand by MSE for day to day protection. For computer users who are pretty good about not clicking on the wrong things, it does a great job. Most of my clients have not had viruses return after I've installed it.

As far as I've seen, a disturbing number of antivirus programs do not catch the type of virus that I see most often these days and that disturbs me greatly. I can't tell you the number of times I've removed viruses from people's computers that got onto the system pretending to be an antivirus itself. I've seen these for years now in many different variations, and they're only getting worse. What gets me is that I haven't seen a single one of the major products block this thing. Norton, McAfee, and the second tier ones including MSE and AVG, none of them even see these viruses on an infected machine let alone block it.

The only one that consistently finds this type is Malwarebytes. You can tell it's effective because in several instances, I've seen the installer targeted specifically by the virus. I'll be able to install other programs, but when I try to launch "mbam.exe" the file is deleted. Sometimes I've even seen the virus search the USB drive I insert, and delete the installer right off of it. That tells me it's effective wink

So that might be my recommendation, in fact. For my clients, I don't mind recommending a for-pay program, but usually the only way I can get them to stop using Norton or McAfee is to draw them away with the promise of dropping that yearly fee. If they don't mind paying, Malwarebytes would be the one I'd go for myself.


I do have one more tool that I use on seriously infected computers, mostly as a last resort. It's called ComboFix, and I primarily use it as a last resort. It's most certainly not a day-to-day antivirus, but I've rarely seen it fail at getting a computer clean, although occasionally at the expense of certain user settings or programs that have trouble launching again. It's the last step I take before nuking and reinstalling Windows.

Lastly, no offense Stig, but I don't use software firewall products. It might be a good idea, but I'm fine with the combination of the Windows firewall and the hardware firewall I get with my router, which is probably more effective anyway. It might be good to have one just to know if anything you've installed is making unexpected calls out to the internet, but I don't care that much.
Posted by: andy

Re: Internet security software - 30/11/2010 13:28

All the friends and family members who I've seen get infected recently have been hit by those fake anti virus products claiming that their machine was infected and tricking them into installing them. Or they've been tricked into installing a trojan that was pretending to be an update for Windows or IE (even the ones that aren't using IE).

All of them had either MSE or AVG installed, it is extremely annoying that they make no effort to target this malware.

This whole area is a pain in the arse. My Mum is a new computer user. When she Skypes me and asks about a particular message saying an update is available for something, it's basically impossible for me to tell her whether it is legit or not without viewing her screen.
Posted by: mlord

Re: Internet security software - 30/11/2010 13:29

What are you doing inserting a USB stick into a live infected system?
Trying to help the virus spread?

Curious.
Posted by: wfaulk

Re: Internet security software - 30/11/2010 13:32

At least she asks.

I'd just tell her to never install any offered updates. Then set her computer to automatically apply Microsoft updates and log in remotely every once in a while to check for other stuff.
Posted by: andy

Re: Internet security software - 30/11/2010 13:36

That is sort of what I do, but it doesn't stop her getting stressed out by any messages that pop up. I wish I could tell her to just close them and not worry, but that won't make any difference to her stress level about it.
Posted by: Dignan

Re: Internet security software - 30/11/2010 13:38

Originally Posted By: mlord
What are you doing inserting a USB stick into a live infected system?
Trying to help the virus spread?

Hey hey hey now! Give me some credit! I use protection! smile

After using a thumb drive for a client, I take the drive back home to my computer (which has auto-run disabled), and format it. Then it's just a drag and drop to put my usual arsenal of applications on. This way I'm safe and I have the latest versions of the programs, which I download on a regular basis.
Posted by: Dignan

Re: Internet security software - 30/11/2010 13:44

Andy, I know exactly what you mean. Usually my mom just waits for me to come over, which fortunately is easy because we live close by. She's very cautious so that's good, but sometimes I worry she'll miss an important Windows Update. She doesn't do a lot of wild clicking though, and at least I was able to move her off of IE smile

I will admit, I'll be a little happier when she's on the Mac one day. She already brings one home from work when she works from home, and wants to get one for herself when she retires. She called me one day, sounding worried. She said "I just got a message saying that I have all these viruses! What should I do?" After a little worrying myself and telling her to just click the X, I thought to ask "which computer are you using?" When she said the MacBook, I admit I chuckled a little (not to her amusement).
Posted by: wfaulk

Re: Internet security software - 30/11/2010 14:25

Some thumb drives have switches to put them in read-only mode. Maybe you should just get one of those.
Posted by: Dignan

Re: Internet security software - 30/11/2010 14:46

Originally Posted By: wfaulk
Some thumb drives have switches to put them in read-only mode. Maybe you should just get one of those.

An excellent idea, it would eliminate a step or two. I'll look around.
Posted by: frog51

Re: Internet security software - 30/11/2010 20:50

Just following up on your comment - why would you not run a firewall as well as an AV product on a Windows box? Firewalls should be low enough load not to impact your CPU adversely in any significant way, and anyone on a broadband link is a target for any number of scans followed up by attacks. My advice, as a security professional for the last 15 years, is just to get the basics in there before the decision comes back to bite you...
Posted by: Dignan

Re: Internet security software - 30/11/2010 21:02

Originally Posted By: frog51
My advice, as a security professional for the last 15 years, is just to get the basics in there before the decision comes back to bite you...

If you're just talking about "the basics," wouldn't the Windows firewall and your standard router be considered the basics? Isn't the router better at staving off much of that stuff anyway?

My complaint about software firewalls is that all the ones I've seen are far too in your face. It's one of the reasons I try to get Norton off my clients' computers, because the built in firewall tells them about every single little occurrence, and it gets to the point where the user is just so fed up with it, they either start approving everything (making the firewall useless) or denying everything to be safe (which breaks a lot of good programs, including AV updates).
Posted by: gbeer

Re: Internet security software - 01/12/2010 01:17

Originally Posted By: Dignan
Originally Posted By: wfaulk
Some thumb drives have switches to put them in read-only mode. Maybe you should just get one of those.

An excellent idea, it would eliminate a step or two. I'll look around.


I guess write-once CDs are passé.
Posted by: mlord

Re: Internet security software - 01/12/2010 02:29

Just like floppy discs now.
Posted by: Dignan

Re: Internet security software - 01/12/2010 03:28

Originally Posted By: gbeer
Originally Posted By: Dignan
Originally Posted By: wfaulk
Some thumb drives have switches to put them in read-only mode. Maybe you should just get one of those.

An excellent idea, it would eliminate a step or two. I'll look around.

I guess write-once CDs are passé.

Not sure if you're kidding around or not, but CDRs also can't be overwritten, so I could never update the applications I put on there, which is essential. And I'd rather carry around a thumb drive than a CD.
Posted by: pedrohoon

Re: Internet security software - 01/12/2010 11:52

Originally Posted By: andy


This whole area is a pain in the arse.


[rant]
For sure, and I am certain I am not the only one who wishes that the miserable little turds that write malware would apply their time to writing more useful software or improving open source projects. Perhaps penalties for this sort of thing should be more draconian and more effort should be put into catching and prosecuting these pricks. However that is a separate topic.
[/rant]

Anyway, I would have been happy enough with MSE, but swmbo decided that she wanted Kaspersky after checking various reviews, so I went with that.

Download and installation was quite painless, the only issue I have with it is the size of the updates (hundreds of megabytes for 2 PCs which is significant when our quota is only 1GB per month), particularly as I downloaded the most up to date version initially.
Posted by: tfabris

Re: Internet security software - 01/12/2010 19:17

Quote:
For sure, and I am certain I am not the only one who wishes that the miserable little turds that write malware would apply their time to writing more useful software or improving open source projects.


As much as I hate those little turds too, they fill an interesting niche: If the little turds didn't write their mild-annoyance malware, then we'd only discover the security holes in our software long after the seriously dangerous folk (spies, thieves, superpowers) had already compromised our systems, stealing our money and our secrets.

Not that that sort of thing doesn't already happen anyway, it's just nice to know that most of our front line security battles are being fought over malware that's merely an annoyance as opposed to something truly frightening.
Posted by: andy

Re: Internet security software - 01/12/2010 20:37

The malware I am talking about exploits no security holes on the client machines whatsoever. I am talking about the sort where you go to a website, a popup is shown that pretends to be a Windows dialog doing a virus scan. It then says that you have X viruses and prompts you to download an exe. The victim clicks on "yes please download and run the exe". The victim then says "yes please run it with admin perms" to the Windows dialog designed to protect them.

Those are the annoying ones. The ones that don't break in. The ones that to you and I are instantly recognisable as a scam. The ones that to a normal human being appear to be just as valid as the Windows update dialog.

Without disallowing the user from ever downloading and running an exe from the web, I don't see any way round it for the sorts of users who are taken in by it. The same users would end up downloading and running the Trojan whichever desktop os they were on.

That is why I think restricted systems like iOS are the future for normal users. Android's approach of telling you what perms the app wants does nothing to help these users.
Posted by: tfabris

Re: Internet security software - 01/12/2010 21:29

Social engineering is still an exploit. Just an exploit of a different kind. smile

I know that kind of thing is hard to fix, but there are a lot of steps being taken with security software right now that are trying to address those issues. A computer can never fix the basic social engineering exploit of "some people are gullible", but I think there are still gains to be made in the area of protecting the gullible people from themselves while they use the computer.
Posted by: andy

Re: Internet security software - 01/12/2010 21:35

Which takes us back to where we started, the mainstream security tools don't seem to target these attacks and I don't understand why.
Posted by: hybrid8

Re: Internet security software - 01/12/2010 22:33

I bet these guys in Iran wish they had been running better virus scanning software...

http://www.foxnews.com/scitech/2010/11/26/secret-agent-crippled-irans-nuclear-ambitions/
Posted by: gbeer

Re: Internet security software - 02/12/2010 04:26

The virii that was used against Iran is a fascinating story in itself.

Designed to attack programmable controllers used in industrial settings. It had to propagate across both different platforms and an airgap. It used multiple never-seen-before vulnerabilities.
Posted by: tanstaafl.

Re: Internet security software - 02/12/2010 11:21

Originally Posted By: hybrid8
I bet these guys in Iran wish they had been running better virus scanning software...

http://www.foxnews.com/scitech/2010/11/26/secret-agent-crippled-irans-nuclear-ambitions/
You're accepting at face value a story reported by Fox News?

tanstaafl.
Posted by: Roger

Re: Internet security software - 02/12/2010 12:14

Originally Posted By: gbeer
The virii


The plural of virus is viruses.
Posted by: hybrid8

Re: Internet security software - 02/12/2010 12:25

Originally Posted By: tanstaafl.
You're accepting at face value a story reported by Fox News?


It could be complete fiction - it doesn't make it any less amusing. wink
Posted by: wfaulk

Re: Internet security software - 02/12/2010 16:08

And the Latin plural is viri.
Posted by: gbeer

Re: Internet security software - 03/12/2010 01:26

Viri, virii, viruses,

Only the last was not flagged by the FF spellchecker.
Posted by: Dignan

Re: Internet security software - 03/12/2010 03:20

Originally Posted By: gbeer
Viri, virii, viruses,

Only the last was not flagged by the FF spellchecker.

That doesn't mean much. The dictionaries in these browsers are woefully inadequate. They miss pretty common words all the time. Yes, ones which I know are spelled correctly, because I'll be so shocked that it isn't recognized that I'll research it even though I'm certain of the spelling. I don't know why they're missing so many words.

He specifically said the Latin plural, though, so maybe the spellcheckers miss that. The English form appears to be viruses...
Posted by: Roger

Re: Internet security software - 03/12/2010 08:17

Originally Posted By: wfaulk
And the Latin plural is viri.


No, it's not.

Quote:
Anyway, Latin already had a word viri, but it was the nominative plural not of virus (slime, poison, or venom), but of vir (man), which as it turns out is also a 2nd declension noun. I do not believe that writers of English who write viri are intentionally speaking of men. And although there actually is a viri form for virus, it's the genitive singular, not the nominative plural. And we certainly don't grab for genitive singulars for the plurals when we've started out with a nominative. Such hanky panky would certainly get you talked about, and probably your hand slapped as well.
Posted by: wfaulk

Re: Internet security software - 03/12/2010 11:56

Whoops. Misread my dictionary. Damned Latin declensions.
Posted by: hybrid8

Re: Internet security software - 03/12/2010 12:17

This reminds me of last night's episode of the Office for some reason.... wink
Posted by: lectric

Re: Internet security software - 03/12/2010 15:12

-=Chuckle=- Agreed. I will be sad when that show is over.
Posted by: Taym

Re: Internet security software - 03/12/2010 22:35

Originally Posted By: hybrid8
Originally Posted By: tanstaafl.
You're accepting at face value a story reported by Fox News?


It could be complete fiction - it doesn't make it any less amusing. wink


Indeed! Wow. I had to share it with some friends (and for the first time in my life I shared it on Facebook. Whatever).
Thanks for posting this, Bruno.

And yes, Virus, as far as I remember from high school, is 4th declension. Nonetheless, why use Latin? "Virus" comes from Latin, but is very well into the modern English language.
Posted by: frog51

Re: Internet security software - 06/12/2010 19:54

Originally Posted By: andy
Which takes us back to where we started, the mainstream security tools don't seem to target these attacks and I don't understand why.


Mostly because they can't. It isn't a technical control that is required or possible.

Actually, you can build technical controls that could do this but users don't want them as they impact on usability. Annually, about 5% of all the security work I do is awareness training. It isn't sexy or glamorous, and the downside is every time we do it we need to change the approach as users forget/are indifferent after about 6 months at best.

I think it is human nature (normals, not geeks) to ignore any of this stuff as it doesn't seem to have a direct impact on safety (in the old fashioned 'will it stop me being eaten' kind of way)
Posted by: andy

Re: Internet security software - 06/12/2010 21:19

The attacks I was talking about are the fake anti-virus tools, there is no reason why the mainstream tools couldn't treat those fake tools as viruses and block them from running.
Posted by: frog51

Re: Internet security software - 07/12/2010 19:08

Because anti-virus is unlikely to spot the majority of them before install as they don't require anything to be installed before the user clicks. Once they do click, you can scan the app but if it doesn't match an existing signature it won't get picked up. And enough get through on each version that the bad guys keep at it.
Posted by: Dignan

Re: Internet security software - 08/12/2010 16:08

Originally Posted By: wfaulk
Some thumb drives have switches to put them in read-only mode. Maybe you should just get one of those.

Bitt, I know you're right about this because I've seen them before, but I can't seem to find any now! Any Amazon links?
Posted by: Phoenix42

Re: Internet security software - 08/12/2010 17:09

Newegg
Quote:
Clips securely to your bag, briefcase, backpack, or belt loop Detachable water-resistant case Rubberized exterior protects drive from damage External write protect switch Includes three write-on labels Imation Drive Manager password protection software included (not compatible with Mac OS)


They have others as well, I used the keyword 'write protect' when looking at their USB Flash Drives.
Posted by: tanstaafl.

Re: Internet security software - 08/12/2010 17:21

Like this?

tanstaafl.
Posted by: Dignan

Re: Internet security software - 08/12/2010 20:35

Originally Posted By: tanstaafl.

Nah, I don't need it to be secure or anything, I just need something that can't be written over.

Originally Posted By: Phoenix42
Newegg

They have others as well, I used the keyword 'write protect' when looking at their USB Flash Drives.

Thanks, that should work fine. It's not the greatest looking/smallest one I've ever seen, but it'll be fine for this purpose. I ordered a couple from Amazon.
Posted by: BartDG

Re: Internet security software - 06/04/2012 12:43

Reviving an old thread because my NOD32 anti virus licence expires in a week and I'm looking out if there are no better alternatives out there since the last time I renewed my licence. (and no, I'm not switching to Mac or Linux smile )

I've been using NOD32 for years now and I'm pretty happy with it. In fact, I would have no problem renewing the licence for its anti-virus skills. It's just that lately, I've noticed a different type of infection is now quickly becoming the most dangerous and most widely-spread one. Up to a few years ago, email attachments were the most dangerous. Nowadays, simply clicking on the wrong link in your browser can make a lot of bad things happen for you. I'm not sure NOD32 is capable of intercepting this kind of threat. No, let me rephrase that: I've known NOD32 to intervene on a few occasions but I'm not sure if it's their forte or not. Online reviews claim it's not in any case.

So now I'm considering installing Microsoft Security Essentials for the anti-virus part, and buying Malwarebytes Anti-malware Pro since the pro version comes with a live scanner.

Would this be a good idea? Or should I just stick with NOD32? Or is there an even better option?

Thx!
Posted by: Dignan

Re: Internet security software - 06/04/2012 13:16

Originally Posted By: Archeon
So now I'm considering installing Microsoft Security Essentials for the anti-virus part, and buying Malwarebytes Anti-malware Pro since the pro version comes with a live scanner.

Whatever you end up doing, don't install two real-time virus scanners. MSE does live scanning as well.

At the end of the day, the best antivirus is good user behavior. I've been rocking MSE for years now, and haven't had a virus in that time, but none of these programs are 100%. It's always possible for a user to do something that gets them infected.

The reason I decided to go with MSE was that it was the most lightweight antivirus out there. It never annoys me unless it sees something nasty go by. It doesn't put a strain on my system. It doesn't bother me constantly about renewing anything. It doesn't prevent me from going to any websites or from setting up a networkable printer (which I've seen several times with stupid Norton). MSE gets out of my way and gives me some security.

I would say that combining MSE with the free version of Malwarebytes (which you run every once in a while), is all you really need.
Posted by: BartDG

Re: Internet security software - 06/04/2012 13:25

Originally Posted By: Dignan
Whatever you end up doing, don't install two real-time virus scanners.

Why not? Does this significantly slow down your system or something?

Originally Posted By: Dignan

At the end of the day, the best antivirus is good user behavior. I've been rocking MSE for years now, and haven't had a virus in that time, but none of these programs are 100%.

Agreed, but back in the day you only had to be aware of your email attachments. Nowadays, simply clicking on the 'wrong link' is bad. There's no way of checking that beforehand and cautious surfing behaviour won't help you here.

Originally Posted By: Dignan

The reason I decided to go with MSE was that it was the most lightweight antivirus out there. It never annoys me unless it sees something nasty go by. It doesn't put a strain on my system. It doesn't bother me constantly about renewing anything. It doesn't prevent me from going to any websites or from setting up a networkable printer (which I've seen several times with stupid Norton). MSE gets out of my way and gives me some security.

I have the same feeling about NOD32. It's never failed me, not once. But multiple online reviews I've read seem to indicate that their live scanning could be improved, especially when it comes to rootkits. This is the reason I've started to look at alternatives.
Posted by: tanstaafl.

Re: Internet security software - 06/04/2012 14:32

Originally Posted By: Dignan
The reason I decided to go with MSE was that it was the most lightweight antivirus out there. It never annoys me unless it sees something nasty go by. It doesn't put a strain on my system. It doesn't bother me constantly about renewing anything. It doesn't prevent me from going to any websites or from setting up a networkable printer (which I've seen several times with stupid Norton). MSE gets out of my way and gives me some security.
I was going to say the same thing... but about AVG. Maybe it's just my naivete and ignorance speaking, but I have been 100% satisfied with AVG for the five years or so I've been using it.

tanstaafl.
Posted by: BartDG

Re: Internet security software - 06/04/2012 14:38

I've been wary of AVG ever since they made that error in one of their updates so it pointed to some essential Windows system files as being malware and removed them, resulting in an inoperable PC. Granted, that was some time ago, but I guess I haven't been ready to forgive them. smile
Posted by: Dignan

Re: Internet security software - 07/04/2012 01:30

Originally Posted By: Archeon
Originally Posted By: Dignan
Whatever you end up doing, don't install two real-time virus scanners.

Why not? Does this significantly slow down your system or something?

Which suspenders would you like to wear with that belt?

But seriously, why have everything you do run past two sets of eyes? If you have a decent AV you shouldn't need a second one, and it'll make your computer happier. It's not really going to help you anyway.

Quote:
Originally Posted By: Dignan

At the end of the day, the best antivirus is good user behavior. I've been rocking MSE for years now, and haven't had a virus in that time, but none of these programs are 100%.

Agreed, but back in the day you only had to be aware of your email attachments. Nowadays, simply clicking on the 'wrong link' is bad. There's no way of checking that beforehand and cautious surfing behaviour won't help you here.

I really think you're being a little more scared of viruses than you probably need to be. Your language makes it seem like you're peeking around every corner of the web, afraid that a criminal is right on the other side ready to accost you.

What I was trying to say before was that I've been using plain old MSE for years now, with nothing but the Windows firewall and a router, and I haven't had a disaster yet (*knock knock!*). Even if it did, I have all my data backed up.*


Here's what I suggest to my clients:
MSE
Google Chrome browser (I like Adblock Plus but some have understandable ethical issues with it)
Windows Firewall enabled
An average router
Malwarebytes (run every month or so if it makes you feel better)
TDSSKiller (for rootkits - same frequency)
Posted by: Dignan

Re: Internet security software - 07/04/2012 01:32

Originally Posted By: tanstaafl.
Originally Posted By: Dignan
The reason I decided to go with MSE was that it was the most lightweight antivirus out there. It never annoys me unless it sees something nasty go by. It doesn't put a strain on my system. It doesn't bother me constantly about renewing anything. It doesn't prevent me from going to any websites or from setting up a networkable printer (which I've seen several times with stupid Norton). MSE gets out of my way and gives me some security.
I was going to say the same thing... but about AVG. Maybe it's just my naivete and ignorance speaking, but I have been 100% satisfied with AVG for the five years or so I've been using it.

I understand that you like AVG, and I have nothing against them. My problem with them, as I've stated before, is that I see them getting out of control with the feature creep that did Norton and McAfee in. Eventually their software is going to start impacting system performance just like the big guys they supplanted.

That, and the false positives that Archeon mentioned. Also, you do get bugged for renewals, don't you?
Posted by: BartDG

Re: Internet security software - 07/04/2012 06:41

Originally Posted By: Dignan

But seriously, why have everything you do run past two sets of eyes? If you have a decent AV you shouldn't need a second one, and it'll make your computer happier. It's not really going to help you anyway.

Ah, so malwarebytes is also just another AV program? I thought malware was a different category alltogether, thus requiring a different approach. I'd rather also squash the infection as it is happening than clean up the mess afterwards, hence the lookout for a utility that does real-time scanning. Of course, if all this is not the case, then I can just as well stay with my NOD32 (which I've been happy with for a long time) and indeed use the free version of Malwarebytes now and then.

I've also heard good things about Bitdefender. Its malware protection is supposed to be pretty good, as well as its virus squashing ability. The only problem is I have no idea how slow it might make my pc.
Does anybody have any info on that?

Originally Posted By: Dignan

I really think you're being a little more scared of viruses than you probably need to be. Your language makes it seem like you're peeking around every corner of the web, afraid that a criminal is right on the other side ready to accost you.

No, not at all. I'm sorry if I made it seem that way, but I'm not paranoid about security at all. I just like to be prepared to the best of my ability. For years, I also didn't use an AV suite (only since the last 5 years or so)

Originally Posted By: Dignan

Here's what I suggest to my clients:
MSE
Google Chrome browser (I like Adblock Plus but some have understandable ethical issues with it)
Windows Firewall enabled
An average router
Malwarebytes (run every month or so if it makes you feel better)
TDSSKiller (for rootkits - same frequency)

Thanks for that list, that may come in handy in the future! Also, thanks for your feedback!
Posted by: frog51

Re: Internet security software - 07/04/2012 10:24

Never use two live scanners - it doesn't just slow things down twice, contention sometimes means it could be slowed down an incredible amount.

Plus, there's no point :-) They are all pretty much the same on this front. I still would prefer MSE over the others, for the reasons described above, but they all just work.
Posted by: BartDG

Re: Internet security software - 07/04/2012 10:58

Thanks guys, I guess that settles it then. I won't install MSE now (maybe on my next pc or with a fresh install), but upgrade my NOD32 licence for another year. I'll also make sure to run the free version of Malwarebytes now and then.

Thanks!
Posted by: Dignan

Re: Internet security software - 07/04/2012 13:08

Originally Posted By: Archeon
Ah, so Malwarebytes is also just another AV program? I thought malware was a different category altogether, thus requiring a different approach.

Nope, just a regular antivirus. Some programs use different methods to detect viruses, but they're still just antivirus programs. The free version of Malwarebytes has to be run manually, and the paid version includes a live scanner. If I were to pay for an antivirus, personally I'd use Malwarebytes. It seems to be the only one that identifies and removes those fake antivirus viruses. Or at least it did until those guys got better about getting around almost anything.

These days, some of these viruses are so bad that the only thing I can use is Combofix, which I try to save as a last resort. I haven't had it mess anything up, but the potential is there, and it can mess with settings and applications. Still, it's one of the few weapons that work against many of the more infected machines.

But that's not something you have to worry about. You aren't the type who is going to let a virus like that get ahold of your system. These viruses typically start as a pop-up, and trick a user into clicking on them by claiming they're infected. No matter how many times I warn some of my clients, they'll still click on those fake AVs. I feel like I should make them a sign that says "If it doesn't say Microsoft Security Essentials, DON'T CLICK ON IT!" But they still would...
Posted by: tanstaafl.

Re: Internet security software - 07/04/2012 15:51

Originally Posted By: Dignan
Also, you do get bugged for renewals, don't you?
No.

I buy a two-year license that expires about on my birthday, and I just remember to renew it before the renewal notices start.

About the only time I am even aware that I have AVG is very rarely, maybe once or twice a year, I get a pop-up saying AVG has quarantined known malware, asking if I want to take further action.

tanstaafl.
Posted by: hybrid8

Re: Internet security software - 08/04/2012 12:25

I've set a few people up with the free license for Avast - which gets renewed yearly. They've only had good things to say about it. I use it on my VMs but never pay much attention to it since I rarely install software on them.
Posted by: Dignan

Re: Internet security software - 09/04/2012 01:48

Avast is fine, though I've seen it bog a couple systems down, and it's more in the user's face in my experience. But whatever gets people away from Norton or McAfee is fine with me.
Posted by: pedrohoon

Re: Internet security software - 14/04/2012 12:03

Originally Posted By: tanstaafl.
...I just remember to renew it before the renewal notices start.



I did that too until I found that instead of adding another year to the subscription, it changed the next renewal date to 12 months after the date I renewed so I kept losing a few weeks' subscription each time. Now I just wait until it bugs SWMBO and she bugs me, then renew it the day before it expires wink .
Posted by: drakino

Re: Internet security software - 16/04/2012 01:20

Originally Posted By: Dignan
Don't buy anything, just install Microsoft Security Essentials. It's the most lightweight program I've found for this sort of thing, and it gets high marks from every report I've seen on the subject.

This is all I do if I'm forced to install something when in Windows land. Paying for security software always felt like paying mob protection money.

Originally Posted By: Dignan
Now, queue the many people on this board who don't think you need antivirus.

If I was a day to day Windows user today, I would have something installed. Over a decade ago, yeah, I didn't feel the need for virus protection. Most back then either exploited Windows machines directly connected to the internet (not behind a router/NAT/firewall setup), or were the trojans from the bad parts of the internet. These days, the malware/viruses come from plenty of legitimate sources, either via an ad banner, or a site being hacked to inject the malware.

Thankfully on OS X, Apple is staying on top of the issue for the most part. They were a bit slow to address the vulnerability in Java, but have now responded with not only a patch, but also a cleaner for anyone infected. Turns out, none of my systems were vulnerable anyway, but good to see the response. Same thing happened with the last trojan spread malware, Apple just built the cleaning/detection into the OS behind the scenes. So far nothing targeting the Mac has hit rootkit like levels. If it does, then maybe I'll consider realtime security software.

The modern Linux threat seems to be from having a repository compromised. It's happened a few times, but the damage seems to be pretty minimal before someone notices. Or just installing a completely untrusted distribution, such as the recent "Anonymous Linux".
Posted by: wfaulk

Re: Internet security software - 16/04/2012 16:24

Kaspersky estimated 600,000 infected systems. That's pretty significant.
Posted by: drakino

Re: Internet security software - 16/04/2012 16:46

Yeah, not downplaying the significance of it. Just not personally worried by it enough to run around and panic (I was immune since the malware checked for XCode, and wouldn't install if it saw it). The estimate is that 600,000 represents roughly 1% of the estimated active user base, which percentage wise is larger than the 0.7% Conficker hit on the Windows side.

It's been a constant issue on Windows for, well, decades. Much more reason for proper panic there smile
Posted by: Dignan

Re: Internet security software - 16/04/2012 20:16

Originally Posted By: drakino
Yeah, not downplaying the significance of it. Just not personally worried by it enough to run around and panic (I was immune since the malware checked for XCode, and wouldn't install if it saw it). The estimate is that 600,000 represents roughly 1% of the estimated active user base, which percentage wise is larger than the 0.7% Conficker hit on the Windows side.

It's been a constant issue on Windows for, well, decades. Much more reason for proper panic there smile

I wouldn't say you have to worry about this particular threat. Rather, I'd worry that Macs are finally reaching the point where it's worth it for virus creators to target this large untapped market.
Posted by: wfaulk

Re: Internet security software - 16/04/2012 20:18

It's also worth pointing out that this wasn't a virus or worm, but a trojan. It still required that people type in their passwords. (It pretended to be an update to Flash.)
Posted by: tanstaafl.

Re: Internet security software - 16/04/2012 23:32

Originally Posted By: wfaulk
It's also worth pointing out that this wasn't a virus or worm, but a trojan. It still required that people type in their passwords. (It pretended to be an update to Flash.)
Ummm...
"However, this latest version of Flashfake does not require any user-interaction and is installed via a “drive-by download,” which occurs when victims unwittingly visit infected websites, allowing the Trojan to be downloaded directly onto their computers through the Java vulnerabilities"

tanstaafl.
Posted by: wfaulk

Re: Internet security software - 17/04/2012 13:36

I stand corrected.
Posted by: drakino

Re: Internet security software - 17/04/2012 14:38

What is the proper classification of a browser (or plugin) based drive by exploit? It still requires user intervention to be installed, but no need for the user to manually bypass security. I've personally never referred to these as proper viruses.

It should be noted that Java is not installed by default on OS X 10.7, and is removed if a user upgrades from 10.6 to 10.7. Apple did add a dialog to install it on first use. If the user ran just a normal Java application, the web portion isn't enabled. If a user browses first to a Java web page, they would have to manually click the little box where the Java applet was embedded to then get the install dialog. Makes me wonder how many of the infected installed Java for the first time just for the malware, compared to actually using Java prior to it.

For Matt, marketshare is likely part, but not the complete picture. History has lots of examples of the smaller marketshare systems being exploited like crazy (such as the real, proper self spreading virus problem classic Mac OS had), or systems that have a commanding marketshare without too many issues (Linux servers). Malware is evolving over the ages too, initially just being destructive for no good reason. Now it's mostly interested in turning a machine into a participant of a bot network used for spamming or other activities that can be bought and sold on the black market. Or stealing personal data to be resold in some form, including MMO logins to sell off their virtual currency.

It helps that OS X's core is a pretty battle hardened Unix variant. Multi user operating systems demand security like features more than single user systems (Classic Mac OS and Windows, and to some extent NT on the desktop with XP, Vista, 7), due to the nature of also needing to ensure one user couldn't impact another back in the mainframe days. Modern single user systems (iOS/Android) still benefit a bit from their Unix like heritage, and choose to add more security from day one with code signing and other technologies to help minimize the risk.
Posted by: wfaulk

Re: Internet security software - 17/04/2012 15:09

It's not self-propagating, so it can't be called a virus or a worm.

It's not remotely initiatable, so you can't really think of it as an automatedly run remote exploit.

SANS defines a trojan horse as "A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the program."

To me, Flashback falls in this category. Flashback is part of a program that appears to have a useful function: Java. (No jokes about whether or not Java actually or only appears to have a useful function.) It could also be considered part of the web browser being used. It clearly matches the other parts of the definition.

There are obviously some leaps of logic in that argument, though.
Posted by: Taym

Re: Internet security software - 18/04/2012 00:28

Originally Posted By: Dignan
I wouldn't say you have to worry about this particular threat. Rather, I'd worry that Macs are finally reaching the point where it's worth it for virus creators to target this large untapped market.


Agreed. And the bad thing is that Apple decided to build on this silly idea of a "safer" system, which is not inherently true, and now many unaware users will pay the price for it. Not that this surprises me a bit, honestly, and I've been expecting this time to come for a while given the increasing market share of OSX. The thing is, at work we all expect more and more users to crowd our tech support offices, and that's going to be a lot of work and resources to be organized, and a lot of money. And it is going to be the same in many organizations with an expanding OSX userbase. Thank you Apple for telling all these people they can be safe and they don't need any AV product. Is there going to be another "I'm a Mac-I'm a PC" commercial series where the sneezing guy with the cold is the young and cool one, now? That would be less smug and more responsible, for once.
Posted by: drakino

Re: Internet security software - 18/04/2012 02:23

Originally Posted By: taym
Agreed. And the bad thing is that Apple decided to build on this silly idea of a "safer" system, which is not inherently true, and now many unaware users will pay the price for it. Not that this surprises me a bit, honestly, and I've been expecting this time to come for a while given the increasing market share of OSX.

This is what I don't understand. One semi major incident means that OS X instantly loses the safer title? While Windows has been a security nightmare for ages and only has recently begun to improve? I want to say there is a specific term for this, but can't name it currently.

It took Microsoft decades to respond to their glaring virus issue with a free product (Microsoft Security Essentials still not installed by default and Windows Defender which is). Apple on the other hand responds within weeks to clean up any mess on their side. Including the effort when trojans first started appearing on OS X to build in a new security feature akin to Windows Defender.

Call it smug if you want, but I think Apple has every right to still promote their desktop system as a safer alternative to Windows. Not only due to the pure numbers of security issues on both sides, but also because they were more responsible than their competitor every time an incident has occurred. If you go back and look at Apple's claims, they never said virus proof, or any sort of similar language. Their direct claim was that their platform didn't suffer the same sorts of problems that Windows did. Yes, the echo chamber and fanboys turned it into virus proof, but that is not Apple speaking.

http://www.youtube.com/watch?v=GQb_Q8WRL_g
Posted by: tonyc

Re: Internet security software - 18/04/2012 04:38

I'm a strong advocate for OS X as a desktop OS, but it's worth pointing out that OS X was really late to the party in having a half-decent ASLR implementation, and has earned much of its reputation for security by being a smaller target in terms of market share. I'm not saying Windows 7 is more secure if you control for the market share effect, but I bet it's closer than most people think, and most of Apple's gains came from the most recent 10.7 Lion release, while the claims about being more secure were made when OS X was still vulnerable to many classes of attacks that other OSes solved many years prior. (Of course I'd rather get pwned and restore from Time Machine several times a day than use Windows or any Linux distro as my main desktop machine.)

Given how long it took Apple to issue a patch for this very prominent exploit, I think they'd be in trouble if OS X were suddenly on 80-90% of all desktops tomorrow.
Posted by: peter

Re: Internet security software - 18/04/2012 06:16

Originally Posted By: tonyc
Given how long it took Apple to issue a patch for this very prominent exploit

The normal Apple "technique", of not saying a thing until they have a fully-fledged solution, is always going to look irresponsible when applied to security issues. It's the way Microsoft behaved before they realised they had a security problem.

Peter
Posted by: Taym

Re: Internet security software - 18/04/2012 13:22

Originally Posted By: drakino
This is what I don't understand. One semi major incident means that OS X instantly loses the safer title?
[...]
If you go back and look at Apple's claims, they never said virus proof, or any sort of similar language. Their direct claim was that their platform didn't suffer the same sorts of problems that Windows did.


- Current OSX is not >inherently<, per se, a safer OS than any competitor. It is simply benefiting from not having been targeted as much. And this is not to say that Windows/Linux/whatever "are better" than OSX or vice versa, or to foster any specific fandom point of view. Both statements would be wrong unless you narrow them down significantly to focus on specific features or paradigms, and highly subject to personal preferences. And even more so, this is not saying that the producer overall as a corporation is better than another corporation overall. In what way would it make sense?
The fact is that OSs come with bugs, and their users are not from different breeds: they all can be fooled.

- Until today Apple has deliberately and openly fueled with clear and effective advertising the popular myth according to which Apple products "don't get viruses" (whatever that actually means in technical terms). The "I am a PC-I am a Mac" commercial you linked is as irresponsible as it gets. It does not elaborate, explain, or put any disclaimer on screen. It actually makes many users feel safe when they're not. The target audience of that commercial is not the tech savvy, and the message anybody w/o advanced/average IT knowledge gets is that a PC sneezes while the Mac does not and is not scared to stand next to it. The fact that they have not precisely stated that Macs are invulnerable to viruses is at the same time true and a devil's advocate's argument to defend Apple.

Apple can make mistakes, both technical and ethical, like any other company. And like any other company, they actually do make them every now and then.
Posted by: wfaulk

Re: Internet security software - 18/04/2012 16:06

Originally Posted By: taym
Current OSX is not >inherently<, per se, a safer OS than any competitor

Yes, it is. It's designed from the ground up to be a multiuser system with privilege separation.

Windows is still dealing with cruft, both technical and psychological, from its single-user days. It's a little better now than it used to be, but not a lot.
Posted by: mlord

Re: Internet security software - 18/04/2012 17:01

My biggest beef with "Windows Security" (if such a thing exists) is that the system and applications all have this mindset where they like to automatically find and run random programs. Regardless of the under-the-hood heritage, that kind of behaviour is just begging for infection.

For most personal systems and products, I feel that security is way overdone in general, making systems harder to use than they need to be. Most of that could go away if apps would simply stop including loopholes to automatically run code they find in attachments, documents, websites, and/or inserted media.

Cheers
Posted by: Taym

Re: Internet security software - 18/04/2012 19:15

Originally Posted By: wfaulk
Yes, it is. It's designed from the ground up to be a multiuser system with privilege separation.
Windows is still dealing with cruft, both technical and psychological, from its single-user days. It's a little better now than it used to be, but not a lot.


Assuming this is true, this would not be a valid reason to consider Windows a less secure OS than OSX. Security depends on much more than that.

But, in any case, is it true?

1. When has Windows NT3.5, 4.0, 2000, XP, Vista, 7, been single user? Windows 3.x, 95, Millennium are a >different< OS, starting from Kernel up.

2. Would you please provide or point me to any official paper, tech specification, factual technical evidence that supports your statement? And, please understand I am not referring to historical data. I am referring to Windows 7 vs OSX in their respective latest versions.

Please, understand I don't mean to disagree with you or challenge your statement for the sake of it, or prove you wrong. I don't have an opinion myself on that (Windows 7 and OSX inherent technical security) nor >>real<< data, in spite of the hundreds of articles and opinions one reads here and there in years, to support any specific view. I just want to separate generic personal appreciation for this or that product from facts, and since you are a very strong supporter of one of the two platforms, I am honestly curious to understand exactly what you are referring to.

See, in the last 10 years I've seen, on the field, hundreds of Windows machines in public locations in our organization used by hundreds of users per day, and I have real stats on that. Never a machine was infected by malware or viruses beyond the boundaries of the user environment, never the OS was compromised, and we don't reinstall the OS for years (3 to 5, which is simply the life-cycle of the hardware), and never because it "naturally slows down" as the common popular belief would suggest: never we've seen performances decrease because of simple, standard daily usage by a very wide range of different users, ranging from complete user illiterates to fairly advanced ones, all with average/high level of education.
I mean: never.
So, see, while my experience would 100% support the idea that Windows by default puts users in the condition to do a lot of damage still today, that does not at all reflect what the OS is technically capable of and how safe it inherently, technically, is.
And actually, all this is based on the 11-year-old Windows XP.

In any case, any additional info is useful and welcome.
Posted by: andy

Re: Internet security software - 18/04/2012 19:38

Yes NT3.5/NT4/Win2k/WinXP were all technically multi user. However, to actually use them as a typical non corporate user, you were pretty much guaranteed to be logged in as a user with admin permissions.

This was because for a long time Microsoft made little effort to make things easy for an end user to get things done logged in as a non admin user. They tried to improve this in Vista and made a mess of it, thankfully in Win7 that got a lot better*.

Things were even worse for developers, I still have to run Visual Studio as admin to do a lot of things (though they are fast reducing that list of things now).

* though it still doesn't really solve the problem for non technical users. There is a horrible irony where browsers and other Internet facing apps need to update themselves to keep the user safe, but to do so they need to ask the user for admin permissions if the user isn't logged in as an admin. To the uneducated user of course one dialog looks much like any other, meaning they can never tell a real update from something malicious also asking for admin rights. All of which leads to my mother emailing me screenshots of update dialogs on a weekly basis, asking if it is safe to press OK frown
Posted by: andy

Re: Internet security software - 18/04/2012 19:57

Originally Posted By: taym

never the OS was compromised, and we don't reinstall the OS for years (3 to 5, which is simply the life-cycle of the hardware), and never because it "naturally slows down" as the common popular belief would suggest: never we've seen performances decrease because of simple, standard daily usage by a very wide range of different users, ranging from complete user illiterates to fairly advanced ones, all with average/high level of education.


Unfortunately that completely fails as soon as an end user owns a Windows machine. I've never quite worked out why, but most of my friends can turn a perfectly ok Windows machine into a slow bloated thing within 12 months.

They never seem to have installed anything particularly interesting, but whatever it is it slows them down. Occasionally I can track down what is dragging it down and improve matters. But I'm afraid most of the time my advice has to be reinstall the lot.

This has never really been my experience with my own Windows machines, but just about every non techie friend I know has the same effect on their Windows machine in the end.

For what it is worth, I think Win7 is better than OSX. I now use OSX as my daily OS, but that is only because I think the Apple hardware is the best you can buy. For me OSX is still not as stable as Windows (I can count on one hand the number of blue screens of death I've had since WinXP arrived). I can't say the same about kernel panics on OSX frown

If it wasn't for Chrome and VirtualBox I'd probably be booting this MacBook into Win7 rather than running OSX wink

And that isn't to say there aren't lots of good things about OSX, but it does get some very basic things horribly wrong. Like window management and Finder for a start.
Posted by: Taym

Re: Internet security software - 18/04/2012 21:19

Originally Posted By: andy
Unfortunately that completely fails as soon as an end user owns a Windows machine. I've never quite worked out why, but most of my friends can turn a perfectly ok Windows machine into a slow bloated thing within 12 months.


Andy, agreed on all accounts. This has been my experience too, approximately.

We also distribute more or less 3000 Lenovo Windows-based laptops and 1000 OSX-based laptops to our users. They come with a standard software endowment, but users are admins on these machines and can change the configuration as they want.

Data I have and my direct experience tell me that:

1. Non techie users will most likely slow down their windows machine. Causes for this, accounting for almost 95% of all cases, are, however, known, at least as far as we experienced, and they are:
a. Insufficient amt of RAM to accommodate all running tasks that users end up having after installing a significant amt of software;
c. poorly designed software keeping power or RAM hungry processes always running;
d. Concurrent AV software some users install w/o knowing they should not install more than one at the same time.

And then, of course:
e. Virus/malware, which ends up being part of c., above, if you wish;
f. Hardware issues (number one being by far HDD damages, followed by faulty RAM modules) that cause the PC to look unresponsive for some time, and occasionally crash. That is also what users report as "slow" machine.

Interestingly:
1. Apple hardware is as reliable as the best Lenovo we have. Not better than it, though. Some Lenovo lines, such as the Edge family, seem a bit more delicate than the other more "corporate" lines. Faulty screens, keyboards, touchpads, batteries, PSUs, ram modules, occur just as often with Lenovo and Apple. But, my guess is that this is the best the market has to offer and other brands would not perform as well. Interestingly, I can't seem to notice any worsening of quality since the transition from IBM to Lenovo, so far.

2. We do seem to have quite a few older Apple laptops (two years old, since we would not distribute Apple before then) which are brought to tech support because they are "slow". I do not recall figures though, nor the identified causes for that. My best guess though would make me think the reasons are the same as for Windows machines, except for virus/malware. Which is, unfortunately, going to change and if we don't succeed in providing some basic education to non-experienced users, it is possibly getting bad.

Quote:

For what it is worth, I think Win7 is better than OSX. I now use OSX as my daily OS, but that is only because I think the Apple hardware is the best you can buy. For me OSX is still not as stable as Windows (I can count on one hand the number of blue screens of death I've had since WinXP arrived). I can't say the same about kernel panics on OSX frown


I tried OSX as my main laptop experience and reverted to Windows 7 mostly because I never fully adapted to the different paradigm and got tired of being less productive than with Win7 without any actual gain. I consider this a personal thing and not objectively a limit of the OS itself, but I very much relate to your comments on Finder and window management in general. I did not use OSX as main OS long enough to speak from my experience directly, but it is true that we (well, not me in particular, but I get that info and sometimes get to play with those machines if I have time) see daily OSX laptops crashing and hanging. Users and the way these machines are physically treated (bad!) do play a role in that.

All this just to bring my personal experience. Not at all meaning anything in principle against or in favor of OSX, which, however, overall, I like.
Posted by: hybrid8

Re: Internet security software - 18/04/2012 22:35

For Mac OS X, just install Path Finder and forget about the default Finder. It's much much better than Explorer in Windows with a lot more features/power. Needless to say it clearly makes Finder look like what it is, basic (and getting crappier with every OS update).

The unfortunate thing about Mac OS X is that with every new release while a few positive features are added, a lot is getting worse. The default software is getting a lot more buggy, features are not properly conceived and developed and fixes are not being propagated to older hardware because the model cut-off is moving up rapidly.

Mac OS 10.7 Lion is the worst OS Apple has shipped since 2003, IMO. Prior to that Mac OS wasn't worth even considering as a primary OS.
Posted by: wfaulk

Re: Internet security software - 19/04/2012 16:44

Originally Posted By: taym
When has Windows NT3.5, 4.0, 2000, XP, Vista, 7, been single user?

Look at the default file permissions on %SystemRoot% on most of those OSes. It's pretty much wide open; any user can screw with any of those files. (This seems to no longer be the case under Win7/2k8, and it was a little better under 2k3, where only "Power Users" could screw with those files.) Part of that had to do with the fact that the OS would install on a FAT filesystem and convert it to NTFS.

That said, there's a fundamental architectural difference, in that the privilege separation available in Windows is an afterthought and not built into the design of the system. Many experts agree with me and can speak about it much better than I can. Just google for "windows privilege separation". Here are a couple of good articles: "The Importance of Privilege Separation", "Bolted-on security features aren't secure".

It's also worth noting that Microsoft's resolution to security holes in the OS was not to fix those security holes, but just to implement a firewall. Not that there's anything wrong with a firewall, other than it kind of keeps you from remotely accessing the computer, and if you have to expose one of the exploitable services, it does no good.

Also, if you look at security fixes for other OSes, they largely amount to coding mistakes and are usually easily fixable because the change won't affect anything that's not trying to exploit it. On the other hand, Windows security fixes frequently break existing functions because they've had to rearchitect the offending code. (This is obviously a generalization, but it tends to be true.)

The other, and perhaps bigger, problem is that generations of Windows users have gotten used to being able to do whatever they want on their computers without being bothered with security. There were a lot of problems with Vista, but the one thing that got the most complaints was the intrusiveness of its UAC. And that was potentially the one thing it got right. Regardless, it's a psychological problem. Windows users are irritated when they have to deal with privilege separation, and Microsoft kowtowed to them by scaling back UAC significantly under Windows 7. That said, if they hadn't, people would have just turned UAC off. (In fact, they did, and they still do.)

And the fact that you can turn UAC off is just another example of how superficial Windows' privilege separation is. It just proves that you're allowed to do anything on the computer unless UAC recognizes that you're not supposed to. It's effectively a default-allow policy instead of a default-deny one.
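An added example, not part of the original post: one way to check the %SystemRoot% permissions point on a given machine is to save the output of `icacls %SystemRoot%` and flag entries that give broad groups modify-capable rights. The sample output below is constructed for illustration (not captured from a real system), and the `BROAD` and `WRITE` sets and the function name are assumptions to adjust.

```python
import re

# Principals that include ordinary, non-administrative accounts (assumed list).
BROAD = {"everyone", r"builtin\users", r"builtin\power users",
         r"nt authority\authenticated users", r"nt authority\interactive"}
# icacls rights codes that let the holder change, delete or re-permission a file.
# Inheritance markers such as OI, CI, IO, NP and I are not rights and are ignored.
WRITE = {"F", "M", "W", "D", "GA", "GW", "WD", "AD", "DC", "WDAC", "WO"}
# One ACE per line: principal, a colon, then one or more parenthesised groups.
ACE = re.compile(r"^(?P<who>.+?):(?P<groups>(?:\([^)]*\))+)$")

# Constructed sample in the layout icacls prints; not from a real system.
SAMPLE = r"""
C:\WINDOWS BUILTIN\Administrators:(OI)(CI)(F)
           NT AUTHORITY\SYSTEM:(OI)(CI)(F)
           BUILTIN\Power Users:(OI)(CI)(M)
           BUILTIN\Users:(OI)(CI)(RX)
           Everyone:(DENY)(WD)
           NT AUTHORITY\Authenticated Users:(CI)(IO)(GR,GW)

Successfully processed 1 files; Failed processing 0 files
"""

def risky_aces(icacls_output, path):
    """Return (principal, rights) pairs where a broad principal may modify path."""
    findings = []
    for line in icacls_output.splitlines():
        line = line.strip()
        # The first ACE shares its line with the path; drop the path prefix.
        if line.lower().startswith(path.lower() + " "):
            line = line[len(path):].strip()
        m = ACE.match(line)
        if not m:
            continue  # blank lines and the "Successfully processed" summary
        groups = re.findall(r"\(([^)]*)\)", m.group("groups"))
        # Deny entries restrict access, and narrow principals are out of scope.
        if "DENY" in groups or m.group("who").lower() not in BROAD:
            continue
        granted = sorted({t.strip() for g in groups for t in g.split(",")} & WRITE)
        if granted:
            findings.append((m.group("who"), granted))
    return findings

if __name__ == "__main__":
    for who, rights in risky_aces(SAMPLE, r"C:\WINDOWS"):
        print(f"{who}: {','.join(rights)}")
```

An empty result means none of the listed broad groups holds a modify-capable grant on that path; entries marked `(IO)` apply to children of the directory rather than the directory itself.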
Posted by: canuckInOR

Re: Internet security software - 19/04/2012 21:33

Originally Posted By: wfaulk
Windows users are irritated when they have to deal with privilege separation, and Microsoft kowtowed to them by scaling back UAC significantly under Windows 7. That said, if they hadn't, people would have just turned UAC off. (In fact, they did, and they still do.)

Yep. And I'm one of 'em. Turned the damned thing off, as soon as I could. And I'm a veteran Linux user who quite happily uses a non-privileged account, reserving sudo usage for the appropriate tasks.

But, in fairness, I know I can do so safely, because I run Win7 in a virtual machine, and only for testing purposes. No email, no web-surfing, etc. Heck... I don't even have it connected up to our domain.
Posted by: Taym

Re: Internet security software - 11/05/2012 11:24

Originally Posted By: wfaulk
Originally Posted By: taym
When has Windows NT3.5, 4.0, 2000, XP, Vista, 7, been single user?

Look at the default file permissions on %SystemRoot% on most of those OSes. It's pretty much wide open;
[...](This seems to no longer be the case under Win7/2k8


That's my point. No longer the case.
Leaving aside that a bit of work even on the 10-year-old Windows XP would secure the machine very well (which included changing permissions to %SystemRoot%, which we used to do) - provided some basic maintenance (App upgrades, mostly, as OS upgrades are typically scheduled and automatic) -, today the problem you mention is just not there any longer. Which is why I don't consider Windows inherently less secure in this respect.

Quote:
That said, there's a fundamental architectural difference, in that the privilege separation available in Windows is an afterthought and not built into the design of the system.

Assuming this is true, how is this speaking about how secure Windows is today? An afterthought does not necessarily mean "poor implementation". There have been excellent cases of afterthoughts in history of IT, and technology in general.
That's why I was asking for facts (papers, tech documentation) that show where this inherent lack of security is.

Quote:
Many experts agree with me

And many others don't. Again, please don't think I am trying to prove you wrong. What I am saying is that as far as I am concerned there really is no final word, there; security of various current OSs in the market has been constantly increasing over time, and at each new release, version, patch, if we could scientifically and factually measure security, the winner cup would shift from one hand to the other continuously.
Claiming that Windows (or OSX, or Linux) is a "more/less secure" OS in such general terms, maybe just because of that OS specific history, or because we "like it better", is just not convincing at all, to me.


As to: http://sec.apotheon.org/articles/the-importance-of-privilege-separation
That article contains opinions at most. Information on Windows is just wrong or inaccurate, possibly referring to the other DOS-based Windows (95/98/ME) which has nothing to do with current Windows and its predecessors (7/Vista/XP/2000/NT4.0). Mostly, it is all but factual.
Same goes for http://www.techrepublic.com/blog/security/bolted-on-security-features-arent-secure/376 , which clearly claims (again with no facts) that Windows evolved from DOS, so clearly the guy is referring to the other Windows, not the one most people use in 2012. And again, not factual. And they're both so old that the authors, clearly ignoring most basic facts of Windows in those years, would not even imagine what the years-to-come Windows 7 would be.

Quote:
It's also worth noting that Microsoft's resolution to security holes in the OS was not to fix those security holes, but just to implement a firewall. Not that there's anything wrong with a firewall

What makes you say that? I see hundreds of hotfixes every year that do exactly that: fixing. And they have nothing to do with the firewall. And, they don't break any existing code. Again, for years, we've adopted various update strategies, in various departments. Some machines (hundreds) were updated right away upon release, others were updated via the internal WU server after test and approvals by us. In either case, very, very few cases of incompatibility came up. Maybe 2 or 3 in 10 years. And with specific old applications. Saying that Microsoft updates "break" existing code is in my experience just a popular myth. But again: do we have any >>stat<< from a third party analyst that shows with actual data how MS updates broke existing code more or less frequently than any competitor, if there's any: MS Update service is possibly the largest and most complex in the world (but still); and, in a specific timeframe, possibly in the last 5 years, just to look at data that has any relevance today? Not that I know of, but any hint is welcome.

Quote:

The other, and perhaps bigger, problem is that generations of Windows users have gotten used to being able to do whatever they want on their computers without being bothered with security.

I agree on this, in these terms:
I too think that Windows never successfully allowed a generic user to work easily without using the Admin account. But technically it has always been possible and doable, in the past with most applications, today with virtually ALL current apps. And it was done, and it is being done, every day, successfully. Still, doing any such thing, in the past more than today, would require a more experienced user, at times a professional, to prepare the machine properly. Nothing that the average user would be able to do. So, in homes, all use Windows as an Admin.
But this is why I do not consider this an >inherent< lack of security of the OS, but rather a User Experience Design fault. But this is just how we define "inherent", I suppose, so maybe I am wrong in the meaning I assign to the word itself.


Today, I simply believe that it is possible that Windows 7 64bits patched a few days ago and OSX Lion patched and updated as well are one more secure than the other. And, whichever is the most secure, the situation may change next month.
One thing is sure, I think: we'll see more and more viruses and trojans for OSX as it is now popular enough.