Naked Win 7 still vulnerable to most viruses

Out-of-the-box Windows 7 machines are still vulnerable to eight out of ten viruses, according to a test by security firm Sophos. The experiment proves that the improved User Account Control (UAC) features built into Windows 7 are not enough and that additional anti-virus protection is still required. In fairness to Redmond, …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Linux

    lol - UAC in name only

    ... because if the system was built to respect different user levels to run more privileged commands then it should stop more than just 1 virus.

    So UAC like WGA is just nag ware then?

    Before you flame me, remember the next version of Ubuntu just came out to rapturous disappointment.

  2. Craig 12
    Stop

    Hope I'm not the first to say

    This is so much BS I can't believe el reg reproduced it without critique. The assumptions, methodology, and conclusions are mind-numbingly wrong.

  3. Avalanche
    Headmaster

    "constant pop-ups"?

    I have UAC turned on on my Windows Vista PC and I do not experience the 'constant pop-ups' that The Register and other people attribute to Windows Vista.

    I have only once experienced a program that caused some UAC popups during normal use and that was a program that didn't follow the guidelines for file placement etc and was designed and written long before Windows Vista was introduced.

    All other software I use only causes a UAC popup on installation, update or deinstall, just like they should.

  4. pat 14
    Black Helicopters

    time, gentlemen, time!

    how long did it take to get ten viruses?

    dr-own?

  5. John Freeman
    Pint

    Let Me Stop You Right There,,,

    "Get a Mac", blah, blah. This should take care of hundreds of comments. Point is once Mac starts supporting 95% of the world's market with all of the interoperability issues (hardware/software) and can still say what they usually say, then I will listen; until then, grab a pint and p**s off with you.

  6. Toastan Buttar
    FAIL

    Trojan != Virus

    How many times does this need repeating?

    Autorun? Isn't that disabled by default in 'Naked Win 7'?

  7. Anonymous Coward
    WTF?

    Hummm...

    This is a bit daft really, you might be the cleanest person in the world but without a condom you are likely to catch an STI... You might pop along to the sex clinic and get some johnies for free, in fact Microsoft do much the same thing with Security Essentials. I'm guessing they can't include this with Windows because the European bonks would cry about anti-competition!

  8. Ken Hagan Gold badge

    Lesson learned?

    Apparently not. The real lessons are that you need to stop running as admin and you need to stop running attachments.

    If the assertion is that these viruses launch themselves, without the end-user's consent, in an ordinary user account and still manage to end up with full privileges, then I'm all ears. I suspect, however, that this is more a case of "admin runs attachment, system owned, film at 11". (Reminds me of something else I read here today. Oh I remember, it was that Linus quote about the surprise discovery that running arbitrary code as root is a bad idea.)

    Anyway, MS apparently just don't get it. They've spent the last ten years trying to hide the "administrator" account but consistently made the ordinary user account a member of the administrators group. Er, hullo? Does *anyone* in Redmond still understand the NT security model?

  9. Cameron Colley

    UAC would be less annoying if it worked properly.

    I spent a tedious hour setting up a new Win7 Laptop and was frustrated by the need to select the UAC dialogue while trying to install Flash and another couple of applications (whose names I don't recall) -- it was lucky that I decided to Alt-Tab or I would have had no idea why the installers failed since the UAC dialogue, and its darkening effect, were hidden behind Internet Explorer.

    I know it's a minor thing, but you would have thought that after all these years Microsoft programmers would be able to write system modal dialogue boxes which are on top.

  10. Anonymous Coward
    Stop

    UAC is not strictly about security

    The idea of UAC is to make software houses write software that can be run as an ordinary user with the end game being users will be able to run their software logged on as a 'restricted user'. This will of course eventually bring about a default secure system.

  11. Anonymous Coward
    Anonymous Coward

    So go ahead and disable UAC

    as 90% of the time it doesn't work anyway.

    Besides, the sad fact is people likely to get malware will click "yes" to anything and everything they see without reading it.

    Maybe they should replace the "yes" button with a second "no" button?

    Then users will 'choose' the right option but applications can still bypass it because it doesn't work. It's win win!

  12. Dave 129

    @Toastan Buttar

    Autorun: nope, alive and well - you have to disable it :( And the default is to run a prompt to ask what you should do with the CD/DVD. Oh yeah, and you still have to turn off "hide extensions of known file types".

    @Avalanche: with Vista I would get on average 3 or 4 UAC prompts a day just from using it. BUT I was doing dev work and needed to be able to edit the hosts file and various other config files and run services etc. I dare say for normal email and letter writing / web browsing you wouldn't see any prompts at all, other than those you already mentioned.

    Finally: were the tests conducted using a "limited user" account or an "Administrator" account? I would be interested to know what the results would be in that instance and if that makes any difference at all (likely not).

  13. King John
    FAIL

    news?

    Some AV firm says windows 7 needs AV..........

    Thanks for that.

  14. Paul Charters
    Stop

    Y-aaawwwnnn...

    If you really expect an OS, any OS to be safe from viruses and/or malware you really are living with your heads in the cloud...and the cloud is a very stupid place to be.

    Look, let's all just grow up a bit. The simple fact is that there are a bunch of a*seholes out there who want to take your private data and financial information (called Google - ahhhh, fight! fight! fight!), and the ability to spread the software that does these very things. There will always be more ways to make it happen being spread, and there will always be methods to combat it.

    (And yes, I don't need any pedantry surrounding the term 'always')

    The sooner we just get visual confirmation of people spending the better. I mean, we live in the most camera'd country in the world...why not put cameras to some real use and only purchases to be sent along with an on-the-spot-taken image?

  15. Anonymous Coward
    Welcome

    A contender for...

    ..."least surprising headline of the week/month/year/decade"

  16. Anonymous Coward
    WTF?

    Can of worms

    Fair enough, this is just a "Hey, you'll still have to buy OUR product!!!" announcement - and a bit of what would appear to be free advertising to boot.

    The pity is that we now have a situation whereby should Microsoft actually implement effective malware controls (for prevention as well as cure) in the next Windows release, several companies will go scurrying to the EU to complain and demand some sort of system to allow their own product instead. Throw costs into that, and it's just made it almost pointless for MS to bother securing Windows - to the detriment of us all, no matter what the OS.

  17. Anonymous Coward
    Anonymous Coward

    Imagine...

    ...the outcry from the freeloaders (like the Opera saga) if they included an anti-virus

  18. Richard 102
    Jobs Halo

    @John Freeman

    I'll go further than that, I'll get off at the depot. Why not get a mainframe? After all, do you hear about home users having trouble with a virus on their mainframe? And with 70% of the lines of code in the world written in COBOL, it's obviously got more software than anything and the de facto standard for software.

    Seriously, though, with OS X being built upon BSD, the security model is going to be inherently better at a base level than the Win.* model, which is based on slapping things together. I know that any computer system that is connected to a network is going to have risks and issues. However, there is such a thing as degree of difficulty. It is true that the WinNT core/kernel/etc is based on the work of Dave Cutler, who was a key player in the development of VMS. However, per the culture of MS, a lot of slapdash work has been done along the way and, in the name of backwards compatibility, has been fixed in the nature of spit-and-bailing-wire.

    OS X may have its issues (I own Macs and I admit that they aren't perfect), but good gravy, the comparisons speak for themselves. If the big money places (banks, corporations, governments) use a lot of *nix and mainframe servers, wouldn't that be the best target for the black hats? Recall the John Dillinger line, when someone asked him why he robbed banks: "Because that's where the money is." Okay, so why aren't Linux, Solaris, Oracle, DB/2, etc, breached far less often than Windows? Perhaps there is something inherently less secure in Windows ...

  19. Ed Blackshaw Silver badge

    So my question is...

    What AV software would people put on their machines? I used to use AVG on my home PC until it started to become intolerable bloatware. Now I use Avast and it seems to work quite well. Does anyone else have any recommendations?

  20. Paul R
    Big Brother

    @Cameron Colley

    I think you'll find that the MS programmers very specifically designed it so that they didn't pop up on top of everything else. It's less intrusive that way, and much less likely that you'll accidentally click the wrong thing. Imagine if you will that you're typing away in a Word document and a UAC prompt pops up from something running in the background just as you come to the end of a paragraph and press Enter. You've just given permission to something to do what it wants. What was it? No way to tell now.

    MS listened to many many users who complained that the UAC prompts were coming up system modal and interrupting their work flow. So they stopped them being system modal and allow you to carry on with whatever your foreground task was until you decide that you're ready to deal with that background UAC prompt.

    Much better that way.

  21. mittfh
    Linux

    UAC - good idea, implemented far too late.

    If UAC had existed from Win 95 onwards, then I suspect we wouldn't be seeing most of the problems associated with it.

    After all, UNIX/Linux was built from the ground up to request elevated permissions when doing potentially risky stuff (e.g. Mandriva Control Center, writing to any folder other than /home/username) application developers made darn sure their apps only wrote user data to 'safe' folders.

    Windoze didn't have anything like that, so app devs were free to write user data wherever on the system they darn well wanted to ( C:\Windows used to be a favourite, then the app folder within Prog Files). So trying to shoehorn a set of security protocols onto a system that wasn't designed to have any was bound to cause problems - as oodles of applications tried to write data to 'unsafe' locations and prompted the UAC prompt.

    Oh, then there was the problem of graphics drivers. Unless you had exactly the right version of graphics driver (not necessarily the latest), switching to the "Secure Desktop" would take painful seconds to do so. And between taking a snapshot of your desktop, storing it somewhere in the recesses of your computer's memory, and drawing the image onto your screen, you'd be presented with err...nothing. Literally.

    And with this research, once you fall off the end of the 30 day AV trial most PC manufacturers bundle with Windoze, if you haven't already upgraded to a full AV package, you're b*gg*r*d if you venture onto the 'net...

  22. Wolf 1
    FAIL

    So user bitching results in less protection

    REALLY?????

    That's why I slide the UAC setting back up to its Vista-level equivalent. And install MSE. So far MSE actually caught (and cleaned) a browser modifier trojan that Bitdefender missed. This was on Vista though.

    Home users with Win 7? Definitely use MSE, and return that UAC slider to the highest setting! It's simple:

    1. On the Control Panel click "Review Computer Status".

    2. Click "Change User Account Control Settings" (second choice on left pane)

    3. Give an administrator password

    4. Slide the UAC slider all the way to the top.

    5. Click OK. You may be prompted for the admin password again.

    Sorted!
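
A read-only check for the slider position set in the steps above, as an added example that is not part of the original thread. It assumes the commonly documented mapping between the four slider positions and the `EnableLUA`, `ConsentPromptBehaviorAdmin` and `PromptOnSecureDesktop` policy values; the function name is hypothetical.

```powershell
# Added example (not from the thread): report which UAC slider position
# the machine is currently set to. Read-only; no elevation required.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacSliderLevel {
    # Hypothetical helper: maps the three policy values to a slider position.
    param(
        [int]$EnableLUA,
        [int]$ConsentPromptBehaviorAdmin,
        [int]$PromptOnSecureDesktop
    )

    # Windows 7 drops EnableLUA to 0 when the slider is at the bottom,
    # which switches off the filtered admin token as well as the prompt.
    if ($EnableLUA -eq 0) {
        return 'UAC off (EnableLUA = 0)'
    }

    switch ("$ConsentPromptBehaviorAdmin/$PromptOnSecureDesktop") {
        '2/1'   { return 'Always notify (top of the slider)' }
        '5/1'   { return 'Default: notify only when programs make changes' }
        '5/0'   { return 'Notify without dimming the desktop' }
        '0/0'   { return 'Never notify (bottom of the slider)' }
        default {
            # Group Policy can set combinations the slider never produces.
            return "Custom policy (ConsentPromptBehaviorAdmin=$ConsentPromptBehaviorAdmin, PromptOnSecureDesktop=$PromptOnSecureDesktop)"
        }
    }
}

# Live check against the local registry.
$p = Get-ItemProperty -Path $key
$level = Get-UacSliderLevel -EnableLUA $p.EnableLUA `
    -ConsentPromptBehaviorAdmin $p.ConsentPromptBehaviorAdmin `
    -PromptOnSecureDesktop $p.PromptOnSecureDesktop

Write-Output "UAC setting: $level"
if ($level -notlike 'Always notify*') {
    Write-Warning 'UAC is not at the highest (Vista-equivalent) setting.'
}

# Constructed sample values, to show the mapping without touching the registry.
Get-UacSliderLevel -EnableLUA 1 -ConsentPromptBehaviorAdmin 5 -PromptOnSecureDesktop 1
Get-UacSliderLevel -EnableLUA 1 -ConsentPromptBehaviorAdmin 2 -PromptOnSecureDesktop 1
```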

  23. Cantankerous Old Buzzard
    Gates Horns

    Sarcasm time

    "The most secure version of Windows yet."

    Need anyone say more ??

  24. AndrueC Silver badge

    Hmm

    Running 'as an administrator' in Vista/Windows 7 ought to be less of an issue because of UAC.

    The privileges are (or should be) disabled until required. When something tries to use those privileges that's when the screen darkens and the OS asks if you want to be elevated. If you select 'No' then you don't get elevated and the operation fails. If you aren't running as an administrator the prompt invites you to specify credentials for a different account.

    It's basically just an automated version of the 'su' command with the advantage that it automatically rescinds the privileges when the process ends.

    It all sounds perfectly reasonable and in my experience it works well. You don't get prompted very much in normal use and selecting 'No' always seemed to terminate the operation. The only time the prompting is a pain is if you are dicking around in system folders. Then again that's when it's doing its job.

    UAC was designed to encourage users and developers to move toward a more secure environment. That ought to offer some protection against malware but it still relies on the user. It's the difference between having a condom in your bathroom cabinet and actually stopping to put it on :)

  25. Andy Cadley
    FAIL

    UAC? Viruses? Huh?

    *sigh* UAC has nothing to do with preventing viruses. It's not designed to stop them working. As a "security researcher" you'd think Chester Wisniewski would know this. Perhaps he needs a lesson in basic research.

  26. Anonymous Coward
    Thumb Up

    In other news

    Rumors of the Pope's conversion to Buddhism prove unfounded.

  27. Bilgepipe
    Gates Horns

    @John Freeman

    The only mention of Mac in this entire page up to now is your post.

    Back on topic - Windows get viruses. Hardly shocking news.

  28. windywoo
    FAIL

    Sophos seem to be pushing for

    An antivirus ballot page just like the web browser ballot page. Either that or they want Microsoft to release an OS so secure that it puts them out of business and breaks backwards compatibility.

  29. Anonymous Coward
    Anonymous Coward

    Methodology?

    Did the UAC prompt up and the tester click on OK? If it wasn't invoked then did the malware actually do anything other than run and, if so, did it infect more than the local user account? Do any of these pieces of malware use remote exploits, or are they all run by the user themselves?

    Every single operating system in the world is vulnerable to executable code that the user explicitly runs (and elevates) themselves.

    Plus, 10 cherry-picked pieces of malware is hardly a representative sample size. And the headline is incredibly misleading.

    Then again, Sophos is trying to sell a product. Makes you wonder whether the AV vendors are any different to the scareware vendors.

  30. Captain Save-a-ho
    FAIL

    8 of 10 viruses?

    Maybe I've lost count of how many viruses target the OS, but I thought that the VAST majority of viruses target specific applications like Office. I have no doubt that there's a large number that still apply, but not 80% applying to a fresh OS install.

    This really smacks of searching for a stat to justify a POV rather than developing a POV based on overwhelming statistical data.

  31. Toastan Buttar
    Thumb Up

    What AV software ?

    I've been impressed by MSE. You'll need more than 512MB of RAM on XP, or else your system gets a bit bogged down. Apart from that, it's the least conspicuous AV package I've ever used under Windows.

  32. magnetik

    @AndrueC

    "It's basically just an automated version of the 'su' command with the advantage that it automatically rescinds the privileges when the process ends"

    So like sudo then ...

  33. PirateSlayer
    WTF?

    @Richard102

    "If the big money places (banks, corporations, governments) use a lot of *nix and mainframe servers, wouldn't that be the best target for the black hats...so why aren't Linux, Solaris, Oracle, DB/2, etc, breached far less often than Windows? Perhaps there is something inherently less secure in Windows ..."

    Or perhaps soft targets are easier than banks and companies with teams of guys to do battle with the black hats. Path of least resistance. As for Dillinger's quote, if you rip off ten thousand cretins' credit cards that's where the money is...I'd like to see the bank that stores their account details on USB sticks and leaves them on trains.

  34. Cameron Colley

    @Paul R.

    System modal does not have to mean "default==yes". Whether you take the Gnome-style approach of asking for a password, or an easier tick-box or default to "ask me again until I decide" the UAC window means that something very important is about to happen to your PC and you have to know about it.

    In what situation would you be working on an innocent document and UAC had to pop up?

  35. Inachu
    Unhappy

    stupid title.

    that's like saying.... Yep poopie still gets on toilet paper!

  36. AndrueC Silver badge
    Thumb Up

    Ah yes :)

    Yup, I'd forgotten about sudo, it's been a while. I wouldn't wish to claim that Microsoft had invented anything here, just making the point that 'running as an administrator' is not the stupid idea that it used to be. It's debatable just how much more safe it is but UAC is a huge improvement over running as a limited user under XP :)

  37. Anonymous Coward
    Gates Halo

    UAC

    UAC in Vista was never an end in and of itself, it was a means to an end.

    The point of UAC was to start disciplining software developers to write code properly. Which they now have to do to use the Windows 7 platform.

    This is a GOOD thing, and only the completely ignorant and arrogant could suggest otherwise.

  38. WinHatter
    Pint

    Two Trojans down.

    "Two Trojans - a variant of Bredo and a banking trojan - failed to work on Win 7 machines."

    Woawww

    Meaning APIs have changed and that many other things will turn out to be broken. Probably the Trojan's code is fixed already.

  39. Lord Elpuss Silver badge
    Thumb Up

    @Paul Charters re virus-free OS

    'i' running on IBM system i. Oh, and all its predecessors too - right back to OS/400 running on the AS/400.

    There, fixed that for you.

  40. Ty
    Jobs Halo

    @Freeman

    Wassup with you?

    Can't afford a Mac so you go all anti?

    Stick with Windows and use the money for AV software. Much better choice.

    Some people.

    You poor Windows zealots. You poor poor people.

    Get a grip get a life get a Mac.

  41. Anonymous Coward
    Stop

    Shocker

    Windows in "still a bag of old shit" shocker.

    I DEFINITELY didn't see that coming.

  42. bex

    Rock and a Hard Place

    Microsoft can't win here. MSE, which is very low end and does a more or less decent job, should be included with the OS but if they did the Antitrust lawyers would be rubbing their hands.

  43. Rune Moberg
    FAIL

    Hang on... It is designed to do WHAT?

    "UAC debuted in Windows Vista as a technology designed to prompt users for permission before allowing applications to run."

    No. That makes absolutely no sense.

    It was designed to prompt users for permissions before letting applications run as root/admin/thebigkahuna. Normal usermode apps will still execute normally without prompting, just like God intended. Only elevation will trigger the prompt.

    So... What exactly did the researcher do? See if a bunch of infected apps would run? Duh... Of course they would! The interesting bit is: Did the virus manage to infect something that an admin could be tricked into launching later? Did it corrupt the system itself? Or did it simply just jerk around with the user's own files? (the latter solved by simply creating a new fresh user profile for the victim)

  44. Anonymous Coward
    Anonymous Coward

    @Richard 102

    Err, banks do use Windows, as well as unix, linux, OS400, ZOS, Tandem, VMS etc, etc. You name it, banks run it. Typically in major financial companies all desktops are Windows (some flavour of NT) and there is a ratio of about 3 to 1 Windows to UNIX servers. You'll usually find a few AS400s, a couple of Tandems (usually for payment processing) and one or more Z Servers. There is also various legacy crap hanging around too.

    In answer to your question, banks are targeted, but not that often because banks employ people who know how computers work. You'll never see a UAC pop up in a bank, because joe user isn't allowed to do anything that would pop it up in the first place. Far easier to target someone who isn't going to understand what is happening and if you're going to target a company, best not to target one that has a direct line to the fraud unit of the Met.

  45. Anonymous Coward
    Anonymous Coward

    Competition is an excuse for security?

    'I'm guessing they can't include this with Windows because the European bonks would cry about anti-competition!'

    I'm guessing they couldn't code a secure OS if they tried...

  46. SpinMe
    Megaphone

    Damned if you do ....

    To the guy who is saying mainframes, corporates have the most market share so why don't they get hacked (win vs linux etc) .. These are corporate environments that are secured with multiple firewalls, intrusion detection systems, security at all levels and IT professionals who design and operate it all. Hardly a comparison to your average home user. Sure they're not 100% secure but a damn sight more than my granny's router.

    Take it back to the desktop and the majority of market share is windows. If the majority was OSX or Linux there would be an equal number of viruses, of that I have no doubt. If you believe otherwise you are deluded. In fact, I would say it would be easier with Linux as the source code is staring you in the face.

    I've used all the main OS's and my experience leads me to believe a few rules:

    1. People who want to get things done quickly - go with windows.

    2. Gamers can only realistically go with windows.

    3. People who want to invest the least time in learning computers go with Macs.

    4. People who want to invest the most time learning computers go with Linux.

    They all have their ups and downs, some are good for certain situations, some are not.

    What I would say is that the global recession has certainly boosted the case of open source. The new Ubuntu release has damaged their reputation. Jackalope was spot on :(

  47. Tam Lin

    UAC Security Theatre 3000

    Just like the US's tragicomic TSA, UAC is brought to you by incompetent sadists enjoying your pain.

  48. DannyAston
    Stop

    Get a grip get a life get a Mac.

    Can you honestly tell someone to get a life with that quote?

  49. Ty
    Jobs Halo

    @SpinMe

    ROFL

    There is so much wrong and misguided about your comment it's unreal. Seriously.

    I suggest you visit other sites than technology from now on. It's just not your thing.

    Poor old chap.

    Thanks for trying though!

  50. magnetik
    Thumb Down

    @SpinMe

    "If the majority was OSX or Linux there would be an equal number of viruses, of that I have no doubt. If you believe otherwise you are deluded"

    No, it's you who are deluded. Tell us why BeOS and OS9, both of which had significantly less market share than OS X, had plenty of viruses. Or why there has been a virus in the wild for Linux powered iPods which number only in the thousands, yet there are still no viruses in the wild for OS X which number in the tens of millions. Also, please explain why, when somewhere near half of all web servers run Linux, we haven't seen the vast number of viruses and worms that have plagued Windows servers.

    If everyone who drove a cheap Hyundai switched to driving a Volvo instead would there be more or less road deaths?

  51. A J Stiles
    Black Helicopters

    You all miss the point

    Windows is *meant* to be vulnerable to viruses.

    It's a very convenient way for the authorities to be able effectively to shut down the Internet in times of civil unrest, to prevent it from being used to broadcast anti-government propaganda. That's also the reason for the urgency to switch to digital radio and TV broadcasting; analogue is simply too easy for any old subversive to break into, especially when the parts you need to build a transmitter can be obtained almost anywhere.

    And don't think for one minute that you're safe from all this if you're running Linux. The Evil Penguin Shagging Communist's weakness is Flash Player, which can be remotely patched to make it not play unsigned (read: potentially seditious) content.

    (Alternative, less conspiracy-theory-influenced reason: The day Windows starts screwing the locks on from the inside of the doors the way other operating systems do, is the day that every legacy application written by a self-taught programmer using a pirate copy of Visual Studio breaks ..... and there's no good reason to prefer something expensive called "Windows" but that can't run legacy apps, over something else that also can't run legacy apps but isn't called "Windows" and costs nothing.)

  52. Rune Moberg

    @magnetik

    OSX and Windows have several things in common, one of which is that they allow most users to run executable applications.

    If a user insists on running some piece of malware, just how exactly will OS X stop him from doing that?

    Maybe OSX has no way to let a particular application start every time the user logs on. If that is the case, then yes, it is probably more secure. It would also be a helluva lot less convenient! I don't think that is the case, do you?

    So... A piece of malware is run by the user, it sets itself to start every time the user logs in... Damage done. No difference between OSX and Windows so far, right?

    UAC is designed to only question the user in case an application requests admin privileges. It is not designed to second-guess the user in case the user simply runs a normal user-level application (or piece of malware).

    What the morons over at Sophos have shown, is that a user can screw with his own setup. If they had also shown that other users of the same machine were infected, then they would have bragging rights. As it stands now, an admin of that computer simply has to wipe the infected user profile and create a new one. (or simply clean it manually -- whatever is easiest)

    That does not change much, no matter what OS you're using. PS: I've not used resident AV products at home for twenty+ years -- no infections so far. Of course I patch security holes often, but I would do that with other operating systems too. (except OSX where updates are often running quite late)

  53. Xavier Serret
    WTF?

    When will people get this: UAC is not for admin accounts!!!

    UAC is for running as a normal user and being properly prompted to "Sudo" whenever an admin-permission requiring operation is executed.

    This article is misleading!!!

    You don't need an antivirus if you do not run as admin!!!

    AND THE MORAL HAZARD IS: And if you run as admin, an anti-virus is always too late when a truly efficient worm emerges!

    But the constant marketing message is that Antivirus == total protection!
