MS To Build Antivirus Into Win8: Boon Or Monopoly?

jfruhlinger writes "Microsoft has quietly announced that it's planning on baking anti-virus protection right into the Windows 8 OS. Users have been criticizing Windows' insecurity for years — but of course this move is raising howls of protest from anti-virus vendors, who have built a nice business out of Windows' security holes. Is this a good move by Microsoft, or a leveraging of their monopoly as bad as bundling Internet Explorer?"

Anti-Trust

[0123456]

I would love to see governments attacking Microsoft for making its software too secure. That would keep me laughing for years.

Good for consistency; bad because of consistency

[show me altoids]

I think this would be a great idea as long as MS keeps it well updated and people don't rely just on it. It would immediately improve the security of the PCs of all the people who don't bother with antivirus, but it may lull others into a false sense of security and give them an incentive to not get any other antivirus which would put a target for virus writers squarely on MS's solution.

Monopoly

[im_thatoneguy]

Why on earth would Microsoft want to put the AV competition out of business? It only costs them money.

It's neither boon nor monopoly, it's acknowledging a begrudging reality that no matter how secure your OS you need AV on top and you can't rely on your users to purchase it.

I'm sure Microsoft would be more than happy for everyone to run Norton and save the development expense but... that would be like requiring your customers to buy hamburger bun separately.

Bill was right

[Anonymous Coward]

Bill Gates was right. Microsoft had every right to add whatever features and applications it wanted to its OSes. Look at Chrome OS, Android, Mac OS X, iOS. All have browsers and other applications "built-in". In fact, Chrome OS doesn't even allow you to use an alternate browser, while Windows always allowed this. Adding non-intrusive and automatic antivirus to Windows 8 is a step forward.

Re:Perspectives

[jd2112]

The capitalist in me screams, "Anti-competitive!"

The IT guy in me exclaims, "It is about time."

The consumer in worries, "How will this impact performance?"

Microsoft AV is among the lest resource intensive AV programs I have seen.

Re:Anti-Trust

[ByOhTek]

Given that you can (or at least, for a couple years, could) jailbreak iOS by visiting a web site, I'm surprised there aren't more viruses for it. It seems a pretty wide open target, with a rather profitable victim base (they, at minimum, could drop a couple hundred or more for a cell phone).

Re:Anti-Trust

[gnasher719]

Sandboxing on MacOS X 10.7 solves this quite reasonably. A sandboxed application can request access to all files _that the user opens_.

Antiviruses are like unofficial patches

[Hentes]

Security should not be handled by a third-party program, and equipping Windows with a builtin AV is a step in the right direction. Banning it because of antitrust claims would be ridiculous, but only a minor annoyance, those who want could still get it.

Re:Anti-Trust

[shutdown -p now]

A large chunk of the enterprise sector uses Linux, as do a large chunk of web servers.

We were talking about viruses. Viruses are useless against servers, since virus, by definition, requires that the infected program is run on the attacked box. People don't usually run random programs on servers. Windows servers don't have a virus problem, either.

A big part of the problem is that Unix and Unix variants have been designed for security from the beginning. They've been designed to sandbox apps, and not run everything with full rights.

Most Linux distros don't sandbox apps - they still run with full user permissions, so any app has access to all user data of any other app. Proper sandboxing would be creating a separate set of permissions for every app that only lets it access and write data that it actually needs - as seen in Android or SELinux.

Of course (as also seen in rooted Android), if your sandboxing has a "full privileges" option, and it only takes an explicit user approval to enable it, casual users will do so when an infected app asks for it. You basically can't trust the user on making that decision if you want security on a platform that's being used by non-tech-savvy users. That's precisely why there's all that heavy sandboxing with no opt-out on iOS.

Windows was designed for users to have admin rights from day 1. Even when Windows started to introduce UAC, they did so in a manner that just annoys most people into turning it off. And so many Windows applications need full rights (because of the Windows mindset that they always could before) that it is difficult to properly sandbox everything.

I've been using Vista since 2008, and Win7 since it came out. I have a lot of applications on my system, but none of them require full admin rights. This really is mostly in the past - it has been 5 years now that applications couldn't reasonably assume to have full admin lest they break the user, so anything that still does so is either old software that hasn't been updated in a long time, or some POS line-of-business app that's written to run on corporate PCs that all still have XP.

Re:Anti-Trust

[jbolden]

Capability computing. You don't grant applications the rights of a user. Rather an application is granted the right to do X to thing Y. So getting access to a user's file doesn't mean access to all of them. Some other problem controls granting capabilities.

As an aside the NT kernel 3.51 had an excellent capabilities and Windows still has it. Microsoft just never made their own software, including the shell / GUI work with it.

Re:Anti-Trust

[devent]

The only reason why Linux don't have viruses "in the wild" is because it is extremely difficult to write viruses for Linux that can be run or installed without user interaction.

Sure, I can get a virus for Linux if I go to virus.com, download and run the virus. But for Windows you can get a virus with different means. Like via Email attachment, autorun from a USB-stick, via remote access (in Windows XP I get virus only because I was online).

In Linux you have explicitly tell the system to run the file. But on Windows everything with a .exe is run. Also, many programs are run automatically for the "convenience" of the user, like autorun USB or CDs. Windows still hides the file extension from the user, so if you have a file like porn.jpg.exe Windows will show you porn.jpg.

Also it's very easy to get rid of a virus in Linux. Just delete the infected file and replace it with the original from the package manage. In Windows you can't even delete the file because it's still in use.

Plus the whole-system update management of the Linux distributions. I can run my updates weekly and in the background and it will update the system and all of the applications.

Re:Anti-Trust

[ILongForDarkness]

I think there is a fundamental flaw in the assumptions here though. You can't trust a package just because it happened to get added to Debian or Apples repositories. It does probably mean someone, probably a large number of someones and tools have been used to check the app which is a good thing. But you still shouldn't have to fully trust or fully not trust (by not downloading) an app. Just because I install Firefox doesn't mean I want it to be able to access everything I can on my computer. Apps should be installed in a sandbox and only allowed outside of the box when a user grants them access. That way for example the user can say "wait a minute why does Angry Birds want to access my email account?" Or "why is Google Desktop trying to send my data back to the mothership?" There is a lot of cool FOSS software out there I like to try, but it shouldn't mean that I'm giving bob@coolhacker.org "full trust" on my system because I want to see if his text editor is really as cool as it looks and more than I should be giving full trust to some random app that landed in a deb package on debian.org. The old rule: trust but verify holds.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Anti-Trust

[Anthony Mouse]

So how do you make a file compression program that uses a Sandbox?

Imagine gzip without the ability to read or write to the filesystem. It's still just as useful: you just type 'gzip -c file.gz' and your file gets compressed, and if gzip is broken it can't do anything other than compress the file wrong. And there is no reason why a GUI application can't be designed to work in an analogous way.

It does mean that the world of Windows software development would look a lot different. A zip program doesn't need its own UI. All it needs is to provide an algorithm to the OS and a hook that tells the US it can put it in the 'things you can do to a file' menu. Then the zip program never gets access to the file system, the OS just feeds it data to compress on stdin and takes the compressed data from stdout.