Do I need to install virus protection?

Discussion in 'General Questions' started by Pastle, Aug 22, 2007.

Thread Status:
Not open for further replies.
  1. mike montagne

    mike montagne Member

    Messages:
    25
    A Software Developer's Advice For Avoiding Viruses In Windows

    I've written millions of lines of Windows code with dozens of tools; and perhaps I should delineate the viral susceptibility issues of Windows, as, just for instance, I maintain a political website which receives hundreds of thousands of unique visits a month, and I respond to email received on a development system, onto which have landed millions of viruses over the course of the last few years. None have ever unleashed; and neither has anyone who has followed my advice suffered a viral infection.

    The problem is really the underlying philosophy of Windows software; and if you understand this first, you can easily enough protect yourself without viral ware. That's right. I run no anti-viral ware, and so I will first explain that if you rely on viral ware (even supported by a good firewall) for protection, you will suffer viral infections.

    Why/how?

    It's simple. Viruses/Trojans/worms... or whatever... are recognized by *known* patterns. The trick of course then to designing an effective new self-proliferating threat is to devise an unknown or undetectable pattern. Of course, detection continually becomes more sophisticated; but just the same, if any detection scheme were wholly foolproof, then we all might be using those wares, and no problem would exist.

    This is not the case.

    The truth is, the virus which escapes any kind of such *assumed* protection is the one to worry about; and the further truth is that your ISP is probably running anti-viral/spam filters on your email which already eliminate most *known* threats from landing in your mail.

    The *unknown* threat defeats this partial umbrella; and all the great viral infestations of existence are a result of this fault: Pattern matching only provides limited protection (which you will not even need unless you introduce unwanted material to your system from sources other than mail [which should already be effectively filtered]).

    The trick to *real* protection then is never *executing* potentially dangerous material.

    Why; and what does this mean?

    As I said, the real threat is the way Windows software works. Windows objects are designed to be able to interact with each other; and even while the processes by which they do so are highly inefficient, this ability for independent objects to execute processes distinguishes the whole vulnerability of the Windows software philosophy. Understanding the difference, you can protect yourself by exercising standards.

    Collectively, the many objects and/or processes of this nature are often referred to as ActiveX. To protect yourself on Windows boxes, you have to wholly disable ActiveX (including scripted forms) wherever it is possible to do so; and you have to refrain from running any processes which will run unknown ActiveX.

    This means that you must disable all ActiveX activity in Internet Explorer's custom security settings (which actually configure the operating system). Neither can you have a preview pane open in your mail program, because *previewing* any material containing a virus essentially runs the virus ostensibly to display ("preview") the material.

    The thing is, a virus is always just a file or a part of a file. Lying dormant on your machine (whether that be on the Mac side or the Windows side), they actually pose no threat to you (except that you might inadvertently run them). *It is only when you run them that you unleash them.*

    Many ActiveX controls are treated as attachments. Thus one obligatory protection (even if you run anti-viral ware) is to set up mail rules which divert incoming mail with attachments to a "Potential Virus" mailbox. From here, you open *the source code* to the mail to read the mail. Sure, I understand this is a huge impediment, but if you want to protect yourself against viruses that will get by filters, you absolutely have to do it; and if you do it, your anti-viral ware will be performing redundant operations for you, won't it?

    Indeed that's so.

    A further thing to understand is that AVware itself is often a substantial threat to the sanctity of your system. Being a software developer, I refuse to run it because it poses unnecessary threats to contending processes.

    You *do* however need a firewall to protect your file system not only from internet threats, but from threats infiltrating your network (if any). ZoneAlarm is the best out there for Windows, because in its stealth mode, your IP isn't even visible to potential intruders. Not being able to find you even means they cannot target you.

    So furthermore, this is the great general difference between UNIX/Linux software and Windows software for which you have gravitated to the Mac. It's also something for all of us to remember who develop or use software; because it prescribes two classes of software design -- one which is wholly vulnerable and is impractical to truly protect; and another which simply refrains from running potentially vulnerable entities.

    We might say then that good software engineering philosophy is to purposely refrain from running *any* potential threat -- versus celebrating the adverse idea that interoperability of *any* potential process (which inherently includes potentially adverse processes).

    What makes the prospect of the latter even more displeasing is that the alternate design philosophies are also far more efficient.
     
  2. rubyred

    rubyred Bit poster

    Messages:
    2
    Thanks for the help.
     
  3. mike montagne

    mike montagne Member

    Messages:
    25
    You're welcome.

    I recommend making Firefox your main browser and Thunderbird your email application. Turn off ActiveX and all scripting in IE; and run ZoneAlarm in stealth mode, and you will be running the tightest, most impervious Windows security possible, if you are careful about introducing any further material onto your system, and if you check out all suspicious email by viewing its source. Incidentally, Thunderbird reduces the several steps of doing so in Outlook Express to a single control+u keystroke combination. You can instantly tell if a mailing has executable content -- scripts, exes, program information files (.pif -- why these allow dangerous execution is a huge mystery), or embedded content described to be images for instance, which are not.

    The rule is simple: if you don't know what the additional content is, you never view the email -- you only read it from its source. You get pretty good at that pretty quick.
     
  4. fromans

    fromans Member

    Messages:
    61
    As previous posters have mentioned, if you use Windows, then you need protection for it. Your Windows install doesn't care that it's virtual. You can get a virus and lose data just the same as if it was native on the hardware. AVG is a great, low footprint antivirus program that gets updated daily. Get it free at . I would also agree with the poster who mentioned ClamXAV for Mac. If you are sharing folders with your Windows then your Mac could infect it without you even realizing you had an infected file. I hope that makes sense.
     
  5. mike montagne

    mike montagne Member

    Messages:
    25
    Your AVWare wouldn't need to be updated daily if new viruses couldn't slip by to infect your system -- which is why it doesn't really protect you: It doesn't protect you until *after* you might have opened that new email with the virus.

    On the other hand, neither will reading the source of the email invoke the processes of the virus, so it is perfectly safe to do so.

    But as to being infected by the Mac... no way. What on the Mac would run a process that would run a *Windows* process? Absolutely nothing.

    To do that you would have to invent a Mac virus that would infect a Windows partition *and* invoke the virus on the Windows partition -- which is a pretty far fetched scheme indeed.

    Ever actually hear of such a thing? I don't think so.

    Moreover, to protect the Windows system, you'd have to have Windows-secure AVWare running on the Mac.
     
  6. fromans

    fromans Member

    Messages:
    61
    I don't think you understood what I was trying to say at all. I'll try to dumb it down for you this time. I didn't say Mac processes could infect Windows, but I did imply that files on your Mac could be infected without you knowing it, and thereby infect Windows if you should open them through the shared folders. You do realize there may be documents you work on in Windows and on Mac? As for "Windows-secure AVWare" on your Mac, just what do you think Clam definitions contain? All those thousands and thousands of Mac viruses? No, Clam definitions update the same whether you are running Clam on Linux, ClamWin, or ClamXAV and you better believe they include signatures for Windows viruses. There's a reason it is primarily recommended for gateways and mail servers. You can still be ignorant of the facts all you want, but at least try to keep it polite on the forums. The OP had a legitimate concern. If you can't offer constructive insight then just keep it to yourself.
     
  7. mike montagne

    mike montagne Member

    Messages:
    25
    What could be more constructive than advising that AVWare doesn't protect *anyone* from the patterns it doesn't recognize yet?

    *Of course* I recognize that files may be shared. Sure, they can enter the system through the Mac, which doesn't even have to care about Windows viruses, *because it never runs them.* Which is exactly the point: if a person wants to protect their system, what they really have to do is avoid running exploits. If they can get by AVWare (and they can get by AVWare), then they can be run; and if you're counting on your AVWare to prevent your running the virus which has slipped by because the AVWare can't even recognize it *yet*, that's the flaw in your system which makes you vulnerable.

    If anything could be construed to be impolite, it would be your dumb it down assertion. Even your post confesses that you have to *run* the file to infect the system.

    A fact of the matter is that all of the many people I have known who "got" (ran) viruses were running AVWare. The only ones I know who received viruses and never unleashed them simply exercised a set of practices which preclude running them.
     
  8. fromans

    fromans Member

    Messages:
    61
    You're not going to troll me on this one so you can just stop right there. Your posts were condescending and I admit I stooped to your level with my dumb it down comment. Basically it boils down to your comments make it sound like AV is worthless so why bother? The OP just wanted to know if he should be protected. You give some good tips but then turned around and gave the impression that it would be a futile effort, and that is bad advice. That is all.
     
  9. mike montagne

    mike montagne Member

    Messages:
    25
    Well that's the first time I've ever been accused of trolling.

    Let's entertain the question, how worthless or worthwhile is AVWare running on your Mac or Windows installation?

    First of all, as your post points out, pattern matching is regularly invoked at mail servers and gateways. To say that you can benefit from running it on your local system then is as to say that we can run the same SQL statement many times on the same source data to render a better result set. But no matter how many times you filter the same source data, the logic of the SQL statement will render the same result set.

    Similarly, if there were no flaws in the outer filtering, then no benefit can exist by subsequent filtering. If there are any flaws at all, then absolutely we cannot run what can pass by, or we will be infected.

    Thus you can run filters on the Mac and the XP VM or wherever, and things will get by *because no AVWare of today protects us against all of the future exploits it has no power to recognize.*

    We don't have to be insulting about this (as you are again). I'm sure you recognize these things.

    So how do we solve or perfect our system of what can get by?

    The answer is simple. *Because* things can get by, and while yet their mere dormant existence on our system itself is no threat, and as it is only when the virus is run that it becomes a problem, what we *really* have to avoid is running the virus.

    Plain and simple.

    I don't want to trade insults, so smile for just a second. Imagine a sailor who wore rain gear to stay dry, believing it would keep him from drowning: "Water is bad -- it makes you drown," is his idea. He thinks by keeping it off of him he protects himself from drowning.

    Crazy, isn't it?

    Sure... so everybody runs AVWare. But it won't recognize everything; and so some things will get by; and because some things will get by, if we aren't deploying provisions which keep us from running exploits, then no matter the fact of our AVWare, it won't be long before an exploit bites us.

    We already have the umbrella at the gateway and mail server, so what do we gain by also running AVWare on the local system? Regular caution will prevent the wrong kinds of material infiltrating our systems from CD-ROMs and so forth.

    Regardless of what filters we benefit from, we still have to avoid running exploits without exception if we are to deploy perfect protection.

    Without that, you are vulnerable. With that, whatever gets by can damage nothing, because you never run the exploit.

    Here's just an example I ran into yesterday. A web site followed a vulnerable pattern to submit what could have been deployed instead as a CGI form: They presented a Word document. I was running Firefox, and the doc wouldn't even display -- not even the URL of it.

    Hmmm. Pretty interesting. You may remember the early word doc viruses, and if you're like me, you just won't open docs generated elsewhere. "No can do."

    Alright. But guess what? That online doc opens readily in IE7.

    This is the same kind of problem. To protect ourselves, we have to cut off every *complete* avenue of deployment. Only if the visitor is running the browser which won't open the potentially unsafe material; and only if the developer deploys the long proven CGI form is everybody doing their job in a way that will work for everyone.

    Gateways and mail servers are the best place to run AVWare. Why? Because that relieves us of the need to run it locally. But filters do not provide absolute protection; and that's the point -- you can only protect yourself by *also* exercising provisions which preclude running unwanted processes.

    Anyway, last I recall, trolling is not taking such extreme measures to qualify arguments leading to explicit solution -- in my experience it's always been to deliberately attempt to raise ire by unqualified disclaim, insult... all of that sort of thing.

    If you think you don't need to rule out running unwanted processes which can and will get by AV filters, that's alright with me. This is the best help I can provide. I've literally received millions of viruses, without a problem -- and without AVWare.

    Frankly then, for all of the *reasons* cited so far, with filters *already* running at your mail server alone, I wouldn't anticipate any appreciable, possible benefit of stacking multiple filters on the local system at all, unless a person was extremely foolish with what they did with the few other possible entry points; and here yet as well, we are only truly protected not by impervious filters which do not exist, but by simply refraining from all practice which can potentially run any exploit.

    Why run filters on [your own] gateway then? Because that's where you take responsibility for the possible failure of exterior filters, the administration of which is out of your hands.
     
  10. Eru Ithildur

    Eru Ithildur Forum Maven

    Messages:
    1,954
    So Mike, basically you are saying that unless the user does something, he is immune from viruses? How about saying something clear and concise? You drone on forever and ever.

    Also, it appears on a quick read that you assume that the user is protected by things at the gateway level. Sure, it is best practice, is it always done? No. Do all the small ISPs do it? No.

    *** Edited 09/21/07 ***
    Added 'it appears on a quick read that' prior to assume, my apologies for missing this on a quick reply on the way out the door.
     
    Last edited: Sep 21, 2007
  11. mike montagne

    mike montagne Member

    Messages:
    25
    I said "unless the user *does something*?" That's all you derive from all that explanation?

    I gave explicit instructions -- albeit not wholly complete in every detail, only because I don't have time to write a book. The only reason to repeat any of them was they were challenged. Now you say I droned on and on, because I gave the instructions and background so that those who questioned the instructions and method could *get it.*

    It's a closure -- a method of wholly closing the door on exploits; and it's explained (evidently, necessarily) in terms of background so that the fact it is the one and only system which provides *closure* can be understood.

    I *never once* assume the user is "protected at the gateway level." Your assertion is preposterous. Read the posts again. What I'm saying is you don't need to run material through but one filter before you have filtered it: *Filter once and you are filtered* is the point. That's basic practice in all computer science. You don't check if a boolean value is false three times before you process for a false value, do you?

    I don't even run filters on my gateway because they would be redundant! On the incoming mail server only. Why? Because the only potential avenue for intrusion on this network is through the mail. That therefore is *where* to place the filter -- not on the *many* local machines. Neither for instance on each Mac and XP VM, and so forth.

    I suppose you don't think I should defend your summary of all the explanation I have provided -- to round up a conclusive explanation how to *really* protect yourself from exploits and say all that I have said is "that unless a user does *something*, they are protected?"

    Sure, Eru. All this is just stupidity.

    In that defense only, here (again) is the gist of it:

    1A. Filters ("AVWare") only catch what they know how to catch, so they *do not provide COMPLETE protection.*

    Methods only catch what they presently know how to catch. New exploits will get by. Those exploits, if ever opened/run, will wreak whatever havoc they are intended to. *THIS IN FACT IS ALMOST ALWAYS HOW EXPLOITS SUCCEED -- IN THE TIME THEY ARE NOT *YET* RECOGNIZED.*

    Filters do not protect you (in the sense of closing the door on whatever you want to prevent from happening). They only minimize the number of *known* exploits which can land on your systems by way of whatever avenues are *filtered* by the AVWare.

    1B. The advantage of filtering incoming material therefore is merely to minimize the number of potential exploits landing on the subject systems.

    1C1. The typical security issues of business/work/serious computer networks are most vulnerable to email exploits. Running one filter on the mail server from which mail is received therefore accomplishes filtering. No reasonable further benefit whatever can be realized by running further/subsequent/*redundant* filters on local mail systems. *This is why we generally realize no benefit from running filters on the local machine.*

    1C2. If you do *stupid* further things which subject your machine to exploit such as visiting low-life sites of the genre known to invoke exploits, you best use an ISP which filters the outer gateway. One umbrella for all. No need to run AVWare (filters) on the local system*S*.

    2A. It is *running* an exploit which unleashes the exploit. They can sit dormant on your system forever without harm. In fact, many times I've had intruders carefully engineering ways to get into our network, and so I KEPT the viruses to examine the code to understand what they were doing.

    Yep. You can *safely* view the source or open the source in a source/text editor.

    2B. To *partially* "protect" yourself from *running* exploits, you must disable all ActiveX.

    Ostensibly, this should *itself* conclude your protection. But in fact, MS operating systems and software will still elect to run *much* ActiveX because MS relies so excessively on this redundant, vulnerable "technology," evidently that *their* "vital" processes (redundant reliance on vulnerable philosophy) can be implemented. Why else the redundant holes/disobedience of security settings exist, I cannot imagine -- unless of course it is just further ineptitude.

    So you still have to exercise whatever care is necessary to avoid manually running exploits.

    3. You manually avoid running exploits by never opening a file in the operating system or an application which will run them.

    3A. You do that everywhere you have to do that: The basic system in Outlook Express is to create a mail filter which will place all mail with attachments in a Potential Virus folder; and (in all mail applications) by *never viewing mail in a preview pane* (close the preview pane forever).

    Having already disabled all options to run ActiveX in IE's custom security settings; and intentionally communicating with people who will not deploy ActiveX (which is redundant to *communication*), just about anything with an exploit is going to land in your Potential Virus folder. You *never* open this email in your mail reader, because (even with ActiveX disabled), OE *may* run the ActiveX, ostensibly to render it.

    ***INSTEAD***, you *view the source* (right click... properties... view source) to read the mail.

    *IF YOU ARE EXPERT* you may even securely open attachments after viewing the source and determining unequivocally that the attachment is not an exploit. How? If there is anything executable in the attachment, then if you open it, that executable will/may be run. Seeing executable code (vbs, etc), files (exes), etc., you just don't do that.

    3B. Reasonable precautions of like kind preclude running potential exploits potentially introduced via avenues such as CD-ROMS, etc.

    Now, if you read my previous posts you'll see I've already explained all this which you have summarized to, "basically you are saying that unless the user does something, he is immune from viruses?"

    Really, Eru? You mean that?

    Here's my summary: "Security" is closing *every* door to any and every exploit. AVWare does not close the door, because all it does is filter *known* exploits. You run filters most conducively on the outer reaches of avenues to which your network/system is subject. Because exploits are only unleashed by *running* them, you close all potential doors to whatever will pass the filters in the outer reaches by exercising practices which without exception will not run potential exploits.

    "So Eru, your proof that anything can get by *and run* on subject systems is simply to disclaim this closes the door?"

    Security is about competence, Eru. Is it competent to run AVWare EVEN EVERYWHERE and assume you are protected? Or is it "smart" to run additional filters (locally) on avenues which are already filtered?

    As I said, it is all the future viruses in eventual history which AVWare yet has no power to recognize which are your concern (because you should already be benefiting from filters in outer reaches, which is why you shouldn't have to run them locally); and your only real protection is "not doing ***something***." Yep, that was my advice: "Basically, just don't do something." And that was all I needed to say. "Hey there everybody, here's some expert advice: just don't do something and you'll be protected." Yep, even you would have known exactly what to do then, wouldn't you Eru?

    In every case of unleashed exploits I know of, the users were running AVWare. If you can prove new exploits cannot get by AVWare, you will be the first to do so. If you can prove there is any reasonable benefit whatever (but different deficiencies in the filters) from running local filters on avenues already subject to exterior filters, you will be the first to do so -- even if inept paranoia alone explains why *everyone who is ever attacked successfully indeed runs such redundant filters.* If you can prove there is any other possible way of protecting yourself then but eliminating every possibility of running exploits, more power to you. I'm waiting anxiously.

    If you are supposed to be deriving the meat of matters here however, I don't think your purported summary is a good sign. You gotta be able to connect the dots, if you are to solve the matters before us.
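    The attachment triage that post #3 describes (spotting scripts, exes, .pif files, or "images" that are not images by reading the message source) and that post #11 lays out as steps 3A and 3B (divert anything with an attachment to a Potential Virus folder, then read it from the source instead of the preview pane) can be done mechanically against the raw message. The script below is an added example written for this page, not code from any poster; it uses only the Python standard library, it never decodes an attachment into anything that runs, and the sample message, the list of runnable extensions and the magic-byte table are constructed assumptions for the example rather than facts from the thread.

```python
"""Triage an e-mail's raw source for executable or mislabelled attachments
without rendering or opening any of them (Python standard library only)."""
import email
import email.policy
from email.message import EmailMessage

# Extensions that Windows treats as directly runnable when double-clicked.
# Illustrative list for this example; extend it for your own environment.
EXECUTABLE_EXTENSIONS = {
    "exe", "com", "bat", "cmd", "pif", "scr", "vbs", "vbe",
    "js", "jse", "wsf", "wsh", "hta", "cpl", "msi", "lnk",
}

# Leading-byte signatures ("magic numbers") of a few common file types.
MAGIC = [
    (b"MZ", "windows executable"),
    (b"\x89PNG\r\n\x1a\n", "png image"),
    (b"\xff\xd8\xff", "jpeg image"),
    (b"GIF87a", "gif image"),
    (b"GIF89a", "gif image"),
    (b"%PDF-", "pdf document"),
    (b"PK\x03\x04", "zip container"),
]


def sniff(data: bytes) -> str:
    """Return a type name based on the first bytes, or 'unknown'."""
    for signature, name in MAGIC:
        if data.startswith(signature):
            return name
    return "unknown"


def iter_attachment_parts(msg):
    """Yield every non-multipart part that carries a filename or an
    attachment disposition; the plain body text parts are skipped."""
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_disposition() == "attachment" or part.get_filename():
            yield part


def triage_part(part) -> dict:
    """Inspect one attachment from its decoded bytes only; nothing is executed."""
    filename = part.get_filename() or ""
    extension = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    declared = part.get_content_type()
    payload = part.get_payload(decode=True) or b""
    sniffed = sniff(payload)
    reasons = []
    if extension in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension .{extension}")
    if sniffed == "windows executable":
        reasons.append("MZ header: Windows executable regardless of its name")
    if declared.startswith("image/") and sniffed != "unknown" and not sniffed.endswith("image"):
        reasons.append(f"declared {declared} but content looks like a {sniffed}")
    return {
        "filename": filename,
        "declared_type": declared,
        "sniffed_type": sniffed,
        "size": len(payload),
        "reasons": reasons,
    }


def triage_message(raw: bytes) -> list:
    """Parse raw RFC 5322 source (what 'view source' shows) and triage each attachment."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    return [triage_part(part) for part in iter_attachment_parts(msg)]


def has_attachments(raw: bytes) -> bool:
    """The mail-rule test from the thread: any attachment at all goes to quarantine."""
    return bool(triage_message(raw))


def suspicious_filenames(raw: bytes) -> list:
    """Names of attachments that should never be opened from the mail client."""
    return [f["filename"] for f in triage_message(raw) if f["reasons"]]


def build_sample_message() -> bytes:
    """Constructed sample for this example (not a real message): a genuine PNG,
    a 'JPEG' whose bytes are really a Windows executable header, and a .vbs script."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "you@example.test"
    msg["Subject"] = "Photos from the trip"
    msg.set_content("See attached.")
    msg.add_attachment(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
                       maintype="image", subtype="png", filename="beach.png")
    msg.add_attachment(b"MZ" + b"\x90" * 30,
                       maintype="image", subtype="jpeg", filename="sunset.jpg")
    msg.add_attachment('MsgBox "hello"\r\n', subtype="plain", filename="readme.vbs")
    return msg.as_bytes()


if __name__ == "__main__":
    raw = build_sample_message()
    print("quarantine:", has_attachments(raw))
    for finding in triage_message(raw):
        status = "SUSPICIOUS" if finding["reasons"] else "ok"
        print(f"{status:10} {finding['filename']:12} declared={finding['declared_type']} "
              f"looks_like={finding['sniffed_type']} {'; '.join(finding['reasons'])}")
```

Run against a saved .eml file by passing its bytes to `triage_message`. The two checks that matter most for the thread's point are the MZ header test (a file is a Windows executable whatever its name or declared type says) and the declared-type versus sniffed-type mismatch; the extension list only catches what is honestly named, so treat it as the weakest of the three.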
     
  12. Eru Ithildur

    Eru Ithildur Forum Maven

    Messages:
    1,954
    I can wade through your things, or I can ask you to summarize them. Geez. How about summarizing your thoughts clearly (at least you made some attempt last post). I threw together something on the fly trying to HELP you be able to communicate your ideas to the viewers of this forum (judging from the response you got from someone else they aren't following you). How many people on this forum are actually going to read through your whole long posts? Therefore, I threw together a summary based on how a typical reader would take your... uhh... weighty (although very technically detailed) and unsummarized (or at least improperly summarized) posts.

    Part of assisting people is the need to have the ability to communicate, part of the ability to communicate is knowing how to speak to your target audience (with a study in the Classics, i.e. beginning student of Rhetoric knows this). You seem to have taken no time in getting the idea of how people on this forum work. It's a lot of sound bites on the internet, most people multi-task, as you very well know and are quite happy to proclaim to the world. As a result, the whole WAY you write has to support this. I'm sure you are aware of this, but in your joy for going into the details you are forgetting first principles.

    While I didn't want to start a flame war, I just pushed a summary based on a typical quick read, you seem to be wanting to start one by your responses to ALL of my various posts that respond to yours. You try to just 'tear' them apart, never once did I go out and state my opinion contrary to yours.

    I was proposing a summary of connecting the dots for the reader, that way we can see what you mean in summary. DRAW the conclusion, that is your job in convincing us, not our job as the reader to draw the conclusion for you. In a discussion of something technical to convince someone, you need to show knowledge in the subject (you seem to have this), you need to present convincing arguments (you seem to lay out a lot of things backed by experience), and you need to draw A CLEAR summary at the start or end of your post (although if you are writing longer things, you need to tie things together at the beginning and end). Nowhere do you do this. Once you get it through your head not every response is an attack on your ideas, then I will delve into the details with you, until then rethink your approach.
     
    Last edited: Sep 21, 2007
  13. mike montagne

    mike montagne Member

    Messages:
    25
    Evidently, what it comes down to is *you* believe you are helping people better than I. The fact is, that if they don't study whichever *one* of these posts they choose, they're vulnerable. They will not prevent the thing they are trying to prevent.

    You say your response isn't an attack. Then what possibly did it *contribute*?

    As to your dissertation on writing structure, where do you abide by it? Moreover, you already object to length -- and yet you want qualification. You can't have your cake and eat it too.
     
  14. mike montagne

    mike montagne Member

    Messages:
    25
    PS.

    "Nowhere do I do this?"

    Damn, not only are the essential points enumerated above, the OP ventured their thanks for the first post -- which would have been sufficient if it weren't contradicted by the following post.

    As to your ability to shoot a hole in the proposed closure, you mean your reference to lacking filters on *some* gateways was not your real attempt?

    Bah.
     
  15. mike montagne

    mike montagne Member

    Messages:
    25
    Furthermore, there are so many summaries already, your assertions are preposterous. Here's just one:

    "The answer is simple. *Because* things can get by, and while yet their mere dormant existence on our system itself is no threat, and as it is only when the virus is run that it becomes a problem, what we *really* have to avoid is running the virus."

    Just one sufficient summary of many.
     
  16. Eru Ithildur

    Eru Ithildur Forum Maven

    Messages:
    1,954
    Thanks for the summary that ties together everything you say, clearly set out from the rest.

    As to the question of what my posts contributed, very little, as it seems as if you did not even bother to read this line: "and you need to draw A CLEAR summary at the start or end of your post (although if you are writing longer things, you need to tie things together at the beginning and end)." But whatever, I guess I'm a loser on the forum wasting people's valuable time.

    As to believing I am helping people better, in this particular thread I am providing no assistance other than the attempt to get you to summarize your expertise. It sounds like you are the expert here, I was attempting to have you flesh out what you are trying to say. Which you have now done.

    "there are so many summaries already, your assertions are preposterous."
    Uhh... You are entirely missing the point. You summarize what you have to say at the beginning and/or end for the contents of the whole. Yes, you summarize as you go along too, but that should tie together a series of points, not the entirety of your points. Rather the idea that you don't summarize a lengthy discussion at the beginning or end is preposterous.

    Enumerated points != summary.

    Frankly, I am sick of bantering back and forth. Go ahead and make another round of posts about summaries if you would like, that is fine, I've made my points, if you need the last stab 'just because', go ahead and take it now. My future posts will be targeted only on the discussion of the need for virus software.

    Anyways, now that we have your posts summarized in a clear way, set aside from the middle paragraphs of a large post, we can get to the meat of it, no?
     
  17. mike montagne

    mike montagne Member

    Messages:
    25
    OMG, of the many summaries provided in the posts you claim to have read, you're an expert on structure and relevance after denying any summaries existed?

    You're tired of bantering?

    Great.
     
  18. fromans

    fromans Member

    Messages:
    61
    I meant it when I said "that is all" so this is not going to start another round of pointless dialogue with Mr. Mike. I just would like to point out that most of Eru's posts I've read are helpful, and Mike's at first glance seem okay, until he starts arguing with people. It's truly fascinating from a psychological standpoint, but just plain annoying and very OFF-TOPIC. I'd say this question was answered and this thread can now be closed before anyone else starts him up again.
     
  19. mike montagne

    mike montagne Member

    Messages:
    25
    On the contrary, if you can't justify your ostensible technical position, it's obvious what your posts are about.
     