
Previously on "How come viruses work?"


  • VectraMan
    replied
    Originally posted by xoggoth:
    The real problem is that windows and windows programs are constantly doing whatever they feel like. If all these damn background tasks and updaters did not keep chugging away all the time it would be easier to notice anything unusual. Most of it seems completely unnecessary.
    I don't think that's necessarily a problem, but it is a major reason why things slow down. Java, Adobe Acrobat, God knows what else, all these things like to install updates these days. Run msconfig, and turn them all off.

    I'd like reserved areas of memory and hard disc that could only be write accessed if I flipped a switch. One could then check the common areas thoroughly before allowing use.
    Exactly what UAC does in Vista/W7.

    It's perfectly possible to set up an XP with the user (and any software run directly or indirectly by the user) blocked from accessing anything outside of his own Documents & Settings folder.

  • xoggoth
    replied
    The real problem is that windows and windows programs are constantly doing whatever they feel like. If all these damn background tasks and updaters did not keep chugging away all the time it would be easier to notice anything unusual. Most of it seems completely unnecessary.

    I'd like reserved areas of memory and hard disc that could only be write accessed if I flipped a switch. One could then check the common areas thoroughly before allowing use.

  • VectraMan
    replied
    Originally posted by RichardCranium:
    Which is why there have been no new PC viruses now for well over 15 years.
    Indeed, but the reasons are nothing to do with what you said, which was almost completely wrong. Or possibly completely wrong, I'd have to go back and check.

    In truth the NT line of Windows (i.e. NT, Win2K, XP..) have all had pretty good security, and the OS is well protected from rogue applications. The problem has always been as Nick says, most users, even in corporate environments with IT departments who should know better, log on with an administrator account and so bypass the whole lot.

  • Fred Bloggs
    replied
    A "drive by virus"? If your PC sits behind a hardware firewall in a router, shouldn't it stop things like that happening?

  • RichardCranium
    replied
    Originally posted by Tarquin Farquhar:
    Trouble is (to continue the car analogy) that some of those pieces of advice are equivalent to saying "don't drive on any road where you even slightly suspect that there may be dangerous drivers", or "never drive a car unless you know personally the people who built it".
    So you mitigate that risk by taking out insurance: "I bet I have an accident".

    Take backups.

  • Tarquin Farquhar
    replied
    Originally posted by NickFitz:
    Your best bets are:
    • Keep up-to-date with Windows Updates;
    • Don't forget your other software: most things will let you know if they have an update available, but what about those that don't - check the web site;
    • Always read warning messages, and be sure you know what you're doing before saying "OK";
    • Don't visit any even slightly suspect web site: they have a habit of installing things even if you click "Cancel" or use the "X" to close the confirmation dialog;
    • Don't ever open an email attachment unless you're absolutely certain you know what it is.


    You'll notice that everything in that list is something that puts the onus on you. The computer is just a machine; it can't make reliable judgements for you.

    Obligatory car analogy: it goes where you steer it, at the speed you dictate; it can't stop you driving into a wall. Even those new-fangled collision avoidance systems couldn't save somebody who drove off a cliff at ten miles an hour. Similarly, no matter how many safety systems are added to an operating system, they'll never be perfect if it's to remain usable (see UAC), so you'll have to be perfect for it
    Many thanks for an extended analysis.

    Trouble is (to continue the car analogy) that some of those pieces of advice are equivalent to saying "don't drive on any road where you even slightly suspect that there may be dangerous drivers", or "never drive a car unless you know personally the people who built it".

    Which is accurate enough, I suppose: when you get on the net, you're driving in Iraq, not in Hertfordshire.

  • NickFitz
    replied
    Originally posted by Tarquin Farquhar:
    That leads directly to a major part of my question: when the virus asked your PC to do whatever it was that it did, how come your PC acceded to the request? Why didn't it say "who the hell are you?" or "not without proper authority I don't" or something like that?
    If you are running on an account with administrator privileges, which has historically been the default setting in Windows, then how is the system supposed to distinguish between you running a program and something else running it? Your account provides the authority.

    Modern applications aren't just monolithic blocks of code: they rely on a multitude of components working together. When your web browser wants to look up the IP address of a web site, or your email client wants to look up the IP address of a mail server, they both rely on the DNS lookup component of the operating system. That in turn doesn't know how to communicate with your Ethernet card or your wireless router: it relies on other components to do that. When the DNS service gets the IP address back from the Internet, and wants to save that address so it doesn't have to look it up again, how does the system know that its attempt to write to the disk is the result of you hitting return after typing "example.com" into your browser a second before? How does it know that what is being written to disk is a string of characters, rather than a piece of executable code?

    Meanwhile, your network drivers are logging messages, your mail client is downloading mail, your feed reader is updating feeds, your Windows Update is modifying core OS files and telling you to reboot or else, Word is autosaving in the background, Media Player is streaming video ready for when you unpause it... the number of interactions going on within the average PC is so great that it's very difficult for the system to know what instigated any given one - was it you, or a virus?

    What if it's a virus that intercepts the keyboard entry point and sends fake keystrokes into the system? How can it tell that those keystrokes came from the virus, rather than you typing? What if it sends fake mouse messages, so that when an alert pops up saying "Are you sure you want to send donkey porn to your boss and then trash the hard drive?" it clicks "OK" without human intervention? How does it know that it wasn't you clicking OK?

    Your best bets are:
    • Keep up-to-date with Windows Updates;
    • Don't forget your other software: most things will let you know if they have an update available, but what about those that don't - check the web site;
    • Always read warning messages, and be sure you know what you're doing before saying "OK";
    • Don't visit any even slightly suspect web site: they have a habit of installing things even if you click "Cancel" or use the "X" to close the confirmation dialog;
    • Don't ever open an email attachment unless you're absolutely certain you know what it is.


    You'll notice that everything in that list is something that puts the onus on you. The computer is just a machine; it can't make reliable judgements for you.

    Obligatory car analogy: it goes where you steer it, at the speed you dictate; it can't stop you driving into a wall. Even those new-fangled collision avoidance systems couldn't save somebody who drove off a cliff at ten miles an hour. Similarly, no matter how many safety systems are added to an operating system, they'll never be perfect if it's to remain usable (see UAC), so you'll have to be perfect for it

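A check for the situation this post describes, added here as an example and not taken from the thread or any of its posters: it reports whether the current session already holds the administrator authority NickFitz refers to, whether UAC sits between it and the rest of the system, and which programs are registered to run at logon (the background tasks mentioned earlier in the thread). The registry paths and .NET classes are standard Windows ones; the function names are my own.

```powershell
# Added example, not from the thread. Reports whether this session already has
# the "authority" the post describes, and whether UAC stands in the way.
# Assumes Windows Vista or later and PowerShell 3.0 or newer.
function Get-PrivilegeAudit {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    # True only when the process holds a full (elevated) administrator token.
    # Anything you run, or anything that runs as you, inherits exactly this.
    $isElevated = $principal.IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    # Local Administrators group is always S-1-5-32-544. Member but not
    # elevated is the UAC split-token case: one consent click from full access.
    $groupSids     = @($identity.Groups | ForEach-Object { $_.Value })
    $isAdminMember = $groupSids -contains 'S-1-5-32-544'

    # UAC policy values. EnableLUA = 0 switches UAC off (the XP situation).
    # ConsentPromptBehaviorAdmin: 0 = elevate silently, 2 = always prompt,
    # 5 = prompt only for non-Windows binaries (the Windows 7 default).
    $uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $uac    = Get-ItemProperty -Path $uacKey

    [pscustomobject]@{
        User             = $identity.Name
        IsElevated       = $isElevated
        IsAdminMember    = $isAdminMember
        UacEnabled       = ($uac.EnableLUA -eq 1)
        AdminPromptLevel = $uac.ConsentPromptBehaviorAdmin
        # The case the thread warns about: admin everywhere, no UAC barrier.
        AlwaysFullAdmin  = ($isElevated -and ($uac.EnableLUA -ne 1))
    }
}

# The updaters and background tasks complained about earlier in the thread
# mostly register themselves under these Run keys, which is what msconfig lists.
function Get-LogonStartupEntries {
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not an entry
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

Get-PrivilegeAudit
Get-LogonStartupEntries | Format-Table -AutoSize
```

Run it from the account you normally browse with: IsElevated true, or UacEnabled false, is the state the post describes where the system has no way to tell your actions from a program's.
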
  • RichardCranium
    replied
    Originally posted by VectraMan:
    Everything Richard says is correct of course. As long as it's 1990 and you're talking about Windows 3.0 in Standard Mode on a 286. Fortunately things have moved on.
    Which is why there have been no new PC viruses now for well over 15 years.

  • NickFitz
    replied
    Originally posted by VectraMan:
    I doubt that's true. Flash is the only ActiveX control in common usage, and that's well enough known that security holes are reported as a problem in Flash (and there are some). And of course Flash isn't Windows only.
    Strictly speaking, IE's HTML renderer is itself an ActiveX control: it's possible to embed a new HTML document inside an HTML document using an <object> tag in IE.

    Various other things are also implemented as ActiveX controls, such as Media Player plugins, QuickTime, Java applet runners. Then there's things like MSXML, which are ActiveX controls that don't have a UI.


    In addition IE has Browser Helper Objects, which are used for things like toolbars, as well as assorted pieces of malware and spyware.
    Last edited by NickFitz; 11 November 2009, 17:48.

  • VectraMan
    replied
    Originally posted by Platypus:
    I can only assume when I clicked onto a website to download torrent I was looking for. I didn't agree to download anything, and I was using Firefox. I have anti-virus which is right up-to-date. I have SP3 which is fully up-to-date with the latest patches. And yet I got screwed.
    Presumably you opened the torrent, which ran a torrent opening program you'd previously installed from the internet somewhere...

  • Tarquin Farquhar
    replied
    Originally posted by Platypus:
    I'm sure you're right, but I got clobbered by a drive-by virus yesterday that got onto my machine, I can only assume when I clicked onto a website to download torrent I was looking for. I didn't agree to download anything, and I was using Firefox.
    That leads directly to a major part of my question: when the virus asked your PC to do whatever it was that it did, how come your PC acceded to the request? Why didn't it say "who the hell are you?" or "not without proper authority I don't" or something like that?

  • Platypus
    replied
    Originally posted by VectraMan:
    I suspect 99% of these problems are actually people installing bits of crappy software they download.
    I'm sure you're right, but I got clobbered by a drive-by virus yesterday that got onto my machine, I can only assume when I clicked onto a website to download torrent I was looking for. I didn't agree to download anything, and I was using Firefox. I have anti-virus which is right up-to-date. I have SP3 which is fully up-to-date with the latest patches. And yet I got screwed.

    I'm still reeling from just how ineffective all that "protection" was, and wondering if I should do my web browsing in a virtual machine. Which is bloody ridiculous if you think about it.

    Computers should be easy to use! When someone makes one that way, it'll really catch on. Maybe Steve Jobs already has ;-)

  • VectraMan
    replied
    Originally posted by NickFitz:
    If you're using IE, it's probably through a security hole in an ActiveX component. Supposedly this isn't allowed, but somehow it still happens. (The fact that the average user doesn't bother reading the warnings they receive but just clicks away merrily doesn't help.)

    With other browsers, it'll be a similar flaw.

    This only applies to Windows, by the way.
    I doubt that's true. Flash is the only ActiveX control in common usage, and that's well enough known that security holes are reported as a problem in Flash (and there are some). And of course Flash isn't Windows only.

    In Vista, Active X controls are limited. I know this from working on one that didn't work in Vista's "protected mode". The Netscape plugin version of the same thing that works in Firefox/Chrome/Safari/Opera has no such restrictions and can run like a native application, but in IE, the ActiveX control is prevented from having the same access.

    Vista also does all sorts of clever things in keeping track of programs you've downloaded and treating them differently until you unlock them.

    I suspect 99% of these problems are actually people installing bits of crappy software they download. I recently installed Serif Draw Plus/Lite - or something, and it installed the Ask toolbar which installed an upgrade service which took it on itself to delete my boot.ini regularly. Entirely my doing and no virus checker would have helped. That was under XP; under Vista or Windows 7 it wouldn't have been able to do that.

  • Tarquin Farquhar
    replied
    Originally posted by NickFitz:
    If you're using IE, it's probably through a security hole in an ActiveX component. Supposedly this isn't allowed, but somehow it still happens. (The fact that the average user doesn't bother reading the warnings they receive but just clicks away merrily doesn't help.)

    With other browsers, it'll be a similar flaw.

    This only applies to Windows, by the way.
    One of the posters on one of your links had a good phrase: "Computers should be easy, not users should be PhD's.".

    So do viruses usually get in via actual bugs in part of the OS? Or is it usually because the user said "yes of course that's OK" when they shouldn't have done? How about if I browse using a low-level user account, and routinely refuse requests that don't look like something I have just initiated?

    But honestly, I'd like a really read-only browser: let me read web pages but do not save anything (maybe the odd bookmark). And a read-only email client to go with it.

  • NickFitz
    replied
    Originally posted by Tarquin Farquhar:
    OK, you're being pedantic. If I browse the web, how does a website infect my PC? Does it not have to do something on my PC, that instead might just not be allowed?
    If you're using IE, it's probably through a security hole in an ActiveX component. Supposedly this isn't allowed, but somehow it still happens. (The fact that the average user doesn't bother reading the warnings they receive but just clicks away merrily doesn't help.)

    With other browsers, it'll be a similar flaw.

    This only applies to Windows, by the way.
