Windows 8 security is like a swiss cheese flak jacket - sez AV firm
Even so, mouldy old malware apparently worked in tests
The knives are out for Windows Defender, the basic anti-malware protection bundled with Windows 8: makers of rival antivirus products are lining up to criticise Microsoft's efforts to secure its operating system.
Windows 8 can be infected by 16 percent of the most common malware families, even with Windows Defender activated, according to tests by Romanian antivirus vendor Bitdefender.
The latest version of Microsoft's OS was compromised by 61 of 385 malware samples flung at it by BitDefender. In addition, one software nasty bypassed Windows Defender but crashed on execution, while another ran but was blocked by User Account Control (UAC), so no malicious payload was delivered.
Malware that successfully bypassed Windows Defender was capable of opening backdoors to allow hackers to remotely control the attacked x86 PC, intercepting keystrokes, stealing online gaming credentials, and more.
Bitdefender has a vested interest in talking up the security shortcomings of Windows 8 as it touts its own paid-for virus-zapping packages.
However, the company used malware collected over the last six months, which is not ideal: the test sample won't include every threat, according to Simon Edwards, technical director at Dennis Technology Labs. And every antivirus product misses some software nasties from time to time, despite what marketing departments' rhetoric would have us believe.
Bitdefender also tests malware by fetching a copy of the malicious code from an internal FTP server and executing it to see how far the malware progresses - as opposed to visiting a booby-trapped web page that attempts to compromise the PC, which is a more common method of infection. In theory, there should be little difference, but this methodology bypasses Windows Defender's SmartScreen that filters out phishing attacks and malware downloads when using Internet Explorer.
By way of defence, a Bitdefender analyst told El Reg: "We did not rely on tests over the internet because they are highly subjective and their success rate is – most of the times – dependent on the tech skills of the user operating the PC; our goal was to see how vulnerable the system without the user’s intervention is. In other words we’ve simulated a hapless user."
In addition, Bitdefender did not check whether the successfully installed malware managed to survive a reboot on Windows 8. "Some of Windows 8’s security mechanisms should prevent Master Boot Records from being infected, which is one way the bad guys keep systems infected over time," Edwards explained.
"All vendors have a very strong motivation to demonstrate that Windows 8 is vulnerable and that alternatives to [Windows] Defender are necessary to provide the best security. I suspect that testing will show they are right, but there aren’t any good tests published yet, as far as I know, so they’re probably trying to race each other to show this themselves."
Microsoft Security Essentials in Windows 8
Security lab AV-Test, which sells analysis of malware to antivirus makers, also has reservations about Windows Defender following a preliminary review. The company drew its conclusions after throwing malicious code at Windows 7's Microsoft Security Essentials, which has been rebranded Windows Defender in Windows 8. AV-Test plans to formally review the effectiveness of Windows 8's built-in protection, and that offered by third-party security tools, in January.
"We saw rather similar results [to Bitdefender's] in our tests when we look at Microsoft Security Essentials, which is actually the new Windows Defender in Windows 8," the lab's chief exec Andreas Marx told El Reg.
"Microsoft offers a basic protection in their OS, so it's better than nothing, however the results are not good enough to replace existing free or paid security products."
Marx added that at least Windows Defender is capable of repairing the operating system if damaged. ®
ANTIVIRUS SOFTWARE COMPANY PUBLISHED GROUNDBREAKING STUDY TODAY PROVING THE SOFTWARE THEY SELL IS REQUIRED TO MEET THE SECURITY STANDARDS SET BY ANTIVIRUS SOFTWARE COMPANY
Re: more holes in it
Gorgonzola is an Italian blue cheese, the holey Swiss cheese is Emmentaler.
I always wonder...
"Malware that successfully bypassed Windows Defender was capable of opening backdoors to allow hackers to remotely control the attacked x86 PC, intercepting keystrokes, stealing online gaming credentials, and more."
There's one bit of information I'm always missing with research like this: what kind of user account and user profile was used? Because the end user can matter a lot when it comes to system security and breach of that security.
2 extreme examples... Although Windows 7 sets up an admin account for you to work with by default (and relies on UAC to block unwanted system changes) it's not how I like to work. Instead I lowered my account's privileges to that of a normal user (I'm on Windows 7 Professional btw; this also provides user account access), removed the password from this account and instead added a password to the global system administrator account. Resulting in the obvious situation that my user account has no write access to system parts of the system partition (C). I can't dump something in c:\program files, I can't do much in c:\windows; the only places I have full r/w access to are my own personal data directories as well as the stuff on the non-system partition (D).
The moment I want to do something beyond my capabilities I either have to raise my privileges (start a raised console ("run as administrator") for example) or simply await a UAC prompt. After which I need to type a password and then can perform the required changes.
Needless to say, I'm pretty confident that not much malware which might be capable of bypassing Security Essentials will also easily be capable of installing itself. Unless of course it fully runs within user space and doesn't require any extra credentials; but the mention of stuff such as keyboard monitoring makes me think otherwise. My account credentials simply wouldn't allow me to do this. (Unless of course they're actually exploiting local root exploits or local backdoors; the article doesn't quite say.)
Another extreme example is a friend of mine who clicks before reading. Sounds dumb, it is dumb, but that's the way he works. When he sees a website popup he's clicked it before you could say "I don't think that looks trustworthy". He'll even go as far as mindlessly clicking "yes" on UAC messages, sometimes even jokingly mentioning that "Oh, Windows needs to ask me if Bill Gates can go to the bathroom, sure; do what you have to do".
Needless to say: it's also the kind of friend who calls me every once in a while to ask me if I could help him make his "PC run faster". At one time I even managed (well, stuff like adaware & spybot managed) to remove 584 cases of malware, spyware, tracking cookies and other kinds of crap from his PC. Although his switch to Windows 7 has managed to slow that process down quite a bit.
Needless to say that my user credentials and user profile (the way I work) are bound to stop a lot of crap even whenever that is capable of bypassing my virus scanners. Whereas my friend... With such a user profile I don't think it would even help if his virus scanner (or "protection suite") were capable of blocking everything. Whenever there's a trojan provided, chances are high he'll invite it right over by clicking "yes" ("sure I'd like some new software, let's have it!").
AS SUCH.... What kind of user profile is used during such virus tests? With modern Windows (Vista, 7, 8) it's almost inevitable that the user will get a system warning somehow. So do they simply assume the user simply clicks yes all the time or....
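The commenter's setup above (day-to-day work in a standard user account, with UAC prompting for an administrator password whenever something needs elevation) is the kind of detail a test report should state, because it decides what an "executed" sample can actually do. The following PowerShell script is an added example, not code from the article, from Bitdefender or from the commenter: it reports whether the current session already holds an elevated token and reads the UAC policy values Windows stores under `HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`, warning about settings that would let malware install without any prompt. The warning thresholds are this example's own reading of the documented value meanings (0 for `ConsentPromptBehaviorAdmin` means elevate silently; 0 for `ConsentPromptBehaviorUser` means auto-deny); the registry key and value names are the real ones.

```powershell
# Added example: describe the account/UAC posture a malware test actually ran under.
# Not the article's or the commenter's code; assumes Windows Vista or later with PowerShell.

$identity   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal  = New-Object System.Security.Principal.WindowsPrincipal($identity)
# With UAC on, an administrator's filtered (non-elevated) token does NOT pass this check,
# so "True" here means the session already runs with full admin rights.
$isElevated = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac    = Get-ItemProperty -Path $uacKey

[PSCustomObject]@{
    User                       = $identity.Name
    TokenIsElevated            = $isElevated
    EnableLUA                  = $uac.EnableLUA                  # 1 = UAC on
    ConsentPromptBehaviorAdmin = $uac.ConsentPromptBehaviorAdmin # 0 = no prompt for admins
    ConsentPromptBehaviorUser  = $uac.ConsentPromptBehaviorUser  # 0 = auto-deny, 1/3 = ask for admin password
    PromptOnSecureDesktop      = $uac.PromptOnSecureDesktop      # 1 = prompt on the secure desktop
} | Format-List

# Flag postures where a "hapless user" test would not need any click or password at all.
if ($uac.EnableLUA -ne 1) {
    Write-Warning 'UAC is disabled (EnableLUA != 1): processes of an admin account run fully elevated.'
}
if ($isElevated) {
    Write-Warning 'This session already holds an elevated token: a sample run here needs no UAC prompt.'
}
if ($uac.ConsentPromptBehaviorAdmin -eq 0) {
    Write-Warning 'Administrators elevate silently (ConsentPromptBehaviorAdmin = 0).'
}
if ($uac.PromptOnSecureDesktop -ne 1) {
    Write-Warning 'UAC prompts are not shown on the secure desktop, so other software can draw over them.'
}
if ($uac.ConsentPromptBehaviorUser -eq 0) {
    Write-Output 'Standard users have elevation auto-denied: installs require a separate admin logon.'
}
```

Run it once in the account a test (or a real user) works in: if it prints `TokenIsElevated : True` or any of the warnings, a sample that "bypassed the scanner" needed no user decision to reach system directories, which is a very different result from one that had to get past a password prompt first.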