Welcome to The Windows Blog 

Windows Vista: Defense in depth

Wow, you describe a specific situation and suddenly people extrapolate something completely different!  During a recent discussion with journalists about the release to manufacturing for Windows Vista, I made a comment about how attacks on the Internet are getting more and more sophisticated, and some of the security features in Windows Vista really help our customers. This somehow morphed into people thinking I said customers shouldn’t use antivirus software with Windows Vista. When the articles and blogs started appearing, I asked the PR folks to send me a copy of the transcript of the call so I could read it over and see if I said something I didn’t mean. After reading the transcript, I could certainly see that what I said wasn’t as clear as it could have been, and I’m sorry for that. However, it is also clear from the transcript that I didn’t say that users shouldn’t run antivirus software with Windows Vista! In fact, later in the call, I explicitly made this point again, because I had realized I wasn’t as clear as I should have been. It’s important for me that our customers are using the appropriate security solutions for the right situations, whether that’s security functionality integrated in the operating systems, or add-on products.

The point I had been trying to make (albeit unclearly) is that Windows Vista includes new security features that can dramatically help improve our customers’ security for certain situations. I was asked a question about how I rated the protection provided by Windows XP with Service Pack 2 and whether or not it was still effective. I ended up telling a story about how the machine my seven-year-old son uses has no antivirus software installed because it runs in a very locked down configuration, which includes only being able to visit websites on an approved list (approved through the parental controls feature in Windows Vista). He also has no access to email or instant messaging and he doesn’t run as an administrator of the machine. In fact, parental controls in Windows Vista requires that the user you apply controls to is not running as an administrator. Email, phishing, and other social engineering attacks are definitely among the most prevalent attacks that home users experience today, and his machine has been locked down in these regards.

My point in bringing up this extreme example was really meant to emphasize that importance of defense-in-depth measures we put in Windows Vista—both the number of defenses and their combined effectiveness.

Now, the comments have unfortunately been cited out of context implying that I said Windows Vista users shouldn’t use antivirus. I want to be clear, most users will use some form of antivirus software, and that will be appropriate for their scenarios. In fact, Windows Security Center, a great feature in Windows Vista, specifically encourages the use of antivirus software.

We’re continuing to make the best operating system we can, and I’m very proud of it. I think we’ve made some great changes in Windows Vista on the security front, and I know our customers will benefit.

jim

Comment 

Tags: , , ,

Comments

  1. Sephiroth
    Posted on: November 10, 2006 at 6:15PM  

    Wow!  Sometimes one has to question the tactics used by journalists.  It's very unfortunate that things said can be so easily misinterpreted.  I can see how that conversation went:

    Me:  The apple is nice and green on the red tree.

    Reporter:  Let me quote you on that, you said, "the apple is nice and red on the green tree?"

  2. derekslager
    Posted on: November 10, 2006 at 7:02PM  

    Unfortunately, this "clarification" will lead to more headlines ...

    "Vista won't boot without antivirus installed."

    "7-year-old children forced to work as Microsoft beta testers."

    "Microsoft Security Center is the only supported antivirus software on Windows."

    "Allchin: Instant messaging not supported on Windows due to security issues."

    "Vista: Totally insecure when running as administrator."

  3. singhgagand
    Posted on: November 10, 2006 at 7:15PM  

    Hi, I know my question doesn't have to do anything with the article but I really need to know something about becoming a computer engineer what kind of field is it when u want to create OS. Please tell or E-mail me at singhgagand1@yahoo.com

  4. Rosyna
    Posted on: November 10, 2006 at 7:57PM  

    Actually, I think not needing an AV package in an OS is an awesome goal to have. If an OS is so secure that malicious code doesn't have a chance to run on the machine, then God's in His heaven, all is well with the world.

    Alternatively, to have an OS that is so secure that installing an AV package creates more problems than it could ever solve.

  5. newscientist2000
    Posted on: November 10, 2006 at 9:25PM  

    Its unfortunate that the media sometimes adds their own interpretation to unclear sound bites.  Good journalists would follow up with you to and ask for clarification first!

  6. bluvg
    Posted on: November 10, 2006 at 9:47PM  

    Jim,

    I listened to that interview as well, and I certainly didn't get that impression from what you said.  Like you mentioned here as well, you specifically mentioned later that you were in no way endorsing running without anti-virus software.  I think you're being too hard on yourself about being unclear!

    I've run with XP without any anti-virus for a long time now, and before that with W2K.  I do an online scan every so often to make sure the machine is clean, and not once has it found anything.  

    Simply put, if you're running as a standard user, there is very little in terms of *viruses* that you have to worry about.  I suggest to anyone questioning that, go ahead, look through the anti-virus vendors' databases, and see how many viruses operate on the premise that they have unrestricted access to HKLM, Windows system directories, Program Files directories, etc.  The vast, vast, vast majority of viruses are rendered totally ineffective when running as a standard user account.  The whole anti-virus industry is a bit overblown anyways (hey, don't tell me you've found "900 instances of malware" when they're all cookies...), but there's no reason to think it's heresy to run without anti-virus when running as a standard user.  Not that I'm recommending it either, of course, but it's just not the crime against humanity some claim it to be.  Besides, some of the most dangerous attacks out there these days are not virus-related, and many are not OS-specific.

    The only concern I have, though, is that now the attackers will turn their focus to non-admin accounts, perhaps going after privilege elevations and information within the user profile.  I hope Vista is up to that challenge.  I also hope that UAC isn't "one more dialog" that people simply click through without reading.  The standard user account provides the *right kind* of inconvenience to the user--requiring them to launch a privilege escalation *manually*, not having it done for them.  As for my company, we're definitely sticking with the standard user account plan.  Under which, by the way, we've had not one virus/malware attack succeed--and, according to our logs, that would be the case even if we didn't have anti-virus running.

  7. steve.wiseman
    Posted on: November 11, 2006 at 12:32AM  

    Jim,

    This is another case were the press intentionally gets it wrong. I read what you had said - before it became a silly article on Slashdot.

    They need people to come to their website, so it works for them to take you totally out of context. Stuff like this just makes me so damn mad. I read the title of the article, and said "What to hell, this is bullshit" so loud I woke up my infant son sleeping in the other room.

    Each time I see this happen it reminds me that every time I see a sensationalized article title it is time to start digging for the real facts.

  8. Robert McLaws
    FeaturedCommunity
    Posted on: November 11, 2006 at 12:43AM  

    I posted my thoughts on the matter earlier today. Jim, you told me this story during my interview with you as well (don't know if that was the first time you told it or not) and it was as unassuming then as it was Wednesday. I'm sorry it has caused you such headaches!

  9. dasryms
    Posted on: November 11, 2006 at 4:07AM  

    Hi

    Congrats to Jim Allchin & team for Vista-RTM

    das

  10. Single Dove
    Posted on: November 11, 2006 at 4:09AM  

    Just do anything you want to do,in despite of anything others say.

    Feet are your own,mouthes are others's,you cann't contol what they want to say.

    In additional,so-called journalists are just crows.

  • Page:
  • 1
  • 2
  • 3

Trackbacks

  1. Posted by: Dena: Vista Ready on November 10, 2006 at 6:10PM

    Jim has just posted a response to all those bloggers and "media" who have posted that Jim said that people

  2. Posted by: Michael Howard's Web Log on November 11, 2006 at 2:20PM

    When I read the interview " Allchin Suggests Vista Won't Need Antivirus " with Jim Allchin I shuddered,

  3. Posted by: Donna's SecurityFlash on November 11, 2006 at 11:43PM

    There was a news about Mr. Jim Allchin's interview is misunderstood. BTW, Mr. Allchin r espond to it

  4. Posted by: Kurbli on November 12, 2006 at 5:16AM

    Korábban írtam Jim Allchin félreérthető nyilatkozatáról, úgy tűnik, hogy az elmélkedés a mondottakról/leírtakról

  5. Posted by: Harry Waldron - My IT Forums Blog on November 12, 2006 at 12:26PM

    Jim Allchin's recent comments on the enhanced security found in Vista were misinterpreted during a telephone

  6. Posted by: Harry Waldron - Microsoft MVP Blog on November 12, 2006 at 12:27PM

    Jim Allchin's recent comments on the enhanced security found in Vista were misinterpreted during a telephone

  7. Posted by: Microsoft News Tracker on November 12, 2006 at 5:25PM

    Allchin Suggests Vista Won’t Need Antivirus During a telephone conference with reporters yesterday, outgoing Microsoft co-president Jim Allchin, while touting the new security features of Windows Vista, which was released to manufacturing yeste..

  8. Posted by: SSiTE News on November 13, 2006 at 4:25AM

    Ever since Microsoft Vista chief Jim Allchin talked about his son not using anti-virus in a recent teleconference with journalists, the world has been abuzz with claims Vista won’t need AV software. Now Jim Allchin has clarified his statements on the

  9. Posted by: Security Incite: Analysis on Information Security on November 13, 2006 at 9:46AM

    November 13, 2006 - #155 Good Morning: Happy Monday to you. Ready to get back into the fray? I am, after a great weekend with the twins. But I was certainly happy when the boss came back into town. They were pretty well behaved and we even braved th

  10. Posted by: Security Curve Weblog on November 13, 2006 at 11:34AM

    Have you seen the ads for the "Truth in Software Commission" hearings over at BigFix. If you haven't seen it, I highly recommend checking it out. Their satirical content is absolutely hilarious and it's very much worth the trip (trust me, it's

  11. Posted by: OpsanBlog on November 15, 2006 at 9:17AM
  12. Posted by: SAGE Wisdom Journal on November 15, 2006 at 10:03AM

    Latest news on Windows Vista include questions over antivirus and the released v

  13. Posted by: WebLog de Stéphane PAPP [MSFT] on December 23, 2006 at 3:30AM

    Nos amis suisses ont développé un site en français sur l’utilisation d’ordinateurs connectés à Internet.

  14. Posted by: Satisfy Me on April 21, 2007 at 12:18PM

    It has been a busy week, and between catching up at work and a backlog of email, sick kids and just about

Navigation

The Blogs:

Recent Posts

Tags

View more

© Copyright 2008 Microsoft Corporation. All Rights Reserved.   |   Privacy Statement