Stop Paying For Windows Security; Microsoft's Security Tools Are Good Enough

When it comes to keeping your Windows PC secure, all of the scare tactics and overblown virus stories out there make it hard to feel safe online. The fact of the matter is that you don't need to pay for Windows security.

From time to time we like to go on long, opinionated rants about subjects that bug us. This is one of those times. So let's have a frank and honest discussion about Windows security, and leave the scare tactics and FUD for money-grubbing corporate marketers.

Microsoft Security Essentials is a Great Antivirus Application

The release of Microsoft Security Essentials has changed the landscape of antivirus software. We've finally got a completely free application that protects against viruses, spyware and other malware — without killing system performance like some of the "suites" tend to do. In my personal experience, it barely slows down the machine and rarely affects my work — and during a deliberate attempt to download some viruses (for testing purposes), it immediately found and blocked them from doing anything.

You don't have to take my word for it, however. Not only did AV-Test.org find that it detects 98 per cent of their enormous malware database, but AV-Comparatives (a widely known anti-malware testing group) found that MSE was one of only three products that did well at both finding and removing malware, including the leftovers. It was also the only free product to grab their "Advanced+" rating, the top honour for an anti-malware solution.

The more tech-oriented readers will probably note that MSE does not do any fancy heuristics to detect viruses that aren't in the database already, which is a feature offered by some paid solutions. In my opinion, this feature is usually unnecessary and a massive system drag if combined with a healthy dose of not installing questionable nonsense.

Stop Whining About "Outbound" Firewalls

Every time I read an article about the built-in Windows Firewall, I see comments complaining that they use Zone Alarm or some other software because they handle "Outbound" connections. Let's put it on the table — the Windows Firewall has plenty of capability for handling outbound connections if you really need that level of paranoia. In fact, if you just look through your start menu you'll find a link for Windows Firewall with Advanced Security. You can head into there and pretty much configure any setting that you can possibly imagine, getting right down to the port level if you want.

The fact of the matter, however, is that outbound firewalls on a desktop PC are Completely Pointless. If the malware has made its way onto your computer, you have already lost the war. Your PC now belongs to whoever is running the botnet, and your outbound firewall isn't going to stop it — after all, the malware can simply add a rule to the firewall to allow access. It's better to focus on keeping malware off your PC in the first place.

Let's not forget that most of us are using a router with a firewall built right into it, and as long as you aren't using easily-cracked WEP encryption, you should be perfectly safe behind your firewall.
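The point above, that software already running on the machine can add its own allow rule, is something you can check for. The following read-only audit is an added example, not part of the original article; it assumes the NetSecurity cmdlets (Windows 8 / Server 2012 or later) and an elevated prompt, and the baseline file path is a hypothetical name.

```powershell
# Added example: read-only audit of Windows Firewall's outbound posture.
# Assumes the NetSecurity cmdlets (Windows 8 / Server 2012 or later), elevated prompt.

# 1. Default outbound action per profile. With the default of Allow
#    (NotConfigured resolves to Allow), outbound rules only matter when they block.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction |
    Format-Table -AutoSize

# 2. Snapshot every enabled outbound allow rule and the program it covers.
$current = Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    ForEach-Object {
        $app = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            DisplayName = $_.DisplayName
            Program     = $app.Program
            Source      = [string]$_.PolicyStoreSourceType   # Local or GroupPolicy
        }
    }

# 3. Diff against a saved baseline so a newly added allow rule stands out.
$baselinePath = Join-Path $env:ProgramData 'fw-outbound-baseline.csv'  # hypothetical path
if (Test-Path $baselinePath) {
    $baseline = @(Import-Csv $baselinePath)
    Compare-Object $baseline @($current) -Property DisplayName, Program, Source |
        Where-Object SideIndicator -eq '=>' |
        Select-Object DisplayName, Program, Source
} else {
    $current | Export-Csv $baselinePath -NoTypeInformation
    "Baseline written to $baselinePath"
}

# 4. Rule additions are also logged (event ID 2004) in the firewall's own log.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
    Id      = 2004
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

The first run writes the baseline; later runs list only the allow rules that were not in it.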

User Account Control (UAC) is Not a Security Tool

The single most irritating feature introduced in Windows Vista was those annoying UAC prompts, asking you for permission to do nearly anything on your computer. The fact is, even if it makes you feel more secure, it's a false sense of security. Malware researchers at SophosLabs found that 8 of 10 malware samples can actually bypass UAC on a system with the default Windows 7 settings.

The fact of the matter is that unless you've pushed the UAC slider all the way to the top, it's not meant to be a security feature. The original intent was to change the way Windows works so that you can more easily run software as a standard user account, instead of running as administrator all the time. So there you have it — if you aren't going to run as a standard user or turn the slider all the way to the top, you may as well disable UAC.
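To see which of the two cases described above a machine is actually in (slider at the top, or a standard user account), the slider position can be read from the registry. This is an added example, not part of the original article; it assumes English column headers in the `whoami` output.

```powershell
# Added example: report the effective UAC slider position and whether the
# current account is a member of the local Administrators group (read-only).
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$p   = Get-ItemProperty -Path $key

$admin  = $p.ConsentPromptBehaviorAdmin   # prompt behaviour for administrators
$secure = $p.PromptOnSecureDesktop        # 1 = prompt on the dimmed secure desktop

$slider = if ($p.EnableLUA -eq 0) {
    'UAC disabled (EnableLUA = 0)'
} elseif ($admin -eq 2 -and $secure -eq 1) {
    'Always notify (top of slider)'
} elseif ($admin -eq 5 -and $secure -eq 1) {
    'Default: notify only when programs make changes'
} elseif ($admin -eq 5 -and $secure -eq 0) {
    'Notify without dimming the desktop'
} elseif ($admin -eq 0) {
    'Never notify (bottom of slider)'
} else {
    "Custom or policy-defined (ConsentPromptBehaviorAdmin = $admin)"
}

# S-1-5-32-544 is the well-known SID of BUILTIN\Administrators. For an
# unelevated administrator it is listed as "Group used for deny only".
# Assumes English column headers from whoami.
$adminGroup = whoami /groups /fo csv | ConvertFrom-Csv |
    Where-Object { $_.SID -eq 'S-1-5-32-544' }

[pscustomobject]@{
    SliderPosition        = $slider
    InAdministratorsGroup = [bool]$adminGroup
    GroupAttributes       = $adminGroup.Attributes
}
```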

Keep Windows Updated

When it comes to protecting yourself, it's laughable how many people install multiple antivirus applications but don't keep their system updated with the latest operating system patches. Last April, the Conficker worm was exploiting and spreading on millions of PCs through a critical security hole in Windows that had been patched the previous October.

If everybody would simply keep their systems patched, we wouldn't have to worry so much about these problems. If the constant rebooting action of Windows Update has you frustrated, you can always temporarily delay Windows Update's forced reboot, or just make it not restart your PC automatically — but you should always have Windows Update running at all times.

Keep Applications Like Acrobat and Flash Updated or Uninstall Them

Even though we're complaining about people not keeping Windows updated, the most likely cause of drive-by malware infection these days is through your browser plugins. Adobe Flash is notoriously full of security holes, and the latest attacks have been using vulnerabilities in Adobe Acrobat to infect your PC without installing a thing — just go to the wrong site that redirects you in a hidden frame to a PDF file containing the exploit and your system can be exploited.

Keeping your applications updated is critically important to protecting your security. Your firewall won't protect you, and antivirus software is unlikely to help if you're using an old, vulnerable version of Flash in your browser. What you need is a piece of software that scans your PC and makes sure that you are using the latest, patched versions. We've got you covered with the five best software update tools for any OS, but my personal recommendation for Windows is Secunia PSI.

Stop Downloading Questionable Files

There's a little-known fact that I don't usually tell anybody, but I'm going to share with you today: I haven't used real-time antivirus software on my PC in 10 years, and I've never been infected with a virus. About once a year, I run through an online virus scanner to make sure that my claim still holds true, and it's never happened.

How have I managed that, while being a geek and testing software all the time? There are a couple of simple rules that will protect you:

  • Use an online scanner like VirusTotal to scan questionable files before installing them.
  • Don't download and install those questionable files in the first place.
  • Use some common sense. That pre-release copy of the latest video game you got from a torrent? Yeah, it probably has a virus in it.

So what do you say? Are the built-in tools, combined with Microsoft Security Essentials, good enough for you, or are you going to stick with the full paranoia route?

The How-To Geek thinks a little common sense and system patches go a long, long way towards a secure system. His geeky articles can be found daily here on Lifehacker, How-To Geek and Twitter.


Comments

    Security Essentials is a piece of doggy doo. I have been using it, and now my computer runs at a third of the speed it was running at. What does that say?

      If your comp is running at a third of the speed then off the top of my head I would say there is something wrong with your computer. Regardless of whether or not MSE is good software, I'm sure reviewers would have noticed something like that.

      I use virus software. I don't know what it looks like when you get a virus as the last one I had was the stoned virus back in the early 90's. I'm too paranoid to ditch it though.

      I did use Zonealarm when I used to have a modem and would constantly get messages in the log about attempted scans and such. After I went to an ADSL router the logs remained empty. So after 2 more years of paying I let it lapse and stuck with the built in firewall.

      I used to obsessively pay attention to outbound connections, but given they always ended up being legit software that I would just say yes to I grew bored with it and stopped. I guess it comes down to what you are doing with your computer. If you have reason to monitor outbound then something like Zonealarm is good. If you're a boring old fart like me who only runs 100% trusted software and doesn't really experiment then perhaps not.

      Something is wrong with your PC, running 7 pro on my netbook with MSE and there is no performance issue...

      I'm now using Panda Cloud, and there is no problem with it, in fact my computer is faster!

    I've traditionally used Avast AntiVirus but did trial Security Essentials a few weeks back. Both are good and avoid the bloat of Symantec and Norton offerings.

    To help avoid accidental infection by non-technical members of the household, we only use webmail. Hotmail and Yahoo Mail both scan for infestation before downloading a file.
    Above all, I recommend that nobody download any files they're not expecting. If they're suspicious, email the sender to verify.

    I do like the bit about UAC though. I have one Vista machine that is constantly warning me about the activity (or crashes) of my HP printer drivers. It does somewhat get in the way of the machine's usability so maybe it is time to disable it?

    Good article.

    I think a number of your comments are naive - sorry.

    Re: outbound firewalls. They are great for access control. I use ZoneAlarm because it tells me what is trying to dial out and I can control access for what does/doesn't have access. It also indicates what is "new" that is trying to dial out.

    I also use a virus scanner - I've had a few little utilities over time that have been nasties. For example, I once downloaded JKdefrag which is a reputable defrag tool. My virus scanner warned me that it was infected. JKDefrag had a good reputation from a known site.

    Each to their own. Like the person who speeds recklessly in their car and say "I've never had an accident".

    Joe D Plumber

      @Joe D Plumber. You may want to stick to drains my friend. Either that or learn to research your security rather than just clicking 'OK' when WhizzBang Security Suite Plus pops up a warning (google 'jkdefrag virus false positive')

    "I haven’t used real-time antivirus software on my PC in 10 years" Same here. Using YahooMail with its inbuilt virus scanner too helps with the mails...

    Have used F-secure online virus scanner instead of installing bloatware.

    The real problem is with clients of mine who surf porn with IE, doing it half cut, they click on anything, next thing an infected PC.

    Excellent article. I run a large school network and we're constantly on the cutting edge of virus attacks. We use McAfee to handle our AV centrally, but even with daily updates pushed out to PCs we still see the occasional virus make it through.

    Just this week we encountered a new one, a sample sent to McAfee showed that they hadn't seen it before and are now developing a DAT to detect it. Avast and Avira also didn't detect the virus, but the Microsoft Security Essentials DID!

    That's a big vote in its favour. Now if only they had a tool for my network so I could deploy, manage and report on it as well!

    Your comments about safe browsing and not using a virus scanner are valid too, I am like you and for many years didn't worry about a virus scanner. Never got infected, always patching up other people's PCs not my own. I have a damn good idea of everything that goes onto my machine.

    However in the past few years with the number of web exploits about and a new found liking for torrents I've made sure that I do have good AV on my PC and every once in a blue moon it actually spots something that might have otherwise slipped through, but I could count these occasions on one hand.

    I'll be passing this article onto staff as required reading.

      Microsoft offers Forefront Client Security, which is pretty much similar to MSE, with centralised deployment.

    I have been using MSE since it was made available and it has been brilliant. It runs so much faster than AVG on my Windows 7 machine and it has picked up any suspect files straight away.

    This is, frankly, ludicrous. If you care about security, you don't run Windows. If you run Windows, you don't care about security or are delusional.

    There are no ifs or buts there. Microsoft's track record over the last twenty years is absolutely consistent: it's a cesspit. Windows fans and antivirus vendors keep claiming there'll be Mac and Linux viruses any day now, but the Windows:Mac:Linux virus ratios in the wild still seem to approximate 100%:0%:0%.

    Speaking of security in the context of Windows gives false hope to people. It is not capable of security. It is unsafe at any speed.

      I guess I'm delusional then.

      Sure there are lots of viruses out there, but my virus scanner has yet to encounter one. I use PC's at work all day, and I can't say I've ever lost any worktime because my computer has been taken out due to a security issue or simply exploded from the shame of running windows.

      You linux/mac people seem to think that we windows users can't go 20 minutes without a crash, virus attack or electrocution from dribbling all over the keyboard. I've just run 'net statistics server' from the command line and it says I haven't rebooted my computer since 5th october. From memory that was because the power to the building was shut off.

      That being said, this message that automatic update wants to restart my computer has been bugging me for awhile now.

      But geeze man, lighten up. I've never understood how people can be so offended by other people's computer choices.

      Ok... well anyone saying there is a total of ZERO mac viruses are... well... stupid, first off ask all your mac friends(Like your teachers and such) about how many viruses they have gotten before and I swear to god a few of them will say they have, the same goes for linux.

    Wow, David, tell us how you REALLY feel.

    With regards to the claim that "8 of 10 malware samples can actually bypass UAC", I believe that is rubbish. Remember that claim came from Sophos, from a guy who seems to have the job of scaring people.

    His article was deliberately vague about what he was actually testing. All he did was run 10 malware samples on a windows 7 machine. 2 crashed out with errors.

    However he didn't actually report on if any of those 8 samples actually infected the PC. I checked out the technical details on what changes the first one of the 8 actually does to your pc, and it writes to folders that you cannot access without elevation if you have UAC on.

    The UAC dialog we all love to hate doesn't automatically come up when an application does something that requires elevation - the application will receive an error from Windows when it attempts the API call that isn't allowed. It's up to the application to ask Windows to restart the process, with elevation - and then Windows will show the UAC dialog.

    I'm pretty sure that those malware samples didn't get around UAC, that would be a serious security hole. I'm picking that they tried to infect the PC and ignored the error windows returned. After all, if you are trying to be sneaky and infect a PC and fail you probably don't want to advertise the fact you tried and failed.

    If MS-Windows is so secure now, why are you using Debian Linux for your website? ;)

    Perhaps you'd care to transfer the site to a MS-Windows server instead and not use any third party firewall or anti-virus protection..

    If you really believe in what you wrote that is.. or would you prefer a more secure choice?

      At a very rough guess I would say that it is because Linux is very good at doing things like this?

      I use Windows for my desktop because it meets my needs on the desktop. Linux runs my fileserver because I believe it does a better job there than Windows. I recommended a Mac to my inlaws because I felt it would better suit their needs.

      You are allowed to use, and even like, more than one type of OS you know.

      If knives are so good, why aren't you using one to eat your cereal?

      Deadset. Sometimes you wonder.

        Yeah, pretty silly territory wars going on here.

        I've been a mac user for the past 5 years (for video/audio editing, fieldwork), but just got a PC for my research/writing/admin needs and I love them both for what they can do. Like Craig said, I think if people keep an open mind and pay attention, they'll find what they need.

        Anyhow, this is supposed to be a forum about anti-virus/security issues. I just downloaded the MSE based on the review from Johnathan T here:

        http://www.techsupportalert.com/best-free-anti-virus-software.htm#MSE

        and the link to this site was in the discussion.
        MSE upload/install was smooth after uninstalling supplied Norton trial. So far no problems.

        I am nowhere near to being even a demi-geek, so I just wanted to thank you all for sharing your specialK. You are helping a lot of people. Stay real.
