06/08/2009

Antivirus Testing for Windows 7

We've gotten a few requests in Ye Olde Mailbag recently asking if we're planning Windows 7 antivirus reviews anytime soon.

That depends on what you consider "soon," frankly. ;-)

With the fairly recent public release of the Windows 7 beta (for free, no less!), the initial reviews of the OS are good, and even though it's officially labeled a "beta" product, it's clear it's very, very good.

The general consensus is that it's everything Vista should have been.

Given the loud backlash against Microsoft for Vista, I'm glad Windows 7 is starting with such good reviews.

Do You Need Antivirus with Windows 7?

With Vista's release, Jim Allchin, Microsoft's former President, was quoted at betanews.com as saying,

"My son, seven years old, runs Windows Vista, and, honestly, he doesn't have an antivirus system on his machine.

"His machine is locked down with parental controls, he can't download things unless it's to the places that I've said that he could do, and I'm feeling totally confident about that.

"That is quite a statement. I couldn't say that in Windows XP SP2."



That really is quite a statement; however, he also pointed out,

"Please don't misunderstand me: This is an escalating situation.

The hackers are getting smarter, there's more at stake, and so there's just no way for us to say that some perfection has been achieved.

But I can say, knowing what I know now, I feel very confident."



Given that, as company president, it was his job to tout the features and benefits of his company's products, I'm not surprised by the first statement, per se; however, I do think it was cavalier of him to be dismissive of antivirus software.

Here we are now, a couple of years into Vista, and clearly Vista machines are indeed being infected with viruses, worms, trojans, spyware, and all sorts of other malware (albeit perhaps in different ways than on other versions of Windows), so it's pretty clear these things are still as much a threat to this OS as they are to other OSes.

And, viruses will continue to be a threat to Windows 7, too, no matter how well locked-down a given computer may be.

So What About Windows 7 Antivirus Reviews?!

Ah, yes, back to the original point: when are we going to get antivirus reviews up for Windows 7?

We've got some other things cooking right now with tons of new pages that help our users do a head-to-head antivirus comparison of the different A/V software we've reviewed, but once that's done, Windows 7 antivirus reviews look like they're next on the horizon for us.

The initial expectation is that A/V software that runs well on Vista should also run equally well (and perhaps better) on Windows 7.

If you're technically inclined and are interested, here's where to download Windows 7.

03/21/2009

Conficker Worm April 1 Activation Date

What's in store for us on April 1st 2009 with the Conficker worm?

There are a lot of educated guesses being floated, many of which are in this New York Times piece on the Conficker activation.

As the piece points out,

"It is possible to detect and remove Conficker using commercial antivirus tools offered by many companies. However, the most recent version of the program has a significantly improved capacity to remove commercial antivirus software and to turn off Microsoft’s security update service.
"It can also block communications with Web services provided by security companies to update their products. It even systematically opens holes in firewalls in an effort to improve its communication with other infected computers."

For more information on detecting it, here's the Microsoft Conficker detection tool and Norton instructions on how to manually remove Conficker.

03/02/2009

New Trojan Targets Unpatched Microsoft Excel Flaws

There's recent news afoot from a number of sources, including The Register, about a Microsoft Excel Trojan.

Several versions of Excel are vulnerable to this particular bit of malware, including:

  • Excel 2000
  • Excel 2002
  • Excel 2003
  • Excel 2007
  • Excel 2004/2008 for Mac
  • Excel Viewer
  • Excel Viewer 2003

How do you get this trojan?

Since it takes advantage of a flaw in Excel (and the Excel Viewer), all you need to do is open a specially crafted Excel spreadsheet. Once you open it, the trojan payload is instantly delivered to your system.

What's being done

As of this writing, Microsoft's official word on the Excel vulnerability is,

"At this time, we are aware only of limited and targeted attacks that attempt to use this vulnerability."

The Microsoft Security Advisory goes on to say they've not yet decided whether to release a patch as a part of "Patch Tuesday," a service pack, or something "out-of-cycle."

As with any new virus, trojan, or other malware, we urge readers to make sure you're running current antivirus software and that your antivirus signatures are up to date.

If you're not sure if your antivirus software is up to snuff and does everything it should, we have a page to help you compare antivirus software.

02/16/2009

Microsoft Patch Tuesday: Another Angle

To the uninitiated, Microsoft has one day monthly, "Patch Tuesday," they call it, where they release bug fixes and patches to their software.

A recent blog at IT World on Patch Tuesday talks about the once monthly cycle and asks if this is often enough.

They claim, perhaps accurately, that most IT security pros like the once monthly cycle because it lets them plan better and it lets upper management "manage better." Further, they claim, it actually makes things "more secure" by making things regular.

This is total, complete, utter garbage. Garbage on multiple fronts at that. Here's why:

Just because you as a home user or an IT security pro have updates made available by Microsoft (or any other software vendor for that matter) does not mean you have to apply them the same day they're released!

Let me put it another way...

If Microsoft were to continually release updates as they were ready for release to the public by their developers (rather than sitting on the patches until the arbitrary "Patch Tuesday"), then individual home users and companies alike could choose when to patch things according to their own schedules and computer security needs.

If you're a web hosting company with dozens, hundreds, or even thousands of servers under management, you have a very different set of concerns than a home user with three machines, right?

You also have a different ability to execute tasks. Rightly so.

With that in mind, why not put the power--and the security--in the hands of the customers and let them choose when to patch?

If a company wants to patch on the second Tuesday of each month, they by all means certainly can; however, if a company--or an individual user--has a particular exploit that is of concern to them, and they need to patch their server(s) today, they by all means certainly can.

Plan it. Manage it. It's easy.

But to say that the once monthly cycle makes it easier for IT shops to manage is absurd bordering on delusional. It literally takes management decisions away from the managers and IT pros and shifts the burden of decision making onto Microsoft.

How does that possibly make sense?

That's akin to saying it's easier for you as a company (or an individual) to plan paying your bills if your bank only makes your money available to you on the second Tuesday of the month!

As an individual--and especially as a business--who knows how many times you get paid in a given month (i.e. the developers said the patches were ready), but the bank (i.e. Microsoft) instead sits on the money (i.e. the patches) 'til the second Tuesday.

For most desktop PCs, security at a fairly basic level boils down to: solid firewall software, good antivirus software installed and updated, OS patches applied, and, if you're smart, other software patched, too. Maybe you throw in anti-spyware, too, to be on the safe side. Fine. (If you're really smart, don't run as Administrator, either.)

But at least let home and business users make the decision themselves about their respective security... I'll schedule my own bill payments, thanks.

02/12/2009

Conficker Worm Reward Offered by Microsoft

Our blog has been quiet for a few days as we work on putting together some new guides to securing your computer and some other resources to help our visitors secure their PCs--and keep them that way.

We hope to have that wrapped up in a couple of days here, but meanwhile, more news from the Conficker / Downadup front.

Microsoft announced in a press release today they're putting up a tidy reward of $250,000 (US) for info to bring the miscreant[s] to justice. In their press release about the Conficker reward, Microsoft disclosed that they're working with ICANN (Internet Corporation for Assigned Names and Numbers) and "operators within the Domain Name System" to disable sites that are targeted by Conficker.

"To optimize the multiple initiatives being employed across the security industry and within academia, Microsoft helped unify these broad efforts to implement a community-based defense to disrupt the spread of Conficker."

While it's hard to discern from the lawyerese press release exactly what they're doing, there definitely appears to be a concerted effort to stem the tide of this worm. Among the groups involved are:

  • ICANN
  • NeuStar
  • VeriSign
  • CNNIC
  • Afilias
  • Public Internet Registry
  • Global Domains International Inc.
  • M1D Global
  • AOL
  • Symantec
  • F-Secure
  • ISC
  • researchers from Georgia Tech
  • The Shadowserver Foundation
  • Arbor Networks
  • Support Intelligence

Notable on the list to us were the Georgia Tech researchers as well as anti-virus software makers Symantec and F-Secure. We salute the private sector and education researchers for working together on this.

Too bad it takes a worm outbreak to make such an effort happen.

On February 6, 2009, more information was made available by Microsoft about Protecting Windows from Conficker. We encourage our readers to have a look.

02/05/2009

Antivirus protection the old-fashioned way...

As most everyone would agree, in this day and age, anti-virus software of some kind is a necessity on your PC. In-the-know PC security experts would even go so far as to say a firewall is necessary, too.

But what most never bother to talk about is other preventative measures--free ones at that--that you can take to make (and keep) your PC significantly more secure.

What most consumers--and even some businesses, too--don't know about Windows 2000, Windows XP, Windows Vista, Windows 7, Windows Server 2003, and Windows Server 2008 is that you can set up different accounts with different levels of permission on the computer.

What's the big deal with this?

Here's the scoop: there are two basic levels of permissions in Windows: Administrator and User. Practically speaking, all accounts in Windows are one of the two. Here's where things go off the rails...

Microsoft, in their infinite wisdom, makes all default user accounts Administrator accounts. This means the user account you originally set up your Windows XP with is an Administrator. Administrator accounts can do virtually anything to the computer.

Administrators can install files. Administrators can kill processes or running programs. Administrators can change the priority of some tasks to make them get more of your machine's horsepower or less.

That doesn't sound so bad, but here's where the plot thickens. Administrator accounts can even hide processes and other things on the machine, and, as we already know, Administrators can install programs.

What does that have to do with viruses? Well, what is a virus really other than a program with malicious intent?

Thus, this means many viruses, since they're nothing but evil programs, actually rely on your account being an Administrator for them to even function!

So, long story short: since Administrator accounts are needed (in many cases) to have the permission to install the virus, trojan, worm, spyware/adware, or other malware in the first place, what would happen if you weren't an Administrator?

Elementary, my dear Watson.

You make it harder for your computer to get infected in the first place. Much harder, in fact. There's a really interesting piece over at Computerworld about the benefits of removing administrator rights and running as a regular user. One company, BeyondTrust Corp, is quoted in the article as saying,

"When BeyondTrust looked at the vulnerabilities patched for Microsoft's browser, Internet Explorer (IE), and its application suite, Office, it found that 89% of the former and 94% of the latter could have been stymied by denying users administrative privileges."

Wait a second here... you mean to say something like 90% of the vulnerabilities could have been mitigated just by using the right user account on my computer?

Yup.

Couple that with Internet security software, and you've got a really solid level of protection against most viruses and most other computer security threats.

OK, now that we understand there's something else you can do to prevent viruses from getting onto your computer, the question is: how do you make an ordinary User account that doesn't have Administrator rights, and how do you use it?

The single most important thing to remember is this: you must keep at least one Administrator account on your computer, so DO NOT delete the one you're using now.

Secondly, if you're going to try this, bear in mind that things can go wrong--horribly wrong in some cases--when you try to deal with accounts and permissions issues. If it breaks, you're on your own.

Here are Microsoft's instructions on how to create & configure user accounts in Windows XP.

Once you have your new account made, you may need to grant permissions to that new account to run the various programs you intend to run.

To do this, you'll need to either log out and back in as the Administrator, grant permissions, then log out as Administrator and back in as your new User account -OR- familiarize yourself with Microsoft's "Run As" command (runas.exe), which temporarily lets your current user account perform a certain task as Administrator without the pain of logging out and back in.

Now that you've gotten that far, start using the regular "User" account to perform your ordinary day-to-day tasks. After a couple of days of use, you will probably have encountered just about all of the little permissions snags where you need to grant permission to such-and-such software for your new User account to function.

Then, when you purchase new software and need to install it, just log in temporarily as your Administrator account, install the software, and grant your new User account permission. Then, when you log in as that User, you'll have the benefits of both your new software and significantly increased computer security over and above your antivirus software.
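The procedure above, scripted, as an added example that is not part of the original post or Microsoft's documentation: it creates a limited local account, confirms the account ended up in the Users group only, and checks which kind of session the script itself is running in. It assumes a Windows XP-era or later machine with PowerShell installed; the account name "DailyUser" is a made-up placeholder, and net.exe is used instead of the newer New-LocalUser cmdlet because net.exe exists on every Windows version the post lists.

```powershell
# Added example (not from the original post). Run this ONCE from your existing
# Administrator account; it creates the day-to-day limited account the post recommends.
# "DailyUser" is a constructed placeholder name; pick your own.

$UserName = 'DailyUser'

# Returns $true when the current session's token is in the local Administrators
# group, i.e. it has the rights the post says malware relies on.
function Test-IsAdministrator {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Creates the limited account. "net user ... * /add" prompts for the password
# itself, so the password never sits in a variable. A newly added account is a
# member of "Users" only; the /delete line is a belt-and-braces removal from
# Administrators and is harmless if the account was never in that group.
function New-StandardUser {
    param([string]$Name)
    net user $Name * /add
    net localgroup Administrators $Name /delete 2>$null | Out-Null
}

# Returns the group-membership lines from "net user" so you can confirm the
# account shows "*Users" and not "*Administrators".
function Get-AccountGroups {
    param([string]$Name)
    return (net user $Name) -match 'Group Memberships'
}

if (-not (Test-IsAdministrator)) {
    Write-Warning 'Run this from the Administrator account, and keep that account.'
    return
}

New-StandardUser -Name $UserName
Get-AccountGroups -Name $UserName

# Later, while logged in as the limited account, a one-off administrative task
# without logging out (the post's "Run As"); cmd.exe is just an example target:
#   runas /user:Administrator "cmd.exe"
```

Test-IsAdministrator is the handy part to keep around: run it from the new account after the switch, and a result of False confirms your everyday session is the limited one. On Vista and later, note that an Administrator account running under UAC also reports False until a process is elevated, so check from the account you actually use day to day.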

01/22/2009

Virus Protection Warning about Autorun.exe (more on Downadup / Conficker)

Some readers may be unfamiliar with US-CERT. US-CERT is a big deal. It's the official United States Computer Emergency Readiness Team.

As a division of the Department of Homeland Security, they're charged with helping keep U.S. citizens' computers safe.

This week, in their revised advisory on Downadup / Conficker, they announced that the recommendations from Microsoft to help protect yourself from the worm are "not fully effective." Ouch.

We originally covered the Downadup / Conficker worm after Computerworld revealed 1 in 3 PCs was still vulnerable.

Considering that Microsoft issued a Downadup / Conficker alert and a worm patch way back in October 2008, the responsibility for the worm's spread can't really be put at Microsoft's feet. They issued an "out-of-cycle" (i.e. emergency) patch for it; it's up to us as consumers to take action.

Lastly, lest it go unsaid, remember that firewalls and antivirus software alone are not enough to keep your PC safe. You have to keep it--and all your software--patched, too.