This is a good thing. Anti-virus companies have gotten lazy, mostly to increase profits.
I have in-house knowledge of an anti-virus product (BitDefender) that could have been the best in the world. But instead the board of directors decided one day that the product is too good and that they should keep it down a notch, as it wasn't worth it to keep so many talented developers on the payroll. The product itself is still good, but is bloated (as normal users need to see a lot of background activity and red lights for the cost to be justified) and it's not what it should have been.
In general I feel bad when companies get bitten by Microsoft's anti-competitive behavior, but not this time.
> normal users need to see a lot of background activity and red lights for the cost to be justified
The corporate versions of anti-malware are usually better because they can avoid all the klaxons and alarms and flashing dialog warnings, because it's not the user who pays, it's someone else in the corporation.
As three14 says below, some Anti-malware software feels awful to run; really nasty interfaces and nasty mangling of the experience. Having the machine run a scan when the user is away helps.
But I'm surprised there isn't a better AV product out there.
I would be more bothered if other vendors' anti-malware wasn't terrible. Every virus-like behavior I've seen over the past several years was actually anti-malware misbehaving. One particular peeve is disk usage - anti-virus scans at a low priority, but somehow the disk slows to a crawl anyway. I suspect that the antivirus gets fewer I/O requests serviced, but causes many seeks so once it gets an I/O request honored, the disk is tied up until the seek completes. It would be nice if the OS took care of this, but given that it doesn't, I blame the anti-malware vendors for not caring about their customers.
I say this to many people. If the definition of a virus or malware is something that hinders performance and functionality of your computer, then most commercial AV products fit the bill. They have a massive footprint, stop you doing normal things, constantly interrupt you and generally are impossible to remove completely.
It staggers me how competition in the anti-virus market gave us so many bad products. Even the ones that started out good slowly morphed into expensive bloatware. Security Essentials was the first step against that trend, and I'm happy to see it go all the way.
> It staggers me how competition in the anti-virus market gave us so many bad products.
They all suffer from the problem of "This rock keeps tigers away." A large proportion of AV instances never incur any malware at all; it gets stopped at the corporate firewall level or the users just don't browse to any infected sites. So how can you tell that the AV package is even doing anything? It must keep itself in the user's face to seem productive, or else that AV package will lose sales to a competitor that looks like it does more.
You know all those email taglines "This message was scanned by Norton AV" or whatever? Those are trivially fakeable and carry zero security meaning, or even worse than zero in tricking someone into falling for a fake. Their presence is obvious when you understand what they really are: advertising for the AV package.
Security Essentials is the first AV package that's not motivated primarily by sales, so it has the ability to stay out of the way where commercial AV products can't. (Why does MS Security Essentials exist at all? I recall one MS blogger, probably Raymond Chen, mention in passing that MSSE was created to reduce Microsoft's own support workload, as a fair number of support tickets with Microsoft are caused by malware.)
The disk performance problem may be because all the file accesses effectively flush the disk cache, rather than just the number of seeks. Other than that, couldn't agree with you more (and that's why I don't use Windows machines these days unless there's no other option).
It could be, but virus scanners don't use FILE_FLAG_NO_BUFFERING? It seems relatively easy for them, and if some did and some didn't you'd get reviews like "slower than the competition".
I don't claim to have any special knowledge here so yeah, could be. I didn't know about that flag BTW - thanks for mentioning it. It sounds similar to O_DIRECT on Linux?
Pig and Hungry hungry hippo eh? Couldn't have put it better myself. So tired of seeing this crap foisted upon people who don't know any better. While I see the author's point about it being a bad thing for all users to be protected by the same antivirus software, I must say that MSE is the only antivirus software I've ever been comfortable using. I didn't use antivirus software for well over a decade, but MSE has such a small footprint and is so unobtrusive that it's now a question of 'Why not?'.
Some people seem to have forgotten that the reason MSE is so good is because Microsoft have an entire department that explores those DrWatson errors people send them. Some of the time the reports include virus authors' early attempts which are accidentally sent and then used to create virus definitions.
If MSE was installed by default, the data MS would have to improve it would increase by a substantial amount. Also, MSE is generally rated the best AV in pretty much every independent review I've seen.
"Malware authors. You don't think they're going to ignore this development, do you? If most budget-conscious home users stick with Microsoft's built-in offering, then surely the first thing the bad guys will do is make sure their latest creation can slip past Microsoft's scanner."
While misguided, this point raises a problem. By having a single 'default' AV installed, it might mean the attack surface is made simpler as malware writers need only target a single scanner. With MS' demonstrated speed in addressing issues however, I doubt this is a great threat.
Am I wrong in wishing for Microsoft to take a step toward sandboxing/code signing instead of playing the cat-and-mouse (and sometimes snake oil) game of antiviruses and antimalware products?
Admittedly, this is probably not feasible by definition since the Windows ecosystem gives developers infinite freedom. And sandboxing is not trivial to get right. "Bad" applications will just go out of their way to entice the user to allow "read and write all my files." And sadly, users don't really read or understand warning dialogs. But one could wish, right?
Signed, someone who has seen too many friends' computers slowed down with said antiviruses, defenders, and always a plethora of toolbars.
I was one of the folks in charge of defining and building the Windows Phone 7 application platform. I pushed extremely hard to ensure that when WP7 shipped the app sandbox was tight, tight, tight. So much so that I pissed enumerable people off because we refused to open it up to anything but managed code. I always argued that the product would be better off in the long term with a real reputation for being solid & secure.
It was hard to do, but we were able to do it because WP7 was basically a v1 product and we had no backwards compatibility requirements (or existing customers <g>).
For Big Windows, it's a lot harder. A LOT HARDER. But I have read that Win8 will have a sandbox for new apps. That should help a lot, but it really is just a start. AV software will still be a necessity for most users.
Thanks for the reply. Definitely interesting to hear what it is like on the "other side" of the drawing board.
Android is actually an interesting case. Android applications are sandboxed. It's just that applications can request some very dubious permissions ("read all your SMS messages") and users don't know any better and don't read the fine print. The flexibility does allow for some excellent customizations (e.g. Swype keyboard replacement), but the risk of shenanigans is also there.
TechCrunch says:
> One of the most popular forms of trickery in Q3 was SMS-sending Trojans that collect personal information and steal money. Another new method of stealing user information is malware that records phone conversations and forwards them to the attacker.
These are not classic viruses in the purest sense. These are not, say, buffer overrun exploits. These originate from apps the user downloaded that do other, sneaky things.
How do you protect the user from the user? The other flip side is iOS where almost everything is heavily locked down, except perhaps for the AddressBook API. The user is not very trusted, and essentially has no way of opting-in to anything really dangerous. This does severely limit the interesting cross-app interaction cases. But I can sleep safely knowing that my iPhone-holding non-techie family members can't download anything that would cause harm.
Since educating users across the board is likely impossible, does this mean the tough Apple approach is the way of the future (loosely speaking)?
The WP7 API surface area is very much locked down. For example, in v1 we did not provide any access to the address book (other than a chooser). There is no way to do cross app IPC. There was no background processing. No sockets. Etc...
As I went around the world "selling" the WP7 story to developers I got very good at saying "I'm sorry, but in this version of the platform the app you want to build is not possible."
I found that once this sunk in, developers were actually really glad we were so clear and unambiguous. They weren't necessarily happy, but it felt good (to me) knowing we'd been principled and consistent.
I personally believe this is the only way to build a modern client platform. Start with very tight controls and open it up only when
* There is a well understood use case.
* You have the time/resources to do it right.
I do not mean to be overly pejorative about what Google has done with Android (because, in the large it's truly awesome), but I firmly believe that when it comes to building platforms once the cat is out of the bag it can't be stuffed back in. I'm specifically referring to BOTH the tightness of the sandbox and fragmentation BTW.
<pedant>"Enumerable" means almost exactly the opposite of "innumerable", which I think is what you meant: (Enumerable: able to be counted. Innumerable: not able to be counted.)</pedant>
The notion Android has a malware problem is odd to me. I've been using an Android phone for more than a year and never experienced anything suspicious. I am yet to see someone who had a virus/malware problem with it.
But then I ran Windows boxes for decades without a single non-intentional infection. I'm not the average person.
Dear downvoters: how serious really is this "Android malware problem"? I understand you can put a malicious app on the store and some clueless idiots will install it, but, then, we have windows on buildings and every once and then some clueless idiot falls through one. We don't call it "the window problem".
That's not really an apt comparison, as the windows are not disguising themselves as, say, bathroom doors, a place many people are likely to visit. It doesn't have to be massive to be a problem or even to be significant, it just has to be out of the ordinary. The reason this is a problem is because many people trust their phones, don't expect malware to infect them there, and they have no way of knowing what is a malware app and what is not.
The reason this is a problem is because it is happening, and it is picking up speed. If your engine is leaking oil, you take steps to get it fixed _before_ your pistons seize. That's what this article is trying to highlight.
Again, I refuse to believe I live in a magical land unaffected by the daily problems that cost countless sorrows to the rest of mankind. I never experienced an Android malware and never heard of someone who did. It's entirely possible someone somewhere installed a malicious application or jumped out of a window, but the fact I know nobody who did it gives me pause when people say the sky is falling.
>It doesn't have to be massive to be a problem or even to be significant, it just has to be out of the ordinary.
The fact that it exists, regardless of if anyone installed it or was damaged by it, is the problem. It's time to start thinking of solutions for that problem _before_ you or anyone you know is affected.
If we look at it this way, we should address the problem of sandbox escape on WP7 because it can happen; we don't know exactly how.
One way to check for malicious software on Androids would be to automatically run it on virtual hardware and flag malicious behavior for review by human beings.
I agree. The best way to protect from malware is to stop it before it happens. What better place to be able to do this than on embedded software, where everything can be controlled centrally? It'd be hard to fully protect sideloading apps on Android, but at the very least the marketplaces should be fully protected.
Every app on every marketplace should be tested for malware, and the device should be able to scan for apps acting outside of the limitations imposed in the API. I have a WP7 device, and it's kind of like the new Mac where thanks to its marketshare it's not a huge target. But I'd be willing to bet there's some exploits out there that could be targeted, and that scares me as a netsec employee.
That's right. It's also easy to make an insecure platform.
The hard thing to do is to balance these two things.
This reminds me of two of my favorite quotes:
“Fools ignore complexity. Pragmatists suffer it. Some can avoid it. Geniuses remove it.” – Alan Perlis
“Making the simple complicated is commonplace; making the complicated simple, awesomely simple, that’s creativity.” – Charles Mingus
> Am I wrong in wishing for Microsoft to take a step toward sandboxing/code signing
IMHO, these are tools to keep a tight control of your platform and it won't keep the malware/viruses out, even if malware authors will have to be more creative. It creates a false sense of security (i.e. security theater). If you don't believe me, see http://www.jailbreakme.com/ ... a hack that can jailbreak your iPhone just by visiting a webpage and clicking on a link. If you have a recently upgraded iPhone, it probably won't work, but the author of this has already upgraded it to use a new unpatched exploit at least once. And I'm pretty sure that Microsoft cannot do a better job securing Windows than Apple did with iOS, mostly because iOS is a seriously restricted platform.
You could also argue that the area of attack becomes smaller and that in general this is a good thing. However, personally I'm not concerned with script kiddies that are just trying to have fun at other people's expense, as based on my own usage patterns I could never be infected, because such people do not have the capability of distributing such malware to me (as I'm only getting software from reliable sources). The threats I'm worried about come from the people with in-house expertise and that are earning money from this activity, as they do have the means for mass distribution and the potential for real damage to your bank account and online identity.
Maybe it's a PR move for Microsoft more than anything. "Windows 8 has a built-in anti-virus and is more secure than ever!"
I feel like Windows gets targeted the most because there are just so many computers running it. If 80% of computers out there ran OSX I wonder if anyone would give a shit about the next vulnerability in Windows.
However, speaking about Windows, historically has been pretty insecure by default. Microsoft started giving a shit only recently, after the failure that was Windows Vista and the bad press associated with it.
Pff, if that annoying and totally ineffective UAC dialog is the best they could do in more than 5 years of development, I shudder to think what happens when increased security is not the goal of a release.
And btw, I don't know what you mean by the early XP era, but you're probably referring to a timespan of at least 20 years.
Yeah, I was being sloppy. There was and is malware on Windows for a long time but it only became a widely recognized "epidemic" in the late 90s - early 2000s.
But the real point is that it's just nonsensical to say that Microsoft has been more focused on security as a reaction to bad press of Vista - whether you like or hate Microsoft or Windows or Vista, there's just no interpretation of the timeline under which that makes any sense.
I believe the Metro-style apps do run in a sandbox. It's conceivable that Microsoft could make a version of Windows 8 that did not support old style apps, so in that case all apps would be sandboxed.
1. This is bad for antivirus vendors who want to continue doing the same ol' thing. McAfee, AVG, and others are still terrible, and Norton has got such a bad reputation that even though its recent products have improved (somewhat?), it will be a long time before independent consultants start recommending it again. So this is going to put pressure on these companies to do something newer and better, which is great.
2. But, it likely won't change what actually ships with new PCs, since PC vendors these days (Dell and Acer directly, Best Buy, Staples, and others) make their margins by shipping computers with a free trial version of McAfee or Norton in the hopes that the customer will be snookered into paying for the software. In our experience, most customers do end up buying it, since they don't know any better.
3. Although we recommend and love Microsoft Security Essentials, it is not perfect. Just last week we had to do a manual cleanup of infected register systems for a local business where both MalwareBytes and MSE missed major components of the virus. The leftover components were sufficient to re-infect the systems -- while running in Safe Mode. (This was XP, for those wondering.)
4. Malware developers still have a lot of tricks they haven't even tried yet, that honestly I'm surprised haven't shown up already.
5. Malware is largely a commercial industry now, so there will be financial pressure on malware developers to adopt new tactics to defeat the bundled antivirus.
6. But, antivirus technology also still has a lot of room to improve. Microsoft especially is in a unique position to do this because they can legally do things like repair infected or damaged components of Microsoft software from clean copies, which might be a legal gray area for independent companies. (I am not a lawyer and all that.) Microsoft has the capability and resources for example to develop software which can examine key operating system areas for anything that looks suspicious -- something which most antivirus software doesn't do now.
7. In our end of the business, it could be a mixed blessing. On the one hand, we lose money on every single virus cleanup that we do, and I hate charging people for it anyway. On the other, it does drive new customers to us and gives us the opportunity to really make a strong first impression. But I won't cry into my pillow at night if Microsoft somehow manages to eviscerate the malware industry.
8. But, I'm skeptical about rapid adoption. What we're seeing right now is more and more people trying to keep their computer-related costs down. We're still doing significant XP support -- probably over half of our Windows users, if I had to estimate -- and, earlier today, the only reason we were able to convince a client that they would actually be better off buying a new replacement system is because decent IDE hard drive upgrades right now just aren't worth it. If this trend continues, and if Windows 7 continues to be "good enough" for most people, it'll be years before we see enough adoption of Windows 8 to make a dent in malware, which gives the malware developers plenty of time to adapt. (But, I could be surprised. Then again, what I've seen so far of Windows 8 isn't exactly compelling.)
9. Finally, the best place right now to stop malware, in our opinion, is still the browser. Chrome + AdBlock Plus by itself typically prevents repeat malware cleanups. The major exception to this was Limewire.
So, basically: I don't think this will really have that much of an impact any time in the near future, but if it does, it will probably make malware nastier and antivirus software better, and it will still be business-as-usual for support companies, which means it won't really improve consumers' lives much.
> Chrome + AdBlock Plus by itself typically prevents repeat malware cleanups.
That's interesting because Chrome is installed as the user (and so writable by the user), not as admin (like everything else). Chrome should be easier to infect.
No, unfortunately. :-( One of my 2012 projects is to build us a system that can keep track of all this stuff so I can publicly provide real data on what we see instead of winging it.
Web-wise, there seems to be two primary sources of infection: malicious ads on legitimate websites, and poisoned search results. (Compromised websites were all set to be a strong third source, but Wordpress cleaned up its act and we haven't seen as much of that this year.)
AB+ takes care of the ads, which seems to be the biggest source of infections. Chrome seems to be pretty resilient to direct attacks against the browser so far, if statements from people at CanSecWest are anything to go by. (With at least one known exception [1].)
We make guesses about the source of the infection based on the type of infection, what we find in which temp folders, and the client's browsing history -- if they're OK with us looking into that.
edit: I should explain that we've seen the same results from Firefox w/ AB+.
Chrome's sandbox has an extremely solid design and implementation. It's far more robust than anything else available, and we have yet to see an attack in the wild that can bypass it. Our big remaining weak spot is NPAPI--because plugins can't be sandboxed without completely rewriting their platform layer. Using AdBlock addresses this weakness by preventing plugin content from loading. You can achieve the same effect by turning on click-to-play or plugin blocking.
The linked video from VUPEN doesn't actually show a Chrome hack. It's a Flash exploit, which affects any browser with Flash installed (including about 98% of desktop browsers). We've been working for almost two years on developing a fully sandboxed Flash implementation, and expect to ship it to all platforms early next year. It's taken so long because sandboxing a large existing application is a huge engineering effort--particularly when you have such a long compatibility matrix. FWIW, the custom PDF reader we ship has always been fully sandboxed, just like all normal web content in Chrome.
Currently, the only Chrome platform with a fully sandboxed Flash is ChromeOS, because we had to rewrite the platform layer from scratch anyway (and did not implement several Flash features initially). The Windows version of Chrome also has a sandbox of a sort; it runs Flash in low-integrity mode (just like IE on Vista+). This is nowhere near as strong as the real Chrome sandbox, but we were able to implement it relatively quickly as a stopgap measure. The shipping Mac and Linux versions have no Flash sandbox right now.
Thank you for helping to build such a solid browser. We love it, and our clients love it, and we love working on a first-time client's machine and seeing that they're already using it. :-)
Thanks for the info. I use AdBlock Plus and I love it too.
On a related note, what do you think about NoScript? Does it really help prevent attacks these days, or are NoScript users just being paranoid? I use NoScript with AdBlock Plus, but so many websites rely on JS these days, it gets annoying pretty quickly.
Based on what little I've seen of compromised websites being used to attack visitors, Javascript has been involved in every single case. It might not necessarily be a JS-based exploit, but JS is used to load the actual exploit into the page.
But, I'm really not a domain expert on this. I follow things like Sucuri's blog and get maybe a few calls a year from someone with a compromised website, so it's possible that there's a more common attack method that I don't know about.
Yeah, I'd love to love and recommend NoScript, but I just can't. JS is becoming too integral to too many websites these days, for everything from navigation to contact forms, and it looks like that's going to be the trend forever at this point.
FWIW, I don't think a single one of our clients uses NoScript, so good browser + AB+ + good antivirus software seems to be doing the trick so far.
I tried to leave NoScript a month ago but there are too many asshole website developers out there. But your recommendation is a good one, as I've heard nothing but good things about Ghostery.
> Just last week we had to do a manual cleanup of infected register systems for a local business
> every single virus cleanup that we do
I really hope that when you say "cleanup" you mean "wipe and re-install; and then carefully restore data from backups after really carefully scanning it with multiple anti-malware software."
> Finally, the best place right now to stop malware, in our opinion, is still the browser. Chrome + AdBlock Plus by itself typically prevents repeat malware cleanups.
You mean this is an effective small prong in a many pronged defence, right?
Here's a somewhat more polite response than your comment deserved:
No, when I said "cleanup", I meant, "cleanup".
When a client -- whether individual or business -- gets infected, what they want is their computer back to exactly the way it was before the infection, with as little hassle as possible, preferably without a lot of expense.
They often do not have all of the installation media for every program on their computer, even the ones that they rely on. They often do not have the registration information for software that we could legitimately download for them, even though they have a fully legitimate copy.
If they are a new client for us, they probably do not have any backup system at all. If they do have a backup system, there are 50-50 odds that it isn't working and they don't know it.
Nor do they typically want to have us over multiple times to deal with one configuration issue after another. People are surprisingly sensitive to their computer setups.
Nor do they know (or have) all of their passwords for everything. Reinstalling Microsoft Outlook from scratch, for example, and restoring their Outlook data file, will still make Outlook require their email account password again.
We do an extensive series of automated offline scans of the hard drive after storing a backup of it, and then we proceed with manual troubleshooting from there. We examine key areas of the Windows registry for any signs of infection; we use other trusted tools to check running processes; we check for unexplained network activity; we check for modified files; we check for overall system performance. We look into what type of malware was on the system and whether the client might need to change their credit card, banking, or account information anywhere. The system doesn't leave the shop until we are confident that it is clean. After that, we become proactive: we explain the importance of backups, good antivirus software, and a good web browser with AB+. Almost every system leaves the shop with our recommendations in place.
In the four years that I've owned this business, working with clients in three counties, I have had exactly three incidences of reinfection. Since we work hard to develop long-term relationships with our clients, I have reason to believe that our approach works. Two of the cases were caused by Avira, a product we had previously recommended, repeatedly failing to update, combined with insistence on the client's end with using Internet Explorer. In the third, most recent case, it was likely caused by an employee of the client's doing something they shouldn't have, and since they are a brand new client, we've not yet been able to work with them to disable web browsing on the registers and set up a dedicated web station.
I am fully aware of the theoretical risks of choosing anything other than a wipe and reinstall. I am constantly re-evaluating our approach, and there will probably be a day when I will reluctantly tell people that we really have no choice other than to start them over from scratch.
But that hasn't happened yet, and when it does happen, I will have to tell people that all of their Word, Excel, and PDF documents are lost too, because those documents may themselves be infected and we won't be able to guarantee that antivirus software will catch it.
I'd be willing to bet that we'll see more advanced ransomware before we'll see that, though.
Our job is to be a powerful buffer between people who just want to get on with their lives, and the various headaches associated with technology. If we accept an infected system from someone and hand it back to them with a fresh copy of Windows and nothing more to go with it than a shrug, then we are not doing our job. Likewise, if we hand a system back to someone with a password-stealing trojan still left on it which later compromises their E*Trade account, then we are not doing our job. I got started in this business partly because of the number of people I met who were utterly frustrated with the arrogance, self-righteousness, dispassion, and ultimate uselessness of other tech companies. I wanted to do something different: build a tech company that focused on people.
I doubt you noticed it yourself, since it's nothing out of the ordinary in a tech discussion, but your original comment is condescending in tone. Given that his entire business is built around providing customer service that uniquely avoids the kind of strict, condescending, and unsympathetic approach towards computer security your comment implies, I thought his reply was informative and appropriate rather than overly sensitive and defensive.
If anything, it really highlights the additional burdens of his approach and suggests that computer security as a service to consumers is about more than just security.
I just can't stop thinking about that analogy where a car buyer is forced into buying brakes just after he bought a brand new car, because said car doesn't ship with working ones. Antivirus feels the same for me: why would I want to buy an OS that is flawed and needs to be fixed by buying third-party products? Microsoft addressing that issue isn't something I perceive as great news, it's rather sad they shipped Windows so insecurely for such a long time.
Anti-viruses will always be necessary. There is money to be made in sending spam, running bot nets, and mining data. Regardless of what operating system you are running I'm sure there is someone out there who could find a vulnerability if he or she was motivated enough. Is this more of a PR move? Whenever you talk to Mac users they seem to flaunt the fact that they are virus free, or is it that no one bothers since so few people have Macs compared to PCs?
Anti-virus software is not necessary. It's a side effect of poor system configuration, slow release cycles for patched software and to a lesser extent, poorly designed software.
If a severe vulnerability is discovered, open source communities race to distribute a new version of the software (faster than anti-virus vendors can respond). Package management allows patches for _all_ software to be rolled out quickly and securely. A turnaround time exceeding 2 hours from knowledge of a critical vulnerability to patched software being distributed to 1,000,000's of computers would be considered slow. The concept of executing files downloaded from Internet sites, provided on removable media or sent via email is completely foreign.
Proprietary vendors tend to follow the processes defined in their ISO 9001 compliant Quality Management System. They wait for the next weekly "Urgent" Security Working Group Meeting so that a proposal to develop a Software Change Request can be agreed upon. ... blah blah... 2 months later you _may_ have updated software that users won't know about because they don't check the sites of the 100's of applications on their computers on a daily schedule.
Microsoft _could_ do more, particularly with respect to system-wide package management. However, _proprietary software vendors_ are the primary culprits. Microsoft can't help Windows users if software vendors refuse to respond to security vulnerabilities quickly or fail to design their software with consideration towards security.
I wish I saved the reference, but I read an interview recently where the founder/CEO of a prominent anti-virus vendor stated bluntly that the only reason the business exists is because of a failure to address {a list of well known and ignored problems including some I mentioned above}. Marcus Ranum ("inventor of the firewall")[1], Linus Torvalds[2] and many other well known and greatly respected researchers/practitioners have views on the computer security industry that may appear surprising. These people have significant influence, decades of experience and the respect to back it up. The comments they have towards the industry, including anti-virus vendors, are often quite negative (while remaining constructive). There is a reason founders of anti-virus companies can make discouraging remarks about the need for their company to exist -- they know from vast experience that software vendors won't be listening.
> It's a side effect of poor system configuration, slow release cycles for patched software and to a lesser extent, poorly designed software.
Don't forget stupid and naïve users - those who know that the dodgy crack / serial website is going to have infected files, or those who don't realise that cute cursors come with malware.
And, to be fair, it's not just MS that has these problems. BSD makes things a bit less scary for Mac users, but there's still the problem of people running as a high level user and entering their password whenever they're asked, without necessarily thinking about it.