Security Software: Protection or Extortion?
As the Conficker worm sprang to life on April 1, talk here at the PC World offices turned to some interesting debates about how best to protect PCs from malware threats. In recent weeks we've run several helpful articles offering tips, tricks, and insights to keep you and your PC safe from Conficker and other malware on the Internet. At the same time, a few among us have revealed that they don't run any security software at all on their own machines--and have no intention of starting now.
Shocking as it may sound, there are plenty of experienced, knowledgeable technophiles out there who laugh in the face of danger as they traipse unprotected through the wilds of the online world. Among them is our own Hassle-Free PC blogger Rick Broida, who prefers what he deems the relatively minor threat of malware to the annoyance of intrusive, nagging security apps.
Is he insane? Naïve? To find out, we gave Rick a podium to speak on behalf of those who shrug off the safety of antimalware suites, and to defend his point of view in a debate with security correspondent Robert Vamosi, who regularly reports on malware and other security threats for PC World's Business Center. Who's right? Who's nuts? You be the judge. Share your view in our comments section.
First up, Rick Broida argues that, weighed against the threat of malware, security suites are an unnecessary nuisance.
Rick Broida: We Don't Need No Stinking Security Software
Security software is a scam. A rip-off. A waste of money, a pain in the neck, and a surefire way to bring even the speediest PC to a crawl. Half the time it seems to cause more problems than it solves. Oh, and one more thing: It's unnecessary.
Heresy? Crazy talk? Recipe for disaster? No, no, and no. For the past several years, I've run Windows (first XP, and now Vista) without a single byte of third-party security software. No ZoneAlarm. No Norton Internet Security. No Spyware Doctor. Not even freebie favorite Avast Home Edition. I use nothing but the tools built into Windows and a few tricks I've learned.
Want to know how much time I've spent cleaning up after viruses, spyware, rootkits, Trojan horses, keyloggers, and other security breaches? None. I'll say that again: none.
Maybe I'm asking for trouble (that sound you hear is fellow PC World columnist Rob Vamosi nodding furiously), but after years of infection-free computing, I have no qualms about my methods. Your mileage may vary, and I make no guarantees. But if you want to rid your system of pricey, performance-choking security software, read on.
My first line of defense is my router. Like most, it has a built-in firewall that blocks all unauthorized traffic and makes my network more or less invisible to the outside world. The second line of defense is Windows. XP, Vista, and 7 have built-in firewalls that help protect against "inside" attacks, such as if a friend were to come over with his spyware-infected laptop and connect to my network.
Of course, a router can't stop viruses, phishing, and other threats that arrive via e-mail. My secret weapon: Gmail. As I noted in "Use Gmail to Fight Spam," I route mail from my personal domain to my Gmail account. (From there, I can access messages on the Web or pull them down via Outlook.) Gmail does a phenomenal job filtering spam--much of which is malware. The service also performs a virus scan on all attachments.
By using Gmail as an intermediary between my POP3 server and my PC, I've kept not only spam at bay, but malware as well. I don't know whether Windows Live Mail and Yahoo Mail offer similar amenities, but for me Gmail is a slam-dunk solution. Even phishing messages are few and far between. Of course, as an educated user, I know better than to click a link in a message filled with scary come-ons ("Your account has been compromised!").
Speaking of phishing, the latest versions of Firefox and Internet Explorer offer robust antiphishing tools. Both will sound the alarm if I attempt to visit sites known to be fraudulent, meaning that even if I click something that looks like, say, a totally legit PayPal or eBay link, I'll get fair warning. And that's just the tip of the safe-browser iceberg: Firefox and IE are way more secure than in the old days. They block pop-ups, provide Web site ID checks, protect against malware installation, and so on.
As for other threats, I'm comfortable leaving my PC in the capable hands of Windows Defender. Microsoft's antispyware tool runs quietly and efficiently in the background. I "check in" once in a while to make sure it's active and up-to-date, but otherwise I never hear a peep from it.
Of course, that could mean bad stuff is slipping past Defender, right? Sure, it's possible. That's why I occasionally run a system scan using Ad-Aware or Malwarebytes Anti-Malware. (I'm not completely insane, after all.) So far, so good: The scans always come up empty.
Last but not least, I exercise common sense. I don't open e-mail attachments from people I don't know. I don't download files from disreputable or unknown sources. I don't visit Web sites that peddle gambling, porn, torrents, or "warez." (Yeah, I know, I'm boring.) In other words, I keep my Internet nose clean, which in turn keeps my PC clean.
At the same time, I make sure that automatic updates are turned on for Windows, my Web browsers, and any other software that gets patched regularly. And, perhaps most important of all, I rely on multiple backup methods just in case my system really is compromised somehow. For example, my Firefox bookmarks are all synced to the Web via Xmarks (formerly Foxmarks). I use the online-backup service Mozy to archive my critical documents and Outlook PST file. And drive-cloning utility Casper makes a weekly copy of my entire hard drive to a second drive.
Ladies and gentlemen of the security-software jury, I rest my case. My only real evidence is Exhibit A: me. After several years with XP and about six months with Vista, I'm still cruising along without a security care in the world. So, are you going to lock me up or accept me as your new messiah? Either way, I'm good.
Next up, security correspondent Robert Vamosi argues the opposing view.
Now that Rick Broida has stated his case, it's time for our security advocate to weigh in. Is Rick correct to say that security apps are just a waste of time, money, and system resources? What say you, Robert?
Robert Vamosi: Why Security Software Makes Sense Today
I understand the motivations of people--like my PC World colleague Rick Broida--who say you don't need to spend money on computer security. If you have the time and knowledge to lock down your PC, then you are certainly welcome to fly in the face of the billion-dollar security software industry. But as a security reporter for the last ten years, I've seen some really scary stuff in the wild, enough to convince me that a nominal investment of $50 a year or so for a decent Internet security suite is well worth it. Besides, I don't have the spare time to be clever about my PC: I just set it and forget it.
I agree that good behavior online goes a long way toward avoiding a significant share of the malware lurking out there. If you never stray from "safe" e-commerce sites, and if you never download porn, grab free games, or gamble online, then your chances of acquiring malware are considerably lower. But recently even legit sites have been festooned with hidden iframes, each silently directing your browser to download content from who knows where.
Unfortunately, even the latest Web browsers can't detect compromised sites within the first few minutes after the attack hits. Although browsers have made tremendous strides in malware protection, in tests that I've done with Internet Explorer and Firefox, I've seen a latency of up to 1 hour before they'll report a newly compromised site as bad. Without active heuristics from a security software product, how would you know whether your favorite travel site has fallen victim within the last 10 minutes?
Rick is right to say that a network router can block a good amount of malware, and that Windows XP SP2, Vista, and 7 all have built-in firewalls for blocking inbound traffic. But the Windows Firewall is not a good defense against rogue outbound traffic. Despite what Microsoft claims, its firewalls are not true two-way firewalls; they still leave outbound ports open. Why? Microsoft Office software (Word, Excel, Access) communicates with various servers such as the SharePoint Server, so by default Microsoft makes that process easy--even if you don't run SharePoint at home. As a result, what Microsoft actually says is that its outbound firewall permissions remain open "except where excepted." Sure, I suppose I could sit down and configure my own firewall rules to block this and that; but then again, I could simply download and use the free versions of ZoneAlarm and Comodo (both of which block unusual in and out traffic) and be done with it.
I see some flaws in the claim that a router, the Windows Firewall, and a Web browser are enough to protect you. Say, for example, that some rogue software gets in through a compromised Web page on port 80. Once installed, the rogue malware then looks for a way back out of the infected PC. Every time any application tries to open a new Generic Host Server connection, my ZoneAlarm flags me and gives me the option to shut it down. Not all Svchost.exe connections are bad, mind you, but if I'm not opening new applications and ZoneAlarm prompts me out of the blue, then I'm right to be suspicious.
I have no problem with Windows Defender, but what's defined as spyware is elusive; no two companies agree. That's why it's good to have more than one opinion. Installing a non-Microsoft security product, say, the free AVG software, as a companion is a much safer choice. And, seriously, is it wise to entrust your computer's security to the one company that wrote its operating system and most of the programs that OS uses? When it comes to computer security, diversity is usually better.
As for performance, almost all security vendors are working hard to reduce the resource drains of yesterday. For example, both McAfee's utilities and Symantec's Norton products, once seriously bloated and slow, have slimmed down and sped up dramatically. Even free tools are faster today, and almost all of them now allow you to reschedule intensive scans to run in the background or overnight.
I've never had a virus (or any kind of malware) infect my computers, and thanks to a small investment of time and money, I probably never will.