How Microsoft can stop viruses forever.
By
Staten Island, NY Posted: 9/17/2014 1:00:00 AM
Every computer I've been asked to clean up has one of the mainstream Anti-Viruses installed. It doesn't seem to matter if it's McAfee, Norton, Kaspersky, AVG, Avast, Microsoft, MalwareBytes, or anything else. People still get viruses, regardless of the brand of Anti-Virus they use.
What bothers me most is that there are some very easy things Microsoft can do to virtually eliminate the need for an Anti-Virus.
Time and time again, Microsoft has used the wrong strategy to combat the threats. Here's what they need to do:
1. Follow Apple's lead by preventing programs from being installed by untrusted publishers by default.
Apple completely controls 100% of the programs that could be installed on iPhones and iPads. Simply stated, unless a program is installed from the App Store, which reviews every program before it is published, it can't be installed.
They don't offer any other method to install programs specifically so they can ensure they are all from a trusted source. This is why there is no need for an Anti-Virus on an iPad or iPhone.
Apple eventually brought that idea to the Mac, and as of today, the default setting on every Mac sold will only allow you to install software from the Mac / OS X App Store, or a trusted source. This means, unless you change this setting, you will not be able to install a program from an untrusted source. Bravo Apple.
Microsoft has dabbled with this feature by creating a Windows 8 App Store, but it does not block you from running or installing untrusted software by default, and it clearly has no benefit for Windows 7, which is far more popular than Windows 8.x.
I admit this is a much bigger hurdle for Microsoft, because a lot of large companies have custom software from independent or in-house developers. Still, for the average consumer PC user, who rarely needs to install new software, blocking untrusted publishers by default is essential.
In cases where an untrusted publisher or program is installed, that program should be forced to run in a "Sandbox", where it is specifically restricted to reading and writing to a pre-designated set of folders.
This means, whenever a new or untrusted program is run, the user should be given an option in the control panel to specifically designate which folders it can read or write to. No exceptions. If the user does not give it access to a folder, the program shouldn't even know it exists.
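An added sketch of the per-folder grant check described in item 1 (not code from the original post or from Microsoft). The program name, folders and `GRANTS` table are constructed for illustration, and the check is lexical only: a real sandbox would enforce it inside the operating system and resolve links before comparing.

```python
import ntpath  # Windows path rules; importable on any OS

# Constructed policy: folders the user granted to each untrusted program.
GRANTS = {
    "photoedit.exe": {
        r"C:\Users\kid\Pictures": {"read", "write"},
        r"C:\Users\kid\Downloads": {"read"},
    },
}


def canonical(path):
    """Collapse '..' and '.', unify slashes, fold case (lexical only)."""
    return ntpath.normcase(ntpath.normpath(path))


def is_allowed(program, path, mode, grants=GRANTS):
    """Return True only if `path` lies inside a folder granted for `mode`."""
    if not ntpath.isabs(path):
        return False  # relative paths depend on the working directory: deny
    target = canonical(path)
    for folder, modes in grants.get(program.lower(), {}).items():
        root = canonical(folder).rstrip("\\")
        # Compare whole components so "Pictures2" never matches "Pictures".
        inside = target == root or target.startswith(root + "\\")
        if inside and mode in modes:
            return True
    return False  # default deny: unknown program, folder, or mode


if __name__ == "__main__":
    # Constructed requests from the sandboxed program.
    requests = [
        (r"C:\Users\kid\Pictures\cat.jpg", "write"),
        (r"C:\Users\kid\Pictures\..\Documents\tax.pdf", "read"),
        (r"C:\Users\kid\Pictures2\cat.jpg", "read"),
        (r"C:\Users\kid\Downloads\setup.exe", "write"),
    ]
    for path, mode in requests:
        verdict = "ALLOW" if is_allowed("photoedit.exe", path, mode) else "DENY"
        print(f"{verdict:5} {mode:5} {path}")
```

Only the first request is allowed; the `..` escape, the look-alike sibling folder and the write to a read-only grant are all denied.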
2. Isolate the browser from the operating system.
This is so fundamentally easy to implement, it's hard to believe it's not done. When somebody browses the Internet, there is no reason for any website or email program to have access to the operating system.
This means that if a user visits an unsafe web page, there is no reason to allow any scripts on that page the ability to alter the browser, or any part of the operating system.
In cases where the user downloads a program from an untrusted source (a publisher that Microsoft has not screened), that program should be restricted to running in the "Sandbox" mode in #1.
3. Add Real Parental controls that block users from installing ANYTHING or changing settings.
As a parent or manager, sometimes you just want to configure a computer with whatever programs you think your children or employees need to run, and you simply don't want them to be able to install new software or change any settings.
Although there are parental controls, they don't have an option to fully block a child from installing programs or changing settings. Large companies with IT departments have options to set limits on settings and programs, but most smaller companies don't have any options to set limits.
4. Windows needs a true UNDO feature.
Let's say you've downloaded a really bad virus, and it starts to trash your system... potentially altering thousands of files. Microsoft does have an option to restore your registry to an earlier date, but it won't undo all the other changes and installed programs. Since storage is now quite abundant, creating multiple restore points will give people the ability to roll back to the last safe state.
If nothing else, creating an undo option for critical system files and the program directory will at least remove the virus itself.
5. Stop being a jerk when it comes to XP.
The fact is nearly a third of all computers in the world still run XP. Far more people run XP than the newest version of Windows (8.x).
Like it or not, that's a massive number of vulnerable computers to completely ignore. Even before the official termination of support, Microsoft has been grossly negligent in their support for XP. XP users are stuck with Internet Explorer 8, and cannot install any newer, more secure (Microsoft) browsers. In my opinion, besides the security issues, this was a terrible business decision, because it led to Chrome and Firefox taking the majority of today's browser installations... which is a cash cow for Google, who makes money whenever you search using those browsers.
This isn't an "I love XP" rant. I know it's a 12-year-old operating system, and that people have had a lot of time to get new computers, but the fact remains, as long as those computers are still operational, they are not only vulnerable... but they can be a potential threat to other computers if their outdated Internet Explorer 8 and Windows Security Essentials are breached and they begin to trash all the files on any shared network drives.
I never use an anti-virus
I've had a computer since the late 70s, and one of the most common questions people often ask me is "What Anti-Virus do you use?".
Then they ask... How can that be? Doesn't everyone use an Anti-Virus? How could you survive over 30 years without ever using an Anti-Virus?
The quick answer is that I take steps to minimize the risk based on some of the suggestions above.
How I avoid viruses without waiting for Microsoft to take action
I use a Mac, which already has features in place to prevent people from running or installing software from an untrusted source; however, I also run Windows... except I run a "Virtual PC", instead of a physical one.
A Virtual PC is a way to run an entirely independent operating system, either inside a window or full screen, on another monitor or on a screen that you switch to with a hotkey or swipe of the mouse.
If you are unfamiliar with Virtual PCs, you're missing one of the best tools in the world to let you surf the Internet safely and test untrusted software without fear. The best thing is once you have this Virtual PC file, you can run it like a regular PC and when you're done, you can decide whether to save everything you did that day. If you didn't have any problems, you save the changes... otherwise, you don't. Then it goes back to where it was the day before.... no more virus.
Virtual PCs will be explored in more detail in a future Idea Of The Day post.
Joe Crescenzi, Founder
* Note: The ideas on "Idea of the Day" were posted without any formal research into existing inventions.
In some cases, patents may already exist for these ideas, in other cases, there may not be any existing patents and you are free to develop and explore the viability of developing and patenting the ideas.
The authors make no claim that any of the ideas are safe, practical, or suitable for any particular purpose. You are responsible for the results of trying, developing, patenting or using any of the ideas on this site.
For some people, our ideas are just an interesting read, but our goal is to encourage you to take action. If you see an idea that you like, do something with it... Take action.
- Joe