February 6, 2007 11:25 AM PST

Microsoft's own antivirus fails to secure Vista

Microsoft's own antivirus software, Live OneCare, is unable to fully protect Vista users against viruses, and one of security firm McAfee's antivirus software packages also fails to protect users, according to independent research released Friday.

Security news site Virus Bulletin, backed by a team of security researchers based in Oxfordshire, U.K., tested 15 antivirus software packages used by businesses and designed specifically for Vista, Microsoft's newest operating system. The packages were released to businesses two months ago.

The researchers tested whether each of the antivirus products would stop a set of viruses known to be currently circulating. In order to be awarded a pass, the software had to detect all the viruses with no false positives.

But out of the 15, four failed: Microsoft Live OneCare 1.5; McAfee VirusScan Enterprise version 8.1i; G DATA AntiVirusKit 2007 v17.0.6353; and Norman VirusControl v5.90. The other 11, including software from CA, Fortinet, F-Secure, Kaspersky, Sophos and Symantec, detected all the viruses.

"With the number of delays that we've seen in Vista's release, there's no excuse for security vendors not to have got their products right by now," said John Hawes, technical consultant at Virus Bulletin. "In these days of hourly updates, it's always a surprise and a disappointment to see major products missing them (viruses). Vista cannot fend off today's malware without help from security products. It certainly looks like people upgrading to the new platform are going to need additional security solutions."

Joe Telafici, vice president of operations for McAfee's Avert Labs, told ZDNet UK that, in his opinion, Virus Bulletin had not used its latest antivirus updates, causing the failure. He said McAfee would issue further results with the updated software.

Microsoft pledged to improve Live OneCare. "We are looking closely at the methodology and results of the test to ensure that Windows Live OneCare performs better in future tests and, most importantly, as part of our ongoing work to continually enhance Windows Live OneCare," a company representative told ZDNet UK.

On the subject of Vista, the Microsoft representative added: "It's important to remember that no software is 100 percent secure. Microsoft is working to keep the number of security vulnerabilities that ship in our products to a minimum, through our Security Development Lifecycle process, and that work is paying off. The release of Windows Vista is the first Microsoft operating system to use the Security Development Lifecycle from start to finish and was tested more, prior to shipping, than any previous version of Windows."

Richard Thurston of ZDNet UK reported from London.

See more CNET content tagged:
McAfee Inc., antivirus, antivirus software, Microsoft Windows Vista, Microsoft Windows Live

65 comments

Join the conversation!
Add your comment
An additional question
would be the effect of the virus given UAC. I have yet to see a piece of malware or a virus do much to a properly locked down XP machine.
How did UAC do?
Posted by catch23 (436 comments )
Reply Link Flag
re
Too bad neither XP or Vista is locked-down by default, and no help is given to its mass of ignorant users.
Posted by qwerty75 (1164 comments )
Link Flag
chalk up one for ms(omg i dont believe i said that..)
at least there admitting their product is flawed, unlike mcafee which is just making excuses, then its going to make its own test, which will of course have ten minute fixes for those problems, in my belief i trust the first person not the person who the company who has had time to fix it to fix the tests themselves
Posted by Nocturnex (163 comments )
Reply Link Flag
Are You Kidding Me?
Does admitting your product is inferior make the product better? Who cares if they are admitting it has problems. If only you had a clue with the real count of vulnerabilities that Microsoft knows about and isn't talking about!
Posted by RA_REBORN (17 comments )
Link Flag
How did they test?
Just wondering what the machine and user configuration were as well as how many warning messages needed to be ignored for the malware to be considered a success.

I'm not $175 interested, but there's nothing like having someone else read the VB story and make my conclusions for me.
Posted by webdev511 (254 comments )
Reply Link Flag
I Dare You...
to take on Vista as far as security is concerned...Citizen Gates 2007 C|NET.

Today: Oh, by the way, no OS is free from virus attacks, but Vista is trying to keep it to a minimum...really.

Bill is going to regret that "DARE YOU" statement to any virus software writers for a long time.

"idiot"!
Posted by Llib Setag (951 comments )
Reply Link Flag
hehe
Yeah, I was kind of thinking the same thing about that comment
about Vista's security versus Mac OS X... oh my
Posted by jelloburn (252 comments )
Link Flag
I have yet to see virus package that can
secure and OS. New viruses etc come out on a regular basis and there is a turn around time for AV companies to produce signatures and release an update. No AV software is going to protect the user from themselves if they fail to apply manufacturer patches and insist on visiting shady sites, open attachments, and running software from untrusted sites.
Posted by unknown unknown (1951 comments )
Reply Link Flag
Many OSes don't even NEED an A/V package.
... just Windows.

/P
Posted by Penguinisto (5042 comments )
Link Flag
Precisely
That is why OSes should all be secure from their inception. Solaris 10 is the prime example of this thinking!
Posted by RA_REBORN (17 comments )
Link Flag
Does this surprise anyone?
IMO, if Microsoft knew how to secure Windows users wouldn't need OneCare.

But since we do need antivirus, it makes since to get it from someone other than MS.
Posted by rcrusoe (1305 comments )
Reply Link Flag
Hell no, fully expected
The Microsoft Malicious Software Tool is a piece of crap, and I expected no better from Vista.

Just further proof that all of the hot air about security improvements in Vista are nothing more than hot air.
Posted by Hardrada (359 comments )
Link Flag
...and this is why Windows is inferior.
Seriously - where did that MS fan/astroturfer go that said s/he
only needed Windows' A/V and nothing else? Guess one brand
won't do it anymore... so what is that, TWO A/V products now as
a standard just to keep the OS from getting owned? ;)

Seriously - there is no such thing as perfect software... but there
is a such thing as decent architecture and decent security
practice. Windows has neither, as is demonstrated by this very
article (seriously... known circulating viruses... for Vista. Go
Figure).

/P
Posted by Penguinisto (5042 comments )
Reply Link Flag
I expected more from you
I thought as a Linux advocate, you'd speak honestly about Linux's issues in addition to Windows and Macintosh, but you didn't say anything at all. Very conveeeeeenient to ignore that OS's issues, isn't it?

What's wrong, penguin got your tongue? :)
Posted by Vegaman_Dan (6683 comments )
Link Flag
I expected more from you
I thought as a Linux advocate, you'd speak honestly about Linux's issues in addition to Windows and Macintosh, but you didn't say anything at all. Very conveeeeeenient to ignore that OS's issues, isn't it?

What's wrong, penguin got your tongue? :)
Posted by Vegaman_Dan (6683 comments )
Link Flag
Good Comment/Insight
Thanks.
Posted by pmchefalo (135 comments )
Reply Link Flag
OneCare Has "Issues"
I use OneCare and wouldn't at this point recommend it to anyone else. I have had two incidents where it failed to detect obvious virii attached to emails. In the last case, it removed the attachment from the desktop after detachment and a full system scan, but didn't detect it when opening the email again, nor bay a manual scan of the attachment. Apparently it uses a "just in time" scanning philosophy that relies on detection when opening the actual executable. Not as secure as other vendor's approaches.
Posted by pmchefalo (135 comments )
Reply Link Flag
If you want to run a Microsoft OS....
Your best bet is to dual boot off of two separate hard drives, with two different versions of Windows.

Boot off of the second version to scan the first, boot off of the first to scan the second. It might help to put the second on removable media, and only have it on the computer when you are scanning or updating the definitions.

Good luck and have fun.
Posted by ralfthedog (1589 comments )
Reply Link Flag
Yep more negative MS articles
WoW on the list of 9 recent stores on CNET 2 are anti-microsoft articles... CNET you really need to just stick with linux and your 30 year old DOS like command prompt.
Posted by agentbb007 (41 comments )
Reply Link Flag
Do you think....
Maybe there is a reason for all the recent negative publicity? I sure think there is!
Posted by ddesy (4336 comments )
Link Flag
This is journalism
This isn't anti-Microsoft. They posted someone else's interesting findings, explained what test MS failed, and then let MS comment on it.

MS doesnt' have a perfect antivirus solution on its most secure OS ever? That's news for everyone.
Posted by solomonrex (112 comments )
Link Flag
Anti-Microsoft or objective stories?
Looking at what Microsoft has delivered recently, what positive articles would you suggest?
Posted by aabcdefghij987654321 (1721 comments )
Link Flag
why
Why would you use 8.1i, 8.5i is both designed for Vista/XP and is the newest release. At least that is what my School's IT department tells me as they hand it out for free to all students. CNET I think you screwed the pooch on this test
Posted by Icaarus (19 comments )
Reply Link Flag
Explain me like I'm a 2 yr old
I just wanted to know somethings very basic - a virus is some piece of malicious code that takes advantage of flaws in the OS to perform unintended tasks (at the very basic at least). So if MS went ahead and redid their OS aren't they supposed to have fixed the flaws in the OS in the first place - in that case how do viruses written for XP or any previous version work on Vista?
As is evident I'm not an IT person and dont know or dont care to know about the internals of a PC - all I want it to do is work - if MS sells me a defective product (Vista + Live One Care)- looks like it is cause they told me its secure and it does not work - am I not being cheating of my money? How does MS get away with it?
Posted by rkpodila (6 comments )
Reply Link Flag
Yeah, EXACTLY
I am in IT and I've wondered the same thing for years. Imagine how much economic damage the 100,000 known Windows viruses have done over the years. It's one thing to blame hackers, but when the OS is so insecure that a high school student can write a virus that takes down millions of computers worldwide, it's obvious that the OS has glaring defects. I still can't believe Microsoft is still in business.
Posted by HandGlad2 (91 comments )
Link Flag
I'll give it a shot
Actually a virus does not take advantage of flaws in the OS to perform unintended tasks.

True, it can get onto the computer via a flaw in the OS, however it can also come through email as an attachment, or a flaw in a 3rd party application, etc.

Once a virus gets onto a computer it's just like any other application. It can write and read files, open sockets, etc. No need to take advantage of any flaws!

A virus written for XP may work on vista because, remember, it's just like any other application and only constrained by the permissions under which it runs (this is where UAC of vista can help. Hopefully most linux users are not running as root...).

The trick is to prevent the virus from getting onto the computer in the place.
Posted by fweewoger (3 comments )
Link Flag
Explanation
Windows Vista was based on XP code. XP was based on Windows 2000 code. Windows 2000 was based on NT 4.0 code. Windows ME was based on a night of doing LSD while watching Beavis and Butthead cartoons...
Posted by thedreaming (573 comments )
Link Flag
2 yr old explanation
They have more money than you
Posted by NurdwithaT (1 comment )
Link Flag
And, Still, They Don't Know Sh*t!
Did anyone else find these contradictory statements to be hilarious:

1) "The release of Windows Vista is the first Microsoft operating system to use the Security Development Lifecycle from start to finish and was tested more, prior to shipping, than any previous version of Windows."

2) "But out of the 15, four failed: Microsoft Live OneCare 1.5..."

Kinda reminds me of the saying: "I work and I work and I teach you all I know. And still, you don't know sh*t!"

My XP Pro is working as well as can be expected from MS. I do believe I'll wait a while before shooting myself in the other foot with Vista...
Posted by drdoolittle2800 (17 comments )
Reply Link Flag
Wow. You don't even make sense to yourself
Did you notice that point 1 doesn't have anything to do with point 2?

Point 1 was for Windows Vista.

Point 2 was for Microsoft's Live OneCare.

Just to let you know- those are two different products. You don't get Microsoft's Lieve OneCare with Vista. It's a separate product.

While you're shooting your own feet, you may want to keep that gun away from your mouth as well. :)
Posted by Vegaman_Dan (6683 comments )
Link Flag
Writing on the wall...
Somebody needs to teach Microsoft how to read walls... (* GRIN *)

This has been a known for quite some time now... Microsoft has just proved it!!!

Will they ever learn? I doubt it... they've had eons to correct their problems but have done very little to correct their problems.

They've spent a lot of time and money saying they're going to correct them... but that's still the same Microsoft rhetoric they always give... they're looking into it... they're strengthening their security...

Bottom Line: Microsoft CANNOT BE TRUSTED. They've lied one-hundred too many times.

Walt
Posted by wbenton (522 comments )
Reply Link Flag
All too true. God produced MAN 1.0 (with known defects)
We certainly can't trust any company that releases a product that isn't 100% perfect.

Let's look at a list some of the affected producers:

Microsoft
Sun
Adobe
Apple
Cisco
Red Hat
SGI
ABC
CNN
NBC
CBS
3com
Palm
General Motors
Ford
Chrysler
Your parents

And the top it all off- GOD

That's right, the world isn't perfect. We should trust nobody at all. The planet itself is not perfect and we've known that since the first man started walking upright. We should have never trusted anyone at any time.

But in the real world, you make the best of the situation, try to fix problems as they come up and avoid future ones. Will you be 100% successful? Of course not, but you do try your best.
Posted by Vegaman_Dan (6683 comments )
Link Flag
VISTAPOCALYPSE - It's Upon Us Now
MS' pathetic AV toy is no match against the legions of determined crackers that are writing exploit code around the clock to rip Vista from end to end.

MS' first AV product died an abysmal death years ago and OneCare is destined to arrive in the same morgue sometime real soon.
Posted by Sumatra-Bosch (526 comments )
Reply Link Flag
Honestly Speaking
I am new to the IT field. I am currently in college so...Im not trying to step on anyones toes. You all make good points. I learn a lot by reading here... yet I rarely speak.

However, the bottom line is this guys....

We all know that upon the new release of anything that there will be bugs and things that need to be fixed...no product is ever developed perfectly 1 shot one kill. Im not the smartest man on earth but I knew that if I chose to upgrade to Vista early there would be moans, groans, hiccups and cost concerns. So I chose to wait.

XP has been fixed up pretty nicely over the last few yrs, Vista will be as well.

The goal should not be to bash this early in the vista game, better yet, report the deficiencies to Microsoft and give them time to react and adjust.

Malicious code is as variable as binary.... and binary can be pretty darn infinite dont you think... there are too many ways, too many variables for microsoft to be able to shut down all attacks with one shot.

With Microsofts products having such high exposure it will take time...and minds like yours weighing in ...to make it happen.

Good thing is that we are all smart and can use any of the various linux or Mac Os's to keep us happy in the interim.

If Microsoft charged less for their product debuts and raised the price as it were refined... they wouldnt catch so much "street heat".

Im just Keypinitreel.
Posted by Keypinitreel1 (302 comments )
Link Flag
inregards to liveone not being "Vista sound"
Yes... That is too ironic to not be funny.

Common Sense 101.

"Make sure your own products are mutually compatible before putting them on the market."

Thats just Keypinitreel.

Peace fellas.
Posted by Keypinitreel1 (302 comments )
Reply Link Flag
Ok...
First off let me tell u something....VISTA IS BRAND NEW!!!!!!ok..so..let me think about something..do u really expect microshit to do something right..the first time..more or less the second...so..my advice..lay off of vista...it cannot be perfect right out of the gate.. personally...i love it..i wont go back to xp...sure..its costly...but really is worth it....for some...others..maybe not...antivirus support is something that will come along later..i have experimented with a few...Maffee 2007, will not run..however..the letest release of AVG free edition..works perfectly with vista www.free.grisoft.com, so..antivirus support is not something that will just poof come along..u have to wait on it...i have problems with photoshop cs2, i have problems with illustrator cs2, but u no what..thats y i am waiting on the new version..the vista compatable version..most software u r speaking of comes out before vista even came out before hints of vista came out..so how can companies be prepared????
Posted by finalfantesy2007 (1 comment )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.