Sophos: Windows 7 vulnerable to 8/10 viruses, FUD alert

FUD - Fear, uncertainty and doubt

Yesterday, a senior security advisor at Sophos, who is responsible for working with the security community and communicating information on security threats to IT professionals, posted an entry on his blog entitled "Windows 7 vulnerable to 8 out of 10 viruses". Given the bad publicity that surrounded the launch of Windows Vista, is this yet another failing on the part of Microsoft that will lead to poor adoption of the Windows 7 platform? Fortunately for Microsoft, if you take the time to read the entry, it turns out that the tests are not nearly stringent enough to support a claim that many will interpret to mean Windows 7 is vulnerable to 80% of the infections in the wild.

The first known computer virus was created in the early 1970s, and since then literally millions more have been written, with more being created daily for various nefarious reasons. Sophos, in its test of Windows 7 security in late October, tested a clean install of the operating system against ten of these potential infections. Out of the ten, seven infected the machine successfully, with a further one being able to infect the machine once UAC was manually disabled. The viruses chosen for the test were picked from the top of the SophosLab feed, where researchers from around the globe work to identify known and emerging malware spreading across computer systems all over the world.

If the top ten items in the feed had been Mac viruses, which are unable to run on Windows, would their headline have been "Windows 7 invulnerable to viruses"? Somehow I think not. This is yet another case of a high-profile company publishing results without making it clear exactly what they represent. Many people who do not take the time to read the article would assume this means Windows 7 has an 80% chance of becoming infected, when in reality this is only true if the only ten viruses in the world were the ones with which Sophos conducted the tests. At the end of the day, the only way to truly know the risk of infection of running a Windows 7 machine is to conduct this test with a far larger (and statistically sound) number of viruses, randomly chosen from a pool of all the viruses currently in the wild, as any high school maths student who has studied statistics will tell you.

Windows 7 is not perfect by any means (if it were, anti-virus companies would go out of business), but it is a highly secure operating system. As long as UAC is enabled, the system is kept patched, and safe computing is practised, the chance of getting infected is minimal. Running an anti-virus package will further decrease the likelihood, but as always, no system is 100% secure.
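The sample-size argument above can be made concrete. The following is an added example, not code from the article or from Sophos: it computes the 95% Wilson interval for "8 of 10", the sample count needed for a ±5% estimate, and how much a ten-sample result swings across repeated random draws. The 30% "true" infection rate in the simulation is a constructed value, and none of this corrects for samples that were not randomly chosen in the first place.

```python
import math
import random

Z95 = 1.96  # two-sided 95% normal quantile


def wilson_interval(successes, n, z=Z95):
    """Wilson score interval for a binomial proportion (behaves well for small n)."""
    if n <= 0 or not 0 <= successes <= n:
        raise ValueError("need n > 0 and 0 <= successes <= n")
    p = successes / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return max(0.0, centre - half), min(1.0, centre + half)


def sample_size(margin, p=0.5, z=Z95):
    """Random samples needed for a +/- margin estimate; p=0.5 is the worst case."""
    return math.ceil(z * z * p * (1 - p) / margin ** 2)


def estimate_spread(n, true_rate=0.30, trials=2000, seed=7):
    """Repeat an n-sample random test many times.

    Returns the (lowest, highest) infection rate any single test reported.
    true_rate is a constructed value for illustration, not a measurement.
    """
    rng = random.Random(seed)
    rates = [
        sum(rng.random() < true_rate for _ in range(n)) / n
        for _ in range(trials)
    ]
    return min(rates), max(rates)


if __name__ == "__main__":
    lo, hi = wilson_interval(8, 10)
    print(f"8 of 10 infections: 95% interval {lo:.0%} to {hi:.0%}")
    needed = sample_size(0.05)
    print(f"random samples for +/-5% at 95% confidence: {needed}")
    for n in (10, needed):
        lo, hi = estimate_spread(n)
        print(f"n={n}: single-test result ranged from {lo:.0%} to {hi:.0%}")
```
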


81 Comments


Anyway, the Windows 7 maintenance center recommends that users install AV software immediately after installation.

Regarding the UAC, it also has a preventive role against bad manipulations by beginners.

Does Sophos need this kind of testing to earn money?

What I do not understand is why this is on a frontpage "ad"? It is fairly clear the whole process used by Sophos is flawed and subjective, so why give it any importance? If there's people who in this day and age do not use antivirus software then it is their own fault for not preventing to get infected. What Sophos has proven here is that an antivirus is needed (and if it is Sophos better for them).

And the lame excuse of "I know how to browse and I never get infected" is flawed too: if you don't have an antivirus how the hell would you know if you're infected or not?

The only reason OSX is less flawed is because not sufficient viruses are written to attack that OS, if Apple would have the market share MS has this would be a different story.

Long story short: this article doesn't do anything but prove you need antivirus software, nothing else.

LoveThePenguin needs to get another job other than Microsoft Basher. Have fun with Linux while the rest of the world continues to use Windows... Waste your time bashing a solid OS that has given people all over the world jobs and careers. Just think how much Microsoft has helped the world career wise, and to make many tasks in life easier in general. Think of the Xbox, and what it brings to the living room. Think of what good Bill Gates charity does for children and countries around the world. If you think of all the Linux iterations there are, the scope of how they have changed the world isn't even a pimple on the ass of Microsoft. (sorry if I'm the first to point this out to you) GOOD DAY SIR!

Dave legg,
Why are you using terms, which quintessentially describe MS press releases, to distort the truth? Are you sore that windows 7 is seemingly just as infectable (yes, I just made that up) as every other version of windows?

I mean one of those viruses that didn't run only did so because of windows 7's own incompatibilities with previous incarnations, not because of increased security. Perhaps that's MS's new strategy; it's easier than fixing the thing I suppose lol.

If you want a system that is backwards compatible with old software then it will also be compatible with viruses. You can't have both...

Sophos are clever folk with the work that they do and I've been using it in a business capacity for years.

but this is yet another example of bull**it blog posts which serve no purpose.

1) A system without anti virus is not a normal setup, unless you are thick and deserve to be infected
2) malware by its nature needs to almost always be run by the user, it's the way they get people to run it that's the problem.
3) Are you seriously telling me XP fares better on the same test? no chance you install xp sp0 and see what happens?
4) 7 ships with the firewall on. So unless you are purposely running malware on your computer without anti virus installed then the risk isn't as big as they make out.

Maybe they should post, Mac OS still vulnerable if you don't patch or use av.

Aergan said,
Sophos wanting to shift some stock, eh?


They don't sell to home users so unlikely.
Doesn't mean I agree with the article though.

If one is serious about security, then run your browser in a sandbox. Even though Chrome and IE8 already sandbox, Firefox does not. Ever since I started to use Sandboxie no malware has been able to infiltrate my system. I even switched back to IE because I now feel secure, plus it just renders pages nicer than Firefox for me.

You can run Firefox in a pseudo-sandbox with psexec:
psexec.exe -dl "C:\Program Files\Mozilla firefox\firefox.exe"

I do this for all apps that don't need to run with admin access.

schwit said,
You can run Firefox in a pseudo-sandbox with psexec:
psexec.exe -dl "C:\Program Files\Mozilla firefox\firefox.exe"

I do this for all apps that don't need to run with admin access.

Great Tip schwit, You rock!

Okay I don't think anyone else has pointed out the BIGGEST FLAW in these tests....

Out of all of those "viruses" tested not all of them are viruses, in fact many are trojan horses which for those who don't know is something pretending to be something else and requires human action to actually work.

A virus on the other hand is something malicious that sits on the back of a file and without the user knowing is run as the file is legitimate just something else is attached to it.

The two worms (the only Viruses included in the test) - one failed... but anyway these are autorun worms (presumably from their names) - so again in Windows 7 the user must have accepted the autorun (as you do in Windows 7)... so it's closer to a Trojan Horse in its behaviour on Windows 7 (whereas in older versions of windows autorun acted regardless of user confirmation) - a worm is considered a higher threat than a Virus as it requires no human action... which is not true in this instance. I'm guessing they didn't go with a "WORM" headline as people don't understand the difference.

Conclusion - to Windows 7 none of these are viruses, hence no viruses succeeded.

Jugalator said,
Uh, it's not FUD if it's backed by facts? Or are they just speculating about things?


It's FUD because they don't state how they tested. They don't even say if the user was elevated to an admin or not.

Jugalator said,
Uh, it's not FUD if it's backed by facts? Or are they just speculating about things?

Any criticism of MS and its products is F.U.D didn't you know?

Seeing as a security firm can't use correct terminology and alters the test to seek an outcome, yes it's FUD. If they ran the latest 1000 security attacks on a NORMAL system with default settings and found 8/10 worked they might have an article.

What they did was more like an "install" of trojan horses.

I really don't understand why people don't just run as standard users. That eliminates 90% of virus infections. I really doubt there's much a bad pdf file can do to your computer when the only thing it can access is the local user folder. Same applies to almost anything else that even has the authority to execute code in the first place.

So basically as someone stated in the official thread on the topic, this means that 80% of computer users are morons.

LoveThePenguin said,
What a great idea. Blame and insult the users for the mistakes of the operating system. A winning strategy for sure...

'cos it's the operating system's fault that some website convinces the user they have spyware on their computer and need to download a fake AV package... course it's playing on potential holes in the OS that the users are bombarded with, but stupidity is the main vector here.

Isn't windows vulnerable to ALL *viruses* because it doesn't come with an AV, only Windows Defender that's antispyware-only? So, "duh!" to the article I guess. lol

Linux doesn't come with an antivirus, and nor does OS X and other operating systems, yet they don't get mass infections world wide. Antivirus software merely plugs a hole in a security deficient OS.

So? A virus is just a lump of code that does something malicious, and infects other files.

Windows retains compatibility for running code dating back a very long time. Why would these viruses suddenly not work?

MioTheGreat said,
Windows retains compatibility for running code dating back a very long time. Why would these viruses suddenly not work?

Actually one of those viruses didn't work for precisely the opposite reason. That is, due to incompatibilities with previous versions.

If these "viruses" are able to cause trouble without triggering UAC, then they obviously don't need admin/root privileges to run.
So tell me, if these were ported to other operating systems, wouldn't the Linux or Mac OS X system be "vulnerable" in the same way??

I mean, those operating systems would block any system-changing program (as does Vista/Win7), but would happily allow something run in just the user's local profile.
I guess virus protection isn't a big deal if you're running some tiny, minority OS like Linux or Mac OS X where no one bothers writing viruses.

GNU Linux has a majority share of the web server OS market, and 20% of the netbook market. Not exactly small. And OS X has over 10% in the US desktop market. Yet windows is the only one targeted? Sorry but the argument of security in obscurity has been proven false time and time again. Good luck next time

LoveThePenguin said,
GNU Linux has a majority share of the web server OS market, and 20% of the netbook market. Not exactly small. And OS X has over 10% in the US desktop market. Yet windows is the only one targeted? Sorry but the argument of security in obscurity has been proven false time and time again. Good luck next time :)

Mac OS X and Linux are still vulnerable to the rm -rf ~/* virus. So what?

I'm a bit taken aback that Neowin chooses to post this on the mainpage. The article is fine, but the title should be changed. The web page surfer flying through pages will see that title, and remember it. I'd change it for the sake of Microsoft's credibility.

That's the reason I included FUD in the title, the whole point of the article is to challenge the blog post by Sophos that used that title.

DaveLegg said,
That's the reason I included FUD in the title, the whole point of the article is to challenge the blog post by Sophos that used that title.

You're right.
Security companies, above many others, should be objective when publishing test results. Titles like this only mislead the user to think the OS will surely get infected.

DaveLegg said,
That's the reason I included FUD in the title, the whole point of the article is to challenge the blog post by Sophos that used that title.

I read the sophos article and I couldn't find any F.U.D. I mean we aren't talking about the blatant lies about Linux which MS frequently espouses. Now that is F.U.D.

Sophos would get much more credibility if they described the method of testing they employed to back up their statements, but they haven't because they know their points are flaky at best. I don't think anyone is surprised that a company providing anti virus products comes out saying people need anti virus products.

I think what Sophos is suggesting here is that Microsoft should include Security Essentials with Windows 7 ... Good suggestion Sophos, you get a gold star! What's that? You don't want that? Why not? Anti-what? But I thought security was important to you! OK, stop crying! Jeeeeez.... What a baby!

I think sophos is suggesting that if you do your banking with windows 7, you better be prepared to have your funds depleted at random, and your identity stolen.

Well I'm not going to bother to read the article, my thought here is that UAC will prevent infection outside of a user's specific account if used properly. Cleaning of the infection would be as simple as deleting the account and starting fresh. I don't consider that successful infection because the rest of the machine is still safe. This article is kind of like saying "9 out of 10 video games ran correctly on Vista" for example. The point where most viruses become a threat is when the user runs their code, and their success rate will be as good as installing any other application. UAC prevents the infection from spreading to other users and the core of Windows.

nullie said,
Well I'm not going to bother to read the article, my thought here is that UAC will prevent infection outside of a user's specific account if used properly.

If you enjoy blind faithfulness and leaving your fate to luck, then sure go ahead.

In other words, 2 out of 10 viruses are written so crappy, they don't even work? That would be the more interesting result in a test where you deliberately disable security features and forcefully try to install a virus. Not a single OS beats stupidity.

If you actually read the article, you may have noticed it was due to incompatibilities between windows 7 and previous versions. It seems MS's incompetence has some good side effects lol.

In my experience the best antivirus is your own intelligence. Me and my friends who are computer-smart never get viruses, we can even go without AV software and still get nothing, or at least nothing serious. On the other hand, people who can hardly handle computers are constantly falling for trojan after trojan. They click ads, respond to spam, click insecure links, etc.

Absolutely. Unfortunately, the vast majority of computer users range from folks who probably shouldn't be even near one to people who are naive enough to click whatever comes their way. For these folks no countermeasure is too much.

+1 That's the best anti-virus. And I guess that's difficult to beat. Novice users must be trained for that. And at the same time this should not create a fear in novice users that computer cannot be trusted etc...

Unckmania said,
we can even go without AV software and still get nothing,

You don't have to be a computer expert to avoid viruses. Just try Ubuntu

The company is obviously using scare tactics to manipulate the clueless into buying their product. It's just another false sense of security. Move along, there's nothing to see here.

Ansuza said,
The company is obviously using scare tactics to manipulate the clueless into buying their product. It's just another false sense of security. Move along, there's nothing to see here.

Errm except they don't have a consumer product to sell...... business only with Sophos I think you'll find.

AgentGray said,
Yes, because there are no corporate bigwigs that make buying decisions with no idea what they're doing...

This.

Ansuza said,
The company is obviously using scare tactics to manipulate the clueless into buying their product. It's just another false sense of security. Move along, there's nothing to see here.

I quite agree with you, this is just marketing tactics

Ansuza said,
The company is obviously using scare tactics to manipulate the clueless into buying their product.

They don't need much scaring when windows is universally synonymous with viruses and spyware.

These people remind me of a TD Insurance commercial that showed everyone but the protagonist walking around with 10 layers of bubble wrap around their bodies. Basically, having an unnecessarily high level of protection (safety filters, network filters, link checkers come to mind) to make up for the lack of responsible computing.

rm20010 said,
to make up for the lack of responsible computing.

If that was so, then why is windows the only OS with mass infections worldwide? I think calling users dumb (which you are effectively doing) is a poor excuse.

doesn't surprise me, the AV vendors are running scared. OS's are becoming more secure by default (by no means completely secure) and with the introduction of MS Security Essentials why bother with Sophos outside the server room at all?

This is the same crap they spin for Mac's stating a big attack is around the corner, still waiting for that one.

REM2000 said,
doesn't surprise me, the AV vendors are running scared. OS's are becoming more secure by default (by no means completely secure) and with the introduction of MS Security Essentials why bother with Sophos outside the server room at all?

This is the same crap they spin for Mac's stating a big attack is around the corner, still waiting for that one.


2009 is the death of OS viruses, currently and next year, it's finding exploits in things like Adobe Acrobat etc for Remote Command and Control of the system..... and guess what it's not platform specific. Adobe 8 + 9 both have wide open issues with exactly this and it affects mac version, windows, linux, you name it, it has the exploit ;o) so Yes mac and Linux systems are as much at risk of this as windows.

Mando said,

2009 is the death of OS viruses, currently and next year, it's finding exploits in things like Adobe Acrobat etc for Remote Command and Control of the system..... and guess what it's not platform specific. Adobe 8 + 9 both have wide open issues with exactly this and it affects mac version, windows, linux, you name it, it has the exploit ;o) so Yes mac and Linux systems are as much at risk of this as windows.

I'll stick to using Preview to view my pdf's then.

Pauleh said,

I'll stick to using Preview to view my pdf's then. :)

I'm pretty sure Preview is exploitable, too. The attack vector is the document.

Mando said,

2009 is the death of OS viruses

I think 2007 or 2006 was the death of the OS virus. Ever since then it's been Trojans and malware.

Pauleh said,

I'll stick to using Preview to view my pdf's then. :)

I wish I could preview. Windows 7 broke my PDF previewer in Outlook.

Amodin said,
I wish I could preview. Windows 7 broke my PDF previewer in Outlook. :(

You might want to check this link. This fixed the preview handler for me in Outlook 2007 when I changed to Win 7 (64-bit).

GreyWolfSC said,
I'm pretty sure Preview is exploitable, too. The attack vector is the document.

This is like saying that if a web page exploits a vulnerability in IE, Firefox will be vulnerable as well, because the attack vector is the web page.

REM2000 said,
doesn't surprise me, the AV vendors are running scared. OS's are becoming more secure by default

Most other OS's are secure by default and have been for decades. Windows is the only OS that needs bloated antivirus, antispyware, anti-*, firewalls etc. The rest of us just work away happily knowing that our systems are secure and stable. Don't you know that windows is synonymous with viruses? I've talked to some people who were shocked to learn that you can run an OS without anti-virus, antispyware etc.

REM2000 said,
(by no means completely secure)

There will always be exploits for sure, but windows will always have a sole monopoly on viruses!

REM2000 said,
and with the introduction of MS Security Essentials

But wait, I thought the UAC was supposed to stop all these mass infections? Perhaps MS aren't quite so confident now.

REM2000 said,
why bother with Sophos outside the server room at all?

Are you referring to windows servers? Because they are the only ones which need antivirus software.

REM2000 said,
This is the same crap they spin for Mac's stating a big attack is around the corner, still waiting for that one.

Truth hurts eh? And how big do they have to get? Isn't hundreds of millions of windows PC's infected with viruses enough?

that's so damn true.. I gave up Norton and McAfee alooooooong time ago.. I started to like AVG.. but even that really screws your comp up..

dimithrak said,
that's so damn true.. I gave up Norton and McAfee alooooooong time ago.. I started to like AVG.. but even that really screws your comp up..

I've been using Avast! Home Free for a few years now and really like it; much more than I liked AVG. Microsoft Security Essentials is another good free one; I was a beta-tester and was quite impressed with it.

LoveThePenguin said,
It's the only OS in which such mass infections exist, so are you surprised?


Because it has the largest distribution on the planet.

MadDog said,
Because it has the largest distribution on the planet.

+1, if Mac OS even managed to get 20% market share you would see it targeted. Apple can drag their feet too, look how long it took them to fix that java vulnerability.