Microsoft Fires Back At Sophos On Windows 7

Although Windows 7 comes with 'defense-in-depth' security that includes features like User Account Control (UAC), Kernel Patch Protection, Windows Service Hardening, Address Space Layout Randomization (ASLR), and Data Execution Prevention (DEP), it's still a good idea for customers to use antivirus software, said Paul Cooke, director of Windows Enterprise Client Security at Microsoft, in a Friday blog post.

"So while I'm not a fan of companies sensationalizing findings about Windows 7 in order to sell more of their own software, I nevertheless agree with them that you still need to run antivirus software on Windows 7," Cooke wrote in the blog post."This is why we've made our Microsoft Security Essentials offering available for free to customers."

Last week, Chester Wisniewski, senior security engineer at Boston-based Sophos, claimed that Windows 7, configured with default User Account Control settings and without antivirus software running, was found to be vulnerable to 8 out of 10 unique virus samples in recent tests in Sophos' labs.

On Monday, Wisniewski said Microsoft's marketing of UAC as a complement to the security of Windows 7 is somewhat misleading.

"Most malware these days is behaving in a way that UAC doesn't help," Wisniewski said in an interview. "A lot of fake antivirus software doesn't elevate privilege, so users don't get any UAC warnings. We're seeing more of these threats operating in userland and not necessarily doing things that trigger UAC."

Given that Sophos sells antivirus software, Wisniewski has taken some heat from Microsoft proponents who claim he's just trying to drum up fear to sell more products. Although Microsoft is giving away its Microsoft Security Essentials antimalware offering for free, Wisniewski doesn't see that as a threat to Sophos' business. "The more PCs that are protected, the better," he said.