Microsoft hopes to beef up its security capabilities with the acquisition of Komoku, a developer of rootkit detection products, announced last week. Financial terms of the deal were not disclosed.
Microsoft plans to add Komoku's technology into its Forefront and Windows Live OneCare products. Forefront is Microsoft's suite of enterprise security software that includes malware protection for PCs, security tools for Exchange and SharePoint servers, and gateways that secure remote access to corporate data.
Microsoft Acquires Security Firm, Komoku [washingtonpost.com]
How can an external company, without even the benefit of source code, be the expert on Microsoft Windows?
Security is OS agnostic; however, knowing everything about their OS/source code etc. does not mean they know everything about security, or the ways in which their code can be attacked.
It's like saying the author of a book would be its best editor. Writing and editing, though they share much, still have two distinct skill sets.
Let's say you build a form or script on your site and think you've covered all the bases -- it just takes one hacker with another way of looking at the user-facing side of it to find a chink in the armor.
Another consideration could be MSFT coders who leave themselves a backdoor -- maybe a test point in the code -- or worse, the well hidden intentional backdoor left for the day after their pink-slip arrives.
As the saying goes: "Just because you're paranoid doesn't mean someone isn't out to get you".
:)
How on earth can you reliably detect a rootkit on a running machine? If you have been properly rootkit'd then it would be impossible to tell without booting from known good media (either an external hard drive or preferably a CD-ROM).
Please Microsoft, instead of spending all this money on detecting malware, just separate the OS from the user data and let people reinstall the Windows components without dropping out to an archaic DOS prompt. I am sure we have all spent many hours reinstalling Windows and user settings; if you think you have a rootkit then you are better off reinstalling anyway.
All OneCare is good for is to give the user a nice false sense of security.
Blaming the users is just a poor excuse, how are they supposed to know what is good or not? Just make it easy to remove programs and prevent anything writing to \windows would do a lot to help. I have seen XP broken many times by broken or corrupted drivers, nothing to do with the user.
What about the fact that a good rootkit hides itself, so how can you ever detect a good one from the running machine?
This software is only good for poorly written rootkits. The user will spend 5% of their time doing endless virus/malware/adware/rootkit scans and definition updates just to make themselves feel safe and absolve Microsoft of responsibility; they are all still cannon fodder.
Just like antivirus/spyware/rootkits - you can't have a user know everything and you can't have an OS that knows everything, and increasing your functionality to protect the users the best you can is THE BEST you can do.
You can blame the OS all you want, you can blame the car all you want, but it still doesn't distract from the fact that it's more often than not a fault of the user than the vehicle itself (be it a car or an OS) that causes the problems to begin with.
[blogs.technet.com...]
He got infected ONLY because he was running as Administrator. Vista is better in that regard but it is just teaching people to click yes regardless, then blame them when things go wrong. No normal day to day program should need Administrator rights and a password prompt would have made it clear that this CD is installing something it shouldn't.
Administrator rights make things much easier for hackers to plant malware because they only need 1 exploit instead of 2.