Viruses trojans and other malware on windows on arm?

What is the current state of all the nastiness for win/arm?

Is it more locked down like iOS and less vulnerable or is it just as leaky and in need of an extra layer of antivirus software?

I’m looking at a ThinkCentre Neo 50q QC and wondering if it would start sputtering to a halt when burdened with antivirus software.
 
As I understand it, it's full fat Windows 11. Applications written for traditional x86/x64 CPUs run on a seamless translation layer. Last I heard, there were still many driver issues and kinks to work around, but at the same time, the concept of providing driver updates and regular maintenance is foreign to Qualcomm, so don't expect the experience to be as smooth as it is on a regular PC. This is especially true for games, which rely on graphics driver support (and I mention again, the notion they actually have to support their hardware is completely foreign to Qualcomm). If I had to give you any advice, it would be... against getting an ARM64 Windows 11 PC.

btw - have you tried iOS lately? Nowhere near as locked down as it used to be. I bet sideloading comes soon, even though Apple grumbles and keeps saying EU only. They'll have to cave. ;)
 
That's a pity, I was looking at it for an older gentleman who doesn't need all that much compute-wise but does love installing and clicking on everything, but won't react well to me not giving him administrative privileges.
 
Whoa! The OP's question was about malware. Absolutely nothing provided in the response had anything to do with malware.

The real, true answer is the latest versions of Windows on ARM are VERY safe and secure against the threats of malware AS LONG AS the user -"always" the weakest link in security - keeps the OS and their security current and avoids being "click-happy" on unsolicited links, popups, downloads and attachments.

Is it more locked down like iOS and less vulnerable or is it just as leaky and in need of an extra layer of antivirus software?
NO you do NOT need an "extra" layer of security. The integrated security is just fine, again, AS LONG AS you keep the OS and security current and avoid being "click-happy" on unsolicited links - the EXACT SAME precautions one must make regardless their primary security solution (or OS) of choice.

HOWEVER, and again regardless one's primary security of choice, one should always have a secondary "on-demand" scanner to occasionally double check just to make sure the user (once again, the weakest link in security) or the primary security solution did not let something slip by. I use Malwarebytes for that.

As far as how security relates to ARM based systems, the truth there is ARM "offers" even better security over x86 platforms - which is a primary reason many welcome the push to ARM based systems. Note I said "offers", I did not say "implements". That will depend on what, if, and how the various advantages ARM "offers" are implemented, if implemented, by the manufacturers of the specific hardware devices.

Are ARM based systems invincible? Of course not. Spectre and Meltdown illustrated that. But Spectre and Meltdown were good wake-up calls too.

but won't react well to me not giving him administrative privileges.
Well, truth be told, nobody (even the most advanced pros) should be running with administrative privileges "full time". All users should be using standard accounts for their day-to-day computing tasks. Then, should the need for administrative privileges pop-up, switch as needed then switch back.
 
AS LONG AS the user -"always" the weakest link in security - keeps the OS and their security current and avoids being "click-happy" on unsolicited links, popups, downloads and attachments.

This is the answer for basically every single thread involving this topic when it comes to personal computers.

Yes, the corporate environment is different. But if you're a CISO coming to TPU for advice on your cyber infrastructure then you should be fired.

For a home environment, keep Windows Defender updated, don't click sketchy links, don't download sketchy things.
 
This is the answer for basically every single thread involving this topic when it comes to personal computers.
Yes it is. And sadly, has been since the beginning of malware and likely will be until all the bad guys in the world are eliminated.

Yes, the corporate environment is different.
Yes and no. Corporate/organizational/government networks are more and more frequently targeted these days simply because the bad guys know users of those networks tend to be untrained and undisciplined in computer security and therefore are "click-happy" on unsolicited links. :( And this is due, in part, because those networks are supported and maintained by [supposedly] professional IT and IT security people, and their managers and C-Level execs. And consequently, those users assume their systems are secure so they are less cautious than they might be with their own, home computers. So when they get a legitimate "looking" email they click away - letting the malware and bad guys in. :(

But sadly, as we have seen over and over again, those so called IT and IT security people, their managers and C-Level execs are NOT professionals. That is, they too often are lazy and incompetent administrators led by incompetent managers and execs.

The Equifax breach a few years ago is the perfect example. Complacency, negligence, lack of training, no sense of urgency, bumbling responses, and perhaps most importantly, a total lack of accountability led directly to 143 million! users having their personal information compromised!

Understand the developers of Equifax's software had, months before the breach, identified the vulnerability, and developed and distributed to Equifax the patch that would have secured the vulnerability and prevented the breach in the first place. But Equifax took no action to install it. They sat on their thumbs and did nothing while knowing the vulnerability, and the patch to fix it, was in their hands.

And here we are, 8 years later and little has changed. Corporations are still being hacked, much in part because available patches are NOT being applied on a timely basis.

The solution is easy. Employees need to be better trained on how to identify and act on potentially evil (or just suspicious) emails. IT personnel MUST be aggressive at applying patches and training their users. And perhaps most importantly, managers and C-Level execs MUST take network security seriously AND (this is THE biggie) they must be held accountable for these totally preventable hacks and breaches.
 
Making me feel like I'm reading a discussion board post for one of my classes :P. (Currently living the GI Bill life getting a BS in cybersecurity)
 
This is the answer for basically every single thread involving this topic when it comes to personal computers.

Yes, the corporate environment is different. But if you're a CISO coming to TPU for advice on your cyber infrastructure then you should be fired.

For a home environment, keep Windows Defender updated, don't click sketchy links, don't download sketchy things.

I always tell people for a home environment you also want something like Quad DNS changed to the DNS, that can help with some of the bad links I think. My elderly father has a bad habit of clicking on phishing email links, and I have had to clean OS install his PC a few times because of it. Ever since I added Quad DNS though it hasn't happened, it might not matter, it's possible he just stopped opening emails as much. I don't know.

Edit: on the Quad DNS website, it does state they block several domains for security and safer internet by default, so it might be helping.
 
Cloudflare (1.1.1.1) is another good alternative DNS. They can help but are not infallible.

If one uses these, I recommend making the DNS setting changes in your router. In this way, every device on your local network uses that setting. It is much easier to manage, IMO, than changing the DNS settings on each individual computer and networked device.
 
Yup I always forget to mention this but it's a setting change I make whenever I upgrade a family member's router (aka they get my old one).

The router setting is usually "good enough" in those environments because the users don't know what a DNS is let alone how to change it on each device (thus ignoring the router). Usually 1.1.1.1 as primary and 9.9.9.9 as secondary.
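
A way to check the per-device point raised above, as an added example that is not part of any post in the thread: it reports, for each active adapter on a Windows PC, whether DNS goes through the router, straight to the resolvers named in the thread, or to something else. The `$Expected` list and the function name `Get-DnsAudit` are assumptions made for this example.

```powershell
# Added example (not from the thread). $Expected is an assumption:
# the two resolver addresses the posters mention.
$Expected = @('1.1.1.1', '9.9.9.9')

function Get-DnsAudit {
    param([string[]]$Expected)

    # Only adapters that are up and have an IPv4 default gateway (i.e. are on the LAN).
    Get-NetIPConfiguration |
        Where-Object { $_.NetAdapter.Status -eq 'Up' -and $_.IPv4DefaultGateway } |
        ForEach-Object {
            $cfg      = $_
            $gateways = @($cfg.IPv4DefaultGateway.NextHop)
            $servers  = @((Get-DnsClientServerAddress -InterfaceIndex $cfg.InterfaceIndex `
                              -AddressFamily IPv4).ServerAddresses | Where-Object { $_ })

            # Anything that is neither the router nor an expected resolver is a local override.
            $other = @($servers | Where-Object {
                $gateways -notcontains $_ -and $Expected -notcontains $_ })
            $viaRouter = @($servers | Where-Object { $gateways -contains $_ })

            $verdict = if ($servers.Count -eq 0) {
                'no IPv4 DNS server configured'
            } elseif ($other.Count -gt 0) {
                'OVERRIDE: resolver is neither the router nor an expected one'
            } elseif ($viaRouter.Count -gt 0) {
                'via router: result depends on the upstream DNS set in the router'
            } else {
                'direct: expected resolvers'
            }

            [pscustomobject]@{
                Adapter    = $cfg.InterfaceAlias
                DnsServers = $servers -join ', '
                Verdict    = $verdict
            }
        }
}

# IPv6 DNS servers and a browser's own DNS-over-HTTPS setting are not covered here;
# either one can bypass the resolver configured on the router.
Get-DnsAudit -Expected $Expected | Format-Table -AutoSize -Wrap
```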
 
ARM + Windows = Celeron + Windows
I will be very interested to see how slow this device will be after a few months of use if you don't manage Windows well.
 
Whoa! The OP's question was about malware. Absolutely nothing provided in the response had anything to do with malware.

The real, true answer is the latest versions of Windows on ARM are VERY safe and secure against the threats of malware AS LONG AS the user -"always" the weakest link in security - keeps the OS and their security current and avoids being "click-happy" on unsolicited links, popups, downloads and attachments.

I mean. It was kind of implied there. Your statement equally applies to the traditional x86/64 processor version of Windows, it is very safe. Since there is "Prism" (basically Windows on Windows AArch64) and "ARM64EC", it's highly probable that many, if not most types of malware should also affect it as well? Perhaps not to the same damaging extent, I don't know. Ultimately, as you've also mentioned, the user is always the weakest link in the security... thus ARM64 is probably not going to do anything to help this case. If I had to say, it's probably a bit "safer" considered, some applications flat out won't run? But I think most that don't by now are probably just graphics intensive applications

Edit: reworded post, came out all sorts of weird from my brain
 
Well, truth be told, nobody (even the most advanced pros) should be running with administrative privileges "full time". All users should be using standard accounts for their day-to-day computing tasks. Then, should the need for administrative privileges pop-up, switch as needed then switch back.
I don't disagree, but he'll ask someone else to fix it.
This isn't a corporate setting where I can use my position or an AUP to force behavior.
 
I mean. It was kind of implied there. Your statement equally applies to the traditional x86/64 processor version of Windows, it is very safe.
Ummm, no. Sorry - while no doubt the answer about security with ARM here may be obvious in our minds, there was nothing implying anything about malware or security in your reply - hence my reply. Your focus was clearly on driver updates, maintenance, and smooth experiences with gaming because they rely on graphics driver support - nothing about "Viruses trojans and other malware" as asked by the OP.

I am NOT criticizing because I totally agree with those comments. I am just noting an observation to clarify any confusion because I am sure to many users/readers, the question about security and how (or if) it "equally applies to the traditional x86/64 processor version" is not so obvious.

Edit: reworded post, came out all sorts of weird from my brain
LOL All I can say to that is it took me almost 15 minutes to write/rewrite/edit/write those last 2 little paragraphs of 5 sentences above as every time I read them back they sounded weird - no doubt because I am still acutely decaffeinated this morning! ;)

I don't disagree, but he'll ask someone else to fix it.
This isn't a corporate setting where I can use my position or an AUP to force behavior.
Nobody likes to be "forced" into a behavior - even if a behavior they would have chosen themselves. I might suggest you suggest to him using 2 accounts; one "Standard" account he can totally personalize for his normal day-to-day usage, and another "Admin" account for when admin privileges are actually needed - with a stern warning of the dangers of using an Admin account full time. He still has total control, but is protected (from himself - don't say that part! ;)) from making changes that might break the OS.

Perhaps show him this article which explains why all of us should use a ‘Standard’ user account in Windows even if only one person will be using the computer.

You may (likely will) fail miserably, but at least you can say you tried.
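
The two-account setup suggested above, as an added example that is not part of any post in the thread: it lists which enabled local accounts are administrators and, when run elevated, creates a standard account for daily use. The account name `daily` and the function names are hypothetical; the cmdlets are the LocalAccounts ones that ship with Windows PowerShell 5.1.

```powershell
# Added example (not from the thread).
$AdminsSid = 'S-1-5-32-544'   # built-in Administrators group (well-known SID, locale-independent)
$UsersSid  = 'S-1-5-32-545'   # built-in Users group (well-known SID)
$DailyName = 'daily'          # hypothetical name for the day-to-day standard account

function Test-Elevated {
    # True only when the current session holds an elevated administrator token.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    ([Security.Principal.WindowsPrincipal]$id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-LocalAccountRoles {
    # Direct members only: admin rights gained through a nested group are not expanded.
    $adminSids = @(Get-LocalGroupMember -SID $AdminsSid | ForEach-Object { $_.SID.Value })
    Get-LocalUser | Where-Object Enabled | ForEach-Object {
        [pscustomobject]@{
            Name      = $_.Name
            Role      = if ($adminSids -contains $_.SID.Value) { 'Administrator' } else { 'Standard' }
            LastLogon = $_.LastLogon
        }
    }
}

# Audit: which enabled accounts could change the OS without a credential prompt?
Get-LocalAccountRoles | Format-Table -AutoSize

if (-not (Test-Elevated)) {
    Write-Host 'Session is not elevated: audit only, no account created.'
}
elseif (-not (Get-LocalUser -Name $DailyName -ErrorAction SilentlyContinue)) {
    # The password is read interactively so it never appears in the script or its history.
    $pw = Read-Host -AsSecureString -Prompt "Password for $DailyName"
    New-LocalUser -Name $DailyName -Password $pw -Description 'Day-to-day standard account' |
        Out-Null
    Add-LocalGroupMember -SID $UsersSid -Member $DailyName
    Write-Host "Created standard account '$DailyName' (member of Users only)."
}
```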
 