MSE worries


  1. Posts : 332
    windows 7 premium home 64bit
    Thread Starter
       #81

    Can I just confirm this news Chaps? I.E.10 64bit is a safe browser even without AV/AMW protection running. Is that what you are saying? I use I.E.10 but I don't use the 64bit version, at least I don't think I do, because I was told it wouldn't work on a lot of sites and etc. Clarification of this would be greatly appreciated.


  2. Posts : 9,600
    Win 7 Ultimate 64 bit
       #82

    urbanspaceman1 said:
    Can I just confirm this news Chaps? I.E.10 64bit is a safe browser even without AV/AMW protection running. Is that what you are saying? I use I.E.10 but I don't use the 64bit version, at least I don't think I do, because I was told it wouldn't work on a lot of sites and etc. Clarification of this would be greatly appreciated.
    Saying IE10 64 bit is a safer browser even without AV/AMW protection running is like saying you're safer on a mountain road when wearing a seat belt even when driving a car with no brakes.


  3. Posts : 332
    windows 7 premium home 64bit
    Thread Starter
       #83

    Even with my extremely limited knowledge and understanding of these issues I am really quite certain that what they are saying is that I.E.10 has been developed with anti-malware protection in mind and it has proven very satisfactory. If you subsequently add 3rd party protection, well then, you are doubling up on prophylactics, which has been known to curb unsolicited intrusions fairly effectively.


  4. Posts : 10,485
    W7 Pro SP1 64bit
       #84

    urbanspaceman1 said:
    .....I use I.E.10 but I don't use the 64bit version, at least I don't think I do, because I was told it wouldn't work on a lot of sites and etc.....
    Enable 64bit tabs and let us know if you find anything that does not work for you. Once you enable EPM (64bit tabs) you need to restart the computer. After that, you can turn EPM off and on without restarting the computer, you just need to restart IE.


    urbanspaceman1 said:
    Can I just confirm this news Chaps? I.E.10 64bit is a safe browser even without AV/AMW protection running. Is that what you are saying?....
    I have attempted (many times) to infect a Virtual Machine by just visiting a known bad website. I was stating the conditions of those tests. e.g. the VM had no antivirus software installed; only the native Windows Defender and SmartScreen Filter were running/enabled. Computers can be infected by CDs, DVDs, USB devices, other computers on your network... and by allowing the installation of apps that you thought were clean. You will probably need some security related software to protect you from yourself.


  5. Posts : 10,485
    W7 Pro SP1 64bit
       #85

    andrew129260 said:
    The way it goes as of now (this post date-latest tests done), -note that this is just the browser built in protection, and not with addons.

    --Firefox has best phishing protection
    --Internet explorer has best protection against malware downloads, blocking 99.96%.
    --Internet explorer 10 has the best privacy settings enabled by default.

    See attached files.


    Source:
    https://nsslabs.com/reports/categori...owser-security
    I've read documents like that before and now I've read those three... thanks.

    I'm most interested in how Diosoth "got hit".
    Last edited by UsernameIssues; 03 Nov 2013 at 07:08.


  6. Posts : 10,485
    W7 Pro SP1 64bit
       #86

    Lady Fitzgerald said:
    urbanspaceman1 said:
    Can I just confirm this news Chaps? I.E.10 64bit is a safe browser even without AV/AMW protection running. Is that what you are saying? I use I.E.10 but I don't use the 64bit version, at least I don't think I do, because I was told it wouldn't work on a lot of sites and etc. Clarification of this would be greatly appreciated.
    Saying IE10 64 bit is a safer browser even without AV/AMW protection running is like saying you're safer on a mountain road when wearing a seat belt even when driving a car with no brakes.
    I'll change safer back to safe because it matters to the analogy:
    "Saying IE10 64 bit is a safe browser even without AV/AMW protection running is like saying you [are] safe on a mountain road when wearing a seat belt even when driving a car with no brakes."

    If I'm understanding the analogy:
    ...IE is the car
    ...IE's safety measures are like a seat belt
    ...no anti-virus/anti-malware software (AV/AM) = no brakes.

    I think that I've clarified what I was originally attempting to convey in my post that led urbanspaceman1 to seek clarification... but, in keeping with your great car analogy:

    A W7/IE10 combo has its own set of brakes - but users break brakes:
    The user can...
    ...turn off UAC (so IE runs as administrator - edit: runs at the high integrity level)
    ...turn off or ignore IE's SmartScreen Filter.
    I'll leave Windows Defender out of the discussion.
    [If additional AV/AM is installed, the user can turn off or ignore that too. That is an additional step. This gives the user more time to contemplate his/her stupidity. Thus, AV/AM software might make the user's driving/browsing safer*. But that is not the point that I'm discussing**.]

    *Let me know if you find a website that mentions malware getting by those brakes without the help of the user and was stopped by additional AV/AM protection. Bonus points if the AV protection was provided by MSE.


    **I'm discussing (defending?) a statement that I did not make.
    urbanspaceman1 did not make that statement either.
    urbanspaceman1 was asking if that is what I was stating.
    The statement's construction lends itself to this interpretation:
    I.E.10 64bit is a safe browser. No AV/AMW protection is needed.
    I'll defend that I.E.10 64bit is a safe browser.***
    I've stated when/why AV/AM software is needed.

    ***I've not read where any AV/AM tool stopped any infections that came in via a 0-day IE flaw without the user breaking brakes. Chrome, however, had a flaw that let malware run at the system level. Which is why I keep my UAC brake level higher than default.


    I do not think that we disagree with each other...
    ...I just really wanted to repeatedly say "break brakes"
    Last edited by UsernameIssues; 03 Nov 2013 at 08:51.


  7. Posts : 332
    windows 7 premium home 64bit
    Thread Starter
       #87

    You are a very patient and tolerant contributor Mr. UsernameIssues: I envy you your genial disposition.
    I've inadvertently wandered into unfamiliar territory now and I'm up to my vitals in dark waters, so I must beg your indulgence, back up, and hopefully establish my terrain.
    When I first acquired a 64 bit OS in 2012 I installed I.E.9. 32 and 64 bit software but was advised that the 64 would present problems - which it did on a lot of sites so I abandoned it. I now use I.E.10. but it doesn't appear to have 32 or 64 bit options anywhere and I don't remember being asked when I installed it. I did attempt to use I.E.11. last week and that insisted I install the 64bit version but it was messing with too many things on my system so I abandoned it until it has been fine tuned.
    When you speak of 64bit tabs and refer to EPM do you mean Enhanced Protection Mode and are they one and the same? I have always had EPM activated (maybe it is on by default).
    You also refer to UAC: is this User Account Control? Of this I know nothing really and, as far as I am aware, I am running in administrator mode continuously. Should I be doing otherwise?
    I had not been running the Smart Screen Filter so I have turned it on: is this wise? (Maybe it is off by default.)
    I run MB-AM (free) on a regular basis (2-3 times a week on quick scan, plus once a week on full scan); should I be scanning my (strictly) data storage HDD as well as my OS SSD?


  8. Posts : 10,485
    W7 Pro SP1 64bit
       #88

    urbanspaceman1 said:
    You are a very patient and tolerant contributor Mr. UsernameIssues: I envy you your genial disposition....
    Thanks... learning & posting is a hobby. I hope that the info that I post is correct.

    @Anyone,
    Feel free to correct me.


    urbanspaceman1 said:
    ........I installed I.E.9. 32 and 64 bit software but was advised that the 64 would present problems - which it did on a lot of sites so I abandoned it...
    On a 64bit OS, IE9 can run as a 32bit app or as a 64bit app.
    You can also run IE9 32bit and IE9 64bit at the same time.

    On a 64bit OS, IE10 starts with a 64bit parent process that gives birth to 32bit children (tabs). If you force IE10 32bit to launch first (as the parent process), it will launch a 64bit parent and then the original 32 bit version will exit... resistance is futile

    On a 64bit OS, IE10 (with 64bit tabs enabled) makes the same 64bit parent process start first and the children are all 64bit* processes.

    *unless the parent process thinks that a 32bit child (tab) is needed to run a 32bit plug-in/add-on.


    urbanspaceman1 said:
    ...I did attempt to use I.E.11. last week and that insisted I install the 64bit version but it was messing with too many things on my system so I abandoned it until it has been fine tuned....
    I had no problems with IE11, but I only spent a few hours with it inside a VM. And I've played with it inside a W8.1 VM. I guess that I just don't push IE hard enough to see the issues that others see.


    urbanspaceman1 said:
    ...When you speak of 64bit tabs and refer to EPM do you mean Enhanced Protection Mode and are they one and the same? I have always had EPM activated (maybe it is on by default)....
    "64bit tabs" and "Enhanced Protected Mode" (EPM) are the same option. Sorry for not being clear. I should always spell out the term before using the abbreviation.

    This is turned on by default:

    [Screenshot: MSE worries-ie10-1.png]

    EPM is not turned on by default:

    [Screenshot: MSE worries-ie10-2.png]

    Take a look in Task Manager (or Process Explorer) while EPM is off:
    (Restart IE if you just turned EPM off.)

    [Screenshot: MSE worries-ie10-3.png]

    urbanspaceman1 said:
    ...You also refer to UAC: is this User Account Control? Of this I know nothing really and, as far as I am aware, I am running in administrator mode continuously. Should I be doing otherwise?....
    Doh! I did it again. Yes, UAC = User Access Control.
    Here is the short version:
    If your user account type = admin
    And if UAC = off
    Then the stuff that you start (like IE10) will start at the high integrity level.

    If your user account type = admin
    And if UAC = on
    Then you can...
    ...right click on some files or shortcuts
    ...select "Run as administrator" from the context menu
    ...answer yes to the UAC prompt
    ...then the app will start at the high integrity level.
    Apps running at the high integrity level can do a lot of damage to the computer.
    In my opinion, it is best that you be notified/warned by the UAC popup that an app is going to run at that dangerous level. Letting every app (that an admin user starts) run at the high integrity level is just not needed. It is taking a risk for not much gain. It puts the files in the Program Files folder(s) and the Windows folders and other protected folders at risk.

    It is better/safer when apps run at the medium integrity level or the low integrity level. Process Explorer can show integrity levels and what app starts other apps (parent/child). An app running at the low integrity level should not be able to change files in the Windows OS system folder or in the root of the system drive (e.g. C:\).

    If you start notepad while UAC is turned on, then it should start at the medium integrity level. Windows (file) Explorer is also running at the medium integrity level. You can drag a file from the Windows (file) Explorer and drop it into Notepad. The file will be opened in Notepad.

    With the UAC still turned on, right click on notepad.exe or a shortcut to notepad.exe and select "Run as administrator" from the context menu. Notepad should start at the high integrity level. You can drag a file from the Windows (file) Explorer and drop it into Notepad. The file will NOT be opened in Notepad. Interactions between apps at different integrity levels are limited for safety. Those who turn off the UAC throw that safety model out the window.

    On a 64bit OS (with the UAC still turned on and with EPM turned on), IE10 starts with a 64bit parent process at the medium integrity level. That parent gives birth to 64bit or 32bit children (tabs) that run at the low integrity level. It is those tabs that do the actual surfing to web sites. It is that low integrity level that helps keep you safe.

    On a 64bit OS (with the UAC still turned OFF and with EPM turned ON), IE10 starts with a 64bit parent process at the medium high integrity level. That parent gives birth to only 32bit children (tabs) that also run at the high integrity level. It is those tabs that do the actual surfing to web sites. It is that high integrity level that makes IE less safe. [You can force 64bit tabs, but let's not go there.]


    If you are still awake - I'll ramble on a bit about account types:
    If your user account type = standard
    And if UAC = on
    Then you can...
    ...right click on some files or shortcuts
    ...select "Run as administrator" from the context menu
    ...type in the password for an admin account
    (if there is a password on the admin user account)
    ...answer yes to the UAC prompt
    ...then the app will start at the high integrity level.
    Standard users might have to do one more step....
    ...but there are things that happen as a standard user that I don't understand; so my account type = admin.


    urbanspaceman1 said:
    ..........I had not been running the Smart Screen Filter so I have turned it on: is this wise? (Maybe it is off by default.)...
    SmartScreen Filter is on by default. It is IE's filter for known bad websites, known bad files that you might be downloading and maybe it does other stuff that I don't know about.


    urbanspaceman1 said:
    .......I run MB-AM (free) on a regular basis (2-3 times a week on quick scan, plus once a week on full scan); should I be scanning my (strictly) data storage HDD as well as my OS SSD?
    If an infection got past MSE, it could scatter itself 100s of times onto any drive that it can. If Malwarebytes picks up anything during a quick scan, then run a full scan on everything.
    Last edited by UsernameIssues; 07 Nov 2013 at 11:00. Reason: corrected copy/paste error (high integrity level w/ UAC off)
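
Added example (not part of any post in this thread): the integrity levels described in post #88 can be read from a command prompt with `whoami /groups /fo csv`, which lists the current process's mandatory label as an `S-1-16-<RID>` SID. The Python below parses that output; the function names and the sample text are constructed for illustration.

```python
import csv
import io
import subprocess
import sys

# Well-known mandatory-label RIDs (the last part of an S-1-16-<RID> SID).
LEVELS = [(0x4000, "system"), (0x3000, "high"), (0x2000, "medium"),
          (0x1000, "low"), (0x0000, "untrusted")]

def integrity_from_whoami(csv_text):
    """Return (level_name, rid) from `whoami /groups /fo csv` output.

    Matches on the SID column instead of the group name so that it also
    works on non-English Windows, where the label text is localised.
    """
    for row in csv.reader(io.StringIO(csv_text)):
        for cell in row:
            if cell.startswith("S-1-16-"):
                rid = int(cell.rsplit("-", 1)[1])
                # Intermediate RIDs (e.g. 8448, "medium plus") round down.
                name = next(n for floor, n in LEVELS if rid >= floor)
                return name, rid
    raise ValueError("no mandatory label (S-1-16-*) found in input")

def is_risky_for_browsing(level):
    """High or system integrity: the process can change protected folders."""
    return level in ("high", "system")

# Constructed sample output (not captured from a real machine).
SAMPLE_MEDIUM = '''"Group Name","Type","SID","Attributes"
"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"
"BUILTIN\\Administrators","Alias","S-1-5-32-544","Group used for deny only"
"Mandatory Label\\Medium Mandatory Level","Label","S-1-16-8192",""
'''
SAMPLE_HIGH = (SAMPLE_MEDIUM.replace("Medium", "High").replace("8192", "12288")
               .replace("Group used for deny only", "Enabled group, Group owner"))

if __name__ == "__main__":
    if sys.platform == "win32":
        text = subprocess.run(["whoami", "/groups", "/fo", "csv"],
                              capture_output=True, text=True, check=True).stdout
    else:
        text = SAMPLE_MEDIUM  # fall back to the constructed sample off Windows
    level, rid = integrity_from_whoami(text)
    print(f"integrity level: {level} (RID {rid})")
    if is_risky_for_browsing(level):
        print("warning: started at high integrity (UAC off or elevated)")
```

Run from a normal command prompt with UAC on, an admin account should report medium; the same script started via "Run as administrator" should report high.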


  9. Posts : 332
    windows 7 premium home 64bit
    Thread Starter
       #89

    You are most obliging, and I greatly appreciate your time and attention and expertise: thank-you.
    I turned UAC on and set it to the highest level and it immediately began popping-up windows asking for permissions. I experimented with the lower settings one by one but it was even flagging my automatic instant restore point task on start-up when at the lowest level. Perhaps I don't know how to drive the thing - I will take some time to learn now you advise its use but I have to say, unless I can make it invisible I will probably not bother using it. Such is the indulgence of the spoilt. I am sure I experimented with it when I first upped to 7 and a new machine.
    I have turned EPM on.
    In future I will scan the data HDD as well. SSDs are now cheap enough to use for bulk data storage: I may well invest.
    Thank-you again.


  10. Posts : 4,566
    Windows 10 Pro
       #90

    UAC greatly increases the security of the system. You should at least have it on the default level. For better protection, use always notify.

    UAC also protects the Program Files and Windows folders.

    While you might be an admin on your PC, UAC was made so that you are not running as admin until a prompt appears to elevate you. If you elevate yourself at the prompt, you are giving temporary admin privileges for that request and only that request.

    UAC improves the security of the system greatly, and helps protect against threats and malware.

    Some helpful links:

    http://windows.microsoft.com/en-us/w...-windows-vista

    http://msdn.microsoft.com/en-us/libr.../aa511445.aspx

    http://windows.microsoft.com/en-us/w...ccount-control

    Read those 3 links, it will give you a good understanding of how UAC protects you. (The first link is for Vista, but the info is still valid in 7 and 8.)


    @UsernameIssues thanks for all that info.


 
Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.