Microsoft: We should block infected PCs from the Internet

October 7, 2010, 4:02 PM
In its effort to tackle botnets, Microsoft has offered a potential solution that would prevent botnet-infected computers from accessing the Internet. In a blog post this week, Redmond's Scott Charney described a "global collective defense" and compared his vision to modern public health in a paper titled "Collective Defense: Applying Public Health Models to the Internet" (PDF). Charney said that while traditional protection mechanisms such as firewalls, antivirus software and automatic software updates can reduce risk, they're not enough.

"Despite our best efforts, many consumer computers are host to malware or are part of a botnet," he said. He suggests that infected machines could have a "health certificate" to show whether they have security software and the latest patches. Systems lacking the proper software would be forced to update, while infected computers could be blocked from the Internet entirely.

"Just as when an individual who is not vaccinated puts others' health at risk, computers that are not protected or have been compromised with a bot put others at risk and pose a greater threat to society," Charney said. "We need to improve and maintain the health of consumer devices connected to the Internet in order to avoid greater societal risk."

Quarantining PCs may require government intervention, according to the Microsoft executive. "Voluntary behavior and market forces are the preferred means to drive action but if those means fail, then governments should ensure these concepts are advanced," he said. Such measures are unlikely to be accepted by Internet privacy advocates, however.

Analysts are already questioning the effectiveness of a quarantine-based system. Joe Stewart of SecureWorks aptly notes that if the person behind a botnet isn't dealt with, they'll just find a way to continue operating. "Technical solutions just haven't worked," Stewart said. How effective do you think Charney's proposed solution would be?

User Comments: 42

bugejakurt said:

I think it's effective. I agree with him forcing security updates on computers and penalizing those who don't enforce security updates.

TomSEA, TechSpot Chancellor, said:

Wow....can you imagine how many PCs would get shut down from the net? I'm sure tens of millions around the world.

(shrugs) But I can't blame them and frankly I admire the innovative thinking. Just not sure the Microsoft campus in Kirkland, WA would get burned to the ground from (uneducated) angry PC users as a result.

JMMD, TechSpot Chancellor, said:

How about shutting down sites that host this crap, or shutting down sites that have known security flaws?

I'd really like to see them focus more on hardened operating systems, sandboxed environments and taking down the botnet operators and controllers.

I'd be all for ISP's having a dynamic black list that blocked computers from going to sites that were infected or host malicious software.

The problem I see is a lack of education and standardization in the industry. It's like the wild west and no one has any control of any part of it.

Guest said:

Yeah right. I've never taken part in the annual flu shots available, and now they think they're going to quarantine me to my house..........

Guest said:

Not a bad idea as long as it is run by a trusted (LOL) company. Instead of banning the whole internet for infected computers, allow them to access sites that would allow them to get updated and cleaned.

matrix86 said:

Such measures are unlikely to be accepted by Internet privacy advocates

My thought exactly. Kicking your clients off of your connection because a company wants you to wouldn't settle very well with the ISPs. When consumers don't have connections, ISPs don't make money, and they could care less whether or not your computer is infected.

I'm torn between this, though. I could see it as a good thing, but at the same time, I just wonder exactly how well it would work in the long run...not to mention all the people who would not buy a Windows computer for fear of getting infected and shut off from the internet. And as we can already see, with Mac becoming more popular, they will eventually have the same problem. So I'm stuck in the middle here.

Guest said:

ya that will work (LOL)

I know companies that still use Windows 2000 on service pack 2 because service pack 3 screws up their proprietary database software and they are too cheap to put money into a new system software, not to mention hardware

Guest said:

if your pc is blocked from the internet because you don't have updates, then how do you get the updates...

i have several pc's but i don't update them all because the update process can prevent other software from working.. my nero5 stopped working over a year ago and only a system restore would put it right, but when i restarted it i forgot to cancel auto update and once again it stopped working.. i had a similar problem with my purchased version of dr divx where it asked for my password saying my trial period had expired and then wouldn't accept my password.. luckily system restore worked and i turned off updates and i no longer have the problem.. i mostly disable my network connection on that pc but when transferring files or buying software online i temporarily enable it...if it was detected without updates and was forced to update then who is going to reimburse me with software that works.. the new divx encoder is crap as i am unable to crop with it and i am not happy with the results obtained.. which means we will all be at the mercy of microsoft.. and i for one don't trust them that much

mattfrompa said:

I have not had a virus that I was unable to get rid of, but if I get kicked off the net I'll pop that Linux disc in right away

spydercanopus said:

"Just as when an individual who is not vaccinated puts others' health at risk"

Backwards speak. If you're vaccinated, doesn't THAT protect you from non-vaccinated people? Bill Gates is a eugenicist and admits vaccines are used to reduce population in a TED video. Just google it.

Guest said:

How did the expression "could care less" get started. Is everyone so stupid not to realize it means just the opposite of what's intended?

MrAnderson said:

It sounds all good in the realm of problem and solution, but we don't lock people up in their homes when they refuse to take a pill. This idea at its core is a thought exercise that could only be successful in being implemented with major compromises that would make it otherwise less effective. An idea insisting on enforcing an industry by making sure that there will be buyers is scary. Heck, forget insurance against damage, it truly would herald in health care for our devices.

Perhaps if it were freely available might it be more appetizing... if the computing device security industry were funded by government and businesses (those that stand to lose money the most, spending perhaps millions each year to track and cut off another of the hydra's head) it might stand a chance.

Why not make it a truly free market where competition is academic and garners the prestige to match Nobel-esque prizes. An openly public non-proprietary and open sourced code base/library to fuel the "cyber health care cause". Put one leeching industry to bed for good, which only subscribes to subscriptions for customers.

We might as well be paying for insurance, because what have people gotten when the software failed to defend. Yes the software that year after year people are entrapped into using through the front loading of such software by PC manufacturers.

This proposed solution defies the entire ideal of an open Internet. Surely a new infrastructure will need to be in place. Billions will be spent, or a new Internet built by multinational corporations and governments, and the old Internet will become the slums. The web will fracture under the strain and the people with the technical know-how will find ways to build smaller webs. They will be limited in scope, but vast enough to connect many. And for those without resources to recreate some of the services that are on the commercial web, will connect via proxy "clean machines"...

blaacksheep said:

Systems lacking the proper software would be forced to update, while infected computers could be blocked from the Internet entirely

Who exactly determines "the proper software" that I need to be running on my machine for internet access? I find it highly objectionable that they propose to mandate the installation of "approved" processor-crippling antivirus software on MY computer. I find it equally objectionable that I would be considered guilty of harboring malware until proven innocent.

"They" won't stop until they have complete control over every aspect of our lives.

Guest said:

Why don't Microsoft make a better operating system that is more secure?

No one will be on the net if they do that .dleption

aj_the_kidd said:

Big companies will never go for it, users are stupid and will open any attachment, if that attachment contains a virus and spreads throughout the company's network, effectively shutting out most users from the internet. That's going to be a problem

Guest said:

As a society we do currently take action simply because you are not 'up to date' with virus protection. Do we not lock children out of public school if they have not been vaccinated? How about the way we treat those that have a known ailment? How well do you suppose it goes when you admit to having AIDS on your health/life insurance application? How about cancer? Shall we start this list up because you know should it is a very long and disturbing one. The verbiage in the article is wrong. The intent is be to block known infections from the ability to spread. This does not preclude the ability for a known infected computer to attach to a protected system for an attempted repair, though this odds are a new OS install would be the best answer. It merely means you are locked into the sandbox until you get your fix. Bashing critical thinking like this just shows where how postured you are. How many people out there think everything is fine when in fact they have infected systems? Hmmm? Don't you think they would feel a modicum of appreciation when they actually start seeing the performance they remember? (having done my best to disinfect many machines I already know how people react to this).

Nope. This is an excellent idea if implemented correctly. Of course there will be haters and dung throwers as always.

Guest said:

This is simply a ploy to divert attention from the real issues, most of which have already been commented upon in the preceding posts.

Guest said:

It's called Secunia PSI, use it, love it. People posting here are probably the ones who are actively "vaccinating" more than the average joe anyway. While Microsoft isn't making perfect products, last I checked the major issues usually involve someone trying to open up a bad attachment, XSS attacks, poor browsing software. No Script will solve a lot of those programs and the best part is it's free! So is Secunia, but I'm not in the habit of pushing software on others. Just family and friends.

Wendig0, TechSpot Paladin, said:

I'm not sure how well this will work, but until they put "access to internet" in the Bill of Rights, then it's really up to the ISP. ISPs should send out warnings to infected users with an ultimatum to clean their PC or lose their privilege of surfing through porn online. Giggity.

Guest said:

How did the expression "could care less" get started. Is everyone so stupid not to realize it means just the opposite of what's intended?

The expression is "...couldn't care less", but so many people are ******, and have used it/ heard it wrong their whole lives, that nobody gives a damn.

Guest said:

Let's face it. This is just another ploy by MS to sell more of their "insecure" software. If MS knew how to write a truly secure OS, then there would be no need to kick the average "Joe/Jane Schmuck" off the internet. The bulk of the security problems are with MS software to begin with. Win 7 has been "ballyhooed" as the most "secure MS OS" yet, and no sooner is it made available to the general public, then a bunch of "security patches" come out. Now if MS can convince users to buy more of its crappy software (under the guise of security), then it stands to make more money. As Barnum said, there is one born every minute.

AlExAkE said:

Me too! AGREE! Such updates and software checks to see if the PC is infected should be the law. I will always install the latest patches and security risk updates to any computer I have access to. There should be a way of limiting access to internet to people who refuse to update, because they become the contributes to the problem.

Take any regular biological virus/bacteria for example. If there are many people infected in a place, their access to other people is being denied, in order to protect the rest and not spread the disease. This should work the same way.

I VOTE "YES" with both hands!!!

Guest said:

I definitely agree. I hate bots. If your computer is infected then it is your fault, not Microsoft. So, we should enforce security patches and anti-virus software on any computer that is connected to the internet. Otherwise, they should be blocked from accessing internet.

fimbles said:

Will Microsoft continue to provide updates and support for their older operating systems forever?

Or when the support ends does this mean you will be forced to upgrade to the newest version of Windows in order to keep updated?

Call me cynical....

Guest said:

Apparently there are too many users here who are not familiar enough with computer security and/or flaws to properly comment and see right through this.

The idea is nice. It's a lofty goal, however, and nearly impossible.

Current malware and virii already disable the majority of well-known anti-malware or anti-virus software, making the computer user believe there is nothing wrong. The anti-X software products are much more difficult to overcome than simply accessing and modifying some form of "health" certificate. It's a lovely idea in theory. In actual practice it simply would die a horrible death from the internet flu.

DeepThought007 said:

This is an excellent idea! Lets penalise the consumers for faulty software they purchased in good faith. Next we get the government to take all faulty vehicles off the road if the manufacturers don't make them safe.

blimp01 said:

what would happen if i refuse microsoft to obtain my computer's security information

Row1 said:

I do have access to the internet in the bill of rights.

i do not need approval or certification from anyone anywhere to communicate however I want with whomever I want.

This is a dumb idea. Maybe we could make each human on the planet get certified in proper English before you are allowed to talk to anyone.

People: do you have trouble recognizing a totalitarian idea? You cannot do anything web-related unless some un-named organization says you have an active, approved product on your computer.

In other words, He who has the gold makes the rules. He who gets to declare who can be on the internet controls the internet.

You think you have trouble getting through on a Tech Support line now? Imagine all ten jillion web users.

In business, if we don't like the service from one AV company, we switch.

With this global governance, how do you switch if they don't perform well?

Will the leaders be globally elected, so we can vote them out?

Or will they be a bunch of appointed/nominated rogue, well-funded do-gooder hedonists like in the EU or UN?

Open your civics book. To the chapter called "taxation without representation."

If y'all fall for this, maybe you will fall for some global un-elected, un-accountable board which decides how much energy each nation is allowed to use, and gets to decide how much tax is placed on each and every bit of energy expenditure across the globe.

I call it global carbon cap-and-trade.

Guest said:

Here are a few points of why this line of thinking is bad...

1. Who the F*** is Microsoft to declare what's infected and what isn't? I don't recall MS being appointed the governing body on the internet over what traffic is 'clean' and what might constitute malicious traffic.

2. Today, shutting down 'botnets' for "public safety". Next, using it as a vehicle for disabling services to organizations such a governing body doesn't agree with. Major net neutrality problems.

3. The obvious privacy concerns. To have your computer ask permission to access the internet each and every time to a single, government or commercially operated organization is very frightening. What would such a protocol be called? MMI (Mother, May I?)

4. It raises a potential for a new type of denial of service. Spoof traffic so that it appears to be originating from a target network, and sit back and wait for them to be shut off by the "Internet Bot Police". Now the target organization has to cut red tape just to have service restored. Can one imagine the frustrations of network admins having to jump through hoops to get a judge to restore service? New network certifications would have to include an entire section on international law!

5. If it were to be implemented in Microsoft's operating systems directly, it would only pertain to their operating systems. Mac and Linux operating systems, while much more difficult, are just as susceptible to malicious programs participating in botnets.

Trillionsin said:

Okay, I literally only read the first few lines and the thought came to my mind... "If they are going to completely block you from the internet that you legally pay for and deserve your access to then they will have to offer built-in free antivirus protection." On the other hand, I don't really like the power and control this gives them, invasion of privacy and such.. blah blah...

Guest said:

Everyone saying "Yes" might as well, hand over their wallet/purse and keys to their house/car and newborn child. Seriously though if these flawed ideas get passed, you have yourselves to blame when all things fail.

ISP: How can we help you?

Customer: I can't access my internet!

ISP: Well we've been told, you have an infected PC, so you're cut off until otherwise known.

Customer: *insert what you want here*

I was leaning towards yes and then thought about it, read the whole article and firmly said no! This is the worst logical idea, as people have pointed out before. Who's to stop a false attack, against say.. an ISP that won't cooperate? Then suddenly that service is cut off, the smaller services will be disappearing under all these problems. Soon we'll have a global ISP, where it's pretty much a dictatorship. They want full control of our lives, people are too blind to know who "they" really are.

There's nothing here worthwhile, what if you were using an older OS? Not all schools upgrade to the best, would that mean they'd be given free PC's or something? Nope, nothing at all. Just means the whole school as a whole, could be shut down if things are not up to requirements. I've been in public and high schools, who ran from 95 and 98 OS's. Does that mean will Microsoft, somehow extend support for em now? Hardly!

Enforce the rule of upgrading OS to something more secure, and also by the way.. use an AV only they approve of. None of those "perfect" AV services, that don't have major impacts. It's better to take the giant bloatware AV packs, that will cripple your PC and make it its slave. Then you can use the internet, unless of course that service fails in protecting you. Have fun fixing that one, being all those giant companies don't always work. It's been proven before, it takes multiple ones usually to protect better. No one program is perfect.

Guest said:

The majority of people that have chosen the "blue pill" will find out too late what all this really means.

paulanthony said:

I don't like the idea of being the fun police telling me what software I should have or not have, and I think the idea is just a money making trick by vendors and purveyors of yet more bullshit AV and spyware programs that just lull people into a false sense of security for a price!

Man who do you think writes this (viruses) crap anyways, it's the same people selling the antidote

bah! humbug!

nismo91 said:

how about the other way round, block all infected internet from our PCs.

Guest said:

Used correctly, the expression is "could NOT care less". It's seldom used correctly.

paulanthony said:

nismo91 said:

how about the other way round, block all infected internet from our PCs.

Hooray, at last someone has an idea!

Guest said:

Breaking News: Malware uses health certificate to propagate itself

Gars said:

What about certificates? um?

For what is those?

Unused or compromised technology?

nigelle said:

ISP don't want to do anything but complains that the traffic is increasing too much and so that they have to increase their fee but most of the mail traffic is spam! They should be forced (by laws or regulations) to take a part in the sanitization of the Internet: e.g. the server (my SMTP or the first link from the site I look at) where data enter the internet should run an antivirus against it (reject the data with virus and send a warning mail to the sender), an antispam program and check that the return address in the HDLC frame (denial of service) correspond to the sender. All of these are not 100% efficient but should improve the situation of the network.

The possibility to detect if the sender is part of a botnet should be studied.

I am against the blocking of the offender connection (except in case of repeated offences) but I think that a warning is required.

Microsoft can improve the situation with more secure softwares and a warning (with confirmation asked) message when I try to run a script on an attachment...

GonchuB said:

But the problem lies when people try to do something important over the internet and they realize they are not able to do so. Some are not so experienced and do not know how to take care of infections or how to prevent them, they just get into the machine, check what they need to check and leave. Although I think it is fair for all the other user who get compromised from other machine's virus, I don't believe this is a fair policy for those unexperienced user who will have to pay for virus repair on a monthly basis.

geeksatlarge said:

Is it just me, or is anyone else getting the impression that there's a distinct effort on the rise to control anything the "public" has access to. I see so many things wrong with this idea, I hardly know where to start. This is just another attempt to get the camel's nose into the tent. The minute I hear "Government intervention", I tense up and guard my wallet. These people *never* get it right. But, what they do is set in motion a chain reaction that they can't control, but negatively affects others that were not intended to be affected. This is called the law of unintended consequences. These people have way too much time on their hands. They can't seem to abide by the principles of live and let live. They are like the ever-present Nanny that tries to control every waking moment of the child they are in charge of. Hey, but nobody hired them to be in charge of anything! What's wrong with the model in place now? Anyone that's on the Internet/Web should have enough sense to know the environment itself most closely mimics a free society. In a free society, it is ultimately crippling to have your personal responsibilities for protecting yourself usurped by any nameless, faceless agency that will ultimately get around to dictating how, when and where you can have access to... fill in the blank. "He who would trade liberty for some temporary security, deserves neither." - a quote from Benjamin Franklin; an individual who was smarter than most. 'Nuff said.

jakeshjo1953 said:

I know something has got to be done but keeping the low guy who can't afford all the whistles and bells is going to hurt more in the long run. I don't have a regular job, I'm disabled and live off of my Social Security benefits to take care of three of us. I do have free antivirus and I have a yearly update on my Iobit antimalewhere package. I really can't afford that. There are a lot of people out there that have even less than I do and can't afford anything. Do you just punish them for not having? Just a thought.

ohsilly said:

We have to remember that malicious software often goes with knowingly malicious users who chose to ignore security updates solely for the purposes of spreading crapware all over! They just acted like they are clueless but they know how to maintain their computers but choose not to.
