A Better Alternative to Anti-virus Software for Projection Machines
I don't use antivirus software. Nor do I use spam filters. Why? Because the ones I've used, and I've used a lot of them, have all irritated me so much that I've given up on using them. These tools, which are designed to protect us from the myriad of threats around us in cyberspace, slow my machines down to a crawl and seem to interfere with every aspect of the systems. They have caused communication problems for network access and RDP. Some have even caused BSOD incidents in certain scenarios. They label some things as spam that shouldn't be, and miss stuff that shouldn't be missed. Because of these and other reasons, I came to the conclusion that the antivirus/antispam cure was worse than the disease.
I say all of this to demonstrate that I follow my own advise. If you were to ask me if you should install antivirus software on your presentation machines, my answer is NO! Anti-virus software is a performance killer. When it comes to presentation machines, performance is paramount. Having antivirus software meddling with every file download or import interferes with the overall process. System-wide scans suck life out of the CPU which creates problems when trying to build presentations or when presenting during a service.
Many of you are gasping, "How do we protect our systems from viruses and malware without such tools?" Here are the system protection measures I recommend as a better alternative for projeciton machines:
1) Make regular image backups of your systems. This means complete copies of your hard drive on a regular basis. I recommend weekly backups for churches. If your system gets infected, simply restore the system drive to the most recent backup. If that backup is infected too, keep going back until you reach the point prior to infection. A good imaging tool (such as Acronis) makes it easy to schedule regular backups and to restore from a history of backups when necessary. Also, keep a copy of the original image just incase you need to quickly start over (GoFishMedia machines come with restore disk for this purpose.)
2) Use a separate drive for your data files (such as drive D:). In the event you need to restore your system disk (typically drive C:) to a previous image to fix a virus or malware problem, having separate drives will let you restore the system drive without touching your data files. If you do put your data files on the same drive as your system, then at least use a separate backup process on a regular basis to back those files up as well. This will make it easier to restore your data files after re-imaging the system drive.
3) Do not use Administrator accounts. Make it a practice to log in to a limited user account. If your system happens to acquire a virus or malware while in a limited user account, the infection will be limited to that account only, but the system itself should remain uninfected. Eliminating an infection at this point simply involves deleting the user account on that machine, then re-adding it.* The infection associated with the user account has been removed, but the system itself is still clean. Using your machine with an administrator account, however, nearly guarantees that a virus or malware infection will become system-wide.
Another good thing about implementing items 1 and 2 is that you'll be better protected against other potential system problems that may come along. These include problems associated with Windows Updates, driver updates, new software, and even a SongShow Plus updates (a very remote possibility, of course :-).
For our machines here at R-Technics, we make regular images of our system drives. Our data files are stored on servers so if a system drive needs to be restored, data files are not affected. The servers are also backed up daily onto external drives that include a rotation of disks stored off-site. When system infections occur, its simply a matter of restoring an image. In some cases, we decide that re-installing Windows and applications from scratch is the preferred approach. But in either case, blowing away a system drive is something we're comfortable with for any of our machines because of the backups we have in place.
For development machines, we've found it impractical to run in any user mode except Administrator. We've tried using non-Administrator accounts that have been granted a lot of privileges, only to eventually find some function we need to perform as a developer but is not permitted within that user account. As I mentioned above, running in an administrator mode incurs significantly more risk, since your entire system is vulnerable to viruses and malware. Even so, I still don't use anti-virus software on these machines because of how they interfere with various tools and system components.
The main risks for a machine getting infected by a virus or malware are browsing and installing tools and utilities, particularly from unfamiliar sources. I do both of these things on development machines on a regular basis, with some trepidation. There's an idea that I'm considering to deal with this problem. It is to deploy a virtual machine within a development machine. This virtual machine would then be used for web browsing and downloading. It would be equipped with anti-virus software for scanning file downloads prior to copying them to the development machine. If the system gets infected, the virtual machine files will be deleted and replaced with pristine copies of the originals. This approach has some downsides as well, but could be a workable approach. However, someone pointed out to me that using a virtual machine actually increases the surface area for a possible hacking attack, so I suppose this needs idea needs some more thought put to it.
For spam control, I have developed mailboxes and whitelist configurations so that potential spam mail is mostly isolated and can be quickly scanned visually. It's not perfect, but it works pretty well for me.
To wrap this all up: From my perspective, anti-virus/anti-spam tools are a cure that is worse than the disease. Don't use them on your SongShow Plus machines. Instead, implement the system protection measures I outlined above. Having said that, I also acknowledge that doing so will increase the chance that your system will get infected at some point. Just this week I had to deal with a malware infection on a notebook computer that, as you might expect now, had no anti-virus/anti-malware protection. I've been willing to take the risk, but if using an anti-virus tool gives you peace of mind, then you should go with it. If you do, try to find a tool that doesn't interfere with the performance of your machine. Also, remember that anti-virus tools aren't perfect -- they don't guarantee that your system won't be infected. So even if you are using such a tool, I still recommend that you implement the system protection measures I discussed.
Important note: Despite everything I've said here, we do run the SongShow Plus executables and installers through a series of virus checkers before uploading them to the server for public download! Others here at the office are, also, not so anti-virus adverse and do have these tools on their systems.
*Caveat: One down-side to deleting an infected account on a SongShow Plus machine is that you will loose most of your User Preference settings. These settings are local to user accounts, not system-wide. So when a user account is deleted, so are the settings. We need to implement a backup module for User Preferences so that these settings can be easily restored -- I'll move that item up the to-do list.
(BE218)
Comments:
I gotta say that I agree for the most part, but I would never take this risk on a machine that people other than me can logon to and run. So for our situation, I choose anti-virus software. Even though the account is a limited user account, I don't want to have to risk doing a restore/rebuild on a Sunday.
1) Don't do any system upgrades within a day or two of a service. This includes Windows updates, video drives, etc.
2) Don't install new software within a day or two of a service, particularly if it might interfere with graphics or video playback.
3) I even include SongShow Plus updates, particularly from one edition to the next, in this list.
4) Even if you are confident to do these things a day or two before a service, please don't do them just moments before a service.
These things are actually more likely to be a source of an unexpected problem than even viruses or malware. Wait until after your weekend serivces are complete before making updates.
Disclaimer: I frequently update our church's SongShow Plus installation moments before a service, but only if I'll also be on hand to handle unexpected problems.
So it's usually Friday night (which preceeds our Saturday morning service) or never.
But at church, we do run a limited account. I just wish I could install fonts with the limited account and I'd rarely have to use the admin sign on .
I let Yahoo and Google do my spam filtering for me. And they do a very decent job of it. Why download spam, if you can stop it at the server? Especially, if it isn't your server.
I am sure that this doesn't work on Vista, but it does in XP.
Browse to internet explorer (in Program Files), hold down the shift key and right-click iexplore.exe, select RunAs, select the logon as another user option, choose the/an admin account, type the admin password, click OK, then click the stop X before IE can open a web page. I would also set the internet explorer home page to Blank for the admin account. This will cause the formerly mentioned procedure to open a blank internet explorer.
Once IE is open, type C:\windows\fonts in the address field and then tap the enter key. You are now operating as an admin in this window, and can install FONTS from the file menu.