52

Microsoft has announced Windows 7 will no longer be receiving updates after January 14, 2020: Here.

I hate Windows 10's forced updates and telemetry, so I have always stuck with Windows 7, but it may be as good as dead after the lack of security updates.

Linus Tech Tips did a great video covering this issue: Here.

With this massive change I was wondering if anyone knew of the real impact this would have. Can third-party Anti-virus successfully substitute Windows 7 security updates after they are discontinued?

Right now I use Malwarebytes and AVG, and I feel as though this would be enough but this is something you have to be sure about.

With Windows Vista I feel as though this has already been studied, but I am not clever enough to google the right words. So I have turned to the amazing community here for solid answers.

Is Windows 7 being left 4 dead, or is Y2K coming back for round 2?

schroeder
TritiumCat
  • 46
    Without knowing your requirements, it's worth mentioning that if you _really_ hate Windows 10, there are at least two other desktop OSes worth considering. Many developers actually consider one of the others to be superior for many tasks. Your mileage will vary depending on your use case. If you do have requirements that mandate Windows, you can at least become familiar with the Privacy and Diagnostics pages of the Settings app to disable most information sharing and telemetry. – GrandOpener Mar 12 '19 at 14:45
  • 9
    The only way I know of to safely run a machine that runs an operating system that is end-of-life'd (i.e. no more updates/patches/bug-fixes)... is to run the machine on an air-gapped network or no network, and be very careful what files you transfer to the machine (files are transferred to the machine via physical media transfer). – Trevor Boyd Smith Mar 12 '19 at 17:23
  • 8
    You may find that another operating system besides _Microsoft Windows_ is more to your liking. Perhaps consider doing some research in this area if _Windows 10_ is not up your street. – starbeamrainbowlabs Mar 12 '19 at 19:24
  • I was stuck on Windows 7 for a long time; the 3 things that got me past it to Windows 10: getting Classic Shell set up correctly, realizing Windows 10 is not the dumpster fire that is Windows 8/8.1, and proper Bluetooth audio support – chiliNUT Mar 12 '19 at 21:04
  • 7
    I have Windows 10 on 2 of my 3 devices. I have to keep using 'Destroy Windows Spying (DWS)' to prevent updates and disable telemetry. Every time Windows 10 updates, it reinstalls all of its bloatware and manages to reestablish telemetry. I have dug very deep into Windows 10 and found at least over a dozen processes that solely collect data at random times. A few of these processes send the data home (probably Microsoft servers, could be a VPN). The amount of data it sends is alarming and the fight with Windows 10 "updates" was not really worth it. But now I have no choice. Maybe Linux Mint. – TritiumCat Mar 13 '19 at 00:40
  • @TritiumCat: Honestly I hate it too but at some point you might find that there are bigger fires to fight in life than this one, and it might just be one of those battles to surrender to. When every Windows 10 device in the *world* is sending back telemetry, including in businesses, you have to realize there are people out there with more worries (and clout) with Microsoft than you, so if something were to seriously go wrong with the data, they would have bigger problems on their hands than you. – user541686 Mar 13 '19 at 06:10
  • 1
    @Mehrdad It's the principle of the thing. Somebody's snooping on you, for something you've _paid_ for. – wizzwizz4 Mar 13 '19 at 07:40
  • 4
    @wizzwizz4: If the *payment part* is the part that you take issue with on principle, then you could think of it as your payment having gone toward the OS, and your going toward the updates. (After all I think I could sanely say that a one-time payment of this magnitude can't really cover perpetual costs.) However if you'd still ditch Windows on the mere principle of snooping being wrong even *if* it was free, then I salute you... – user541686 Mar 13 '19 at 08:04
  • @Mehrdad Considering the Microsoft tax, it is for all intents and purposes "free"; that is to say, I do not pay extra money to get a copy of Windows, since I'm paying for one anyway. As far as most people are concerned, they're paying for a _computer_ and it's spying on them. – wizzwizz4 Mar 13 '19 at 18:14
  • But if— … we should take this to chat. Know of a suitable room? – wizzwizz4 Mar 13 '19 at 18:14
  • 3
    Check your Windows 7 box for Microsoft telemetry. IIRC there was an update to Windows 7 that added Windows 10 style telemetrics. If you are fully updated on Windows 7, you may already have Microsoft telemetrics on your system, see https://mspoweruser.com/microsoft-makes-telemetry-updates-for-windows-7-and-8-1-critical-updates/ – Walter Mar 14 '19 at 00:41
  • 1
    @TritiumCat, there is already an answer suggesting that, but consider Win 10 LTSC as a compromise. It is Win 10 as it should be. Most importantly in this context, it has regular security patches but no forced 'feature updates', and long-term support. Still have to put up with its ugly interface, though. – Zeus Mar 14 '19 at 02:25
  • 1
    @wizzwizz4: Isn't [The DMZ](https://chat.stackexchange.com/rooms/151/the-dmz) the usual room to go to? – user21820 Mar 14 '19 at 10:14

10 Answers

100

Nope.

After Microsoft discontinues security updates for a version of Windows, there is not a safe way to run that version of Windows.

Some people will promote Virtual Patching, where you have an external firewall scan all your traffic looking for patterns of traffic that look malicious. I would not trust that, and it requires a separate non-vulnerable computer.

A number of vulnerabilities patched by Microsoft are not the sort that anti-virus is good at catching. In the most recent example, Google announced a Chrome bug plus a Windows 7 bug that caused visiting a site to remotely execute arbitrary code; this was being used in the wild. After end-of-life, Microsoft will not patch this type of bug. (https://www.zdnet.com/article/google-chrome-zero-day-was-used-together-with-a-windows-7-zero-day/)

David Waters
  • 2
    Damn, that was not the answer I was hoping for, but it's better to know the truth than live in blissful ignorance. I better begin making preparations for this. Perhaps I will host a Jedi style funeral where I dban my hard drive and weep softly at the Windows 10 install screen. Or maybe I will invent Windows 9 and save the galaxy from the Sith Lords at Microshaft. Who knows! – TritiumCat Mar 12 '19 at 04:22
  • 25
    @TritiumCat I mean, Windows 10 is overall better than 7 so it really shouldn't be an issue. – James T Mar 12 '19 at 09:06
  • 49
    @TritiumCat The forced updates aren't much different from what was used since Vista (and overall, updates are much less frequent). If you set the telemetry to Basic level (in Settings, no need for group policies etc.), the data being sent isn't much different from what was already sent in Windows XP. In the end, it's all about security and reliability - reporting crashes, hardware issues etc. Apart from the slippery slope arguments, there's little point in fearing the changes; the issues have been blown way out of proportion, and it's not like MS is the pioneer of these things either :) – Luaan Mar 12 '19 at 09:12
  • 20
    @Luaan I can't wait till the "fun to hate Win 10" of the internet goes away; it's seriously overhyped how bad Win 10 is – Brian Leishman Mar 12 '19 at 12:49
  • 16
    "there is not a safe way to run that version of Windows", not true. It's still safe to run outdated versions of Windows offline, without being connected to the Internet. – mbomb007 Mar 12 '19 at 13:57
  • 37
    @JamesTrotter I beg to differ. I miss the Windows 7 interface. The Control Panel replacements are clunky and much more limited; you often need to revert back to the old interface anyway, which is harder to access now. Accessing the shut down menu via keyboard is now much more difficult. The privacy settings are configured to send everything by default, so you have to hunt them all down. And the most annoying thing: **forced reboots even if your programs are running**, possibly making you lose work. The bottom line is that Windows 10 was not designed with serving the user as the priority. – jpmc26 Mar 12 '19 at 16:33
  • 2
    @mbomb007 Depends on the threat model. – jpmc26 Mar 12 '19 at 16:35
  • 3
    @jpmc26 `Alt + F4` when no windows are in focus. If Windows are in focus then `Win + D` or just click on some empty space in your taskbar. It has literally been YEARS since I've used the Start menu to shut down my machine. – MonkeyZeus Mar 12 '19 at 17:19
  • @MonkeyZeus Yes, I use that. I am, however, not fond of the risk of accidentally closing a window since it uses the exact same shortcut when I wish to Hibernate instead of Shut Down. If they were actually interested in improving the user experience, they'd have made it possible to do them via the Search or giving it a dedicated shortcut. – jpmc26 Mar 12 '19 at 17:30
  • 1
    @jpmc26 You definitely sound like a power user. The idea to Sleep, Shut Down, or Hibernate via search is brilliant. I would imagine you could make a `.bat` or PowerShell script to achieve such functionality. – MonkeyZeus Mar 12 '19 at 19:40
  • 10
    @MonkeyZeus Sure, I could, but that doesn't change the fact that Windows 10 is annoying and made no real usability improvements. I also consider adding more system functions to search *obvious* and am flabbergasted that 8 crippled the search and that 10 added a bunch of garbage like web search to it without adding basic things like those. – jpmc26 Mar 12 '19 at 19:45
  • 1
    @jpmc26 Just be thankful that they still let you turn all of that off. One day I think they will hobble Windows' customization capabilities then I might jump into your boat but for now it's manageable. – MonkeyZeus Mar 12 '19 at 19:53
  • 6
    @jpmc26 `Win + X`, `U` brings you to a menu where you can Hibernate, Shut down, etc with a single keypress. Signing out is just `Win + X`, `UI`. I love that damn thing so much I ended up backporting it to Windows 7 with AutoHotKey. – James Mar 13 '19 at 06:16
  • @SebastiaanvandenBroek that is 100% what is happening here, I just didn't want to address it directly, thus paying any real attention to such school-yard-grade signalling... – James T Mar 13 '19 at 10:20
  • 1
    @jpmc26 I can't disagree that there are aspects of Win10 that are worse than 7 to me, but to the overall consumer base it is better. If it's easier for my Granddad to use then I'm happy, and there are no real detriments to me. Sure, having to search the old control panel every time I want to do something is a minor inconvenience... Sure, the default settings are sucky... but ultimately 99% of Windows users aren't "power users" like you will find in a forum such as this. – James T Mar 13 '19 at 10:23
  • 9
    This discussion about which version of Windows is better is both off-topic and pointless. – Philipp Mar 13 '19 at 10:28
  • 1
    @jpmc26 Do the `shutdown -s` / `shutdown -h` commands no longer work for Shutdown and Hibernate via Search? – Chronocidal Mar 13 '19 at 10:30
  • @Chronocidal I don't know if they work via search but it is trivial to hit Win+R and type them in there. – Pyritie Mar 13 '19 at 15:26
  • 3
    @mbomb007 offline is not enough: you'd also need to stop using USB, Bluetooth, etc. – Cœur Mar 13 '19 at 16:04
  • 1
    @jpmc26 just tell cortana to shut down the PC, and she'll do it. – Andy Mar 13 '19 at 18:21
38

No, anti-malware is not a replacement for security updates.

Neil Matz summarized Fortinet's Q2 Global Threat Landscape report for 2017, noticing:

WannaCry and NotPetya targeted a vulnerability that had been patched by Microsoft a few months earlier.

But it’s not just these high-profile attacks that target recent vulnerabilities that are the problem. During Q2, 90% of organizations recorded exploits against vulnerabilities that were three or more years old. And 60% of firms experienced successful attacks targeting devices for which a patch had been available for ten or more years!

You hate Windows 10's forced updates and telemetry, but there are methods to change their operation. For example, using gpedit.msc on Professional editions you can:

  • Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure Automatic Updates. It's still possible to choose 2 = Notify before downloading and installing any updates.

  • It's possible to get the feature updates only after they are actually ready (i.e. tested and complained about by the end users). ... > Windows Components > Windows Update > Windows Update for Business > Select when Preview Builds and Feature Updates are received:

    When selecting Semi-Annual Channel (Targeted) or Semi-Annual Channel:

    • You can defer receiving Feature Updates for up to 365 days.

  • Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds. Allow Telemetry = 0 (Security) sends only a minimal amount of data to Microsoft. Too much? You can disable the DiagTrack (Connected User Experiences and Telemetry) service.

Windows 10 was the first Windows with cumulative updates, which actually means fewer updates. Since October 2016 there has been no difference, as Microsoft stopped individual updates for every supported Windows and currently all updates are in the rollup model. (You can read more about servicing differences).

Esa Jokinen
  • 9
    Your answer is too generic. That does not work in W10Home, for example. Also, all the W10 part is not relevant to the topic. Also, cumulative updates are kind of a service pack. Difference is, they mostly break things instead of fixing them. – Overmind Mar 12 '19 at 11:12
  • I agree that part isn't completely on-topic on this site, but it tries to help OP with the (XY) problem. These kinds of myths should be challenged. There are still too many out there thinking XP is the best Windows, for similar reasons. – Esa Jokinen Mar 12 '19 at 16:12
  • 1
    Home doesn't have gpedit.msc. But you are exactly right - sticking with old versions is really a very bad security practice. I have adjusted to Win10 with all the settings you suggest and find my terrible soon to be replaced Win7 machine at work quite troublesome now. – razethestray Mar 12 '19 at 18:48
  • 1
    Just because you can choose something in gpedit doesn't mean the system will honor it. (Have you used Windows 10?) – user541686 Mar 13 '19 at 06:04
  • 1
    @Esa Jokinen XP got a community security patch. Statistically, if you take the last 2 years of 10,7 and XP, XP is by no means worse than 10 when it comes to security. There are common CVEs found but there are a lot more 10-specific. Also, many CVEs are easy to patch by 3rd parties on XP but not possible to be community patched in 10. I currently use all 3 OSes in online environment and hands down 10 has the most problems of security and specially functionality. 10 needs a redux like Vista had and we got the good 7. – Overmind Mar 13 '19 at 06:23
  • @Overmind: That's very interesting. Could you provide some sources for the actively maintained XP community security patch and the statistical analysis, please. – Esa Jokinen Mar 13 '19 at 07:41
  • Old article here: https://www.pcworld.com/article/2599290/enthusiast-developer-keeps-windows-xp-alive-with-unofficial-service-pack-4.html ; Source of unofficial update pack called SP4: http://ryanvm.net/forum/viewtopic.php?t=10321&postdays=0&postorder=asc&start=0 – Overmind Mar 13 '19 at 07:55
  • I'm glad this solves a lot of the problems that people are complaining about in the main comments, but in my experience, every time I elect to make an update, all of these options wind up going back to the defaults, causing an overwhelming amount of work every time I do update, making me want to update even less. – Erin B Mar 13 '19 at 14:30
  • @Mehrdad I use Windows 10 configured with Group Policy to prevent automatic updates and reboots. I still let Windows check for updates, so every once in a while it notifies me that there are updates (but doesn't install automatically, or force me to) and then I install them when I feel like it. – camerondm9 Mar 14 '19 at 03:15
  • @razethestray Home can still configure the registry settings though. Microsoft has instructions available [here](https://support.microsoft.com/en-ca/help/328010/how-to-configure-automatic-updates-by-using-group-policy-or-registry-s), or you can import a copy of [my settings](https://pastebin.com/zVckJJe6). – camerondm9 Mar 14 '19 at 03:19
  • @camerondm9: Try not letting the system do that and see if it's really listening to GP. – user541686 Mar 14 '19 at 03:19
  • @Mehrdad As requested, I've let a Windows 10 system sit for 3 days now. It was set to download updates but not install automatically, and hadn't been updated recently. It reminds me once a day (with a modal dialog) that there are important updates ready to install, but it has not installed the updates... It would appear that Windows 10 listens to at least that part of GP. – camerondm9 Mar 17 '19 at 19:51
  • @camerondm9: I never requested this, but if you're trying to experiment, 3 days is nowhere near enough. Try it 30-60 days. There's a process that turns updates back on if they're turned off too long. – user541686 Mar 17 '19 at 20:10
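
The Group Policy settings named in the answer above are stored as registry values, and several comments in this thread disagree about whether they survive updates. As an added example (not part of the original answer or its comments), this read-only PowerShell audit reports whether those values are still in place; the expected values are assumptions taken from the answer's choices, and the function names are hypothetical.

```powershell
# Added example, not from the original answer. Read-only: it changes nothing.
# Assumes Windows 10 with PowerShell 5.1. The "Want" values below are
# assumptions that mirror the choices listed in the answer; adjust as needed.

$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$dc = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'

$baseline = @(
    # Configure Automatic Updates: enabled, option 2 (notify before download/install)
    [pscustomobject]@{ Path = "$wu\AU"; Name = 'NoAutoUpdate'; Want = 0 }
    [pscustomobject]@{ Path = "$wu\AU"; Name = 'AUOptions'; Want = 2 }
    # Windows Update for Business: defer feature updates by 365 days
    [pscustomobject]@{ Path = $wu; Name = 'DeferFeatureUpdates'; Want = 1 }
    [pscustomobject]@{ Path = $wu; Name = 'DeferFeatureUpdatesPeriodInDays'; Want = 365 }
    # Allow Telemetry = 0 (Security). Microsoft documents level 0 as honoured on
    # Enterprise, Education and Server editions; other editions treat it as 1.
    [pscustomobject]@{ Path = $dc; Name = 'AllowTelemetry'; Want = 0 }
)

function Get-PolicyValue {
    # Returns the registry value, or $null when the key or value is absent.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-UpdatePolicyBaseline {
    # Compares each baseline entry with what is currently in the registry.
    param([object[]]$Baseline = $baseline)
    foreach ($entry in $Baseline) {
        $actual = Get-PolicyValue -Path $entry.Path -Name $entry.Name
        $state = if ($null -eq $actual) { 'NOT SET' }
                 elseif ($actual -eq $entry.Want) { 'OK' }
                 else { 'DRIFT' }
        [pscustomobject]@{
            Value    = $entry.Name
            Expected = $entry.Want
            Actual   = $actual
            State    = $state
            Key      = $entry.Path
        }
    }
}

function Get-DiagTrackState {
    # Reports whether the telemetry service is present, running, and how it starts.
    $svc = Get-Service -Name 'DiagTrack' -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        return [pscustomobject]@{ Service = 'DiagTrack'; Status = 'not present'; StartType = $null }
    }
    [pscustomobject]@{ Service = $svc.Name; Status = $svc.Status; StartType = $svc.StartType }
}

Test-UpdatePolicyBaseline | Format-Table -AutoSize
Get-DiagTrackState | Format-List
```

Running it before and after each cumulative or feature update shows whether any value moved from OK to DRIFT or NOT SET, which is the behaviour the commenters are arguing about.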
12

There is no realistic substitute for software patches.

There are additional security measures one can take, but all of them have their limitations.

  • Antiviruses will not do a thing against attacks that do not write to disk. If an attacker hijacks a legitimate process in memory, it's open-season on your data. These kinds of attacks are becoming more and more common.

  • Firewalls and IDSes (of either the software or hardware variety) can catch malicious traffic that matches a signature. The slightest bit of customisation will defeat this.

  • All software measures rely on your core operating system being trustworthy. A core OS with security holes like Swiss cheese cannot be trusted.

  • Hardware measures rely on you having a spare machine with software that has a supported OS anyway.

520
6

Windows 7 was released 10 years ago. Wanting to use Win 7 now is the same as wanting to use Win XP in 2013 (the year Windows 8.1 was released), or wanting to use Windows 95 in 2004. There were such guys in that era too, and we made fun of them at the time[1]. Technology is changing; you should learn to adapt if you want to succeed in this field. If you want to schedule your own update times or prevent some updates from installing completely, you can spend some more bucks for the Pro version of Windows 10. Regarding telemetry, I have bad news for you: it's also in Windows 7, and the quantity of information can't be configured as in Windows 10, so you keep the defaults, whether you like that or not.

To answer your question: there is no way an external small software house can patch vulnerabilities of a closed source operating system with the same efficacy as the operating system developer; the best they can do is work around known bugs by blocking features or scanning your activity for malicious patterns. This will slow your computer, and has bigger privacy concerns than the telemetry Microsoft gathers[2]. Also, as someone already said, there are vulnerabilities which can't be worked around outside of the operating system, so you'll keep them all.

Relying on external protection for your outdated OS may lure you into a false sense of security and may work without issues for years (it is not like the operating system becomes insecure the exact day its support ends), but would require you to keep yourself informed on new security issues, whether they are severe, whether they affect your OS, whether they will stay unpatched, and eventually determine whether you should finally leave your OS at one point. If you can afford that much time managing your installed OS just for privacy concerns, you can definitely use it to install Linux and solve the issues you may encounter due to the lack of certain apps in your usual workflow; it will pay off more in the future.

Another thing that has not been said in other answers, and I think affects the security of an old operating system, is that external app developers will eventually stop supporting it and releasing new versions for it, so you may end up having old and buggy versions of apps such as browsers, which may be another surface of attack for exploiters.

TLDR, only hassle comes with staying with Windows 7. The problems you thought Windows 10 has also affect Windows 7, and while up until now it may have been a preference choice for the old UI to justify using that operating system, from now on the technical problems which come with it will keep increasing, so stay away: either go to Win 10 or move to Linux.


[1] There was arguably a reason for people to stay on an older operating system at the time, and that was the increased demand for computing power of the newer operating systems, which prevented them from being installed on older machines. This is not true anymore, since Windows 10 requirements are exactly the same as the 10-year-old Windows 7.

[2] The concern being that data leakage and server vulnerabilities are more likely at a small company and more likely to be severe, because Microsoft has much more experience in security, gathered from failures accumulated along its 40 years of activity and enmity to various revolutionary hacker groups.

pqnet
  • 3
    The problem is in UI. How to accept such thing like the UI of Win10. – i486 Mar 12 '19 at 14:53
  • 2
    Many orgs still use XP. Many orgs are forced to. – schroeder Mar 12 '19 at 14:59
  • 1
    Third alternative is to go with macOS. Also, if the OP wants to hang onto his operating system for years he'll have a problem with any OS. REL/Ubuntu/Debian/whatever will give you anywhere from a year to maybe 7 years of support. Not the 10 years that he already has on Win7. – doneal24 Mar 12 '19 at 15:33
  • @i486 This is a personal preference, which I admitted is still relevant as of now, but I argue it's going to become more and more outweighed by the technical discrepancies with a supported OS as Win7 becomes older and buggy and not updated anymore. – pqnet Mar 12 '19 at 15:43
  • @schroeder Exactly the point. Many orgs are _forced_ to use XP because their workflow has software that requires XP, but they wish they weren't, as using XP doesn't come for free: they need to pay somehow for the risk of vulnerabilities, and for the increased workload on the IT department. It may be a good choice to stay with XP/7 for some companies as switching to newer OS may require a bigger cost to renew workflow for the entire company, for a single user these security costs are a massive risk and overhead. Surely nostalgia for the old UI is not the main point in their choice... – pqnet Mar 12 '19 at 15:49
  • I think the angle of "if you are only using it because of preference" is lost in your answer. You appear to express a problem with using older OSes without any qualifiers. – schroeder Mar 12 '19 at 15:51
  • @DougO'Neal not really: telemetry is present in MacOS too and there is even less control over that OS. Moreover MacOS is not a PC operating system - it only runs on Macs - so there is not really a choice to switch from Win7 to MacOs if you don't have a Mac. – pqnet Mar 12 '19 at 15:51
  • @pqnet I agree. Maybe I and other people are waiting for the new Windows with improved UI which is better than the one in Win10. The legend is that Win10 will be "the last Windows" but I guess after some time we will see the next big change in user interface and new name like "Windows 20". – i486 Mar 12 '19 at 15:52
  • @schroeder I was considering the problem from the OP point of view - there may be general reason for which staying on 7 may be the only choice, most often in enterprise environment where the new platform does not support a specific workflow and requires a big investment in re-designing the workflow, but I didn't mention them in here because I didn't think they were relevant (the answer is already too long in my opinion) – pqnet Mar 12 '19 at 15:54
  • @i486 Win10 actually had already had some major feature updates which changed many things, something which in the past was enough to give a new name to the operating system. Differences of the current win10 build to the original win10 are comparable to the differences between Vista and 7, or 8 and 8.1. They just decided that not having to support old versions of the OS by forcing all people to update to the last Win10 build outweighs the revenues of selling copies of the new OS to the small number of people who actually update their system from the pre-installed OS – pqnet Mar 12 '19 at 16:02
  • @schroeder note that the problem with using older windows versions is actually without qualifiers: companies pay for that as a cost, they only choose to keep running old windowses because updating is far more expensive. – pqnet Mar 12 '19 at 16:04
  • 1
    XP by most accounts is a much easier to use and for that reason superior OS than 7 or 10. If there weren't constraints on XP I would still be using it. If you have a laptop that is 5-6 years old and sluggish, put a new build of XP on it and it will fly. – blankip Mar 12 '19 at 17:13
  • 5
    @blankip: You can achieve the same safely with many currently maintained Linux distributions. – Esa Jokinen Mar 12 '19 at 18:13
5

As others have said, it is not recommended to try to use an antivirus as a replacement for system updates. An antivirus is just one component of your system security, which also includes a secure network (incl. updated router), updated firmware and applications (especially your browser), 'street smarts' of what not to click on, and of course, an updated operating system.

However, that does not mean that there is no solution in your specific case. After all, the problem you are having is not that you are required to use Windows 7, but just that you understandably do not want to use Windows 10 with its tracking, preinstalled junk, major updates all the time, and other issues. Luckily, there is a solution to this particular problem, and it's called Windows 10 Enterprise LTSC (Long Term Servicing Channel), also known as LTSB (Long Term Servicing Branch). It contains the same security as regular Windows 10, and is compatible with the same non-Store software, but does not include the Store, Cortana, Start Menu junk, or really anything at all that you wouldn't find on Windows 7 or even XP. Its update schedule is also similar to previous Windows versions - security updates and bug fixes come every month or so, but major feature updates are considered to be completely separate versions, and updates are never forced. Telemetry can be turned down to '0', which is the same bare-minimum value that is normally only available on Windows Server.

I too was in a similar situation as you, and decided that LTSC was the way to go. It's the kind of stable, clean OS that I want on my PC, and since its primary market is embedded systems like POS terminals, it's going to be updated for a very long time. Of course, Microsoft hates when people choose it, but their vital corporate customers demand such an OS.

If you do choose the LTSC route, you can get a key for usually less than $15 on eBay (prices vary).

  • It actually _does_ include much of that stuff, but doesn't run as much of it by default and **reliably** lets you turn off enough of the rest. – Joel Coehoorn Mar 14 '19 at 17:52
2

Here is a list of some common ways that computers become infected with malicious software, and whether anti-virus, system patches, or neither of those are effective in protecting against this. As with many questions like this one, a lot depends on the use case.

1) Downloading executable software from the Internet and running it as administrator. This is what anti-virus is most effective at protecting against, but it is far from perfect. Whether or not the system is up to date on patches makes no difference here.

2) Downloading executable software from the Internet and running it as a non-privileged user. As of 2019, with normal versions of Windows XP being unpatched for 5 years now, it's fairly uncommon for programs to try to exploit vulnerabilities to gain administrator privileges, but it can happen. Having an up-to-date system is important in this case. In addition to anti-virus being used to prevent malicious executables from running, anti-virus can sometimes detect if an executable contains a Windows elevation of privilege exploit, but it's easy to fool anti-virus in this case. So anti-virus is only a small substitute.

3) Documents such as Word and Excel documents which exploit unpatched vulnerabilities in Microsoft programs. Anti-virus can often scan these documents for exploits and prevent harm from being done. Since these documents are not executable, the exploit can't hide itself from anti-virus. So anti-virus does help in this case.

4) Remote exploits in system services and the kernel. Anti-virus only scans files in real time, not memory, so it can't help you here. Fortunately, remote exploits are very rare and Microsoft or someone else will probably release a patch even after support is over, as they did with the SMB1 (used by WannaCry) exploit on Windows XP/2003.

5) Internet Explorer: Anti-virus doesn't scan memory and can't really help you against a properly written exploit for Internet Explorer. You'll have to find a different browser to use. This also applies to other Microsoft products which connect to the network or Internet. If a security vulnerability exists in one of them, anti-virus can't help you.

6) System libraries like .NET: Programs which open documents and/or connect to the Internet, such as web browsers, use system libraries that are updated by Microsoft. Many of the updates that you get from Windows Update are for these libraries. The Windows JPEG exploit from back in 2004 was a classic example of this. Many programs which weren't made by Microsoft used the Windows JPEG library to decompress JPEG images. After the vulnerability in the Windows JPEG library was discovered, all of these programs became vulnerable to malicious JPEG images. This is a big gray area. Even if Microsoft doesn't release a patch for a system library, it's usually still possible for the application to patch the problem on their side. If it's a popular program like Firefox that is high risk due to popularity, the developers of Firefox might patch it themselves since they know that Microsoft won't.

In general, whether or not anti-virus is able to prevent you from being infected, anti-virus can still scan your hard drive and clean up infections after the fact, but only if the malware is widespread enough to be recognized by the anti-virus software, and it doesn't use sophisticated cloaking techniques to hide from the anti-virus. This protects you from simple malware, but doesn't protect you from more directed attacks and more sophisticated attacks. The malware can still steal your information and corrupt your system in between the time that you were infected and the anti-virus cleaned it out.

To summarize, if the use case consists mostly of #1, then having an unpatched system really makes no difference, and anti-virus is what you need, now and in the future. If the use case is #3, then anti-virus is a very effective substitute for patches. If the use case is #2, then anti-virus is not a substitute at all. For the others, anti-virus is not a substitute, but there are workarounds. For #6, it's a big gray area.

Alex Cannon
  • 402
  • 2
  • 7
1

Sadly you will probably not have much of a choice because Windows 7 will not even support the newest generations of CPUs. Or any kind of reasonably new hardware, for that matter. In 2020 you won't get drivers for anything.
It already doesn't support recent CPUs now (though you can "fix" the problem with a hack, since the does-not-support thing is just deliberate sabotage, not for a technical reason). In 2020 you will be yet another two or so CPU generations in the future, and another two or three GPU generations, and I don't know... whatever comes after U.2, and whatever comes after SATA and USB3.

You will simply not be able to use the hardware -- much like even installing Windows 7 on a typical 2015 computer was already a nuisance because it lacked the drivers necessary to run the installation (unless you slipstreamed them onto the install medium first).

Going without security updates can work, but it's obviously much more bookkeeping, much more paying attention, and still being at higher risk. I would rather go without antivirus than without updates, to be honest. Antivirus is kinda useless and sometimes worse than the malware that it doesn't detect anyway despite constantly consuming 20% of your computer's resources. Security updates, on the other hand, prevent threats from entering your system in the first place. Which is kinda... better.
You're running two AVs on one computer. That's at least one too many (two too many if you ask me).

Your problem with Windows 10 forced updates can probably (I haven't checked since I'm sticking with Windows 7 myself for as long as possible) be fixed. If nothing else, you can simply block the update servers on your gateway (but I'd try going with NtLite first, remove everything related to telemetry and update from the install medium, works like a charm for all the useless crap shipped with Windows 7, probably works just fine with Windows 10, too). Then just bulk-install updates manually.

Although of course security updates are not Windows 10's most urgent problem. Its most urgent issue is that it burns an awful lot of resources doing things that you never asked for and that you do not even want to happen, but on the other hand it is very bad at doing things that you want (such as, providing an easy and pleasing user interface, or playing a BluRay movie, or just not constantly getting in your way by being "extra smart").

The issue is not limited to computers, it applies to most goods. Everything has to be "smart" and "intelligent" and "connected" nowadays. Nobody needs that shit, and it doesn't work properly either. Plus, it is so creepy to call a machine that spies on you 24/7 with a human-sounding name and pretend it's a living person. What sick person came up with that idea? Cars are worse than they were 5 years ago, too. And with autonomous driving gaining acceptance, they'll still get much worse. Drone taxis on their way, also autonomous, of course. But of course, 99% of all people are just going to buy it, so...

Realistically, you gotta face it. You only have three options:

  1. Go with it, accept that things are the way they are. People will buy crap, and will continue doing so, so the market will inevitably go that way. You don't really have a choice.
  2. Accept that you're too old. Retire. Move to [insert desolate place]. Grow sheep.
  3. Buy rope, hang yourself.
Damon
  • 5,001
  • 1
  • 19
  • 26
  • Or you can just install GNU/Linux and run Windows in a VM. The real issue here is that there will likely be several popular software programs or services, such as something like Facebook or gmail, that will either require Windows 10 or hardware that's less than 6 years old, and people will think that they can't live without it. – Alex Cannon Mar 14 '19 at 14:26
  • Maybe a hardware maker in the future will include a BIOS option to reduce the reported CPU version to allow Windows updates to install! They've done it in the past to fix software bugs that made an installer fail when it detected newer hardware than it was designed for. – Alex Cannon May 03 '20 at 06:13
  • @AlexCannon: It's not a software bug, though. It is a deliberate sabotage (for which, ironically, a "fix" was invented a week later, which simply replaces the IAT entry of the checking routine with a function that always returns `true`). Just like telemetry which sends every keystroke to a third party company in some undefined remote country, and allegedly even MS cannot tell for sure who gets what, is _deliberate_ espionage and, where applicable, deliberate breach of privacy laws. Of course, laws are a mere joke (law applies only to those stupid enough to follo), so... that'll just continue. – Damon May 03 '20 at 10:42
0

Can third-party Anti-virus successfully substitute Windows 7 security updates after they are discontinued?

No

Anti-virus software is still just software, and like other software it's designed to run within a certain operating system environment. That is, the software runs as a set of services, shell extensions, and UI programs, all of which are simply normal guest processes within your Windows OS, and depend on APIs and services provided by the OS.

If the OS environment needed by the anti-virus software is itself flawed, then malware will be able to exploit those flaws to get around any anti-virus software. And, of course, like any large software system, Windows 7 will have flaws, as evidenced on the 2nd Tuesday of every month when we're still, even after 10 years, subjected to a new set of patches to fix yet another set of newly-discovered issues.

Joel Coehoorn
  • 2,116
  • 1
  • 13
  • 14
0

Upgrade to Linux. Run Windows 7 in a QEMU VM (allows more direct hardware access to the video card than VirtualBox). Clone the box for each program you want to run. Only run one VM at a time.

Thus, each program is completely sandboxed, and more secure than Windows 10 will ever be, even with security updates: the only vulnerabilities will be those in the specific programs which should be getting updates. And your hardware is protected by Linux, which is getting updates.

That said, Windows 10 IS a security hole. Despite all the bad advice on here telling you to do so, side-grading to Windows 10 doesn't make you more secure; it just makes you insecure to different things.

Here's the experiment I ran, if you feel tech-savvy, I suggest you run it too, and not just take my word for it.

I ran a comparative analysis between Win 7 and Win 10 across a DDWRT router that I had sniffing packets on my network (white hat of course). With 100% of Win 10's options adjusted to favor privacy, and Win 7 running stock install, Win 10 had literally nearly twenty times as much data being dumped to the internet while just sitting there than the Win 7 box did by active browsing. All that Win10 data was just waiting to be sniffed, catalogued, advertised on, etc., the vast majority of it going to IPs designated in blocks registered to Microsoft or the US Military (that second one surprised me a bit). Further, blacklisting those IPs on the router... the Windows 7 machine ran fine, but the Windows 10 machine then refused to connect to the internet at all afterwards.

Whatever security you may think you're getting switching to Win10, you'll lose equal measure in different types switching to Win10.

However, between un-updating Win7 and updating Win10, I guess in the end it all boils down to which government you want having your data more... the Chinese government or the US government+Microsoft.

lilHar
  • 101
  • 3
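One way to tally the comparison described in the answer above, as an added example that is not part of the original post: it sums the bytes each monitored host sends off the LAN, grouped by destination block. The host addresses, the LAN range and the capture lines are constructed, and the input is assumed to be text from `tcpdump -nn -q` run on the router.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in `tcpdump -nn -q` text form (not real traffic).
# 192.168.1.10 and 192.168.1.20 stand in for the two machines under test.
SAMPLE = """\
12:00:01.000001 IP 192.168.1.10.49152 > 198.51.100.7.443: tcp 1200
12:00:01.500000 IP 192.168.1.10.49152 > 198.51.100.9.443: tcp 800
12:00:02.000000 IP 198.51.100.7.443 > 192.168.1.10.49152: tcp 300
12:00:03.000000 IP 192.168.1.20.50000 > 203.0.113.5.443: tcp 100
12:00:04.000000 IP 192.168.1.10.53000 > 203.0.113.5.53: UDP, length 60
12:00:05.000000 IP 192.168.1.20.50001 > 192.168.1.1.53: UDP, length 40
12:00:06.000000 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 28
"""

# src.port > dst.port: then either "tcp N" or "UDP, length N"
LINE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.\d+: "
    r"(?:tcp|UDP, length) (\d+)"
)

def outbound_bytes(capture, hosts, lan="192.168.1.0/24", prefix=24):
    """Sum payload bytes each monitored host sends to non-LAN blocks."""
    lan_net = ipaddress.ip_network(lan)
    totals = {h: defaultdict(int) for h in hosts}
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # ARP, ICMP, IPv6 and similar lines are not counted
        src, dst, size = m.group(1), m.group(2), int(m.group(3))
        if src not in totals or ipaddress.ip_address(dst) in lan_net:
            continue  # inbound replies and LAN-only traffic are ignored
        block = ipaddress.ip_network(f"{dst}/{prefix}", strict=False)
        totals[src][str(block)] += size
    return {h: dict(t) for h, t in totals.items()}

def ratio(totals, a, b):
    """How many times more data host a sent off-LAN than host b."""
    return sum(totals[a].values()) / sum(totals[b].values())

if __name__ == "__main__":
    t = outbound_bytes(SAMPLE, ["192.168.1.10", "192.168.1.20"])
    print(t, ratio(t, "192.168.1.10", "192.168.1.20"))
```

Looking up who each destination block is registered to (for example with `whois`) is a separate step, and the comparison is only fair when both machines are captured over the same time window.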
-7

In short - YES, you will be fine.

You asked a simple question, and yet people are going into quantum physics with explanations.

Instead of anti-virus, choose some internet security suite, it comes with a complete package.

Also, remember - lack of common sense in today's virtual world is a killer, even with the best OS and protection you might have. If you are going to visit malicious, suspicious and dangerous sites, nothing will protect you. Unless you are a broker, trading with crypto-currencies, having your own online business, or doing anything that involves money transfers often, then ofc use latest OS combined with good antivirus/Anti-Malware/firewall combo. Cyber criminals choose their targets carefully, common people are at the bottom of their list.

Don't misunderstand this with the online frauds, being naive and getting scammed is really up to you, and got nothing to do with OS security. Even with office support only up to 2016 version, and vendors pulling out with win 7 support soon, you should be fine for the next 4-5 yrs easy. Also, have in mind - win 7 will still continue with paid support in the following years, many companies will pay for this extended support simply due to the efficiency of win 7 in a business environment. It is vastly superior to win 10 since the majority of employees are not hard-core IT specialists and they are more productive by simplicity and ease of use of win 7, also many companies tend to run their network setups for over a decade minimum, and most of them are not willing and able to spend a small fortune once in 5 yrs to upgrade to a new hardware, software, etc...

Imagine having a good, reliable, with zero issues, 7-8 yrs old copy machine worth 5000 USD, and suddenly no drivers for win 10!? Yes, win 10 will use a generic driver and make it work, but only with basic functions. Forget about advanced options, ain't gonna happen because you can't use software designed for win 7. And "run this program in win 7 compatibility mode" is a joke.

People will say this is a copy machine vendor fault by not writing appropriate drivers, but it's not. But that's a topic for another thread, not this one.

99 % of us use the same logic - what tends to run good, don't touch it. I don't mind moving forward with technology, as long as it suits my needs, not the other way around.

With some common sense, and good 3rd party security software, just go ahead and be happy using what you like, not what others (especially Microsoft) think you should.

alecxe
  • 1,515
  • 5
  • 19
  • 34