It still is an ugly kludge
And Sophos has a point....
A row has broken out between Sophos and Microsoft over the alleged patching and management difficulties posed by Windows 7's XP Mode. The technology allows XP applications to run in a virtualised environment within Windows 7. This offers backward compatibility with applications but comes at the expense of security, according …
... then having to fork out for another license for each bit of software you want to also use in XP Mode? So if you used Sophos AV, for example, you'd need another license to re-use it inside of the XP VM (or use another seat on your enterprise license programme).
What a great idea. I wonder why they did it that way... Sophos might quit whining about it once they realise the revenue implications...
Seriously guys. Why replicate the entire OS in a VM format when you could do it properly and add re-implementations of XP core functions to support these legacy apps. Just my $0.02.
Its not a temporary mechanism. The reason for the vast numbers of pre-orders for Windows 7 Ultimate- is purely to get hold of XP mode (assuming that the purchasers have also checked out their processors support VTx- and that its not hobbled in the BIOS like some manufacturers seem to routinely do).
I've placed a number of Pre-orders for W7U, and will be using XP mode from day one. I've no plans to purchase new apps down the road- as long as my current library of apps work- I've paid good money for licences, I've no intention of going out and replacing the whole lot (yet again). I'm far from unique.
At the moment I dual boot most machines with XP and Vista (and even triple boot a few with Ubuntu)- W7U is a far tidier solution- and is not a temporary solution in my eyes.
You shouldn't need an MCP/MCSE to run your home computer.
So let's get this straight... XP mode is a full VM and you need to patch it as a separate machine, give it anti-vx as a separate machine, firewall it as a separate machine, in fact do everything as a separate machine? Quite apart from the double performance hit of doing everything twice, how many end-users are going to realise they need to do this?
Anyone know how the split occurs between patching the XP-mode virtual, and the host ? Does WSUS - for example - detect two installations ? Do I need to create two PC accounts on the domain, adding another when I enable XP-mode ? This sounds like a real kludge of horrific proportions, but hopefully it won't be needed much in (our company's) real life...
ok, i understand that the XP instance is seperate from the Windows 7 instance and how each has its own security settings but isn't it a little short sighted to expect users to manage each seperatly?
I'm with Sophos on this one. Sounds abundantly stupid of Microsoft to have taken this approach.
To copy the comment I just pasted on the MS site:
Basically, if we upgrade from XP to Vista, we can't do a straight upgrade, we also need to buy MED-V, which comes as part of MDOP, and learn how to use that to configure two sets of windows, with two sets of security updates, and two sets of anti-virus.
I'm sorry, but even with MDOP I can see where Sophos are coming from - that sounds like an admin nightmare, and a huge amount of work. Also, while I've only had a quick browse, I can't find any details on how to buy MDOP yet, and I have a sneaking suspicion it isn't going to be free.
The bigger problem is that Microsoft have marketed the XP mode as being a great solution. What's been gloseed over is the fact that this hidden virtual PC is going to be full of vulnerabilities unless secured. Most users are just going to run programs, they are going to have no idea that they have a virtual machine running in the background.
Those hidden, unpatched virtual machines are going to be seen as low hanging fruit by the malware guys. Unless Vista defaults to automatically patching them, with the Vista security center warning if the Virtual machine has no AV or needs security patches, then yes, this is going to be a concern.
Something is very wrong with Win7,
No real advantage over XP, yet can't run all the SW XP can.
So why bother installing Win7 at all if you need SW that works on XP and not WiN7. The only extra is the DX10 game API
The "extra" security is largely mythical. The problem is social engineering where the users install the Malware deliberately.
Fail to O'Neill..
1) he says he disagrees with Sophos complaining about having to patch XP seperately and install seperate virus software, then says "You can treat the VM as something to be patched via Windows update or WSUS just like a physical PC. You install anti-virus software on it like a physical PC." Well, O'Neill that's EXACTLY what Sophos said! You just say it's not a big deal, and they say it is. And Sophos is right -- you're doubling the workload, and negating the security fixes of 7 if people can just target the XP VM instead.
2) Second fail, XP mode is for small businesses? Small businesses don't tend to have the weird custom apps (that are tied to IE6 or even 5.5, XP, etc. etc.,), larger businesses do.
Need another AV in the XP VM. AVG Free or AVAST and go. What's the problem? Oh, people don't know what a VM is all about. Umm... try educating them. If they won't be educated, don't let them use the feature. Last time I checked, it was hard enough to set up a VM in the first place that if you didn't know jack about it, you wouldn't get it to work and if you know enough to get it to work, you should understand that you'll need separate AV for it as well.
XP Mode is exactly what they say it is: a pre-configured Microsoft Virtual PC instance installed with Microsoft Windows XP.
That means an instance of Windows XP boots up with its own BIOS and its own virtualized hardware.
I imagine the default networking mode is to set it up with NAT using a private network between Windows 7 and Windows XP.
From a Windows 7 anti-virus and firewall perspective, all traffic and activity running in Windows XP mode would be coming from a single process: the VM.
You have to treat Windows XP Mode as an OS. It needs its own anti-virus software installed, and its own firewall configured. It will have to be patched separately, as well. Just like any other VM.
It is a dangerous tool Microsoft is handing out. Something that will be a certain target for gleeful malware writers. It is also incredibly useful for end-users to have a method to run applications that otherwise wouldn't work at all.
I hope Microsoft makes changes to Microsoft Update that enhance the ability to keep Windows XP Mode's VM up-to-date.
i don't care if he is right. the amount of trouble that pos application has given in either home or corporate environments makes me wonder if it wouldn't be best it leave the whole damn firewall open and have the machines auto rebuild with a clean image every night.
XP mode blah. bothered. if it doesn't work natively on 7, i'm sure i can live without it. corp isn't going win7 anytime soon. XP and vista all the way.
i can sure live without Sophu*ked, crapafee, and crapersky killing off machines more often than a virus attack.
grrrrr, Sophos, amazed you're still in business.
When talking about "users", we are actually talking about people that use Windows 7 Professional or Ultimate. E.g. Business customers.
If that's the case then you've got a small IT shop with no IT bod and your networks already full of spyware and misconfiguration from a security point of view (generally speaking), or you have an IT Department who will control XP Mode via Group Policies.
XP Mode is a virtual machine running Windows XP SP3. It will be seen by most management software as an additional computer on the network. I don't know if it joins the domain via the host settings, or if it runs in more isolation.
XP Mode isn't offered on Home Premium Edition of Windows 7 at all. Windows 7 Pro will not just use it out of the box by default - it needs to be downloaded and enabled first.
As it's a VM, the worst case scenario of that machine from getting an infection would be trashing it and creating a new one. Which actually results in simply needing to reinstall the XP only apps - of which there are very, very few.
Additionally, who the hell is going to be using XP Mode to run IE for external browsing on a casual basis...?!?!!!
The risk is minimal. The integration between host and guest is the same as using VMWare Workstation or VirtualBox. Difference is the visual integration / end-user experience is smoother. The security is the same.
Surely XP Mode is a "temporary solution" seeing as MS are bringing XP towards end of life. Unless MS will be extending the life of XP specifically when used as XP Mode until Windows 7 itself reaches end of life.
My understanding was that XP Mode is to allow users to upgrade to Windows 7 and not have to worry about those few apps which won't play ball; they can run under XP Mode while suppliers of those apps get their act together and make them native Windows 7 compatible.
I'm split in support of Microsoft and Sophos; both have valid points. XP Mode is just "Microsoft Virtual PC" albeit seemingly better integrated and more capable.
"Will the XP-mode VM also require its own IP address or will it NAT off the W7 host?"
Out of the box, the XP mode VM uses NAT through the host, but it can be plumbed into a NIC if needed.
Are people really surprised that XP Mode is a full VM?
The Windows Virtual PC beta has been available for ages, and is a pre-requisite for the XP Mode VM image...
I think as the XP SP3 license is free, application vendors should consider offering implicit licenses for their products inside VMs too, for WVPC environments.
I can't see any administrative nightmares, as WVPC is not intended for large enterprises anyway, MED-V is... this is a stop-gap measure to help those with deployment-blocking LOB apps that need a rewrite being able to upgrade to a more recent version of Windows.
Really serious rollouts of WVPC would most likely build off their own XP SP3 images anyway - have users not logged on as admins, get domain-joined for maintenance, etc. rather than use the clean XP Mode image.
Work has installed windows 7 RTM on my laptop and I've gone off and downloaded the XP mode VM tools.
It's basically Virtual PC and seems to run with the same kind of latency.
It therefore supports NAT, bridged and host only network modes.
I've not had much chance to play with it yet, but I've got to say I haven't got a clue how this is any different from me running XP in VMWare (apart from the extra latency). Nothing has integrated into the windows 7 start menu that I can see. I've yet to install any apps on the VM so maybe that's the reason, but from the 'how wonderful XP mode is' stories I'd seen around the web I was expecting things such as networking settings and control panels from XP to be available easily from windows 7. As far as I can tell the only way to get to these things is to run the full VM desktop of XP and use it as normal.
I was aware that this is for 'normal' as opposed to power users, but this is shaping up to be another case of fairly good idea, really bad implementation. Power users are expected to be able to learn how to run a VM and so therefore should have no need for integrated XP mode.
So basically, yes you're running a second machine for all intents and purposes, it default configures to NAT which will prevent a fair number of vulnerabilities from being exposed to the outside world, but offers you no protection if you are running XP mode software that then talks outside of your 'machine network'.
Personally I was really hoping that it was integrated and fairly seamless and therefore made the use of an XP VM much more like using wine-doors and WINE under *nix with no virtual desktop defined (so apps run under the native window manager, install native shortcuts in the desktop menu launch tool). So far it's the exact opposite of that and I've spent all my time in a virtual XP desktop updating it and configuring it to be suitable for my use. If it hasn't shown promise in the next couple fo weeks then it's going to be un-installed and I'll return to using my VMware XP instance.
Sophos have a point, but they don't take criticism about security and their own products well so I shall treat them the same and ignore them. I've been forced to use sophosAV at work for a few years now, work even offered me a licence for home use which I refused on two counts I don't run Windows and even if I did I still wouldn't run Sophos due to having caught viruses twice at work, both of which were fairly well known; though new, and one according to Sophos' own information library that they should have caught. They have improved the software from the user point of view, but it still sucks.
So Sophos; well they can just shut the fuck up until they stop giving me false positives on open source software that they can easily check out and not send me emails telling me I don't have a clue what a false positive is when I report false positives to them (6 to 9 months down the line they did something about the item I reported, by which time Ive got another 4 false positives that I have to either choose to not use or disable AV whilst I use).
Sophos can't manage to get its client software to work on Windows servers once IE8 is installed due to problems with reliance on URL files to do its updating. No amount of pleading with their tech people can get that through to them, that they are completely useless in protecting servers.
Now Sophos is complaining that a VM needs another licensed copy of its software? Does this mean they can't figure out how to scan another set of files on the same computer? Even if some configuration of a remote scan is needed, it seems that Sophos is completely lacking in problem-solving expertise if they can't offer something to help.
I'm sorry but I was under the impression that the XP-mode of Windows 7 was essentially a sandbox environment.
That is to say there's a base-line read-only XP system and when your various XP apps run they create little forked diff files where they happily store the various bits of flotsam/jetsam that apps STILL seem to need to crap all over our disks in this day and age. So at worst wouldn't malware only be able to ruin that one specific app and maybe drop some files into my Windows 7 profile folder (where presumably my resident Windows 7 AV will detect and delete it)? Presumably the virtual XP's network connection would be NAT'd as well to slow/stop network attacks.
If this *isn't* how XP Mode works, it bloody well should be!
Ha! You expect users to manage ONE set of security settings? Here's how:
1) Find how to turn it (some annoying thing to them) off
2) Turn it off
User have been/are doing this in XP... easy as pie.
When everyone finally realizes that users can't mange security settings then this will all be moot.
Until then, I'll still be turning a profit because when they turn off security feature X that allows virus Y to take root... $$$$$ for me. Now doubly so.
How to make users stop? Remove all GUI security settings.... Hack the reg, edit a file.... then THEN you can complain about 2 security settings being difficult on SYS ADMINS.
If you have to maintain the virtual copy of XP just like a stand-alone machine in order to run your older programs, with all the bother and expense that entails, why upgrade at all? I mean, the main reason to use Win7 is the added security. If none of that penetrates through to the XP Virtual Machine, then might it not be a better idea to stay with XP until there's a better reason to change? In fact, I still have a machine running Windows 2000, not because it's incapable of running XP, but I can't think of any reason to upgrade (it doesn't use the internet, for example). Just because something is new, doesn't mean you need to use it.
Ah, sorry. I need a better reason than that if I'm going to disrupt my life.
Perhaps the concern is as much that updates and patches for the (soon in the UK, already elsewhere) free Microsoft anti-virus apps are handled automatically by the respective MS Updates in both host OS and XP VPC.
Really I think this has more to do with the up-coming choice UK consumers and small businesses are about to make between a no cost, invisible AV product from MS and an equivalent (if VB100 etc are to be believed) from Sophos requiring both time and money.
Think we'll hearing a lot from Sophos and their ilk over the next few months with ever more desperate FUD to justifty the existence of their products.
I'd be freshening my CV for 2010, were I in the Windows AV business.
Turning XP source code over into the public domain would probably be a humanitarian act on the scale of eliminating malaria. Bill & Melinda, are you listening?
Seriously though, cutting XP loose ( with a lot of IP soul searching) would create an escape route for MS to make modern, business friendly/premium products while simultaneously entrenching Windows XP as the free operating system of choice. This situation would be great for developers too. Think about it Bill...
Is it just me or are Microsoft creating a lot of confusion with the "XP Mode" marketing. Most XP apps ran on Vista, hence will run on 7. Presumably XP mode is for those apps which never ran on Vista (such as 16-bit apps). Many business have those, but most don't, and the emphasis on XP Mode for "XP applications" seems to dull the message that lots of apps are fully compatible with 7.
This whole thing is a fuss over nothing. XP mode is present only to support applications that do not work correctly in the new architecture in Vista and Windows 7. It is not unheard of for there to be compatibility issues between versions of products, especially operating systems. This is inevitable as new features are introduced and the envelope is pushed forwards. Microsoft care more than most about maintaining backwards compatibility and this normally causes more problems for them in terms of security etc... (e.g not enabling DEP by default as applications were not written to be DEP aware.
XP mode is a great temporary solution to any compatibility options as it means Microsoft do not have to clutter up the new OS with all sorts of shims to support legacy functionality. I say it is a temporary solution as ultimately XP mode is only required until application vendors provide updates or patches to make their systems compatible.
For larger enterprises MEDV provides corperate environments with an easy way to provide a pre-configured virtual machine (complete with patches and AV if required) that can be rolled out to client computers as required.
This whole thing from sophos's point of view seems to be a bit sensationalist. Recently Sophos's marketing seems to have become progressively more cheaky (see the recent video of a google search for "remove" that shows "remove norton" etc.. in the results). I hope Sophos in very hight esteem and would chose them over any other AV vendor given the choice but this is starting to sour my impressions of them.
Anyway i think that is enough words for now...
Why, oh, why, do people still listen to the dribble spewing out of Microsoft?
What Microsoft has done with Windows 7--having XP running in VM--is brilliant, for Microsoft. Doing so allow Microsoft to break-away completely as it pertains to further supporting XP, and at the same time forces the gullible noobs adopting Windows 7 to purchase--or 're-purchase'--apps to run natively in their 'new', under-performing, incompatible, hacked together OS.
It's the same old plan, again--'new' OS (incompatible with most all of the current software), forced replacement of apps still performing smoothly in the 'old' OS. (Nevermind that actual, measurable benefits of the 'new' OS are virtually non-existent.)
Microsoft has correctly concluded that it can only survive by forcing yet another OS--and replacement of perfectly working apps--on us. This is a lasting tactic that preys on the non-techie. It is doing what it must to survive--sans actual benefit to the public. It CAN NOT compete with the likes of OS X, or the numerous offering of *free* open-source linux distros, or the numerable BSD variations.
As an example, a very large percentage of corporate and edu Europe, China, and Japan have opted to use linux and/or BSD.
You'd be wise NOT to adopt Windows 7, in any flavor. Make XP your last Microsoft OS--you'll be glad you did.
Does it launch the app in a VM with a really basic XP system hidden away behind it, or boot into XP with the full explorer desktop and all that jazz?
Why couldn't they use the same idea as "Compatibility Mode" in Windows XP? Just set an option and it loads using an odd set of dlls (or something... I never paid much attention tbh...)
I hear all this stuff about sandboxing. Why didn't they run virtual XP in a sandbox and if the internet was needed for an app just make it so the app would use the newer Windows 7 "already secured" internet setup. If this is not possible then like usual windows sent out another OS prematurely and forgot to use common sense because the average XP user will be hard pressed just to use or figure out what the virtual xp is as well as understand the idea of patching. Hell most users don't even full understand what windows update is.
The blame here lies with ISVs who seem to be too busy counting their (grossly inflated) license fees to get off their fat arses and retool their apps properly for a new OS architecture. And by "new", in many cases it's the fricking *NT* architecture they still aren't willing to deal with - these people are partying like it's 1993 and the whole Program Files / User Data separation concept doesn't exist.
I'm not much of an MS fan, but for my money the best thing they've done in the last decade is to put evolving into a (relatively) sane, security-minded architecture ahead of the interests of last century's ISVs who can't be arsed to do their share of the dev work and prefer to rest on their laurels. If your firm *needs* XP mode for a critical app, then you have bigger problems than needing two AV licenses.
Having said all that, realistically, XP mode shouldn't really need its own security provisions if it's only there for that one dusty legacy app. It's firewalled from the outside by default, and the app in question will only be talking to predefined and trusted servers on the WAN if it does so at all. I can't conceive of any business app that's free to meander around the Web freely (and thus bring down the pain) - but please do point out any you know of so I can avoid them.
And how many people have complained about Microsoft compromising on security to support older applications? They can't win - if they support old apps then they're cluttering up the code base, and if they don't then they're forcing you to upgrade for no good reason (even though Windows Vista/7 is a lot more secure than Windows XP).
I'm also surprised that you mentioned OS X - Apple "forced" you to repurchase licenses for perfectly good apps as OS X is completely incompatible with Mac OS Classic (they provided a classic mode, but you seem to be completely ignoring the fact that XP Mode is intended for the minority of applications that don't work in Vista/7).
You're just spouting complete bollocks when you say that most current software doesn't work in 7. All software that works in Vista will work in 7, and a lot of software that works in XP already works in Vista. The ones that don't tend to be the ones that rely on users being administrators, or the ones that use undocumented APIs.
But then again, this wouldn't work with your image of a Linux utopia, because everyone knows that Microsoft is evil.
I haven't really looked into the compatibility issue giving birth to "XP mode", but i dropped one app of mine into W7 RC and it worked as usual. That's a 32-bit app (on 64-bit OS), using registry and writing to its own folder as well as using all 'old' GUI controls and GDI stuff as it did under XP.
Now if all that works, are the only apps that won't run those which did not even remotely fit into "NT5 programming model", such as with hardcoded writing to the root of the C: drive and similar monstrosities? *
If so, it's about ... time, the respective owners of those apps decide whether to throw in the money to bring those apps from year 1990 to 20xx or just put them onto a seperate (*offline*) machine running an old windows.
*Additionally, there is the inevitable class of those apps directly communicating with hardware / "integrated drivers". It's clear that those need to be updated for an OS version with different driver model. But for these apps i suspect "XP mode" won't cut it, most likely they need to run on an un-virtualised OS of the version they were made for, so a seperate machine to run them is probably the only sensible option if the app really won't ever be updated to a new OS version.
I'm not one who is keen to update the OS every so often for no tanglible benefit. w2k,xp,w2k3 (NT5 IOW) are perfectly fine for now and unless some app really needs >2GB on its own for the foreseeable future.
But if you on one side need features of new OSes you shouldn't expect that newer OS to drag on compatibility with apps that were written for a windows version of a time where consumer windows was basically a single-user, (mostly) offline, security-agnostic OS (win3x/9x/ME IOW).
While some obscure business critical in-house apps may no longer work without "XP mode" (never updated because their original author left in 1995), i can't imagine any irreplacable and un-updateable "off-the-shelf" app requiring "XP mode" in the long run.
..but isn't the entire idea of a VM is that it behaves like a completely separate machine? In other words, should it not *be* divorced from whatever the underlying OS thinks should be done?
Otherwise, what's the effing point? If I (hypothetically) run XP in a VM under Win7, I want my XP machine to behave like an XP machine... and *not* have to figure out if the bizarre observed behaviour stems from my XP installation/software or from Win7 thinking it "knows better" about what should be happening inside the VM.
I have been running Win7 RC here at work for the last couple of months, and I have only found one application that refuses to work point blank on WIn7, namely CCS PIC C compiler (but it's a really crappy IDE hacked in Delphi, and I'm hardly surprised it does not work, very little of it works properly even under XP).
I ended up running that under XP Mode to make it work. It seems there is a fully instaleld XP running and sending the window via terminal services. It does work, but it's slow and clunky. But I only consider it short term problem under software vendors get their crap in order (Although I doubt CCS will ever make their PIC C IDE work properly...)
What exactly is *wrong* with software you've used for years and know every nook and cranny of? For instance, on my Linux box, there are at least three different editors, of various power and glitziness, but I've been using vi for well over twenty years now, counting from the moment I thought "Okay... now how do I get *out* of here?" in '87 ([Esc]:wq, for the noobs out there. :q! if you don't want to save). I write whole novels in vi, and the blessed absence of toys means that I can use it over a GPRS connection at nearly the same speed as when I'm sitting at home. Anyone suggesting I switch to something newer can eff off.
Policy is strict. Windows is for games, Unix is for everything else. Until the day that Blizzard officials come to my house telling me to upgrade, upgrading to Windows 7 lands me exactly nothing. It's not like I'll get more than 60fps on a 60Hz monitor.
1) XP mode only runs on professional and ultimate editions, home users can go back to sleep.
2)The intention of XP mode is to make it easier for those companies who depend on very old apps that don't run on vista. They can upgrade to Win7 and still run them in XP mode despite support for XP ending soon.
3) nearly all the apps most of us use now will run fine in on the normal Windows 7 without XP mode.
4) You only need extra AV software if your virtual PC is roaming out on the public Internet. (something that admin in the target market could prevent) . Even if you get use it without protection and get infected it will only be the virtual PC instance that is infected not windows 7. You can choose to make some directories shared between the two but then those directories will be protected by the main AV program.
5) Using XP mode is optional. You don't have to use it or install it.
6) If Linux is your god please go worship elsewhere, we have already heard how it solves every problem in the universe.
Another commenter wrote: "These are exactly the same issues that Apple had with "Classic" mode when Mac OS X was introduced."
Yes, correct but that was an entire OS redesign. OSX has since gone through 5 major revisions and runs on at least two different chip sets. Software purchased for OSX 1.1 still works on OSX 1.5. Why can't Microsoft manage the same thing?
In the mid 80s, Commodore released the Amiga home computer with OS 1.3. Apart from software that used undocumented features of the OS (or which ignored the guidelines) it all worked on version 3.5 of their OS. There were MANY changes in the interim... (as well as the company going bust and being bought over)
MS have millions of times the cash to throw at the problem than Commodore/Amiga did, so why is the newest version of their OS not compatible with existing software?
(Does the same thing happen with Linux? When you get an updated kernel do you need to recompile all the code?)
My take on this is that MS have cocked up and subsequently realised it (and in a world first, they've admitted it). To rectify the original cockups they've added XP support and - surprise - cocked that up too!
Biting the hand that feeds IT © 1998–2021