antivirus and limited user

Discussion in 'other anti-virus software' started by maxoblivion, Oct 11, 2007.

Thread Status:
Not open for further replies.
  1. maxoblivion

    maxoblivion Registered Member

    Joined:
    Feb 21, 2007
    Posts:
    65
    Is antivirus software necessary for defense when running Windows with a limited user account?
     
  2. ASpace

    ASpace Guest

    Yes, of course :thumb:
     
  3. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,714
    Location:
    Stockholm Sweden
    I have been running as a limited user for a couple of months, and I love it, but I don't dare to be without an AV (even though it has nothing to do :) ). LUA protects against most of the threats, so I don't see a need for HIPS 'n' stuff though.
    I have read somewhere that LUA doesn't protect against (if I remember right) level 3 ring rootkits/malware, whatever that is..
     
  4. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    definitely!
     
  5. maxoblivion

    maxoblivion Registered Member

    Joined:
    Feb 21, 2007
    Posts:
    65
    Pardon my naive question, but the positive spin on LUA is that malware can't make system changes, install programs, change the registry etc. How does malware circumvent the limitations on privileges that an LUA imposes?
     
  6. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    Running under LUA for several years and I'm still using AV/AS. Why? Because LUA doesn't protect against keyloggers. I also recently added a policy sandbox and a behavioral blocker. Keyloggers and rootkits are malware types that really concern me. I'm not so worried about other types of malware.

    /C.
     
  7. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    threats will always get inside the computer, probably every type of threat.

    if you have thought about it, it's already out there. :rolleyes:
     
  8. maxoblivion

    maxoblivion Registered Member

    Joined:
    Feb 21, 2007
    Posts:
    65
    Can malware be downloaded with a LUA and then wait until an administrative account logs on to attack the OS?
     
  9. mercurie

    mercurie A Friendly Creature

    Joined:
    Nov 28, 2003
    Posts:
    2,442
    Location:
    Sky over the Wilders Forest
    Always use AV, otherwise you are using your machine with a big risk. Think of AV as insurance. Even if you surf safely on LUA.

    To answer your last question, an expert should really answer but I will tell you that I believe it can.
     
  10. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    AFAIK, LUA is like a "policy sandbox", so if malware enters LUA, then it will only have limited rights.

    Edit: I misunderstood this question, sorry about that. Yes, malware can fulfill its purpose if you downloaded it in a LUA environment and then later on enter the admin account and execute the file with the malware code.

    /C.
     
    Last edited: Oct 12, 2007
  11. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Actually I don't know where you get the idea where LUA does not protect against keyloggers. Ordinarily a keylogger is installed as a device driver to avoid detection. In a LUA (in XP) it is impossible to install a device driver.

    If it is not a device driver, it will be right there in the task manager and probably running from the user temp directory. You never clean out your temp directory? It can't install to just about anywhere else in a LUA. It can't write a registry entry to start on boot in a LUA. (I am not sure it could not drop a shortcut in the start folder, but that is so easy to detect.)

    In Vista UAC will give you a big red prompt, and you can say no or screw up, as you please. I suppose it's possible to write a user mode keylogger, and I would love to know if there are actually any out there.
     
  12. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,214
    I've been running without an AV for a month now (obviously I have other means, hopefully, to protect my computer) in virtual mode. About the insurance analogy, it is fine up to the point when disaster strikes... If you get infected they won't compensate, and you will get a polite 'there is no 100% security'.

    I've tried LUA with Windows Home edition, and it was a disaster: a lot of my applications won't load and some need to be reactivated. It will make a hard environment for malware to run, but also takes the fun out of computing.
     
  13. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    @Diver: There are several keylogger types, monitor tools etc. that work perfectly under LUA in the timeframe between reboots.

    /C.
     
  14. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    I have no doubt you are correct, but please clarify what you mean by the "time frame between reboots." Also, I expect that these are extremely easy to detect, probably showing up as applications in task manager, or at least as processes, and likely being launched from the startup folder. Will these install in a LUA, or just run in one? It's a big difference, as anything installed as a driver will run in a LUA. A link to an article on this would be appreciated.
     
  15. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    The issue here, between our posts anyway (sorry for this temp. hijacking), is whether or not a keylogger/monitor tool can fulfill its purpose under LUA, and the answer is clearly a yes. Besides, even if they also have a behavioral pattern in how they function, that isn't the same as them being easily detected, since they can exist fully in memory. I mean: why use hooks when you can intercept/monitor keystrokes as they are typed?

    /C.
     
  16. ASpace

    ASpace Guest

    @maxoblivion

    Running with a Limited User Account is much, much safer than with an Administrator account, but it doesn't mean you are protected against all kinds of threats.
     
  17. maxoblivion

    maxoblivion Registered Member

    Joined:
    Feb 21, 2007
    Posts:
    65
    I'm trying out the program "StripMyRights" which limits an application's privileges. Anyone know how I can confirm that my browser, Firefox, is actually running limited?
     
  18. maxoblivion

    maxoblivion Registered Member

    Joined:
    Feb 21, 2007
    Posts:
    65
    I found software called "Process Explorer" that shows application rights status among other things.
     
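One way to make that Process Explorer check scriptable, as an added example that is not code from the thread, from StripMyRights or from Process Explorer: it opens a process's access token and reports whether the Administrators SID is effective, merely present as deny-only (a restricted token of the kind StripMyRights produces), or absent (a true LUA logon). The process name "firefox" and the use of Process.Handle on your own processes are assumptions.

```powershell
# Added example: report whether a running process's token still carries
# effective Administrators membership. Assumes you run it as the same user
# that owns the process, so Process.Handle can be opened.
Add-Type -Namespace TokenCheck -Name Native -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool OpenProcessToken(IntPtr hProcess, uint desiredAccess, out IntPtr hToken);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@

function Get-ProcessTokenReport {
    param([Parameter(Mandatory)][System.Diagnostics.Process]$Process)
    $TOKEN_QUERY = 0x0008
    $hToken = [IntPtr]::Zero
    if (-not [TokenCheck.Native]::OpenProcessToken($Process.Handle, $TOKEN_QUERY, [ref]$hToken)) {
        throw ("OpenProcessToken failed for PID {0}: Win32 error {1}" -f $Process.Id,
               [Runtime.InteropServices.Marshal]::GetLastWin32Error())
    }
    try {
        # WindowsIdentity duplicates the token, so our handle can be closed afterwards.
        $identity  = New-Object System.Security.Principal.WindowsIdentity($hToken)
        $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
        $adminSid  = New-Object System.Security.Principal.SecurityIdentifier(
            [System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null)
        # Groups lists every SID in the token, including those flagged deny-only.
        $adminSidPresent = [bool]($identity.Groups | Where-Object { $_.Value -eq $adminSid.Value })
        # IsInRole uses CheckTokenMembership, which ignores deny-only SIDs, so a
        # stripped token answers $false here even though the SID is still listed.
        $adminEffective  = $principal.IsInRole($adminSid)
        $verdict = if ($adminEffective)      { 'RUNS WITH ADMIN RIGHTS' }
                   elseif ($adminSidPresent) { 'limited (Administrators deny-only / restricted token)' }
                   else                      { 'limited (no Administrators SID in token)' }
        [pscustomobject]@{
            Pid             = $Process.Id
            Name            = $Process.ProcessName
            User            = $identity.Name
            AdminSidInToken = $adminSidPresent
            AdminEffective  = $adminEffective
            Verdict         = $verdict
        }
    } finally {
        [void][TokenCheck.Native]::CloseHandle($hToken)
    }
}

# Check every running Firefox process (assumed process name).
Get-Process -Name firefox -ErrorAction Stop | ForEach-Object { Get-ProcessTokenReport $_ } | Format-List
```

Process Explorer's Security tab shows the same information graphically (an Administrators entry marked "Deny" is the restricted-token case); on Vista and later also compare the integrity level it displays, which this script does not read.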
  19. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    To say a keylogger will operate in a LUA is not saying anything. The whole point of the LUA is to prevent the keylogger from installing. Most keyloggers once installed in an administrative account will run in a LUA, but so will your display drivers. Show me one that will install under a LUA, and where detection is not trivial (ie. it shows up in the task manager) and that gets a prize, a congratulatory PM from me.
     
  20. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    @Diver: Look, if you feel like you are 100% secure in a LUA environment, then that's fine for me. No need to be sarcastic regarding offering me some sort of a "prize"...

    @maxoblivion: If it doesn't create any problems for you (games etc.), I would advise you to run in a full LUA environment instead of using tools in an admin account that lower the rights of different software.

    /C.
     
    Last edited: Oct 12, 2007
  21. berng

    berng Registered Member

    Joined:
    Sep 11, 2005
    Posts:
    246
    Location:
    NJ, USA
    If you can download and save it, then if you ever log on as an admin user you may inadvertently execute the malware.
     
  22. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    I agree with the above. I misunderstood your question maxoblivion, sorry about that. I will correct my earlier post.

    /C.
     
  23. maxoblivion

    maxoblivion Registered Member

    Joined:
    Feb 21, 2007
    Posts:
    65
    Can anyone recommend some software that would report any attempts to change the registry or add processes or services? Would something like Defensewall do that? Are there any simple freeware tools that fit the bill?
     
  24. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    http://www.threatfire.com/
     
  25. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Nothing is 100%, but running in a LUA is right up there with having a firewall and an updated AV. The reasons more people don't use it are that Microsoft did not make it easy, there is a lot of old code left over from the Win9x days that either does not run or requires a lot of messing around to run, and few people understand how much it improves security.

    Vista's UAC and automatic handling of programs that write to protected areas is a major improvement in this area, but they should have allowed the UAC approval to last for a few minutes for similar operations so the user would not have to go through the prompts for each file to be deleted in the same directory if they are not selected all at once.
     