Damage malware can do without admin rights

Discussion in 'other anti-malware software' started by girioni, Mar 12, 2016.

  1. girioni

    girioni Registered Member

    Joined:
    Mar 31, 2015
    Posts:
    11
  2. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    333
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands
    Thanks for sharing, will post it in the UAC thread.
     
  4. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    855
    If Google Chrome can install itself as a limited user, then any spyware/malware can do the same and send out information over the network. Most of the harm that can occur on a system can happen in the user space: information/privacy breaches, and ransomware.

    There was a discussion on this topic last year (https://www.wilderssecurity.com/threads/how-to-harden-windows.379098/), and a poll (https://www.wilderssecurity.com/threads/limited-user-accounts.364182/) where a majority prefer not to use a limited account.
     
  5. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,071
    Location:
    Germany
    That's why I love system-wide SmartScreen-Filter on Windows 8.1 and 10. Most stuff with low reputation score won't be able to execute, so it mitigates a lot of user-mode threats as well.
     
  6. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
    This is sorely lacking in detail and examples.

    Yes, malware can run in a LUA and in a default Windows LUA, install itself in user space and achieve persistence. A LUA can be hardened easily to the point where that won't happen but it becomes even less convenient to use. Google Chrome won't be able to run or install itself in user space and neither will malware. Any installations will require a full admin logon and all software in the system will have to install itself in the Program Files folder and the configuration files will have to go in the individual user's AppData folder. Any software that doesn't conform to this won't work. There is always a trade off between security and convenience and the more you secure a system, the less easy and convenient it is to use.
     
  7. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    2,887
    Location:
    Australia
    Very true!
     
  8. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    855
    I prefer to inconvenience malware instead of myself ;)
     
  9. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
    After running Windows in a locked down LUA for many years, I don't find it any more inconvenient than using 3rd party security software. Once it is set up right it is lean and fast. Most Windows apps work fine in a LUA including all the major browsers, all Microsoft and Adobe products and Virtualbox. It is learning to run Windows in LUA, setting it up and becoming accustomed to it that is inconvenient not the day to day use of one.
     
  10. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    2,204
    Location:
    in a remote land :)
    Most people using Admin Account are either lazy or ignorant; there is no benefits but risks compared to SUA. The article is worthless to read; no details, no procedures, nothing really informative.

    Not saying that you have UAC, Smartscreen, Windows Defender, Applocker (for Pro/Ent users) , etc...

    It seems that the blogger took SUA as a anti-malware feature, it is not. SUA is supposed to reduce rights and access of the users, not stop malwares...
     
  11. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    334
    Correct, I am lazy! But I'm not so lazy as to run random or internet facing programs as an admin. That's what runas and LUA/SUA accounts are for :p
     
  12. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    2,204
    Location:
    in a remote land :)
    so your are a smart lazy dude :p
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands
    Well, I think it's useful to remind people that just because apps run with limited rights, they can still do damage. And LUA/SUA was invented to make it harder for exploits to do any damage. It won't do anything to protect users against malware that is run manually.

    As we have already discussed extensively, if you use top quality security tools, there is no need having to deal with all the annoyances involved with running in SUA. This hasn't got anything to do with being lazy or ignorant. It's all about convenience.
     
  14. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    2,204
    Location:
    in a remote land :)
    indeed, however SUA + UAC at max , restrict quite some stuff, even some manually malwares; of course not the complex malwares but the basic one. After all, a user isn't supposed to launch malwares manually.

    As security geeks, we know how to use those tools and we have safe habits; Average Joe doesn't.

    MS made a bad move years ago to let users logged-in as admin for the default account. They should enforced SUA instead, as linux does when you install the OS.

    This "Convenience" was the motive of UAC reduced strenght; because MS listened the lazy people who can't just sign out and go the admin account to do the admin stuff or type a password...the same one who after disable UAC, people prefer to sacrifice security for convenience, we all know that...and we know the result...
     
  15. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    855
    We all use our computers how we like, and as long as our strategies leave us free of malware then they're meeting our needs. While a SUA account wouldn't have made any difference to my own security outcomes over the years, I can respect that others see more benefits than hindrances from it. I have to use LUA accounts in a number of contexts, but it's not something I really want on my own machines.

    Mark Russinovich (an advocate for the principal of least privilege) foresaw the direction of malware in 2007:
    http://arstechnica.com/business/2007/04/microsofts-guru-malware-and-viruses-will-evolve-on-vista/

    I wish I'd saved that page with stats I saw last year suggesting that most modern malware was able to work in standard user accounts. Searching combinations of "malware" with terms like "standard user" "limited user" "LUA" "SUA" hasn't been fruitful for me to find it again. However, I've seen enough write-ups of malware to see that they're frequently designed to accommodate standard accounts. You can look up Dridex yourself to see how many of the "cheat sheet" blog's checkboxes it ticked alone, and the rest of the list is hardly controversial.

    Personally I think privacy breaches and loss of data are potentially far more significant than damage to the OS or even hardware itself. There are moral, legal, physical/safety and financial consequences to consider.
     
  16. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    665
    That's a pretty dumb assumption, I haven't been infected in about 12 years while using an administrator account...
     
  17. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    2,204
    Location:
    in a remote land :)
    Good for you, but your case isn't the case of everybody, so it isn't dumb; If you read properly, i didn't say using an admin account will get you automatically infected, but it afford no benefits but risks.
    Since you are on this forum, i guess you have safe habit and a bit of knowledge; Average Joe doesn't. All infected PC i fixed since years were all used with Admin Account, all computer i put on SUA with some tweaks, were rarely infected after (except for toolbars and some minor PUP).

    think wide before replying. thanks
     
  18. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
    That is easily dealt with by harding the default LUA so a standard user can only run software and scripts the administrator has installed and vetted on the system. Even without that, damage is much more short term and limited and a system can be cleaned by simply deleting the infected account and and all its data after saving any non binary data that the user wants to save.
     
  19. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    855
    Yes that's one advantage. That's why when I lend one of my PCs to someone then that's all they have access to - a standard user account with a restrictive software policy.

    It's not infection that concerns me, I just want my laptop back the same way I gave it.
     
  20. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    665
    I would say the same to you...
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands
    You don't necessarily need to use advanced tools that rely on user input to stay safe. I would not recommend HIPS to normal users, but AV, AE and sandboxing can keep hem safe with perhaps a bit of training, also when running as admin. But like I said, users should be aware that even in LUA/SUA they are not automatically safe against malware. That's why it's a useful article.
     
Loading...