strange behaviour - admin/user accounts

Discussion in 'Trojan Defence Suite' started by osaka, Nov 13, 2003.

Thread Status:
Not open for further replies.
  1. osaka (Registered Member, France)

    Hi all,

    I have just installed the TDS3 trial on my Win2k system using the admin account. Looks powerful and great. But there's a very curious thing I can't explain myself. The first scan showed nothing, all OK. But after switching to a restricted user account, I have about 40 alerts, all File Trace style, all pointing to strange files in my c:\winnt\temp directory. If I delete these files in the TDS window, they show up again after a new scan. But what's strange is that Windows Search can't find any of them, neither on the user nor the admin logon. And the Admin scan always shows nothing suspicious. I really don't know what to think of that. Anyone have an idea, please? o_O
     
  2. Andreas1 (Security Expert, Mainz, Germany)

    Just a short notification.
    I think your problem has been discussed before, only I do not know where. I'll have to describe what I'm recalling from those other places and to hope that I recall correctly and that someone else will find the proper location of the old discussion.
    IIRC, it has to do with limited rights somehow generating these alerts and the solution was to run tds under admin rights using w2k's "runas" method. You should be able to configure it right in the link you click on to start TDS.

    Well, that's only little more information than nothing, but I thought maybe it would be good if you at least got a response to your issue quickly.

    HTHH,
    Andreas
     
  3. osaka (Registered Member, France)

    Thank you, Andreas, for the hint. I appreciate your quick response. I tried to investigate further, but it only resulted in a further mess. I tried to change the user account rights from "restricted" to "power user", and guess what? I have a third version of the scan results! This time TDS found only 2 file trace alerts, but both different from all the previous ones. Moreover, they are also impossible to find manually on disk. Do they exist or not? If not, where do these alerts come from?

    I'm really perplexed now. Scan results depending on account rights? I must say I was really impressed by the first look of TDS and its reputation as the best AT software out there. I almost bought it without trying. Unfortunately, I am much less confident now.
    If I have to use Admin to get it right, it is useless for me, because I rarely do daily work using this account, and NEVER surf the internet as admin, because once I did and was severely punished, so I learned.
    Using TDS, I would rather be absolutely sure about being infected or not. With these results I have more doubts than ever.
    Sorry to conclude this, but unless someone gives me a good explanation of this strange behaviour, my experience with TDS will be a really short one, in spite of its excellent reputation.

    osaka
     
  4. Jooske (Registered Member, Netherlands)

    Hi Osaka and welcome to the forum!

    So many people solved this, and I can't find my own posting from a few weeks ago about this, which worked again for the users.
    There are two ways: install both on admin and user level, or, like Andreas wrote already, have it "run as" so the user gets a few admin privileges to run TDS correctly.
    It's a permissions problem; you COULD modify the shortcut to RUN AS the Admin account, which has the privs needed.
    Not sure which causes the strange scan effects.
    Anyway, in TDS4 this problem will be solved.
     
  5. Pilli (Registered Member, Hampshire, UK)

    Osaka, here is how to use the "run as" command as mentioned in Andreas's and Jooske's posts. This is from the XP help file; W2K is similar:

    "To start a program as an administrator
    In Windows Explorer, click the program executable file that you want to open.
    Press SHIFT and hold, right-click the program icon, and then click Run as.
    To log on using an Administrator account, click The following user.
    In User name and Password, type the Administrator account name and password that you want to use.
    Notes

    Use this procedure if you want to perform administrative tasks when you are logged on as a member of another group, such as Users or Power Users.
    If you want to run a program as a domain administrator, in User name, type the name of the domain followed by the administrator account name. For example:
    DomainName\AdministratorName

    Use of Run as is not limited to Administrator accounts.
    If you try to start a program, such as an MMC console or Control Panel item, from a network location using Run as, it could fail if the credentials used to connect to the network share are different from the credentials used to start the program. The credentials used to run the program might not be able to gain access to the same network share.
    If Run as fails, the Secondary Logon service may not be running. For more information, click Related Topics.
    You can also use Run as from the command prompt. For more information, click Related Topics.
    The Secondary Logon service accepts only password authentication. If policies require smart card logon, then Run as will not work".
     
  6. Andreas1 (Security Expert, Mainz, Germany)

    Osaka,
    I cannot help you much on the central question - if that is "why is there this discrepancy of alerts when tds is launched with different privileges?". I suppose several access-denials by the OS get interpreted by TDS as a trace of some kind (afaiu, no, the files don't exist) and then again the alert you get is another interpretation of that trace... If the old discussion can't be found, we can only wait for a comment from the DCS techs...

    However, I would like to say a few words regarding the questions a) whether it makes sense to have different scan results depending on which user you're running the scanner as and whether it makes sense to tweak TDS to those higher privileges obviously needed; b) what kind of effort that would require for your computing practices:

    a) Quite obviously your scan coverage will be different under differently privileged accounts. Files may not be readable to any user, directories not traversable, etc. Maybe the scanner needs to make a copy of a file into a temporary directory (e.g. in order to unpack it), so it needs copy permissions and permissions on the temp dir. All in all, scanning as admin will cover more corners of your system than scanning as guest. The question now is whether those corners the "guest scanner" misses are considered critical, vulnerable and whether they should be checked or not. I would answer positively to all of these three questions, even for the temporary dirs.

    To be fair, running any process with admin privileges of course also generates new security issues to worry about. You would have to worry about how reliable this process is: how easily it crashes or could be manipulated or even hijacked. Thus, it all boils down to asking yourself the question: "Am I trusting my security scanner so much to grant it the elevated privileges it would need to perform in the best possible way?" I would trust TDS this way, your mileage may vary. You could also try to get more experience with TDS before you grant these rights (then you would have to learn to ignore the specific category of alerts which started off this thread, which I think is possible); or you could grant it those rights and monitor TDS for a period of time (two weeks or so maybe?) and then decide if it can keep them.


    b) Running TDS with admin rights is not so hard to achieve as you make it out to be, and you don't have to log on, let alone surf, as admin: if you inspect the properties of the icon-link you click on to start TDS, the second tab has a checkbox "Execute under another account" (I'm translating this from my German caption; probably it's not the exact phrasing). If you check it, the next time you use this icon to launch TDS, you will be presented with a dialog box asking for the account name and password you want to run TDS under. Simply specify your admin account and TDS will be an isolated admin process, leaving the rest of your restricted logon session unmodified. The command-line version of this approach is called "runas", but presently I don't know the parameters needed for this command; it shouldn't be too difficult to find documentation on it.
    (Although I know it better, I'm still doing everything as admin - I simply didn't find the time yet to move all my settings to a restricted user account. But when I do one day :rolleyes:, I will use this way to launch my TDS with admin rights...)

    I hope this is at least of some help to you.
    CU,
    Andreas
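
    The command-line form of the procedure in Pilli's and Andreas's posts, as an added example that is not from the thread or from DiamondCS: a small batch file for a limited-user logon that first checks that the Secondary Logon service is running (without it both the shell's "Run as" and runas fail, as the XP help text notes) and then starts TDS-3 under the local Administrator account. The TDS install path is an assumption; adjust it to your own.

```batch
@echo off
rem Start TDS-3 as the local Administrator from a limited-user session.
rem Added example; the install path below is an assumption.
set TDS_EXE=C:\Program Files\TDS3\TDS-3.exe

rem Run as / runas rely on the Secondary Logon service (key name "seclogon").
rem "net start" lists it as "RunAs Service" on Windows 2000 and as
rem "Secondary Logon" on Windows XP, so accept either display name.
net start | find /i "RunAs Service" >nul || net start | find /i "Secondary Logon" >nul
if errorlevel 1 (
    echo The Secondary Logon service is not running.
    echo Start it once from an admin session with:  net start seclogon
    exit /b 1
)

rem Prompts for the Administrator password. Only this one process runs as admin;
rem the rest of the logon session (browser, mail) stays restricted. The \" pair
rem keeps the space in "Program Files" inside one argument for runas.
runas /user:%COMPUTERNAME%\Administrator "\"%TDS_EXE%\""
```

    Save it as a .cmd file, point a shortcut at it, and the restricted user gets exactly one elevated process. The shortcut checkbox Andreas describes does the same thing through the shell (on Windows 2000 it is "Run as different user" on the Shortcut tab); either way, do not save the Administrator password anywhere the limited account can read.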
     
  7. osaka (Registered Member, France)

    Hi boys, now I am pleasantly surprised by your quick reaction and exhaustive answers. OK, I tried to launch TDS under the restricted account with the "run as" privilege, and it works. So it's fine for me like that. I run a standalone home PC, not a network, so the other restrictions mentioned by Pilli do not concern me much. I also agree with Andreas saying you can have different scan results due to different rights and access privileges. But that shouldn't give any false alerts anyway, and the most privileged account should give the most complete answer. That's what still troubles me a little, because suppose I know nothing: how can I guess which scan result got it right? My first reaction when I saw a bunch of alerts was to reinstall my system, which I did. Took me some time, including reinstalling all the other software I use (I don't complain too much; it's always a good idea to do this ;) ). Now, I can accept the solution to always start TDS 'as admin'. No problem to credit TDS with admin rights to make a scan, but I still won't do it with IE or Outlook while surfin' ;)
    Thank you once again for your answers, now I'll try to learn a little more about all the bells and whistles of TDS :D

    osaka
     
  8. Jooske (Registered Member, Netherlands)

    Hi again Osaka,
    While surfing on a user account with TDS "run as" admin, you can also, in the registered version, use the exec protection on that level, so you'll be rather safe from malicious executables and other nasty code.
    Glad you got it working, and a pity about all the unnecessary work; you didn't first ask before starting your re-installs (very understandable reaction!)...
    Hope all is fine now.
     
  9. Andreas1 (Security Expert, Mainz, Germany)

    Hi again,
    I have found the thread I was thinking of, but it's at the private DCS forum. If you're a registered owner of TDS-3, you can get there (see Jooske's signature) and do a search for "runas". Remember not to exclude older posts from your search. I got five results and all were in the private part of the forum, all were interesting, but I would suggest you most thoroughly read the one with the most replies (25), last post from March 2002.

    I understand that:
    Admin's scans are the most accurate ones.
    Limited User's scans generate false alarms (in a few places, Winnt/temp among them).
    These false alarms do not correspond to existing files.
    It will be fixed in TDS-4 and can be avoided for TDS-3 by running it as admin (recommended) or giving full access to the limited user for the corresponding dir (not recommended).

    HTHH,
    Andreas
     
  10. Gavin - DiamondCS (Former DCS Moderator, Perth, Western Australia)

    Yes, this is a problem due to file permissions. Either "run as" the Admin account, or simply ignore trace alarms on the TEMP folder or other folders where the limited user has no permissions. Most should be able to spot this bug pretty quickly; it is just a bug.
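
    Andreas's guess above (access denials being reported as traces) and Gavin's confirmation that the cause is file permissions describe a classic scanner failure mode: an error while looking is reported as if something had been found. The following is an added example, not DiamondCS code and not a description of TDS-3 internals. It models one mechanism consistent with every symptom in this thread, as an assumption: the scanner unpacks archives into a scratch directory under C:\WINNT\Temp that only Administrators may write to, so for a limited user the write fails and the buggy scanner raises a "File Trace" alert on a scratch path that was never created (hence Windows Search cannot find it, "deleting" it changes nothing, and the admin scan is clean). The in-memory stand-in for the OS, the directory layout, the file names and the marker signature are all constructed for the demo; the "fixed" scanner shows the correct handling, a separate list of unscanned items instead of alerts.

```python
"""Limited-user scan raising "File Trace" alerts on files that do not exist
while the Administrator scan is clean. Added example, not DiamondCS code: it
models one mechanism consistent with the symptoms in this thread (an assumption,
not TDS-3 internals); the in-memory "OS", paths and marker are all constructed."""
from errno import EACCES, ENOENT

ADMIN = {"Administrators", "Users"}    # token groups of the admin logon
LIMITED = {"Users"}                    # token groups of a restricted logon
SCRATCH = "C:\\WINNT\\Temp"            # assumed scanner scratch directory
PACKED = (".zip", ".cab")              # files the scanner unpacks before scanning
MARKER = b"TDS-DEMO-TROJAN"            # constructed detection signature


class FakeWin2k:
    def __init__(self, dirs):
        # lowercased path -> (entries {name: bytes}, groups that may list/read,
        # groups that may create files); a stand-in for NTFS ACL checks
        self.dirs = {p.lower(): (dict(e), set(l), set(c)) for p, (e, l, c) in dirs.items()}

    def _dir(self, path):
        if path.lower() not in self.dirs:
            raise FileNotFoundError(ENOENT, "Path not found", path)
        return self.dirs[path.lower()]

    def listdir(self, path, groups):
        entries, may_list, _ = self._dir(path)
        if not groups & may_list:
            raise PermissionError(EACCES, "Access is denied", path)
        return sorted(entries)

    def read(self, path, groups):
        d, _, name = path.rpartition("\\")
        entries, _, _ = self._dir(d)
        if name not in entries:
            raise FileNotFoundError(ENOENT, "File not found", path)
        return entries[name]

    def create(self, path, data, groups):
        d, _, name = path.rpartition("\\")
        entries, _, may_create = self._dir(d)
        if not groups & may_create:
            raise PermissionError(EACCES, "Access is denied", path)
        entries[name] = data


def contents(os_, root, name, groups):
    """Bytes to scan for one entry; archives go through the scratch directory."""
    path = f"{root}\\{name}"
    if not name.lower().endswith(PACKED):
        return os_.read(path, groups)
    scratch = f"{SCRATCH}\\{name}.unpacked"
    os_.create(scratch, os_.read(path, groups), groups)   # denied for LIMITED
    return os_.read(scratch, groups)


def walk(os_, roots, groups):
    """Yield (path, outcome): the bytes to scan, or the OSError the OS raised."""
    for root in roots:
        try:
            names = os_.listdir(root, groups)
        except OSError as e:
            yield root, e
            continue
        for name in names:
            try:
                yield f"{root}\\{name}", contents(os_, root, name, groups)
            except OSError as e:
                yield f"{root}\\{name}", e


def scan_buggy(os_, roots, groups):
    """Models the behaviour reported in the thread: every OS error becomes a
    'File Trace' alert naming the path from the error (the scratch file)."""
    alerts = []
    for path, outcome in walk(os_, roots, groups):
        if isinstance(outcome, OSError):
            # BUG: an error is reported like a detection; the named file was
            # never written, so Windows Search cannot find it and "deleting"
            # it changes nothing. A real detection in the archive is also lost.
            alerts.append(("File Trace", outcome.filename))
        elif MARKER in outcome:
            alerts.append(("Detection", path))
    return alerts


def scan_fixed(os_, roots, groups):
    """Separates 'could not look' from 'found something': denials go to an
    unscanned list that tells the user to rerun the scan as Administrator."""
    alerts, unscanned = [], []
    for path, outcome in walk(os_, roots, groups):
        if isinstance(outcome, PermissionError):
            unscanned.append(path)
        elif isinstance(outcome, OSError):
            pass   # e.g. vanished between listing and reading: nothing to report
        elif MARKER in outcome:
            alerts.append(("Detection", path))
    return alerts, unscanned


def demo_system():
    """Constructed layout: WINNT\\Temp is listable by all but writable only by
    Administrators, as left behind by an install done from the admin account."""
    everyone = ADMIN | LIMITED
    return FakeWin2k({
        "C:\\Downloads": ({"update.zip": b"PK\x03\x04 harmless",
                           "crack.zip": b"PK\x03\x04 " + MARKER,
                           "readme.txt": b"plain text"}, everyone, everyone),
        SCRATCH: ({}, everyone, {"Administrators"}),
    })
```

    Running `scan_buggy(demo_system(), ["C:\\Downloads"], LIMITED)` gives two "File Trace" alerts on paths under C:\WINNT\Temp and misses the planted sample, while the same call with `ADMIN` gives one Detection and no traces, which is the pattern osaka saw. `scan_fixed` with `LIMITED` gives no alerts and lists the two archives as unscanned, so the user knows the answer is "rerun as Administrator", not "infected".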
     
  11. osaka (Registered Member, France)

    Hi all,
    thank you for all the help. Once a strange behaviour can be explained and there's a sufficient workaround for a problem, there's no point in condemning a good piece of software. Just to answer Andreas: I have no access to your private forum, as I just installed a trial version two days ago. I'll certainly go there when I register :) . Runas is the only good solution for me, but it's sufficient. Just ignoring false alarms, as Gavin suggests, is not a good idea in my opinion. With a bunch of 40 or more false alerts all the time, it's easy to miss a true one once it appears. To conclude, it's all OK for me and I'm glad to continue with TDS. And thank you once again!

    osaka
     
  12. Jooske (Registered Member, Netherlands)

    Osaka, the general parts of the DCS forum are accessible already (see link in my sig) --you need to register as a member-- to keep updated with the announcements, free tools and more; for the private TDS forums you need a TDS registration and an entrance request.

    Others had their problem completely solved with either the runas or double install on both levels, so i really hope you have no unnecessary alerts with all this!
     
  13. osaka (Registered Member, France)

    Thank you Jooske,

    just one more dumb question. You have mentioned the possibility of a double install. I would like to try this, but how can I do it from user level? When I run the installer, I get a message "you must have admin rights..." etc. Do I start the installer with the "runas" method??

    osaka
     
  14. Jooske (Registered Member, Netherlands)

    Oops! I'm not on a system like yours, so I hope other persons can jump in for these important details!
    You could give it a try that way, with the admin rights for the necessary functions.
     
  15. Andreas1 (Security Expert, Mainz, Germany)

    Hi again,
    If I understand this correctly, then there are four main types of accounts (or groups) in W2k: admins, power users (don't know if this is the correct translation - "Hauptbenutzer" in German), users and guests. A personal login account normally belongs to one of those groups and its permissions are based on the permissions granted to the group in general. Now, what are those permissions:

    I am not sure here, but I think what concerns us presently is execution privileges...

    Admins - may do (i.e. read, write, execute, delete) more or less everything.
    PowerUsers - may launch any apps not specifically declared unsafe (by an admin).
    Users - may launch no apps except for those specifically declared safe (by an admin).
    Guest - may not launch anything.

    The problem is - I suppose - that TDS's installer is considered a suspicious/dangerous/critical program (after all, it installs something) by the operating system and that the OS thus won't allow regular users to execute it. You could try whether the behaviour changes when you're logging in as a member of the PowerUsers group - but maybe (!) then you'd have to run TDS as a member of that group as well (i.e. you'd have to elevate the privileges for your day-to-day computer activities from regular to super user level).
    Running the Installer with the RunAs as admin won't produce a result different from running it when logged in as an admin, i.e. what you have now already - as far as I understand.

    Not having actually tried any of the above, I'm not sure that it really is like that and I'm not sure what you'll be willing to try. See for yourself. However, I would suggest staying with running TDS by runas/admin.

    Andreas
     
  16. osaka (Registered Member, France)

    Thank you, Andreas

    I already have the solution that works (start TDS with runas admin). I was just curious about the second method which was suggested by Jooske, but that's not critical if it doesn't work. In fact, in Win2k (I don't know about XP), even a simple user or guest can launch all apps, with the exception of those which are specifically restricted by the admin or by an installation program. Habitually, those are the apps that deal with Windows settings, registry manipulation, optimisations or tweaking (e.g. System Mechanic, disk defragmenters...). And, obviously, nearly all installation programs (they usually modify the registry and add files in restricted Windows places like c:\winnt\ etc.). The reason for my question was simply to understand Jooske's suggestion. Anyway, I will stick to the first working solution, and I'm happy with it. Again, thank you all for your assistance and help.

    osaka
     