Discussion in 'other anti-malware software' started by Kees1958, Nov 18, 2007.
As the title says, anyone willing to post experiences?
I'd like to know some experiences with suDown too. I want LUA to become a redundancy layer to GeSWall.
There's some discussion about LUA and suDown in this thread.
Forget your anti-virus, anti-malware, 6000 security scanners...
Limited User Account is the best thing you can do for your security (in Windows XP, can't offer insight into Vista).
suDown allows you to neatly run things that need it as Administrator, just by typing your login password.
It is far superior to "Run As Administrator" for many reasons, including that child processes spawn with admin rights too.
I highly recommend you use a LUA! I do it with no problems whatsoever.
EDIT: Wanted to add that I use P2P, games, online games, multiple security apps (SandboxIE, ProSecurity, Kaspersky, BOClean, Outpost PRO 4) all flawlessly in a LUA, don't believe it when people say "stuff won't work".
It might work, but the effort of getting things to work...
A few examples where I found problems:
- PunkBuster anti-cheat software won't work under limited account.
- eMule, works ok except no search ability ...
Solvable? Maybe. Worth the effort? No.
After a VERY unpleasant experience with a unique trojan that tampered with my computer's access permissions and effectively locked me from my own files and system, I've taken to running under LUA. Finding out firsthand how helpless even HIPS were against this form of attack was not enjoyable at all...
Mrkonvic.. You cite applications that "don't work" using a Limited User Account. Using sudown it's as simple as typing your password to launch them with full Admin privileges. It's not rocket science.
Worth it? YES, the amazing gamut of malware defeating restrictions placed on software running in a LUA renders a very large percentage of malware useless.
I can't believe in a forum that recommends people to use Firewalls, Virus Scanners, Anti-Spyware programs, HIPS programs, alternate browsers with security extensions, anti-keyloggers etc.. etc.. that people still refute the benefits of running a Limited User Account.
Without question it is the best thing you can do in Windows XP to defeat malware from harming your system.
If you run apps that require admin privileges - as LUA - you self-defeat the idea of a limited account.
As to believing that ... xyz in a security forum, seeing is believing. I like limited account - IN LINUX - not in Windows. Modularity from the start, not as a weak, semi-successful addon.
The best thing to defeat malware? Don't have it on your system. As simple as that.
As to sudowning some of the apps - try PunkBuster please ... with CounterStrike or America's Army. Good luck.
Punkbuster is a real security pain in the ass, like Xfire. But I was not asking this with the idea to apply Sudown on a gaming machine, so agree about the effort in that case.
Exactemondo, as our friend Chappelle would say.
Well, if the purpose of a computer is a bit of surfing and a bit of mail, then sure, LUA by all accounts (no pun intended). But what do you do when your setup is:
- 3-4 computers, using 3-4 different operating systems
- heavy gaming, including online and anti-cheat software and such
- sharing of hard drives / printers and such
- lots of scheduled tasks / scripts
- lots of virtualization
How does LUA fit into this ... ?
AFAIK, PunkBuster needs access to physical memory.
Too much pain?
Yes, some things can't be done (fully automating tasks that require admin rights). How many people here would need to do that? For you, with your intriguingly bizarre setup of 3-4 different OS's it may not work.
However your facetious remarks:
No you don't defeat the purpose, you only run the programs that you CHOOSE to run with admin rights. I download a keygen, and run it with non-admin (LUA) rights, all of a sudden its incorporated trojan can't hurt me.
Do that in Admin account and you rely on your AV/AT/AS to have it blacklisted, or you rely on your HIPS to pick up that it's installing a driver, and if either of those fail, you lose.
SIMPLE! Wilders, everyone? Pack up and go home, we just got the answer... Just don't have the malware on your system! It's so obvious...
Don't discourage people from investigating things that are extremely valid, just because you want to run 3-4 OSes and employ the "don't have malware on your system" defence.
After finding out how powerful (and destructive) NTFS access permissions can be, I'm inclined to agree.
Windows XP actually has a very powerful inbuilt security system in its access permissions functions, where you can lock down anything from files, registry entries and special API calls to system services, and even entire drives and user accounts. It's also unpleasantly destructive when abused by malware. What happened to me recently was that a trojan used the LsaRemoveAccountRights API to completely strip my account of its privileges, necessitating a reformat of my drives to restore my computer.
Upon recovering my machine, some quick research reveals that if malware authors wanted to, they can design malware to attack users running with Admin rights by: denying access permissions to Program Files folders so security software cannot launch, changing your user account password, changing/editing your logon script file, limiting the amount of drive space your user account has access to (theoretically this can be set to 0 for maximum annoyance), limiting the amount of time your account can stay logged on, denying your ability to shut down your computer via the Start menu, etc etc etc.
As of right now EQSecure with global lockdown rules fail against these types of attacks, simply because it doesn't monitor the API calls used. I have no idea if Comodo V3 can stop these. You can hand-edit your computer security policy one by one to prevent malware from abusing these privileges, or you can run under LUA to deny these privileges to malware altogether.
I must admit this previous experience completely changed my opinion of LUA. As of now I've switched to running under LUA full-time, with ThreatFire + Windows Firewall in the background. There are just too many privileges waiting to be abused when one runs as Administrator, and frankly I can't be bothered to wait for HIPS vendors to upgrade their programs to monitor these privileges, and then me having to configure hundreds of additional rules by hand.
Stephen, your analysis of my points failed on 3 accounts: PunkBuster, scripts, and virtualization.
As to Wilders, how many people here do you think have malware on their comps? Answer: 0.
But from your tone, I guess you know everything, therefore I concede that you win. Multiple OS are "bizarre" and all the problems are only because I want to run something ... hey, you win.
It's not a fight Mrkonvic, I'm just making sure people aren't scared away from a great security measure by your false statements.
The point is, this thread is called "Sudown experiences anyone?".
I have a heap of sudown experience, all positive.
Thumbs way up for LUA w/ sudown.
Never really thought of this, it makes me a bit mad because IMO it's the job of the HIPS writers to think about all possible ways that malware might be able to take control/do any damage. Is there a way to stop this attack besides executing apps in non-admin mode? Which of course also isn't a great solution.
Why is running in non-admin mode not a great solution?
From prior experience? That's asking the impossible.
None that I've discovered so far. I'm only still beginning to pay attention to XP's access permissions, but I suppose it'd be theoretically possible to delve into the settings and selectively turn off some administrator rights to disable this attack? I don't know.
If people can live with HIPS, half a dozen scanners and other whatnot, they sure as hell can live with LUA.
Not necessarily. Half the software I use for my business requires administrative privilege to run.
Right-click -> Run as = problem solved?
Solcroft, I have manually tweaked 'access rights' in XP Home on my wife's PC. Trouble is that you need XP Professional to create some order in it (group policy editor). Also with TF registry custom rules I have created some extra thresholds against a staged policy elevation.
I agree that the manual tweaking is not a solution. I for instance can not remember what settings I have changed. On my wife's PC it is impossible to create another user (admin or limited) and I can not really recall what the heck I have changed (so suggestions welcome).
This is also the reason why Sudown won't install on her PC, it simply can not install, due to limited rights ("no access").
Have you tried rebooting into Safe Mode, accessing the hidden Administrator account from there and then creating/deleting/modifying the accounts you need to?
I have disabled the hidden admin account, so I have to check how to enable it again (reason: the admin account can be accessed via external/network access). I am so stupid to have deleted a Word file which contained all the tweaks I had applied on her machine.
Do you know there is a registry tweak to change the keyboard/language on Vista machines on the user log-in screen (on the left below). It can be used to access the PC with the hidden admin, therefore I have disabled the hidden admin in Vista also.
I will give it a try.
Here's a way of solving any issues between "poorly coded" programs and LUA:
1. Get these tools: FileMon & RegMon & ERUNT
2. Run the program from LUA and trace which files fail to be accessed using FileMon.
3. With elevated privileges, change permission for those files by adding write/change permission for the user.
4. With elevated privileges, make a backup of the registry using ERUNT.
5. Run the program from LUA and trace which keys under HKEY_CLASSES_ROOT\ fail to be accessed using RegMon.
6. Export those keys to .reg files by selecting File\Export in the reg. editor, and then choose the selected folders. Then using a text editor, open your .reg files and replace all instances of HKEY_CLASSES_ROOT\ with HKEY_CURRENT_USER\Software\Classes\ and save your changes.
7. From LUA, import the edited .reg files into the registry.
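A small script for step 6 of the list above, added here as an example and not taken from the original post or from suDown: it rewrites a regedit export so the HKEY_CLASSES_ROOT\ keys land under HKEY_CURRENT_USER\Software\Classes\, touching only the key headers (a value whose data happens to contain "HKEY_CLASSES_ROOT\" still resolves, because HKCR is a merged view of the machine and per-user Classes hives). The sample export, file names and the cp1252 fallback for REGEDIT4-style exports are constructed assumptions.

```python
import re
from pathlib import Path

# Constructed sample of what a regedit export of a failing key can look like.
# The "Source" value deliberately carries a key path as *data* to show it is left alone.
SAMPLE_EXPORT = (
    "Windows Registry Editor Version 5.00\r\n"
    "\r\n"
    "[HKEY_CLASSES_ROOT\\ExampleApp.Document]\r\n"
    "@=\"ExampleApp Document\"\r\n"
    "\"Source\"=\"HKEY_CLASSES_ROOT\\ExampleApp.Document\"\r\n"
    "\r\n"
    "[-HKEY_CLASSES_ROOT\\ExampleApp.Stale]\r\n"
)

USER_ROOT = "HKEY_CURRENT_USER\\Software\\Classes\\"
# Matches a key header line; group 1 is the optional "-" that marks a key deletion.
KEY_LINE = re.compile(r"^\[(-?)HKEY_CLASSES_ROOT\\(.*)\]$")


def redirect_classes_root(text):
    """Return the export with every HKCR key header moved to the per-user Classes hive.

    Only lines of the form [HKEY_CLASSES_ROOT\\...] or [-HKEY_CLASSES_ROOT\\...] are
    rewritten; the format header and all value lines are copied through unchanged.
    """
    out = []
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if m:
            line = f"[{m.group(1)}{USER_ROOT}{m.group(2)}]"
        out.append(line)
    return "\r\n".join(out) + "\r\n"


def convert_file(src, dst):
    """Read a .reg export and write the redirected copy with the same encoding.

    'Windows Registry Editor Version 5.00' exports are UTF-16 with a BOM; older
    REGEDIT4 exports are ANSI, assumed here to be cp1252.
    """
    raw = Path(src).read_bytes()
    enc = "utf-16" if raw.startswith((b"\xff\xfe", b"\xfe\xff")) else "cp1252"
    Path(dst).write_text(redirect_classes_root(raw.decode(enc)), encoding=enc)


if __name__ == "__main__":
    print(redirect_classes_root(SAMPLE_EXPORT))
```

The resulting file is imported from the limited account (step 7), which is allowed because it only writes to the user's own hive.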
Does this also solve the unknown program message when running LUA?
@Kees1958: Yes, and for solving your problem in post #20 you need this & this.