Limited User - The Anti-Virus

A co-worker has been complaining the last week and a half about how frustrating it was to have to re-install their home MS Windows XP Media Center computer because it had a virus. (That reminds me of a cute commercial.) His theory on the attack vector is that his sister-in-law had logged in as administrator to install some software from the Internet.

However it got there, it appeared to have been introduced to the system with admin privileges and was able to quickly zap any anti-virus tool thrown at it. There may have been a way to recover without re-installing, but that's not my point. My point is that once the malicious code had been run with administrative privileges, it was very effective and difficult to remove for many reasons, including it's ability to disable anti-virus software.

I grew up using Macintosh computers from OS 6.x to 7.6 and during that era of mostly Internet free use the main attack vector of viruses were floppies from untrusted sources. The solution was simple, have anti-virus software installed that scans your disk when it's inserted. With the exception of kids deleting your files or messing up your desktop, it wasn't that big of a deal that you were basically always an administrator on the system. The same could be said for MS Windows during the same era. Most of us have learned to use single-user computer systems with virtually no restrictions to what we could do at any time. Multi-user systems were something that businesses and universities did.

Then came OS X (with it's Unix heritage) and XP, multi-user for the masses. Perhaps to help ease the transition from the single-user I can do anything whenever I want experience to the multi-user setup, MS XP Home Edition would by default create it's first user account as an Administrator and require that at least one user account be an admin account. This default setup lead me to believe for quite some time that running XP as an admin was encouraged by Microsoft. I have since discovered that this is not true. In fact, some people at Microsoft go out of their way to write about not running as Administrator, or at least reducing privileges of Internet applications. Aaron Margosis went as far as to claim what I've been wondering (and experiencing) for over a year, that you are better off running as non-admin WITHOUT anti-virus than you are running as admin WITH anti-virus.

Over a year ago I had switched my wife's account over to an Administrator account because she was calling me at work weekly for help logging in as admin to install the latest kids software from the library. (Future rant topic, kids games that need to be installed.) She only browsed to safe sites and the kids aren't old enough to go finding warez so all was well until she opened an attachment sent by a virus on her brother's computer. Fortunately Stinger was able to remove it and I set McAfee up on guard duty.

A few months later my teenage sister came to visit for a week. She wanted to install a few games and I had McAfee, so I made her account an Administrator account. A couple of days later I used the computer and found that IE had an annoying browser helper app. My sister said she didn't install it, but that it just appeared when she went to some site. McAfee didn't protect against it so I ran the gauntlet of anti-malware software. None of them could remove it. So, I re-installed and everyone was a limited user. I asked my sister to browse to the sites she had been to before the trouble started. At one of the sites the browser helper appeared. I logged her out and logged into my account. No helper app. The damage was isolated to her account which was easily deleted and re-created.

For the rest of the year's subscription for McAfee I dealt with their software's annoying borderline LUA bugs (having to Graphically log in as an Administrator to update, multiple update notification processes running instead of installing as a system service, etc) and didn't see it find or protect us against one virus, so I didn't renew. I just run ClamWin occasionally to see what kinds of junk has accumulated in the IE Temporary Internet Files. (I personally browse with Firefox but the kids often use IE.)

At work most people run with Administrator privileges and complain about their anti-virus software pestering them to death with questions and announcements and eating up their system resources. I run as limited user with Firefox, Thunderbird, text-only email and only installing software from trusted sources. Guess who doesn't get viruses (again, I scan occasionally with clamwin runas admin to see what's there).

I would love to see a comprehensive test of what viruses are blocked or limited by running as a limited user on XP. Mike L. at gnuman.com has written about a small test. If you know of such a listing or have done the testing, please let me know about it.

I Am

OK. I've finally given in and created a blog so that I could rant about things in a socially accepted (and popular) forum.

Up to this point I have had no interest in blogging. I'm not very consistent at anything over the long term, especially something journalish and I was more interested in publishing more of a technical writing than an opinion column.

First I did "content management systems" like PHP-Nuke, Post-Nuke and Drupal. Those have their place, but they feel empty without an active community.

Next I got into writing up my insights into a third person form on a wiki for others to learn from or improve upon (edit). I still appreciate wiki sites, but I didn't want to rant on one just to have someone edit my opinions so here I am.

I don't know what this blog will become. The odds are that it will be a neglected collection of sporadic rants of things that annoyed me to the point of writing. I am a code hacking (white hat) open source fan who daylights as a computer programmer and GNU / Linux systems and network administrator with a Windows XP desktop. Most of my thoughts will likely be focused around those topics.

I've gone to the blogspot/blogger (and other blog hosting site) signup pages before when I've had something I felt like ranting about, but picking a name has been a bit of a road block. As I was thinking about what to name this blog, I thought "why do people blog, anyway". Some do it for popularity, and others for a little money (if they are really popular and have advertising, or are promoting something) but mostly I think we do it to say "hey, I am here."

I finally committed to blogging and picked a name with the thought "Cogito, ergo sum" (I think, therefore I am.) unfortunately even though iam.blogspot.com isn't a site, they wouldn't let me have that URL, so permalinks will be to iam-jla.blogspot.com