2006-08-17

Limited User - The Anti-Virus

A co-worker has been complaining the last week and a half about how frustrating it was to have to re-install their home MS Windows XP Media Center computer because it had a virus. (That reminds me of a cute commercial.) His theory on the attack vector is that his sister-in-law had logged in as administrator to install some software from the Internet.

However it got there, it appeared to have been introduced to the system with admin privileges and was able to quickly zap any anti-virus tool thrown at it. There may have been a way to recover without re-installing, but that's not my point. My point is that once the malicious code had been run with administrative privileges, it was very effective and difficult to remove for many reasons, including it's ability to disable anti-virus software.

I grew up using Macintosh computers from OS 6.x to 7.6 and during that era of mostly Internet free use the main attack vector of viruses were floppies from untrusted sources. The solution was simple, have anti-virus software installed that scans your disk when it's inserted. With the exception of kids deleting your files or messing up your desktop, it wasn't that big of a deal that you were basically always an administrator on the system. The same could be said for MS Windows during the same era. Most of us have learned to use single-user computer systems with virtually no restrictions to what we could do at any time. Multi-user systems were something that businesses and universities did.

Then came OS X (with it's Unix heritage) and XP, multi-user for the masses. Perhaps to help ease the transition from the single-user I can do anything whenever I want experience to the multi-user setup, MS XP Home Edition would by default create it's first user account as an Administrator and require that at least one user account be an admin account. This default setup lead me to believe for quite some time that running XP as an admin was encouraged by Microsoft. I have since discovered that this is not true. In fact, some people at Microsoft go out of their way to write about not running as Administrator, or at least reducing privileges of Internet applications. Aaron Margosis went as far as to claim what I've been wondering (and experiencing) for over a year, that you are better off running as non-admin WITHOUT anti-virus than you are running as admin WITH anti-virus.

Over a year ago I had switched my wife's account over to an Administrator account because she was calling me at work weekly for help logging in as admin to install the latest kids software from the library. (Future rant topic, kids games that need to be installed.) She only browsed to safe sites and the kids aren't old enough to go finding warez so all was well until she opened an attachment sent by a virus on her brother's computer. Fortunately Stinger was able to remove it and I set McAfee up on guard duty.

A few months later my teenage sister came to visit for a week. She wanted to install a few games and I had McAfee, so I made her account an Administrator account. A couple of days later I used the computer and found that IE had an annoying browser helper app. My sister said she didn't install it, but that it just appeared when she went to some site. McAfee didn't protect against it so I ran the gauntlet of anti-malware software. None of them could remove it. So, I re-installed and everyone was a limited user. I asked my sister to browse to the sites she had been to before the trouble started. At one of the sites the browser helper appeared. I logged her out and logged into my account. No helper app. The damage was isolated to her account which was easily deleted and re-created.

For the rest of the year's subscription for McAfee I dealt with their software's annoying borderline LUA bugs (having to Graphically log in as an Administrator to update, multiple update notification processes running instead of installing as a system service, etc) and didn't see it find or protect us against one virus, so I didn't renew. I just run ClamWin occasionally to see what kinds of junk has accumulated in the IE Temporary Internet Files. (I personally browse with Firefox but the kids often use IE.)

At work most people run with Administrator privileges and complain about their anti-virus software pestering them to death with questions and announcements and eating up their system resources. I run as limited user with Firefox, Thunderbird, text-only email and only installing software from trusted sources. Guess who doesn't get viruses (again, I scan occasionally with clamwin runas admin to see what's there).

I would love to see a comprehensive test of what viruses are blocked or limited by running as a limited user on XP. Mike L. at gnuman.com has written about a small test. If you know of such a listing or have done the testing, please let me know about it.

Post a Comment