Um, even if you run as non-administrator on a Windows box, you still need anti-virus, because somewhere on your computer, something is running as an admin, whether you like it or not, and it was likely coded by chuckles the Microsoft programmer, to whom “security” was not even an afterthought.
Great article; it touches on things I have been advocating for years. I used antivirus software for a couple of years back in the late 90s and realized I was still getting viruses. I used to work as a tech and learned much better ways of handling this without costly antivirus software (costly being CPU and resource usage). There is great software out there for ghosting a machine, creating disk images that will not take up disk space and refresh your system back to the way you want it.
Also, you can always reformat your machine, which is what I was doing for a while. But then you have to always reinstall everything. That was costly in time, which is valuable. So in my humble opinion it is best to create a ghost image of your machine how you want it, all your software set up and the settings you prefer. Then when something goes bad just reload the image. There are some small costs I should outline. First, every time you add new software you use often you must create a new image, but how often does that happen? One might also argue every time they do that they will lose their data. But that isn’t true; media and drives are so cheap now that all usable or valuable data should be kept on those mediums so as not to be affected by this process.
Lastly, working with images is a bit tricky at times. It takes some knowledge. But once you get it down it will save you time, money and the headaches that come along with dealing with viruses, spyware and everything else. Oh, and as a fellow developer, it doesn’t restrict your development process by running as a non-admin, which I love! Hope my 2 cents is helpful.
If you want to visit the secret war room like in “Dr. Strangelove” they don’t let 6 billion people in but then check to see who they should kick out, nope, they probably have a list of who should be in there in the first place. If you aren’t on the list, you don’t get in, or at least must have a good reason. I agree with the other Chris about whitelists, it makes the problem more tractable at least. You have a list of things that are permitted in memory and that’s it. You can add a new program to this list, and this is a security hole, yes but maybe you should examine the source before you do so? Closed source? Why use it? How valuable is your data?
Even when running as non-administrator but with the administrator password, when malicious code wants to make system calls (let’s say in Vista), I would expect to see an “allow” or “continue” button. I would believe most users (or those who don’t read your blog) would naively click allow/continue (or type in the admin password).
Viruses are commonly hidden in software people download. Most people want no hassle software and click through whatever they think the system requires for them to get their software.
I am not an average user, but being a software engineer, I am also the proclaimed family IT specialist (such a burden on many of us in technology!). This is probably the #1 reason for infections or malicious code execution in my experience.
This is why anti-virus software is important. I think it compensates for an average user’s naïveté.
Hey dude, your blog is great. It makes me want to blog too. Today’s topic is pretty silly though, but at least it’s doing the blogger’s job of creating a dialogue here.
You could enforce security with a whitelist, but you cannot stop end-users from adding harmful applications to that whitelist. Especially if the file comes from someone they trust.
i tried running as a non-administrator in windows xp for quite a while. my xp partition is solely for gaming and all my email, picture printing, browsing, etc. is done in vista.
i really wanted to play games as a non-administrator. really. i created an administrator account called “installer” and a different “limited account” to run my games. i’d install a game as the installer user, log off, then log in with my gaming account to play.
first i had problems running my saitek programming software. research revealed this program can’t run without some admin privileges. after modifying permissions for specific registry keys i had it working.
the next problem is that anytime there is a game patch released i’d have to jump through hoops to get it installed. here’s how it would go:
log in with limited account to surf web and download patch
log off
log in with administrator account to install patch
log off
log in with limited account again to play the game
what a pain.
some games won’t even run if you aren’t an administrator.
others will exhibit very odd behavior. for example, the original soldier of fortune game was well known for its over the top gore. i installed this game with my installer account. when i went to play it with my gamer account–no gore!?! even performing a “run as…” with admin privileges would not show the gore. i even went into the registry and gave all the soldier of fortune entries admin privileges. no gore. only if i played the game with an administrator account would i see the game how it was intended to be seen.
after about 6 months i gave up, deleted the installer account and made my gaming account an administrator account.
“There’s almost nothing a virus, malware, or trojan can do to a user who isn’t running as an administrator.”
Even if you’re not admin/root/superuser/whatever your OS calls it, a virus/malware/trojan could still write to every file your user-account has write-access permissions for (e.g. all your documents, any songs you’ve composed, your music, picture and movie collection, etc.) which is pretty much all the files I care about.
If I had to choose between losing my personal data files and losing core system files, I’d rather lose core system files, because I can always just reinstall the OS (whether that OS be Windows, Mac or *nix). I can’t just “reinstall” my personal data files.
When running as non-administrator basically this happens: you can not destroy or otherwise modify ‘important’ system data. Included in that is that you can only modify your own data. But think of it, what is more important to mister I-only-write-documents? His ‘C:’-disk that he can repair with one button and a manual of his PC, or his ‘My Documents’ with all his work documents that he forgot to back-up in the past month?
I am not trying to say that running as non-admin is a bad thing, I’m just saying that for average Joe it is nothing at all better than running as admin.
“Why perpetuate the broken anti-virus blacklist model when we don’t have to?”
well, I believe as of now, we HAVE TO.
no offence but blacklisting does save my ass off hundreds of viruses from flash drives and public machine…
well look at Vista and the future I think MS already heard you but it might take some time… I guess you’ll just have to be patient! I believe everyone already realizes part of that it’ll just take some time.
I am of the opinion that most people expect too much of AV software. Most people draw the wrong assumption, and it is because of misleading advertising strategies, that AV software actually protects you from threats. AV software is supposed to complement good practices as a user, proper configuration of the machine/network etc.
What they -AV developers- should be doing, is advertising that their software eliminates the hassles of older and known threats as well as most ‘strains’ of these, and then take a pro-active position in actually warning their users and potential users that the world is an evil place, with new undetectable threats arriving daily that are not going to be blocked until they get a chance to dissect, classify, and send out the detection update.
In all honesty, I’m thinking that the best thing any AV company could ever do is to abandon the age-old tactics and start from the ground up, a new attitude and fewer gimmicks. We need to start towards a system that looks for behaviours in running processes. The amount of triggerable events that can be defined as being ‘harmful’ would be far smaller than any blacklist or detection signatures.
Write another article discussing how much damage a virus could do if you were running Windows in non-admin user mode. Suppose you visited a website that hijacked Firefox with a buffer-overflow and the website installed a virus-infected version of Firefox with a keylogger. It installs firefox binaries within “My Documents” folder, so it doesn’t need any special permissions. It changes the links on the Desktop to launch this infected version.
The next time you ran firefox you would have no clue that firefox was infected with a keylogger. Finally you go to your bank site and every key is logged and sent to a remote host. A browser can encrypt your information and send it to the bank securely, but if the client is hacked, who can you trust?
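A defender-side check for the scenario in the comment above, added here as an example and not written by any commenter: flag launchers whose executable target lives where a non-admin user can write. The protected directory list and the sample shortcut data are constructed assumptions, and the (name, target) pairs are assumed to be already extracted from the .lnk files.

```python
import ntpath

# Assumed default locations that a standard (non-admin) user cannot write to.
PROTECTED_ROOTS = [
    r"C:\Program Files",
    r"C:\Program Files (x86)",
    r"C:\Windows",
]
EXECUTABLE_SUFFIXES = {".exe", ".com", ".scr", ".bat", ".cmd"}

# Constructed sample: (shortcut name, target path) pairs, as if already
# extracted from the .lnk files on a user's desktop.
SAMPLE_SHORTCUTS = [
    ("Mozilla Firefox.lnk", r"C:\Program Files\Mozilla Firefox\firefox.exe"),
    ("Firefox.lnk", r"C:\Documents and Settings\alice\My Documents\ff\firefox.exe"),
    ("Notes.lnk", r"C:\Documents and Settings\alice\My Documents\notes.txt"),
    ("Updater.lnk", r"C:\Program Files\..\Temp\upd.exe"),
]


def normalize(path):
    """Collapse '..' and unify case and slashes so prefix checks are reliable."""
    return ntpath.normcase(ntpath.normpath(path))


def is_protected(target):
    """True if the target sits inside a directory only an admin can modify."""
    t = normalize(target)
    return any(t.startswith(normalize(root) + "\\") for root in PROTECTED_ROOTS)


def audit_shortcuts(shortcuts):
    """Return (name, normalized target) for launchers that run user-writable code."""
    flagged = []
    for name, target in shortcuts:
        suffix = ntpath.splitext(normalize(target))[1]
        if suffix in EXECUTABLE_SUFFIXES and not is_protected(target):
            flagged.append((name, normalize(target)))
    return flagged


if __name__ == "__main__":
    for name, target in audit_shortcuts(SAMPLE_SHORTCUTS):
        print(f"REVIEW {name}: target is outside admin-only directories: {target}")
```

Paths are normalized before comparison, so a target that starts with a protected prefix but escapes it through `..` is still flagged.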
I enjoy the feeling of security I get from running Linux, but even back when I was running Windows I was able to avoid (visible) malware just by never using Internet Explorer and always running questionable executables (e.g. keygens) in a virtual machine.
I agree with you about blacklisting, but I think you’re overestimating the value of not running as admin. The most important files to me are my personal data, my source code and writings and pictures I’ve created, etc. I can easily and quickly reinstall and setup Linux, but my personal data is irreplaceable.
I can easily and quickly reinstall and setup Linux, but my personal data is irreplaceable.
Then of course you regularly back up your personal data, right? To an off-site host (typically, “The Internet”)? Many services out there make this easy, such as Mozy (http://mozy.com/) and Carbonite (http://www.carbonite.com/).
Again: I want to encourage things that work, things that make sense. Anti-virus is neither. I do believe regular backups fit both of these categories.
Now all we need is a primitive anti-virus and a much heavier focus on decent backup tools - which is good for more than just virus damage. That seems to me a much more logical way to proceed. People are currently so focused on an impossible prevention they don’t spend enough time worrying about how to recover from it.
I love the folks who install three anti-virus-“solutions”, and another two personal firewalls, in addition to the built-in firewall.
All active simultaneously, of course.
They really believe that they are this way more protected.
In fact, they are, but only because nearly nothing runs any more.
They effectively managed it this way, to block all auto-update functions, which led to year-old programs like quicktime, full of buffer-overflows.
But they just feel safe, because they threw money away.
It’s a little bit like snake oil.
If you promise you solve a problem, and they only have to pay, instead of learn, most people prefer to pay.
Even if the solution is proven to fail mostly.
I run as admin all the time and don’t use any anti-virus software. The only thing I do not run as admin (via DropMyRights) is firefox and thunderbird. Where else am I going to get a virus? A floppy disc boot sector virus? uhh…right. Don’t download executables from unknown locations and you’ll be fine. I think the last time I had a virus was pre-1990. And yes, it was from a floppy boot sector virus.