Beta2 and running as non-admin?

[Rich]

My experience has been that MSAS Beta1 does not really work unless the user,
and all users are local admins. What I've found is that "Scheduled Scan"
and "Check for Updates" do not run if user is non-admin.

I assume this is true and if so, it seems to practically negate MSAS on a
shared computer which has say one admin user and numerous non-admin or
"limited" users. It's very strange for a ubiquitous security product to
have this fundamental limitation.

I also heard that Beta2 might address this. Is this true? And if so, is
there a ballpark release date for Beta2??

Thanks for any informed feedback.

-Rich

p.s. MSAS is an odd product. A lot of people are recommending and using it
(I have done both). When it runs it seems to be quick & efficient (not sure
how thorough it is in finding spyware). But it seems that MS is not putting
much effort into making it truly ready for prime-time, e.g. the
above-mentioned admin permissions requirement.

 

[Guest]

Rich, It is true that MSAS has limitations on a limited user a/c.It will
still find any spyware but if it involves registry keys it will not be able
to fix it because limited a/c's cant access the registry.The big plus for
this program from my point of view is the real time protection.I have being
using it since it first came out and after getting everything in order I am
know used to seeing '0' results for any scan run.It might have it's problems
but that should not detract from the fact that it is very effective.

 

[Rich]

Yeah, the free real-time protection is a plus (even w/ Ad-Aware you have to
pay for that). BUT if updates don't work, including signatures, then it's
value for non-admin users is severely diminished.

I wonder if competitors like Ad-Aware & SpySweeper have these limitations w/
non-admin users? If not, then why wouldn't MS just fix these problems? In
Beta2??

-Rich

 

[Guest]

Rich, The whole issue of non-admin users only became apparent about 14 months
ago.Some software providers are now starting to provide programs that take
this into account.But as long as you have an admin a/c that is doing the
updating then it should not be a major issue.When you refered to updates not
working was that for ltd a/c's or as a general issue.

 

[Lucvdv]

My experience has been that MSAS Beta1 does not really work unless the user,
and all users are local admins. What I've found is that "Scheduled Scan"
and "Check for Updates" do not run if user is non-admin.

I assume this is true and if so, it seems to practically negate MSAS on a
shared computer which has say one admin user and numerous non-admin or
"limited" users. It's very strange for a ubiquitous security product to
have this fundamental limitation.

I also heard that Beta2 might address this. Is this true? And if so, is
there a ballpark release date for Beta2??

Thanks for any informed feedback.

This is a non-issue IMO.

Any files or locations MSAS can't reach when logged on as that user, won't
get infected when running as that user either.


It's the alternative, being able to scan files a user doesn't have access
to, that would be a security flaw.

If a user has no access to a certain file or registry key, that means *NO*
access through whatever software at all, with *ZERO* exceptions - including
any on-demand virus or spyware scanner.

Because real-time protection is running as a service, it will still have
access to those locations to protect them even if some malware does slip
through all access restrictions.

 

[Andre Da Costa]

Rich, I can confirm that the Limited user features will be fixed in BETA 2
of Windows Defender, I am currently running a interim release of the product
on Windows Vista build 5270. The current beta 1 release, which was purchased
from GIANT in December 2004 was originally developed as a single user
application. Microsoft is aware of this it will be fixed in the beta 2
release. In the mean time, please log into Admin accounts to do thorough
scans, and do them in safe mode.
--
--
Andre
Extended64 | http://www.extended64.com
Blog | http://www.extended64.com/blogs/andre
http://spaces.msn.com/members/adacosta
FAQ for MS AntiSpy http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm

 

[Bill Sanderson]

Mike Nash has announced that beta2 will be available in the first half of
2006. Since then, another Microsoft spokesperson has said, I believe, first
quarter of 2006. There have been rumors I've heard from folks that I think
are reliable about an announcement sooner than that-i.e. more information
this month.

That's the best I can manage about a timeline--othewise I believe your
characterizations are correct. I can confirm that beta2 will include a
portion running as a service, and that it will work better in multi-user and
limited versus administrator scenarios.

 

[Bill Sanderson]

But real time protection is not running as a service in the beta1 product.

--

 

[Sooner Al [MVP]]

That's good to hear...

Thanks...

--

Al Jarvi (MS-MVP Windows Networking)

Please post *ALL* questions and replies to the news group for the
mutual benefit of all of us...
The MS-MVP Program - http://mvp.support.microsoft.com
This posting is provided "AS IS" with no warranties, and confers no
rights...

 

[Rich]

I'm talking about the primary user who is *limited* and they stay logged in
at most times. In that case, the automatic MSAS updates don't work
including signatures. I assume that this is just a design deficiency of
MSAS Beta1 but if I'm wrong I would *love* to hear that and how I can make
it work.

Since MSAS controls all of this internally, i.e. it's *not* a Windows
Scheduled Task which has the option of imbedding an admin-user/pwd, I cannot
see any way to get around this.

-Rich

 

[Rich]

Bill,

Thank you very much for confirming that: (a) my problem is typical, (b)
Beta2 should fix it, and (c) Beta2 should be out in the next 1-2 quarters.

With some of the responses I got to "a" I was questioning my
obvservations... I'm glad to know I'm not crazy. ;-)

So one last question about Beta2, which may or may not be answerable...

(d) Will Beta2 be available to legacy (WinXP) users or only to Vista users
as Windows Defender?

I realize this may be caught up in MS's decision on whether to keep sharing
this utility freely or not, and may not be publicly known at this time, but
I figured I'd ask on behalf of all the millions of folks currently relying
on MSAS.

-Rich

 

[Rich]

Don't bother replying... other replies from Bill and Andre have confirmed
what I was looking to confirm. -Rich

 

[Bill Sanderson]

Beta2 will be available to Windows XP users without additional charge--i.e.
without buying one of the subscription services that will also include
it--WindowsOneCare Live and Microsoft Client Protection.

I expect it to be available for Windows 2000 users as well.
--

 

[Lucvdv]

But real time protection is not running as a service in the beta1 product.

I let the process names (gcasServ.exe and gcasDtServ.exe) fool me, you're
absolutely right

That means if you don't log on with administrator rights, spy/malware that
can find a privilege elevation exploit can install itself and the real time
"protection" can't protect because it's running with insufficient rights.

That puts Giant/MSAS straight in the garbage category.

 

[Bill Sanderson]

Extremely useful garbage that has successfully cleaned a great many
machines, and without cost to the users, however.

Beta2 won't work this way--so stay tuned.

--

 

[Lucvdv]

Extremely useful garbage that has successfully cleaned a great many
machines, and without cost to the users, however.

That's a fact, maybe I overreacted a bit

 

[Guest]

That's good to hear. I also run with restricted rights. It's actually a great
way to limit risk of spyware and trojans. In fact, I managed to visit a site
earlier this month that tried to launch a WMF trojan, but it was unable to do
much thanks to the restrictions. My son's system also has been spyware-free
since he's been running without admin rights as default.

The main problem I've been seeing is more of an irritation than a problem.
Whenever I login, I get a bunch of pop-ups asking me if I want to block or
allow various items. They're all safe, so I told it to allow, but I'm
prompted on every login. I'm assuming I don't have rights to the registry key
that remembers my setting and that this will also be fixed in Beta 2.

Does anybody know what the security implications would be by creating a
batch file in Startup to launch Beta 1 using runas /savecred? I'm not sure
where or how the credentials are saved for runas. Are they stored in a secure
location? If so, I'll disable the autostart and use the batch file in All
Users startup to launch Beta 1 with admin rights. It will just be a temporary
workaround until Beta 2.

 

[Bill Sanderson]

Here's the first hit I got with this Google query:

how are runas credentials stored?

http://silverstr.ufies.org/blog/archives/000208.html

I continue to be amazed at Google. I really didn't expect to get "the
answer" out of that query--and I don't think I did--but the links are all
very relevant to the query......


--

 

[Guest]

I guess I should've Googled. I'm usually the one telling other people that
they should've used Google.

I never realized that /savecred worked for any app being launched for the
desired user. I had always assumed that if you were using runas with
/savecred to run an app like MyApp.exe as user SuperUser, that you would have
to type the password in again when you run MyOtherApp.exe. Apparently not,
though. I can definitely see that being a potential security problem, though
somebody would have to guess the name of the user you're using with RunAs.

I guess I'll just wait for beta 2. <g>

 

[Bill Sanderson]

I really did that just as a lark--I've had remarkably bad luck in trying to
find out such details--someone else asked me "What is stored in Microsoft
Protected Storage"--and I never could get a clear answer to that one either.
I think there is some security by obfuscation going on here....

So--I figured the google would yield some laughs, but nothing useful. Wrong
again...
--