is a "user account" less susceptible to maleware than an admin. account?

[Joe]

It was suggested to me in the community forum for Norton- that a way to less
the chance of malware from web pages is to use a user account rather than my
admin. account because the user account has less access to system resources.

Sounds like a good theory- I'm surprised I haven't heard it before- but is
really that good?

Another, possibly better way to surf risky web sites (such as porn) is with
the use of Acronis backup program's feature "Try and Buy" which apparently
sets up a protected zone on the hard drive and there it mimics system files-
using that, you can try questionable software, load questionable drivers
and/or surf those naughty/dangerous web sites. Has anyone here tried this
and is it really that effective at protecting your system? Supposedly if you
don't like the results of the experiment- you just turn off the system and
you're back to where you started.

Of course having a good AV program and keeping it up to date is critical so
I do that- but I am always thinking of further enhancements in "safe
computing".

Joe

 

[David H. Lipman]

From: "Joe" <[email protected]>

| It was suggested to me in the community forum for Norton- that a way to less
| the chance of malware from web pages is to use a user account rather than my
| admin. account because the user account has less access to system resources.

| Sounds like a good theory- I'm surprised I haven't heard it before- but is
| really that good?

| Another, possibly better way to surf risky web sites (such as porn) is with
| the use of Acronis backup program's feature "Try and Buy" which apparently
| sets up a protected zone on the hard drive and there it mimics system files-
| using that, you can try questionable software, load questionable drivers
| and/or surf those naughty/dangerous web sites. Has anyone here tried this
| and is it really that effective at protecting your system? Supposedly if you
| don't like the results of the experiment- you just turn off the system and
| you're back to where you started.

| Of course having a good AV program and keeping it up to date is critical so
| I do that- but I am always thinking of further enhancements in "safe
| computing".

| Joe


Yes but a femaleware is even MORE susceptible

However about "malware", yes, a non-admin account tends to be much safer but still not
immune.

You said "Of course having a good AV program and keeping it up to date is critical..." so
are you dumping Norton/Symantec for a "good AV program" ?
If you aren't, maybe you should.

 

[FromTheRafters]

It was suggested to me in the community forum for Norton- that a way
to less the chance of malware from web pages is to use a user account
rather than my admin. account because the user account has less access
to system resources.

From your subject line:

"is a "user account" less susceptible to maleware than an admin.
account?"

No, it only limits the scope that malware you do run will have.

Sounds like a good theory- I'm surprised I haven't heard it before-
but is really that good?

Yes, it is *very* good.

Another, possibly better way to surf risky web sites (such as porn) is
with the use of Acronis backup program's feature...

You have misconceptions about both what constitutes a 'risky web site'
and the purpose and limitations of sandboxing.

[...]

Of course having a good AV program and keeping it up to date is
critical so I do that- but I am always thinking of further
enhancements in "safe computing".

Sandboxing and implementing 'least privilege' in the form of non-admin
logons are both very good ideas. Sandboxes may work very well now, but
if everybody used them then malware authors *would* find a way to
circumvent them (they already do to some extent).

 

[Joe]

Cool! I look forward to your results.

And, I'm glad you have Acronis- which I'm now experimenting with on my older
computer before I install it on my main computer. One of the features, "Try
and Decide", supposedly is also a great way to limit malware from web sites-
it uses a special locked section of the hard drive where it mimics system
files- any changes to those while running this feature only changes the
virtual system files in the protected zone. Once you disable it or turn off
the computer- those files are gone unless you decided to save them. So, if
surfing the web in dangerous areas (like porn sites)- then you if
automatically disable Try and Decide- supposedly the system is safe from any
malware. Now, I don't know if this logic is valid but it might be. Somebody
in a Norton community forum suggested that some malware can still damage the
system.

Comments?

Joe

 

[FromTheRafters]

[...]

One of the features, "Try and Decide", supposedly is
also a great way to limit malware from web sites- it uses a special
locked section of the hard drive
where it mimics system files- any changes to those
while running this feature only changes the virtual
system files in the protected zone.
[...]

[...] Try and Decide- supposedly the system is safe
from any malware.

That is, any malware that requires accessing those particular things
that you prevent it from having access to. Mostly this ability to write
to an actual disk is for malware that is designed to be persistent or
recurring.

Now, I don't know if this logic is valid but it might be.
Somebody in a Norton community forum suggested
that some malware can still damage the system.

That's true, but damaging the system isn't the only problem to address
regarding malware.

 

[dominik lenné]

Within a non-admin account any program I deliberately start will have no
admin-rights and so will not have the possibility do dig itself deeply into
the registry or boot sector, as I understand it.

But what about exloits exploiting malware, that is code, that starts by
overwriting more or less arbitrary parts of the cpu associated memory - do
the non-admin-account restriction of rights still apply for that, so that
access to registry and boot sector is blocked? Does the OS somehow contain
events of this kind?

Dominik

 

[FromTheRafters]

Within a non-admin account any program I deliberately start will have
no admin-rights and so will not have the possibility do dig itself
deeply into the registry or boot sector, as I understand it.
True.

But what about exloits exploiting malware, that is code, that starts
by overwriting more or less arbitrary parts of the cpu associated
memory - do the non-admin-account restriction of rights still apply
for that, so that access to registry and boot sector is blocked? Does
the OS somehow contain events of this kind?

If I understand your question, no. There will still be privilege
escalation exploits from time to time.

 

[FromTheRafters]

Within a non-admin account any program I deliberately start will have
no
admin-rights and so will not have the possibility do dig itself deeply
into
the registry or boot sector, as I understand it.

Correct, but it does have access to system resources (else it couldn't
run at all.)

But what about exploits exploiting malware, that is code, that starts
by
overwriting more or less arbitrary parts of the cpu associated
memory - do
the non-admin-account restriction of rights still apply for that, so
that
access to registry and boot sector is blocked? Does the OS somehow
contain
events of this kind?

Dominik

Yes, some malware will do this, and can do it even from a user account.
How it's done depends on the OS, but all software must call system
resources. AIUI, if malware inserts a system call that gives it access
at a deeper level, then it can wreak havoc. This is the method used by
viruses and worms.

[...]

***
A minor point.

Exploit based malware includes true worms, but not most true viruses.
Viruses don't require *any* software vulnerabilities. There is some
confusion on this point because many viruses were written to demonstrate
software vulnerabilities, although the action that makes a virus a virus
is not dependent upon them.
***

 

[dominik lenné]

So, to sum up the answers, working in user account is helpful, but no
guarantee against anything, kind of gradual improvement.

I wonder if it at least makes it easier to remove the thing, should it have
succeeded to install itself.

 

[FromTheRafters]

So, to sum up the answers, working in user account is helpful, but no
guarantee against anything, kind of gradual improvement.

No, it is *very* helpful (still no guarantee).

I wonder if it at least makes it easier to remove the thing, should it
have succeeded to install itself.

In order for it to "install itself" it has to have the admin
credentials. If you or your software allow some malware to execute in a
normal user account, it doesn't have the power to install itself in most
cases. If something does indeed get installed, having a user account has
no effect on removability. The thing is, if admin gets tainted - you're
SOL, if your standard user account gets tainted, it may interfere with
your ability to remove it as a user, but you can still go to admin and
erradicate the beast from there. Malware installed by admin can thwart
attempts to use "System Restore" or "Safe Mode" which are both handy
tools to be able to use. Malware installed as a user cannot (by design)
affect other user accounts (especially admin).