Delen via


Anti-virus vs. Non-Admin

This may be controversial, but I truly believe it and I'll say it:

With today's threat landscape and the way malware works today, you are better off running as non-admin WITHOUT anti-virus than you are running as admin WITH anti-virus.

If your anti-virus/anti-spyware/anti-malware software requires that you run as administrator in order to protect you, GET RID OF IT. It is not worth the cost. As Paul Coddington put it, it's "sort of like having a burglar alarm that only works when your house is unlocked and the doors are open."

Most if not all of the most prevalent malware out there today simply will not work if it runs with non-admin privileges. That will change over time -- especially after the release of Windows Vista -- which is why I preface my assertion with "With today's threat landscape". Hopefully by then, anti-malware solutions will have changed, too.

[Addendum - June 4, 2006, 2220 EDT] I would like to clarify one point: If you are running as non-admin, you are better protected if you have good, up-to-date anti-malware that works well as non-admin than if you have no anti-malware protection at all. (On the other hand, if the anti-malware contains bugs in high-privilege code or exposes other elevation of privilege paths, maybe you're not!)

Comments

  • Anonymous
    June 02, 2006
    The comment has been removed

  • Anonymous
    June 02, 2006
    Agree!

    Especially in the light of all those problems with antivirus software lately

  • Anonymous
    June 02, 2006
    So basically running Windows Vista without any antivirus means that wee will be, thanks to UAC, better protected than we even could be in Windows XP?

  • Anonymous
    June 02, 2006
    The comment has been removed

  • Anonymous
    June 02, 2006
    The comment has been removed

  • Anonymous
    June 02, 2006
    Bucky - I don't disagree with your advice to replace rather than get rid of the AV.  My point is that the malware that is most likely to infect users today doesn't attempt elevation of privilege because it assumes it's running fully-elevated already.  It won't run or propagate as non-admin.  You are better protected running as non-admin without AV than running as admin with it.

  • Anonymous
    June 02, 2006
    ... but you are BEST protected by running as non-admin with an AV running that works with LUA. I think that really needs to be said.

  • Anonymous
    June 02, 2006
    Walker:  And now you have said it, and so it has been said. :-)

    THAT said, I have set up numerous relatives with non-admin accounts and usually no AV, and they have had NO problems with malware.  My mother-in-law recently bought a new computer from a major OEM.  It came with a popular AV product from a major security vendor.  I set up her non-admin account and left the AV in place at first, but it didn't work well as non-admin, so I eventually uninstalled it.  No problems with malware since.

  • Anonymous
    June 02, 2006
    The comment has been removed

  • Anonymous
    June 02, 2006
    Hi Aaron, I know this is not what you meant, but the blog entry does look like you are saying that you can dish your antivirus if you are using non-admin accounts.

    Since that would be incredibly bad advice (and we also don't want the distorted recommendation to be next Slashdot headline), I suggest you could clarify it in the blog entry. Get rid of your non-LUA aware antivirus, but get another one that works ok!

    btw I'm glad your mother-in-law never got a malware in these three years without AV. I've got several friends who run Mac without AV who haven't either. But I don't consider them to be safe, only untargeted for the moment. It is trivial to write LUA-aware malware, just like it is trivial to write Mac OS malware, it wasn't done just because of it wasn't necessary. Yet.

  • Anonymous
    June 03, 2006
    I agree that when Vista is released, malware writers will change their habits.  Right now, it is possible to get malware such as keyloggers running when a user logs on and all this can be installed when the user is running as non-admin (albeit it will only run with the interactive user and not all users), but we'll see even more of this when Vista comes out.

  • Anonymous
    June 03, 2006
    The comment has been removed

  • Anonymous
    June 03, 2006
    The comment has been removed

  • Anonymous
    June 04, 2006
    Andrew - the SAFER approach is better than running everything as admin always, but it's not as good as running everything as non-admin and elevating specific tasks on an as-needed basis.  What if some malware drops some code on your system - maybe in your My Documents folder or elsewhere in your profile that it's allowed to write to, and puts a shortcut to it in your Run key (which lots of malware does)?  Result:  the next time you log on, that malware runs as full admin.

  • Anonymous
    June 04, 2006
    The comment has been removed

  • Anonymous
    June 05, 2006
    The comment has been removed

  • Anonymous
    June 08, 2006
    The comment has been removed

  • Anonymous
    June 09, 2006
    Joyce, that site just looks like a thin shell around Google ads.  And I still maintain that some (not all) AV will leave you worse off.  Be especially careful of random tools you find on the internet - a lot of free so-called anti-spyware tools actually install spyware and keep it from getting removed.

  • Anonymous
    June 09, 2006
    The comment has been removed

  • Anonymous
    June 13, 2006
    The comment has been removed

  • Anonymous
    June 14, 2006
    The comment has been removed

  • Anonymous
    June 14, 2006
    Leolo, that's a good question -- I had thought about that scenario too.  If malware is already running arbitrary code on your desktop, there are lots of other similar DoS attacks it could mount without invoking elevation windows, and which it can also do on current versions of Windows.  For example, it could create a bunch of always-on-top windows that always grab focus and prevent you from getting to anything else on your desktop.

  • Anonymous
    June 14, 2006
    Hi,

    Thanks for your reply. I hadn't thought of that. But you're right, once malware is running on your system I guess is already too late :(

    Regards.

  • Anonymous
    June 15, 2006
    Hey Aaron,

    I am an IT intern at a company that recently began placing new employee accounts in the "users" group instead of the "power users" group that they were traditionally placed in for reasons that were mentioned above.  From what I hear it eliminates pretty much every problem but also eliminates few needed privileges here and there that we can't seem to get back; namely, downloading activeX controls.  I've researched for a couple days now and have tried messing with IE settings (seems to be a higher problem than this) as well as group policy settings for add-ons, but it almost seems impossible to give non-admin groups certain privileges, even when the admin tries to allow it.  The only solution we can think of is to create a whole new group that resides somewhere between admin (power user) and limited user that will have totally custom settings... something that will take awhile to create just to allow one little privlege.

  • Anonymous
    June 15, 2006
    The comment has been removed

  • Anonymous
    June 15, 2006
    The comment has been removed

  • Anonymous
    June 17, 2006
    So, what AV solutions do not require admin?

  • Anonymous
    June 17, 2006
    The comment has been removed

  • Anonymous
    June 19, 2006
    PingBack from http://blogs.msdn.com/aaron_margosis/archive/2005/04/18/TableOfContents.aspx

  • Anonymous
    June 21, 2006
    The comment has been removed

  • Anonymous
    June 21, 2006
    The comment has been removed

  • Anonymous
    June 22, 2006
    The comment has been removed

  • Anonymous
    June 23, 2006
    Hi Aaron. Not sure how to respond to your comment to my posting at the location of the comment, so I am filling in the form and suspect this will just get added at the end. Anyway, about my comment about active-x. Active-x is non-standard IE specific code, and, according to IE messages when running IE, it can cause harm. Firefox by default does not allow active-x, causing poorly coded and designed websites not to work properly in Firefox. Hope that clarifies my comment. I figured that's where you were going, but whether your comments are accurate (I may disagree), they're not relevant in this context.  That's the point I was trying to raise.  --Aaron

  • Anonymous
    June 29, 2006
    The comment has been removed

  • Anonymous
    July 04, 2006
    The comment has been removed

  • Anonymous
    July 05, 2006
    The comment has been removed

  • Anonymous
    July 06, 2006
    If your smart enough to run as non-admin then your smart enough not to visit sites that are harmful nor open up stupid emails. Its obvious that this will not work for the average joe!  

  • Anonymous
    July 06, 2006
    The comment has been removed

  • Anonymous
    July 07, 2006
    yes thats correct, but a standard disclaimer from ms is,

    "In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site."

    and this is supposed to be mitigating factor.  I've always kinda laughed at this statement

    don't get me wrong I actually agree with what your saying and its exactly how I've been configured for ten year but its a requirement to have at least a natting router(firewall is nice) between you and the inet.

    there are alot of ms and non ms apps that don't run as a normal user within a corporate environment its easy to deal with, but to the average joe its confusing.  

    thanks and keep up the good work!

  • Anonymous
    July 09, 2006
    The comment has been removed

  • Anonymous
    July 21, 2006
    We should have a list of AV software that runs perfectly under LUA.

    So far I know AVG Free Edition runs great.

  • Anonymous
    August 23, 2006
    Sophos runs fine under a LUA. I'm not convinced on running without AV software though. Worms and other nasties don't care what user level you are, and there's plenty of others that exploit things to gain higher priviliges. Not only that, but you can still get stuff installed in the browser, etc. I honestly wouldn't feel happy running without AV.

  • Anonymous
    September 22, 2006
    The comment has been removed

  • Anonymous
    September 30, 2006
    is it a myth that there are AV out there that runs in LUA?

  • Anonymous
    December 17, 2006
    Hello everybody, I'm convinced that to have a computer Non-Admin is better since we navigate carefully or use the computer with care but how to make a coputer Non-Admin ? Please apologize my ignorance.

  • Anonymous
    January 09, 2007
    Hello everyone, I searched some useful antivirus tools for protect my computer, after free trial many tools, i find RunSafe program is very useful.

  • Anonymous
    January 11, 2007
    Ok, I'll admit it. I've been living dangerously for the last several years. Simply put, I refuse to install any kind of antivirus or personal firewall software on any of my systems. This includes a Windows XP Home system that was used by my children as

  • Anonymous
    March 23, 2007
    The comment has been removed

  • Anonymous
    May 06, 2007
    The comment has been removed

  • Anonymous
    June 15, 2007
    The comment has been removed

  • Anonymous
    June 22, 2007
    The comment has been removed

  • Anonymous
    July 03, 2007
    Thanks for the follow-up, Aaron. Interesting to hear that you are running Vista as a member of the Administrators group. Concerning 'never elevating anything': I'd be concerned when running as an administrator that I would inadvertently elevate an application simply by entering text into another application at the same time that the first application forces the focus to change to the 'elevation prompt'. These kinds of focus changes happened frequently with WinXP; is it no longer a problem with Vista? In any case, when running as a standard user, the 'elevation prompt' requires the input of an administrator's complete password--something nearly-impossible to enter inadvertently. Is this a valid concern, in your opinion? [Aaron Margosis]  From this UAC blog post: UAC prompts will not “steal focus” from the user’s task. If the operating system cannot determine that the prompt was generated from the foreground window the current user is using, we will alert the user with a highlighted operation in the taskbar that an application is requesting elevated privileges. The user can select to elevate at his or her convenience and not be disrupted by an unplanned application elevation. Also, in the simple "consent" dialog case, the "approve" option ("Continue" in US English versions) is not the default, so it's not as likely to be approved inadvertently. Based on your comments, for a small business (i.e., non-domain) user, for AV, anti-malware, and firewall, do you think that a combination of a basic third-party AV package, Windows Defender, and the internal Windows Defender is sufficient? Do you think that something like NIS is overkill? And all this while running with an administrator account? [Aaron Margosis]  Hmm, I'm not prepared to make a general recommendation one way or the other on that.  What works for me may not be right for you.

  • Anonymous
    July 03, 2007
    Thanks, again. Obviously, my last paragraph should have read: "Based on your comments, for a small business (i.e., non-domain) user, for AV, anti-malware, and firewall, do you think that a combination of a basic third-party AV package, Windows Defender, and the internal Windows Firewall is sufficient? Do you think that something like NIS is overkill? And all this while running with an administrator account?"

  • Anonymous
    August 23, 2007
    The comment has been removed

  • Anonymous
    September 14, 2007
    Table of Contents - blog posts on Aaron Margosis' Non-Admin WebLog

  • Anonymous
    September 30, 2007
    The comment has been removed

  • Anonymous
    November 11, 2007
    The comment has been removed

  • Anonymous
    June 23, 2008
    LUA works quite well, been running it for years combined with SuRun and Avira and am yet to be infected. Avira updates fine under LUA. SuRun makes it a breeze to access admin features when needed just like Linux and I highly recommend it for those considering to run as LUA.

  • Anonymous
    December 17, 2008
    The comment has been removed

  • Anonymous
    February 25, 2009
    So does anyone know of any malware than will infect an xp machine while running as a LUA user. I have a tech that claims he has seen it happen.

  • Anonymous
    April 02, 2009
    > So does anyone know of any malware than will infect an xp machine while running as a LUA user. I have a tech that claims he has seen it happen. Yes, it happened on my PC. Since than I am using LUA + SRP (software restriction policy) + kafu.exe SRP: http://www.mechbgon.com/srp/ KAFU: http://www.wilderssecurity.com/showpost.php?p=1190510&postcount=93 More on the subject here: http://www.wilderssecurity.com/showthread.php?t=200772 Tom

  • Anonymous
    April 07, 2010
    The comment has been removed

  • Anonymous
    March 17, 2011
    Hello, I've been running Non-admin for several years without AV, until I "stumbled over" an unsecure page that turned my screen blue. I bought now AVG Threat Labs (www.avgthreatlabs.com/.../about ) and I can download website reports and see where the threats are lurking if I am not sure about a particular website. However, I still run as non-admin.

  • Anonymous
    April 07, 2011
    John, misunderstood, you must have bought an AVG antivirus (www.avg.com/.../internet-security) and not the AVG ThreatLabs - that is their website rating and security site.

  • Anonymous
    April 13, 2011
    John, I think you’re are a bit confused. AVG ThreatLabs is a threat detection website and not a piece of software . TL is a cool tool though, as it helps keep you safe when visiting any site.

  • Anonymous
    April 19, 2011
    John, Hey, I'm quite sure you didn't buy AVG ThreatLabs (http://www.avgthreatlabs.com) as that is a site dedicated to security ratings and is not antivirus software (www.avg.com/.../internet-security). TL is a very useful site which tells you about site threats.

  • Anonymous
    June 01, 2011
    I agree with this premise ABSOLUTELY whole-heartedly ..

  • Anonymous
    June 02, 2011
    The comment has been removed