Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Is Account type a protection - also sandboxed browsing


  • This topic is locked This topic is locked
4 replies to this topic

#1 wibble2

wibble2

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:06:24 PM

Posted 21 November 2010 - 08:08 AM

I've just been reading some of the tips for avoiding infecion in the sticky posts of this forum, and could not find any mention of using a standard windows user account rather than an adminstrator type account which is often the default for PCs and laptops with preinstalled windows.

When you are logged into a standard windows user account, you do not have write permission to lots of the system files and folders.

Does this mean in practice that web browsing from a standard user account offers some protection from infection ?

I'm guessing that being logged-in as a standard user means that whatever malware gets executed by the browser will be unable to modify system files - though there may still be some other areas where some malware may be stored.

Also, I've heard that the Chrome browser runs in a sandboxed environment. Will this also help to block malware infections?

Any thoughts on any of this?

BC AdBot (Login to Remove)

 


#2 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,707 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:24 AM

Posted 21 November 2010 - 10:10 AM

Yes, working with a Least-privilege User Account (LUA) offers protection against most malware, especially malware that requires administrator/system rights to become persistent.
The way you work with a LUA depends also on the version of Windows you use. Things changed significantly with Windows Vista. What version do you use?

The goal of sandboxing is to prevent malware to make persistent changes to Windows. But many sandboxing technologies do not prevent read access. So if malware is designed to steal information while being sandboxed, it will be able to do so.

Edited by Didier Stevens, 21 November 2010 - 10:11 AM.

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019
MVP_Horizontal_BlueOnly.png

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,597 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:24 PM

Posted 21 November 2010 - 10:59 AM


.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#4 wibble2

wibble2
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:06:24 PM

Posted 21 November 2010 - 04:36 PM

Thanks for the info and links.

I'm using Vista. While logged into a Standard User account the other day I got a AVG popup box warning about a "Phoenix Exploit" - I ran a couple of detection tools metioned on these forums, and also ran the AVG Rescue CD and none of these specifically mentioned a virus or rootkit detected.

Another poster mentioned that the same thing had just happened to them, but they were getting random browser redirects. I'm not getting redirects at all, so I am hoping that running as Standard User has saved me from getting an infection.

I note that one of the links you mentioned says that a user mode infection can be installed via the HKCU part of the registry so that some malware may start up when the same user logs in, and it can then write to all other processes run by that user (including Windows Explorer), This sounds serious, but it should be easier for anit-virus software to find - I suppose this is because it can only(?) start up by an entry in HKCU.

... and in that case, wouldn't a simple System Restore (to a date before the infection) be a reliable way to disable any user-mode infection ?

So if malware is designed to steal information while being sandboxed, it will be able to do so.


Right. So if using Chrome, it may be possible to get a malware infection that can read data and keystrokes from your PC; but when you close Chrome the malware will disappear permanently until the next time you visit a web site that causes another new infection?

If so, then I'm assuming that before using (say) online banking you should close all instances of Chrome, then open a new instance just for doing online banking ?

Edited by wibble2, 21 November 2010 - 04:43 PM.


#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,597 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:24 PM

Posted 21 November 2010 - 04:45 PM

Your log is posted here.

After posting a log for analysis and help with malware infection, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a Malware Response Team member, nor should you continue to ask for help elsewhere including the AVG forums. Doing so can result in system changes which may not show it the log you already posted. Further, any modifications you make on your own may cause confusion for the member assisting you and could complicate the malware removal process or make things worst which would extend the time it takes to clean your computer.

From this point on the Malware Response Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the Malware Response Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have posted your log and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the Malware Response Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another Malware Response Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic until you are cleared by the Malware Response Team. If you still need assistance after your log has been reviewed and you have been cleared, please PM me or another moderator and we will re-open this topic.

Good luck with your log.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users