Alexander Suhovey
My answer doesn't seem to get through for some reason. Probably because of
excessive use of the word malware and mentioning particular malware names and
web sites. Basically, I've performed the same experiment as the one that resulted in
the table I was referring to earlier, with almost the same results, and I was trying
to describe the process.
Oh well...
I'll give it another try. See my comments inline.
DevilsPGD said: In message <[email protected]> "Alexander Suhovey"
Well for one, most malware doesn't need to do much of what you described
above. All much of the stuff out there today needs is to run as a
commonly logged-in user, and have the ability to connect out on various
ports (25 being the big one)
I wonder where you get this info, since if I look at, for example,
Symantec's malware database, the first thing most of them do is write
something to %windir% and HKLM. I'll agree that a mass-mailing worm doesn't
need elevated privileges, but most of them assume the user has them. Just like so
many legitimate programs.

Raising the bar from infecting a "PC" to infecting each user's account
isn't raising it very high, especially with fast user switching and
Vista's preference toward standby/hibernate rather than restarting.
Even spyware can live happily in this world; spyware can still read the
user's favourites, history, documents and other personal data and upload
it to the web just the same.
For single-user environments I can see your point, but even there, if
you set up your environment correctly, you can protect parts of your data
that way (think archives here).
Having users run as limited users just makes disaster recovery as simple
as deleting the user profile,
I wouldn't call it "just". And deleting a user profile is the worst-case
scenario, since removing an infection in the case of a standard user is much
easier. Just log on as another (admin) user and scan the offending user's
profile.
rather than a full OS reinstall (which I
will go on record as saying is the *only* way to be sure you've cleaned
a system properly -- even if you know a specific malware's tracks, and
how to remove it, once a system has been compromised you can never know
if a black-hat has gotten in and done further damage, for degrees of
never including levels of analysis in reach of those who get infected in
the first place)
That's my point. In the case of a standard user, it hasn't gotten to the *system*,
only to one isolated part of it. It can't get to the kernel and plant a
rootkit to hide itself. It can't stop/delete firewalls and antiviruses. It
can't even make itself autostart for all users. Yes, it can have access to
everything the user has access to, with the same access level, though.
Let's get something straight. I'm not saying that LUA is a replacement for
any other security levels like patching, antiviruses and firewalls. Not at
all. It does a good job as the last level of defense, limiting the damage if all
other levels fail. And incidentally, since malware authors, just like normal
developers, tend to assume the user has administrative rights, it can break
malware completely, so all it does is terminate abnormally right after it
starts.
LUA is not [all] about protecting you from malware. It is [more] about
isolating users from each other and from the system security-wise, thus
limiting the damage a particular user can do to the system (intentionally,
accidentally or by running malware). LUA is not a panacea, it's just
another level of security, the most basic one. Level zero, if you will.
Again, there's no silver bullet, and different threats require different
solutions.
- A firewall will protect you from remote attacks and will limit malware
network activity, but will not prevent you from getting an e-mail with a worm
and running it.
- An antivirus will detect malware, but only if it has the appropriate signature in
its database.
- Common sense will tell you not to run this attachment, but we all know that
the human is the weakest link security-wise.
- Finally, if all else fails, LUA will limit the damage malware can do.
I can't believe we are arguing about this topic. I thought it was all quite
obvious and could be expressed in the same ole sentence: Don't Run With Scissors.
Try saying something like "Everybody should run as root, LUA is crap, it's
not worth it" on any Linux forum; just let me know which one so I can watch
you being torn apart in seconds.

Umm.. I'll pass
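A PowerShell posture check, added here as an example and not code from the thread or its participants, that probes the locations the discussion contrasts (%windir% and the HKLM Run key versus the user's own profile and the HKCU Run key) and reports which of them a process running as the current user could write to. It assumes Windows PowerShell 5.1 or later and creates only throwaway probe files and values that it removes again.

```powershell
# Added example (not from the thread): show what a process running with the
# current user's token could touch. Under UAC, an administrator's non-elevated
# prompt carries a filtered token and should report like a standard user.
# Assumes Windows PowerShell 5.1 or later; no third-party modules.

function Test-IsAdministrator {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-CanWriteDirectory([string]$Path) {
    # Create and delete a uniquely named file; any failure means no write access.
    $probe = Join-Path $Path ("lua-probe-" + [guid]::NewGuid().ToString("N") + ".tmp")
    try {
        [IO.File]::WriteAllText($probe, "probe")
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch { return $false }
}

function Test-CanWriteRegistryKey([string]$Path) {
    # Create and remove a throwaway value; existing autostart entries are never touched.
    $name = "lua-probe-" + [guid]::NewGuid().ToString("N")
    try {
        New-ItemProperty -Path $Path -Name $name -Value 1 -PropertyType DWord -ErrorAction Stop | Out-Null
        Remove-ItemProperty -Path $Path -Name $name -ErrorAction Stop
        return $true
    } catch { return $false }
}

$runKey = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
$checks = @(
    @{ Scope = "system"; Name = "%windir%";                    Ok = Test-CanWriteDirectory $env:windir },
    @{ Scope = "system"; Name = "HKLM Run (autostart, all users)"; Ok = Test-CanWriteRegistryKey "HKLM:\$runKey" },
    @{ Scope = "user";   Name = "HKCU Run (autostart, this user)"; Ok = Test-CanWriteRegistryKey "HKCU:\$runKey" },
    @{ Scope = "user";   Name = "user profile (%USERPROFILE%)";  Ok = Test-CanWriteDirectory $env:USERPROFILE }
)

"Running as administrator: $(Test-IsAdministrator)"
foreach ($c in $checks) {
    # A standard user should see the two "system" rows blocked and the "user" rows writable.
    $verdict = if ($c.Ok) { "WRITABLE" } else { "blocked" }
    "{0,-7} {1,-34} {2}" -f $c.Scope, $c.Name, $verdict
}
```

Running it once from a standard-user session and once from an elevated one shows the difference the post describes: the same malware path that could write %windir% and an all-users autostart entry under an administrator is confined to the profile and HKCU under LUA.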
