App Review: The biggest risk with Windows: LOLBINS

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
Content created by
PC Security Channel
If an adversary has Administrator (Windows) or root (Linux) access, the game is already over. You are complaining that the fire sprinklers didn't go off after you personally handed the arsonist the keys to the water main and showed them how to shut the valve.

Security software runs on the OS. If you execute a command with the highest privileges the OS offers, you are telling the OS, "I outrank the security software. Kill it."

This is not "exclusive" to Microsoft Defender. If I have root on a Linux box, I can kill -9 your precious SELinux or AppArmor processes, unload kernel modules, or rewrite the config files. If I have Admin on Windows, I can instruct the service control manager to stop a third-party AV service just as easily as Defender, provided Tamper Protection isn't effectively hardened.

Stop treating "Admin Access" as a vulnerability in the software. It is a vulnerability in the chain of command. If you let a saboteur into the command tent, don't blame the perimeter guards for not shooting him inside.
 
If an adversary has Administrator (Windows) or root (Linux) access, the game is already over. You are complaining that the fire sprinklers didn't go off after you personally handed the arsonist the keys to the water main and showed them how to shut the valve.

Security software runs on the OS. If you execute a command with the highest privileges the OS offers, you are telling the OS, "I outrank the security software. Kill it."

This is not "exclusive" to Microsoft Defender. If I have root on a Linux box, I can kill -9 your precious SELinux or AppArmor processes, unload kernel modules, or rewrite the config files. If I have Admin on Windows, I can instruct the service control manager to stop a third-party AV service just as easily as Defender, provided Tamper Protection isn't effectively hardened.

Stop treating "Admin Access" as a vulnerability in the software. It is a vulnerability in the chain of command. If you let a saboteur into the command tent, don't blame the perimeter guards for not shooting him inside.
Microsoft made Admin account the default.
 
Microsoft made Admin account the default.
Microsoft recommends Standard User accounts because they adhere to the Principle of Least Privilege.

They provide the tools to secure the house (Standard Accounts, UAC, AppLocker), but they leave the front door unlocked by default because most users would rather be robbed eventually than inconvenienced immediately.

In a corporate environment (AD/Intune), no one gets Admin rights by default. That is a disciplined environment. Home usage is the Wild West.
 
Security software runs on the OS. If you execute a command with the highest privileges the OS offers, you are telling the OS, "I outrank the security software. Kill it."
Well, other security software can be protected from changing settings, smart security apps outrank Windows.
 
Microsoft recommends Standard User accounts because they adhere to the Principle of Least Privilege.

They provide the tools to secure the house (Standard Accounts, UAC, AppLocker), but they leave the front door unlocked by default because most users would rather be robbed eventually than inconvenienced immediately.

In a corporate environment (AD/Intune), no one gets Admin rights by default. That is a disciplined environment. Home usage is the Wild West.
I have installed Win a billion times and not once have I seen any recommendation by MS about using a standard account, neither during installation nor after it.
 
I have installed Win a billion times and not once have I seen any recommendation by MS about using a standard account, neither during installation nor after it.
The Windows OOBE (Out of Box Experience) is designed to get a user from "Box" to "Desktop" with minimum friction. It is not a security audit. Relying on the installation wizard for security advice is like relying on a car salesman for driving lessons.

Microsoft has explicitly recommended the Principle of Least Privilege (Standard User accounts) in every Security Baseline, TechNet article, and Best Practice guide since the Windows NT era.
 
@Divergent has a point o_O seriously 🤔 yes he does :LOL:

In Windows, UAC is not a security boundary; Standard User is. Also, even when you run Admin with UAC, it is better to use a different Admin account for daily usage because of Creator/Owner Access Control List rights. When you run mostly Microsoft applications (like my wife on her laptop) and use your PC as an end user (not as a hobbyist), you can use a standard user account without any problems when you enable the "Allow non-admins to receive update notifications" option in group policy.
 
Well, other security software can be protected from changing settings, smart security apps outrank Windows.
Yes, you are right, and there is also PPL (Protected Process Light) ;) so hell and damnation will not be your fate when running Admin SUA :)

If I remember correctly (but that was years ago, in the Windows 10 age), the core Bitdefender Free protection processes were protected that way (even Admins could not shut them down). At that time Avast Free had not co-signed their processes with Microsoft (so they could be killed by an admin). Also, don't Defender processes run in a VM (Virtualization Based Security or something like that) to protect them from tampering (on compatible hardware)?
 
Well, other security software can be protected from changing settings, smart security apps outrank Windows.
You claim these apps are protected from changing settings?

The ultimate setting change is uninstallation. If I am Admin, I can run the uninstaller. If the uninstaller is password protected (a common feature), I can use my Admin rights to kill the process via a kernel debugger or manually rip the entries out of the Service Control Manager.

You cannot use software to solve a problem caused by giving a user total control over the machine. If you give a user a sledgehammer (Admin Rights), do not be surprised when they smash the security camera (The AV).

A security guard cannot evict the building owner. If the OS says "Die," the application dies.
 
@Divergent has a point o_O seriously 🤔 yes he does :LOL:

In Windows, UAC is not a security boundary; Standard User is. Also, even when you run Admin with UAC, it is better to use a different Admin account for daily usage because of Creator/Owner Access Control List rights. When you run mostly Microsoft applications (like my wife on her laptop) and use your PC as an end user (not as a hobbyist), you can use a standard user account without any problems when you enable the "Allow non-admins to receive update notifications" option in group policy.
Standard user account is offered by MS to limit the ability of inexperienced users to make changes to settings, while keeping this right for those who know (Admin account).

Of course it might limit post-execution damage, but this is not its main use, otherwise MS would make it the default account on Windows install to keep its OS secure.

@Shadowra can tell how many samples were blocked using SUA compared to an Admin account (repeat the test one time for each type of account).
 
The ultimate setting change is uninstallation. If I am Admin, I can run the uninstaller.
Some AVs prevent even uninstallation, and they run as System, not Admin, so they cannot be easily terminated. Admin cannot access WindowsApps by default.
 

Attachment: capture_01172026_182718.jpg
Standard user account is offered by MS to limit the ability of inexperienced users to make changes to settings, while keeping this right for those who know (Admin account).

Of course it might limit post-execution damage, but this is not its main use, otherwise MS would make it the default account on Windows install to keep its OS secure.

@Shadowra can tell how many samples were blocked using SUA compared to an Admin account (repeat the test one time for each type of account).
You claim Standard User Accounts (SUA) are merely for "inexperienced users." This is functionally incorrect regarding OS architecture.

Windows uses Mandatory Integrity Control (MIC). Admin processes run at High integrity; Standard processes run at Medium. This is not about "experience"; it is about physics.

If a "knowledgeable" Admin clicks a malicious link (and they do, frequently; look at the stats for sysadmins compromised via phishing), the payload inherits High integrity. It can write to System32, install kernel drivers, and bury itself in the Master Boot Record.

If a Standard User executes that same payload, the malware inherits Medium integrity. It cannot write to system folders. It cannot install services. It is trapped in the user's profile, making remediation a simple file deletion rather than a re-image.

You argue that if SUA were secure, it would be the default. We have already established that Convenience sells, Security prohibits.

Microsoft defaults to Admin to minimize support tickets for printer installations, not because it is the superior security posture.

In every secure environment (Government, Finance, Defense), the default is Standard User. Are these institutions just trying to stop their engineers from changing the wallpaper? No. They are preventing lateral movement.

The "Shadowra" Test is Redundant
You are asking for a test to prove that a locked door stops more intruders than an open one.

We don't need a "test" to know that Admin+Malware=KernelAccess and Standard+Malware=UserSpaceAccess.

A Standard User account stops 100% of malware that relies on writing to system directories or modifying HKLM registry keys to survive a reboot, unless that malware carries a specific Privilege Escalation exploit (a much higher bar than a script kiddie executable).

Go ahead and try to install a rootkit from a Standard account without typing an Admin password. The OS will simply say "Access Denied." That is not a "test"; that is the architecture functioning as designed.

Security is not about "knowing" how to make changes. It is about ensuring that when you don't know a script is malicious, it doesn't have the keys to the castle.
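The integrity-level argument above can be checked on your own machine. The following audit script is an added example, not code from the thread or from PC Security Channel; it assumes Windows 10/11 with the built-in LocalAccounts module (Get-LocalGroupMember) and whoami.exe, and is meant to be run once as a standard user and once elevated so the two results can be compared.

```powershell
# Added example (not from the thread): report what the current token can actually do.
# Assumes Windows 10/11 with the built-in LocalAccounts module (Get-LocalGroupMember)
# and whoami.exe; run it once as a standard user and once elevated to compare.

function Get-TokenIntegrityLevel {
    # The integrity label is carried in the token as a pseudo-group with an S-1-16-* SID,
    # so matching on the SID works regardless of the OS display language.
    $levels = @{ 'S-1-16-0' = 'Untrusted'; 'S-1-16-4096' = 'Low'; 'S-1-16-8192' = 'Medium';
                 'S-1-16-12288' = 'High'; 'S-1-16-16384' = 'System' }
    $row = whoami /groups /fo csv | ConvertFrom-Csv |
           Where-Object { $_.SID -like 'S-1-16-*' } | Select-Object -First 1
    if ($row -and $levels.ContainsKey($row.SID)) { return $levels[$row.SID] }
    return 'Unknown'
}

function Test-SystemDirWrite {
    # Probe: create and delete an empty file in System32. A Medium-integrity token gets
    # Access Denied here, which is the "trapped in the user's profile" effect in practice.
    $probe = Join-Path $env:SystemRoot ('System32\sua-probe-{0}.tmp' -f [guid]::NewGuid())
    try {
        New-Item -Path $probe -ItemType File -ErrorAction Stop | Out-Null
        Remove-Item -Path $probe -Force -ErrorAction SilentlyContinue
        return $true
    } catch {
        return $false   # UnauthorizedAccessException for a standard user or unelevated admin
    }
}

function Get-LocalAdminAudit {
    $id  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $who = New-Object Security.Principal.WindowsPrincipal($id)
    # IsInRole tests the effective token: an admin under UAC who has not elevated gets
    # $false, because the filtered token does not carry the Administrators group.
    $elevated = $who.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    # Direct members of BUILTIN\Administrators, queried by well-known SID (language independent).
    try   { $admins = @(Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop).Name }
    catch { $admins = @('(query failed)') }
    [pscustomobject]@{
        User             = $id.Name
        IntegrityLevel   = Get-TokenIntegrityLevel
        TokenIsAdmin     = $elevated
        LocalAdmins      = ($admins -join ', ')
        DailyUserIsAdmin = ($admins -contains $id.Name)   # direct membership only
        CanWriteSystem32 = Test-SystemDirWrite
    }
}

Get-LocalAdminAudit | Format-List
```

A daily-use account that shows IntegrityLevel Medium, TokenIsAdmin False and CanWriteSystem32 False is the posture the post describes; DailyUserIsAdmin True means a single "Yes" click is all that separates a payload from High integrity.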
 
Standard user account is offered by MS to limit the ability of inexperienced users to make changes to settings, while keeping this right for those who know (Admin account).

Of course it might limit post-execution damage, but this is not its main use, otherwise MS would make it the default account on Windows install to keep its OS secure.

@Shadowra can tell how many samples were blocked using SUA compared to an Admin account (repeat the test one time for each type of account).
SUA is still estimated today to reduce risk by 80–95%, especially combined with other mitigations.

Microsoft prioritizes convenience over security on the whole. This is perfectly exemplified by the default setting for UAC, which was lowered following its implementation in Vista: "Notify me only when apps try to make changes to my computer."

Microsoft's rationale for the relatively weak default setting and variety of ways to bypass it is that UAC is not a security boundary.
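The slider position this post refers to is stored as three policy values, which can be read and mapped back to the four slider labels. This is an added example, not code from the thread; it assumes the documented UAC policy key and value names (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop) and reads them from HKLM, so it works from a standard account.

```powershell
# Added example (not from the thread): read the UAC policy values behind the slider and
# report whether the machine is at the weak default the post describes.
# Assumes the documented policy key and value names under HKLM (read-only; no admin needed).

function Get-UacPosture {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p   = Get-ItemProperty -Path $key
    $lua = [int]$p.EnableLUA                    # 1 = UAC on, 0 = UAC off entirely
    $cpb = [int]$p.ConsentPromptBehaviorAdmin   # what an admin sees on elevation
    $sd  = [int]$p.PromptOnSecureDesktop        # 1 = prompt on the dimmed secure desktop
    $slider = switch ($true) {
        ($lua -eq 0)                { 'UAC disabled (EnableLUA=0)'; break }
        ($cpb -eq 2 -and $sd -eq 1) { 'Always notify (top of the slider)'; break }
        ($cpb -eq 5 -and $sd -eq 1) { 'Notify only when apps try to make changes (default)'; break }
        ($cpb -eq 5 -and $sd -eq 0) { 'Notify only when apps try to make changes, do not dim'; break }
        ($cpb -eq 0)                { 'Never notify'; break }
        default { "Custom policy (ConsentPromptBehaviorAdmin=$cpb, PromptOnSecureDesktop=$sd)" }
    }
    [pscustomobject]@{
        EnableLUA                   = $lua
        ConsentPromptBehaviorAdmin  = $cpb
        PromptOnSecureDesktop       = $sd
        Slider                      = $slider
        # 5 means "consent for non-Windows binaries only": signed Windows binaries with an
        # autoElevate manifest elevate silently, which is why this level is not a boundary.
        AutoElevatesWindowsBinaries = ($lua -eq 1 -and $cpb -eq 5)
        # 1 = credentials, 2 = consent, both on the secure desktop: the "Always notify" tier.
        Hardened                    = ($lua -eq 1 -and ($cpb -in @(1, 2)) -and $sd -eq 1)
    }
}

Get-UacPosture | Format-List
```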
 
Some AVs prevent even uninstallation, and they run as System, not Admin, so they cannot be easily terminated. Admin cannot access WindowsApps by default.
You point to the WindowsApps folder as proof that Administrators have limits.

Yes, C:\Program Files\WindowsApps is owned by TrustedInstaller by default, and Administrators only have "Read" access initially.

You are ignoring the SeTakeOwnershipPrivilege. This is a specific right granted to the Administrators group.

An Admin doesn't need "permission" to enter, they have the right to change the permission.

Right-click folder -> Security -> Advanced -> Change Owner to "Administrators".

Apply.

Now I own the folder. I can delete it, burn it, or fill it with garbage.

You are arguing that because the janitor locked a door inside your house, you (the owner) cannot get in. You have the master key. You just have to bother to put it in the lock.

Access Control Lists (ACLs) are not laws of physics. They are suggestions enforced by the OS. If you control the OS (via Admin rights), you control the ACLs.
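From a defender's side, the two facts this post relies on are observable: whether the current token carries SeTakeOwnershipPrivilege at all, and whether the WindowsApps folder is still owned by TrustedInstaller. The check below is an added example, not code from the thread; it assumes whoami.exe and the default C:\Program Files\WindowsApps location.

```powershell
# Added example (not from the thread): show which ownership-related privileges the current
# token holds and whether WindowsApps still has its default owner.
# Assumes whoami.exe and the default "$env:ProgramFiles\WindowsApps" path.

function Get-OwnershipPrivileges {
    # whoami /priv lists each privilege present in the token and whether it is enabled.
    # A standard user's token does not contain SeTakeOwnershipPrivilege at all, so the
    # "Change Owner" step in the post is simply unavailable to it.
    $watch = 'SeTakeOwnershipPrivilege', 'SeRestorePrivilege', 'SeBackupPrivilege', 'SeDebugPrivilege'
    whoami /priv /fo csv | ConvertFrom-Csv |
        Where-Object { $watch -contains $_.'Privilege Name' } |
        Select-Object 'Privilege Name', 'State'
}

function Test-WindowsAppsOwner {
    $path = Join-Path $env:ProgramFiles 'WindowsApps'
    try {
        $owner = (Get-Acl -Path $path -ErrorAction Stop).Owner
    } catch {
        # Reading the security descriptor needs READ_CONTROL; if this token is refused,
        # report the owner as unknown rather than guessing.
        return [pscustomobject]@{ Path = $path; Owner = '(access denied)'; DefaultOwner = $null }
    }
    [pscustomobject]@{
        Path         = $path
        Owner        = $owner
        # Anything other than TrustedInstaller means ownership has already been taken.
        DefaultOwner = ($owner -eq 'NT SERVICE\TrustedInstaller')
    }
}

Get-OwnershipPrivileges | Format-Table -AutoSize
Test-WindowsAppsOwner | Format-List
```

Running the first function as a standard user returns nothing, which is the whole argument in one line; an elevated admin sees SeTakeOwnershipPrivilege listed (normally "Disabled" until a tool enables it), and DefaultOwner False on the second function is a tamper indicator worth alerting on.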
 
@Shadowra can tell how many samples were blocked using SUA compared to an Admin account (repeat the test one time for each type of account).
I think many people are confusing certain points.

Yes, switching to a limited account can reduce the attack surface (obviously, each action will need to be validated with an administrator password).

However, you've forgotten one type of malware: Rootkits ;)
This malware seeks to hijack administrator rights in order to prepare for subsequent attacks.
So yes, it can reduce the risk, but it's not a complete defense against everything.
 
I think many people are confusing certain points.

Yes, switching to a limited account can reduce the attack surface (obviously, each action will need to be validated with an administrator password).

However, you've forgotten one type of malware: Rootkits ;)
This malware seeks to hijack administrator rights in order to prepare for subsequent attacks.
So yes, it can reduce the risk, but it's not a complete defense against everything.
A Rootkit, by definition, requires deep system integration, usually installing a kernel-mode driver or modifying the Master Boot Record. A Standard User cannot do this.

To install the Rootkit that "hijacks" the system, the malware first needs Administrative privileges. If you are running as a Standard User, the Rootkit setup fails at Step 1, Access Denied. A Rootkit cannot enter the Kernel unless you (the Admin) invite it in. Standard User is simply the refusal to open the door.

For malware to go from Standard User to Admin/System without the password, it requires a specific vulnerability (an LPE exploit) in the OS.

Common malware (Ransomware, Stealers) relies on the user being Admin. It does not burn expensive, unpatched Zero-Day LPE exploits on random home users. By running as Standard, you force the attacker to be sophisticated enough to have a working LPE exploit. By running as Admin, you force the attacker to be sophisticated enough to... ask you to click "Yes."

Saying "Standard User isn't perfect because Rootkits exist" is like saying "Bulletproof vests are useless because anti-tank missiles exist." Yes, a bigger weapon can defeat the armor, but wouldn't you rather stop the 99% of bullets (commodity malware) that are actually being fired at you?