Admin accounts: whats it all about?

looking for a decent outgoing program control firewall I come across a thread on another forum where the users and OP were arguing amongst themselves, the discussion was about outgoing protection on firewalls being "useless" ...specifically if you are running your windows as an 'admin' like most window account do... as this means any rootkit etc can bypass your firewall anyway...

im just a little confused here.... do they mean running the computer under the hidden "super administrator" account? or just "regular" administrator account? - I ask because I run my Windows 7 x64 under the default it installs in which is 'regular' admin - all the files i have can be "run as administrator" so Im assuming that under this 'regular' admin account I dont really have 'admin' privelages... ...it all gets a bit confusing... I think what Iam trying to find out is:- am I wasting my time using an outgoing firewall? - if so, why then do they bother with them if they can be bypassed when windows default installs on an admin account? - OR why dont thet mention at install of firewall that account should be dropped to 'standard' account? (I notice Avira do this before...)

im just not convinced that malware can bypass my firewall/Anti-Virus because iam on the default windows installation account and the software company that owns that security could not tell me that its 'useless on current setup' - Avira is the ONLY prog to request drop privelages...

be great if someone could clear this up for me....

this is the topic i was reading

and this qoute (as well as many others) was what made me ask about it

is that person above just assuming that all infections are going to be undetectable rootkits that can bypass everything on your windows 'default' installation? whilst shutting your firewall down in the process? - if an outgoing firewall detects ONE thing then its been worth hvaing... he cant assume that all rootkits/infections are going to do this...

I was going to install an outgoing program control firewall in case anything untoward I may run by accident on my system tries to 'phone home' or allow some hacker access, e.g. (scenario) run a keygen and it pops up "keygen.exe is trying to connect" then you know something untoward is trying to happen and its been stopped and you notified?

I just cant believe that all these software firewalls are 'poop' as the users on that forum make believe and that all your security can be bypassed on default windows installation user accounts because your regular admin. i dont want to join that forum and continue that debate cos by looks of it i will get my head taken off like the OP has .... poor bloke only wanted advice about a good light firewall,...


thanks

 

Ars is a decent site, but it has members to ignore in certain areas.
Several years ago, I used to read comments like this..........'I don't use an anti-virus app because I don't install malware'.
Because he was/is a respected member......he got a lot of agreement.
I do know this member now uses AV .....because he's commented on it since

I use Comodo on a win7 x64 computer because it's highly rated and allows for outgoing control.
I see it as a possible defense against malicious script that's inadvertently been downloaded from a browser session..... and tries to connect to a server to install a rootkit/trojan.

But if you become infected, outgoing control should be considered compromised and either a cleaning of the system or a reinstall done. I keep a drive image around for that possibility.

Running a browser in a sandbox like Sandboxie can be beneficial.
http://www.sandboxie.com/
What gets past your security during a browser session can be eliminated when the sandbox is closed. Also, Sandboxie has a menu that allows whitelisting of what can be run in the sandbox and what apps are allowed to connect to the Internet from the sandbox.

 

Windows 7 firewall has outbound protection, but it needs to be turned on. See control panel> administrative tools > windows firewall with advanced security.

However, it takes trial and error to set up rules properly to allow certain programs outbound. The firewall does not notify you when something trys to call out, it just stops it. So you won't know which executable to specify an 'allow' rule for. When making the allow rule, you have to go to the program folder and try the exe's one by one.

The roles of security software is to deny and then delay. Another well known term is 'layers of security'. So, you keygen scenario is correct, the firewall should provide a layer of protection. While layers of security may all be bypassable, having them will deter some attackers, and delay others, giving you time to uncover/discover that an attack is underway, and take remedial action.

 

thanks

ive gone with Zone Alarm Pro, simply because its light... comodo i found a little hungry on resources but that was some time ago - pretty intrusive too, but a great firewall...

i just cant believe some of the stuff i was reading over that site

so can anyone clear up this admin stuff up? - am i at risk? should i drop to 'standard' - I ask because i actually have stopped using AV's - i never get infected and use sandboxie (although not with browser), i do have AVIRA / SAS to call on for scanning

 

That thread is pretty old
Times change..people change
Running as a standard user is safer as there is less chance of change to the system while running standard.
So there is some truth...but not a black and white issue regarding the firewall
An infection is still an infection and will go out/a software firewall will show such attempts made.
I also run as an admin rather than standard user...I have tried the standard user..but ran into occasional bugs such as missing tray icons that just wouldnt show regardless.


As far as the firewall issue...its always nice to get an alert that a file is wanting to access the internet.
Although an antivirus product may have not caught it...you just did...Thats always makes one feel "privileged"

 

With Vista and Win 7, the regular admin account created after install has the admin token separated but held ready. When you confirm by clicking 'continue', then the admin token is engaged. Also if you choose to run a program as admin, the admin token is engaged. At least thats the way I understand it.

Go here:
http://blogs.msdn.com/b/e7/archive/2009/02/05/update-on-uac.aspx
And read the section on "The purpose of UAC". It takes Microsoft to explain it clearly

I've always used a standard account for daily use since I had Vista.

Here is a document explaining rootkits:
http://docs.google.com/viewer?a=v&q...C9Hc23&sig=AHIEtbSlDO1OE2ppO53nThfw-oZrNjfOUQ

According to that Symanctec document, most rootkits require admin rights to function. So running a Standard user account is safer.