Run as Administrator


Tabvla

Aura, thank you for your reply.  

 

Assume the following (NOTE: only applicable to Windows OS):

 

1.  User is logged in with an account with Standard privileges (W8.1 and W10)

2.  The User runs a Threat Scan

3.  MBAM reports Malware or PUP or other

4.  User follows standard procedure and instructs MBAM to quarantine unwanted items

5.  MBAM completes the procedure and apparently quarantines the items

6.  User now believes system is safe

 

Problem

 

Because the User was logged in with Standard privileges the unwanted items are NOT quarantined.  The items will only be quarantined if the User is logged in with Administrator privileges.  The system is therefore still just as vulnerable as it was before the Scan but the User is unaware of this.

 

Solutions

 

1.  If the User has an MBAM Icon on the Desktop they can Right-click the Icon and from the pop-up Menu, select "Run as Administrator".   If the User does not have a Desktop Icon then this option is not available.

 

2.  Most Users will have an MBAM Icon in the Taskbar.  Therefore it makes sense to add the "Run as Administrator" to the Taskbar MBAM Icon pop-up Menu.

 

T.

 

 


User account defines the user privileges/permissions and by the OS, not by the application..

 

There are many ways for the user to go for application run at elevated levels (with Admin password, if a Std user)..

 

Application granting control, while on run, is unheard of and will void OS control..


Perhaps my suggestion has been misunderstood.

 

In a Windows environment any program can be "Run as Administrator" providing the User with Standard privileges knows the Admin password - commonly known as UAC.  This includes MBAM which can be run with elevated privileges if the User Right-clicks the program Icon and selects "Run as Administrator". 

 

Therefore I am not suggesting anything new that does not already exist in both the OS and MBAM.  All that I am suggesting is that the "Run as Administrator" option be added to the Taskbar Icon pop-up Menu.  UAC will activate and if the User knows the Admin password they can proceed.

 

I would like to refer to Post #5 by Exile.  Premium does not run with elevated privileges if the User is logged in as a Standard account.

 

For reference I quote the following by Firefox

 

 

If you are doing a manual scan in a limited account, it needs to be Run As Administrator or it will not have the needed rights to remove the infections.

 

If you have a scheduled scan being performed, make sure the scheduled scan was scheduled while logged in as an administrator account.

 

T.

 


You can press the Windows key, and enter "mbam.exe" or "Malwarebytes" to bring up the program icon, right-click on it and select Run as Administrator. Personally, I'm not a person who likes context menus to be bloated when an option can easily be avoided and/or already exists somewhere else, like the Run as Administrator one.


This is something we intend to fix. In a later release they plan to modify how realtime protection functions so that it will always have SYSTEM level privileges thus eliminating the need for Premium users to run the scanner as admin from limited user accounts. When I posted what I did I was under the impression that they'd already made that change so I apologize for the incorrect info.

Hi @exile.

 

When a Standard user doesn't have the OS privileges / permission to access critical areas, and needs to specifically ask for it by running the app as Administrator with a valid Admin password, how can MBAM by-pass this OS control and run with full privileges??

 

If apps can by-pass this control, and access critical areas. user accounts/privileges/OS permission all stand vulnerable, a very serious flaw. and un-likely scenario..

 

Further, only a 'running app' will be present in the Systray/Taskbar, and a running app, as stated above, cannot grant / alter the user permissions.. The user only will have to set the executable file properties to 'Run as Administrator' and then run it (and not while 'it is running')

 

Yes, the application may then, when running check 'whether it is run with required privileges' and if not, may prompt the user for 'required privileges'..


It is accomplished by using a service which runs when the computer starts. We'd simply have our service (mbamservice.exe) launch the UI (mbam.exe) with the same privileges that it has, which is currently SYSTEM (the SYSTEM account has higher than/the equivalent to admin privileges). UAC (and even versions of Windows prior to Vista which had no UAC) does not restrict a privileged process (in this case mbamservice.exe) from creating child processes (in this case mbam.exe) with the same privilege level that it has. In fact, many existing AVs already function this way and have admin privileges within limited user accounts (Kaspersky Antivirus, for example, I know for a fact does this). That's also why, even in admin accounts when UAC is enabled and you launch the UI of your antivirus and perform a scan, there is usually no UAC prompt even though the scanner is fully capable of accessing, deleting from and writing to all areas of privilege (such as system folders) on the PC.

Oh.. This changes, the entire outlook to user account permissions.. Now whether, application launch at startup the criteria, for control by-pass, or not a binding requirement (ie. can an application launched anytime during the login session, can also override the account/control privileges)? or rather, when a standard account run, is said to be safe, to prevent access to critical system areas, can a malicious application, override it anyway?

 

Pl. confirm, as I'm very concerned.. Tks..


Yes, it does indeed override UAC and similar technologies, however to do so such an application's installer must be approved by a system administrator (hence the UAC prompt when installing any application that installs a driver or service on the system, like Malwarebytes Anti-Malware does as well as AVs).

To guard against malicious use, such processes cannot be modified or manipulated by user mode processes so there is still protection in place to prevent unapproved malicious processes from using such processes/services to bypass UAC.

As for how safe/secure it is, I can't really speak to that as it is all per Microsoft's specifications, but I do know that since the implementation of User Account Control in Windows Vista and newer operating systems that the vast majority of malware now runs in user mode in order to avoid UAC prompts which also means that typically only the user account active when the infection installs itself on the system is affected. Of course this is not true of all malware since threats like ransomware and rootkits require drivers and higher levels of access, but typical run of the mill malware is designed this way so that users cannot stop the payload from installing on the system by simply clicking 'No' to a User Account Control prompt. This also means that limited user accounts aren't nearly as useful or effective as they once were for thwarting malware attacks and since the implementation of UAC in Windows, even admin accounts are just about as safe as limited user accounts (as long as UAC is turned on, of course).

This is also the reason that once a service is installed, all of which run with at minimum admin level permissions, and usually SYSTEM level permissions, you don't see a ton of UAC prompts to allow each one to launch when the computer boots up, even when logged into a limited user account (though even in an admin account, when UAC is active, you will still see UAC prompts whenever launching any normal application, like MBAM Free, when it requires admin permissions).

So what we would do is basically modify the way that MBAM works so that its service would be used to launch the UI/tray process, thus giving the scanner the same level of access and permissions that our service (which is used for realtime protection) has, thus eliminating the need to ever have to run the UI/scanner as admin for Premium users when MBAM is set to start with Windows, even under limited user accounts. Of course, if MBAM is not configured to run at startup, you'd still need to approve a UAC prompt in order to launch MBAM, otherwise it would not be able to start and launch its services.


Hi exile360

 

I see no reference in this Technet article on 'UAC' https://technet.microsoft.com/en-us/library/cc709691(v=ws.10).aspx, about overriding of UAC..

 

As far as I understand, the article says about 3 requirements for privileged access/run, an administrative token for applications (with 'Run as Administrator' option), local Administrator login/authentication, user consent to UAC prompt.. These requirements seem to be mandatory, for any administrative activity..

 

Citing the example of 'Disk cleanup' run, emphasizes on user consent & UAC..

 

On consent at the time of installation will do away with UAC/user consent later, effect on startup-items and overriding UAC, no reference is made.. No clarity as such..

 

Sorry, I'm at sea now and need help to get it right.. Tks in advance..


It's the user token I believe. A process which is running in memory can pass its user token which grants it access/privileges/permissions to a child process that it launches. You can test this yourself by launching Task Manager and terminating explorer.exe then choosing 'Show processes from all users' which puts Task Manager in admin mode and then click File>New Task (Run...) and in the Create New Task dialog box check the box next to Create this task with administrative privileges. and type explorer and press Enter. The Explorer window you just launched is now running in admin mode so any process you use it to run will be running as administrator without any UAC prompt. You can test this by copying a text file (or any file) from a user accessible location such as your documents or desktop and pasting it into your C:\Windows folder which would normally require permission from an admin to write to. You'll find that the file copies to the location without any UAC prompt. If you then close that particular Explorer window and then navigate normally to C:\Windows and attempt to delete the file you copied there, you will receive a UAC prompt and will be required to approve the deletion of the file. Additionally, any process that you launch (such as a program shortcut for Malwarebytes Anti-Malware if it isn't running currently) will be launched with full admin permissions and you'll get no UAC prompt to execute it. You can test that one by exiting MBAM from the tray, verifying that its services are no longer running by checking Task Manager (mbamservice.exe and mbamscheduler.exe as well as its main UI/tray process mbam.exe), then using that admin mode Explorer window to launch MBAM's shortcut from the desktop or START menu, or by double-clicking its main EXE, mbam.exe directly located in your Program Files/Program Files (x86) folder under the Malwarebytes Anti-Malware directory.

To get Explorer back to normal simply terminate it with Task Manager once more and perform the same step as before but this time without checking the box next to Create this process with administrative privileges.

As for startup items, the only ones that have this special capability to run with higher user credentials without a UAC prompt are services (located in the registry under HKLM\SYSTEM\CurrentControlSet\Services) and the RunOnce keys (though I believe the RunOnce key might vary by OS, though the services are consistent). As I understand it, this occurs because services are considered non-interactive processes that run outside of the current Windows session (basically, they launch before any user logs on thus there are no user credentials to be had technically). But it still holds true that such services can launch an interactive process such as the UI/tray module for an antivirus application, which as I explained before is how many AVs tackle this very issue with running under limited user accounts yet still being capable of removing malware which might be located in protected locations without the necessity of a UAC prompt or running as admin to do so. They also sometimes simply have the limited/user mode process (the UI/scanner) 'talk to' the service and have the service do the actual work itself or by talking to a driver (drivers are just like services and in fact are found in the same loading point in the registry which I indicated previously).
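An added example, not code from the thread or from Malwarebytes: a PowerShell check of whether a given process (for instance the scanner UI) actually holds an elevated token, and which account the service that could launch it runs under. It covers both the self-check suggested earlier in the thread (an app checking whether it has the required privileges) and the token explanation above; the mbam.exe and mbamservice.exe names come from the thread, everything else is assumed.

```powershell
# Added example, not Malwarebytes code. Windows PowerShell 5.1 or PowerShell 7 on Windows.
Add-Type -Namespace Win32 -Name Token -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError=true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
[DllImport("advapi32.dll", SetLastError=true)]
public static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
[DllImport("advapi32.dll", SetLastError=true)]
public static extern bool GetTokenInformation(IntPtr token, int infoClass, out uint info, uint len, out uint ret);
[DllImport("kernel32.dll", SetLastError=true)]
public static extern bool CloseHandle(IntPtr h);
'@

function Test-ProcessElevated {
    # Returns $true when the process's primary token is elevated (TokenElevation class).
    param([Parameter(Mandatory)][int]$ProcessId)
    $PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
    $TOKEN_QUERY = 0x0008
    $TokenElevation = 20   # TOKEN_INFORMATION_CLASS value; TOKEN_ELEVATION is one DWORD
    $proc = [Win32.Token]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, $ProcessId)
    if ($proc -eq [IntPtr]::Zero) { throw "OpenProcess($ProcessId) failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())" }
    $token = [IntPtr]::Zero
    try {
        # Querying another account's (e.g. SYSTEM's) token is itself denied to a
        # standard user; that is the boundary the thread is discussing.
        if (-not [Win32.Token]::OpenProcessToken($proc, $TOKEN_QUERY, [ref]$token)) {
            throw "OpenProcessToken failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
        }
        [uint32]$elevated = 0; [uint32]$returned = 0
        if (-not [Win32.Token]::GetTokenInformation($token, $TokenElevation, [ref]$elevated, 4, [ref]$returned)) {
            throw "GetTokenInformation failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
        }
        return [bool]$elevated
    } finally {
        if ($token -ne [IntPtr]::Zero) { [void][Win32.Token]::CloseHandle($token) }
        [void][Win32.Token]::CloseHandle($proc)
    }
}

function Get-ServiceLogonAccount {
    # Logon account of a service (e.g. 'LocalSystem'), matched by its executable name.
    param([Parameter(Mandatory)][string]$ExeName)
    Get-CimInstance Win32_Service | Where-Object PathName -like "*$ExeName*" |
        Select-Object Name, StartName, State
}

# Usage: is this session elevated, is the scanner UI elevated, and which account
# does the service that could launch it run under?
"This session elevated: $(Test-ProcessElevated -ProcessId $PID)"
Get-Process mbam -ErrorAction SilentlyContinue | ForEach-Object {
    "mbam.exe PID $($_.Id) elevated: $(Test-ProcessElevated -ProcessId $_.Id)"
}
Get-ServiceLogonAccount -ExeName 'mbamservice.exe'
```

If the scan ran from a standard account and the UI process reports elevated: False, the quarantine result described at the start of the thread should not be trusted; a StartName of LocalSystem on the service is what the service-launched design above relies on.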

