Jump to content
Cleatus

quick user "rights" question--program upgrade related

Recommended Posts

So we got out of the dark ages and took off admin right for users on all of our computers.  Short story long, we have 50 machines in "the field" that we have MWB premium on.  So right after we take their rights away (a good thing), MWB comes out with this new version.  So they are getting pop ups to install it...and now cant due to the rights being set to "user".

Any way around this?  I am fine letting the folks keep MWB up to date and updating it themselves.

yes, we need remote support, etc... but we aint gots it right now...

 

Share this post


Link to post
Share on other sites

***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes 3 Help forum.

 

If you are having technical issues with our Windows product, please do the following: 

Spoiler

If you haven’t already done so, please run the Malwarebytes Support Tool and then attach the logs in your next reply:

NOTE: The tools and the information obtained is safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

  1. Download Malwarebytes Support Tool
  2. Once the file is downloaded, open your Downloads folder/location of the downloaded file
  3. Double-click mb-support-X.X.X.XXXX.exe to run the program
    • You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
  4. Place a checkmark next to Accept License Agreement and click Next
  5. You will be presented with a page stating, "Get Started!"
  6. Click the Advanced tab
    Repair menu_arrows.png
     
  7. Click the Gather Logs button
    Advanced_arrows.png
     
  8. A progress bar will appear and the program will proceed with getting logs from your computer
    Advanced Gather Logs_arrows.png
     
  9. Upon completion, click a file named mbst-grab-results.zip will be saved to your Desktop. Click OK
    Advanced Gather Logs completed_arrows.png
     
  10. Please attach the file in your next reply. Before submitting your reply, be sure to enable "Notify me of replies" like so:
     notify me.jpeg  

Click "Reveal Hidden Contents" below for details on how to attach a file:
 

Spoiler

To save attachments, please click the link as shown below. You can click and drag the files to this bar or you can click the choose files, then browse to where your files are located, select them and click the Open button.

mb_attach.jpg.220985d559e943927cbe3c078b
 

One of our experts will be able to assist you shortly.

 

If you are having licensing issues, please do the following: 

Spoiler

For any of these issues:

  • Renewals
  • Refunds (including double billing)
  • Cancellations
  • Update Billing Info
  • Multiple Transactions
  • Consumer Purchases
  • Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/community/consumer/pages/contact-us to get help

If you need help looking up your license details, please head here: https://support.malwarebytes.com/docs/DOC-1264 

 

Thanks in advance for your patience.

-The Malwarebytes Forum Team

Share this post


Link to post
Share on other sites

Greetings,

Unfortunately like most installers, since they need to write to privileged locations such as Program Files, ProgramData (and particularly in the case of security software that uses drivers, like Malwarebytes, the System32 directory) administrative privileges are required for any new builds to be installed.

Honestly, since the advent of User Account Control in Windows Vista and newer Windows versions there is far less risk in running as an administrative user as long as UAC is kept at its default settings or higher since it prevents any executable/process/user etc. without appropriate permissions to write to/access any privileged locations.  Not only that, but since Vista the bad guys have actually adapted to try and avoid permissions issues and UAC prompts by only installing/running under and writing to local user accessible locations on the filesystem and in the registry, meaning most threats pose the same risk whether the user is logged in as a limited/normal user (or even as the much more limited 'Guest' account) and whether UAC is on or off, so in reality you don't gain much if anything in the way of security against actual modern malware when running under a permissions limited/restricted user account.

This was actually a hot topic of discussion a while back when I was still a Product Manager for Malwarebytes as some members of the team believed that modern threats were succeeding in infecting systems with UAC enabled due to some kind of UAC bypass/exploits, however I told them that this was not the case and that in fact they were simply taking UAC/permissions out of the equation altogether by only running/installing under the local user account, hence my desire to have Malwarebytes start scanning offline registry hives and data locations for other user accounts since we had discovered that, due to most malware now functioning this way, it was much easier to disinfect most systems simply by logging into a different user account from the one that got infected thus enabling Malwarebytes to run and that as long as Malwarebytes would scan the other accounts on the system, it would be able to detect and remove the threats from the infected accounts so that's exactly what we ended up doing and it proved quite successful and Malwarebytes has scanned this way ever since.

So TL;DR: unfortunately program installers require administrative permissions so the only way for a user to perform an upgrade to a new version of Malwarebytes would be to either log in as an admin to perform the upgrade, or download the installer for the new build and manually run it as admin (something made possible by UAC as long as it remains enabled as they can then right-click the installer and run it as administrator).

Share this post


Link to post
Share on other sites

By the way, there is a way around this, however technically speaking it would be a violation of UAC/running as a limited/standard user and that would be to use the MBAMService.exe process or some other privileged process with admin or higher permissions to perform the installation, however as I said, this would technically be against Microsoft's recommended best security practices since installing software is literally one of the primary tasks they call out as being restricted to administrative users for obvious reasons since malware and PUPs can be prevented by not allowing any software to install under such user accounts and/or by shielding it behind a UAC prompt (especially effective if you set an administrative password in UAC so that only users who are allowed to have admin privileges and have the password would be able to install software, so doing so through a process that already has admin or higher privileges like MBAMService would be a violation of that since it would require no UAC prompt/password to execute/install the update).

Share this post


Link to post
Share on other sites
9 hours ago, Cleatus said:

Short story long, we have 50 machines in "the field" that we have MWB premium on. 

Sounds like you need to have the business version on all these computers...

40 minutes ago, exile360 said:

Honestly, since the advent of User Account Control in Windows Vista and newer Windows versions there is far less risk in running as an administrative user as long as UAC is kept at its default settings or higher since it prevents any executable/process/user etc.

Sorry, but on our network, no user has admin rights for more reasons that just installing software.

Share this post


Link to post
Share on other sites
1 minute ago, Firefox said:

Sorry, but on our network, no user has admin rights for more reasons that just installing software.

Sure, my point is that, as far as malware is concerned, UAC at default is no different than running under a limited user account.  If you wish to restrict the users themselves then you can crank up UAC to its max setting and it is identical to running as a limited user (as long as you set an admin password of course and don't provide it to them).

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.