by klt0825 4613 days ago
Agreed, don't run AV at all. It is always fun to take something from Metasploit, see that it is detected by most AVs, change one or two strings that are obvious choices for signatures, and watch detection rates drop to close to 0. Even behavioral or heuristic detection is absurd sometimes (IE is writing into the process memory of notepad? Probably fine). It is a really tough problem to solve, to be fair to AV vendors.
3 comments

>IE is writing into the process memory of notepad

I don't have much experience in this area, but shouldn't that be prevented by the kernel unless IE got specific permission to do so?

Not in most cases as far as I know, unless it is specifically sandboxed.
Dumb question: since modern CPUs and operating systems support virtual memory, shouldn't it be impossible for processes to access memory of other processes, since processes no longer have to deal with shared memory?

...unless you're alluding to security exploits that manage to subvert that mechanism.

Windows subverts that mechanism by providing APIs that unprivileged apps can use to access each other's memory.

On Windows, any programs sharing a desktop are within the same security boundary and are not protected from each other by design.

Huh... I never knew that. I wonder why the APIs were designed this way; there have to be legitimate uses for this, right?
I think the answer here is compatibility. But we are finally at a turning point. OS X's new apps and Windows Metro apps are sandboxed.

But until running mostly apps becomes the norm in a desktop system, beware that not having admin privileges doesn't mean you can NOT: load programs at startup, read most of the registry settings, passwords, read the memory of / close programs of the same security level. Malware doesn't need admin rights to do evil.

Still I believe AV products are useless even for inexperienced users.

In the end, instead of using debug features, the files could be altered before starting a process. Programs on the same user account have no protection from each other, and Windows isn't going to give you a false sense of security.

If you want apps to be blocked from touching each other, they need individual user accounts or equivalent. Operating systems for phones do this, but this kind of system hasn't been ported to a normal desktop.

debuggers?
I was firmly in your camp until recently, when I saw CryptoLocker - http://www.reddit.com/r/sysadmin/comments/1p32lx/cryptolocke.... This is the first virus in a long time that actually scares me.

I've checked, and current versions of MSE will detect this in time, but it's fast approaching the point where Windows will be running in a snapshotted VM with no network access.

It gets really scary when the ransomware's makers require their victims to log in to some MMORPG and pay in virtual gold.
Well, the attack vector seems to be mostly ZIP email attachments with EXEs.
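Since the thread pins the CryptoLocker vector on ZIP attachments carrying EXEs, here is an added example (mine, not from any commenter) of a mail-gateway style check in Python: it flags archive entries by executable extension, by a double extension that Windows' default "hide known extensions" setting would mask, and by the PE "MZ" header regardless of the file name. The sample archive is constructed inline; the extension list and the `suspicious_entries` function are my own choices, not from the thread.

```python
import io
import zipfile

# Extensions Windows will run directly on double-click (my list, not exhaustive).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def suspicious_entries(zip_bytes: bytes) -> list:
    """Return [(entry_name, [reasons...])] for every archive member worth blocking."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            lower = info.filename.lower()
            parts = lower.split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            reasons = []
            if ext in EXECUTABLE_EXTENSIONS:
                reasons.append("executable extension")
                # "invoice.pdf.exe" is shown as "invoice.pdf" when known extensions are hidden.
                if len(parts) > 2:
                    reasons.append("double extension")
            if info.flag_bits & 0x1:
                # Encrypted member: content cannot be inspected without the password.
                reasons.append("encrypted entry")
            else:
                with zf.open(info) as member:
                    # Every PE executable starts with the DOS "MZ" stub, whatever it is named.
                    if member.read(2) == b"MZ":
                        reasons.append("PE header (MZ)")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: a harmless text file, a double-extension EXE, and a PE renamed to .pdf."""
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60  # constructed stub, not a real executable
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "hello")
        zf.writestr("invoice.pdf.exe", fake_pe)
        zf.writestr("report.pdf", fake_pe)
    return buf.getvalue()


if __name__ == "__main__":
    for name, why in suspicious_entries(build_sample_zip()):
        print(f"{name}: {', '.join(why)}")
```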