Ransomware vs UAC

51,081 views

The PC Security Channel

2 years ago

Standard vs Admin Accounts Tested vs Ransomware: Will a standard user account limit damage?
Sponsor: Trend Micro's Premium Security Suite. Check it out here: bit.ly/3rQJ0R2 and use code "PCSECURITY10" for 10% off.

Comments: 141
@MikaelKKarlsson 2 years ago
Standard account is useful, for guarding the operating system from a particular user. 😉
@Mario583a 2 years ago
Let me guess: Dio Brando,
@mrlogic4619 2 years ago
@KZfaq.Pigeon 😐
@The_Black_Hole 2 years ago
@Mario583a OH NOOO
@russellhltn1396 2 years ago
I think the advice to run as a standard account comes from the era of worms and viruses. By denying access to system files, it was much harder to infect and spread. But ransomware is about user data. Different game.
@loryt690 2 years ago
Yes, it is for that; if you use a normal account, some permissions are denied.
@A42yearoldARAB 2 years ago
Still helps because it does not have the permissions to encrypt other users. If it was configured properly, a standard user needs admin permission to run the dodgy file in a way that it writes to begin with. Obviously a business should also have AV and backups of what users have access to.
@cpuuk 2 years ago
It's all about layered defences, you don't just rely on one lock to protect the system.
@carlschneider4229 2 years ago
There's plenty of reasons to run as a Standard account beyond preventing ransomware. Your closing thoughts at ~7:30 are bang-on. Security is a manifold process: it's Standard accounts, proper segmentation, principle of least privilege, etc.
@ltxr9973 2 years ago
Finally you're making that video! Running malware as admin is really nice to show off what the malware does but it doesn't say much about an everyday scenario or how good the malware is at escalating privileges.
@TheWhiteBamba 2 years ago
THIS is what we needed as a video. Started watching it, and curious to know if the non-admin group is actually right for newer cyber threats.
@xxxDEV1xxx 2 years ago
Thanks for the video with Task Scheduler, it helped zero in on a problem. I already knew about Autoruns and Process Explorer, but Task Scheduler showed some recurring processes and their triggers, last time ran, etc. Really cool.
@thebritishindian1 2 years ago
I’ve been using Trend Micro for years after seeing your original test on the channel. I was really happy to see its effectiveness at the end of the video. Thanks Leo!
@pyrotex8 2 years ago
Since you've done recent Linux security videos as an addition to your Windows security videos, I know it would be very difficult, but I think it'd be really neat to see some macOS security videos, as there isn't a whole lot of info in that area that I have found.
@TheCocoaDaddy 2 years ago
Thanks for doing this test! I would expect ransomware to be able to encrypt any and all data a Standard account user would have access to. I was hoping to find out if other parts of the system could be affected as well.
@DePhoegonIsle 2 years ago
other users, core files, aka anything you need elevated access for. aka if you see the UAC it will likely hinder that. (methods exist to bypass it, but those are exploits & tend to target priority targets)
@jer1776 1 year ago
I've been considering using a standard account on my computers for a while now. Thanks for the demonstration.
@wilfredotorres6628 2 years ago
Hi Leo, A lot of security has to do with being very vigilant and using sound secure methods that are known to work and like most of the high-tech industry, it's always changing.
@PreybirdMKII 2 years ago
Do you have any plans to put Trend through the extensive ransomware tests like you have run Kaspersky and others through? Very interested to see how it stacks up compared to some of the other solutions out there.
@drinkoldcoke 2 years ago
@The PC Security Channel That desktop wallpaper looks so cool!
@Tomb_Raider123 2 years ago
Please, I want to see more Trend Micro malware test videos this year. Also test its APT protection.
@tyaprak 2 years ago
"Everybody knows the dark mode is for pros" 😎
@punisher427 2 years ago
Why my windows doesn't have dark m
@FL1K4z 2 years ago
@punisher427 caus noosb...😎😎😎
@ampeg187 2 years ago
A standard user account with a separate admin account that are both password protected and with UAC on Max is a good habit to get used to. It's also a smart way to keep other users away from uninstalling programs or disabling AV. It's another layer of protection that is smart to have.
@marcuspvxea 2 years ago
It's like they always say, in cybersecurity you don't look for what a person knows, but how a person would approach and apprehend a situation; in simple terms, problem-solving traits.
@Ran6ger 2 years ago
Can you retest comodo? It’s been a while, and they’ve updated quite a bit. Would love to see how effective the “Comodo Container” is.
@richardh9071 2 years ago
Standard user accounts certainly do reduce the blast radius and prevent VSS being disabled, so it is a worthwhile addition to a defence in depth approach. My fear is when ransomware starts filling the free space up with random data, to not only make forensic recovery of encrypted files more difficult, but to also cause the hard drive to reach capacity and induce Windows itself to delete the volume shadows. That could be done from within standard user accounts, and with SSDs could be accomplished in 20 minutes or so.
@alirezapourranjbar7652 1 year ago
Thanks for the informative videos. Is there a way to get hands on those ransomware viruses that you used for testing?
@OnE61811301 2 years ago
I wonder if it could circumvent the user separation - for example, even if you run it as a regular user, could it embed a payload in a way that as soon as you login as an admin, it's restarted and encrypts from the admin role too...
@buffuniballer 2 years ago
One of the key points of making standard users is control over what is installed. Sure, some programs can run locally, so let's get that out there. However, system-wide applications cannot install without UAC getting involved to let the user install. I think of this more for computers shared by a family. So I make standard accounts for the kids. They cannot install programs and cannot access and/or corrupt my data. They can lose theirs (you did back up, right, and make sure backups are not just to another drive on the same system, right?) so you minimize what is at risk at any given time. However, if the standard user has read access, data can be exfiltrated to someone else. So not letting that user even read other users' data is part of a multi-layered security plan.
@CesarAugustoRL 2 years ago
It was very helpful, thank you!
@DePhoegonIsle 2 years ago
I mean, sure ... but it comes at the cost of many things that need to be followed as well. (avoid running programs with elevated permissions as much as possible. / use control folder access for important documents / don't give full read/write access to users who only need read access / don't keep critical files in only 1 spot / use version control software for project files & user created files / enable & use UAC @ max settings / etc) -- Though my personal favorite is, install steam/other game managers outside of a protected folder alongside the games. This seriously cuts down the possibility of rogue games/programs for games even needing elevated access for anything, and while your games & launcher could be nuked it helps stop A LOT of the accidental or even malicious games/programs any normal user would ever see from entirely destroying everything. The problem is that most users benefit the most from being put onto standard accounts, because it prevents auto exploitation, and forces a prompt box for thinking about what's going on. This will never fix 'stupid/impatient/ignorant/greedy' users who will want & attempt to get free things, go to shady shady places, and force run software from uncertain places while taking risk on risk all for a free thing or easy gain. Normal users aren't targets for 'targeted attacks', their computers which make up the majority of the advice aren't valuable (or hold valuable information). Though don't think it wasn't noticed how twisted it, conflating corporate security & home security measures, just to promote a home security product.
@Tomb_Raider123 2 years ago
I also wonder which tier Trend Micro is in, in terms of security? As per your previous tier list of antivirus you made.
@wolf1438 2 years ago
Of course standard user account by default won't help without proper written rules in group policy.
@Arachnoid_of_the_underverse 2 years ago
Is the AV not using fingerprinting on the files though, rather than some more subtle behavioural technique?
@itsupport191 5 months ago
Folder encryption would still protect data, admin or not. If sharing a single PC with others, it's a must for local file storage otherwise just use cloud. Admin vs standard makes a diff only in a very basic/limited scenario.
@artistryartistry7239 2 years ago
So you should keep highly sensitive documents in folders on your admin account, and switch logins when you need to access them, or at the very least, store sensitive docs there and provide read-only access to the user account.
@jakobfel2 2 years ago
How good is Windows Defender's controlled folder access feature at protecting against ransomware? Given the fact that I'm running on a standard account with Windows Defender and it's constantly blocking stuff via the controlled folder access feature, I'm curious if that plays a major part in protecting your system or not.
@stefanie69 2 years ago
I want to see a test on it too.
@DePhoegonIsle 2 years ago
It does, but it needs better training. You have to allow certain programs access (like OneDrive, if you use it) or any other programs you constantly use to save/retrieve data from there. It helps stop any new one. Also, don't save your dev programs into those folders, or at least do not let your dev programs run inside there.
@voidwalker7507 2 years ago
Well, for example if you use core isolation - a feature of Windows Defender - it will put most of the important processes, services and registry keys into a hypervisor, but it messes with virtual boxes.
@ollicron7397 2 years ago
It's incredibly overprotective, after a week of using it, I had to turn it off because some executables require access to different folders on your system. You COULD unblock the denial of programs being able to access certain folders but it requires a lot of manual work.
@jakobfel2 2 years ago
@ollicron7397 Yeah, it does get really annoying but I'd rather deal with it if it means that I'm less likely to have to worry about ransomware. I make regular backups that I store offsite but restoring them would be a major pain.
@droy333 2 years ago
Oooo can I send you a virtual machine to test out? What virtualisation software do you use? I would simulate the setup I use and instruct my techs to configure (often via GPOs).
@zetectic7968 2 years ago
Very interesting. Thanks Leo
@A.hdh. 2 years ago
Love the Interstellar wallpaper
@kabloosh699 2 years ago
The key is "defense in depth." In other words you should be using multiple layers of security from the rule of least privilege (aka standard user accounts), an AV, network IPS, strong passwords, 2FA, and secure backups. Network shares are nice but probably shouldn't be relied upon for official data storage. Using a web based application like Sharepoint to store official documentation may be a better solution so if you are a victim to a ransomware attack only the data on your computer is lost. Which sucks, but wouldn't harm the entire business since core documentation and data is stored on a separate server. You "could" gate a network share where the user always needs to authenticate to access it. This would at least prevent any automated ransomware from taking over but if you're already authenticated in, the risk is still there. That said, whitelisting only approved software and .exe files on workplace computers would help avoid a lot of this. The adversary would really have to work hard to get around that first by knowing what is the authorized software and then making their malicious ransomware look exactly like the legitimate software. This isn't something I would put effort in for a home user in trying to implement. The administrative overhead in making this all work is a pain in the butt.
@TheawesomeMCB 2 years ago
Another thing I find problems with a standard user account is that if you use that standard account 99% of the time, and that user account gets hit with ransomware, then there goes all your data anyway. If you did an admin account it would do the same thing. Not to mention some ransomware can have UAC bypass in it if you used a user account and the ransomware needed admin privileges. It’s always a good idea to have a modern AV like Kaspersky or Bitdefender as those will 1. Detect the ransomware 2. If the AV detected a UAC bypass, it would most likely set off the exploit protection on top of it.
@alphaslayer7360 2 years ago
Hey, I have a question: what's the difference between Avast and Avast One?
@CoolDudeClem 1 year ago
Best advice is to just stay away from shady websites and avoid opening e-mails you didn't expect.
@artistryartistry7239 2 years ago
Can you the Trend Micro Max Security alongside Norton AV?
@𰽚𰽚 2 years ago
A user account is not a problem for R groups.. it's a sophisticated attack with privilege escalation, network pivoting and lateral movement.. the goal is the DC (Windows Active Directory) and backup (NAS) server.
@LennyLibitz 2 years ago
Leo - would it be possible to do the same with a more locked down system using GPO?
@flowsava 2 years ago
I could've used this video when I got ransomed a while back. For the Discord Nitro ransomware [which I did have at one point], all I really did was restart my computer and I guess Windows Defender cleansed it? Not too sure what happened.
@RockTheCage55 2 years ago
Yes, any data the user has security to modify (not read only) ransomware will be able to encrypt. They will be able to steal any data you have read access to (which might be sensitive). Being a standard user (or being an admin and not clicking your UAC) will prevent it from doing things like switching your DNS to a rogue DNS server.
@mk9027 2 years ago
Both aren't most modern exploits using privilege escalation or rootkit type of trick?
@mdredoan765 2 years ago
Which antivirus should I buy..... Kaspersky Internet Security or Kaspersky Total Security?
@CeleronS1 2 years ago
Thank you for video! :) You should test HP Wolf Security solution.
@fivestar2227 2 years ago
The admin account in this demonstration was not passworded; had it been, that dirty Discord executable would have triggered the admin account password prompt before it could run. If it was this simple to run malicious files on standard accounts, every work, school or public network would be doomed.
@rachelkesavan7050 1 year ago
AV-Comparatives, one of the world’s foremost antivirus testing organizations based in Austria, conducted a performance test in April 2022 that compared 17 international antivirus brands and ranked them based on their impact on device performance. K7 Antivirus emerged as the winner in the test with an impact score of just 1.6, establishing that K7’s antivirus has the least impact on device performance.
@hellocomputer7135 2 years ago
Please re-test McAfee antivirus because I think it's improved a lot since 2020. Thank you!
@mistie710 2 years ago
To be honest, I can own to glibly parroting the mantra of using a standard or user account in days gone by. As a Unix, later Linux user, this was a standard procedure anyway, keeping your dirty mitts off the root account was built into many distros, either by restricting the root account to the console or stopping its use altogether in favour of using the "sudo" command should you need admin access for a limited action. Indeed I can recall arguing that Microsoft giving out admin access by default on most primary installations was a real source of humour back in the day. Of course this all predated the dawn of ransomware. The idea of encryption of data was all very well when it first came into being but when unscrupulous people started to use this to hold data for ransom changed everything, especially as, even with access management and need to use control, plenty of damage could be done. That's before we get to temporary elevation of privilege which keeps getting patched out only for malware writers to find alternative ways to gain a position of power on a system. It gets to the point where the best way to avoid infection is not to turn your computer on in the first place, but that's no use to anyone. As for Trend, I always used to use Housecall as a double-check on a given Windows system. It's a single pass system that is free to use to back up other antivirus programs just so that you give the system the best chance of surviving an attack. Otherwise I use Bitdefender on some systems, Windows Defender on others and at one time I used Kaspersky.
@brokenchimp0 2 years ago
Does Kaspersky protect against this too, Leo?
@rosep5516 2 years ago
Please, where can I get this ransomware for educational purposes?
@drowningin 2 years ago
Couldn't the OS dev prevent encryption, or know the encryption key used to undo because it's using your processor to encrypt, and it can save how it's doing it. So in a future version it could be as easy as going to start>settings>encryption>undo and it have a list of all most recent changes?
@vadimuha 2 years ago
Imagine you encrypted a list of your passwords on a laptop, someone stole it and they can just go to settings>encryption>undo. What's the point of encryption then?
@SimDoes 2 years ago
There’s public/private key encryption where different keys are used to encrypt and decrypt, so saving the public key wouldn’t be very useful.
@prodbywerty 2 years ago
Encryption isn't always reversible.
@DePhoegonIsle 2 years ago
What you're thinking about isn't possible because of how encryption works. Also, what you're wanting (because of how you want it to work) is 'version control software' aka having a second copy of every file/folder, every version of it. That is expensive on the data storage costs with, and while doable is well beyond normal users' reasonable means. -- aka, things like 'git', 'timemachine', etc.
@somethingcoolgoeshere 2 years ago
Doesn't a lot of malware rely on the fact that most people will by default be in the administrator account?
@guilherme5094 2 years ago
Thanks!
@Goasler 2 years ago
Can you please do a malex and a ransomware test with Kaspersky Internet Security and Malwarebytes Premium (both active at the same time)? This would be nice. Thanks in advance :D It would be interesting if these two programs would work together.
@oniichan-onii 2 years ago
Which VM software are you using?
@pizzel 2 years ago
Where can I download the sample malware with your script to try on a demo machine? I'm trying Quick Heal antivirus, also sold as Seqrite endpoint, thanks.
@BrokenMedic 2 years ago
Will Wireshark capture the key being sent back to the assholes that encrypted your PC?
@AirgapNetworks 2 years ago
The cybercriminals could consider security risks in a website as a goldmine to penetrate the company’s operations. They could even damage the vital resource on your website - making you start from the ground. Ransomware attacks can occur when businesses fail to follow basic web security policies and frameworks.
@zedx1543 2 years ago
Can you test ESET Smart Security Premium?
@fabrizziobridi9091 1 year ago
I can't use my PC so I can't test. My question is, if ransomware that locks your screen runs as a standard account, will the malware lock only your screen, or doesn't it have the right privileges to do so?
@ultralaggerREV1 2 years ago
It’s ridiculously funny how this video just came out after Britec09’s video…
@marquiniocontrerasamaya1369 2 years ago
I don't really agree with your statement around 5:38, mostly due to in my particular experience whenever there's a change in the file system on a standard user account, you would have to type in user name and password in order to overwrite the files. You can add new files but not change them without credentials from what I have seen. Please let me know if this is different for you guys.
@loryt690 2 years ago
Is Windows Sandbox more secure than using normal Windows?
@xxxDEV1xxx 2 years ago
At some point, you're going to do something in the user account that requires admin privileges, and you won't be thinking of the consequences because you want to install/run said program. Well... now your regular user has admin privileges. But if the virus is memory resident then wouldn't it activate when you log in to admin anyway, after logging out of user?
@DePhoegonIsle 2 years ago
It has to do more than just 'stay in memory' it also has to somehow violate memory/thread security (entirely possible), and when that happens all it has to do is attach onto a system process thread. So, short answer that's never going to be an issue. Long answer... It's not a viable threat because the means of achieving such a thing already presents system/su access and hijacking an elevated thread is a bad move. -Standard user -Admin user -Elevated process -System(su) user/process In that order.
@arqrenderz6210 2 years ago
Hi, I'm using your links to buy some AV but the links seem to be bad.
@1reflect155 1 year ago
My friend installed some "warzone hacks" on my PC a couple years ago but I had put him on a user account.
@simplememelord 1 year ago
Does it affect our partitions file?
@voidwalker7507 2 years ago
Try the new Scan and Protect portable cloud scanner from Sophos, brother. Interesting, as it performs similar to NPE with a reputation based scan. Yet, for example, it finds caffeine.exe as malware, lets you choose to upload it for analysis. It seems to take the evolutionary approach, better to see faces in the woods than to miss them and get caught. I know you are aware of the "Sophos Virus Removal Tool." Now they have an updated version. Cheers mate.
@jamejame2278 2 years ago
I am wondering if reset to factory setting, will that remove virus?
@user-iv1qz1tx7u 8 months ago
No, it won't remove a ransomware. You need to search for proper ways to do so.
@surfer4185 2 years ago
Hey, Where can I find these type of ransomwares? Thanks!
@user-iv1qz1tx7u 8 months ago
Go download some shady stuff, you might get some 😊
@simoncroston4581 2 years ago
No security pro would say you are safe with a standard account. Priv escalation is common knowledge.
@aaronk9910 2 years ago
The reason you run as a Standard User is because only through this are all your additional measures still in place and cannot be turned off, like AppLocker, BitLocker, Firewalls, Antivir etc. That's the concept behind it.
@aronjanssen5702 2 years ago
U have alphv? If not i can send it to u?
@Allious131 2 years ago
That was a blow to bitech
@eliotcougar 2 years ago
Backups, backups, backups...
@GT7776 2 years ago
KASPERSKY BEST
@tigercrafter6345 2 years ago
Yeah Kaspersky is best
@ItsRobbeh. 1 year ago
@tigercrafter6345 no
@AWJG2011plays 6 months ago
HELL NO
@spaceguybob 2 years ago
I mean, this is a standard thing on pretty much every other modern OS to not make the user a root/admin account
@lenarnie2973 2 years ago
best channel, more videos pls
@paulstubbs7678 2 years ago
Nice, I always assumed ransomware would know how to get around user account restrictions, so there would be no difference. As for dark/light mode, I tend to regard dark mode as a young noob bull, I never had it 'before' and my eyes were not bored out of my head, so it's a load of bull (so are they going to print inverse, they can't handle white paper)
@PandaMilitary 2 years ago
Pls test Windows Security in Windows 11, it would be great!
@abdullahal-shimri3091 1 month ago
I switched to Linux long ago and never looked back. However, I'm required to use a specific app which only runs on Windows 11 and I just bought a separate laptop for that. Nevertheless, my daily driver is a Linux.
@dwoolet 2 years ago
How to become a cyber security expert?
@paranone 2 years ago
Some of your statements are misleading, using an account with local admin rights doesn't mean you have access to the whole network, and using a "standard user" doesn't mean you don't have access to all network shares, the 2 are completely separate things...
@qdog1033 2 years ago
How reliable is VirusTotal?
@Maldroid 2 years ago
What is the point of using a standard account when UAC exists?
@venkat2277 2 years ago
Most ransomware just bypass UAC lol
@Maldroid 2 years ago
@Venkat Does the Always Notify setting plus prompt for consent in secure desktop make a difference?
@DePhoegonIsle 2 years ago
Because you can bypass the UAC prompt on an admin account. You can do so on a standard account as well, but you also need an admin account user name & that account's password as well. Which, if you're following, increases the difficulty of automated UAC bypass attacks by a crippling level.
@Maldroid 2 years ago
@DePhoegonIsle You can actually require all administrator accounts to enter credentials on secure desktop. You just need to edit the policy on secpol.msc. Looks like a standard account is useless. Thanks for answering my question.
@tst6735 2 years ago
Thx m8 I
@CeilingPanda 2 years ago
Believing in random comments from the internet is usually bad advice
@Q2FwaXRhbGlzbSBiYWQu 2 years ago
There is a big exploit in UAC, that a malware can disable it without admin permissions, get full access to Windows (I didn't say Windows home edition, I said Windows computer edition), and it can do everything even if you are a standard user, it works on Windows 11 too.
@artistryartistry7239 2 years ago
Is he running all this malware in a VM? And is the host probably a PC that's totally disposable and is routinely wiped? Even then, isn't the firmware of that host at risk?
@mrtwinky2007 2 years ago
youtube did not tell me about this video
@liovanio 2 years ago
Ransomware bypass admin user, softwares security... 😰
@genjibob7603 2 years ago
what to do if standard acc got infected. 😂 give us full process.
@Daxter250 2 years ago
It triggers me so hard that Leo turned off file extension xDDD.
@veterantruthtube3298 2 years ago
I didn't understand it completely.
@oneninth0 2 years ago
Ahem, create an admin account then create a standard account as your main, voilà
@bryanmartin_ 2 years ago
Oh no, your files, have been encrypted! LOL
@tezlol2255 2 years ago
hey
@FalcoGer 1 year ago
You see, privileges permit you to do things. Having less of them is better. This is why web servers run as www-data and not as root. Because www-data can read the files required for hosting a web server while root is god. A user can read and write user files, and nothing else. While NT/SYSTEM AUTHORITY is god. If a virus gets executed with user rights, it can do all the things the user can, that includes deleting all the user's files, encrypting them, or sending their Firefox passwords database off to the hacker (use a master password by the way). Just because one type of virus targets your user data doesn't mean the advice of running as an unprivileged user is bad or useless. If you have multiple users on your system, one idiot can't nuke all your files, unless of course everybody is admin. Just because a vulnerable web application can delete the website that is hosted doesn't mean running the website as root doesn't matter. "Security in depth" is the key term to put into your search engine here. Running unprivileged doesn't mean you are safe. Running antivirus doesn't mean you're safe. Updating your system regularly doesn't mean you're safe. Using strong passwords doesn't mean you are safe. There is no one click solution to cyber security. But you reduce attack surface by doing all of the things above. And that is also why Windows Defender is good enough even though it's one of the most targeted AV for evasion. You don't rely on this one thing to keep you safe and you never should rely on any one thing to keep you safe, because such a thing doesn't exist. Be smart, check your sources, be updated, have a backup and don't click yes on every prompt you see without reading. When in doubt go to the official source and double check. UAC doesn't stop users from deleting all their files isn't the argument and saying that it is is dishonest. The argument is "It's safer.", and that is true.
@ultralaggerREV1 2 years ago
Reason why standard got affected is because you did NOT make them both password protected!!!
@TheHolm 2 years ago
No