I would like to know what the experts here think.
I am running my PC with only normal user privileges (so I am not in the local administrators group).
Furthermore I use Google Chrome for surfing the web, so web code is trapped in Google's sandboxes in the browser.
Is it enough for me to just have the on-access scanner running? I am thinking of uninstalling the webshield…
Your setup makes you less vulnerable to the more severe effects of getting infected but it doesn’t leave you immune from infection.
My take on just having one level of scanning: a mistake. Keeping it off your system rather than trying to deal with it when it is on your system is a much better option IMHO.
You only have to browse the viruses and worms forum to see that hacked sites are a major issue at present, and the web shield is very proactive in its protection against this.
I have webshield still enabled and will also keep it.
But the main question is, how a virus/trojan/malware can be executed, if I am just surfing with user rights (and using chrome).
What harm can it do? Can it execute itself (not me executing it actively)?
Can it execute in memory, before it is written to disk (because then it is trapped by the real-time file shield)?
It only can execute with normal user rights (in my setup/usage)…
So it cannot do any harm to important parts of the registry or protected system files.
It cannot install any services, because it simply does not have the rights.
Is it possible for code to execute itself just by downloading?
Can the code do any harm to the system even if it is trapped in the sandbox of the browser?
Does the browser sandbox furthermore protect the system from malicious java code?
In the end it comes down to these questions.
As a local admin user: webshield all the way! no question…
But as a normal user… Discussion is still open…
It would be interesting to construct a hypothetical infection scenario in this “secure” setup…
By the way: Also think of data leakage to the internet as an infection (spyware in this case).
Because data leakage does not necessarily have to use admin rights.
When you enter a web page that has been hacked, it has code inserted into the page. That usually takes the form of an iframe which will have a URL to run malicious script from another site. It can and does include the HTML script tag, and this contains JavaScript, which can perform the same functionality. This JavaScript is mostly obfuscated so that the purpose of the code isn’t clear.
There is no saying what harm it can do, as that relies on the URL it is trying to redirect you to and what the payload is at the other end, and none of these are constants.
Running as a limited user should (note should) prevent the malware copying files into the system folders and creating registry entries in system areas of the registry, but it doesn’t prevent it creating entries in that user’s area.
Really there is no discussion: what harm does it do having it enabled? It has minimal impact on resources, so no contest. There is malware that attempts privilege escalation, and if that happens your limited user theory is dead in the water. As I said, it limits the damage that can be done but doesn’t make you invulnerable. You have the information, now the choice is yours. I’m done.
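The reply above describes the injection pattern the web shield is looking for on a hacked page: a hidden or off-site iframe, or an inline script that is obfuscated so its purpose is unclear. The following Python script is an added example, not code posted by anyone in this thread or shipped by any antivirus vendor. It scans a saved HTML page for those two patterns using simple heuristics (hidden-iframe attributes, external script/iframe sources, and a crude obfuscation score based on decode/exec calls and escape-sequence density). The sample page, the host name "example.test" and the `.invalid` iframe target are all constructed for the demo.

```python
"""Flag the injection patterns described in the reply above in a saved HTML page.

Heuristics (assumptions for this example, not from the original thread):
  * <iframe> elements that are hidden (0x0 size, display:none, visibility:hidden)
    or that point to a host other than the page's own
  * <script> elements with an external src on another host
  * inline <script> bodies that look obfuscated (eval/unescape/fromCharCode/
    document.write calls, or a high density of hex/percent/unicode escapes)
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Calls commonly seen in decode-then-execute stagers; two or more is suspicious.
SUSPICIOUS_JS = ("eval(", "unescape(", "fromCharCode", "document.write(")
ESCAPE_RE = re.compile(r"\\x[0-9a-fA-F]{2}|%[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}")


def looks_obfuscated(js):
    """Crude score: known decode/exec calls plus density of escape sequences."""
    if not js.strip():
        return False
    hits = sum(js.count(k) for k in SUSPICIOUS_JS)
    escape_density = len(ESCAPE_RE.findall(js)) / len(js)
    return hits >= 2 or escape_density > 0.05


class InjectionScanner(HTMLParser):
    """Collects (finding_type, detail) tuples while parsing the page."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []
        self._in_script = False
        self._script_buf = []

    def _is_external(self, url):
        host = urlparse(url).hostname
        return bool(host) and host != self.page_host

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            src = a.get("src", "")
            style = (a.get("style") or "").replace(" ", "").lower()
            hidden = (a.get("width") == "0" or a.get("height") == "0"
                      or "display:none" in style or "visibility:hidden" in style)
            if hidden:
                self.findings.append(("hidden-iframe", src))
            elif self._is_external(src):
                self.findings.append(("external-iframe", src))
        elif tag == "script":
            self._in_script = True
            self._script_buf = []
            src = a.get("src")
            if src and self._is_external(src):
                self.findings.append(("external-script", src))

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._script_buf)
            if looks_obfuscated(body):
                self.findings.append(("obfuscated-inline-script", body[:60]))


def scan_html(html, page_host):
    """Return the list of findings for one page served from page_host."""
    parser = InjectionScanner(page_host)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: a legitimate page with an injected 0x0 iframe and an
# injected unescape/eval stager. The host names are placeholders.
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<script src="/js/site.js"></script>
<iframe src="http://redirect-host.invalid/x.php" width="0" height="0"></iframe>
<script>var s=unescape('%3c%73%63%72%69%70%74%3e');eval(s);</script>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_PAGE, "example.test"):
        print(f"{kind}: {detail}")
```

Run against the constructed page it reports the hidden iframe and the obfuscated inline script, and nothing for the site's own `/js/site.js`. The heuristics are deliberately simple; a real web shield matches against signatures and reputation data rather than attribute checks, so treat this as an illustration of what "proactive" scanning of page content means, not as a replacement for it.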