Anti-virus vs. Non-Admin

This may be controversial, but I truly believe it and I'll say it:

With today's threat landscape and the way malware works today, you are better off running as non-admin WITHOUT anti-virus than you are running as admin WITH anti-virus.

If your anti-virus/anti-spyware/anti-malware software requires that you run as administrator in order to protect you, GET RID OF IT.  It is not worth the cost.  As Paul Coddington put it, it's "sort of like having a burglar alarm that only works when your house is unlocked and the doors are open."

Most if not all of the most prevalent malware out there today simply will not work if it runs with non-admin privileges.  That will change over time -- especially after the release of Windows Vista -- which is why I preface my assertion with "With today's threat landscape".  Hopefully by then, anti-malware solutions will have changed, too.

[Addendum - June 4, 2006, 2220 EDT]  I would like to clarify one point:  If you are running as non-admin, you are better protected if you have good, up-to-date anti-malware that works well as non-admin than if you have no anti-malware protection at all.  (On the other hand, if the anti-malware contains bugs in high-privilege code or exposes other elevation of privilege paths, maybe you're not!)

Comments (70)

  1. Knox says:

    Wow!  Being a bit kooky, I’ve been doing this for about the last three years.  I completely concur.  In offices that I admin for, we all run as non-admin with no permanently installed anti-virus.  Instead, we scan the machines weekly, just in case.  I’m happy with this approach.  Also, not having any permanent anti-virus really improves the responsiveness of the machines.

  2. wim says:


    Especially in the light of all those problems with antivirus software lately

  3. So basically running Windows Vista without any antivirus means that we will be, thanks to UAC, better protected than we even could be in Windows XP?

  4. Bucky says:

    Terrible advice.

    You seem to fail to take into account:

    1. Elevation of rights exploits

    2. Potential personal or business damage of running or propagating viruses

    3. Potential personal or business damage of running data mining Trojans

    4. Time and expense required to resolve issues listed above

    If your anti-virus/anti-spyware/anti-malware software requires that you run as administrator in order to protect you, replace it; find one that DOESN’T require admin rights.

  5. Ruskiru says:

    I’ve run my home XP laptop under an LUA account for years without anti-virus and never had any problems.

    However, I’m sensible and know what I’m doing. The average user needs to have anti-virus that is compatible with LUA.

    Even with both of these safeguards in place, I’ve still seen users’ machines become infected!

  6. Bucky – I don’t disagree with your advice to replace rather than get rid of the AV.  My point is that the malware that is most likely to infect users today doesn’t attempt elevation of privilege because it assumes it’s running fully-elevated already.  It won’t run or propagate as non-admin.  You are better protected running as non-admin without AV than running as admin with it.

  7. Walker says:

    … but you are BEST protected by running as non-admin with an AV running that works with LUA. I think that really needs to be said.

  8. Walker:  And now you have said it, and so it has been said. 🙂

    THAT said, I have set up numerous relatives with non-admin accounts and usually no AV, and they have had NO problems with malware.  My mother-in-law recently bought a new computer from a major OEM.  It came with a popular AV product from a major security vendor.  I set up her non-admin account and left the AV in place at first, but it didn’t work well as non-admin, so I eventually uninstalled it.  No problems with malware since.

  9. Andrew says:

    Hi Aaron,

    Thanks for addressing my comments earlier in this entry. Another option I was thinking of instead of changing antivirus was to set up a runas shortcut to the update program (if that is what doesn’t work in the antivirus product under a limited user).

    I am not sure if, for some people, the hassle of finding a new virus scanner is worth it though as XP is inherently not all that secure when it comes to privileges (at least compared to Vista). The programs are still directly tied to the system level (as opposed to a sandbox). The only virus scanners I know that run non-admin are some corporate av products that don’t come in single licenses and a couple of buggy or fairly weak scanners which are no better than having no scanner and being educated about safe computing.

    I think running SAFER policy and just keeping users as admin is probably just as safe as running at LUA (in terms of real world likelihood). No mass attacks are going to target (or inadvertently affect) people running SAFER policy?

    In terms of Vista, I really don’t know if running antivirus on the client is worth it, it depends on how well Vista fares against malware (which I can’t answer). Maybe an on-demand scanner will be a good idea. But seriously, if you download from trusted sites and maybe even have some form of hash verification/whitelists (Vista should have this built in before execution. Do they? Maybe not.), I can’t see there being any more risk. Other areas of entry such as through exploiting vulnerable programs, should be patched rather than using a virus scanner. If someone can exploit a program you are running, they are not going to have any trouble getting past a virus scanner.

    Two-factor authentication is another pro-active solution that helps to eliminate the only other major threat to the average consumer (the other being backing up data). Virus scanners are just a really annoying and reactive band-aid (that can be exploited themselves as we have seen again lately).

    There is no way on earth I am going to have some virus scanner running in the background all the time. But the question is what are the antivirus companies going to do? To me it sounds like they are adding MORE features to their suites for Vista. ARGHHH. I will just have to figure out some command line scanning method myself I guess.

    Aaron, in terms of your mother-in-law’s setup, I think that is fine too. Personally, the only virus warning I have had since XP SP2 has been one ActiveX add-in wanting to install (which thanks to the security settings, it came up with the prompt to install or not install, so I didn’t). Emails are scanned at the exchange before getting to the client PC as well (and most ISPs do this now).

    BTW my psychic abilities say that major OEM was Dell and the antivirus was McAfee 😉 In most situations, people will not install many new programs, so there is always the option to completely lock down what they can and cannot execute via local/group policy. So even if someone who is not so experienced with computers falls for the "here is a patch from microsoft, follow this link, etc etc", they cannot run the program anyway.


  10. Fernando Cima says:

    Hi Aaron, I know this is not what you meant, but the blog entry does look like you are saying that you can ditch your antivirus if you are using non-admin accounts.

    Since that would be incredibly bad advice (and we also don’t want the distorted recommendation to be next Slashdot headline), I suggest you could clarify it in the blog entry. Get rid of your non-LUA aware antivirus, but get another one that works ok!

    btw I’m glad your mother-in-law never got any malware in these three years without AV. I’ve got several friends who run Mac without AV who haven’t either. But I don’t consider them to be safe, only untargeted for the moment. It is trivial to write LUA-aware malware, just like it is trivial to write Mac OS malware; it wasn’t done just because it wasn’t necessary. Yet.

  11. Tim says:

    I agree that when Vista is released, malware writers will change their habits.  Right now, it is possible to get malware such as keyloggers running when a user logs on and all this can be installed when the user is running as non-admin (albeit it will only run with the interactive user and not all users), but we’ll see even more of this when Vista comes out.

  12. Ben says:

    Aaron: I absolutely agree. I’ve been running non-Admin since I started using NT (the feature is there for a reason, after all). On corporate networks anti-malware procedures should be implemented at the gateways to those networks, so there should be no chance for malware to enter and then spread if LUA is implemented as it should be across the board.

    One thing I think might be worth adding to this is that it’s possible since W2k not only to deny write access to system directories but also to deny execute access to user directories. Thus, malware inadvertently downloaded into the user’s profile (including web cache) is unable to execute without a conscious change of security on the files themselves or their parent directories. I’ve implemented this on all of my own systems and I think it does help prevent malware attack significantly more than LUA alone. The user can’t even run malware accidentally anymore.

  13. Brian Reiter says:

    @Andrew: "I will just have to figure out some command line scanning method myself I guess."

    I recommend ClamAV as a command-line scanner to complement LUA configuration. It won’t break stuff by installing a filesystem driver or anything.

    I maintain ClamAV builds for Interix (aka SFU 3.5 or SUA). I got into it because I was frustrated with a string of about half a dozen buggy AV systems. I was looking for an on-demand, command-line scanner that I could run on Windows in a LUA configuration. I specifically wanted something that installed *no* kernel mode drivers.

    I was looking for a commercial solution but found ClamAV and decided to try to port it onto Interix since SFU 3.5 had just been made available for free at the time.

    Currently the Cygwin-based version has more in the way of a GUI but the Interix version – which has none – runs much faster. Also the threaded ClamAV daemon, clamd, only runs under Interix. Of course, you have to have Interix installed…

    ClamAV site

    ClamWin site (based on Cygwin)

    SFU 3.5

    SUA (Win2k3 R2 and later)

    Interopsystems hosts the ClamAV package for Interix

  14. Andrew – the SAFER approach is better than running everything as admin always, but it’s not as good as running everything as non-admin and elevating specific tasks on an as-needed basis.  What if some malware drops some code on your system – maybe in your My Documents folder or elsewhere in your profile that it’s allowed to write to, and puts a shortcut to it in your Run key (which lots of malware does)?  Result:  the next time you log on, that malware runs as full admin.

  15. Andrew says:

    Brian: Those elements you mentioned (kernel mode drivers etc etc) are exactly what I am trying to avoid. But it can be done with some of the more trusted (to me) solutions. I won’t really be implementing something like that until Vista though. XP is a bit shaky for me.

    Aaron: I know there are a number of methods to get around the policy, but I am looking at it from the "are people actually using these methods" perspective. In terms of the registry keys, most malware seems to use HKEY_LOCAL_MACHINE at the moment, which I am guessing would be denied.

    My line of thought is: there are *probably* (I don’t have enough knowledge, but that is my guess) many elevation of privilege methods in XP, and also, many ways malware can work just as well as a non-admin in XP (even with a virus scanner). Maybe I am wrong though, and maybe escalation of privilege attacks are not so easy in XP. And maybe, if malware is running under a normal user, it gives the virus scanner and firewall a much bigger advantage.

    It would be a non-issue for me if migrating to a different virus scanner wasn’t so hard in circumstances where people have just recently purchased a number of virus scanners (that don’t work properly as non-admin). As friends and friends of friends who own small businesses sometimes seek my advice, it is hard to tell them that they should ditch their current setup, format all of their computers, and invest $300 in new security software. And the reason that is hard is because as far as I know, SAFER prevents most of the same malware that LUA does at the moment, and LUA in XP may be able to be targeted just as easily as the SAFER policy. Maybe I am wrong, or maybe that can be your next blog entry: "Privilege escalation in XP, why LUA is still relevant" 🙂 But really, the situation I am describing isn’t really worth talking about (where somebody has recently purchased anti-virus software that doesn’t work as non-admin). Obviously, the ideal setup is LUA and a virus scanner that works under LUA as you mentioned.

    Although I am not as concerned about the virus scanner as some people are. Viruses have to come in by exploiting a program, or by the user running something on purpose. Both of which can be mitigated without a virus scanner, which is reactive anyway.

    Ok my comments are bigger than the blog so I think I may have violated some ethical guidelines.

    Keep up the good work. These blogs are excellent reading, especially in comparison to many other sources of information on the Internet. I think it is great that a company can provide a means for letting the community interact with some of its staff.

  16. Sean R. says:

    Forcing the non-admin environment on my users has done more for us than any anti-virus software could. Though we still run anti-virus software to protect against problems inside the users environment, and for the users that have to run elevated applications.

    I’m tempted to hold an Intuit developer hostage until they make Quickbooks work as a non-admin.

  17. Joyce says:

    We are living in an internet time where you cannot do without Anti Virus Software and such. Too bad, but I think it will only get worse by time.

    My place for free Anti Virus Software is:

    They always have the latest and best anti virus available and have good reviews of all available anti virus programs.

    Viruses should be stopped and people distributing these viruses should be put in jail. They jeopardize our operating system.


  18. Joyce, that site just looks like a thin shell around Google ads.  And I still maintain that some (not all) AV will leave you worse off.  Be especially careful of random tools you find on the internet – a lot of free so-called anti-spyware tools actually install spyware and keep it from getting removed.

  19. Small Potato says:

    It’s been nearly a year since I joined my current employer as a System Administrator. The domain was originally configured such that the domain users were local administrators of their machines because, according to the previous sysadmin, it was "easier" to administer (namely installing software or do other troubleshooting work). There were virus and spyware infections often, and there are still traces of those infections several years ago, such as logs by the virus removal tools, or some spyware dlls left on the computer.

    I have gradually changed it so that all domain users are limited users of their machines. It proves that 99% of the users do not need to be administrators (even myself for a lot of the time), and the domain is now much more stable and secure, and we have not seen a virus or spyware entering our systems (for nearly a year).

    There are still a few rogue users who insist on requiring their accounts set as local administrators (as they say their job nature needs that, and management believes that, unfortunately). Of course they are still the most problematic users, bringing technical support requests every week, mostly corrupted installation of software, virus and spyware infections.

  20. Stefan Kanthak says:

    I’d wish to read this statement from an MS spokesperson!

    @Buckie: you assume that malware is denied execution by an AV scanner. Why?

    Just think of the most common attack vector: surfing the net. AV scanners will detect malware downloaded by a browser when written to the disk (if at all)… when it already has been interpreted in the browser.

    As Ben wrote: remove (or deny) execute access from every directory the user is able to write. This especially includes %UserProfile% and the browser cache. Before SAFER you have to use NTFS permissions; these can be reset by the user since he is owner. With SAFER (and of course NTFS in place) allow execution only from %SystemRoot% and below and %ProgramFiles% and below (and exempt *.LNK from the list of executables, else the start menu won’t be of much use). A "normal" user doesn’t need to execute arbitrary programs!

    Or deny execution from %UserProfile% and below, %HomeDrive%%HomeShare% and below, ?:\RECYCLE? and below, ?:\System Volume Information and below, %SystemRoot%\TEMP and below.

  21. Leolo says:

    Hi Aaron,

    Please, excuse the offtopic, but I need to know one thing about UAC in Vista.

    If an app requires admin privileges, the secure desktop kicks in and shows a confirmation window that you cannot ignore (you can’t do anything until you acknowledge it)

    Wouldn’t this be an opportunity for some kind of Denial of Service attacks?

    Imagine a program or service that launched a barrage of commands that required admin privileges.

    Wouldn’t the user be swamped with confirmation requests? Wouldn’t he or she be unable to open the task manager to kill the offending process?

    Maybe I’m totally wrong. Please correct me in that case. I’m very interested in this.

    Many thanks.

  22. Leolo, that’s a good question — I had thought about that scenario too.  If malware is already running arbitrary code on your desktop, there are lots of other similar DoS attacks it could mount without invoking elevation windows, and which it can also do on current versions of Windows.  For example, it could create a bunch of always-on-top windows that always grab focus and prevent you from getting to anything else on your desktop.

  23. Leolo says:


    Thanks for your reply. I hadn’t thought of that. But you’re right, once malware is running on your system I guess is already too late 🙁


  24. Ryan says:

    Hey Aaron,

    I am an IT intern at a company that recently began placing new employee accounts in the "users" group instead of the "power users" group that they were traditionally placed in for reasons that were mentioned above.  From what I hear it eliminates pretty much every problem but also eliminates a few needed privileges here and there that we can’t seem to get back; namely, downloading ActiveX controls.  I’ve researched for a couple days now and have tried messing with IE settings (seems to be a higher problem than this) as well as group policy settings for add-ons, but it almost seems impossible to give non-admin groups certain privileges, even when the admin tries to allow it.  The only solution we can think of is to create a whole new group that resides somewhere between admin (power user) and limited user that will have totally custom settings… something that will take awhile to create just to allow one little privilege.

  25. Ryan, you hit a pain point there.  Installing ActiveX is one of the tough nuts to crack for non-admin on XP (along with installing local printers).  The issue is the vast majority of ActiveX controls require the ability to write to HKEY_CLASSES_ROOT (HKCR) in the registry at the time of installation – and typically also the ability to put their files into a system-wide location (often somewhere under %windir%).  There really isn’t a way to grant this ability to a user without opening up a lot of other access.  When a web page indicates an ActiveX to download, Internet Explorer performs a quick check to determine whether the user has the necessary registry access, and doesn’t even display the download option if the check fails.

    So, how to get around this while maintaining your more secure posture?  A couple of options include:

    * Install the ActiveX using a browser running as admin (e.g., via RunAs).

    * Deploy the required ActiveX through SMS or other enterprise management tool;

    * See whether the ActiveX can be registered into the per-user portion of HKCR using something like RegSvrEx:  (I talked about the "per-user" aspect of HKCR in here:

    I recognize that none of these are really great options.

  26. romulo says:


    I’ve been successfully implementing the LUA approach with no anti-virus software for at least two years. My Win2k machine at home has three average users and has never had to be disinfected and/or reinstalled.

    Unfortunately, at the company I work for, the IT staff doesn’t know of the LUA benefits, and prefers to go with everybody as local administrators plus an anti-virus solution. The latter is a real resource hog, and you have the impression the computer is working for the anti-virus, not for you.

    I hope your words help me persuade them to adopt the LUA approach and ban the real-time scanner.



  27. Alex says:

    So, what AV solutions do not require admin?

  28. Richard says:

    I’d like to make a few comments here.

    First, you will find several articles at that address this and related topics.

    Second, to the issues with active-x, sorry, but perhaps the safer route would be to switch to Firefox.

    Third, some anti-whatever products out there will only work or update in admin mode (bad), some will apply updates in non-admin mode or on reboot, and some will do a mix and require major updates from an admin id.

    Products that will only work in admin mode, like opening eFax attachments, for example, are simply poorly written products and should be avoided.

    Finally, it is always best to operate in a non-admin mode, especially when permanently attached to the internet. A hardware firewall (e.g., router), along with software firewall, antivirus, antimalware, antispyware, antiadware are recommended. Except for the hardware part, good-enough free versions of the various software items I just listed are available. Just check trusted sources for which ones to use.

    Richard, I don’t understand the point you’re trying to make about ActiveX and Firefox in this context.  The problem here is that it is difficult to install or deploy ActiveX when running as non-admin.  How does switching to Firefox improve that picture, particularly when the ActiveX controls in question contain business-critical functionality?

    — Aaron

  29. Ajay says:

    I have been switching over my main machine to work as non-Admin and was going to change my other machines once I felt like I really understood the issues.  One of my other machines is pretty much dedicated to being a media server where I keep all my ripped CDs.  I popped in a CD to rip and got some kind of license agreement about installing software and a light went off in my head remembering the whole Sony rootkit fiasco.  Some quick reading up on it showed that whether you accept the agreement or not it still installs the rootkit.  Luckily a rootkit wasn’t installed (according to RootkitRevealer).  I don’t know if I had an updated version of the CD or if my anti-virus caught it. After that incident I switched my other machine over to using LUA accounts immediately.

  30. Gordon Fecyk says:

    Four highly visible clients, over 100 users, three years.  No anti-virus, yet no malware.

    I cover privilege escalation exploits by denying execute permissions to anything that isn’t in Program Files or %systemroot%.  I put together a simple one-machine hack which is available from the Anti-Windows Catalog downloads page, but you can go further using Group Policy and logon scripts to enforce this behaviour.  Just copy the examples from my tool into your logon and logoff scripts.

    The end result?  If it isn’t installed by an admin, it doesn’t run.  Period.  In larger networks I further use Group Policy to deploy software without going to each machine… where possible (damn WebEx.)

    Now if only I can convince WebEx to stop updating their garbage so frequently…

    Does that policy apply to admins?  Some application installers extract files to the temp folder and execute them from there.

    – Aaron

  31. Gordon Fecyk says:

    The hack I put together removes the Execute permission for Files from the profile’s user, but it doesn’t remove the other default security.  So Administrators / Full Control and SYSTEM / Full Control is still there.  If the user happens to be an admin, they can still launch executables in their profile.

    Yes, it’s possible for a user to reenable execute on a file they downloaded.  And a browser exploit trying to launch an executable from a browser cache could try reenabling Execute on the file it’s trying to launch.  There are other ways to catch these, such as specifying a Logoff script that empties the browser cache and %temp%, and re-removes Execute from Files for the user.  Besides, nuking and rebuilding someone’s profile is a lot easier than nuking and rebuilding an OS.

    My dream system would always remove Execute for Files in a user’s profile and their Recycle Bin, and in Shared Documents, and not allow the user to put it back.  Then I’d have it keep Full Control for Administrators and SYSTEM, so admins can install stuff.  I’ve tried specifying ACLs directly in the Security Configuration and Analysis Snap-in, but it doesn’t accept %userprofile% as part of a path, and there isn’t a construct for RECYCLER\[user’s SID].

  32. Richard says:

    Hi Aaron. Not sure how to respond to your comment to my posting at the location of the comment, so I am filling in the form and suspect this will just get added at the end. Anyway, about my comment about active-x. Active-x is non-standard IE specific code, and, according to IE messages when running IE, it can cause harm. Firefox by default does not allow active-x, causing poorly coded and designed websites not to work properly in Firefox. Hope that clarifies my comment.

    I figured that’s where you were going, but whether your comments are accurate (I may disagree), they’re not relevant in this context.  That’s the point I was trying to raise.  –Aaron

  33. Jeremy says:

    So how do you guys all know you don’t have malware, if you never run AV?

    Great question, Jeremy.  The way I check is to use AutoRuns from SysInternals.  Malware will generally hook into one or more auto-start entry points (ASEPs).  There are far fewer ASEPs available to non-admin code than to admin code, and if you run AutoRuns as admin it also lets you see the ASEPs of other accounts on the system.  So you run as non-admin and possibly get infected.  (Note that unless an elevation-of-privilege vuln is exploited, only the non-admin user’s profile is affected – other accounts and the integrity of the OS are unaffected.)  At some point you log off, log in as local admin (not infected), run AutoRuns and check the ASEPs of your non-admin account.  Even a user-mode rootkit that has taken control of the non-admin user can’t hide from this analysis (unless it has found an ASEP that isn’t covered by the very extensive AutoRuns analysis). — Aaron
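    Aaron’s AutoRuns check above, together with the thread’s recurring rule that admin-installed code lives under %SystemRoot% and %ProgramFiles% while user-writable places (the profile, %Temp%, %SystemRoot%\TEMP) do not, as an added Python example that is not from the post or from Sysinternals: it reads an AutoRuns-style CSV export taken while logged on as the clean admin account and flags the enabled ASEPs of the non-admin user whose image lives somewhere that user could have written to. The column names mimic autorunsc’s CSV output as assumed here, the environment values and all sample rows are constructed, and the reviewed account is assumed to be "alice".

```python
"""Triage an AutoRuns CSV export for auto-start entries (ASEPs) whose image
lives in a location a non-admin user can write to.

Assumptions: column names mimic autorunsc's CSV output; FAKE_ENV and the
sample rows are constructed, not a real export."""
import csv
import io
import ntpath
import re

# Constructed environment used to expand %VAR% references in launch strings
# (the non-admin account under review is assumed to be "alice").
FAKE_ENV = {
    "systemroot": r"c:\windows",
    "windir": r"c:\windows",
    "programfiles": r"c:\program files",
    "userprofile": r"c:\documents and settings\alice",
    "appdata": r"c:\documents and settings\alice\application data",
    "temp": r"c:\documents and settings\alice\local settings\temp",
}

# Only an admin can drop files under these roots, so code here was "installed".
TRUSTED_ROOTS = (r"c:\windows", r"c:\program files")
# Exceptions inside the trusted roots that a normal user can still write to
# (the thread's %SystemRoot%\TEMP example).
WRITABLE_INSIDE_TRUSTED = (r"c:\windows\temp",)
EXEC_EXT = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".dll")

# Constructed sample export: one system-wide entry, several per-user entries.
SAMPLE_AUTORUNS_CSV = r'''Entry Location,Entry,Enabled,Category,Profile,Description,Signer,Company,Image Path,Version,Launch String
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,OemTray,enabled,Logon,System-wide,OEM tray applet,(Verified) Example OEM,Example OEM,c:\program files\example oem\tray.exe,1.0,"""c:\program files\example oem\tray.exe"" /background"
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,svchost,enabled,Logon,MACHINE\alice,,,,c:\documents and settings\alice\application data\svchost.exe,,%APPDATA%\svchost.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,MediaHelper,enabled,Logon,MACHINE\alice,Media helper,(Verified) Example Corp,Example Corp,c:\program files\media helper\helper.exe,2.1,"""c:\program files\media helper\helper.exe"" -tray"
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce,cleanup,enabled,Logon,MACHINE\alice,,,,File not found: c:\documents and settings\alice\local settings\temp\setup.exe,,%TEMP%\setup.exe /q
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,OldAgent,disabled,Logon,System-wide,,,,c:\documents and settings\alice\old.exe,,c:\documents and settings\alice\old.exe
C:\Documents and Settings\alice\Start Menu\Programs\Startup,notes.lnk,enabled,Logon,MACHINE\alice,,,,c:\documents and settings\alice\my documents\notes.exe,,c:\documents and settings\alice\my documents\notes.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,WinTempHelper,enabled,Logon,MACHINE\alice,,,,c:\windows\temp\helper.exe,,c:\windows\temp\helper.exe
'''


def expand_env(path, env=FAKE_ENV):
    """Expand %VAR% references using the constructed environment."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), path)


def image_from_launch(launch):
    """Pull the executable out of a Run-key value such as
    '"C:\\dir\\a.exe" /s' or 'C:\\dir\\a.exe /s'.  For hosts such as
    rundll32.exe this returns the host; the payload is in the arguments."""
    launch = launch.strip()
    if launch.startswith('"'):
        end = launch.find('"', 1)
        return launch[1:end] if end > 0 else launch[1:]
    parts = launch.split()
    for i, tok in enumerate(parts):
        if tok.lower().endswith(EXEC_EXT):
            return " ".join(parts[: i + 1])  # unquoted path with spaces
    return parts[0] if parts else ""


def normalize(path):
    """Canonical lower-case path with %VAR%s expanded and quotes stripped."""
    return ntpath.normpath(expand_env(path.strip().strip('"'))).lower()


def _under(path, roots):
    return any(path == r or path.startswith(r + "\\") for r in roots)


def classify(row):
    """Return (verdict, detail) for one AutoRuns row."""
    image = row.get("Image Path", "").strip()
    if not image or image.lower().startswith("file not found"):
        # AutoRuns could not resolve the target; fall back to the launch string.
        image = image_from_launch(row.get("Launch String", ""))
    if not image:
        return "review", "no resolvable image path"
    image = normalize(image)
    if _under(image, WRITABLE_INSIDE_TRUSTED):
        return "suspicious", "user-writable location inside a trusted root: " + image
    if _under(image, TRUSTED_ROOTS):
        return "ok", image
    return "suspicious", "image outside admin-installed roots: " + image


def triage(csv_text):
    """Return the enabled ASEPs that deserve a look, in export order."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row.get("Enabled", "").lower() != "enabled":
            continue  # AutoRuns also exports disabled entries
        verdict, detail = classify(row)
        if verdict != "ok":
            findings.append({"location": row["Entry Location"], "entry": row["Entry"],
                             "verdict": verdict, "detail": detail})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_AUTORUNS_CSV):
        print(f"{f['verdict']:10} {f['entry']:15} {f['location']}\n           {f['detail']}")
```

    Anything the script flags still needs a human look (a legitimately installed per-user app can live in the profile), but an entry under the reviewed user’s writable tree is exactly what a non-admin compromise looks like from the clean admin account.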

  34. Robin Bankhead says:

    Aaron, I totally agree with the point you were making.  I speak as someone who’s a few months into the non-Admin experiment at my office, and the main stumbling-block in this has been the antivirus.  My employer has been a long-time devotee of a certain market-leading consumer solution (starts with an ‘N’) because you can pick it up in most shops and it ‘just works’.

    Well, not if you intend to be non-admin it doesn’t.  Its update feature craps out under LU accounts, with no clear indication as to why. (I lost count of how many support pages I waded through before finding confirmation that the practise was unsupported.)  I did my best to overcome this with the aid of a Scheduled Task using Admin credentials, but the updater’s convoluted architecture thwarted this too.

    I have lobbied hard against renewal of this crap software, and have been permitted to trial a few alternatives.  My experience thus far:

    BitDefender Personal Edition, AVG Free, NOD32 Personal, Kaspersky Personal, all happily run and update without apparent issues for non-Admin. (NOD32 may be connected with a rise in dumprep.exe problems, but I can’t back that up.)  Please note these are simply the findings of a newbie sysadmin, no endorsement given or implied, etc.

    For the person who asked about antivirus apps that a non-admin could use, there’s a starter.  So far I haven’t found any (apart from the ‘N’ product) that do have issues, but it certainly would be interesting to see all the big players evaluated on this criterion.

  35. tony roth says:

    If you’re smart enough to run as non-admin then you’re smart enough not to visit sites that are harmful nor open up stupid emails. It’s obvious that this will not work for the average joe!

  36. @Tony Roth – it’s impossible to know whether a site will be harmful.  Miscreants hack into reputable sites, or buy space from ad banner companies that display on reputable sites, to inject zero-day vuln exploit code to visitors’ browsers.  And beyond that – accidents happen, too.

  37. tony roth says:

    yes that’s correct, but a standard disclaimer from ms is,

    "In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker’s site."

    and this is supposed to be a mitigating factor.  I’ve always kinda laughed at this statement.

    don’t get me wrong, I actually agree with what you’re saying and it’s exactly how I’ve been configured for ten years, but it’s a requirement to have at least a natting router (firewall is nice) between you and the inet.

    there are a lot of ms and non ms apps that don’t run as a normal user; within a corporate environment it’s easy to deal with, but to the average joe it’s confusing.

    thanks and keep up the good work!

  38. Gordon Fecyk says:

    I thought the ‘N’ brand AV worked better than that, at least since roughly 2004.

    But my usual response to the usual question of anti-virus software vs limited accounts follows Rob Rosenberger’s comparison to airport security:

    Summarized thusly:

    "Well let’s see here, mister Bin Salen Odama. I noticed a powerful bomb in your briefcase here, and you were spouting some terrible anti-american rhetoric, but your name’s not on any of our databases for known terrorists.  Have a nice flight. Oh, and don’t forget your bag."


    By the way, I had to wait a full year since 2001 to use that anecdote without getting blasted for insensitivity.  Ironically, certain government projects are starting to respond exactly like conventional anti-virus software. But that’s a rant for another forum.

  39. McoreD says:

    We should have a list of AV software that runs perfectly under LUA.

    So far I know AVG Free Edition runs great.

  40. Sophos runs fine under a LUA. I’m not convinced on running without AV software though. Worms and other nasties don’t care what user level you are, and there’s plenty of others that exploit things to gain higher privileges. Not only that, but you can still get stuff installed in the browser, etc. I honestly wouldn’t feel happy running without AV.

  41. Spiral says:

    I saw a few mentions here about denying execute permissions on files under user directories.  Theoretically it sounds good, but does this really work?  I know that wouldn’t solve all malware issues, but I feel it would mitigate a lot of risk though from click happy users.  It seems too easy though, and I feel like I am missing something here.  Can anybody elaborate on this user execute config?  And if effective, some ways to go about implementing the NTFS permissions.

  42. Bill says:

    Is it a myth that there is AV out there that runs in LUA?

  43. mario says:

    Hello everybody,

    I’m convinced that having a Non-Admin computer is better, since we navigate carefully or use the computer with care, but how do I make a computer Non-Admin? Please excuse my ignorance.

  44. jacky says:

    Hello everyone,

    I searched for some useful antivirus tools to protect my computer; after trying many tools for free, I find the RunSafe program very useful.

  45. Ok, I’ll admit it. I’ve been living dangerously for the last several years.

    Simply put, I refuse to install any kind of antivirus or personal firewall software on any of my systems. This includes a Windows XP Home system that was used by my children as

  46. Jorge Luis Vejerano says:

    I asked the F-Secure team and they said:

    “Dear Jorge,

    Thank you for contacting F-Secure.

    With regards to your enquiry, basically there are advantages and disadvantages working with an account with non-admin rights as compared to admin rights.

    Aaron suggests that it is more secure to work with an account with non-admin rights without an anti-virus installed rather than working with an account with admin rights with an anti-virus installed.

    There are some advantages to working with a non-admin account: for example, if malware infects your computer, it is difficult for the malware to cause severe damage because some components or files cannot be modified or accessed.

    If there is no anti-virus installed on your computer and your computer is infected, it will be almost impossible to remove the infection even though the damage caused is minimal.  There is certain malware that can cause great damage even in a non-admin environment. Most viruses and worms replicate themselves, and this could cause greater damage. Trojans and spyware could still infect your computer and steal valuable information without you knowing it.

    Among the disadvantages of non-admin rights is that it will be difficult for you to make certain modifications or enhancements to your system, because all of this requires admin rights.

    Please feel free to contact us again should you need further assistance.

    Thank you

    Best regards,”


    I am making the change from admin to non-admin.  It’s true, it’s very, very difficult.  For example, Office doesn’t work. “Windows Installer” popups appear every time I execute Word or Excel.


    What version of Office are you running?  The installer should appear the first time you run a particular app, but not every time you run it.

    My recommended practice is to do all your day-to-day stuff using a non-admin account, and to use a separate admin account for administrative tasks — including cleaning a malware infestation from your non-admin account if necessary.  Just be very sure to keep your admin account very safe — don’t browse the web, etc. while logged in as admin.  Fast User Switching is the safest way to use your admin account.

    Aside from that, they are correct that LUA-aware malware can do lots of bad stuff in a non-admin account — but it remains easier to detect and remove.  Anti-malware that forces you to run as admin all the time makes you less secure.

    — Aaron


  47. CFGIGOLÔ says:

    "You are better off running as non-admin without anti-virus than you are running as admin with anti-virus." – Aaron Margosis…

  48. Ed says:

    I completely agree. I have been doing all internet and email work for over a year now (18 months) as non-admin (using "drop my rights"), and with nothing but Windows Firewall running. I keep checking, and the system is clean.

    There are other measures I take, such as using the trusted sites the way it is meant to be used, turning off automatic cookie handling and other restrictions, but I am convinced that running online as non-admin is the main protection.

    I love it! My machine isn’t bogged down with the so called "anti virus" bloatware.

    I wish I had known about this before.

    I even use "drop my rights" in batch files (with the "start" command, so I can launch IE with a specific site, etc).

    I am convinced that "anti-virus" programs prey on the paranoia we have from hearing about all the evil stuff on the net.

    I did a test on a freshly formatted, empty machine.

    1. I installed one of the well known "anti-spyware" programs.

    2. I ran a scan (I had not logged on to the internet yet)

    3. The program reported malware in the machine.

    4. I knew for a fact that it had put it there!

    I did this same test with two other programs with the same results.

    My conclusion is that running as non-admin is many times safer than depending on the bloatware being sold and given away that claims to offer some protection.

  49. Chris says:

    Aaron, what is your consensus on going without AV and without a third-party firewall, now that Windows Vista has been released?

    I’m forcing myself to run as a standard user on Vista Ultimate. Yes, I get the occasional prompts for the administrator password, and I’m fine with that.

    My PC came with Norton Internet Security 2007. I’m using it for the AV and firewall features. I have to say that the product is much improved over the version from past years. It works great on Windows XP. On Vista, however, I’m seeing inconsistent results.

    When I need to make a change to any of the NIS settings, it prompts me for the administrator password–as expected. When a new program attempts to access the Internet, however, rather than NIS prompting me (as it does when I’m logged on, rarely, with the administrator account), it simply blocks the request–making an entry to that effect in its security log. This results in a lot of programs failing to respond to what I select, failing to submit feedback, failing to check for updates, failing to submit bug reports, etc. I’ve tried different settings, but the product just doesn’t seem to be very standard-user friendly.

    I’ve brought this to the attention of Symantec technical support numerous times, since they advertise their product as Vista-compatible. However, they are clueless about the issues encountered when running as a standard user. I brought the matter to the attention of a manager at the Symantec booth at TechEd; he is trying to escalate the issue for me.

    Are you running Vista as a standard user? What are you using for AV and anti-malware, if anything? Are you using a third-party firewall?


    Currently I’m running Vista as a member of the Administrators group.  That may sound crazy given everything I’ve said on this blog over the past few years, but on Vista, running as a member of the Admins group is effectively the same as running as a standard user — as long as you never elevate anything.  Elevating an app on Vista is a lot like running something with MakeMeAdmin on XP, but safer since credentials/keystrokes cannot be spied on, and elevated apps are better protected than they are on XP.  Hopefully I’ll blog about this sometime soon.

    Microsoft has a standard anti-virus product which is required on all domain-joined systems.  I (begrudgingly) run it on my Microsoft-domain-joined systems, but usually don’t run any anti-malware on my non-joined systems other than what ships in Windows.  On some systems I disable Windows Defender.  However:  I’m paranoid, more security-conscious than the average computer user, and install almost nothing that doesn’t come from major vendors who demonstrate they’ll defend their reputations (I won’t install QuickTime) — so I’ve got other defenses to compensate for not running anti-malware.

    I’m very happy with what the Windows Firewall brings, so that’s what I use.  I don’t agree with the premise of outbound firewalling to block malware.  It creates noise popups for the user (for every app you install that connects to the internet!), and doesn’t prevent malware from hijacking approved apps.  If I’m writing malware that needs an outbound connection, I’m going to start iexplore.exe without displaying a window and inject my code into it as a DLL.  When my malware establishes an outbound connection, your firewall product will identify it as IE and allow it through without prompting.  W00t.  Trivial.

    — Aaron

  50. Chris says:

    Thanks for the follow-up, Aaron. Interesting to hear that you are running Vista as a member of the Administrators group.

    Concerning ‘never elevating anything’: I’d be concerned when running as an administrator that I would inadvertently elevate an application simply by entering text into another application at the same time that the first application forces the focus to change to the ‘elevation prompt’. These kinds of focus changes happened frequently with WinXP; is it no longer a problem with Vista? In any case, when running as a standard user, the ‘elevation prompt’ requires the input of an administrator’s complete password–something nearly-impossible to enter inadvertently. Is this a valid concern, in your opinion?

    [Aaron Margosis]  From this UAC blog post:

    UAC prompts will not “steal focus” from the user’s task. If the operating system cannot determine that the prompt was generated from the foreground window the current user is using, we will alert the user with a highlighted operation in the taskbar that an application is requesting elevated privileges. The user can select to elevate at his or her convenience and not be disrupted by an unplanned application elevation.

    Also, in the simple “consent” dialog case, the “approve” option (“Continue” in US English versions) is not the default, so it’s not as likely to be approved inadvertently.

    Based on your comments, for a small business (i.e., non-domain) user, for AV, anti-malware, and firewall, do you think that a combination of a basic third-party AV package, Windows Defender, and the internal Windows Defender is sufficient? Do you think that something like NIS is overkill? And all this while running with an administrator account?

    [Aaron Margosis]  Hmm, I’m not prepared to make a general recommendation one way or the other on that.  What works for me may not be right for you.

  51. Chris says:

    Thanks, again. Obviously, my last paragraph should have read: "Based on your comments, for a small business (i.e., non-domain) user, for AV, anti-malware, and firewall, do you think that a combination of a basic third-party AV package, Windows Defender, and the internal Windows *Firewall* is sufficient? Do you think that something like NIS is overkill? And all this while running with an administrator account?"

  52. Andy Dowling says:

    I began running my XP workstation without anti-virus shortly before I read this blog entry last year. I’ve mostly relied on software restriction policies applied to my non-admin account to keep me safe – and for the past 15 months or so I have had 0 malware issues. Having a whitelist of trusted applications is a much more appealing strategy than relying on an endlessly updated list of malware.
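    An added example (written for this page; it is not code from Aaron, Andy or any other commenter) of the "whitelist" Software Restriction Policy that comments 41 and 52 describe: default level Disallowed, with Unrestricted path rules only for the directories a standard user cannot write to, plus a check for user-writable holes under those directories. It assumes the registry layout that the SRP editor in secpol.msc writes (the supported way to manage these rules is that editor or Group Policy), an elevated prompt for Set-SrpWhitelist, and a run as the ordinary non-admin user for Find-UserWritableDirs.

```powershell
# Added example: SRP whitelist as secpol.msc stores it, plus a writable-dir probe.
# Assumption: this is the Safer\CodeIdentifiers layout the SRP editor writes.
$Base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Unrestricted = 262144   # 0x40000; the other level used here is 0 = Disallowed

function Add-SrpPathRule {
    param([string]$ItemData, [int]$Level, [string]$Description)
    # Each path rule is a GUID-named subkey under <level>\Paths.
    $key = Join-Path $Base ("$Level\Paths\{" + [guid]::NewGuid() + "}")
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty $key ItemData     -PropertyType ExpandString -Value $ItemData -Force | Out-Null
    New-ItemProperty $key SaferFlags   -PropertyType DWord -Value 0 -Force | Out-Null
    New-ItemProperty $key Description  -PropertyType String -Value $Description -Force | Out-Null
    New-ItemProperty $key LastModified -PropertyType QWord `
        -Value ([datetime]::UtcNow.ToFileTimeUtc()) -Force | Out-Null
}

# Run elevated. Policy takes effect for processes started after it is written.
function Set-SrpWhitelist {
    New-Item -Path $Base -Force | Out-Null
    Set-ItemProperty $Base DefaultLevel 0 -Type DWord        # Disallowed unless a rule allows it
    Set-ItemProperty $Base TransparentEnabled 1 -Type DWord  # 1 = check executables, not DLLs
    Set-ItemProperty $Base PolicyScope 1 -Type DWord         # 1 = exempt local Administrators
    Set-ItemProperty $Base AuthenticodeEnabled 0 -Type DWord
    # Standard users cannot write below these roots, so what they download
    # cannot run; any subdirectory they CAN write to is a hole in the whitelist.
    Add-SrpPathRule '%SystemRoot%'   $Unrestricted 'Windows directory'
    Add-SrpPathRule '%ProgramFiles%' $Unrestricted 'Program Files'
}

# Run as the non-admin user: lists subdirectories of the whitelisted roots
# that this user can create files in (candidates for an explicit Disallowed rule).
function Find-UserWritableDirs {
    param([string[]]$Roots = @($env:SystemRoot, $env:ProgramFiles))
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.PSIsContainer } |
            ForEach-Object {
                $probe = Join-Path $_.FullName ('srp-probe-' + [guid]::NewGuid() + '.tmp')
                try {
                    [IO.File]::WriteAllText($probe, '')   # succeeds only if writable
                    Remove-Item $probe -Force
                    $_.FullName
                } catch { }
            }
    }
}
```

    Every directory Find-UserWritableDirs prints should get a Disallowed (level 0) path rule, otherwise the whitelist is only as strong as the NTFS ACLs beneath it.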

  53. Table of Contents – blog posts on Aaron Margosis’ Non-Admin WebLog

  54. Nick Brown says:

    I don’t think it has to be a choice between anti-virus and non-admin.  All our users are admins, we have no anti-virus software, and no major virus problems.

  55. Arup Roy Chowdhury says:

    LUA works quite well, been running it for years combined with SuRun and Avira and am yet to be infected. Avira updates fine under LUA. SuRun makes it a breeze to access admin features when needed, just like Linux, and I highly recommend it for those considering running as LUA.

  56. Chris says:

    I work for a major virus vendor and if a customer chooses to run as admin that is their choice and most of the time nothing can be done to change that as the political battle will not be won.  BUT, if a customer running as admin chooses to use AV they must expect infections to run rampant.  If they choose to run as admin they are 100% stupid if they do not put any compensating controls in place to prevent an end user with admin rights from shooting themselves in the foot.

    Just plain stupid.  

    [Aaron Margosis]  A major virus vendor?  Interesting.  How much do you usually sell your viruses for?

  57. Davidm says:

    So does anyone know of any malware that will infect an XP machine while running as a LUA user? I have a tech that claims he has seen it happen.

  58. Tom says:

    > So does anyone know of any malware that will infect an XP machine while running as a LUA user? I have a tech that claims he has seen it happen.

    Yes, it happened on my PC. Since then I am using LUA + SRP (software restriction policy) + kafu.exe

    More on the subject here:

  59. u64 says:

    If we never want malware we must choose to use Linux.

    If we can accept malware misery from time to time and again and again, forever, then we should pay to get Microsoft Windows.

    Windows-install translation:

    “Do you accept your life to become a living hell? Press F8 to Continue”

    [Aaron Margosis]  Oh, yes, after all, there have never been any vulnerabilities in Linux, nor any attacks on Linux, nor any worms that have compromised lots of Linux servers, right?  (Moron.  Please troll elsewhere and leave my blog alone.)

  60. John says:


    I've been running non-admin for several years without AV, until I "stumbled over" an insecure page that turned my screen blue. I have now bought AVG Threat Labs (…/about) and I can download website reports and see where the threats are lurking if I am not sure about a particular website. However, I still run as non-admin.

  61. Stu says:

    John, you misunderstood; you must have bought an AVG antivirus (…/internet-security) and not AVG ThreatLabs – that is their website rating and security site.

  62. Kobe says:

    John, I think you’re a bit confused. AVG ThreatLabs is a threat detection website and not a piece of software. TL is a cool tool though, as it helps keep you safe when visiting any site.

  63. Matt says:

    Hey John, I'm quite sure you didn't buy AVG ThreatLabs, as that is a site dedicated to security ratings and is not antivirus software (…/internet-security). TL is a very useful site which tells you about site threats.

  64. David C says:

    I agree with this premise ABSOLUTELY whole-heartedly ..

  65. David C says:

    PS – it's 2011.  Do you still believe the same (that "good least access" > "admin + AV")?  Or has the landscape changed significantly?

    I just want to validate that I'm still doing the right thing.  I've worked under this premise for .. jeez .. over 15+ years now.  I can honestly say I've never gotten a serious virus (actually none to my recollection).  And I connect to the internet just about everyday.


    PPS – IE doesn't really play by those rules (in my experience, it's not as secure as other options).
