Virus-scanner suffers the consequences of the ‘Local Admin Syndrome’

As an ICT consultant, I regularly come across the situation that users are the administrator (or root) on their own workplace (laptop or PC). Every security specialist knows that this is one of the worst ideas. Malware can easily gain access and lodge itself in the system, and the virus scanner and other locally running security tools will no longer be able to detect it.

We can jump to conclusions and state that this is not the way it should be. This may be correct, but often the demands from the user are different. User demands fall into two types:

1. Application driven
To use a specific application, the user needs administrator privileges, usually only to execute special updates or actions; the user therefore does not need these privileges constantly. A situation that occurs less frequently these days is that the application itself demands to run with administrator privileges. Ideally, this type of application should be phased out.

2. Work driven
Some of my clients employ engineers who perform maintenance on customers' appliances. They often need special software for this, which generally requires admin privileges to address the hardware.

Nowadays, a workplace is equipped with an up-to-date virus scanner and, optionally, the other necessary security tools. Unfortunately, someone with administrator privileges can execute a wide range of actions, including disabling all security software. If the user is able to do this, a virus can do it as well. A virus infection consists of a number of steps, and the first step is always to turn off or modify the security software. Only then does the actual infection start.

Complete disruption of the network

One infected workplace might not seem serious at first, but this is a misconception. Recently, I was called in to assist a customer with serious network problems. The disturbance became increasingly bad, and at times nobody could continue working. Usually the disturbance ended after one or two hours, but the company's processes had been idle during that period. A cause could not be determined immediately, because the network seemed to perform as required and no overload could be seen. A higher load was visible during the hours the network faltered, but this load was not high enough to count as the single factor responsible for a complete disturbance of the network.

Several users had administrator privileges on their workplace. I immediately noticed that the antivirus software on several computers was switched off. Users had done this manually, because they reported being hindered by it. When we compared the logs of the antivirus server and the firewall, a couple of workplaces stood out. Upon forcing the installation of the antivirus software, the alarm bells sounded: the workplaces were infected with a virus. Further investigation showed it to be a botnet. The workplaces were subsequently taken out of service, fully formatted, and so forth.
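As an added example (not from the article), the comparison of antivirus-server and firewall logs described above can be automated: hosts whose antivirus is switched off and which generate far more outbound connections than any protected host are the ones to isolate first. The log formats, hostnames and addresses are constructed for this example and do not belong to any real product.

```python
from collections import Counter

# Constructed AV-server status export (one line per workstation; the
# key=value format is an assumption, not a real product's log format).
AV_LOG = """\
2015-01-20 08:02:11 host=ws-03 av_status=enabled signatures=2015-01-20
2015-01-20 08:03:40 host=ws-07 av_status=disabled signatures=2014-11-02
2015-01-20 08:04:15 host=ws-09 av_status=disabled signatures=2015-01-19
2015-01-20 08:05:02 host=ws-12 av_status=disabled signatures=2014-12-15
2015-01-20 08:05:59 host=ws-15 av_status=enabled signatures=2015-01-20
"""

# Constructed firewall log of outbound connections during one disturbance.
FW_LOG = """\
2015-01-20 10:01:03 src=ws-07 dst=198.51.100.23 dport=6667 action=allow
2015-01-20 10:01:04 src=ws-03 dst=203.0.113.10 dport=443 action=allow
2015-01-20 10:01:05 src=ws-12 dst=198.51.100.23 dport=6667 action=allow
2015-01-20 10:01:06 src=ws-07 dst=198.51.100.23 dport=6667 action=allow
2015-01-20 10:01:07 src=ws-09 dst=203.0.113.10 dport=443 action=allow
2015-01-20 10:01:08 src=ws-12 dst=203.0.113.77 dport=25 action=deny
2015-01-20 10:01:09 src=ws-07 dst=203.0.113.77 dport=25 action=deny
2015-01-20 10:01:10 src=ws-15 dst=203.0.113.10 dport=443 action=allow
2015-01-20 10:01:11 src=ws-12 dst=198.51.100.23 dport=6667 action=allow
2015-01-20 10:01:12 src=ws-07 dst=203.0.113.77 dport=25 action=deny
"""

def parse_kv(line):
    """Return the key=value fields of one log line as a dict (timestamp dropped)."""
    return dict(f.split("=", 1) for f in line.split()[2:] if "=" in f)

def av_status_by_host(av_log):
    """Map each workstation to the antivirus status it last reported."""
    recs = (parse_kv(l) for l in av_log.splitlines() if l.strip())
    return {r["host"]: r["av_status"] for r in recs}

def outbound_per_host(fw_log):
    """Count outbound connection attempts (allowed or denied) per source host."""
    return Counter(parse_kv(l)["src"] for l in fw_log.splitlines() if l.strip())

def suspect_hosts(av_log, fw_log, factor=2):
    """Hosts with AV switched off AND more than `factor` times the outbound
    connections of the busiest AV-protected host: likely infected, isolate first."""
    status = av_status_by_host(av_log)
    counts = outbound_per_host(fw_log)
    baseline = max((counts[h] for h, s in status.items() if s == "enabled"), default=0)
    return sorted(h for h, s in status.items()
                  if s == "disabled" and counts[h] > factor * baseline)

# suspect_hosts(AV_LOG, FW_LOG) -> ['ws-07', 'ws-12']
```

Note that ws-09 also has its antivirus disabled but shows no unusual traffic: it still needs the antivirus reinstalled, but it is not the first host to pull off the network.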

Sudo and runas

A user does not need administrator privileges at all times. In fact, the number of privileges needed to do one's job is decreasing. A modern operating system has a command such as ‘sudo’ or ‘runas’. This type of command allows a user to temporarily raise the privileges for one command or application, while everything else continues to run with standard user rights.

However, this is rarely done. Users find it ‘difficult’ and are convinced that their own knowledge and behaviour will keep them safe. This is not true. Attackers are getting ever better at misleading users, so there is reason enough to assume that a user will be ‘tricked’ at some point. We have to assume that today or tomorrow a workplace will get infected with a virus, and everything must be done to prevent an outbreak.

If working with ‘runas’ or ‘sudo’ is undesirable, another strategy has to be devised. Start with information: clearly explain the risks and give the user clear guidance. If the information is sufficient, a user will be more likely to switch to ‘runas’ or ‘sudo’.

Direct access

Assume that, despite the information, something does go wrong and the workplace gets infected at some point. Approach these workplaces as you would any other system on the internet: completely untrusted. The workplace can be used to attack your network, so take the appropriate measures. Restrict its access to the internal network and place it in a separate network segment. Then give the user access to internal resources through a VDI or SBC workplace (virtual desktop or server-based computing). Several techniques are available to offer this type of workplace to external users. In some cases, a user will also need direct access to documentation or email; various cloud services can be useful for this.

What matters most is reducing the amount of company data on the local system. If data must be stored locally, examine which data that is. Company data that should not end up on ‘unknown’ systems should not be available for download to a workplace at all.

Reset default image

What remains is support. If a workplace is managed properly, it should last a couple of years, although you may assume that continuous updates will be necessary during that period. A user who manages their workplace properly will refrain from using an administrator account. Clear agreements therefore have to be made between ICT and the user: support should not go beyond resetting the default image and replacing defective hardware.

It is, first of all, a matter of questioning the administrator privileges. For a standard user, these privileges are not necessary. For a user who does need them, some education is required: start by explaining ‘runas’ or ‘sudo’. If this is not an option, the ICT department should refrain from taking responsibility and only support the user on a ‘best effort’ basis.

Martijn Bellaard has been working for TriOpSys as a lead architect for 3 years. At the beginning of 2017, he pursued his lifelong dream and became a teacher at the Hogeschool van Utrecht. This article was published on 29-01-2015.