
> If an admin elevation popup happens when you haven't triggered it then you probably know something is wrong. And most malware will not be able to install.

Malware can still do a lot without "installation". Running as an unprivileged user, it can still do anything to/with the filesystem that the user would be able to do, and will (on most normal setups) be able to make outbound Internet connections without limitation. In short, these kinds of privileges don't protect against data exfiltration, ransomware operating on the user's important data files, simple vandalism....



It's still a big win because it prevents subverting the underlying system. Logs still tell the truth. Security software keeps running. The damage can be inspected with the operating system's tools.


This is true, but defense is a multi-layered approach, and even the built-in Microsoft stuff (like Defender AV) has massively improved.

I would argue most malware comes down to uneducated users doing the wrong thing - but that's a whole different can of worms :-)


> I would argue most malware comes down to uneducated users doing the wrong thing

This feels unnecessarily harsh. Those users are the victims of criminal activity. The protective controls could be a lot better.

Windows doesn't offer immutable local file versions to protect against ransomware running as a non-privileged user. It doesn't offer any protection if a single application suddenly starts to overwrite huge amounts of data.

Instead they choose to try and shove OneDrive down our throats as the only answer to ransomware protection.


As someone working in infosec for a largish 2000 seat organisation - it's honestly not inaccurate. No matter how much accessible information security training we try to provide and the EDR controls we implement, >95% of our incidents involve an end-user following (sometimes extremely obvious) phishing links. And contrary to what you've said, Windows Defender (in conjunction with Airlock) has actually saved us from ransomware attacks.


> No matter how much accessible information security training we try to provide and the EDR controls we implement, >95% of our incidents involve an end-user following (sometimes extremely obvious) phishing links.

That just shows that security training is insufficient and admins need to design their systems and networks to account for that fact. Clicking links is part of everybody's job and should not pose a risk to your organization. Enable 2FA for everything exposed to the internet to mitigate phished credentials.

Stop trying to fix the user: https://www.schneier.com/wp-content/uploads/2016/09/Stop-Try...


If an entire company can be paralyzed by tricking a single employee it's a process issue. Just like how wiring out $100,000 same day on the order of a single employee should be blocked by internal controls.


Where I work has recently implemented Airlock and my laptop feels a lot less responsive since. I'm aware of the whole security trade-off, just wondering how noticeable it has been in your organisation, if at all?

Having said that, two things worth considering in my case:

1. My laptop is relatively old and, I think, overdue for replacement (8GB RAM, really?)

2. Windows Defender + Airlock + CrowdStrike + Netskope + Nessus seems an expectedly heavy load on a system


Not sure the exact combination of internal security nonsense used, but my corporate laptop idles at a good 20% cpu utilization. It would not surprise me at all to know that the products are stepping over themselves and scanning each other. Double plus ungood is that any programming tool I use seemingly gets extra scrutiny and can take 10x as long as I know it would on a non-compromised Linux machine.


> And contrary to what you've said, Windows Defender (in conjunction with Airlock)

"Contrary to what I've said" while you add in an extra third party product that I didn't mention.


Isn't "Controlled folder access" part of that protection? Also restore points?


>Isn't "Controlled folder access" part of that protection?

Difficult to be effective when it's disabled by default.

>Also restore points?

By using System Restore, you can undo these changes without affecting your personal files

https://support.microsoft.com/en-au/windows/system-restore-a...


> without affecting your personal files

Thus System

> Difficult to be effective when it's disabled by default

The initial goalpost was lack of any protection / no alternatives to onedrive


> Thus System

What other "restore point" functionality does Windows offer by default?

> The initial goalpost was lack of any protection / no alternatives to onedrive

The context was "uneducated users"; they're unlikely to know they could enable controlled access.

They're further unlikely to be able to handle the application problems it introduces, such as games having problems saving their state, which is why it's disabled by default.
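For anyone who does want to turn Controlled Folder Access on without the "my game can't save" surprises discussed above, the following is an added example, not code from the thread or from Microsoft, showing the workflow a practitioner would use: inspect the current state, run in audit mode first so that writes which would have been blocked are only logged, read those events back, allow-list the legitimate application they reveal, and only then enforce. It uses the real Defender cmdlets (Get-MpPreference, Set-MpPreference, Add-MpPreference) and the Defender operational event log; the folder and application paths are assumed placeholders and must be adjusted to the machine.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): stage Microsoft Defender's Controlled
# Folder Access (CFA) through audit mode before enforcing it. Run in an
# elevated PowerShell on Windows 10/11 with Defender Antivirus active.
# Paths marked "assumed" are illustrative only.

# 1. Current state. EnableControlledFolderAccess: 0 = Disabled, 1 = Enabled
#    (block), 2 = AuditMode. Documents, Pictures, Videos, Music and Desktop are
#    in the protected set by default once CFA is on.
$pref = Get-MpPreference
"CFA state       : $($pref.EnableControlledFolderAccess)"
"Protected folders: $($pref.ControlledFolderAccessProtectedFolders -join '; ')"
"Allowed apps     : $($pref.ControlledFolderAccessAllowedApplications -join '; ')"

# 2. Audit mode: nothing is blocked, but each write by a non-trusted process
#    into a protected folder is recorded as event ID 1124. Leave this running
#    long enough to cover normal use (save games, sync clients, scanners).
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 3. Extend the protected set with folders that hold data you actually care
#    about and that live outside the default library locations.
Add-MpPreference -ControlledFolderAccessProtectedFolders "$env:USERPROFILE\Projects"  # assumed path
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Scans'                   # assumed path

# 4. Review what audit mode caught. 1124 = audited (would have been blocked),
#    1123 = blocked (only appears once enforcement is on). The message text
#    names the process and the target path.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} -MaxEvents 200 -ErrorAction SilentlyContinue

if (-not $events) {
    'No CFA events yet; keep audit mode running before enforcing.'
} else {
    $events | Format-List TimeCreated, Id, Message
}

# 5. Allow-list only the specific binary that audit mode showed writing
#    legitimately (e.g. a game's executable), then switch to enforcement.
#    Do NOT allow-list general-purpose hosts such as powershell.exe, cmd.exe,
#    wscript.exe or Office binaries: anything that can run code through them
#    inherits the exemption and CFA stops meaning anything.
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\ExampleGame\game.exe'  # assumed path
Set-MpPreference -EnableControlledFolderAccess Enabled

# 6. Confirm the change took effect.
(Get-MpPreference).EnableControlledFolderAccess   # expect 1
```

Two caveats worth knowing before rolling this out: CFA decides on the writing process, not on the user, so an allow-listed application that can be driven by an attacker (a scripting host, an installer with plugin support) is effectively a bypass; and the protection is only for the folders in the list, so data on network shares or in arbitrary directories an application chooses is untouched unless you add those paths explicitly.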


So you want to make their lives much harder with two passwords for no good reason? Also, those uneducated users will simply enter the admin password when prompted


It's still "the length of the street" better than having malware installed as root/admin. Malware in userspace is much easier to both detect and remove for the simple fact it cannot embed itself that deeply into the system (barring nation states leveraging zero days, but that's a few levels above 'regular consumer' advice).

This method has saved me (my parents) more than a couple of times.



