
Blaming UNIX for the virus industry is a stretch. A per-user protection model is better than none at all.



The anti-virus industry is a result of DOS and Windows not having a unix permission model. Running as the user with highest privileges was the norm.

Now that a unix permission model is the norm, viruses are comparatively gone and replaced by malware that simply tricks the user into installing it. No permission model will help you against this. As a partial result, now we see things like iOS where we remove control from the user, or OS X where we try to make it inconvenient to be duped into giving access.

There are certainly still exploits that don't require duping the user, but the anti-virus industry certainly wasn't established based on these.


"No permission model will help you against this."

That's not really true. No permission model will be 100% effective, but a more fine-grained permission model might lead to more users saying "Um, no, mysteriously executable pornography, I don't want to give you my bank records and the ability to email my friends."


Like how (non-tech) people pay attention to the permissions required by Android and iOS apps they want to install?


Let's imagine that I have privilege grouping sub-users, something like name.banking, name.work, etc. Now my work files can't see my banking unless a window pops up going "Would you like Experimental Thing for Work to have access to name.banking?"

I think being able to explain to the computer how my data is grouped, and access patterns in it, is more natural for users than most of the security models we have today.

It's also much easier to have two copies of the browser load, depending on if I'm invoking it through name.banking or name.general. And much easier to explain to grandma you do banking when you use name.banking and you look at cat photos in general.

Grandma isn't stupid; she doesn't understand how technology works. Making permissions based around how she categorizes her information and how she divvies up tasks is more natural for her than insisting security only work if she understands how computers work.


I said it's not going to reach 100%, probably whatever we do. Probably there are ways to improve on the Android and iOS permission models - there was talk in another thread about "deny this permission but fake it" options, there are probably ways things can be presented better, there might be ways permissions can be divided better, &c... Manifestly, there exist plenty of users that don't pay enough attention to what permissions they're granting. I wouldn't be surprised to learn that it's an improvement over user behavior patterns on user-account-only permission systems, though.


The UNIX world was hardly a model of security until somewhere around 2000. Both HP-UX and Irix of that era could be hilariously insecure, with it being utterly trivial to break through the permissions model.

Thanks to UNIX boxes being the bulk of the always-on systems attached to the internet at that time they presented most of the attack surface, and consequently an industry of people to attempt to protect them.


>viruses are comparatively gone

No they aren't. There's tons of them. You don't need to be admin for a virus to be a problem. All the data a user cares about is owned by that user anyways. There's plenty of "haha I encrypted your files, pay me if you want to access them ever again" extortion viruses.


All the instances of these that I've seen rely on social engineering to do their thing though (we had a teacher at my school fall victim to one recently, which is moderately entertaining [when you have up-to-date backups] when you have a bunch of read/write network shares), as opposed to regular files/executables 'infected with a virus' which is how I generally look at viruses in the traditional sense.


Lots of viruses used social engineering since the start. The only difference now is that once run, it doesn't have admin privileges, so it is harder for it to make itself a permanent fixture on the system.


> "A per-user protection model is better than none at all."

Well, yes. "Worse is better"...than none at all. All of your parent's examples are better than none at all :)


Haha, very nicely put. However, what I was getting at was that DOS/Windows permissions were even worse, and not better for it.


Not for the vast vast majority of users. An OS or programs are by far the easiest things to obtain; modern Windows or Mac also ship with rescue images. What I'll miss from my drive are the documents I've created, work I've done, pictures, movies, etc. Per-user protection -- such as using root to install -- protects the OS or programs, but helps not at all with anything that's painful if it gets lost.


Being better does mean it's not broken.


Being broken does not mean it's the cause of the virus industry.



