Reducing malware risks with UAC and reputation services

Discussion in 'other anti-malware software' started by Windows_Security, Dec 7, 2015.

  1. WildByDesign

    Registered Member | Joined: Sep 24, 2013 | Posts: 2,587 | Location: Toronto, Canada
    I would highly recommend chrlauncher (http://www.henrypp.org/product/chrlauncher) which takes care of updating Chromium on Windows easily, portable and open source as well. You can configure it how you like as well. It's relatively new and gets updated regularly.
     
  2. Minimalist

    Registered Member | Joined: Jan 6, 2014 | Posts: 14,883 | Location: Slovenia, EU
    That's logical to me. Installing an app is not the same as using it. Developers can create programs that don't need admin rights to be installed or to be run. I don't know why they don't. Some apps (like system maintaining software) need admin rights to be run, which is also logical to me. I don't see what is illogical here.
     
  3. new2security

    Registered Member | Joined: Aug 8, 2008 | Posts: 517
    Where do you download the Chromium installer from? Chromium's official download page has a similar zip package to the one the woolyss site mentioned above has.
    Or are you referring to the woolyss site when you say there's an installer?

    Perhaps I'm underestimating the benefits of the simple zip download-and-run concept. I tend to have as few programs as possible outside the Program Files + Windows directories.
    The Chromium folder is protected by software restriction policy and only allows the exe and dlls necessary to run the program.
    I like your strict approach to security. It's nothing I've pursued yet; perhaps I'm a little too lazy to log out to install/update software. I just run runas (admin) from my regular account.
    With your approach it's more secure, e.g. moving the Chromium folder to Program Files (for consolidation and the easiest overview), setting a secure ACL and allowing only admins to update it.

    Another thing: I'm a little curious about security patches. When Google Chrome releases a security patch, is this implemented in the Chromium builds? The guy running Woolyss.com recommends updating Chromium once a month; not sure if this has anything to do with security patching.
     
  4. new2security

    Registered Member | Joined: Aug 8, 2008 | Posts: 517
    Thanks for the suggestion, I'll keep it in mind.
     
  5. Rasheed187

    Registered Member | Joined: Jul 10, 2004 | Posts: 17,559 | Location: The Netherlands
    No offense, but is it really that hard to understand? Fact of the matter is that all app installers need admin rights, so let's say that some average user installs a download manager for example, the user will of course allow it to elevate, otherwise it won't install.

    During install it installs a service and driver, it injects code into the browser, perhaps it even modifies boot data. Don't forget that this average user is not using sandboxing or HIPS, and the AV flagged the file as clean. So now your system is owned by a trojan with rootkit capabilities running in medium integrity.

    So what I'm saying is UAC should be tweaked so that most apps can be installed without ever needing admin rights, and if some app does need admin rights, give clear info about why it wants this. This would result in less UAC alerts, and would make average users more cautious, plus they won't be annoyed, especially if you also implement a white-list.
     
    Last edited: Dec 17, 2015
  6. Minimalist

    Registered Member | Joined: Jan 6, 2014 | Posts: 14,883 | Location: Slovenia, EU
    @Rasheed187
    I understand it, don't worry. You are just looking for a solution to your "problem" in the wrong place.
    "So what I'm saying is UAC should be tweaked so that most apps can be installed without ever needing admin rights...". I guess you should be saying: "Programs and their installation should be created in a way that they wouldn't need admin rights". It's not the UAC warning that is creating a need for admin rights, it's programs or their installation. Why do all programs want to install in Program Files and not in user profile folders? I guess that developers need/want a user to have admin rights when they install their software.
     
  7. Rasheed187

    Registered Member | Joined: Jul 10, 2004 | Posts: 17,559 | Location: The Netherlands
    I'm looking for the solution in the right place, namely Windows. If you know that it's common practice for apps to install to Program Files, then make it writable for non-admins. If you already know that some apps need admin rights to function correctly, make a white-list. If you know that some users will be annoyed by UAC alerts during install, then make a "trusted apps" installation folder. This way there is no need to completely turn off UAC, and you would still be able to benefit from it during an exploit attack for example.
     
  8. @Rasheed187 is this so hard to understand? As Minimalist said, you are parroting your problem in the wrong place, so let's repeat it again until you grasp it:

    UAC can be set to silently elevate, so you won't see any UAC pop-up.

    Set UAC to block unsigned software from elevating.
    This reduces the admin space infection risk to 10%, while still being able to RUN unsigned software.

    Set Smartscreen to require admin consent
    when running unknown software downloaded from the internet. So you are using a cloud whitelist against drive-bys and shot-in-the-foot user errors (see picture in post 17, "Windows protected your computer").
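
    The three settings in the post above map onto a handful of registry values. The PowerShell below is an added example, not the original poster's reg files: it reads the current state, applies the silent-elevate-signed-only combination, and rolls the UAC part back to the Windows defaults. It assumes Windows 8.1 or a 2015-era Windows 10, where desktop SmartScreen reads the SmartScreenEnabled string under the Explorer key; the UAC value names and meanings are Microsoft's documented policy values, and the Set- functions must run from an elevated prompt.

```powershell
# Added example (not from the thread). Audit and apply the UAC + SmartScreen
# combination described in post 8. Run from an elevated PowerShell.
# Assumption: Windows 8.1 / 2015-era Windows 10, where desktop SmartScreen reads
# Explorer\SmartScreenEnabled ("RequireAdmin", "Prompt" or "Off").

$UacKey         = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$SmartScreenKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer'

function Get-ElevationPolicy {
    # Read what the machine is doing right now.
    $uac = Get-ItemProperty -Path $UacKey
    $ss  = Get-ItemProperty -Path $SmartScreenKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        EnableLUA                   = $uac.EnableLUA                    # 1 = UAC on (split token)
        ConsentPromptBehaviorAdmin  = $uac.ConsentPromptBehaviorAdmin   # 0 = silent, 2 = consent, 5 = consent for non-Windows binaries
        ValidateAdminCodeSignatures = $uac.ValidateAdminCodeSignatures  # 1 = only validly signed executables may elevate
        PromptOnSecureDesktop       = $uac.PromptOnSecureDesktop
        SmartScreenEnabled          = $ss.SmartScreenEnabled
    }
}

function Set-SilentSignedOnlyElevation {
    # Keep UAC itself on: admins still run at medium integrity until something elevates.
    # Changing EnableLUA needs a reboot; the other values apply to the next elevation.
    Set-ItemProperty -Path $UacKey -Name EnableLUA                   -Type DWord -Value 1
    # 0 = elevate without prompting: no pop-ups, which is the "silent" part.
    Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorAdmin  -Type DWord -Value 0
    # 1 = an executable must carry a valid Authenticode signature to elevate;
    # an unsigned installer is refused instead of silently getting admin rights.
    Set-ItemProperty -Path $UacKey -Name ValidateAdminCodeSignatures -Type DWord -Value 1
    # Downloads with no reputation then need an explicit admin override to run.
    Set-ItemProperty -Path $SmartScreenKey -Name SmartScreenEnabled -Type String -Value 'RequireAdmin'
}

function Set-DefaultElevation {
    # Windows defaults: consent prompt for non-Windows binaries, no signature requirement.
    # SmartScreen is left alone on purpose; its default differs per Windows build.
    Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorAdmin  -Type DWord -Value 5
    Set-ItemProperty -Path $UacKey -Name ValidateAdminCodeSignatures -Type DWord -Value 0
}

function Test-WouldElevate {
    # Preview of the signature gate: with ValidateAdminCodeSignatures=1 only a file
    # whose signature validates may elevate. This performs the same Authenticode
    # check without launching anything. (Catalog-signed Windows binaries report
    # Valid on Windows 8+; PowerShell 2.0 on Windows 7 may report them NotSigned.)
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path     = $Path
        Status   = $sig.Status                       # Valid, NotSigned, HashMismatch, ...
        Signer   = $sig.SignerCertificate.Subject
        Elevates = ($sig.Status -eq 'Valid')
    }
}

Get-ElevationPolicy
Test-WouldElevate -Path "$env:SystemRoot\System32\notepad.exe"
```

    Two caveats a practitioner should keep in mind. "Validly signed" is not "trustworthy": a stolen or cheaply bought code-signing certificate passes this gate, and with ConsentPromptBehaviorAdmin set to 0 anything that passes it elevates with no prompt at all, so the setting trades the prompt for a signature check rather than adding a second barrier. On a domain-joined machine Group Policy will overwrite these values at the next refresh, so they have to be set through policy there.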
     
  9. Rasheed187

    Registered Member | Joined: Jul 10, 2004 | Posts: 17,559 | Location: The Netherlands
    I will check out the tweaks, and will report back. But like I said, my posts were not meant to criticize your idea, it was just a general rant against UAC, so there isn't anything for me to understand. But honestly, when you're already using anti-exe, sandboxing and HIPS, there really is no need to keep UAC enabled. I now have it running in auto-elevate mode, which is a risk in theory, but that's why I'm using security tools.
     
  10. Minimalist

    Registered Member | Joined: Jan 6, 2014 | Posts: 14,883 | Location: Slovenia, EU
    Program Files should be writable to non-admins?? There should be a trusted apps installation folder?? That's the same as saying there should be no restrictions for limited users. Just run as admin, disable UAC and you will have what you want. Or try the approach that Windows_Security suggested.
    As said before, UAC is not a security feature, it's a convenience feature (so you don't have to give admin credentials when doing admin stuff).
     
  11. Rasheed187

    Registered Member | Joined: Jul 10, 2004 | Posts: 17,559 | Location: The Netherlands
    I already have what I want, and of course I was talking from a "running as admin" point of view. When you're a limited user, you shouldn't be complaining about UAC anyway. My point is: because of all the annoyances I had to disable UAC, this means that it doesn't give me any security advantages, and in a way it can be seen as a security feature, because it might be able to protect against exploits that are trying to elevate to admin rights. And obviously, you should be able to lock down all the things that I mentioned, if you want to restrict limited users.
     
  12. rethink

    Registered Member | Joined: Jan 13, 2015 | Posts: 75
    Is this applicable to Windows 7 also?
     
  13. @rethink,

    UAC is the same, only Smartscreen is not on the desktop with Windows 7. To prevent downloaded executables from running you need to apply the 1806 trick. There should be some old post of mine on how to switch download protection on/off (Kees1958).

    Regards Kees
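
    For the Windows 7 side, the 1806 trick referred to above, as an added example and not Kees1958's original post. It assumes, from Microsoft's documented zone settings, that the trick means setting action 1806 ("Launching applications and unsafe files") to 3 (Disable) in the Internet zone (zone 3) under HKCU, which makes the Windows attachment manager refuse to launch files carrying a Mark-of-the-Web with ZoneId=3. The script toggles the setting, shows the Zone.Identifier stream the check relies on, and constructs a marked dummy file locally so the behaviour can be observed without downloading anything (PowerShell 3.0 or later for the -Stream parameters).

```powershell
# Added example, not part of the thread. Toggle the "1806 trick" on Windows 7
# and inspect the Mark-of-the-Web that it acts on.
# Assumption: 1806 = "Launching applications and unsafe files"; 0 = Enable,
# 1 = Prompt, 3 = Disable; zone 3 = Internet. Needs PowerShell 3.0+ for -Stream.

$InternetZone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

function Get-DownloadProtection {
    $v = (Get-ItemProperty -Path $InternetZone -Name '1806' -ErrorAction SilentlyContinue).'1806'
    switch ($v) {
        3       { 'on (files marked as downloaded are refused)' }
        1       { 'prompt' }
        0       { 'off (downloads run after the usual warning)' }
        default { 'not set (zone default applies)' }
    }
}

# The on/off switch; the same two values a pair of .reg files would write.
function Enable-DownloadProtection  { Set-ItemProperty -Path $InternetZone -Name '1806' -Type DWord -Value 3 }
function Disable-DownloadProtection { Set-ItemProperty -Path $InternetZone -Name '1806' -Type DWord -Value 0 }

function Get-MarkOfTheWeb {
    # Browsers write a Zone.Identifier alternate data stream on downloads;
    # ZoneId=3 means "came from the Internet zone", which is what 1806 keys on.
    param([Parameter(Mandatory)][string]$Path)
    $mark = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    foreach ($line in $mark) {
        if ($line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    }
    return $null   # no stream: the file is not treated as a download
}

function New-MarkedTestFile {
    # Constructed test file: a copy of a harmless binary, tagged as if downloaded,
    # so the block can be observed offline. Double-clicking it in Explorer with
    # protection on should be refused; Unblock-File strips the stream again.
    $dst = Join-Path $env:TEMP 'motw-test.exe'
    Copy-Item "$env:SystemRoot\System32\notepad.exe" $dst -Force
    Set-Content -Path $dst -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
    $dst
}

# Demo: mark, inspect, and show the state the shell will consult.
$f = New-MarkedTestFile
"1806 setting : $(Get-DownloadProtection)"
"ZoneId on $f : $(Get-MarkOfTheWeb -Path $f)"
```

    The protection only covers files that actually carry the stream: an executable pulled out of an archive by a tool that does not propagate the mark, copied through a FAT-formatted USB stick, or saved by a downloader that never writes Zone.Identifier is not affected, and Unblock-File (or the Properties dialog) removes it deliberately. On Windows 8 and later SmartScreen performs the same Mark-of-the-Web check with reputation added, which is why the reply below calls 1806 redundant there.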
     
  14. shadek

    Registered Member | Joined: Feb 26, 2008 | Posts: 2,538 | Location: Sweden
    Set UAC to auto block unsigned executables from elevating
    Set UAC to auto allow signed executables to elevate
    Have Smartscreen on.
    Running WSA.

    Any other Windows system policy I could tweak to eliminate more threats? 1806 trick? Is that possible in Windows 10? Used it in Windows 7. Using Chrome so I think I should be fine.
     
  15. Pretty light and strong setup :thumb:

    1806 is redundant on Windows 8 and above due to improved Smartscreen on the desktop.


    Regards Kees
     
  16. shadek

    Registered Member | Joined: Feb 26, 2008 | Posts: 2,538 | Location: Sweden
    Thanks for the input - and also, very good thread!
     
  17. tonino

    Registered Member | Joined: Jan 2, 2017 | Posts: 62 | Location: somewhere
    Hi Kees!

    I like this setup, it is very light! But when I enable it I can't open a very nice tool, "Hard Configurator" by Andy Ful.
    How can I whitelist it in UAC, or how can I open this exe?

    thanks Tonino!
     
  18. paulderdash

    Registered Member | Joined: Dec 27, 2013 | Posts: 4,644 | Location: Under a bushel ...
    Best you ask him on MT. I don't think he posts here anymore, unfortunately.
     
  19. tonino

    Registered Member | Joined: Jan 2, 2017 | Posts: 62 | Location: somewhere
    Thanks SHvFI! I tried opening it from Task Manager! It worked!
     
  20. shmu26

    Registered Member | Joined: Jul 9, 2015 | Posts: 1,550
    I really like this tweak. I made shortcuts to the reg files so I can switch back and forth easily. It is a lot easier than restricting yourself to a standard user account.
     
  21. Rasheed187

    Registered Member | Joined: Jul 10, 2004 | Posts: 17,559 | Location: The Netherlands
  22. wat0114

    Registered Member | Joined: Aug 5, 2012 | Posts: 4,066 | Location: Canada
    https://www.activecyber.us/activelabs/windows-uac-bypass
     
  23. itman

    Registered Member | Joined: Jun 22, 2010 | Posts: 8,593 | Location: U.S.A.
    I also assumed that max. UAC setting as posted previously, would detect the hidden privilege escalation. This is because the escalation was to "high" privilege; i.e. full admin level. It is the bypasses to System level that one needs to be concerned about.
     
  24. lucd

    Registered Member | Joined: Jan 30, 2018 | Posts: 782 | Location: Island of Woman
    I fully agree with what Rasheed187 said in every post on Wilders about UAC. Imagine what your life would be like if you didn't click the same thing over and over and over; damn, maybe you'd become a president in your country.
    Leaving it off also avoids calls from my mother asking me what to do: allow or not allow?

    And what he said covers passive malware or passive attacks; for active attacks it doesn't really matter what you have, you'd need a blue team.

    If you really need the placebo of feeling safe, HIPS and network-oriented tools like ESET with firewall.
    There are infinite ways to navigate around UAC (standard level) or SRP (not even on by default).

    Dunno if UAC does that well, but OSA is focused on system level privileges in the lockdown/experimental category, which is quite cool. Dunno if effective, but I caught stuff with it already; in most YT video hacks or hacks online you find, you see "system level privilege" after whoami.
     
    Last edited: May 14, 2021