Do you disable UAC?

Discussion in 'other anti-malware software' started by Overkill, Mar 2, 2016.

Thread Status:
Not open for further replies.
  1. Rasheed187

    Rasheed187 Registered Member

    Yes exactly, and UAC doesn't actually stop malware from running; it blocks it only if it requires admin rights.

    You're still missing the point. The alerts that I get from my security apps make sense, because they give me info about whether an app is trustworthy or not. A UAC alert doesn't provide me with that info. Don't forget, all app installers require admin rights, and portable apps may or may not require it.
     
  2. guest

    guest Guest

    @Rasheed187 I got it, you want clear info about why the alert pops up.

    You can't compare UAC with a behavior monitoring tool telling you about every system modification. UAC is just an elevation blocker, so it does its job quite well and gives you enough info (name, signer and path of the requesting process); after reading that info, you allow the elevation or not. This function helps to hamper some malware from getting higher privileges, that's it.

    Once you understand that, you don't need to disable it, since it works in association with your security tool as another watchdog.

    To take an analogy: you have your house protected by an ultra-sophisticated alarm system; it doesn't mean you don't need to lock your door.
     
  3. Martin_C

    Martin_C Registered Member

    (Warning - massive wall of text ahead. Have coffee within reach. :) )

    Sigh!! No, I'm not confused.

    But I see that once again @Rasheed187, you have managed to derail a thread with your massive postings about yet another topic that you have no clue about.

    I'm sure you're a very lovable person when met in the real world and I do not mean to offend you, but I must say that I find your massive postings of wrong information to be problematic.

    It's problematic because Wilders is a big site that has been around for many, many years.
    Not only are there a lot of members here, but a hundred times more people are just passing through Wilders in their search for an answer to their IT questions.
    Due to the number of posts and threads combined with the number of years Wilders has been active, it's pretty much impossible to Bing/Google an IT question and not have a Wilders thread pop up high on the search results.

    You like to debate issues. Nothing wrong with that.
    The problem lies in the fact that whenever you start to pick up interest in a subject, then you begin to wonder how things might be, could perhaps be, or wonder what if, without ever checking if that is true. You never test anything or get your hands dirty.
    You just assume something must be a certain way.
    Next you start posting how you think that something works, and when you reach 8-10 posts on any given subject, then in your mind these fantasies become proven facts to you.
    Usually it doesn't take long before others try to explain that there must be something you have misunderstood and kindly lead you in the right direction - and then all hell breaks loose, and you make even more misinformed posts because you refuse to accept that you have the wrong idea about the subject discussed.

    We saw it in the "Sandboxing Chrome" thread that is mostly filled with your unproven ideas about Chrome needing an additional sandbox around its own sandbox in order not to be instantly owned when online. Lots of users passing through Wilders got confused and thought they were in danger.
    We see it in the exploit-blocker threads for EMET, HitmanPro.Alert and MBAE where you repeatedly claim that the developers are doing it wrong. Next you always state that you don't really know how the features are implemented, but "you just want the developers to do everything different than what they currently do".
    Again lots of confused users passing through Wilders, who can't make heads or tails of all the mess those threads have turned into.
    And we see it repeatedly every single time a thread about UAC is posted. Then you become really excited and ramble on and on about UAC not being a HIPS and therefore you think it must be "retarded", as you so kindly told me in one of the many UAC threads not so long ago.
    Again tons of users passing through Wilders over the years have been very, very confused due to the massive number of misinformed posts you make.
    And now you have begun rambling in the Bouncer thread, again with things you have not tested and that you do not understand how they work.

    I find all of this to be an unfortunate mess, because such posts affect a huge number of especially unregistered users for years to come.
    Your FUD is simply dangerous.

    For the last time - the UAC prompts are just a tiny fraction of the OS's protection of system areas. It's the small visible part that end users see.
    The entire system is built upon the fundamental principles of keeping user land and system areas separated, limiting privileges, separating privileges. These fundamental principles have been the foundation of every major OS dating back to UNIX. Implemented in different ways, but I'm not even going to touch on that since you already have huge problems wrapping your head around the UAC implementation.

    This works and works well.
    It doesn't matter if you like it or understand it or approve of it, @Rasheed187.
    Every OS vendor does it because it has proven to be effective. In theory as well as in actual use.

    When UAC was implemented with Vista, the tech media flooded their sites with stories about how impossible it would be to use Vista - how dare the OS show a prompt. And over a few months the global IQ dropped collectively, and forums were bursting with users unable to think for themselves, so they just agreed with the stories in the press.
    The usual story of the masses - why try something first hand when it's so much easier to just repeat something somebody else said and fear the unknown.

    IF the tech media would for once in their existence have done something wise, then they would have spent a few months massively informing why Microsoft had implemented UAC, why it was of utmost importance to get away from the unfortunate default-full-admin of the time.
    Had the tech media done that, then the entire Windows ecosystem would have been a lot safer from that point on.

    But no - as always, every change is transformed into a disaster in the press, because disaster stories are better click-bait than informative stories, and the more clicks - the more money in the media's pockets.

    So in the end Microsoft had to dumb down the implementation when Win7 was released and allow a bunch of their own binaries to silently auto-elevate, and at the same time introduce a couple of new UAC levels that allowed this without notifying the user.

    This was only done due to users like you @Rasheed187, that refused to learn but just went on and on in forums about how they could not manage to differentiate between when to click and when not to.
    And this dumbed down UAC level with silent auto-elevation (and without proper validation) is the sole reason UAC bypasses became a problem.

    Which means - set UAC to max and use a standard user account and silent auto-elevation will NOT happen and you will have NO UAC bypasses.

    Tons of users have tried to explain this to you.
    I'm surprised to see @safeguy show up in this thread, because he is one of many that in the past have put in a lot of hours trying to explain this to you.
    He must be shaking his head when seeing this subject come up again.

    Again and again, the many users who experiment with new malware found fresh ITW daily will tell you that UAC blocks the samples.
    In this thread alone I notice @illumination, who is very active in the malware hub on another site, tell you that UAC blocks the samples from gaining foothold in system areas.

    As always, you ignore facts that tell you that you have misunderstood the discussed subject.

    @hjlbx even did a test just for you with UAC at default when running the Cerber ransomware currently circulating.
    And even with UAC at default it was blocked.

    Again you ignore facts that show UAC works as intended.

    When a link to Malwarebytes' report of the Cerber ransomware was posted here, you instantly replied:

    No, @Rasheed187 - HIPS are not needed.
    Set UAC to max and use a standard user account, and no UAC bypasses.
    And on top of it - the specific sample in question was ALSO stopped with UAC at default, as shown here in the thread.

    When this kernelmode link was posted you thought it was something new.
    It's not. It's the well-known auto-elevation problem that is mitigated if you just set UAC to max and use a standard user account.

    Next, your constant mentioning of HIPS - it's 2016, nobody cares about classic HIPS. Nobody. Not a living soul. Why do you think that there are only two persons active in the HIPS thread?

    If you moved from Win7 to Windows 10, you would know that the entire OS now monitors for suspicious behavior.
    Anything introduced to system will have its behavior tracked. Vertical and lateral movement are recorded in the Persisted Store.

    UAC has been expanded in Windows 10 (now called Smart UAC), and anything requesting elevation will result in a deep scan of the file/process in question. If known malicious, the file/process is blocked and removed.
    If not known malicious, then findings are added to the Persisted Store.

    AMSI is introduced in Windows 10, capable of scanning files, memory, streams, URL/IP content and reputation checks, tapping into scripting engines. If dynamically created, doesn't matter. AMSI has time to piece together the pieces. If obfuscated, doesn't matter. AMSI has time to wait for the point in time when it is unobfuscated. And again, findings are added to the gathered intel about the suspicious file/process/script or whatever is in question.

    Why do I mention all this?? Because THIS has value. It's the chain of events that has value.
    This gathering of information can paint a picture that deem something suspicious into being malicious.

    Not your HIPS obsession that just screams about individual events - a loaded b, x injected in y and so forth. Who gives a flying >insert profanity of choice here<??
    Those HIPS prompts are like seeing 1 single frame of a movie and then being asked to write an essay about the entire movie.

    The across-time behavioral analysis is a thousand times more meaningful and valuable than your freeze-frame HIPS prompts.

    It doesn't matter if it's a quick'n'dirty rush attack or a slow moving sleeper. The behavior will be tracked.

    Windows Defender will tap into this data in the Persisted Store, as well as the cloud will chime in with intel from the masses, resulting in suspicious behavior ending up deemed malicious.

    If you can't see the benefits of this as opposed to your click-click-click-click-click-click local freeze-frame HIPS's, then I start to wonder if you just participate in these debates with your FUD posts with the sole purpose of causing mayhem.

    I fully agree with @Hiltihome's post:

    You are on a tireless war against every single security mechanism built into the OS, with your constant FUD statements in so many threads.

    It's two interesting questions @Hiltihome asks - "whom are you fighting for?" and "who pays you?"

    No matter what the answers might be, you are surely putting many, many Wilders visitors at risk.

    To wrap all of this up, UAC does exactly as it says on the box.
    Set UAC to max and use a standard user account, and the silent auto-elevation bypasses are blocked.
    This leaves attackers to rely on exploits. Upgrade to Windows 10 x64 and a huge portion of those are mitigated. Add an exploit blocker and any remaining entries into the system have been reduced even further.
    This pretty much leaves attackers with either staying in user land or performing social engineering. Both of these are mitigated in the same way - make sure Windows Defender is activated and has its Cloud fully activated, make sure SmartScreen is activated both in the browser and system-wide and set it to require Admin approval.
    (I noticed your remarks about SmartScreen earlier in the thread, and again you showed yourself to be misinformed - not only is SmartScreen a reputation database system-wide as well as in the browser, but as of December 2015 it also targets zero-day drive-bys)

    And if in enterprise environment, then add Device Guard to the above, sign your own in-house binaries and only allow binaries signed by Microsoft or your own certificate to run.

    Like I have said before - test for yourself instead of posting things that aren't true.

    Like @guest said to you, test this yourself and you will see that you have misunderstood this subject.

    Like @Windows_Security told you in the bouncer thread - why don't you test things for yourself and you will suddenly understand.

    It's not difficult @Rasheed187.
    Load Windows 10 x64.
    Set UAC to max.
    Windows Defender activated with both cloud options enabled also.
    SmartScreen activated in both browser and systemwide and set to require Admin approval.
    Password on Admin account.
    Enable a standard user account and use this account at all times.

    The only thing that makes sense to add is an exploit blocker of choice.
    (and optionally an adblocker to stay sane on the world wide web of today - but that is cosmetic and off topic to this thread)

    That was a long post. The short version would have been - "test and educate yourself instead of posting FUD that puts users passing through Wilders at risk", but since this is UAC thread number ~500 on Wilders, short posts apparently don't work.

    UAC is limiting the access and damage possible, and it does exactly as it is supposed to.

    If I may use an analogy, then let me ask you this - when your dog has diarrhea, do you then want it to have free access to every room in your house, or would you prefer its access was restricted to a single room?

    (if anybody fell asleep during this post, then I'm truly sorry and apologize :) )
     
  4. hjlbx

    hjlbx Guest

    The problem with HIPS is that all the vendor products have one problem or another - especially on 64 bit\Patch Guard systems.

    COMODO & ESET - disappearing rules
    SpyShelter - cannot detect Hollow Process and memory injections
    McAfee - past problems with whitelisted processes abused and causing bypasses

    I'm of the opinion that a truly effective\functional HIPS would be the best protection in the right hands.

    But therein lies the problem, one has to practice with malware to familiarize themselves with malware behaviors - and recognize an infection as it unfolds on the system.

    The best solution is not to execute any unknown files on your system to begin with.

    So what can you do?

    AppGuard + NVT ERP + HMP.A or other effective combos that do offer equivalent protections.

    Like I said, UAC is just another tool for the user's imperfect tool bag.
     
  5. Quoting hjlbx:
    "AppGuard + NVT ERP + HMP.A or other effective combos that do offer equivalent protections."

    I agree with @Martin_C: User Account with UAC (set to deny elevate unsigned), SmartScreen (require Admin consent) would do the trick running in a standard user account, combined with AV and Adblocker, and chances are near zero an average PC user will ever get infected. On Windows 10 I keep Windows Defender as AV, because it is OS-aware (gets all OS-tracking data to make sophisticated decisions).
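    The following is an added, read-only PowerShell audit (not code from the thread or from any poster) that checks a Windows 10 machine against the checklist in Martin_C's post above (UAC at max, Defender with both cloud options, SmartScreen requiring Admin approval, a standard user account) and the "deny elevate unsigned" setting mentioned in this post. It assumes the documented registry locations for the UAC and SmartScreen policies and the Get-MpPreference Defender cmdlet; the expected values are my reading of the posts, not numbers the thread states.

```powershell
# Added example, not from the thread: read-only audit of the UAC / SmartScreen /
# Defender settings recommended in the posts above. It changes nothing.
# Assumed: the documented policy keys below and the Defender cmdlets of Windows 10.

function Get-RegValue($Path, $Name) {
    # Returns $null when the value is absent (i.e. the OS default applies).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null } else { return $item.$Name }
}

function Test-ThreadHardening {
    $uac      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $explorer = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer'
    $mp       = Get-MpPreference          # Windows Defender preferences
    $id       = [Security.Principal.WindowsIdentity]::GetCurrent()

    $checks = @(
        @{ Name = 'UAC enabled (EnableLUA)'
           Actual = Get-RegValue $uac 'EnableLUA';   Pass = { $args[0] -eq 1 } }
        # "Set UAC to max" = slider at "Always notify": 2 = prompt for consent on the
        # secure desktop for every elevation; the default 5 lets signed Windows
        # binaries auto-elevate silently, which is the bypass class the post describes.
        @{ Name = 'Admin prompt = always notify (ConsentPromptBehaviorAdmin)'
           Actual = Get-RegValue $uac 'ConsentPromptBehaviorAdmin'; Pass = { $args[0] -eq 2 } }
        @{ Name = 'Prompt on secure desktop (PromptOnSecureDesktop)'
           Actual = Get-RegValue $uac 'PromptOnSecureDesktop'; Pass = { $args[0] -eq 1 } }
        # Post 5's "deny elevate unsigned": only signed and validated executables may elevate.
        @{ Name = 'Elevate only signed binaries (ValidateAdminCodeSignatures)'
           Actual = Get-RegValue $uac 'ValidateAdminCodeSignatures'; Pass = { $args[0] -eq 1 } }
        # System-wide SmartScreen: 'RequireAdmin' is the "Get administrator approval"
        # option on the Windows 8.x / 2016-era Windows 10 builds the thread discusses.
        @{ Name = 'SmartScreen requires Admin approval (SmartScreenEnabled)'
           Actual = Get-RegValue $explorer 'SmartScreenEnabled'; Pass = { $args[0] -eq 'RequireAdmin' } }
        # Defender cloud options: MAPSReporting 0 = off, 1 = basic, 2 = advanced;
        # SubmitSamplesConsent 1 = send safe samples, 3 = send all samples.
        @{ Name = 'Defender cloud-based protection (MAPSReporting)'
           Actual = [int]$mp.MAPSReporting; Pass = { $args[0] -ne 0 } }
        @{ Name = 'Defender automatic sample submission (SubmitSamplesConsent)'
           Actual = [int]$mp.SubmitSamplesConsent; Pass = { $args[0] -in 1, 3 } }
        # "Use a standard user account": the token must not carry the local
        # Administrators SID at all. A UAC-filtered admin token still lists it
        # (deny-only), so an admin account fails this check on purpose.
        @{ Name = 'Running as a standard user (no Administrators SID in token)'
           Actual = $id.Name; Pass = { $id.Groups.Value -notcontains 'S-1-5-32-544' } }
    )

    foreach ($c in $checks) {
        [pscustomobject]@{
            Check  = $c.Name
            Actual = if ($null -eq $c.Actual) { '<not set (default)>' } else { $c.Actual }
            Pass   = [bool](& $c.Pass $c.Actual)
        }
    }
}

Test-ThreadHardening | Format-Table -AutoSize
```

    Run it from the account you use day to day, not an elevated console, or the last check will report the elevated token rather than your normal one.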
     
  6. hjlbx

    hjlbx Guest

    I test online exploit pages. OS tweaks, built-in OS protections, combined with AV do not always protect because my setup is for testing and running as limited Admin.

    However, I will admit, for what you suggest the probability that an infection will happen during typical use is very low indeed; probability greatly favors no infection.
     
  7. Rasheed187

    Rasheed187 Registered Member

    LOL, may I ask, are you a professional comedian? So much text, but you ain't saying nothing, at least nothing new. I can't believe that I actually read most of that crap. To me UAC is useless and annoying; you can write a whole book about UAC, but that isn't going to change.

    Let's face it, it's clear that you didn't understand what was said in the Chrome and Bouncer and any other thread. You clearly don't have the technical know how, so that's why you get confused. But don't project your confusion on other Wilders users. And stop spreading FUD about me, that's my advice. Because you made a complete fool of yourself and wasted people's time.
     
  8. Rasheed187

    Rasheed187 Registered Member

    No, you didn't get it, I'm saying that to me an elevation blocker like UAC is not needed. A HIPS could easily implement the same feature, but developers don't because the fact that some process requests admin access doesn't tell you anything.

    Well, it might tell you something strange is going on when it pops up out of the blue, but HIPS and anti-exploit try to block exploits at an earlier stage. And again, not all malware needs admin rights. So that's why to me UAC is not needed, but if people think it's a nice security layer, it's fine with me.
     
  9. Rasheed187

    Rasheed187 Registered Member

    You still seem to misunderstand why I keep bringing up HIPS, it's because those alerts have value to me, a UAC alert has not. You don't know anything about HIPS, so you will probably not know what I mean. You also keep mentioning that nobody cares about HIPS, how is that even relevant? Does anyone even care? Is it supposed to hurt my feelings LOL?

    You keep saying, test it yourself, but there isn't anything to test, if you already know you're about to run malware, then of course you are going to block it from elevating. Also, if SmartScreen and Win Defender are so good at blocking attacks, why do you need UAC? Logic clearly isn't your strongest point.
     
  10. Martin_C

    Martin_C Registered Member

    Of course.

    So many users repeatedly tell you to test things for yourself, because your postings are one big mess and nothing but FUD end to end.

    You always state that you don't need to test, because you once read something that you thought perhaps meant something, so no reason to test things for yourself.

    Every post on this site here with tests showing you that you are wrong is just ignored by you.

    And then you call me a confused comedian o_O o_O

    Of course, Rasheed187. Of course.
     
  11. Rasheed187

    Rasheed187 Registered Member

    That's once again you spreading FUD. No offense, but if all these technical discussions are way over your head, perhaps Wilders Security isn't the right place for you. Did you ever think about that? Just because you didn't understand a single thing of what I posted in this and other threads doesn't mean others don't, and also doesn't mean I wasn't right.
     
  12. Martin_C

    Martin_C Registered Member

    So since so many users, including me, are saying the same thing to you - then, according to you, none of us are bright enough to be active here on Wilders ??

    It's pretty much just you, that has the right opinions and fully understands anything discussed here in any thread.

    Okay. Interesting.

    Edit: Not going to waste more time on this, because I can see it is impossible to get to a point where you realize that perhaps it's not everybody else that is wrong, and I predict this thread will just turn into a downward spiral of mud throwing.
     
    Last edited: Mar 21, 2016
  13. Rasheed187

    Rasheed187 Registered Member

    No it's just you, let me explain it:

    I'm not trying to convince anyone to disable UAC, I'm explaining why to me it's pointless.

    In the Chrome thread I was not trying to convince anyone to run SBIE on top, I was explaining that if they did, they would not be more at risk, they would most likely be even safer. In the Bouncer thread I was trying to explain that protection against code-injection, isn't the same as protection against "code execution" exploits. And finally, in the HMPA thread I was mostly trying to come up with ideas to make it less prone to conflicts with other tools.

    All of this was misunderstood by you, which leads me to the conclusion that you don't have any technical know how, so telling me that I made a mess of those threads is quite laughable, especially coming from you, someone who clearly doesn't know how to interpret posts.
     
  14. TonyW

    TonyW Registered Member

    Unfortunately the average home user probably doesn't know about HIPS. I suspect Microsoft's UAC is their attempt to bridge the gap between using more sophisticated tools to address a form of executable protection for that group of users. It is simple and basic but questions them about running an application on their system. Some users here want/need a more comprehensive tool set that provides additional info and/or security. Some may even be happy using UAC with or without other security software.

    For the record I don't use UAC or HIPS software.
     
  15. guest

    guest Guest

    You may be right, MS in every version of Windows tried to make it more usable for the average users. UAC is simple enough and combined with the other built-in security tools provides decent protection.
     
  16. Martin_C

    Martin_C Registered Member

    You can tell a lot about a person by looking at how they respond to criticism.

    There are people who reflect upon what the opposing side has to say, and are always ready to consume new input and broaden their views.
    They will get far in their life.

    And then there are people who immediately start to kick and scream and claim the opponent is not intelligent enough to understand the discussed subject.
    They will never accept that the world might not be flat.
    They will isolate themselves.
     
  17. Rasheed187

    Rasheed187 Registered Member

    LOL, weak comeback. I mean, that's like the pot calling the kettle black. I called you "confused" and that triggered one of the most pathetic posts ever made, full of FUD. And not a single thing I mentioned about you misunderstanding my posts was untrue, so I don't believe it was an unfair conclusion to make.
     
  18. new2security

    new2security Registered Member

    Agree.
    Also I don't understand why some people compare UAC with HIPS and then say UAC sucks because it doesn't work like his/her HIPS.
     
  19. Rasheed187

    Rasheed187 Registered Member

    You missed the point. I'm saying that if you use HIPS and other tools like anti-exploit, UAC is pretty useless. Others don't agree, because they see UAC as an extra security layer that isn't annoying to them. That's all.
     
  20. Martin_C

    Martin_C Registered Member

    Since so many users here and especially me are apparently so incredibly stupid according to you and you are so extremely intelligent - then show us.

    Try the setup that both I and others have mentioned again and again in this thread.
    On page 8 alone of this thread I see three different users mentioning pretty much the same setup.

    Dazzle us with your apparently superior intellect and show stupid me how you manage to surf around with that setup and boom - be infected.

    Everything is possible, but considering how many users here haven't seen it happen - and this is Wilders, after all - it must be extremely rare.
     
  21. FleischmannTV

    FleischmannTV Registered Member

    @Martin_C

    I really appreciate your replies in this thread. Thank you.
     
  22. Rasheed187

    Rasheed187 Registered Member

    What the hell are you talking about? You're still confused? For the record, I have been running as admin for 14 years and I never got infected. I could also say: run with HIPS in auto-block mode (no alerts) and see if you can get infected. That isn't the point of this discussion, is it? I already said numerous times that there isn't anyone wrong or right in this thread; it's a matter of preference. So I'm not sure why you're so emotional. Oh wait, probably because I called you confused LOL.

    LOL, I can also appreciate a good comedian once in a while.
     
  23. Well, judging by the reaction of FleischmannTV, he is not alone. Have a look at the Bouncer thread that Martin_C is referring to and read back your responses; to quote a few, to 4Shizzle: "You have to be kidding me", or to me: "You are completely missing the point". There are more people not following you.
     
    Last edited by a moderator: Mar 21, 2016
  24. Martin_C

    Martin_C Registered Member

    Ah, so when told to put your money where your mouth is, then all we hear from you is:
    But ..
    But ..
    Wait ..
    What ..
    Why ..

    And then a big no-show from you.

    Oh, and by the way - I'm not the one being emotional.
    You're the one who is trying to put on a show with all your "LOL"'s all over the place, while you're desperately backpedaling.
     
  25. Martin_C

    Martin_C Registered Member
