Do you disable UAC?

Discussion in 'other anti-malware software' started by Overkill, Mar 2, 2016.

  1. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,351
    Location:
    Europe, UE citizen
    Naturally I agree!!

    Another option could be to surf the Web with a dedicated Linux live CD combined - it's obvious - with a hardware firewall.
     
    Last edited by a moderator: Mar 19, 2016
  2. hjlbx

    hjlbx Guest

    "There is no chance that UAC can be bypassed."

    This is not correct. Anyone can verify directly with Microsoft that there is some malware that can disable UAC by exploiting privilege escalation bugs even when set to "Notify always."

    For example, variants of Win32.Sality and Win32.Zbot.

    Malware authors are always pen-testing consent.exe; UAC is not absolutely "bullet-proof."

    Despite this fact, UAC is a worthwhile protection mechanism.
     
  3. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,438
    Location:
    Slovakia
  4. hjlbx

    hjlbx Guest

    I agree. That is why it is important to monitor\block vulnerable processes shipped with Windows - NET assemblies, host processes, regedit, etc.

    I just think the whole enable\disable UAC debate is ludicrous. UAC is just another security tool for the user's tool box that isn't perfect.
     
  5. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,438
    Location:
    Slovakia
    I was just referring to blaming Windows security features for not working; well, they do work, but people have to use all of them, not just some.
    Defender actually monitors and notifies about registry changes, added startup entries and such, so Windows does a great job overall.
    Well put, it is like saying, do not use AV, because it will never detect 100% of malware. Still interesting reading, like the "what is the best AV" discussions.
     
  6. hjlbx

    hjlbx Guest

    I agree. Windows 10 security features are much better. I tested Webroot. A Win32.Sality installed a service. Webroot did not notify. Windows 10 did!

    "people have to use all of them" - :D (smile says everything)

    There are many Windows tweaks that can be performed to significantly increase system security. The problem is that the typical user doesn't know how to go about it. Also, doing all the tweaks requires a lot of time and effort: online research plus performing all the tweaks.
     
  7. hjlbx

    hjlbx Guest

    It is a pointless debate. The accurate answer is that the best AV (or security soft) is the one that works best for each specific user on their specific system.

    Create a good layered default-deny configuration that uses system tweaks, software restriction policies, reduce attack surface, use all security features possible, etc - then the AV debate is essentially moot.

    There is no right or wrong way to protect a system - it all comes down to what the user wants, what they are willing to tolerate, what they like.

    Expecting and pursuing perfectionism in IT security serves no purpose other than to mess with the user's head. :D
     
  8. guest

    guest Guest

    I tried this, it works efficiently.
    I personally installed Rollback RX and Shadow Defender, so I use one or the other or sometimes both, so I always have a clean system every time I log in :D
     
  9. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,351
    Location:
    Europe, UE citizen
    Some years ago I used Returnil; but virtualization and sandboxing can be bypassed, I read something about it in the past. Also, using VirtualBox is not absolutely safe. As you said in the previous post, if a true hacker wants to get into your system, he'll do it.
     
  10. hjlbx

    hjlbx Guest

    If you are targeted by someone that wants on your system, then all bets are off - eventually they will manage to get in if they are determined.

    Sandboxie has become much more secure over the years; bypass is rare.

    Shadow Defender - there have been only a couple of purported, but not definitively proven, reports of bypass.

    In the past, virtual machines have been bypassed.

    These facts don't necessarily mean that any of these products should not be used. While they are not perfect, they are nevertheless worthwhile - if you feel the need to use them.

    Same concept applies to UAC. It isn't perfect, but that does not mean it is worthless.
     
    Last edited by a moderator: Mar 19, 2016
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I'm not suggesting anything, I'm trying to figure out why people seem to think that UAC plays an important role in keeping their system safe. And I also explained why I decided to disable it, the main reason is because it's freaking annoying and does not provide me any security benefits. And M$ should have improved it, see link. Also, I'm not fighting a war, do you see me criticizing features like "Integrity Levels" or "PatchGuard"?

    http://www.makeuseof.com/tag/stop-a...ate-a-user-account-control-whitelist-windows/
     
  12. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,366
    Location:
    Italy
    The danger is signed malware:

    [Attached images: Immagine.JPG, 1.JPG]
     
  13. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    I kind of dislike prompts of any kind. I don't like messages, I don't like prompts. But I leave UAC on in my W7. The prompts are so rare that they don't bother me at all. I think having it on helps me as I know exactly when I should get a UAC prompt in my everyday usage of the computer, so, if I see a prompt that's unexpected, I would know something is probably not right.

    Bo
     
  14. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    Okay...well where did you obtain CTB.exe from? And from what I can see of the Publisher's name: "Mi You Ne..." that alone would trigger a red flag with me.
     
  15. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,366
    Location:
    Italy
  16. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    That doesn't ring a bell with me and is not one of my "go to" download sites.
     
  17. guest

    guest Guest

    So just do like a security noob: install a clean system in a VM, without any security softs, set UAC at max and download some malware; I think you may have your answer :D

    On the other side, as you said, if you have a lot of security softs (especially HIPS/BB/anti-exe) installed, the necessity of UAC is reduced since the malware should be blocked before UAC needs to kick in.
    Personally I still think leaving UAC enabled is still useful in any case.

    About UAC's prompts: those shouldn't be a valid reason to disable UAC (especially if you use a HIPS). If you can tolerate HIPS prompts (far more annoying), you can as well for UAC's ones.
     
  18. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    UAC has the advantage of making it possible to type a password upon each request. This is useful if you don't want other people installing things or accepting requests that you don't know of. Aside from that, it doesn't provide much useful information regarding the requests.

    So if information is the priority, a HIPS module is more desirable. A combination of HIPS + UAC is God, though ;)
     
  19. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    That's not wise ;) Do that with UAC at Max and EMET, and you'll end up with a ton of infections.
     
  20. guest

    guest Guest

    Maybe, but surely less than without UAC :D
     
  21. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,351
    Location:
    Europe, UE citizen
    If malware bypasses a strong HIPS set on high protection, I don't think that UAC can then do anything.
    Eventually, as a second line of defense, why not then use anti-exe software?
     
  22. Magic_The

    Magic_The Registered Member

    Joined:
    Jun 24, 2015
    Posts:
    40
    UAC is useless against well-coded malware, so it's pointless to turn it "on".
     
  23. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,626
    @Magic_The While I prefer not to use UAC personally, I don't think the fact that it won't help protect against some (probably a minority) of malware makes it useless.
     
  24. guest

    guest Guest

    If you check my Signature, you can see I'm using 2 anti-exe: Appguard + NVT ExeRadarPro :D

    I haven't yet come across malware that exploits your browser, downloads itself bypassing SmartScreen and Windows Defender, then runs itself and disables UAC at max on LUA. If you find one, please send me a sample.
     
  25. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I agree very strongly with this and have configured Windows like this for many years. Like the old days "over-the-shoulder" where an Admin needs to type in their password to authorize. I always think it is great to have an Admin account with a strong password and then creating a LUA/Standard account for daily use, both accounts with UAC on max. That way, running that daily LUA account, as you said, would require the password of the Admin account upon UAC prompt for any administrative functions. I still think that there are many merits to running Windows in this manner.
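
The setup described in the post above (UAC at its highest level for both the admin and the standard account, with elevation from the standard account requiring the admin password) can be audited from the registry values that hold the UAC policy. This is an added example, not part of the thread; the `New-Finding` helper and the "accepted" values are this example's own reading of "UAC on max".

```powershell
# Added example: audit UAC policy values against a "standard account + UAC on max" setup.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$p   = Get-ItemProperty -Path $key

# Meanings of each value as documented by Microsoft.
$switch = @{ 0 = 'Disabled'; 1 = 'Enabled' }
$adminModes = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop (slider: Always notify)'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries (Windows default)'
}
$userModes = @{
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for credentials on the secure desktop'
    3 = 'Prompt for credentials'
}

# Hypothetical helper: describe one value and flag it if it is missing
# or outside the set this example accepts (assumption, not a Microsoft baseline).
function New-Finding($Name, $Value, $Map, [int[]]$Accepted) {
    if ($null -eq $Value) {
        $meaning = 'value not set'
    } elseif ($Map.ContainsKey([int]$Value)) {
        $meaning = $Map[[int]$Value]
    } else {
        $meaning = 'unrecognised value'
    }
    [pscustomobject]@{
        Setting = $Name
        Value   = $Value
        Meaning = $meaning
        Ok      = ($null -ne $Value) -and ($Accepted -contains $Value)
    }
}

$findings = @(
    New-Finding 'EnableLUA'                  $p.EnableLUA                  $switch     @(1)
    New-Finding 'ConsentPromptBehaviorAdmin' $p.ConsentPromptBehaviorAdmin $adminModes @(1, 2)
    New-Finding 'ConsentPromptBehaviorUser'  $p.ConsentPromptBehaviorUser  $userModes  @(1, 3)
    New-Finding 'PromptOnSecureDesktop'      $p.PromptOnSecureDesktop      $switch     @(1)
)
$findings | Format-Table -AutoSize
```

Reading these values does not require elevation, so the check can be run from the daily standard account.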
     