UAC, SmartScreen & False Positives

Discussion in 'polls' started by VoodooShield, Jan 14, 2017.


When UAC or SmartScreen blocks an item, should that be considered a false positive?

  1. No

    37 vote(s)
    88.1%
  2. Yes

    5 vote(s)
    11.9%
Thread Status:
Not open for further replies.
  1. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    When UAC or SmartScreen blocks an item, should that be considered a false positive?
     
  2. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    UAC no (since it doesn't use detection mechanisms); SmartScreen might trigger an FP, but IMO not likely.
     
  3. guest

    guest Guest

    UAC blocks elevation requests, legit or not; this is its only purpose. It doesn't care about FPs.

    When an exe is executed, Win Def and SmartScreen will check first, then UAC will pop up if the said exe needs elevation.
     
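    The order of checks described in the post above can be verified per file. The PowerShell below is an added example (not code from the thread or from any product discussed in it): it reads the three signals that drive the behaviour described, the Zone.Identifier "Mark-of-the-Web" stream that SmartScreen looks for on downloaded files, the Authenticode signature that SmartScreen's application reputation is keyed on, and the `requestedExecutionLevel` in the embedded manifest, which is what decides whether UAC is consulted at all. The path is a placeholder; the manifest read is a plain text search over the PE bytes, which is an assumption that works for normally built executables but is not a full resource parser.

```powershell
# Added example: inspect one executable for the signals behind SmartScreen and UAC.
# $Path is a placeholder; point it at any downloaded .exe.
param([string]$Path = "$env:USERPROFILE\Downloads\example.exe")

function Get-ExeTrustSignals {
    param([Parameter(Mandatory)][string]$Path)

    $file = Get-Item -LiteralPath $Path

    # 1. Mark-of-the-Web: the Zone.Identifier alternate data stream browsers write.
    #    SmartScreen only evaluates files carrying it; ZoneId=3 means "Internet".
    $zone = $null
    try {
        $motw = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop
        $line = $motw | Where-Object { $_ -like 'ZoneId=*' } | Select-Object -First 1
        if ($line) { $zone = [int]($line -replace '^ZoneId=', '') }
    } catch { }   # no stream: file was not marked as downloaded

    # 2. Authenticode: SmartScreen reputation is built on the file hash and/or
    #    the signing certificate, so an unsigned file starts with no reputation.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # 3. Manifest requestedExecutionLevel (assumption: found by text search over the
    #    PE bytes). 'requireAdministrator' / 'highestAvailable' involve UAC;
    #    'asInvoker' (or no manifest) never triggers a UAC prompt.
    $text  = [System.Text.Encoding]::ASCII.GetString([System.IO.File]::ReadAllBytes($Path))
    $level = if ($text -match 'requestedExecutionLevel\s+level\s*=\s*"(\w+)"') { $Matches[1] }
             else { 'asInvoker (no manifest entry)' }

    [pscustomobject]@{
        File          = $file.Name
        ZoneId        = $zone
        FromInternet  = ($zone -eq 3)
        SigStatus     = $sig.Status
        Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        ExecLevel     = $level
        WillPromptUAC = ($level -in 'requireAdministrator', 'highestAvailable')
    }
}

Get-ExeTrustSignals -Path $Path | Format-List
```

    A file that shows `FromInternet = False` is never examined by SmartScreen no matter how suspicious it is, and a file that shows `WillPromptUAC = False` runs without any UAC involvement; both are worth keeping in mind when deciding what a "block" from either feature actually means.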
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    SmartScreen details:

    • Anti-phishing and anti-malware support. The SmartScreen Filter helps protect users from sites that are reported to host phishing attacks or distribute malicious software through socially engineered attacks. This protection is URL reputation-based, which means that it evaluates the URLs to determine whether they are known to distribute or host unsafe content. SmartScreen Filter also provides application reputation checks, which check the reputation of a downloaded program itself, or the digital signature that is used to sign a file. If the file or certificate has an established reputation, no warnings are shown. If the file does not have an established reputation, the user is at higher risk of malware infection and is shown a more severe warning. The reputation-based analysis in SmartScreen Filter is an additional layer of protection to help protect against malicious software.


    • Heuristics and enhanced telemetry. New heuristics combined with enhanced telemetry allow SmartScreen to identify and warn users about malicious sites more quickly.

    Ref.: https://technet.microsoft.com/en-us/library/jj618329(v=ws.11).aspx
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    UAC is crap, I don't even know why you bothered to open this thread. :D
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Disagree. UAC is an alert that an attempt is being made to escalate privileges. As such, the question about being a false positive frankly doesn't make any sense.
     
  7. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,614
    Location:
    Milan and Seoul
    I also disagree. I still remember when UAC was first introduced with Vista, some tests were done to check detection of rootkits by AVs. The testing team had to disable UAC as it blocked all rootkits before any AV could be tested... Some people might find UAC a hassle to deal with, but crap it is not.
     
  8. guest

    guest Guest

    I agree, most of the YouTubers have to disable UAC or SmartScreen to do their malware testing, because if they don't, their samples are blocked. Saying that UAC is crap shows a lack of understanding of it.
    UAC is just here to block unwanted elevation, legit or not; not to block every piece of malware in the wild... if a malware doesn't need elevation, UAC will stay quiet.

    Blocking malware is the job of SmartScreen and Windows Defender, and both combined do it quite well.

    UAC is like a stop sign. You can obey it and stop, then look both ways, left and right; you can disobey it and blast right through the intersection; or you can ignore it like a child and die miserably.
     
    Last edited by a moderator: Jan 16, 2017
  9. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    This could turn into a crazy conversation, so I will be as careful as possible ;). I agree with everything you said guest, even the "UAC is just here to block unwanted elevation, legit or not; not to block every malwares in the wild". I have read from a few different sources that UAC was implemented into Windows as an attempt to force developers to not have their applications run as admin, but rather to run as invoker. So yeah, its purpose is not to block malware.

    But the end result is that UAC turned out to be a half baked product, because it is not designed to block malware, and it only blocks applications that require admin approval, and basically does not perform one useful task well.

    Basically, UAC is a Windows feature in search of a purpose.

    Wouldn't it be better to just do it right, and implement application whitelisting instead? Yeah, I know there is AppLocker, but that is only for Pro versions and a 5-6 step process to whitelist each item.

    Anyway, I am not meaning to start a war with anyone here... I know how passionate people are about security software (especially UAC :)), but I was curious what you guys thought about these points.

    BTW, while they are at it... SmartScreen could use some file insight ;).
     
    Last edited: Jan 17, 2017
  10. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    If the user is logged in as a standard user, UAC becomes some kind of whitelisting. The user can run anything that doesn't need admin approval and can't modify the system.
    IMO the main problem with UAC is that programs want admin rights that they wouldn't need if they were built by developers having security in mind.
     
  11. guest

    guest Guest

    Not at all, you see it like this because you take UAC out of its context; UAC isn't supposed to work alone. Just do a small test: choose a program, disconnect from the internet, then when you want to run it SmartScreen should pop up; SmartScreen plays the role you expected from UAC. UAC just does what it was made to do; it is not a malware defense system, it just alerts and blocks a program from getting elevated rights. Anti-malware defense is the job of WinDef and SmartScreen.

    So you answered your own question ^^ business is business...

    Not sure what you mean by file insight; SS checks the program against a database.

    It is why I advertise the use of SUA.

    Yep, some apps require totally unneeded elevation... this is the backlash MS created by using an admin account as the default account. Linux learnt from that and did the right thing.
     
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Actually, MS currently and always has recommended running as a standard user. If you run as a standard user for regular PC activities such as browsing, you will not receive any UAC alerts because privilege escalation is not allowed. MS sets up a limited admin account by default since without one, you could not perform basic admin activities on your PC.

    Now I also realize what this posting is all about. That is, VoodooShield disables UAC which is unacceptable.
     
  13. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    OK, I didn't know that and my previous post was not meant for any specific software... or developer...
     
  14. guest

    guest Guest

    This is why we can't have nice discussions. :thumb:
     
  15. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    @guest, I see what you are saying, but what purpose does it serve to block files based on elevation of privileges? How does this help the end user? By file insight, I mean SmartScreen should provide more information about the file that is being blocked. SmartScreen has actually come a long way, and it is now quite effective, but it is based primarily on the digital signature and the prevalence of the file. It would be great if they would add some indicators of maliciousness as well, so the user is better informed.

    @itman, you know as well as everyone does that VS has not asked the user if they wanted to disable UAC for a very long time. The point is that UAC and Application Whitelisting are not subject to false positives... but once you add file insight to an Application Whitelisting utility, it is then subject to false positives.
     
  16. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I agree... it would be in everyone's best interest to make our discussions as grown up, civil and productive as possible.
     
    UAC protects admin space
    Since the Vista introduction, UAC has had an option to block unsigned elevation. After Windows 7 turned out to be a success, most software companies chose to get their software signed.

    Smartscreen protects user space
    Smartscreen replaced the dumb "untrusted sources" pop-up to warn users a program came from the internet and is another push to get software signed.

    AI/ML
    The trick will be to prevent the 4% malware which is signed from entering your system. When AI/ML blocks installers from an already installed program or from a reputable well known software supplier, I would call that a FP.
     
  18. What an epiphany, that is something more people should do, let's make SU great again, Do you run as Standard User?
     
  19. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    @Windows_Security, ok... cool, that helps. I really am just trying to get my head around this, which is why I created the poll in the first place.

    You said "The trick will be to prevent the 4% malware which is signed from entering your system. When AI/ML blocks installers from an already installed program or from a reputable well known software supplier, I would call that a FP."

    I agree with the "already installed program" part... that would obviously be a false positive. On a side note, it is funny that you mention this though, because UAC will continue to prompt because the file is not actually whitelisted after the user allows it. I have actually seen brand new laptops with preloaded manufacturer utilities being blocked by UAC, each and every time the file is launched ;).

    But more importantly... regarding "reputable well known software supplier"... my point is that the file is blocked either way, by UAC or Application Whitelisting, so how does adding file insight to an Application Whitelisting block make it acceptable to call it a false positive?

    Also, I am simply suggesting that out of all of the available "features" of a file, elevation of privileges is one of the least useful in terms of actually performing a helpful function.

    I really am confused ;).
     
  20. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    To put it another way...

    Application Whitelisting's main purpose is to stop malware.

    If UAC was not designed to block malware, what is its purpose?
     
    That is why I have set UAC to elevate signed programs silently (block unsigned) and added SRP basic user as default (to allow install with run as admin). With Vista, UAC threw so many pop-ups my wife blindly clicked YES. Windows 7 UAC improved a lot, but I have used this since our Vista Business licenses.
     
  22. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    I think @guest said it best:
     
  23. Hey Dan,

    Let's use the first principle in RUP/Extreme Programming/Agile development: BE HUMBLE, use what is already there.

    Why not use SmartScreen to validate GREYWARE? See link "RUN BY SMARTSCREEN". This has the advantage that you don't have to build and maintain a cloud-based whitelist :D

    So auto-pilot mode blocks known malware (AV-blacklist scan), blocks executables with unsafe AI rating (say 0.3 and higher) and checks whether AI-ML blocked program has same signature as already installed programs. When YES prevent FP and allow depending on user settings. When the new program does not have a signature of an already installed program, run the executable through Microsofts cloud using RUN BY SMARTSCREEN. When it is blocked by Smartscreen it is definitely risk-ware.

    SO user could choose a notification scheme
    - SAFE: allow silently, allow with tray notification, let user decide
    - GREY: run by smartscreen silently, run by smartscreen with tray notification, let user decide
    - RISK: block silently, block with tray notification, let user decide

    In this scenario RUN BY SMARTSCREEN would replace CUCKOO sandbox
     
    Last edited by a moderator: Jan 17, 2017
  24. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    I guess I am not following you on this.

    UAC is about privilege escalation. SmartScreen in reference to downloads is a reputation check. Both are distinct, different, and independent protections. Whitelisting is context dependent; it only applies to the security product it is used in. UAC and SmartScreen within Win 10 are global protections, again independent of any third party security software protections.

    I will also add that Win 10's SmartScreen download reputation protections outside of the browser are limited in scope, as noted in this test by SANS where two identical ransomware samples were downloaded by different means: https://www.wilderssecurity.com/thr...-for-business-beta.387755/page-4#post-2645421 . The solution to this problem is to use Run By SmartScreen as @Windows_Security has elaborated on above, which adds a UAC-like component. That is, if you can tolerate the alerts. Note, I have not tested Run By SmartScreen and cannot vouch for its effectiveness. Finally, neither SmartScreen version is going to detect APTs that run from memory.

    -EDIT- Regarding UAC, here is a POC for a fileless bypass of it: https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/ . Most important to note is the author's closing comment:

    This particular technique can be remediated or fixed by setting the UAC level to “Always Notify” or by removing the current user from the Local Administrators group.
     
    Last edited: Jan 17, 2017
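    The two UAC configurations discussed above, "elevate signed programs silently (block unsigned)" from the earlier post and "Always Notify" plus removing the user from local Administrators from the quoted remediation, both live in a handful of registry values. The PowerShell below is an added example (not code from the thread): it reads those policy values, reports the effective mode, checks whether the current account is a member of the local Administrators group (independently of whether the current token is elevated), and tests for the per-user `mscfile` handler key that the linked eventvwr.exe write-up describes as the hijack point. The mapping of numeric values to modes follows the documented UAC policy settings; the interpretation labels are my own wording.

```powershell
# Added example: audit the UAC settings the thread discusses. Read-only; run as any user.
function Get-UacPosture {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p   = Get-ItemProperty -Path $key

    $enableLua   = [int]$p.EnableLUA                    # 0 = UAC entirely off
    $adminPrompt = [int]$p.ConsentPromptBehaviorAdmin   # 0 silent, 2 always notify, 5 default (non-Windows binaries)
    $userPrompt  = [int]$p.ConsentPromptBehaviorUser    # 0 auto-deny, 1 prompt creds, 3 prompt creds on secure desktop
    $secureDesk  = [int]$p.PromptOnSecureDesktop        # 1 = prompts on the secure desktop
    $signedOnly  = [int]$p.ValidateAdminCodeSignatures  # 1 = only signed/validated exes may elevate ("block unsigned")

    $mode =
        if ($enableLua -eq 0)                                 { 'UAC disabled' }
        elseif ($adminPrompt -eq 2 -and $secureDesk -eq 1)    { 'Always notify' }
        elseif ($adminPrompt -eq 0)                           { 'Elevate silently for admins (no prompt at all)' }
        elseif ($adminPrompt -eq 5)                           { 'Default: prompt only for non-Windows binaries' }
        else                                                  { "ConsentPromptBehaviorAdmin=$adminPrompt" }

    # Group membership vs. elevation: a split-token admin is "in Administrators" even
    # when the current token is filtered, which is exactly the case UAC bypasses target.
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $inAdmins  = $id.Groups.Value -contains 'S-1-5-32-544'
    $elevated  = ([Security.Principal.WindowsPrincipal]$id).IsInRole(
                     [Security.Principal.WindowsBuiltInRole]::Administrator)

    # Per-user handler consulted by eventvwr.exe before HKCR (per the linked write-up).
    # It does not exist on a clean system; its presence is worth investigating.
    $mscHijack = Test-Path 'HKCU:\Software\Classes\mscfile\shell\open\command'

    [pscustomobject]@{
        Mode                    = $mode
        SignedOnlyElevation     = ($signedOnly -eq 1)
        StandardUserPromptValue = $userPrompt
        UserInAdministrators    = $inAdmins
        TokenElevated           = $elevated
        MscfileUserHandlerFound = $mscHijack
        Remediated              = ($mode -eq 'Always notify' -or -not $inAdmins)
    }
}

Get-UacPosture | Format-List
```

    `Remediated` reflects only the two conditions named in the quoted closing comment; a standard-user account with `StandardUserPromptValue = 0` additionally has elevation auto-denied, which is the "no UAC alerts at all" situation described earlier in the thread.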
  25. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I totally agree... UAC has come a very long way since Vista. You said it best: "With Vista UAC threw so many pop-ups my wife blindly clicked YES", and it still has that effect on people. I watch novices and average users all the time use their computer, and a good 90% automatically click "Yes" to the UAC prompts, without even reading the prompt. Believe me, if you saw this in person, it would make you cringe the same way it does me.
     