UAC, SmartScreen & False Positives

Discussion in 'polls' started by VoodooShield, Jan 14, 2017.


When UAC or SmartScreen blocks an item, should that be considered a false positive?

  1. No

    37 vote(s)
    88.1%
  2. Yes

    5 vote(s)
    11.9%
Thread Status:
Not open for further replies.
  1. guest

    guest Guest

    It depends what the application wants to do.
    "requireAdministrator"-manifest = UAC-prompt
    "asInvoker"-manifest = no prompt
    "asInvoker"-manifest, and the application wants to install a driver = UAC-prompt
    "asInvoker"-manifest, and the application wants to copy files to C:\Program Files\ = UAC-prompt
     
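The manifest levels listed in the post above decide only what happens at launch. As an added example (not part of the thread), this Python sketch reads `requestedExecutionLevel` from an application manifest and reports whether starting the program from a non-elevated session raises a UAC prompt. The sample manifests and function names are constructed, and `highestAvailable` is a third level the post does not mention.

```python
import xml.etree.ElementTree as ET

# Constructed manifests for illustration; not taken from any real application.
TEMPLATE = """<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security><requestedPrivileges>
      <requestedExecutionLevel level="{level}" uiAccess="false"/>
    </requestedPrivileges></security>
  </trustInfo>
</assembly>"""
NO_TRUSTINFO = '<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"/>'


def requested_level(manifest_xml):
    """Return the declared execution level, or None when the manifest has none."""
    # The stdlib parser is not hardened against hostile XML; use a hardened
    # parser when triaging manifests pulled from untrusted binaries.
    root = ET.fromstring(manifest_xml)
    for element in root.iter():
        # Compare local names only: trustInfo is seen under asm.v2 and asm.v3.
        if element.tag.rsplit("}", 1)[-1] == "requestedExecutionLevel":
            return element.get("level")
    return None


def prompt_at_launch(manifest_xml, user_is_admin=True):
    """Classify launch-time UAC behaviour for a non-elevated caller, UAC enabled."""
    level = requested_level(manifest_xml)
    if level == "requireAdministrator":
        return "prompt"
    if level == "highestAvailable":
        # Only an account that holds an admin token has something to elevate to.
        return "prompt" if user_is_admin else "no prompt"
    if level == "asInvoker":
        # No prompt at launch; a later privileged action (driver install,
        # write to C:\Program Files\) still needs a separate elevation.
        return "no prompt"
    # Nothing declared: Windows falls back to its own heuristics.
    return "undeclared"


if __name__ == "__main__":
    for level in ("requireAdministrator", "highestAvailable", "asInvoker"):
        print(level, "->", prompt_at_launch(TEMPLATE.format(level=level)))
    print("no trustInfo ->", prompt_at_launch(NO_TRUSTINFO))
```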
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Don't worry Dan, I know exactly what you mean, we're on the same page. Last year I had this huge discussion about why UAC in its current state (no white-listing) is useless to me and probably to a lot of other people, both experienced and regular users. So I'm not going to respond to the people who think that UAC is important in terms of system safety.

    Yes exactly, the fact that some app requests admin privileges, doesn't tell me anything about whether it might be malicious or not. What people forget to mention, is that ALL app installers require admin access. And some tools like Process Explorer make use of dynamic driver loading, that will also trigger a UAC alert.
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes exactly, what's far more important than LUA and UAC, is making sure that malware never gets to run on your system. Before you install or run some app, you always make sure that it's safe with the help of some form of AV (signature-less or not). If the app is clean, you are going to allow it, so no need for a UAC alert. Of course you can also get infected via exploits, and we all know that anti-executable/exploit and sandboxing are very effective in stopping exploits, these tools are way more important than LUA/UAC, so UAC is not worth the hassle to me.
     
  4. THE PROBLEM WITH UAC IS THAT IT DOES NOT BUILD A WHITELIST

    IT HAS THE SHORT TERM MEMORY OF A CRACK ADDICT AND THE LONG TERM MEMORY OF A RETARDED 100 YEAR OLD
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
  6. guest

    guest Guest

    Because you use a HIPS. UAC wasn't made to take into account whether the user has 3rd party security software or not; it was made to give every user the possibility to allow or block elevation.
    I'm sure you would enable UAC if you didn't have any 3rd party apps.
    "It is not because you are in a tank that seatbelts are useless... because there are cars too..."

    Of course it doesn't... it wasn't made to detect malware like a scanner would... only to block elevation. Some people regard UAC as a malware blocker, because malware often asks for elevation... but that is not its purpose, just a consequence of its purpose.
    Is it so hard to grasp?

    Of course, because in both cases there is a change to the system... which falls within UAC's monitoring field.

    Both Dan and you wrongly keep considering UAC as a malware blocker of some sort... it is not, it is just an elevation blocker, nothing else; once you get it, maybe you will stop saying it is useless.
    Useless means without purpose and use, which is not the case for UAC; it has its purpose and use.

    I don't like anything making changes to my system without my permission, whether it is legit or not, so I'm glad UAC is there.
     
  7. :argh: LOL reason
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    No, we understand that UAC has a purpose, because without it, running in LUA would be pointless. What we are saying is that LUA/UAC is not important to us, when it comes to keeping the system safe. What you seem to forget, is that LUA/UAC was mainly invented as a way to protect the system against exploits. So if you're worried about exploits, use anti-exploit and sandboxing, which tackles exploits/malware in an early stage, no matter if malware needs admin rights or not.

    And for the 1000th time, if you install some app you already know it needs admin rights, otherwise it can't be installed. If it's a portable app, it may or may not need admin rights, but only HIPS can tell you why it needs admin rights. The reason WHY some app needs admin rights is crucial to know, with that I mean, you need to know what type of modification will be made to the system. So this is the reason that UAC is pointless to me, it's not an important layer to me, in fact it's freaking annoying.
     
  9. guest

    guest Guest

    SUA/LUA was made to protect from malicious or accidental changes to the system files and settings, and to protect a user account's files from being accessed by another user; not only to protect against exploits.

    The keyword is changes.

    Think again about Average Joe: does he know what a sandbox is, what an anti-exploit is? Hell no! They don't even know about exploits. We know because we are on security forums, but Average Joe isn't. So UAC ultimately protects them to some extent if they are a bit careful about what they do.


    You still don't get it, right? Or do you like to argue? UAC is here to block unwanted elevation and changes to the system; installation is a voluntary change! What in that can't you understand... I can't say it more simply! Even a kid understands this...
    If you install something, you are supposed to know what you are installing and it is supposed to be safe.

    Annoying or important is only a matter of opinion; it doesn't mean useless. As I said above, it is not because you don't need it that it becomes useless... you seem too dependent on your BB/HIPS or whatever.


    To sum up simply: UAC's purpose is to block UNWANTED elevation. That is it.

    Anyway, if after what I just said you still oppose those facts, I can't do much anymore.
     
    Last edited by a moderator: Jan 21, 2017
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    LOL, it's you who doesn't get it! We're currently not talking about the need to restrict other people, of course you need LUA for that. But we're talking about LUA/UAC as a tool to keep the system safe. According to you it's an important layer, according to other people it's not. What's so hard to understand about that? Speaking of Average Joe, they will for sure click on "yes" every time, otherwise they can't install software! So do you really think they even bother to think about if it's normal for apps to request admin rights?
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    In case people still don't understand, I will try to explain. These scenarios are based on a one-user machine.

    Scenario 1:

    LUA/UAC as protection against exploits: malware gets loaded via exploit, and if it doesn't need admin rights, you're out of luck. If it needs admin rights, you might see some UAC alert. If it uses code execution + privilege elevation, then you probably won't see a UAC alert. Anti-exploit will simply block malware from running at all. A sandbox will let malware run in a virtual sandbox with low privileges, so it can't do any damage. It might even interfere with certain types of privilege elevation exploits.

    Scenario 2:

    LUA/UAC as protection against user installed (manual) malware: this is non-existent, since all app installers need admin rights, so you have no choice but to click on "yes". If portable apps (that don't need to be installed) ask for admin rights, it might be fishy, but how to know why it needs these rights? So the only way to stop manual malware is with tools like AV (with AI or not) and HIPS/behavior blocking, they will inspect apps both pre-execution and post-execution. No need to see some useless UAC alert.
     
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    In regards to the purpose of UAC, Microsoft TechNet describes it best:

    Practical applications

    Admin Approval Mode in UAC helps prevent malware from silently installing without an administrator's knowledge. It also helps protect from inadvertent system-wide changes. Lastly, it can be used to enforce a higher level of compliance where administrators must actively consent or provide credentials for each administrative process.


    Ref.: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/user-account-control-overview
    A couple of key phrases to note: "silently installing" and "inadvertent system-wide changes."
     
  13. guest

    guest Guest

    Do I need to draw pictures or what?...

    Installation is WANTED elevation! UAC's purpose is supposed to be to alert about & prevent UNWANTED elevation!!

    If they happy-click, whose fault is it? Surely not UAC's. It is the user's fault.

    As @itman quoted.

    Do you get it now?

    Why do you mention HIPS and sandbox all the time? We are talking only about UAC and its relevance. Do you think Average Joe will use them? I don't think so. Most have no clue about security, some can't handle UAC, so how can they handle HIPS? These are security geek tools, nothing else.

    Of course HIPS/sandboxes provide better protection; they are made to alert on everything or isolate everything; but this is not the topic; we aren't comparing UAC against 3rd party security tools... we are talking about UAC's usefulness as a Windows mechanism, assuming you don't use other security apps.

    You are off-topic.

    LUA/UAC is about alerting on unwanted silent elevation; this scenario of yours talks about wanted elevation, so it is irrelevant.

    Take VLC portable: if it asks for admin rights, this is fishy, because a player has no reason to make system changes. You need to do some research beforehand to evaluate the requirements of the said apps. Things that most users won't do because of carelessness and laziness.

    You don't need to be dependent on a HIPS to know what a program tries to do.

    About malicious stuff, you still have Windows Defender, SmartScreen, etc... did you forget them?

    On Win8-10, UAC is now part of a set of mechanisms; if the file is malicious, SmartScreen and WD should pop up even before UAC.

    Honestly, if you don't understand by now what I am saying, I will stop replying to you, because it means you are closed to anything that differs from your point of view.
     
    Last edited by a moderator: Jan 22, 2017
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Seriously, this is getting ridiculous. I have already explained that I'm talking about LUA/UAC vs security tools, in other words, which one is more important, when you need to keep a system safe. You say you should use them both, I say that people can stay safe even when running as admin. How many times do I need to explain this?

    The examples that I gave explain why I believe that LUA/UAC is not that important, both for experienced and regular users, even though most "security experts" will disagree. Again, I'm talking about a scenario where you're the only user, so no need to restrict other people. It's not worth the annoyance, especially when I know I can stay safe as ADMIN. No offense, but that you can't understand such a simple thing is a bit shocking to me.
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    That's my point, 99% of the time when you get to see a UAC alert it's going to be wanted. So does it make sense to annoy people with these alerts on a one-user system? Even worse, you can't even white-list apps! Plus, elevation of rights doesn't tell me anything about the intention of some app, perhaps it simply tries to write files to "Program Files"? But according to you it's crucial to see UAC alerts. Well, that's fine with me.

    Average Joe doesn't know if it's fishy or not, especially because they are trained to click on "Yes". Average users also don't know the difference between installers and portable apps. And to clarify, my comments are about LUA/UAC being crap, obviously you can not say that UAC alerts should be considered to be false positives, that doesn't make any sense.
     
  16. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Well if a person doesn't like UAC, then do a bypass of it. As @Windows_Security pointed out to me, everyone on Wilder's knows how to do that.

    However my opinion is if a UAC bypass is employed, it must be initiated and controlled by the user; not by some third party security software deciding what and what not should be bypassed.
     
  17. Last edited by a moderator: Jan 23, 2017
  18. guest

    guest Guest

    So you are very off-topic (at least in this thread) ;)

    We all know that 3rd party security software is more efficient, because it is made for blocking malware; UAC is just for blocking elevation...

    Yes, because not everybody uses HIPS-like security apps like you. For example, if I use Shadow Defender to test an unknown/suspicious app (portable apps, supposedly safe keygen, etc.), and the said app asks for elevation, if I disable UAC, how do I know the elevation was requested? By looking in a crystal ball? :rolleyes:

    Yes, with security apps, but we are talking here about UAC's usefulness without security apps. Just UAC and SmartScreen (plus Windefender for those on Win8/10).

    You are always comparing UAC with the security apps you are using, so it is just your system; who cares how your system is set up.
    We are talking about the general usage of UAC that most people will encounter (aka people without 3rd party software) and your setup example isn't one of them.

    Now answer me on this:
    - Remove all your security apps, just use the barebones Windows built-in security features like Average Joe will have; let's say you share your computer with your wife or kids: will you enable UAC or not?


    If you like, you can create your own thread like "If I have a HIPS, do I need UAC?"; then all your previous points will be on-topic and valid.
     
    Last edited by a moderator: Jan 22, 2017
  19. guest

    guest Guest

    exact
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    No, I'm not off topic, because I responded to Dan's question about why it's so important to know if some app needs elevation. Regardless if you're running security tools or not. According to both Dan and me, it's not that interesting.

    Also, funny how you didn't respond to my question. Again, if 99% of the time the UAC alert is expected, is it really worth keeping it enabled for the 1% of the time that it's not expected, for example during some exploit attack? And I'm not talking about malware testing, of course most malware will request elevation, so no wonder you're going to deny it, because you already know it's malware.

    Didn't I already explain that LUA is needed to restrict other people? But why wouldn't I use security tools? You're not making any sense. And I don't know why you think that most average users are not using any security software. Almost all noobs that I know use at least some free AV. My advice to them is: if you're annoyed with UAC, just turn it off, because the chance of it saving the system is minimal.
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I'm not sure what you mean with this, what is there to bypass? To clarify, on Win XP I always ran as ADMIN, then I switched to Win 8 and the first thing I noticed is how annoying it is to run as protected admin with UAC enabled. Again, not worth the hassle. Do you really think I'm going to click on "yes" every time I need to install software, or when I need to run some app that needs admin rights?
     
  22. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
  23. guest

    guest Guest

    OK, because you are a Formula 1 pilot you don't need the basic security belts in your family car... sounds smart :thumb: /sarcasm

    Yes it is. So you don't use condoms because you think the 1% chance of getting HIV is not risky? Sounds smart again to me.

    I asked you about the case where you don't have any security apps; just answer Yes or No: would you enable it in that case?
    Funny how you evade answering this simple question, because you know you will enable UAC, you said so in some other thread... because your beloved HIPS will not be there to support you anymore, you won't be able to tell anymore what the unknown app is trying to do, and obviously this will lead you to enable UAC because it is better than having nothing.

    Because I had to fix their computers all the time due to my previous job; I had some experience with Average Joes. That is why I can't let you say that UAC is useless; after I explained to them how to behave with unknown executables and when they get the prompts, I never saw serious infections again from them.

    Ummm, so if you are annoyed by 3 prompts a day, better to disable UAC and use a HIPS or BB that will give you 20+ prompts! Very funny. :argh:

    Anyway, we'd better stop this discussion; you are totally impervious to UAC for some reason I don't know, so it will lead to nothing. Even Dan agreed with me to some extent that UAC has its usefulness but only needs to be enhanced.

    I'm done with this discussion.
     
  24. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    98,010
    Location:
    U.S.A.
    And So Are We. Thank You All For Participating!
     