MRG Effitas 360 Degree Assessment & Certification Q4 2016

Discussion in 'other anti-virus software' started by itman, Feb 20, 2017.

  1. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    Please read up on what socially engineered malware actually is, since that is in fact the majority of what end users will face.
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Ref.: https://usa.kaspersky.com/internet-security-center/threats/malware-social-engineering#.WK8pLmAo5PY
    What are not SEM:

    1. malicious scripts that begin execution upon access to the web page.
    2. browser hijacks.
    3. drive-by downloads
    4. malicious ads on a web page.
    5. exploits
    6. access of a web page via search engine i.e. direct URL access
    7. SQL injection
    8. Cross-site scripting
    9. Brute force password attacks

    Etc., etc.
     
    Last edited: Feb 23, 2017
  3. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    Everything on that homemade list of yours can be part of socially engineered malware.
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I don't see how this is relevant. Malware is also capable of running inside LUA/SUA or whatever people want to call it. So Avecto can't simply say that these exploits are "mitigated" just because they assume that all malware need admin rights.

    OK, so on Win 8 it's crap? And yes, on Win 10 it's a lot better. But again, this test (from MRG) was about Win Defender and other AV's.
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    True. Ransomware is a good example, although it would only be able to encrypt files in standard user folders. However, most malware needs at least limited admin credentials to do any significant damage.
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    This article might explain standard user accounts a bit better. And yes as noted, privilege escalation from a SUA is possible; basically as is already known, nothing in Windows is "bulletproof":
    Ref.: http://www.tomsguide.com/us/standard-accounts-stop-malware,news-18326.html

     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    This article seems to have totally overlooked so-called "portable apps", which do not need to be installed. So you always need to use AE even inside LUA. BTW, I'm getting to see ads on that page, weird.

    https://en.wikipedia.org/wiki/List_of_portable_software
     
  9. guest

    guest Guest

    Indeed, however portable apps that need to do admin tasks still need elevation (depending on the chosen UAC level).
     
  10. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    There seem to be some misunderstandings in several posts above.

    The Avecto report has nothing to do with whether a program/malware can run with limited privileges.
    The Avecto report is about the consequences of all the vulnerabilities throughout the year.
    On a normal Admin account the vulnerability, when exploited, will own you if it's the right/wrong vulnerability.
    On SUA the vulnerability, when exploited, will keep the attacker stuck in limbo.
    No privileges = no tampering with OS, security, restrictions or anything else in place to protect.

    Next there's a link posted to an article that claims that privilege escalation from standard user accounts is known.
    The author of that article is confusing UAC bypasses with SUA bypasses.
    UAC bypasses are known, that is true.
    SUA bypasses would automatically be top priority on the first following OS update, since SUA is a clearly defined security boundary.
    So the author of the article must have been low on coffee.

    That the author was confused can further be seen from the mentioning of Chrome.
    Installing Chrome on SUA and running it has nothing to do with privilege escalation. It just runs with limited privileges.

    Finally there's a mention of portable apps being overlooked. This is in no way relevant, and certainly not overlooked.
    Run a portable app in SUA and it runs with limited privileges. It doesn't elevate on its own.
     
    Last edited: Feb 26, 2017
  11. guest

    guest Guest

    @Martin_C I agree with what you just said.

    SUA is used to limit privileges, as does Linux.
    The big difference is that Linux forces the user to run on a limited account (default account); MS's big mistake was to set the admin account as the default account.
    This mistake generated a lot of issues and is the Root of all Evil:
    - devs got used to programming their software to be run on admin accounts.
    - users got used to doing everything as admin because it is "simpler"

    From that, malware writers get their job made easier.
     
  12. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    @guest, I agree.

    Default Admin is a burden from the past. :(
    I really wish default SUA would be enforced.

    Sadly we all know that many end users refuse to accept progress.

    We all remember :
    A : "My icons are square now ? How can the world be so cruel. We will all cease to exist."
    B : "Icon shape doesn't matter. What matters is the underlying structure. Now every application is individually sandboxed and system access restricted."
    A : "?? ?? ?? ?? ?? My icons are square now ? How can the world be so cruel. We will all cease to exist."
    B : "Here are several links with documentation of the redesign of the OS, why it was needed and a walk-through of the huge security benefits it brings to all end users."
    A : "?? ?? ?? ?? ?? My icons are square now ? How can the world be so cruel. We will all cease to exist."

    :'(:'(
     
  13. guest

    guest Guest

    Exactly, you know on Linux forums I didn't see many people complaining about being on limited accounts; they looked for it, and this made Linux popular and safe.
     
  14. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    Yes, the Linux crowd is a different group of users.
    They generally don't fall victim to the tech-media driven hype/paranoia/click-bait nonsense, like many "User A"s from the general population that I mentioned in post #112 sadly do.

    These "User A"s often don't have a chance to know what is right or wrong, since the tech-media would rather release click-bait nonsense than realistic informative articles.
     
  15. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Below is an excerpt from this excellent article on privilege escalation: https://attack.mitre.org/wiki/Privilege_Escalation . In the article, you can click on the "system weakness" privilege escalation areas noted below for further detail:
    The really pathetic thing is that many of the above privilege escalation bypasses were so well known that the old Comodo leak test and the now defunct Matousec tests specifically used many of them for verification of proper third party HIPS configuration. Unfortunately, those tests are no longer valid since the authors never upgraded them to be functional for Win 8/10.
     
    Last edited: Feb 26, 2017
  16. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    Since posted quotes are apparently not being read before actually posting them, allow me to repost the important part of the quote made in post #115:
    And as already mentioned several times throughout the thread: SUA bypasses would automatically be top priority on the first following OS update, since SUA is a clearly defined security boundary.

    And :
    This has nothing to do with SUA.
     
  17. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Again for clarification about post #115, "Adversaries can enter a system with unprivileged access and must take advantage of a system weakness to obtain local administrator or SYSTEM privileges." What this article is about is existing Windows "system weaknesses" that can be exploited running under any account privileges.
     
    Last edited: Feb 26, 2017
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Wrong, in the report they assume that all malware needs admin rights, that's why they say "mitigated". The exploit itself is not stopped by SUA, but the malware might be stopped depending on whether it needs admin rights. But there is still plenty that can be done inside SUA, like for example spying, data-stealing or encryption.

    http://hexatomium.github.io/2016/02/16/lua-powers/

    The point isn't about elevation, but the article makes it look like you can't download and run apps inside SUA, which is false. For example, someone could send your teenage daughter some innocent-looking app, which turns out to be a keyboard and webcam logger. As said before, such an app doesn't need elevation, so I'm afraid SUA won't help.
     
  19. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    I reread the article and their methodology says:
    So SUA in reality doesn't mitigate the underlying vulnerability; it only lessens the impact a possible exploit could have on a system. To totally remove the vulnerability, a patch has to be applied.
    So the article title is misleading: vulnerabilities are not mitigated by using SUA (we wouldn't need updates if that were true), but the consequences of an exploit could be less severe if run under SUA.
     
  20. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    :thumb:

    The following automobile seat belt analogy might help.

    Wearing a seat belt (SUA) could minimize your injuries and save your life. On the other hand, if you have a major collision with a semi-tractor trailer (advanced malware), you're today's latest "road kill" (infected PC).
     
    Last edited: Feb 26, 2017
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes exactly, so it's very silly to say that exploits are mitigated. If they didn't make use of sandboxing and white-listing, I would call Avecto a complete joke based on this report, because it's misleading.

    https://www.avecto.com/defendpoint/
     
  22. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    I don't know their solutions so I can't comment on them.
    Their report doesn't show that there was any testing conducted. They performed only a statistical analysis of security bulletins released by MS, looking for a specific sentence to be present in the executive summary.
    The sentence "Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights" also doesn't say much about the impact of a specific vulnerability and how much SUA can restrain possible exploits.
    Don't get me wrong - I still endorse SUA usage, but this report is hitting mass media and readers reading it can come to wrong conclusions (such as "we are safe from exploits since we use SUA").
     
    Last edited: Feb 26, 2017
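To make concrete what the methodology described in the post above amounts to, here is an added illustration (not from the thread, the MRG Effitas test or the Avecto report): a classifier that scans constructed bulletin summaries for the "fewer user rights" boilerplate sentence and tallies how many would be counted as "mitigated by SUA". The bulletin ids and summary text are placeholders written for this example; only the boilerplate sentence itself is quoted from the post. A match only proves the sentence is present, not that any exploit was run under a standard user account.

```python
import re
from dataclasses import dataclass

# Sentence the text-matching methodology looks for in a bulletin's executive summary.
FEWER_RIGHTS_PHRASE = (
    "users whose accounts are configured to have fewer user rights on the "
    "system could be less impacted than users who operate with "
    "administrative user rights"
)

@dataclass(frozen=True)
class Bulletin:
    bulletin_id: str   # placeholder id, constructed for this example
    severity: str
    summary: str

def _normalize(text):
    # Collapse whitespace/newlines and lowercase so line-wrapped copies still match.
    return re.sub(r"\s+", " ", text).strip().lower()

def mentions_fewer_rights(bulletin):
    return FEWER_RIGHTS_PHRASE in _normalize(bulletin.summary)

def classify(bulletins):
    """Count bulletins per severity and how many carry the boilerplate sentence."""
    counts = {}
    for b in bulletins:
        entry = counts.setdefault(b.severity, {"total": 0, "fewer_rights": 0})
        entry["total"] += 1
        if mentions_fewer_rights(b):
            entry["fewer_rights"] += 1
    return counts

def percent_flagged(counts):
    """Share of bulletins the methodology would report as 'mitigated by SUA'."""
    total = sum(e["total"] for e in counts.values())
    flagged = sum(e["fewer_rights"] for e in counts.values())
    return round(100.0 * flagged / total, 1) if total else 0.0

# Constructed sample bulletins; the summaries are invented apart from the boilerplate sentence.
SAMPLE_BULLETINS = [
    Bulletin("MS-EXAMPLE-001", "Critical",
             "The vulnerability could allow remote code execution if a user opens a "
             "crafted file. Users whose accounts are configured to have fewer user "
             "rights on the system could be less impacted than users who operate "
             "with administrative user rights."),
    Bulletin("MS-EXAMPLE-002", "Important",
             "An elevation of privilege vulnerability exists in a kernel-mode driver. "
             "An attacker who successfully exploited it could run code in kernel mode."),
    Bulletin("MS-EXAMPLE-003", "Critical",
             "Remote code execution in the browser. Users whose accounts are\n"
             "  configured to have fewer user rights on the system could be less\n"
             "  impacted than users who operate with administrative user rights."),
]
```

Note that the Important-rated kernel driver bulletin is not flagged even though it is the kind of vulnerability that ends with SYSTEM privileges, which is exactly the distinction the text matching cannot make.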
  23. guest

    guest Guest

    Exactly, both.

    As I've kept saying for soooooo long, SUA (and by extension UAC) limits the impact of malware on the critical areas of the system. It is not designed to block all malware. Remember that malware doesn't pop up from nowhere on your system; the user gets it inside one way or another.
     
  24. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    One thing to take note of in my "seatbelt" analogy is the advanced malware statement. It is readily available today since the bad guys moved to the malware-as-a-service model.
     
  25. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    Yes, luckily at the moment most malware still requires admin rights (https://securelist.com/blog/software/76751/malicious-code-and-the-windows-integrity-mechanism/), so using SUA is somewhat of a "security through obscurity" approach. If more users switched to SUA, we could expect that malware would also be "configured" to work under SUA.
     