http://blog.jpcert.or.jp/2015/02/a-new-uac-bypass-method-that-dridex-uses.html Yup, another one ! AntiExe's & Explorer injection prevention Apps, will help block these type of nasties. So even my trusty old ProcessGuard is still valid !
Well UAC is not bulletproof, but it still protects against more then 90% exploits, that is better, that what Windows Defender does, or does not.
UAC even at max (Always Notify) will only notify against malware that requests elevated privilege (Administrator-level privilege). As the vast majority of malware never request such elevation, UAC is not useful against them. One should understand that UAC at max will in the majority of cases provide only a false (and inconvenient) feeling of security than providing any real world protection.
UAC doesn't consist security boundary, nor even security feature. But it brings some security "as a consequence" by encouraging use of LUA for both of dev & user. Tho there're many user mode malware, still what they can do are limited compared to kernel mode malware or malware with admin privilege. Also if more devs avoid giving unnecessary privileges for their apps the damage when those apps are exploited will be smaller. I saw some people regard UAC as a kind of HIPS, which definitely wrong. You shouldn't solely rely on UAC, it can't be comparable to HIPS nor meant to protect vital areas from alteration by itself. Integrity level itself also doesn't consist security boundary. As to inconvenience, on Linux I have to type password when I use sudo, but the difference is Linux can temporary remember it so I don't need to type password every time, but as my setup don't require me to type it 10+ times a day on average so I don't feel any inconvenience so far.
I agree, but this thread is about a method to bypass UAC, not about malware that never request elevation. And in this case, setting it to max solves the given problem.
I agree with this, the reason why I mentioned "HIPS vs UAC" in some other thread, was because I felt a certain member was implying that it was a good alternative to HIPS, but that doesn't make any sense.
I've read that if you set UAC to the highest setting (Always Notify), pretty much all malware will be stopped if it tries to auto execute. Does anyone know if that's true?
Not for the Windows 10 Upgrade bypass: https://www.wilderssecurity.com/thre...-uac-bypass-via-win10-upgrade-app-gwx.377118/
Pretty much yes, because most users either use it at default setting or they turn it off. It has been proven to stop various malware over the years.
