Do you disable UAC?

Discussion in 'other anti-malware software' started by Overkill, Mar 2, 2016.

Thread Status:
Not open for further replies.
  1. Night_Raven

    Night_Raven Registered Member

    Joined:
    Apr 2, 2006
    Posts:
    388
    Maybe because UAC was never designed as a security feature per se, even though it might appear to some people like one. Its purpose is to make using a combination of standard + administrator accounts easier and more convenient.

    Also, more information would overwhelm the average user.

    No one ever said UAC is the be-all and end-all of computer security. This is exactly why a lot of people use additional security products and why antivirus programs are considered a must for the average user regardless of UAC being turned on or off.
    In other words: why not use both?
     
  2. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    Unfortunately, HIPS alerts only make sense to a very small faction of security absorbed fanatics such as some members of security forums like this one. To the average user they mean nothing and are more of a nuisance than a benefit.

    Which is why you elevate to admin for only known installers you willingly obtain from known trusted sources and install. Anything that prompts for admin rights unexpectedly should be summarily denied.

    well that's one way of looking at it; the other is that HIPS delays the legitimate steps required to properly install on the system, in the process, annoying the heck out of those trying to install it while responding to an avalanche of pop-ups.


    So how would these same less knowledgeable people understand a HIPS warning, especially something along the lines of xyz123.dll is attempting to inject into process c:\Program file\abc987.exe?
     
  3. guest

    guest Guest

    UAC is a tool made to warn the user about privileges escalation made by a process/program. It was never designed to specifically stop malwares, but it can help prevent their execution.


    - For Average Joe, UAC is better than any cryptic HIPS which will scare him and make him choose the block button, then screw his system.
    - For happy clickers, nothing can protect them; they will click yes on UAC or HIPS for every shady softs, keygen and cracks.
    - For advanced users like us, members of security forums, UAC is not necessarily needed but it is another good tool in our bag.

    To bypass UAC you need several conditions not so easily accessible:

    https://www.greyhathacker.net/?p=796
     
  4. Thanks, nice read. So Rollback RX works good on Windows 10? Do you happen to have an SSD drive also?
     
  5. guest

    guest Guest

  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Because of the dumb UAC alert which doesn't give you info about why apps need admin access? :D

    Seems like you missed my point. This is not about expert vs standard user, it's about if it makes sense to present some alert or not. With security tools those alerts make perfect sense.

    That's why some form of white-listing should have been implemented. When you install a trusted app, no UAC alert is needed.

    You didn't read it correctly. I said: anti-exploit will auto block the attack.
     
  7. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,752
    Location:
    Toronto Canada
    I keep UAC enabled.
     
  8. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    @Rasheed187 You seem to be quite anti-UAC for someone who believes all bets are off with admin privileges. Did you happen to use LUA before it was introduced? Even disabled, you are still using UAC if you use an admin account (post Windows 8).

    In the end, you'll need a lot more supporters to reason with Microsoft. But I personally don't find UAC as terribly implemented as you do. And more are seeing that, although it is not ideal.
     
  9. guest

    guest Guest

    It does (or i didn't understand what you were saying.)

    Smartscreen (on Win8/8.1/10) is doing it via reputation but it is not linked to UAC.

    Let's say Smartscreen doesn't exist, how would you implement that? Hash? Certificates?
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I'm not against UAC, I'm against the way it's implemented. The point is that most people will click on "yes" when UAC pops-up. Because most of the time you will see it when you run software yourself. If you say "no", then apps won't install or won't run. There is no white-list option, plus it gives no info about why apps need admin access.

    Can you give me an example of an UAC alert that gives info about the specific modification that a certain tool needs to make?
     
  11. guest

    guest Guest

    UAC purpose is not to show you what modifications will be done, but just that a process ask for elevation. UAC is not an HIPS / BB / anti-exec or anti-malware ; most people mistaken and think it is but UAC is just a privileges escalation blocker.

    Now many malwares need higher privileges to do their nasty stuff , hence trigger UAC. it is why people think it is an anti-malware tool; but UAC is not , the proof is that it kicks-in for any processes , suspicious or legit.
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes I know, and to me it would have made more sense if UAC acted more like a security tool. But since it doesn't, I consider it to be a useless feature, especially because of the way it's implemented. And to clarify, I'm speaking specifically about UAC, I don't believe that related technologies like the "Integrity Levels" feature are useless.
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    To give some more info:

    Problem 1: There is no way to white-list tools that require admin rights to function correctly, like Process Explorer and AutoRuns.

    Problem 2: There is no way to white-list apps that you want to install. Don't forget, all app installers need admin rights, this is not logical.

    Problem 3: Instead of alerting about apps that truly need admin rights, UAC will alert about all app installers, simply because "Program Files" is not accessible for non-admins.

    Problem 4: UAC doesn't give any info about what modifications some app wants to make. So people won't understand why some app needs admin rights, and will not think twice about elevating.
     
  14. guest

    guest Guest

    Have you done some malware "testing"? If you did, you would have observed that many of them ask for privileges elevation (the rest are those specifically designed to bypass UAC in specific conditions, posted earlier in the thread). For me it is not a "useless" tool; it does what it is supposed to do. Now you have to understand that Windows security features are made to work with each other:

    Smartscreen , UAC , Windows Defender are related and works in cooperation. That is why you will surely never see UAC becomes something you like it to be , the whitelisting is supposed to be done before UAC kicks-in by either Smartscreen or Windows Defender.

    Taking UAC as a standalone component is wrong, now put it alongside the other Windows security features , and then you can see its reliability. I dont even mention LUA and other registry tweaks to ban unsigned executables to run (which is 90% of malwares).

    Of course, you may say that Windows built-in security is not strong enough, compared to 3rd party security softwares, that may be true for the Home version but now if you have the Enterprise version, you gain Applocker, Bitlocker, Device Guard, Group Policy, and many other stuff to lockdown the system very tightly. I had a friend that customized his system in a way he doesn't need any security softs. He just uses what Windows offered him. Sure, not everybody (especially me, I wish I could :p ) can afford Win10 Enterprise...
     
  15. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    You must not believe in Microsoft's definition of UAC then... I think it'd be a lot clearer if you just said "UAC prompts are useless" instead of just "UAC is useless".
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I don't know why people keep bringing this up, like it's some ground breaking news? Yes of course most malware need admin rights, but if you're about to install some tool, you probably already trust it and will elevate rights.

    I don't even use crap like Win Defender and SmartScreen, there are way better solutions. The end conclusion is, if you're using security tools, you don't need to keep UAC enabled.

    Yes, I guess so.
     
  17. guest

    guest Guest

    Not at all. Did you read about those legitimate sites hacked and distributing exploited apps. Some apps aren't supposed to need elevation.
    Let's say you download a famous media player you were used to installing (which is not supposed to get higher rights) and you have UAC disabled, then the site was hijacked a few hours ago and the installer packed with a FUD RAT, hence evading your security tool.
    Now how can you tell without UAC that this player is asking elevation rights?


    That is your point of view , Windows defender/smartscreen are far from being bad; not the best but surely not crap. Not saying most users aren't aware like us about security softs.


    I think you are wrong, some malwares may disable your security tools even easier than disabling UAC (which require certain specific conditions).

    And i repeat again and again, UAC is not an anti-malware tool and can't be compared to them.
     
    Last edited by a moderator: Mar 12, 2016
  18. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    No, @Rasheed187 - that is not the end conclusion.

    The end conclusion is that every single time that a new thread about UAC is posted on Wilders, then you post precisely the same confused statements about UAC where you continue to mention HIPS.

    First of all, UAC and HIPS has NOTHING to do with each other.
    Second, classic HIPS was popular ten years ago and absolutely nobody cares about them in 2016.

    Next I will repeat my own answer to you from the last time UAC was discussed in yet another Wilders UAC thread :

    UAC was introduced to lessen the burden of running with reduced rights.

    If a user or developer still in 2016 has not accepted the benefits of reduced rights, then I don't think it's the OS that has issues.

    And finally, being active in the right forums outside Wilders will make one aware of some of the most dedicated researchers in this area, and thereby knowing just how much acknowledgement Microsoft receives due to how many kernel improvements that are being implemented.
    Every new Windows 10 build raises the bar further.

    It's quite impressive.
    Ways to bypass UAC are getting squashed across the board, new methods are rare, complicated and also getting squashed.
    And even more important - in every single post/report about a UAC bypass I have ever seen, the researcher comes to the exact same conclusion every single time : Set UAC to max and use a standard user account and all UAC bypass methods are effectively blocked.

    When the people who are actually hammering at the kernel on a daily basis repeatedly comes to that conclusion, then I see absolutely no reason to question UAC's effectiveness.
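
A configuration check for the "set UAC to max and use a standard user account" conclusion in the post above, as an added example that is not part of the thread. The registry value names are the documented UAC policy values; `audit`, `read_policy`, the `--admin-account` flag and the sample data are constructed for illustration.

```python
import sys

POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
NAMES = ("EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop")
ADMIN_PROMPT = {  # documented meanings of ConsentPromptBehaviorAdmin
    0: "elevate without prompting", 1: "credentials on secure desktop",
    2: "consent on secure desktop (slider: Always notify)",
    3: "credentials", 4: "consent",
    5: "consent for non-Windows binaries (Windows default)",
}
STRICT = (1, 2)  # both prompt on the secure desktop for every elevation

def read_policy():
    """Read the live values from HKLM (Windows only)."""
    import winreg  # Windows-only standard-library module
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, POLICY_KEY) as key:
        for name in NAMES:
            try:
                values[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                pass  # value not set; audit() reports it
    return values

def audit(values, account_is_admin):
    """Return findings; an empty list means UAC at max on a standard account."""
    findings = [f"{n} is not set, cannot confirm it" for n in NAMES if n not in values]
    if values.get("EnableLUA") == 0:
        findings.append("EnableLUA=0: UAC is disabled")
    level = values.get("ConsentPromptBehaviorAdmin")
    if level is not None and level not in STRICT:
        findings.append(f"ConsentPromptBehaviorAdmin={level}: "
                        f"{ADMIN_PROMPT.get(level, 'unknown value')}")
    if values.get("PromptOnSecureDesktop") == 0:
        findings.append("PromptOnSecureDesktop=0: prompt shown on the user desktop")
    if account_is_admin:
        findings.append("daily account is a member of Administrators")
    return findings

# Constructed sample values, not read from any real machine.
SAMPLES = {
    "Windows default": ({"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5, "PromptOnSecureDesktop": 1}, True),
    "max, standard user": ({"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 2, "PromptOnSecureDesktop": 1}, False),
    "never notify": ({"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 0, "PromptOnSecureDesktop": 0}, True),
}

if __name__ == "__main__":
    if sys.platform == "win32":  # account type is supplied by the operator
        SAMPLES["this machine"] = (read_policy(), "--admin-account" in sys.argv)
    for label, (values, is_admin) in SAMPLES.items():
        print(label, audit(values, is_admin) or ["matches the recommendation"])
```
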
     
  19. guest

    guest Guest

    Exactly


    Indeed

    Happy to see i'm not the only one defending UAC , i start to get tired explaining what is UAC :p
     
  20. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517
    Totally agree. Even for a security enthusiast, those messages do not readily make any sense.
    UAC on the other hand does give you an easy and clear way of making a decision whether or not you should allow a program elevated privileges.
     
  21. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,347
    Location:
    Europe, UE citizen
    No confusion. The point is: UAC only alerts that an application needs admin rights, HIPS monitor the whole system and what happens, report all activities and protect the system. Obviously no match between UAC and HIPS security and protection capacity.

    Not true. Common users, those that open all emails attachment, use as password " password " or 1234 etc.... don't care HIPS, but aware users consider them one of the most important element of their security. And common users probably when UAC alerts them push yes exactly as they push next...next ... in every installing process :D
     
  22. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,432
    Location:
    Slovakia
    I have mine set to max, it is pretty much the only thing, that protects my computer, I solemnly rely on it.
    It can be bypassed with the help of powershell and windows scripting host, both can be disabled, then the UAC will firmly hold the ground. :thumb:
     
  23. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,365
    Location:
    Italy
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I'm afraid you're the one who is confused. My point is that if UAC worked like a "dumbed down" HIPS, the UAC alerts would have made more sense. And what is the idea behind running with reduced rights? To protect against malware that need full rights. But if you're worried about this, simply use AV + anti-exploit, these are both designed to block execution of malware both on LUA and admin account. Not all malware need admin rights, see this: http://hexatomium.github.io/2016/02/16/lua-powers/

    And I'm getting tired to explain that I do understand the idea about UAC, but I'm trying to come up with ideas in order to improve it, and make it less annoying. What did you think about post #91?

    https://www.wilderssecurity.com/threads/do-you-disable-uac.384223/page-4#post-2571846
     