Do you disable UAC?

Discussion in 'other anti-malware software' started by Overkill, Mar 2, 2016.

Thread Status:
Not open for further replies.
  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    LOL, only some form of HIPS would protect against this.

    Yes exactly, and people forget that when I say HIPS, it doesn't necessarily mean it will bombard you with alerts, nowadays they got auto-blocking features like safe banking, anti-logger (keystroke encryption) and anti-exploit.
     
  2. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,795
    I am not going to touch on the purpose of UAC...that topic has been beaten to death. More importantly though, users need to realize that disabling UAC disables more than just the prompts.

    There are other ways to deal with the "annoyance" factor...

    1. One can enable the built-in admin (with UAC disabled) and use that only for admin-intensive activities when offline.

    2. There's the task-scheduler trick to create UAC-promptless shortcuts for selected programs on the default AAM account.

    3. One can use an elevated launcher (only 1 UAC prompt at the start) to launch other programs without UAC prompt. If even 1 prompt for the launcher itself is unacceptable, you can use RunAsRob to remember the password. Look up MrBrian's detailed posts on these.

    https://www.wilderssecurity.com/thre...-standard-account-when-uac-is-enabled.280471/

    https://www.wilderssecurity.com/thre...program-with-admin-privileges-without.359206/

    Wilders members...if you guys can keep up with HIPS, configuration, updating these programs from time to time to fix bugs/incompatibilities, this is a piece of cake/walk in the park in comparison.
     
  3. guest

    guest Guest


    I see with these 2 problems, you are annoyed about the repeated prompts about legit apps you may use or install. I can understand that. It can be done if MS would link UAC with the reputation system used by Smartscreen; now why they don't do it is the question.

    With this, we start to get closer to an anti-exe or HIPS. Maybe MS just want UAC to be an elevation blocker, nothing else.

    There is the behavior of an HIPS/BB/anti-exe; in that case many basic users won't even understand the alert and may block a legit access process fearing an infection, then complain why the soft they downloaded is detected.
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I believe this doesn't happen on Win 8, UAC stays active in the background, but apps will auto-elevate. I think M$ should have taken care of the annoyances, and I didn't like the third party fixes.

    http://www.brianbondy.com/blog/140/...-disabled-with-process-integrity-in-windows-8

    Well, someone already made a similar comment (about UAC alerts), but the point is that if we already have to deal with that stuff, the last thing I need is having to deal with UAC which provides virtually no security whatsoever.
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes obviously, but perhaps my "dumbed down" HIPS idea wasn't even feasible, because I just realized that UAC only processes the elevation request, it doesn't even know why some apps need admin access. But I'm sticking to my main points:

    1. Malware doesn't even need admin rights to do damage.
    2. No white-listing options makes UAC too annoying.
    3. People will click on "YES" when UAC presents an alert, 9 out of 10 times.
    4. Malware can bypass UAC, this has been proven several times.
    5. So you might as well turn UAC off, and rely on security tools.
     
    Last edited: Mar 14, 2016
  6. guest

    guest Guest

    I don't yet see any malware bypassing LUA with UAC at max.

    UAC at default = weak defense. I can say the same with security tools. Nothing should be left at default state.
     
  7. I test malware on a daily basis, and can tell you in Windows 10, SmartScreen is not even close to being useless. I literally have to allow a sample past it almost every time I execute them; maybe once in a blue moon one will execute and bypass it, but guess what, when that happens, usually UAC grabs it. I understand your preference, but do not condone you calling it useless. If you were to test it yourself, you'd find it is far from it. Last I'm going to mention in this thread on this subject, because debating this with some is much like trying to clap with one hand.
     
  8. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    UAC is on, set at MAX, LUA, Smartscreen is on.
     
  9. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    1,139
    PM if you can, just have a few questions about that setup.
     
  10. hjlbx

    hjlbx Guest

    On W8.1 64-bit I tested (2) versions of Cerber ransomware. UAC set to default. In both cases, UAC (consent.exe) was triggered when the Cerber process executed cmd.exe.

    In fact, consent.exe was caught in an endless loop; at the UAC prompt select "No" and another UAC alert would reappear within a few seconds.

    The only way to break the endless UAC loop was to use CTRL + ALT + Delete and select Task Manager. It sometimes took quite a few tries, but eventually it would suspend the UAC loop and the Cerber-initiated processes could be terminated using Process Explorer\Hacker.

    If it weren't for UAC, Cerber would have smashed the system. It gave me time to formulate a strategy to deal with the malware processes.

    UAC has value - despite the fact that it isn't 100 % bulletproof.

    Against malware I will utilize all available mitigations...
     
  11. guest

    guest Guest

    Good to know. In the article, Cerber looked very scary; but in fact it is just basic malware. As I said (and some others here and there), UAC used by a cautious user is a decent and useful tool. In the hands of a happy clicker even the strongest tool is useless against attacks.

    100% agree with this.
     
    Last edited by a moderator: Mar 15, 2016
  12. hjlbx

    hjlbx Guest

    Built-in OS protections are the easiest to deal with since they're very well optimized for the system... so why not use all of them?
     
  13. guest

    guest Guest

    Yep, not saying they are the only ones that work correctly at kernel level; whereas other 3rd-party tools have to put in hooks and other shady workarounds, creating new attack vectors if exploited.
     
  14. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    What else does it disable?
     
  15. guest

    guest Guest

    Protected Mode for IE and Protected View for Office when files downloaded via browsers have the MOTW (Mark Of The Web);
     
  16. khanyash

    khanyash Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    2,429
    That's important info there. Thanks for the info.
     
  17. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,367
    Location:
    Italy
    Try using the registry setting:

    "Validate Admin Code signatures"

    set to 1.
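    Added example, not part of the thread or any poster's instructions: a read-only PowerShell audit of the UAC policy values discussed above (EnableLUA, the "max" slider position, the secure desktop, and the ValidateAdminCodeSignatures value the post refers to). It assumes the policy values live in the standard HKLM policy key and that "max" means prompt-for-consent on the secure desktop; it changes nothing.

```powershell
# Added example: audit the UAC posture the thread discusses. Reading HKLM needs no admin rights.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Target values for "UAC at max" plus the signature check (assumption: this is what
# the posters mean by "max"; 5 is the Windows default for ConsentPromptBehaviorAdmin).
$wanted = [ordered]@{
    EnableLUA                   = 1   # 0 turns UAC off entirely (and, per the thread, PMIE / Protected View)
    ConsentPromptBehaviorAdmin  = 2   # 2 = prompt for consent on the secure desktop; 0 = elevate silently
    PromptOnSecureDesktop       = 1   # dimmed, isolated prompt that a normal window cannot overlay
    ValidateAdminCodeSignatures = 1   # only elevate executables with a validated Authenticode signature
}

function Get-UacPosture {
    $props = Get-ItemProperty -Path $uacKey
    foreach ($name in $wanted.Keys) {
        $actual = $props.$name
        if ($null -eq $actual) { $actual = 'missing (OS default applies)' }
        [pscustomobject]@{
            Setting = $name
            Actual  = $actual
            Wanted  = $wanted[$name]
            Ok      = ($actual -eq $wanted[$name])
        }
    }
}

$result = Get-UacPosture
$result | Format-Table -AutoSize

$enableLua = ($result | Where-Object Setting -eq 'EnableLUA').Actual
if (@($result | Where-Object { -not $_.Ok }).Count -eq 0) {
    'UAC posture matches the "max" configuration.'
} elseif ($enableLua -eq 0) {
    'UAC is disabled: elevation prompts, IE Protected Mode and Office Protected View are all off.'
} else {
    'UAC is on but below the "max" posture; see the Ok column.'
}
```

    Changing EnableLUA requires administrative rights and a reboot before it takes effect, so the audit only reports the values currently in the registry.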
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    When I say "useless" I'm talking about the UAC alerts. If you think that Win Defender is great it's cool with me, but I think there are better choices. And I agree about the debating comment, just look how many times I have to repeat myself to get my point across.

    The point is that in general UAC won't help to prevent malware from running on your system. There are 2 ways to get infected:

    1. By exploit.
    2. By user run/install.

    When it comes to 1, if malware doesn't need admin rights or is able to bypass UAC, you will never get to see the alert. If you do get to see it, you have to be a trained user in order to recognize that you're being attacked.

    When it comes to 2, if you download some app, and the AV says it's clean you will allow it to elevate. Let's say it doesn't require installation and UAC still pops up, how would you know whether it's normal that this app requires admin rights?
     
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Wasn't it you who said that UAC isn't meant to be a security tool? There is no need to compare them, because it isn't even a fair contest. And those "shady hooks" are mostly a thing of the past since Windows 64-bit with PatchGuard was introduced. It's most likely easier to bypass a UAC alert than to bypass or exploit a good quality security tool.

    This doesn't happen on Win 8 and 10, it stays active even with UAC in silent mode (disabled), if I'm correct.
     
  20. hjlbx

    hjlbx Guest

    Thanks @Sampei Nihira. I appreciate the info.
     
  21. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,367
    Location:
    Italy
  22. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,873
    Location:
    Outer space
    Also Integrity Levels if on Vista or 7, which means Chrome sandbox too.
     
  23. guest

    guest Guest

    So you agree with me?
     
  24. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    Are there any security tools that UAC interferes with starting at boot? The only one I know of is hostsman.
     
  25. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    Thanks for that info
     