How reliable is windows 7 UAC?

Discussion in 'other anti-malware software' started by Antimalware18, Jul 20, 2013.

Thread Status:
Not open for further replies.
  1. Antimalware18

    Antimalware18 Registered Member

    Joined:
    Dec 12, 2008
    Posts:
    417
    Just like the question asks, how reliable is Windows 7 UAC against the malware field? Is it reliable at detecting changes and then stopping those changes from perhaps a file that was dropped through an exploit? Or is it bypassed galore?
     
  2. sthmptn

    sthmptn Registered Member

    Joined:
    Jul 20, 2009
    Posts:
    31
    Hi,

    From my research, I have found that UAC is OK to use but should not be relied on as a security measure.

    What exactly does UAC do?
    How is UAC bypassed?

    Hope that give some info but some of those links/info may be outdated now...
     
  3. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    1,915
    I consider UAC as additional and not main layer of protection.
     
  4. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,081
    Location:
    Netherlands
    UAC is only one of the OS defenses. On my Ultimate Windows 7 it is an essential element, but it is part of a package. This package has not been bypassed by live / fresh malware samples since early 2010. Only once a sample was able to do some harm, which was partly corrected by Windows protected files. This resulted in being unable to install/update ANY program. The bypass was related to a hole Microsoft intentionally designed to bypass AppLocker.
     
  5. guest

    guest Guest

    I only use UAC as privilege limiter and elevation notifier. UAC's reliability highly depends on the user IMO. I'm not a click happy user so it plays a pretty big role in my setup (though I don't rely on it too much).

    I still don't understand why Microsoft designed SRP and AppLocker with such a design flaw. To me it feels like you're riding an armored tank in the middle of a battlefield with an opening hatch. o_O
     
  6. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,081
    Location:
    Netherlands
    AppLocker, but they provided an optional fix after receiving complaints. Making things easier for scripts used by companies (large corporations: ease of central management versus security). Same with UAC: the Vista default is the Windows 7 max (user complaints: usability versus security).
     
  7. guest

    guest Guest

    An optional-underrated-barely-published-so-not-everyone-knows-about-it-unless-you-dig-info-about-it beta hotfix.
     
  8. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,709
    In addition to the links provided by sthmptn, you also have to be aware of these:

    Why Windows 7's Default UAC Is Insecure
    Windows 7 UAC whitelist: Code-injection Issue (and more)
    Bypassing User Activation Controls

    Recommended: Set UAC to the highest setting (Always Notify).
    Better still: Run as LUA/SUA

    To sum it up:

    UAC is no security boundary. It just makes it easier for the masses to run with least privilege compared to XP and its predecessors. Default settings are just to quieten down the noise level by consumers. The logic is one of a compromise, both technically and marketing-wise. Slightly better security is better than nothing (users disabling UAC).

    LUA is better (helps against the elevation issues linked by sthmptn, as elevation occurs in a different user context). However, the fact remains that malware can run just fine with limited rights.

    SRP/AppLocker can help against most malware nowadays (inc. LUA-compatible ones). That's why Kees/Windows_Security can get a pass against all those malware samples. However, SRP/AppLocker come with stupid "by-design" holes (hotfix only for Win7; thanks a lot MS :cautious: ). They also do nothing against memory-only execution.

    EMET should be your primary bet to counter exploits at its early stages on Windows. To get the most out of it, 64-bit Windows is recommended for better ASLR.

    Here's a good guide by our member HungryMan (although I prefer to go with path rules for Applocker for convenience)
    Windows Hardening Guide
     
    Last edited: Jul 24, 2013
  9. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    1,915
    How to check if I've already installed this Applocker hotfix?
     
  10. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    1,915
    Just found in installed Win updates
     

  11. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,081
    Location:
    Netherlands
    1. UAC
    True, I have it on max with a deny elevate for unsigned software, and also added NSA advice for group policy to deny installation of all sorts of unsigned binaries (drivers, ActiveX, powerscripts, etc). Simply because there are so many ways to get executable binaries on/in your system.

    2. SRP/Applocker helps prevent, but LUA is better
    I like the default level run as basic user, to stop all high risk file extensions from executing in user space. When you want to lock down your PC, Applocker offers more granular control (with SRP basic user, I still am able to right click install).

    3. EMET
    Closes down memory intrusion with Vista or higher (ASLR in Win7 is better than Vista, Win8 better than Win7) to a minimum.

    4. Malware in user land
    That is why I locked (through GPO) user accessible autorun entries. Have added Outlook and Chromium policy templates to prevent the user from changing important settings (installing add-ons).

    UAC does not protect against side by side attacks, therefore it is important that all risky touch points/internet threat gates run with low integrity (e.g. Chrome sandbox, Chrome's extra control with PPAPI flash and own PDF reader). That is why I use a browser with low rights (and use Chrome's PPAPI flash with Chromium). On top of that I have set a deny execute file access (ACL) on all download, media, e-mail (drive-by folders) and deny autorun and execute access to USB drives (GPO).

    5. Windows hardening
    With GPO you should disable all remote services and dynamic desktop like functionality. I disabled 60 windows services (not for performance, but security attack surface reduction).


    With this (safe_admin) mix, the 'admin door' is still available. When running LUA as safeguy says (with deny elevation for basic users), that door is not accessible anymore.

    Regards Kees
     
    Last edited: Jul 27, 2013
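    An added example, not code from Kees, safeguy or anyone else in this thread: a read-only PowerShell audit of the UAC settings recommended in posts 8 and 11 (Always Notify, deny elevation of unsigned software, no elevation for standard users) plus a check for the deny-execute ACL on a download folder. The registry value names are the documented Windows UAC policy values; the folder list passed in at the bottom is an assumption for the example. It uses only cmdlets available in the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example (not from any poster in this thread). Reports, never changes anything.
$UacPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPosture {
    param([string] $Key = $UacPolicyKey)
    $v = Get-ItemProperty -Path $Key
    # Each entry is $true when the live value matches the hardened setting.
    $posture = @{}
    # EnableLUA = 1: UAC (Admin Approval Mode) is switched on at all.
    $posture['UacEnabled'] = ($v.EnableLUA -eq 1)
    # ConsentPromptBehaviorAdmin = 2 with PromptOnSecureDesktop = 1 is the slider's
    # "Always notify" position. The Windows 7 default is 5: Windows binaries
    # auto-elevate silently, which is the whitelist weakness linked above.
    $posture['AlwaysNotify'] = ($v.ConsentPromptBehaviorAdmin -eq 2 -and $v.PromptOnSecureDesktop -eq 1)
    # ValidateAdminCodeSignatures = 1: only signed and validated executables may elevate
    # (the "deny elevate for unsigned software" setting).
    $posture['DenyUnsignedElevation'] = ($v.ValidateAdminCodeSignatures -eq 1)
    # ConsentPromptBehaviorUser = 0: standard users get "access denied" instead of a
    # credential prompt, i.e. the 'admin door' is closed for LUA accounts. The value is
    # absent on a default install; $null -eq 0 is $false, which is the right answer.
    $posture['StandardUsersCannotElevate'] = ($v.ConsentPromptBehaviorUser -eq 0)
    return $posture
}

function Test-DenyExecuteAce {
    param([Parameter(Mandatory=$true)][string] $Path)
    # $true when the folder carries a Deny ACE that includes ExecuteFile, i.e. the
    # "deny execute file access" ACL applied to download/media/e-mail folders above.
    $execute = [int][System.Security.AccessControl.FileSystemRights]::ExecuteFile
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Deny' -and
            (([int]$ace.FileSystemRights -band $execute) -ne 0)) {
            return $true
        }
    }
    return $false
}

function Show-HardeningReport {
    param([string[]] $Folders)
    foreach ($item in (Get-UacPosture).GetEnumerator() | Sort-Object Key) {
        $state = if ($item.Value) { 'OK' } else { 'CHECK' }
        '{0,-28} {1}' -f $item.Key, $state
    }
    foreach ($folder in $Folders) {
        if (Test-Path -Path $folder) {
            $state = if (Test-DenyExecuteAce -Path $folder) { 'deny-execute ACE present' } else { 'no deny-execute ACE' }
            '{0,-28} {1}' -f $folder, $state
        }
    }
}

# Usage: the folder list is constructed for this example; add media and mail folders as needed.
Show-HardeningReport -Folders @("$env:USERPROFILE\Downloads")
```

    Every line that reports CHECK or "no deny-execute ACE" is a setting that differs from the configuration described in post 11; the script does not tell you whether that is acceptable for your use, only that it is not the locked-down value.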
  12. guest

    guest Guest

    Did you install it manually or through Windows update?

    Too bad home users of Windows 8 can't make use of AppLocker. You can create rules but can't enforce it (just like 7 Pro), which is pointless. I prefer it over SRP actually. :(

    Anyway, to derail it a bit further (lol), is using SRP/AppLocker still recommended? And does whitelisting mode and blacklisting mode make any differences in terms of all those bypasses?
     
  13. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    1,915
    Manually. I just wanted to check as I jump between snapshots of EazFix and could lose it.
     
  14. mattdocs12345

    mattdocs12345 Registered Member

    Joined:
    Mar 23, 2013
    Posts:
    1,785
    Location:
    US
    I have it off. I prefer other 3rd party solutions that are less intrusive in their pop ups.
     
  15. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    1,915
    Could you specify how to do this?
     
  16. CrusherW9

    CrusherW9 Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    516
    Location:
    United States
    This should give you a decent starting point. Just type "services.msc" into the start menu and it should pop up. This is all of the services running on your computer.
     
  17. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,081
    Location:
    Netherlands
    Yep, you nailed it. First disable as many options in Group Policy using NSA templates, next use Black Viper's advice for the Ultimate/Professional version of your OS (this one is for Windows 7). I used a mix between safe and tweaked (mostly tweaked, the rest on safe, e.g. for Wireless and NAS-device).
     
  18. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    1,915
    Thanks, guys.
     
  19. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    How reliable? Well there's no better alternative if you want anything like sudo on Windows. If you're looking at it from just a malware prevention perspective, you're far from seeing the whole picture.
     
  20. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    1,915
    I've just applied the same. The only difference is that I had to set "WLAN AutoConfig" to Automatic, as my PC didn't connect to my WiFi router if it was on Manual.

    As I often jump between snapshots with my Eaz-Fix, I have to find a way to quickly store and deploy the services settings back. The only solution that I found is the corresponding feature of "Advanced Uninstaller". It can also compare the existing service config with the one you want to load. That is what helped me to figure out the problem with the router.
    Doesn't there exist a native Windows 7 mechanism for that?
     
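    An added example, not something Solarlynx or anyone else in the thread posted, answering the question above with built-in tooling: PowerShell 2.0 on Windows 7 can snapshot every service's startup type to a CSV, compare the live state against it (which is how the WLAN AutoConfig difference would show up), and re-apply it. Only cmdlets present in Windows 7 are used (Win32_Service via WMI, Export-Csv/Import-Csv, Set-Service); the CSV path in the usage lines is an assumption.

```powershell
# Added example (not from any poster in this thread). Restore needs an elevated prompt.

function Export-ServiceStartup {
    param([Parameter(Mandatory=$true)][string] $Path)
    # Win32_Service exposes StartMode (Auto/Manual/Disabled); Get-Service in PowerShell 2.0
    # does not, so the snapshot is taken from WMI. Delayed-start is not distinguished here.
    Get-WmiObject -Class Win32_Service |
        Select-Object Name, DisplayName, StartMode |
        Sort-Object Name |
        Export-Csv -Path $Path -NoTypeInformation
}

function Compare-ServiceStartup {
    param([Parameter(Mandatory=$true)][string] $Path)
    # Emits one object per service whose live StartMode differs from the saved one.
    # Services that exist only in one of the two sets are ignored.
    $saved = Import-Csv -Path $Path
    $live = @{}
    foreach ($s in (Get-WmiObject -Class Win32_Service)) { $live[$s.Name] = $s.StartMode }
    foreach ($entry in $saved) {
        if ($live.ContainsKey($entry.Name) -and $live[$entry.Name] -ne $entry.StartMode) {
            New-Object PSObject -Property @{
                Name    = $entry.Name
                Saved   = $entry.StartMode
                Current = $live[$entry.Name]
            } | Select-Object Name, Saved, Current
        }
    }
}

function Restore-ServiceStartup {
    param(
        [Parameter(Mandatory=$true)][string] $Path,
        [switch] $Preview   # show what would change without touching anything
    )
    # WMI reports 'Auto', Set-Service wants 'Automatic'; the other two names match.
    $map = @{ 'Auto' = 'Automatic'; 'Manual' = 'Manual'; 'Disabled' = 'Disabled' }
    foreach ($diff in Compare-ServiceStartup -Path $Path) {
        if (-not $map.ContainsKey($diff.Saved)) { continue }
        Set-Service -Name $diff.Name -StartupType $map[$diff.Saved] -WhatIf:$Preview
    }
}

# Usage (constructed path): take the snapshot once the tweaked configuration works,
# then after restoring an Eaz-Fix image compare and, if the diff looks right, restore.
# Export-ServiceStartup  -Path 'C:\Backup\services-tweaked.csv'
# Compare-ServiceStartup -Path 'C:\Backup\services-tweaked.csv' | Format-Table -AutoSize
# Restore-ServiceStartup -Path 'C:\Backup\services-tweaked.csv' -Preview
```

    Keeping the CSV outside the snapshotted partition is what makes this survive a rollback; the compare step is also a cheap way to spot a service that something re-enabled behind your back.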
  21. 0strodamus

    0strodamus Registered Member

    Joined:
    Aug 23, 2009
    Posts:
    1,047
    Location:
    United Surveillance States
    There is a better alternative. It's called Surun. :)
     
  22. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    1,915
    Can't find the templates anywhere. Can somebody give a direct link?
     
  23. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    How is it better (especially in terms of reliability) than something built-in with Windows? Is it even compatible with Windows 7 64-bit?
     
  24. guest

    guest Guest

    I consider it just more bloatware that needs to be ripped out of the OS:thumbd: o_O o_O
     
  25. 0strodamus

    0strodamus Registered Member

    Joined:
    Aug 23, 2009
    Posts:
    1,047
    Location:
    United Surveillance States
    I can't claim it is more reliable than UAC, but I can't say that it is less reliable either. What I can say is that it hasn't failed me once over many years of use. The main advantage is that its usability is far superior to the never-ending prompting that is UAC. And, yes, it is compatible with Win7 x64.
     