Reducing malware risks with UAC and reputation services

Discussion in 'other anti-malware software' started by Windows_Security, Dec 7, 2015.

  1. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,061
    Location:
    Netherlands
    So common sense tells us not to trust signed software. This thread is not about auto allowing signed software, neither is it about auto blocking unsigned software to run. This thread is about blocking unsigned software to elevate.

WHAT ARE THE BENEFITS OF BLOCKING UNSIGNED SOFTWARE TO ELEVATE?

It makes it a lot harder for malware to survive a reboot and makes it easier for your (other) security programs to block, disable and remove it from your PC.


    WHAT IS THE DOWNSIDE OF BLOCKING UNSIGNED PROGRAMS TO ELEVATE?


In layman's terms, elevation means increasing the rights from the default medium integrity level (comparable with Basic User rights) to high integrity level (comparable with Administrator rights).

The default of UAC is still to allow unsigned software to elevate to high/admin rights. This was the setting used when Vista was introduced. With the introduction of Vista, the default for driver installation was set to block unsigned drivers (enforce driver signing).

It was still possible to install unsigned drivers, but with Windows 10 Microsoft also delivers driver and third-party component updates through its regular Windows Update mechanism. This software is signed by Microsoft (Microsoft Windows Hardware Compatibility Publisher and Microsoft Windows Third Party Application Component), reducing the need to grant unsigned software administrator access to your system.

Nine years after the introduction of Vista most software is signed; only some freeware and smaller software companies still release their software unsigned because of the cost of software signing.


    WHAT ABOUT UNSIGNED MALWARE?
From 2010 to 2014 the number of signed malware samples increased rapidly, see for instance this post. In McAfee's quarterly report (August 2015) a decrease in signed malware is reported.

In Q3 about 1.8 million new samples of signed malware were discovered. Put in perspective of the total number of new malware samples found, signed malware is only 10% of the total.
     
    Last edited: Dec 7, 2015
  2. Windows_Security

HOW TO CHECK WHETHER YOU HAVE UNSIGNED SOFTWARE (RUNNING)?

    INSTALL PROCESS EXPLORER

    Download from Microsoft Technet https://technet.microsoft.com/en-us/sysinternals/processexplorer.aspx

    Select the columns you need to check (see picture).
Run Process Explorer as admin, select VIEW, select COLUMNS and select VERIFIED SIGNER, INTEGRITY LEVEL and AUTOSTART LOCATION.

[screenshot: upload_2015-12-7_16-0-56.png]


    CHECK FOR UNSIGNED PROGRAMS RUNNING
In this example a program called Calculator is running which is unsigned. Unsigned programs with integrity level MEDIUM, LOW, UNTRUSTED and APPCONTAINER are no problem, because they are not running elevated (integrity HIGH or SYSTEM).

[screenshot: upload_2015-12-7_16-13-18.png]



     
  3. Windows_Security

    HOW TO ENABLE/DISABLE BLOCKING OF UNSIGNED?

Save the reg-files somewhere in Program Files and just (double) click on the reg-file to launch REGEDIT and choose OK twice.

You can check whether it works by running an unsigned program as administrator, see pic.


[screenshot: upload_2015-12-7_16-22-21.png]

When an unsigned program is blocked from elevating, the error message "A referral was returned from the server" is displayed.



    SET UAC TO BLOCK ELEVATION OF UNSIGNED


    Just copy this into notepad and save it with .reg extension (e.g. BLOCK_UNSIGNED_ELEVATION.reg)
    ----------------------------------------------------------------
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
    "ValidateAdminCodeSignatures"=dword:00000001



    SET UAC TO ALLOW ELEVATION OF UNSIGNED


    Just copy this into notepad and save it with .reg extension (e.g. ALLOW_UNSIGNED_ELEVATION.reg)
    ----------------------------------------------------------------
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
    "ValidateAdminCodeSignatures"=dword:00000000
     
    Last edited: Dec 7, 2015
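The Process Explorer check from the previous two posts (Verified Signer + Integrity Level + autostart location) can be reproduced from PowerShell. The script below is an added example, not code from the original posts: it lists every running process with the Authenticode status of its image and the integrity level of its token, prints the unsigned or unverifiable images that run at HIGH or SYSTEM integrity (the case the thread is about), then checks the Run autostart keys for entries whose executable is not validly signed, and shows the current ValidateAdminCodeSignatures value. The function names (Get-ProcessIntegrity, Get-SignerStatus, Get-ExePath, Get-UnsignedReport) and the helper class TokenIl are invented for this example. It assumes PowerShell 3.0 or later on Vista or later and, like Process Explorer, should be run elevated so that other users' processes can be inspected.

```powershell
# Added example, not code from the original post. Function and class names
# below are invented for this script. Needs PowerShell 3.0+ on Vista or
# later; run elevated, like Process Explorer, to inspect other users' processes.

if (-not ('TokenIl' -as [type])) {
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class TokenIl {
    [DllImport("kernel32.dll", SetLastError = true)] static extern IntPtr OpenProcess(uint a, bool i, int pid);
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool OpenProcessToken(IntPtr p, uint a, out IntPtr t);
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool GetTokenInformation(IntPtr t, int c, IntPtr b, int l, out int n);
    [DllImport("advapi32.dll")] static extern IntPtr GetSidSubAuthorityCount(IntPtr sid);
    [DllImport("advapi32.dll")] static extern IntPtr GetSidSubAuthority(IntPtr sid, int i);
    // Integrity RID of the process token (0x1000 low, 0x2000 medium, 0x3000 high, 0x4000 system), -1 on failure.
    public static int Get(int pid) {
        IntPtr proc = OpenProcess(0x1000 /* PROCESS_QUERY_LIMITED_INFORMATION */, false, pid);
        if (proc == IntPtr.Zero) return -1;
        IntPtr token = IntPtr.Zero, buf = IntPtr.Zero;
        try {
            if (!OpenProcessToken(proc, 0x0008 /* TOKEN_QUERY */, out token)) return -1;
            int n; GetTokenInformation(token, 25 /* TokenIntegrityLevel */, IntPtr.Zero, 0, out n);
            if (n == 0) return -1;
            buf = Marshal.AllocHGlobal(n);
            if (!GetTokenInformation(token, 25, buf, n, out n)) return -1;
            IntPtr sid = Marshal.ReadIntPtr(buf);               // TOKEN_MANDATORY_LABEL.Label.Sid
            int count = Marshal.ReadByte(GetSidSubAuthorityCount(sid));
            return Marshal.ReadInt32(GetSidSubAuthority(sid, count - 1));   // last sub-authority = integrity RID
        } finally {
            if (buf != IntPtr.Zero) Marshal.FreeHGlobal(buf);
            if (token != IntPtr.Zero) CloseHandle(token);
            CloseHandle(proc);
        }
    }
}
"@
}

function Get-ProcessIntegrity([int]$ProcessId) {
    $rid = [TokenIl]::Get($ProcessId)
    if ($rid -lt 0)      { return 'n/a' }        # access denied (protected or other-session process)
    if ($rid -lt 0x1000) { return 'Untrusted' }
    if ($rid -lt 0x2000) { return 'Low' }
    if ($rid -lt 0x3000) { return 'Medium' }
    if ($rid -lt 0x4000) { return 'High' }
    return 'System'
}

# Authenticode status of a file, with the signer's name when the chain validates.
function Get-SignerStatus([string]$Path) {
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return 'Unknown' }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -eq 'Valid') { return 'Valid: ' + $sig.SignerCertificate.GetNameInfo('SimpleName', $false) }
    return $sig.Status.ToString()     # NotSigned, HashMismatch, UnknownError, ...
}

# First token of an autostart command line, with quotes and %VARS% resolved.
function Get-ExePath([string]$Command) {
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd.StartsWith('"') -and $cmd.IndexOf('"', 1) -gt 1) { return $cmd.Substring(1, $cmd.IndexOf('"', 1) - 1) }
    $i = $cmd.IndexOf('.exe', [StringComparison]::OrdinalIgnoreCase)
    if ($i -ge 0) { return $cmd.Substring(0, $i + 4) }
    return $cmd.Split(' ')[0]
}

function Get-UnsignedReport {
    $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
    "ValidateAdminCodeSignatures = $(if ($pol.ValidateAdminCodeSignatures) { $pol.ValidateAdminCodeSignatures } else { 0 })"

    $procs = foreach ($p in Get-Process) {
        $path = $null; try { $path = $p.Path } catch { }   # Path is unreadable for some system processes
        [pscustomobject]@{ Pid = $p.Id; Name = $p.Name; Integrity = Get-ProcessIntegrity $p.Id; Signer = Get-SignerStatus $path }
    }
    "`n== Unsigned or unverifiable images running elevated =="
    $procs | Where-Object { $_.Integrity -in 'High', 'System' -and $_.Signer -notlike 'Valid*' }

    "`n== Autostart (Run) entries that are not validly signed =="
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        foreach ($e in (Get-ItemProperty $k).PSObject.Properties) {
            if ($e.Name -like 'PS*') { continue }         # skip PSPath/PSParentPath/... provider metadata
            $exe = Get-ExePath $e.Value
            $s = Get-SignerStatus $exe
            if ($s -notlike 'Valid*') { [pscustomobject]@{ Key = $k; Entry = $e.Name; Image = $exe; Signer = $s } }
        }
    }
}

Get-UnsignedReport
```

Two caveats when reading the output. Some Windows binaries are catalog-signed rather than carrying an embedded signature, so if Get-AuthenticodeSignature reports NotSigned for a file under C:\Windows, cross-check with Process Explorer's Verified Signer column before treating it as a finding. And the ValidateAdminCodeSignatures setting only governs elevation: a process that is unsigned but runs at Medium integrity is unaffected by it, exactly as the post above says, so only the High/System rows matter for this thread's purpose.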
  4. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    217
    It should be noted that in Windows 10, UAC has been improved.
    Smart UAC in Windows 10 will now evaluate every file or process that attempts elevation.
    If malicious, then executing and/or elevation are blocked.
If unknown, then the actions are recorded in the Persisted Store. If the combined sum of actions/behaviors is then at some point found to be malicious, then the file/process will be blocked.

    Links :
    https://technet.microsoft.com/en-us/library/mt438234(v=vs.85).aspx

    and : https://www.microsoft.com/security/portal/enterprise/threatreports_august_2015.aspx#

    In second link, pay attention to sections "Improved detection" and "New technologies"
     
  5. Windows_Security

    USING REPUTATION SERVICES TO ASSIST YOUR OTHER SECURITY PROGRAMS (BESIDES YOUR AV).

Reputation service is a numbers game. Microsoft and Chrome dominate the browser market. With Windows 8 and higher SmartScreen also checks file executions on the desktop. So when you use Chrome with the Safe Browsing feature and don't disable SmartScreen, you combine the blacklists of Microsoft and Google.

According to old tests these built-in filters (Google's Safe Browsing in Chrome and Microsoft's SmartScreen on the desktop) will block around 80% of malware downloads. I always found these high numbers hard to believe.

Another interesting co-operation is http://www.cyberthreatalliance.org/, in which a few anti-virus companies co-operate who score well on URL filtering tests, such as Fortinet, McAfee and Symantec. They seem to share samples. Since Norton is part of Symantec, the free DNS service of Norton (ConnectSafe) might be a nice extra layer which does not use the resources of your PC, since all the hard work is done at the (DNS) servers of Norton/Symantec.

Depending on the AV you use, adding a browser extension could increase your protection. URL blacklisting is a numbers game, so based on numbers reported by OPSWAT, Avast's security extension (for Chrome) would be a good pick.
     
    Last edited: Dec 7, 2015
  6. Windows_Security

    @Martin_C

    Thanks for the information.

    Regards Kees
     
  7. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,054
    Good advice for users that use mainstream software that is mostly signed. Unfortunately most users disable UAC altogether since they don't know how to answer those popups and think that they are annoying.
    Personally I use some software that is not signed and needs elevated rights, so I don't have this option enabled.
     
  8. Lordman

    Lordman Registered Member

    Joined:
    Mar 12, 2006
    Posts:
    67
    Location:
    Spain
Sorry, is Norton ConnectSafe better than Comodo SecureDNS? Thanks.
     
  9. Windows_Security

    @Lordman

There are a few DNS players which also offer malware (and phishing) protection. I don't know whether Norton is better or worse than Comodo. It is only that the Cyber Threat Alliance shares samples, so my assumption was that Norton DNS would get fed more malware samples than Comodo.

I don't know the number of users/endpoints using a specific DNS service. Only OpenDNS says it has 65 million users.

    Regards Kees
     
  10. Lordman

    Yes, OpenDNS has more users than Norton but OpenDNS only has antimalware protection on Umbrella paid versions.
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,020
    Location:
    The Netherlands
    Interesting, but apparently there is still no UAC whitelist. In other words, it's still retarded.

    http://www.makeuseof.com/tag/stop-a...ate-a-user-account-control-whitelist-windows/
     
    Last edited: Dec 7, 2015
  12. Windows_Security

:) My first qualification of UAC was sort of similar; luckily Symantec came with a tweak to remember UAC prompts on Vista. With Windows 7 the default is more relaxed than Vista (prompt for non-Windows), so with the TASK trick it is okay nowadays.
     
    Last edited: Dec 8, 2015
  13. Rasheed187

    @ Windows_Security

    This is the main reason why I disabled UAC, they should have implemented a white-list, it's that simple.
     
  14. Martin_C

    Retarded ??

    What a strange overreaction to a feature.

    UAC was introduced to lessen the burden of running with reduced rights.

    If a user or developer still in late 2015 has not accepted the benefits of reduced rights, then I don't think it's the OS that has issues.
     
  15. Rasheed187

    The idea behind UAC is good, but do you really think I'm going to answer the same question over and over again? M$ with their billion dollar R&D department should have been able to figure out that a lot of apps will still need to run with admin rights, so they could have foreseen this problem, it's that simple.
     
  16. fblais

    fblais Registered Member

    Joined:
    Jul 31, 2008
    Posts:
    836
    Location:
    Québec, Canada
    What about UAC-Grabber from abylon ?
    Bitsdujour will have a free deal soon.
     
  17. Windows_Security

    Last edited: Dec 13, 2015
  18. Windows_Security

    See previous post: I use this on my wife's laptop so she does not get used to clicking OK on UAC prompts.

    UAC: Block unsigned to elevate + Allow signed to elevate without prompt
    Since only 10% of the malware is signed this will protect you against 90% of the malware.

    With Smartscreen raised one level, these malware/reputation filters should help to reduce the risk of signed malware:

    1. Norton DNS (set in wireless connection settings)
    2. Chrome's Safe Search with Bitdefender Traffic Light extension
    3. Smartscreen on the desktop (require Admin consent)
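The combination described in this post (unsigned may not elevate, signed elevates without a prompt, SmartScreen on the desktop requires admin approval for unknown files) can be audited and applied in one script. The script below is an added example, not code from the original post: without -Apply it only reports the current value of each setting against the wanted one; with -Apply, from an elevated PowerShell, it writes them. The registry locations and values are the ones 2015-era Windows 7/8/10 use for these settings (ValidateAdminCodeSignatures and ConsentPromptBehaviorAdmin map to the "Only elevate executables that are signed and validated" and "Behavior of the elevation prompt for administrators" policies; SmartScreenEnabled = RequireAdmin is what the Control Panel writes for "Get administrator approval"). The EnableLUA check is my addition, because the other two UAC values do nothing when UAC itself is off. The function names are invented here, and the DNS step is left out because the post names no server addresses.

```powershell
# Added example, not code from the original post. Audits, and with -Apply
# writes, the three settings from the post plus an EnableLUA sanity check.
# Registry names/values are those of 2015-era Windows 7/8/10; function
# names are invented for this script.
param([switch]$Apply)

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Wanted = @(
    @{ Key = $UacKey; Name = 'EnableLUA';                   Value = 1;              Type = 'DWord'
       Why = 'UAC must be on, otherwise the two settings below are meaningless' },
    @{ Key = $UacKey; Name = 'ValidateAdminCodeSignatures'; Value = 1;              Type = 'DWord'
       Why = 'block unsigned executables from elevating ("A referral was returned from the server")' },
    @{ Key = $UacKey; Name = 'ConsentPromptBehaviorAdmin';  Value = 0;              Type = 'DWord'
       Why = 'elevate without prompting; the Windows 7+ default 5 prompts for non-Windows binaries' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer'
       Name = 'SmartScreenEnabled';                        Value = 'RequireAdmin'; Type = 'String'
       Why = 'SmartScreen on the desktop: unrecognised downloads need admin approval' }
)

# One row per setting: what is there now, what the post wants, and whether they match.
function Get-SettingState($s) {
    $cur = (Get-ItemProperty -Path $s.Key -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
    [pscustomobject]@{
        Setting   = $s.Name
        Current   = if ($null -eq $cur) { '(not set)' } else { $cur }
        Wanted    = $s.Value
        Compliant = ("$cur" -eq "$($s.Value)")
        Why       = $s.Why
    }
}

function Set-Setting($s) {
    if (-not (Test-Path $s.Key)) { New-Item -Path $s.Key -Force | Out-Null }
    Set-ItemProperty -Path $s.Key -Name $s.Name -Value $s.Value -Type $s.Type
}

function Test-Elevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    ([Security.Principal.WindowsPrincipal]$id).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

$state = $Wanted | ForEach-Object { Get-SettingState $_ }
$state | Format-Table Setting, Current, Wanted, Compliant -AutoSize

if ($Apply) {
    if (-not (Test-Elevated)) { throw 'Writing HKLM policy values needs an elevated PowerShell.' }
    foreach ($s in $Wanted) {
        $row = $state | Where-Object { $_.Setting -eq $s.Name }
        if ($row.Compliant) { continue }
        Set-Setting $s
        "set {0} = {1}  ({2})" -f $s.Name, $s.Value, $s.Why
    }
}
else {
    $drift = @($state | Where-Object { -not $_.Compliant }).Count
    "$drift setting(s) differ from the post's configuration; re-run with -Apply from an elevated prompt to change them."
}
```

Note what this configuration does and does not cover: with ConsentPromptBehaviorAdmin = 0 any validly signed binary elevates silently, so the roughly 10% of malware that is signed (first post) is not stopped by UAC at all. That is the gap the SmartScreen and DNS/browser reputation layers in this post are meant to close, so the SmartScreenEnabled row should not be skipped when the UAC rows are applied.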
     
  19. Gandalf_The_Grey

    Gandalf_The_Grey Registered Member

    Joined:
    Jan 31, 2012
    Posts:
    391
    Location:
    The Netherlands
    You prefer Bitdefender Traffic Light now over Avast Online Security?
     
  20. Windows_Security

No, it is my wife's laptop and I don't fix it when it is not broken. At the time I upgraded from Vista Business to Windows 7 Enterprise on my wife's laptop, Bitdefender's Traffic Light was already available as an extension while Avast installed the extension as part of the program (as far as I know it took some time before Avast made the extension available as a separate Chrome extension).

So my wife got used to the simple green-red icon of Bitdefender. Based on OPSWAT data Avast is the most used anti-virus. So from a clean sheet I would have picked Avast now. On the plus side for Bitdefender's Traffic Light, it is used as AV engine in a lot of anti-virus products. But the user statistics of Chrome are clear: the Avast extension has over 10M users while BD Traffic Light has over 100K users.
     
  21. Rasheed187

    This is exactly what they should have implemented. It would also be cool if you could mark certain folders as "trusted". But when you think about it, wouldn't it be more logical to only give UAC alerts when apps and installers are actually performing high risk operations? This also means that all apps should get write access to "program files", even with medium rights, because this is the reason that all installers need admin rights.

    It's interesting, but a lot of apps are not signed, and I wouldn't even rely on signatures anyway, so no good to me.
     
  22. Windows_Security

You know, it is 2015 now; have a look at the programs I have on my Asus book. With all the apps of Windows 10 and all commercial software being signed, what unsigned software would an average PC user need?

[screenshot: upload_2015-12-13_22-6-16.png]
     
    Last edited: Dec 13, 2015
  23. Windows_Security

Well, then you are missing the point: allowing signed to elevate is a form of whitelisting; using a reputation service requiring admin consent for unknown is also a form of whitelisting.
     
  24. Rasheed187

That's why I said it's no good to ME, I'm not your average user.
     
  25. Windows_Security

No, I am not accusing you of being average, don't worry. With the reg files supplied in the third post it is possible to switch the unsigned elevation block on or off. As posted in the second post, I also run unsigned software, because unsigned is still allowed to run. You don't like UAC prompts and have probably switched it off. I just showed you that you can also set it to elevate signed software silently and use the built-in HIPS of your PS to block unsigned software to elevate (protect ring0). With SmartScreen blocking unknown (meaning not in the known-good list) you can turn your OS into a user-friendly HIPS (protecting ring3).
     