Reducing malware risks with UAC and reputation services

Discussion in 'other anti-malware software' started by Windows_Security, Dec 7, 2015.

  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I'm not saying it's a bad idea, but it's not a solution to the general problem that I have with UAC. And why auto elevate when you can't blindly trust digital signatures, that's my point. The whole UAC alert system needs an overhaul.
     
  2. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    BOTH you guys, Kees & Rasheed187, raise excellent points. To Kees: I may look into that WindowsEight forums tweak.

    To Rasheed187: I am 100% in your camp on UAC. I run straight-up Windows 8 (not even 8.1) and I had about enough of that silly M$ pop-up ALWAYS INTERFERING, NOT TO MENTION WASTING TIME, every time that box jumped up on apps THAT I ALREADY KNOW ARE SAFE but unsigned and need elevation, so I disabled that distraction loooong ago. You are right. With the Research and Development of that conglomerate you would think they could easily have already made some provision for a more user-friendly approach with UAC instead of just throwing it in AS-IS and breaking momentum for users who have to answer with a mouse click a zillion times like lunacy. We are well into near one quarter of the 21st Century already and this is the best that they can offer? Bahhhh.

    That's why conscientious and thoughtful creations like NoVirusThankYou, graciously brought about, are a very welcome introduction for me personally in order to FILL THAT VOID for UAC; it traps processes exactly as expected, as do some other alternatives that are designed to help, minus the distractions that UAC only offered, and it also SAVES GREAT AMOUNTS OF TIME better spent moving forward instead of getting bogged down with yet more pop-ups.
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes exactly, and what is the point when ALL app installers (signed or not) need admin rights? It would make more sense if only apps that need to perform privileged stuff, like loading a service or driver and injecting code, would trigger a UAC alert. This way, all regular apps could be installed with medium rights, so there is no need to elevate them, and you won't get to see a dumb UAC alert. And of course there should have been a whitelist for all apps that need to run with admin rights.
     
  4. Maybe someone who is a native English speaker can assist me. I'll try to explain the key point again:

    UAC can be set to silently elevate, so I don't understand why you keep saying you don't use UAC because of the pop-ups. With silent elevation you won't see a UAC warning anymore.

    Set UAC to block unsigned software from elevating.
    This reduces the admin space infection risk to 10%, while still being able to RUN unsigned software. With the reg files provided in post 2, you can switch this block on and off in the unlikely situation that you need to install unsigned software.

    Set SmartScreen to require admin consent
    when running unknown software downloaded from the internet. So you are using a cloud whitelist against drive-bys and shot-in-the-foot user errors (see the picture in post 17, "Windows protected your computer").

    Use USB manager to set a deny execute on USB disks
    and you have the two most common infection sources covered: CNET download link USB manager

    Stack URL blacklists to stay away from risky places. When you don't have the skills to build your own FREE Sophos UTM or are not willing to pay for an ASUS 87 router with Trend Micro or a Sitecom router with (annual) HitmanPro, an easy and cheap solution is to stack reputation services, bringing safety by the numbers (the larger the user base the better, as a rule of thumb):
    a) Use Norton DNS Connect safe
    b) Use Chrome's safe browsing
    c) Use Avast Online Security extension

    You will stack up the URL blacklist of Microsoft, Google, CyberThreatAlliance (Symantec, Intel and Fortinet) and Avast.
     
    Last edited by a moderator: Dec 14, 2015
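Added example, not from the thread or its author: the UAC and SmartScreen settings from the post above, applied through the registry values behind the corresponding Group Policy settings, with a read-back check. It also carries the "application installation detection" switch that Minimalist mentions further down. Assumes an elevated PowerShell on Windows 8.1 or a 2015 build of Windows 10; the UAC values take effect after a sign-out or reboot.

```powershell
# Registry locations of the UAC policy values and of the Windows 8.x/10 SmartScreen setting
$UacKey         = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$SmartScreenKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer'

function Set-UnsignedElevationBlock {
    # $true : "User Account Control: Only elevate executables that are signed and validated"
    # $false: let unsigned binaries elevate again (the toggle for installing unsigned software)
    param([Parameter(Mandatory)][bool]$Enabled)
    Set-ItemProperty -Path $UacKey -Name ValidateAdminCodeSignatures -Type DWord -Value ([int]$Enabled)
}

function Set-SilentElevation {
    # ConsentPromptBehaviorAdmin 0 = elevate without prompting (the post's "silent elevation"),
    # 5 = Windows default (prompt for consent for non-Windows binaries). EnableLUA=1 keeps UAC on.
    param([Parameter(Mandatory)][bool]$Silent)
    Set-ItemProperty -Path $UacKey -Name EnableLUA -Type DWord -Value 1
    Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorAdmin -Type DWord -Value $(if ($Silent) { 0 } else { 5 })
}

function Set-InstallerDetection {
    # "Detect application installations and prompt for elevation"; $false is the gpedit tweak
    # Minimalist describes, so only installers that really need admin rights prompt.
    param([Parameter(Mandatory)][bool]$Enabled)
    Set-ItemProperty -Path $UacKey -Name EnableInstallerDetection -Type DWord -Value ([int]$Enabled)
}

function Set-SmartScreenLevel {
    # 'RequireAdmin' = unrecognised downloaded apps need admin approval, 'Prompt' = warn only, 'Off'
    param([ValidateSet('RequireAdmin','Prompt','Off')][string]$Level = 'RequireAdmin')
    Set-ItemProperty -Path $SmartScreenKey -Name SmartScreenEnabled -Type String -Value $Level
}

function Get-ElevationPolicyState {
    $uac = Get-ItemProperty -Path $UacKey
    $ss  = Get-ItemProperty -Path $SmartScreenKey
    [pscustomobject]@{
        UacEnabled             = ($uac.EnableLUA -eq 1)
        SilentElevation        = ($uac.ConsentPromptBehaviorAdmin -eq 0)
        UnsignedElevateBlocked = ($uac.ValidateAdminCodeSignatures -eq 1)
        InstallerDetection     = $uac.EnableInstallerDetection
        SmartScreen            = $ss.SmartScreenEnabled
    }
}

# The combination recommended in the post: silent elevation for signed code, a block for
# unsigned code, and SmartScreen demanding admin consent for unknown downloads.
Set-SilentElevation -Silent $true
Set-UnsignedElevationBlock -Enabled $true
Set-SmartScreenLevel -Level 'RequireAdmin'
# Set-InstallerDetection -Enabled $false   # optional, Minimalist's gpedit tweak
Get-ElevationPolicyState | Format-List
```

Calling Set-UnsignedElevationBlock -Enabled $false and then $true again is the same on/off switch the post says the reg files in post 2 provide.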
  5. harsha_mic

    harsha_mic Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    815
    Location:
    India
    First of all, sorry for asking such a noob question!

    Suppose a user (like me) is running as Admin. Will configuring the system to "block unsigned to elevate" be of any use?
    Won't the malware/application running as admin have full privileges by default?
     
  6. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Just my 2 cents.

    IMO UAC shouldn't be used only to block unsigned software, but to block every elevation out there regardless of the origin of the software. This is useful not only to block malware, but to block unwanted signed software that is, or comes with, adware, because once the main program gains elevation it can install adware without user permission. Heck, even PowerISO, which is payware software, comes with signed adware that is automatically copied to the /temp folder (Malwarebytes caught that one for me once).

    So, the first rule of thumb is to download software from the developer's website only. 7-zip, for example, is not signed, but it's reputable and GPL licensed, so once you double-click on it you can securely allow it unlimited access to your OS. The same for LibreOffice, 0AD, etc.
    If you use UAC only to block unsigned software, at some point you might find a signed piece of malware that comes through a drive-by, and UAC might not protect you. But if you limit ALL software from elevating privileges, it could protect you.

    Next, install EMET and configure it either to "Max Security Settings" or make it so that the Execution Prevention is set to "opt out", this way you can disable such mitigation on the software you trust.

    One of the most important security features out there is Sandboxing. You can use Sandboxie, but I prefer COMODO because it's more advanced, it's completely free and it has an awesome HIPS+Firewall+Sandbox combo.

    Avira has the best scanner out there, so I'd recommend using it as well. You can use Avira with COMODO and Malwarebytes, all together and with no issue at all.
    However, DO NOT use your antivirus as your first line of defense. It's there to have a certain amount of certainty that the software you're about to install isn't malware (malware, here, meaning anything "bad" for the OS).

    What I did when I used Windows:

    • Create an account named "Admin" and set a strong password to it;
    • Create a limited account for day-to-day use;
    • Set UAC to Max, so whenever a software requires installation Windows would prompt me to type the Admin password;
    • EMET to almost Max settings, Execution Prevention set to off on the apps that need it, like GTA Vice City;
    • Firefox running on EMET and COMODO's Sandbox;
    • Avira Free, customized settings for better security;
    • COMODO Firewall, customized to make my PC "invisible", and set to accept only the connections I need;
    • COMODO HIPS to safe mode;
    • Malwarebytes Premium, custom settings for optimal security;
    • Windows up-to-date, except for those spyware updates;
    • TrueCrypt, both partitions encrypted (system partition and documents partition);
    There are other security products out there, but as long as you don't install everything you see in front of you, you'll be fine with the above. Remember to run your office app sandboxed whenever you need to open a file from family, a friend, or your boss; you never know what people have on their machines, so always use your digital condom ;)
     
  7. No, you run Windows 8.1, so every process runs with Medium Integrity Level, even when you run as Admin. That is why UAC was introduced. Switching the unsigned elevation block on or off reduces malware risk (by 90%).
     
  8. harsha_mic

    harsha_mic Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    815
    Location:
    India
    Ok, thanks!!
    Yes, that UAC!! Why didn't I think of that? Guess I forgot about it..

    By the way, I am on Win 10. Will update signature.
     
    Last edited: Dec 14, 2015
  9. harsha_mic

    harsha_mic Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    815
    Location:
    India
    Ok, I must ask one more question:
    Is there any program/setting for Windows 10 which by default allows newly introduced programs to run with low integrity instead of medium integrity?
    I believe this would reduce the chance of unknown executables doing damage, so they do a little less damage if they get past SmartScreen?
     
  10. No, there is no easy way to change integrity levels. You can use the icacls command, but then you need to figure out which data folders that program uses and make them low IL too. Luckily Windows 10 has a lot of default apps which run in AppContainer, so a best practice is:

    1. Install Chrome (or Opera or Yandex) and make it your default browser
    2. Disable Windows Media Player and Internet Explorer 11 (Turn Windows features on or off)
    3. Use Windows Apps Mail+Calendar as an alternative for Outlook
    4. Use Windows Apps Photos + Groove Music + Films & TV + Windows DVD player as an alternative to Windows Media Player
    5. Use Edge as your PDF reader (on disk) and Chrome PDF-plug-in for internet viewing as alternative to Adobe PDF reader.

    With those easy tweaks you will run everything internet-facing in AppContainer or the Chrome sandbox (Low/Untrusted IL).
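Added example, not from the thread or its author: the icacls approach mentioned above, wrapped so that the executable and every data folder it writes to get the same Low label, with a read-back check. Assumes English icacls output; the paths in the usage lines are hypothetical placeholders.

```powershell
function Set-LowIntegrity {
    param(
        [Parameter(Mandatory)][string]$ExePath,   # processes started from this file inherit the Low label
        [string[]]$DataFolders = @()              # folders the program must still be able to write to
    )
    # A Low-IL process cannot write to Medium-labelled objects (the default), so every profile,
    # cache or settings folder the program needs must be relabelled too. (OI)(CI) inherits the
    # label to new files and subfolders; /t applies it to what already exists.
    & icacls $ExePath /setintegritylevel Low | Out-Null
    foreach ($folder in $DataFolders) {
        & icacls $folder /setintegritylevel '(OI)(CI)Low' /t | Out-Null
    }
}

function Restore-MediumIntegrity {
    # Undo: an explicit Medium label equals the default, so the program runs normally again.
    # Inheritance flags only apply to directories, so files get the plain level.
    param([Parameter(Mandatory)][string[]]$Paths)
    foreach ($p in $Paths) {
        $level = if (Test-Path -Path $p -PathType Container) { '(OI)(CI)Medium' } else { 'Medium' }
        & icacls $p /setintegritylevel $level /t | Out-Null
    }
}

function Get-IntegrityLabel {
    # icacls prints an explicit label as "Mandatory Label\Low Mandatory Level:(NW)";
    # no such line means the object carries the implicit Medium label.
    param([Parameter(Mandatory)][string]$Path)
    $out = & icacls $Path 2>&1 | Out-String
    if ($out -match 'Mandatory Label\\(\w+) Mandatory Level') { return $Matches[1] }
    return 'Medium (implicit)'
}

# Usage with placeholder paths (hypothetical program, not one named in the thread)
$exe  = 'C:\Program Files\SomeApp\someapp.exe'
$data = "$env:APPDATA\SomeApp", "$env:LOCALAPPDATA\SomeApp"
Set-LowIntegrity -ExePath $exe -DataFolders $data
Get-IntegrityLabel -Path $exe
Get-IntegrityLabel -Path $data[0]
# Restore-MediumIntegrity -Paths (@($exe) + $data)
```

If the program later fails to save settings or its cache, a folder it writes to is still missing from the list; Get-IntegrityLabel on that folder shows the implicit Medium label.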
     
  11. Alternatively, open those documents in Edge using Microsoft online and run them in AppContainer.

     
  12. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Interesting. Didn't know Edge has a sandbox.
     
  13. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,267
    Location:
    Southern Rocky Mountains USA
    Opera doesn't have a sandbox. The only other Chromium browser that I know of with a built in sandbox is Chromium which is almost identical to Chrome but without proprietary plugins or Google specific code.
     
  14. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    UAC is not meant to be similar to a HIPS or whitelist solution. It's not whether you trust an app or not - it's whether you allow a program (or a user) to elevate their privileges or not. I can still trust an app but not want it to elevate its privileges if it doesn't have to. If, let's say, Word would try to elevate its privileges when I open a file, I would probably deny it as it has no business asking for those privileges. I would still "trust" Word but I wouldn't give it admin privileges.
    When it comes to installers you can disable application installation detection using gpedit:


    You will get a notification only when the installer needs it (in my experience that is the case most of the time; only a few apps will truly install inside the user profile).
     
  15. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Install Opera. What does it run as, AppContainer? Then it has a sandbox.
     
  16. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,267
    Location:
    Southern Rocky Mountains USA
    AppContainer is an external sandbox which is only in Windows 8 and later. Chrome and Chromium have an internal sandbox.
     
  17. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,267
    Location:
    Southern Rocky Mountains USA
    Ok, I spent a few hours with Windows 10 this afternoon, both the July 29th upgrade from Windows 7 and the recent 1511 upgrade. I couldn't find any easy way to tell if an app was using AppContainer, so I assume all the "Modern" apps are and that includes Edge. All regular Windows software is on its own. That is why Kees is recommending substituting the newer apps for Media Player, Outlook and Internet Explorer. The new apps will all be sandboxed in AppContainer. Edge does have a sandbox that is shared with all the "Modern" apps. Chrome and Opera can't use AppContainer, so there are only external sandboxes for them like Sandboxie.

    There are no user tweaks or adjustments I could find for AppContainer in Group Policy. In the 1511 upgrade there are quite a few new tweaks for Edge, but disabling Javascript has been taken away.
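Added example, not from the thread or its author: a per-process report of integrity level and AppContainer membership, the check MisterB says he could not find. It calls the documented token APIs (OpenProcessToken / GetTokenInformation) through P/Invoke; run it elevated so processes of other users and lower-IL processes can be opened. Assumes Windows 8.1 or Windows 10.

```powershell
$TokenNativeSource = @"
using System;
using System.Runtime.InteropServices;
public static class TokenNative {
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool GetTokenInformation(IntPtr token, int infoClass, IntPtr info, int len, out int needed);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr handle);
}
"@
if (-not ('TokenNative' -as [type])) { Add-Type -TypeDefinition $TokenNativeSource }

# Last sub-authority of the S-1-16-<rid> mandatory label SID -> level name
$IntegrityNames = @{ 0 = 'Untrusted'; 4096 = 'Low'; 8192 = 'Medium'; 8448 = 'MediumPlus'; 12288 = 'High'; 16384 = 'System' }

function Get-ProcessSandboxInfo {
    param([Parameter(Mandatory)][System.Diagnostics.Process]$Process)
    $TOKEN_QUERY = 0x0008; $TokenIntegrityLevel = 25; $TokenIsAppContainer = 29
    try { $h = $Process.Handle } catch { return $null }   # protected process, other user, or already exited
    $token = [IntPtr]::Zero
    if (-not [TokenNative]::OpenProcessToken($h, $TOKEN_QUERY, [ref]$token)) { return $null }
    $buf = [Runtime.InteropServices.Marshal]::AllocHGlobal(64); $needed = 0
    try {
        # TOKEN_MANDATORY_LABEL begins with a pointer to the label SID, which lands inside our buffer
        $il = 'unknown'
        if ([TokenNative]::GetTokenInformation($token, $TokenIntegrityLevel, $buf, 64, [ref]$needed)) {
            $sidPtr = [Runtime.InteropServices.Marshal]::ReadIntPtr($buf)
            $sid = New-Object Security.Principal.SecurityIdentifier -ArgumentList $sidPtr
            $rid = [int]($sid.Value.Split('-')[-1])
            $il = if ($IntegrityNames.ContainsKey($rid)) { $IntegrityNames[$rid] } else { "rid $rid" }
        }
        # TokenIsAppContainer yields a DWORD; nonzero means the process runs inside an AppContainer
        $ac = $false
        if ([TokenNative]::GetTokenInformation($token, $TokenIsAppContainer, $buf, 4, [ref]$needed)) {
            $ac = [Runtime.InteropServices.Marshal]::ReadInt32($buf) -ne 0
        }
        [pscustomobject]@{ Name = $Process.ProcessName; Id = $Process.Id; IntegrityLevel = $il; AppContainer = $ac }
    } finally {
        [Runtime.InteropServices.Marshal]::FreeHGlobal($buf)
        [TokenNative]::CloseHandle($token) | Out-Null
    }
}

# The browsers and Modern apps discussed in the thread; AppContainer processes also report Low IL,
# while Chrome's sandboxed renderers show Untrusted and its broker Medium.
Get-Process -Name chrome, MicrosoftEdge, MicrosoftEdgeCP, firefox, opera, iexplore -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ProcessSandboxInfo -Process $_ } | Where-Object { $_ } | Format-Table -AutoSize
```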
     
  18. Good news now you can set it manually :D https://connect.microsoft.com/IE/Feedback/Details/2032022

    Disable javascript registry tweak
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Internet Settings\Zones\3]
    "1400"=dword:00000001

    ------

    Enable javascript registry tweak
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Internet Settings\Zones\3]
    "1400"=dword:00000000
     
  19. harsha_mic

    harsha_mic Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    815
    Location:
    India
    Thanks for the tip!!

    Though I use Edge for PDFs currently, I am currently not comfortable with Chrome being the primary browser.

    For now I am using Firefox + uBlock Origin (deny 3rd-party script/iframe, and popup blocking), which should reduce the attack code a lot (unless the attack code is 1st party).
    Also, I will see if I can run Firefox in low integrity mode. I have to research it. So this step should at least bump a little more security into the mix. Let's see!

    Maybe once Edge has extension support and if it has uBlock I might shift. Also a nice read about Edge, especially the browser security comparison tables..
     
    Last edited: Dec 15, 2015
  20. You are pulling my leg, aren't you. :eek: Changing Chrome for Firefox means dumping the low-rights sandbox also. I would not advise using Firefox unless you run it in a separate VM or sandbox (Sandboxie, Comodo, ReHips, Cybergenic Shade) to compensate for the missing sandbox in Firefox.
     
  21. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517
    Thanks for confirming this. I thought Opera indeed had a sandbox (now that they're using Chrome's engine); too bad they didn't implement Chrome's sandboxing feature then.
    I've tried Chromium but found the daily updates to be a little too much to handle. There's no "installable" version of Chromium as far as I know, thus no auto-update. Correct me if I'm wrong.
     
  22. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,267
    Location:
    Southern Rocky Mountains USA
    I'm only using Chromium in Linux and haven't been bothered by updates. Any updates would be handled by the distro's update service. In both Opera and Chrome for Windows there is a separate program that does the updates and that can be deleted to disable updates. In Chrome it is the Google Updater in its own folder. In Opera it is "opera_autoupdater.exe". In the Windows version of Chromium there has to be a similar program. The autoupdating can also be disabled in the Task scheduler and in the case of Chrome, by disabling the Google update service.
     
  23. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517
    I prefer having an auto-updater. Too cumbersome to fiddle around with zips every time there's an update available.
    Seems Chromium for Windows doesn't come with an installer or auto-updates: https://www.chromium.org/getting-involved/download-chromium , while Chrome builds do.
    Can't figure out why there's no official stable and installable Chromium for Windows.
    Digging deeper, I believe there's an updater/installer for Chromium, but afaik it's not an official site: http://chromium.woolyss.com/
     
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes this is the purpose of UAC, but like I said before, the way it's working currently is not logical, since every installer needs admin rights, so no wonder that people are trained to quickly click on "yes".

    I do want to see UAC pop ups, but only when it makes sense, see my previous posts. And no, I don't care about whether software is signed or not, I care about what actions some app wants to make.

    I'm saying that in fact it should have worked more like a HIPS, with clear alerts about why some app needs admin access, this way people would actually get a feeling for what is risky or not. And you would see a lot less UAC alerts, because most alerts are now triggered because app installers need write access to the Program Files folder, and after that the app runs perfectly fine with medium rights, where's the logic in that?
     
  25. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,267
    Location:
    Southern Rocky Mountains USA
    I get a full installer for 64 bit Windows and a full zip file for 32 bit Windows from the Chromium downloads page plus portable versions. Much better than Chrome which defaults to a stub installer and makes you go through hoops to get the full installer.

    The zip file is my preferred way to do it. I like software that can be freely cloned from computer to computer without an installer. That is what I do with Opera and Chrome after doing an initial install in a VM session. Autoupdating conflicts with my basic approach to security, which is to lock down the system and software and only update and install software when logged on to an administrative session for that purpose. The autoupdates can only download in my Windows systems, but they don't have permission to execute or install, so the browser just gets locked in a download loop and keeps giving an error message and restarts the download after the install fails.
     