UAC plays defense against Malware

Discussion in 'other security issues & news' started by funkydude, Aug 3, 2011.

Thread Status:
Not open for further replies.
  1. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,855
    https://blogs.technet.com/b/mmpc/archive/2011/08/03/uac-plays-defense-against-malware.aspx
     
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    FINALLY

    The reduction of UAC is so absolutely ridiculous in Windows 7 anyway.
     
  3. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    That should give more users reason to use MSE as well (unless they already have HIPS or such in place).
     
  4. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    A side effect of this is that UAC being disabled on a computer, assuming those who use the computer didn't turn UAC off, is a sign that malware is (or was) possibly present on the computer.
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    True.

    And now that MSE is really just Defender in 8 we can expect UAC to be monitored by default with no 3rd party software necessary.
     
  6. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,248
    Location:
    Chaotic Land
    MSE is not 3rd party software, just not built-in.
     
  7. wat0114

    wat0114 Guest

    Hmmm, maybe time to consider disabling the service and applying the DNS firewall rule to all web-facing apps instead.

     
  8. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I've turned off UAC without a UAC prompt in a virtual machine that had UAC at its default level (not max) by using the software referenced in this post. The latest MSE didn't block this.
     
  9. wat0114

    wat0114 Guest

    Is there some special way to install this? I find the "Simple" readme.txt instructions incredibly difficult to understand :(
     
  10. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    You can use the included bypassuac.exe from a command prompt. You don't need to install anything nor use those directions. Note that you need to have UAC set below max level for this to work.

    Feed the command from Enable or Disable UAC From the Windows 7 / Vista Command Line into bypassuac.exe to disable UAC (set below max level) without a UAC prompt.
     
    Last edited: Sep 22, 2011
  11. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I was going to edit my post after I made it but I didn't think it was necessary.

    It's not built in, which is the point. It's just as foreign as any other software.
     
  12. wat0114

    wat0114 Guest

    Thank you Mrbrian! I'll try that later today.
     
  13. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,248
    Location:
    Chaotic Land
    Guess that equals a big fail for MSE..
     
  14. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    All anything has to do is inject into explorer.exe (or any other whitelisted application) and then have explorer.exe elevate automatically. I don't see what MSE can do to block this.
     
  15. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,855
    Is it? None of us know how it works.

    If I were to guess, this alone won't trigger any detection whatsoever; it wouldn't make sense. It will only contribute heuristic points, and more points would be required to flag a detection. For example, malicious activity.
     
  16. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,248
    Location:
    Chaotic Land
    Thank you for the information MrBrian. I will give it a try in VM.
     
  17. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    This is what I would assume as well. When the heuristics look at a file and ALL it does is bypass UAC, it might not flag it. If it bypasses UAC and then tries to install silently and blahblah blah, yeah, it'll probably flag it.
     
  18. Night_Raven

    Night_Raven Registered Member

    Joined:
    Apr 2, 2006
    Posts:
    388
    You sure? When run as a standalone tool, I get this:
     
  19. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    It worked fine for me in a Windows 7 x64 virtual machine. I'm not sure why that's happening. Perhaps security software is interfering?

    @1chaoticadult and wat0114: You're welcome :). Did either of you encounter any problems (if you tried it)?
     
    Last edited: Sep 23, 2011
  20. wat0114

    wat0114 Guest

    Hi MrBrian,

    It's not working for me. The command seems to initiate and do "something" but UAC remains alive and well, even at below maximum setting. I'm probably doing something stupid, missing the boat completely perhaps o_O Can you please spell out the command for me on this one? :oops:
     
  21. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,248
    Location:
    Chaotic Land
    I also need the command spelled out. I don't think I'm doing something wrong either. Ugh...
     
  22. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    In a command prompt, enter bypassuac /c "%windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"

    Note: Edited because first attempts were wrong.
     
    Last edited: Sep 23, 2011
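The command above writes EnableLUA=0 under HKLM\...\Policies\System, which is the same value MrBrian's earlier post suggests auditing (UAC off although nobody turned it off), and it only works while UAC sits below the maximum level, where Windows auto-elevates signed binaries such as explorer.exe as Hungry Man describes. The script below is an added example, not code from the thread, from the bypassuac tool or from Microsoft: it reads the three policy values behind the UAC slider, maps them back to the Windows 7 slider positions, reports whether auto-elevation is in play, and flags a host whose UAC state is weaker than the baseline you expect. The function names Get-UacState, Get-UacStrength and Test-UacTampered and the baseline levels are assumptions of this example; the registry value names and their slider meanings are Microsoft's. Reading HKLM needs no elevation, so this can run from a non-elevated prompt; note that a change to EnableLUA takes effect only after a reboot.

```powershell
# Added example (not from the thread, bypassuac or Microsoft): audit the UAC
# policy values that the reg.exe command in this thread modifies.
# Assumes Windows 7 or later; function names are this example's own.

$UacPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacState {
    param([string]$Key = $UacPolicyKey)

    $p = Get-ItemProperty -Path $Key -ErrorAction Stop

    # Values missing from the key fall back to the Windows defaults.
    $enableLua  = if ($null -ne $p.EnableLUA)                  { [int]$p.EnableLUA } else { 1 }
    $consent    = if ($null -ne $p.ConsentPromptBehaviorAdmin) { [int]$p.ConsentPromptBehaviorAdmin } else { 5 }
    $secureDesk = if ($null -ne $p.PromptOnSecureDesktop)      { [int]$p.PromptOnSecureDesktop } else { 1 }

    # Map the three values back to the Windows 7 slider positions.
    if ($enableLua -eq 0) { $level = 'Disabled (EnableLUA=0; takes effect after reboot)' }
    elseif ($consent -eq 2 -and $secureDesk -eq 1) { $level = 'Max: always notify' }
    elseif ($consent -eq 5 -and $secureDesk -eq 1) { $level = 'Default: notify on program changes' }
    elseif ($consent -eq 5 -and $secureDesk -eq 0) { $level = 'Default without secure desktop' }
    elseif ($consent -eq 0) { $level = 'Elevate without prompting' }
    else { $level = 'Custom' }

    # Below "always notify" Windows auto-elevates signed system binaries such as
    # explorer.exe, which is the behaviour the bypass in this thread depends on.
    [pscustomobject]@{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $consent
        PromptOnSecureDesktop      = $secureDesk
        Level                      = $level
        AutoElevateAllowed         = ($enableLua -eq 1 -and $consent -ne 2)
    }
}

function Get-UacStrength {
    # Orders the states so that a weaker configuration compares lower:
    # 0 = disabled, 1 = elevate silently, 2 = default, 3 = always notify.
    param([Parameter(Mandatory)]$State)
    if ($State.EnableLUA -eq 0)                    { return 0 }
    if ($State.ConsentPromptBehaviorAdmin -eq 0)   { return 1 }
    if ($State.ConsentPromptBehaviorAdmin -eq 2)   { return 3 }
    return 2
}

function Test-UacTampered {
    # Returns $true when the live state is weaker than the baseline you expect
    # on this host. Hypothetical baseline: the Windows 7 default level.
    param(
        [ValidateSet('Default', 'Max')][string]$ExpectedLevel = 'Default',
        [string]$Key = $UacPolicyKey
    )
    $expected = if ($ExpectedLevel -eq 'Max') { 3 } else { 2 }
    $state    = Get-UacState -Key $Key
    $weaker   = (Get-UacStrength -State $state) -lt $expected
    if ($weaker) {
        $msg = 'UAC is weaker than the expected baseline ({0}). If nobody changed it, ' +
               'treat this host as possibly compromised.' -f $state.Level
        Write-Warning $msg
    }
    return $weaker
}

# Usage: print the current state, then check it against the default baseline.
Get-UacState | Format-List
Test-UacTampered -ExpectedLevel 'Default'
```

The check only tells you that the policy is weaker than your baseline, not who weakened it; pair it with your own record of intended UAC settings, and remember that an EnableLUA=0 written by the command above is already a finding before the reboot that makes it effective.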
  23. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,248
    Location:
    Chaotic Land
    I've tried that; I'm getting "incorrect input".

    Edit: Operation Successful. Checking to see if UAC is disabled. Got it MrBrian, thanks.
     
    Last edited: Sep 23, 2011
  24. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Did it work for you? I just tested it here in a virtual machine, and it works.
     
  25. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,248
    Location:
    Chaotic Land
    Yep I got it to work in my VM.
     