UAC, SmartScreen & False Positives

Discussion in 'polls' started by VoodooShield, Jan 14, 2017.


When UAC or SmartScreen blocks an item, should that be considered a false positive?

  1. No

    37 vote(s)
    88.1%
  2. Yes

    5 vote(s)
    11.9%
Thread Status:
Not open for further replies.
  1. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Thank you ;). So then what is the purpose of blocking unwanted elevation? Blocking unwanted elevation is what UAC does, but what is its purpose?
     
  2. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,297
    I voted right: in the majority....;) I don't worry about UAC. I just run as admin, because it suits.
     
  3. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hey Kees,

    Progress is never made by accepting the status quo, especially when the current technology does not have a purpose.

    Yeah, that is pretty much the idea of AutoPilot.... "RUN BY SMARTSCREEN" looks pretty cool btw!

    I am just saying that if an Application Whitelisting solution implements file insight and measures to auto allow the obviously good files, somehow when a file is not auto allowed, it is then considered to be a false positive. But yet when an Application Whitelisting solution blocks ALL files either way, then it is not considered a false positive.
     
  4. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I see, thank you. But how does the end user benefit from privilege escalation, when UAC is not designed to block malware? To me, that is the very definition of a paper tiger.
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    If you're running as a limited admin and get a UAC alert, the process is asking for full admin privileges to run. Normal application software doesn't request or require full admin privileges. The alert is a clear tip-off that something abnormal is occurring.
     
  7. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, I totally get that... but A LOT of software requires full admin privileges, which is not an indicator of malware (or clear tip-off that something abnormal is occurring).
     
  8. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
    I don't know, Dan, as I don't use either. But IMO yes, it could be a FP if you get a reaction from UAC and/or SmartScreen; I would have to see the detection to really know, so I voted Yes.
     
    Last edited: Jan 17, 2017
  9. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    How funny, I actually voted No ;).

    Ideally, this is how I believe this all should work.

    Since elevation of privileges is not an indicator of maliciousness, UAC should block all new files, whether they require elevation or not. Basically, replace the ancient Unix throwback elevation of privileges technology with a modern technology like Application Whitelisting, and also include some file insight so the user can make an informed decision. A graph that displays the potential maliciousness of the file would be ideal.

    SmartScreen is great the way it is, but it is in need of file insight as well. Basically, if a file is known to be safe, then auto allow it, otherwise prompt the user, and let them know the potential maliciousness of the file. SmartScreen could use a lot more indicators of maliciousness, but for now it is fine the way it is.

    To me, none of these blocks I mentioned above should be considered a false positive, especially if the user is provided with file insight, so they can decide whether it is worth the risk or not to run the file.

    Then for files that are already on the machine… if the security software determines one of these files to be malicious, when in fact it is not, then that should be considered to be a false positive. And it is the only thing that should ever be considered to be a false positive.

    Just my 2 cents ;).
     
  10. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
    The only false positives from Smart Screen I've had were ironically from earlier versions of VoodooShield. :D
     
  11. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
    That is the whole point: yes, we are Security Gurus, but how about your Mom or my Mom?
     
  12. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hehehe, how funny... thankfully we do not have that issue anymore (for a lot of reasons ;)).

    BTW, I just installed Run By SmartScreen... it is cool! Since the file is not signed and since it was written in AutoIt, I kinda figured that VoodooAi would tell me it was suspicious, but it scored a surprisingly low 0.2763. It did have one blacklist FP though ;).
     
  13. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    That is why UAC and SmartScreen need a graph with an indicator that ranges from Safe to Unsafe. Or maybe for my Mom, it should be Good or Bad ;). Just kidding, she is actually pretty good with a computer.
     
  14. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
    Well, it was a general meaning; there are a lot out there that have a hard time just turning on a PC. But I still say Yes to FPs from either of them.
     
  15. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, I have helped tons of extreme novices over the years. It is quite funny when helping them on the phone, and they cannot find the "Any" key ;).

    Yeah, the definition of FP is totally subjective... but I just wanted to get everyone's opinion, so that I could see all sides of the "debate".
     
  16. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Go here to test SmartScreen functionality: http://demo.smartscreen.msft.net/ . Can't vouch for what is displayed in Chrome and Firefox, but for Edge and IE11, the alerts displayed are pretty hard to misinterpret; even for grandma...
     
  17. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
    Interestingly, when I clicked the Blocked Download link, Edge asked if I wanted to save the file, but Norton removed it before I made a selection, so although I didn't start the download it looks like Edge failed that test. Maybe I'm missing something?
     
  18. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hmmm, the alerts I am used to seeing look more like this: http://cloud.addictivetips.com/wp-content/uploads/2012/03/SmartScreen-Filter.png

    Maybe this alert is shown when the file is blocked?

    And maybe the alerts you posted are shown when a malicious link is detected?

    Does anyone know for sure?
     
  19. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,297
    I went to that link: it lets me download, but when I tried to run it, then I got the warning, but not before.

    [Attachment: Smartscreen_blocking demo_01.JPG]
     
  20. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,297
    So, I scanned that same file in the download location, and Panda said it was safe. ....Fail.

    [Attachment: Smartscreen_blocking demo_02.JPG]
     
  21. guest

    guest Guest

    OK, let me explain in a simple way:

    UAC blocks (or will try to block) any Elevation Request (I will use ER). Why?

    1- Because ERs are requested by programs to modify the system.
    2- Malware always tries to modify the system.

    As I put in bold, modify is the keyword: UAC prevents modification of the system. Now, real-world examples of what I said above:

    1- You download an app (let's say a video player); it asks to modify the system, UAC pops up. Should a video player modify the system? For me, hell no! I would deny elevation and look for an alternative; however, if you are OK with it then you can allow the ER.

    2- You download an HD wallpaper, and when you install it, UAC pops up! What the...!!! At this point, if you are not dumb, you will think something is wrong! And you are right: maybe the wallpaper is a wrapped malware.

    As you see in those examples, 1 & 2 are ERs, but 1 is not a malware attack, still it is unwanted and really unneeded. UAC served its sole purpose: deny elevation and prevent system modification.

    As I said in the example above, my system is set the way I want; I don't like any apps modifying it without my authorization. And as you pointed out, "A LOT of software requires full admin privileges"; yes, there is a lot, because some devs code their apps in a way that needs higher privileges to function even if this is not needed.

    That is normal: SmartScreen, UAC and Win Defender act locally. You still have the right to download what you want (fortunately), but once it is on the system, SS, WD and UAC will do their job as they are designed to do.
    In your case, you are executing the exe; SS checks against its database (which catalogs only safe executables), doesn't recognize it as safe (which doesn't mean it is malware, just not recognized), so it warns you about it.

    Panda doesn't say it is safe, it says it is not a threat; that is the difference. This is not a failure from SS.
     
    Last edited by a moderator: Jan 17, 2017
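The post above describes the three signals behind these prompts: UAC reacts to an elevation request, SmartScreen reacts to an unsigned or unrecognized file that arrived from the Internet, and the AV verdict is a separate question. The script below is an added example (not from the thread or from any product mentioned in it) that reads those signals directly from a downloaded file so a user can see what the prompt is reacting to before answering it. It uses only built-in cmdlets (Get-Content -Stream, Get-AuthenticodeSignature); the manifest check is a heuristic text search over the raw bytes rather than a full PE parser, and the sample path reuses the freevideo.exe name from the thread as an assumed location.

```powershell
function Get-ElevationTriage {
    <#
      Added example, not from the thread. Reports, for one executable:
        - the Mark-of-the-Web zone the browser attached (what SmartScreen keys on),
        - the Authenticode signature status ("unknown publisher" means NotSigned),
        - the execution level the PE manifest requests (what triggers UAC).
    #>
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path
    )

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop

    # 1. Mark-of-the-Web: browsers write a Zone.Identifier alternate data stream.
    #    ZoneId 3 = Internet, 4 = Restricted. Local files normally have none.
    $zone = $null
    try {
        $ads = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction Stop
        foreach ($line in $ads) {
            if ($line -match '^ZoneId=(\d+)') { $zone = [int]$Matches[1]; break }
        }
    } catch {
        # No stream: the file was not downloaded by a MotW-aware browser or was unblocked.
    }

    # 2. Authenticode: Valid = chains to a trusted root; NotSigned = no signature at all.
    $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName

    # 3. Requested execution level. Heuristic (assumption): the application manifest
    #    is stored as plain UTF-8/ASCII XML in the RT_MANIFEST resource, so a text
    #    search over the file bytes finds it without parsing the PE resource tree.
    $raw   = [System.IO.File]::ReadAllBytes($file.FullName)
    $text  = [System.Text.Encoding]::ASCII.GetString($raw)
    $level = 'none found (Windows may still apply installer-detection heuristics)'
    if ($text -match 'requestedExecutionLevel\s+level\s*=\s*"([^"]+)"') {
        $level = $Matches[1]   # asInvoker | highestAvailable | requireAdministrator
    }

    [pscustomobject]@{
        File          = $file.Name
        ZoneId        = if ($null -eq $zone) { 'none (treated as local)' } else { $zone }
        Signature     = $sig.Status
        Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'unsigned' }
        ManifestLevel = $level
    }
}

# Usage: the file name is the one from the thread; the Downloads location is assumed.
Get-ElevationTriage -Path (Join-Path $env:USERPROFILE 'Downloads\freevideo.exe')
```

Reading the output against the discussion: ZoneId 3 plus Signature NotSigned is exactly the combination that produces the SmartScreen "unrecognized app" warning, and ManifestLevel requireAdministrator is why UAC will prompt regardless of whether the file is malicious. None of these fields is a malware verdict; that remains the AV's job, which is the distinction the post draws between "not a threat" and "safe".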
  22. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,297
    guest,

    Thanks, for the explanation. I tried the same file with a scan by WSA, and it didn't detect a threat, either :

    "Some legitimate files are not included in this log
    [G] c:\users\owner\downloads\freevideo.exe [MD5: D835CBB9163A63FF26514028D28FBA00] [Flags: 00000000.6801]"
     
  23. guest

    guest Guest

    Normally Win Defender would have detected the threat even before UAC popped up. Don't forget that UAC is part of the Windows built-in security and shouldn't be tested alone.

    it does in a certain way: except the last part.

    Disconnect from the internet, download an unsigned exe (I remember doing it with the Realtek audio driver), run it: SS warns.
    Connect to the internet, re-run the exe: SS is quiet (because this time it checked its database and sees the file as safe).

    We all want UAC , SS to detect malicious exe , but then what about Win Defender ? seems you forgot it is there to do exactly what you wanted ;)

    Now you can complain WinDef is not that potent , well you may be right but it has room for improvement.
     
  24. guest

    guest Guest

    Yes, if it is not a threat then all is fine for the AVs; that doesn't mean the file is not junkware (meaning a useless program, good for nothing, but still not a threat).
     
  25. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,297
    OK...:thumb: I just need an "all you can eat" junk detector, since my computer system has had its fill of junk over many years of browsing and trying out various software. ;):argh:
     