UAC, SmartScreen & False Positives

Discussion in 'polls' started by VoodooShield, Jan 14, 2017.

When UAC or SmartScreen blocks an item, should that be considered a false positive?

  1. No

    37 vote(s)
    88.1%
  2. Yes

    5 vote(s)
    11.9%
Thread Status:
Not open for further replies.
  1. guest

    guest Guest

    @Tarnak this would be the best app ever, but i don't see it coming soon :p
     
  2. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,295
    We can wish. ;)
     
  3. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Sorry for the confusion... that was not an executable file, it was just a picture of a SmartScreen alert ;).
     
  4. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,295
    Dan, I know....I was just trying to answer your query. Cheers. ;)
     
  5. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Cool, thank you, that helps!

    Here are the first 30 malware samples from VoodooAi's training data set, 7 of them are set to "asInvoker", so they will not trigger a UAC prompt.

    http://www.voodooshield.com/artwork/el.PNG

    I can certainly see some utility in alerting the user before a system change is made, but to me, if 25% or so of all malware does not trigger a UAC prompt, there is probably a better way, right?
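
Added example, not part of the original post: a defender-side triage sketch that reads the `requestedExecutionLevel` from an executable's embedded application manifest, the setting the post refers to as "asInvoker". The byte-scan approach, the function names and the sample data are assumptions constructed for illustration; packed or manifest-less files return `None`.

```python
import re
import xml.etree.ElementTree as ET

# The manifest sits in the RT_MANIFEST resource as plain XML, so a byte scan
# finds it in an unpacked file. Matching from <assembly> skips any DOCTYPE.
ASSEMBLY_RE = re.compile(rb"<(?:\w+:)?assembly\b.*?</(?:\w+:)?assembly\s*>", re.DOTALL)

LAUNCH_BEHAVIOUR = {
    "asInvoker": "runs with the caller's token, no UAC prompt at launch",
    "highestAvailable": "prompts only when the user is an administrator",
    "requireAdministrator": "UAC prompt at every launch",
    None: "no level declared (legacy behaviour, installer detection may apply)",
}

def requested_execution_level(image: bytes):
    """Return the manifest's requestedExecutionLevel 'level', or None."""
    for match in ASSEMBLY_RE.finditer(image):
        try:
            root = ET.fromstring(match.group(0))
        except ET.ParseError:
            continue  # truncated or non-XML bytes that only looked like a manifest
        for element in root.iter():
            if element.tag.rsplit("}", 1)[-1] == "requestedExecutionLevel":
                return element.get("level")
    return None

def triage(samples: dict):
    """Map each sample name to its level and list those that never prompt at launch."""
    levels = {name: requested_execution_level(data) for name, data in samples.items()}
    silent = sorted(n for n, lvl in levels.items() if lvl == "asInvoker")
    return levels, silent

def _fake_pe(level):
    # Constructed stand-in for an executable: MZ stub, padding, embedded manifest.
    manifest = b"" if level is None else (
        b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        b'<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">'
        b'<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges>'
        b'<requestedExecutionLevel level="' + level.encode() + b'" uiAccess="false"/>'
        b'</requestedPrivileges></security></trustInfo></assembly>')
    return b"MZ\x90\x00" + b"\x00" * 64 + manifest + b"\x00" * 16

SAMPLES = {  # constructed sample names, not files from the thread
    "sample_a.exe": _fake_pe("asInvoker"),
    "sample_b.exe": _fake_pe("requireAdministrator"),
    "sample_c.exe": _fake_pe(None),
}

if __name__ == "__main__":
    levels, silent = triage(SAMPLES)
    for name, level in levels.items():
        print(f"{name}: {level} -> {LAUNCH_BEHAVIOUR.get(level, 'unrecognised level')}")
    print("no prompt at launch:", silent)
```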
     
  6. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    We should see if Pete can test his samples with only the built in Windows security features. How do you suppose it will do? ;)
     
  7. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, sorry, I realized that later on ;).
     
  8. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,295
  9. guest

    guest Guest

    Do Windows Defender and SmartScreen ignore them? Why do people think UAC is the only feature of Windows... UAC is part of the security ecosystem of Windows. If you think UAC is supposed to work alone, you are wrong.

    Yes, you can have plenty of tools, WinPatrol, VS, etc. The point is those tools aren't built into Windows or well-known; MS doesn't care about security-paranoid geeks like us, they just care about Average Joe.
    They made features to help them be safer without much difficulty. If MS implements the changes you wanted, what will happen? Security vendors will crybaby like they did when MS decided to build in Win Defender. I wish MS would do what you wanted, and it seems to be coming step by step:

    - Edge virtualization, Win Def with anti-exe capabilities, etc... but we won't see them on home versions yet.

    i would hope he will use all of Win10 security-features, means:

    SUA, UAC , Smartscreen, Windows Defender.

    of course nothing is 100% unbypassable but i think he will be quite well protected if he doesn't click yes to any of the prompts :D
     
  10. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    True, but out of all of the thousands of computers I have worked on throughout the years...

    Running SUA: 0%
    UAC enabled: roughly 25-40% (from what I remember, 91% of all users disable UAC)
    SmartScreen: Almost 100%
    Windows Defender: Almost 100%

    SUA is secure, but it is simply unusable for most users.
    UAC is OK (and it has improved dramatically since Vista), but it is still annoying and users almost always click Yes without even thinking about it, partially because it does not offer file insight.

    And when you remove one or two of these features from the ecosystem, the entire thing breaks down.

    So in a real world scenario, I suppose the test results would look something like this: https://avlab.pl/sites/default/files/68files/ENG_2016_ransomware.pdf

    I guess I am never meant to understand the purpose of UAC. I should have just listened to my second grade teacher when she told me “Dan, yours is not to reason why, yours is just to do and die ;)” Just kidding.
     
  11. guest

    guest Guest

    1- it is MS fault to let people create default account as admin account but if they force SUA , people will get mad...
    2- this is user fault.

    People are faulty, not UAC; it is the user's carelessness and haste that doom them. I am on SUA with UAC at max, asking for a password (PIN in my case) even in my admin account. I have to answer the prompt only when I make changes to my system settings or do maintenance tasks, not in my daily use or browsing; so basically I never have a UAC prompt when surfing, watching videos, or working.
    I have no idea what people do on their systems to get dozens of prompts per day... :rolleyes:

    obviously, but why you want remove any of them ?! do you remove your bladder because it is annoying to go pee? :D

    did you see this point ! how can you assess win10 security by allowing this:

    "Operation Algorithm (page 5)
    2. If necessary, we granted a permission to run malware with administrator privileges."

    LOoooooooooooooooooooooooooooooooool, facepalm ; all test labs and youtube testers disable several of windows security features, if not they can't run their test at all !


    Since i know you, you always considered UAC as a full standalone security feature which it never was and never made for. so i know why u made VS in the first place and why we clashed when VS v1 automatically disabled UAC ;)

    In some way, it was good you didn't understand its purpose, if you did we won't have VS :D
     
    Last edited by a moderator: Jan 18, 2017
  12. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Keep in mind, SUA, UAC, SS and WD were not all developed and released at the same time ;). So it was not like they were all designed together as a unified ecosystem.

    I was extremely happy when I first learned of UAC before Vista was released, but once I had the pleasure to experience UAC, I was highly disappointed. For the most part I agree with what you are saying, but I have to disagree with blaming the end user for UAC not being designed so that it is user-friendly enough for novice and average computer users to use properly. I really do not believe it is the users' fault... they are just using what is provided to them. And if a significant number of users are incapable of properly using a feature, then the feature needs to be redesigned.

    You are absolutely correct that VS was designed to be an enhanced version of UAC, and VoodooAi was designed to be an enhanced, system-wide version of SmartScreen. In all fairness, doesn't VS work just as well with SUA, SS and WD as UAC does? Same with VoodooAi and SS?

    I think this is a good example of what Kees was saying when he said "Let's use the first principle in RUP/XtremePrograming/Agile development: BE HUMBLE, use what is already there". I am simply working with what I have been given to work with ;). I am still not sure what Kees meant by the BE HUMBLE part, I have only experienced pride once in my life... and that was when Molly shared her food with another dog. For the record, Molly is a Yellow Lab, not a Golden Retriever ;).

    BTW, do any of your favorite security apps (possibly listed in your signature) disable any of the vital features of the MS security ecosystem? ;) A simple yes or no is more than sufficient, my intention is to not start a war ;).

    I think MS has done an amazing job with hardening Windows and creating a relatively secure OS. But I also think it should be locked when it is at risk ;).
     
    Last edited: Jan 18, 2017
  13. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
    Nope, not mine.
     
  14. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    But I thought VoodooShield disables UAC? ;).
     
  15. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
    Hehehe Dan you crack me up!
     
  16. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hehehe, sorry, had to do it (as much grief as I have taken for 5 years on VS and UAC ;)).
     
  17. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,295
  18. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hmmm, interesting. I noticed that the article you posted mentioned malware... "User Account Control (UAC) helps prevent malware from damaging a computer and helps organizations deploy a better-managed desktop environment."

    So after a quick google search, I found the original Microsoft user guide for UAC. And it does mention malware, five times.

    https://msdn.microsoft.com/en-us/library/cc505883.aspx
     
  19. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,295
    Having a little trouble accessing that link, for the moment. Will try it in the Surface Book, after the battery has been recharged. ;)

    "Unable to complete secure transaction

    You tried to access the address https://msdn.microsoft.com/en-us/library/cc505883.aspx, which is currently unavailable. Please make sure that the web address (URL) is correctly spelled and punctuated, then try reloading the page.

    Secure connection: fatal error (51) from server.

    https://msdn.microsoft.com/en-us/library/cc505883.aspx

    Transmission failure.

    ..Make sure your internet connection is active and check whether other applications that rely on the same connection are working.

    ..Check that the setup of any internet security software is correct and does not interfere with ordinary web browsing.

    ..If you are behind a firewall on a Local Area Network and think this may be causing problems, talk to your systems administrator.

    ..Try pressing the F12 key on your keyboard and disabling proxy servers, unless you know that you are required to use a proxy to connect to the internet. Reload the page.

    Need help?

    ..Open the Opera Help.

    ..Go to Opera's online support desk."
     
  20. guest

    guest Guest

    indeed they were not originally

    UAC is easy to use: yes or no? That is it. Now if the user doesn't know (or is too lazy to do some research to know) what he is executing and clicks yes, whose fault is it?
    Anyway, happy clickers will happy-click yes on everything; the guy downloading an infected crack for his most loved software will allow it whatever the security feature tells him. It is a lost war; devs can only secure willing people or those who care about their system.

    You are absolutely correct that VS was designed to be an enhanced version of UAC, and VoodooAi was designed to be an enhanced, system-wide version of SmartScreen. In all fairness, doesn't VS work just as well with SUA, SS and WD as UAC does? Same with VoodooAi and SS?

    VS complements them, which is a good thing, but I'm opposed to any software that tries to replace them by force.

    Nope, it is why I chose them in the first place; they add what I judge necessary to me that is lacking in Win10's security features.

    Let me demonstrate:

    - Appguard, anti-exe because im on Win10 Home and don't have Applocker, i wish i have Win10 Enterprise lol
    - ReHIPS: multi-program isolation + application/process control; lacking in Windows.
    - HMPA : i use it mostly to protect against exploits and to encrypt my keystroke.

    try to sell VS to MS :p

    (it seems they already planned to use some feature similar to VS)
     
  21. Apologies to Molly. Be humble is not addressed to you. Be humble is the leading principle of RUP/XP/Agile system development, meaning you should first try to re-use what is already available, so you can use all your time and energy to innovate. The speed of innovation increases with re-use. Re-think with re-use means be creative and think out of the box when designing functionality, but re-use (code, technology, materials) when implementing new ideas (less time and resources needed to produce means lower prices and time to market).

    When you could re-use Windows SmartScreen, you don't need to build a cloud whitelist yourself, so you can spend all your creativity and energy on building something NEW instead of REPLICATING something which already exists. I have no idea whether you could use it, but it is worth looking at.
     
    Last edited by a moderator: Jan 18, 2017
  22. Any links? besides general intention to use AI/ML (link)
     
  23. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    At work, when trying to connect to customers' computers, users have to launch remote access software which requires admin privileges. In the past few months I noticed that more and more customers deny the UAC prompt when first encountered. Only after the support guy says it's OK do they allow it. I guess people do slowly learn not to allow what they don't understand. Though I don't know how these same users behave on their home computers.
     
  24. guest

    guest Guest

    @Windows_Security i don't have them in mind, it was an article about the future of WD implementing basic anti-exe capabilities. im sure it is somewhere here on WD thread.
     
  25. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    I'm also on the side that UAC isn't primarily a malware blocker. It blocks and asks for elevation for any program, malicious or not. So, when a malware is blocked from doing things that require admin rights, it is merely a consequence of UAC's purpose. Malware protection is just secondary to the primary purpose of UAC, that is, to block elevation by default.
     