UAC, SmartScreen & False Positives

Discussion in 'polls' started by VoodooShield, Jan 14, 2017.


When UAC or SmartScreen blocks an item, should that be considered a false positive?

  1. No

    37 vote(s)
    88.1%
  2. Yes

    5 vote(s)
    11.9%
Thread Status:
Not open for further replies.
  1. guest

    guest Guest

    Exactly.
     
  2. guest

    guest Guest

    If the user executes a file with "run as administrator", or if a file "needs" more rights, or if the file has an embedded manifest "<requestedExecutionLevel level="requireAdministrator"></requestedExecutionLevel>",
    the UAC dialog is displayed to "alert" the user that a file wants more rights.
    Now the user can put in his credentials / click on Yes, and the job of UAC is done.

    After clicking on pictures or clicking on email attachments, the UAC dialog isn't really expected, and the user should be aware of this.
    Or if a signed file was modified, the user can see a "yellow" UAC dialog. The user should be aware of this too.
    (Some time ago the installer from "Classic Shell" was replaced with a malicious one, which means the user could see a yellow UAC dialog.
    But some users didn't care and allowed it to execute (the malware killed the MBR)... more info:
    #5)

    But if the user always enters credentials for every UAC dialog, without thinking, fine. The UAC dialog doesn't "prevent" it; its job is to show an "alert/prompt".
     
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Glad you brought this up. I became quite proficient with SmartScreen after I found some very nasty targeted resident ransomware that was doing a bypass on the SmartScreen add-on used by Outlook.

    The alert you received is generated from the resident version of SmartScreen that is always running in Win 10. All this does is scan downloads and in my opinion is marginally effective.

    The MS web link I posted is for testing the additional browser protections added when using SmartScreen. This is where SmartScreen is most effective. Also my testing has shown that the alerts displayed for anything downloaded from the browser are much more descriptive and in my opinion, effective. Browser based SmartScreen uses an additional rep database that is updated at the minimum every hour. This file is injected into both Edge and IE11 at browser startup.

    -EDIT- Also these new advanced SmartScreen protections are available for both Chrome and Firefox. I don't know exactly how they are implemented in each since I don't use either of them.
     
    Last edited: Jan 18, 2017
  4. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Don't worry, I did not tell her ;). I see what you mean now, thank you!
     
  5. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    This reminds me of something, and actually I just got off of the phone with a client in a similar situation.

    Anyway, there is A LOT of medical software that does not work with UAC, and I have been on the phone with several of these medical software developers, and the first thing they ask me to do is to disable UAC. It is ironic because out of all of the computers that contain your personal information (and therefore should be protected), medical offices are at the top of the list.
     
  6. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I totally understand… but if UAC is as intrusive to the user as it is, shouldn’t one of its purposes be to focus on malware as well?
     
  7. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Thank you mood... BTW, do you know what happens when the manifest is missing? I am assuming that UAC will throw a prompt. I only ask because a lot of malware removes the manifest on purpose. When I get a chance, I will test to see.

    http://www.voodooshield.com/artwork/el.PNG
     
  8. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    That's great to know, thank you itman!
     
  9. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
    So I'm still the only Yes to the Poll Question. :D Maybe not everyone is voting?
     
  10. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,885
    Location:
    Slovenia, EU
    To a regular user it could be intrusive; for me it's not. I know when I'm going to see a UAC prompt, because I know when I'm doing admin stuff. Not getting one would feel strange to me.
    For me UAC is like a confirmation request to the user: "Are you sure that you want to do this? This is going to affect your system!"
    Windows without UAC would be more user-friendly. But it would also allow users to bork their system without a beep. There would be no security question when a user tried to, let's say, delete system files or do other harmful actions (OK, I'm simplifying, but you probably know what I mean).
     
  11. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I am going to change my vote to Yes right now.. just for you TH ;).
     
  12. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah... I completely agree. But I also think that if more info / file insight was provided to the user, then novices and average users would be more likely to not just automatically click Yes. Basically, there is not much to read on the prompt, so they automatically click Yes.

    I also think that ALL NEW files should display a prompt... not just files that require elevation. To me, elevation is an arbitrary aspect of a file that does not determine maliciousness.
     
  13. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,885
    Location:
    Slovenia, EU
    Yes I know, the info on the UAC prompt doesn't tell much. Users have to connect the UAC prompt with the actions they were just performing and from that conclude what the prompt is about.
    All new files displaying a prompt would be too much. At each update or program install it could trigger thousands of prompts, and this wouldn't be useful at all.
    Personally I like how UAC is now designed (and how it can be configured), but I also don't expect it to be an anti-malware solution. It only protects the system from apps running in user space (with other security measures - ACLs, IL...).
     
  14. Instead of disabling UAC, it is also possible to set it to ELEVATE SILENTLY (in red) and to ONLY ELEVATE SIGNED executables (in blue)

    upload_2017-1-19_8-46-1.png

    It is always better to decide for yourself, but when people just click OK, because Vista taught them this bad habit, it is a pragmatic way of both lowering protection (silent elevation) and increasing protection (allow only signed).

    Only four to five percent of malware is signed. So although it is a compromise with a hole in it, in combination with an AntiVirus it works well for users with low security awareness, since 99% of valid software is signed.

    I have had it on my wife's laptop since 2010 without problems (well, once Microsoft released an update which trashed their own signature recognition, but this was a problem for everyone).
     
    Last edited by a moderator: Jan 19, 2017
  15. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    Are these settings in GPE or Regedit?
     
  16. guest

    guest Guest

    If the application has a "require-Administrator" manifest then the UAC prompt should always appear. If you now remove the manifest then I guess the UAC prompt doesn't appear.
    Only if the user requested admin rights with "run as administrator" or it "needs" admin rights (for example for installing a driver, copying a file to c:\windows\system32, ...)
    I think you have to try it out.
    Compile an application with such a manifest and then compile it again but without the manifest, then you'll see.
    I have had this setting enabled for a long time too. It's a good countermeasure, because signed malware is not very common (I hope so :doubt:)
    You can change the setting with GPE, Regedit or Local Security Policy Editor (secpol.msc)
    For example with secpol.msc: navigate to Security Settings - Local Policies - Security Options ... now you can see the options mentioned in #89
    But you can reach it with the Group Policy Editor too.

    If you want to change it with the Registry Editor:
     
    Last edited by a moderator: Jan 20, 2017
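    Added example (the editor's, not code posted by anyone in the thread): the secpol.msc / gpedit.msc options discussed in #14 and #16 are backed by DWORD values under one registry key, so they can be read, interpreted and set from PowerShell. The key and value names are Microsoft's documented ones; the function names are my own, and the Set-* functions assume an elevated shell.

```powershell
# Added example, not from the thread. Reads and interprets the UAC policy values behind
# the Local Security Policy options, and applies the two settings discussed above.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# "User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode"
$AdminPromptMeaning = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries (default)'
}

function Get-UacPolicy {
    $p = Get-ItemProperty -Path $UacKey
    $admin = $p.ConsentPromptBehaviorAdmin
    $meaning = if ($null -eq $admin) { '(not set)' } else { $AdminPromptMeaning[[int]$admin] }
    [pscustomobject]@{
        EnableLUA                   = $p.EnableLUA                   # 1 = UAC on, 0 = off (reboot to apply)
        ConsentPromptBehaviorAdmin  = $admin
        AdminPromptMeaning          = $meaning
        # "User Account Control: Only elevate executables that are signed and validated"
        # absent or 0 = disabled, 1 = enabled (signature must chain to a trusted root)
        ValidateAdminCodeSignatures = $p.ValidateAdminCodeSignatures
        PromptOnSecureDesktop       = $p.PromptOnSecureDesktop       # 1 = dim the screen while prompting
    }
}

function Set-UacSilentSignedOnly {
    # The compromise from #14: administrators are never prompted, but unsigned (or
    # invalidly signed) executables are refused elevation outright.
    Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorAdmin  -Value 0 -Type DWord
    Set-ItemProperty -Path $UacKey -Name ValidateAdminCodeSignatures -Value 1 -Type DWord
}

function Set-UacAlwaysNotify {
    # The slider's top position ("Always notify"): consent prompt on the secure desktop
    # for every elevation, including Windows' own binaries.
    Set-ItemProperty -Path $UacKey -Name EnableLUA                  -Value 1 -Type DWord
    Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
    Set-ItemProperty -Path $UacKey -Name PromptOnSecureDesktop      -Value 1 -Type DWord
}

Get-UacPolicy | Format-List
```

    Run Get-UacPolicy before and after changing the slider or the secpol.msc option to see which value each UI element actually writes. ConsentPromptBehaviorAdmin and ValidateAdminCodeSignatures apply to the next elevation request; only EnableLUA needs a reboot. Note that with ValidateAdminCodeSignatures on, a signed file still elevates silently, which is exactly the hole #20 points at.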
  17. guest

    guest Guest

    It is not up to you to dismiss UAC, but up to the medical software developer to recode his software properly. I don't see why medical software needs elevation... it is not supposed to modify the system (or gain deep access).

    This is the typical example of badly programmed software i mentioned earlier.
     
  18. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    This is the same registry tweak that i already have...tnx...i was thinking that this is something different...

    Clipboard01.jpg
     
  19. Cool, there are at least 3 members using this nice trick to harden Windows (reduce the attack surface to admin space by 95%) :thumb: at last I am not alone ....

    One is a weirdo, two is a group, three is the start of a movement ;) the Moodji tweakers movement
     
    Last edited by a moderator: Jan 19, 2017
  20. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    FYI - https://securingtomorrow.mcafee.com/mcafee-labs/signed-malware-continues-undermine-trust/

    Ref.: http://www.securityweek.com/new-zeus-variant-sphinx-offered-sale

    Sphinx also allows cybercriminals to steal digital certificates that can later be used to sign malware, and use webinjects to change the content of a webpage to trick users into handing over sensitive information.

    Sphinx is designed to work on Windows Vista and Windows 7 with User Account Control (UAC) enabled, and it works even on user accounts with low privileges, such as the “Guest” account, the developers said.
    Hence the need to set UAC at max level.
     
    Last edited: Jan 19, 2017
  21. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    These are not small-time developers... these are massive, multi-million and multi-billion dollar companies, and they develop extremely sophisticated software. Off the top of my head, I am guessing that since most of these endpoints / software connect to medical instruments or machines (for example, an MRI machine), maybe elevation is required? Just a guess, and I can try to think of more possibilities if you would like. But my point is, UAC incompatibility is extremely common in the medical sector... a sector where it is vital to have extremely secure endpoints.
     
  22. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Ok, here is a file that is digitally signed (not that this necessarily matters) and the manifest is set to asInvoker (the Execution Level is listed in VS's user prompt if you click details twice, and this feature is extracted directly from the manifest).

    Anyway, at default UAC settings, UAC will display a prompt for this file. Why is that?

    http://www.majorgeeks.com/files/details/dvdfab_passkey_lite.html
     
  23. guest

    guest Guest

    because it installs a driver.

    UAC doesn't automatically allow signed files, it just tells you via its banner's colour whether the file is signed or not. Then it is up to the user to decide. UAC is working normally and as it should.
     
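    Added example (the editor's, not code from any poster): #7, #16 and #22 all turn on what an executable's embedded manifest actually declares, and that is something you can read directly instead of guessing from the prompt. The script below maps the image as data with the Win32 resource API (so nothing in it runs), pulls out the RT_MANIFEST resource, and reports the requestedExecutionLevel, plus the image bitness, because UAC's documented installer-detection heuristic only applies to 32-bit images that carry no requestedExecutionLevel and whose file name or version strings look like an installer. Assumptions: Windows PowerShell, a local .exe path; the function names are mine, and the file-name keyword check is only the file-name part of that heuristic.

```powershell
# Added example, not from the thread. Reads the embedded manifest of a PE file and
# reports its requestedExecutionLevel without executing the file.
Add-Type -Namespace Uac -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern IntPtr LoadLibraryEx(string lpFileName, IntPtr hFile, uint dwFlags);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr FindResource(IntPtr hModule, IntPtr lpName, IntPtr lpType);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr LoadResource(IntPtr hModule, IntPtr hResInfo);
[DllImport("kernel32.dll")]
public static extern IntPtr LockResource(IntPtr hResData);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern uint SizeofResource(IntPtr hModule, IntPtr hResInfo);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool FreeLibrary(IntPtr hModule);
'@

function Get-ExeManifest {
    # Returns the manifest XML text, or $null when the image carries no RT_MANIFEST.
    param([Parameter(Mandatory)][string]$Path)
    $LOAD_LIBRARY_AS_DATAFILE = 0x2                  # map as data: no entry point runs, any bitness
    $RT_MANIFEST = [IntPtr]24                         # MAKEINTRESOURCE(24)
    $CREATEPROCESS_MANIFEST_RESOURCE_ID = [IntPtr]1   # the resource ID the loader reads for .exe files
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    $h = [Uac.Native]::LoadLibraryEx($full, [IntPtr]::Zero, $LOAD_LIBRARY_AS_DATAFILE)
    if ($h -eq [IntPtr]::Zero) {
        throw "LoadLibraryEx failed for $full (Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error()))"
    }
    try {
        $res = [Uac.Native]::FindResource($h, $CREATEPROCESS_MANIFEST_RESOURCE_ID, $RT_MANIFEST)
        if ($res -eq [IntPtr]::Zero) { return $null }
        $size  = [Uac.Native]::SizeofResource($h, $res)
        $ptr   = [Uac.Native]::LockResource([Uac.Native]::LoadResource($h, $res))
        $bytes = New-Object byte[] $size
        [Runtime.InteropServices.Marshal]::Copy($ptr, $bytes, 0, [int]$size)
        # strip a UTF-8 BOM if present so the [xml] cast does not choke on it
        return [Text.Encoding]::UTF8.GetString($bytes).TrimStart([char]0xFEFF)
    } finally {
        [void][Uac.Native]::FreeLibrary($h)
    }
}

function Get-PeMachine {
    # IMAGE_FILE_HEADER.Machine: 0x014C = x86 (32-bit), 0x8664 = x64
    param([Parameter(Mandatory)][string]$Path)
    $fs = [IO.File]::OpenRead((Resolve-Path -LiteralPath $Path).ProviderPath)
    try {
        $br = New-Object IO.BinaryReader($fs)
        [void]$fs.Seek(0x3C, 'Begin')                 # IMAGE_DOS_HEADER.e_lfanew
        [void]$fs.Seek($br.ReadInt32(), 'Begin')
        if ($br.ReadUInt32() -ne 0x00004550) { throw "Not a PE image: $Path" }   # "PE\0\0"
        return $br.ReadUInt16()
    } finally { $fs.Dispose() }
}

function Get-RequestedExecutionLevel {
    param([Parameter(Mandatory)][string]$Path)
    $text = Get-ExeManifest -Path $Path
    $level = '(no manifest)'; $uiAccess = $null
    if ($text) {
        [xml]$xml = $text
        # local-name() sidesteps the asm.v1 / asm.v3 namespaces real manifests use
        $node = $xml.SelectSingleNode("//*[local-name()='requestedExecutionLevel']")
        if ($node) { $level = $node.GetAttribute('level'); $uiAccess = $node.GetAttribute('uiAccess') }
        else       { $level = '(manifest without requestedExecutionLevel)' }
    }
    $is32 = (Get-PeMachine -Path $Path) -eq 0x014C
    # Documented UAC installer detection: a 32-bit image with no requestedExecutionLevel whose
    # name (or version strings, not checked here) contains install/setup/update is prompted anyway.
    $installerHeuristic = $is32 -and (-not $text) -and
        ([IO.Path]::GetFileName($Path) -match 'install|setup|update')
    $machine = if ($is32) { 'x86' } else { 'x64/other' }
    [pscustomobject]@{
        Path                    = $Path
        Machine                 = $machine
        Level                   = $level            # asInvoker | highestAvailable | requireAdministrator
        UiAccess                = $uiAccess
        LikelyInstallerDetected = $installerHeuristic
    }
}

Get-RequestedExecutionLevel -Path 'C:\Windows\System32\regedit.exe'
```

    Reading the levels: asInvoker runs at the caller's integrity level and never prompts by itself; highestAvailable prompts only when the caller is an administrator in Admin Approval Mode; requireAdministrator always prompts (or fails, for a standard user who cannot supply credentials). The prompt #22 saw for an asInvoker file is therefore not a property of that file's manifest: as #23 says, it comes from something the program starts afterwards, such as a driver installer, so the manifest of the parent tells you nothing about what its children will request.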
  24. Everyone is free to decide for himself, because your need for security probably differs from my need and you are using UAC in a different security setup context than I do. I hear what you say, but I am not the person who immediately builds a concrete shelter in his garden when a meteorite hits Siberia, so I leave my UAC settings as they are.

    P.S. The info is from 2015 based on 2014 data. ~ Removed OT Remarks ~
     
    Last edited by a moderator: Jan 20, 2017