Discussion in 'other security issues & news' started by itman, May 23, 2017.
You need admin rights for it? I don't. And why do you start it 10 times a day btw?
Exploits are the main reason why people are advised to either run as non-admin or to use UAC as protected admin. Without exploits it would hardly benefit users. And it's not only about the amount of clicks, it's about if alerts are worth it or not.
It always triggers an alert on my system and so do other tools, mostly system utilities. I use PE to check if everything is OK, and even if I would run it 4 times a day, it's still over a thousand clicks. And all for what? Because of fear for the "super exploit" that will probably bypass UAC anyway?
I hardly get any alerts or elevation prompts in my SUA. I must be doing something wrong.
Something is wrong on your system. I can start PE in my SUA account without any problems. And I just switched to my admin account and started it therein, too, without UAC prompt. And I've set UAC to max.
Weird, so you're not running any tools that require admin rights and almost never install apps? Then it's probably indeed not a problem, but I still don't see the need for it when it's easy to stay safe as admin.
Weird, perhaps they have updated PE, will check it out. BTW, I'm using Win 8.1, so perhaps it acts differently on this version.
Were you running under a standard user account? If so, the UAC alert was triggered when the ransomware portion attempted to modify any local admin files.
Yes I also. I only get them under Admin account when updating software. That's about 10 prompts a week.
The default mode for Process Explorer is medium integrity i.e. SUA privileges.
I already figured it out, when running PE in medium mode, it can't display integrity and user-name of all processes. So no choice but to run it as admin.
I hardly get any UAC alert in my normal scenario usage, Process Explorer didn't trigger it at all.
Also to get back on track, the issue is that a select number of Win utility processes allow for hidden elevation of privileges. Current malware is exploiting these processes. With UAC set to its default level, these utilities when run as hidden will not generate a UAC prompt. Hence the strong recommendation to set UAC to the max. level.
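An added example, not posted by anyone in this thread, that audits the settings the post above argues about: it reads the UAC policy values from the registry, labels the resulting level (the labels and the "weak" flag are my own wording), and reports whether the current session is a standard user, a protected admin with a filtered token, or a fully elevated admin. It assumes Windows with PowerShell and the built-in whoami utility.

```powershell
# Added example (not from the thread): audit UAC level and the current session's privilege.
# The registry values are the documented Windows UAC policy settings; the level names are
# this script's own labels.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $key

$enableLua     = $uac.EnableLUA                   # 1 = UAC on, 0 = UAC off
$adminBehavior = $uac.ConsentPromptBehaviorAdmin  # 2 = always prompt (max), 5 = default, 0 = silent
$secureDesktop = $uac.PromptOnSecureDesktop       # 1 = prompt on the secure desktop

if ($enableLua -ne 1) {
    $level = 'UAC disabled'
} elseif ($adminBehavior -eq 2 -and $secureDesktop -eq 1) {
    $level = 'Always notify (max level)'
} elseif ($adminBehavior -eq 5 -and $secureDesktop -eq 1) {
    $level = 'Default (signed Windows binaries elevate without a prompt)'
} elseif ($adminBehavior -eq 5) {
    $level = 'Default, but without the secure desktop'
} elseif ($adminBehavior -eq 0) {
    $level = 'Elevate without prompting'
} else {
    $level = "Custom (ConsentPromptBehaviorAdmin=$adminBehavior, PromptOnSecureDesktop=$secureDesktop)"
}

# Classify the session from the token's group list. A protected admin running non-elevated
# carries the Administrators SID (S-1-5-32-544) marked "used for deny only"; a standard
# user does not carry it at all; an elevated admin carries it as an enabled group.
$groups    = whoami /groups /fo csv | ConvertFrom-Csv
$adminsRow = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }
if (-not $adminsRow) {
    $session = 'Standard user account (SUA)'
} elseif ($adminsRow.Attributes -match 'deny only') {
    $session = 'Protected admin: filtered token, not elevated'
} else {
    $session = 'Elevated admin (full token)'
}

# The combination the thread warns about: logged in as an admin with UAC left at default,
# where auto-elevating Windows utilities produce no prompt.
$weak = ($adminsRow -ne $null) -and ($enableLua -eq 1) -and ($adminBehavior -ne 2)

[pscustomobject]@{
    UacLevel       = $level
    Session        = $session
    WeakForAdmin   = $weak
    # Remediation for the weak case (requires elevation, takes effect at next logon):
    # Set-ItemProperty -Path $key -Name ConsentPromptBehaviorAdmin -Value 2
    # Set-ItemProperty -Path $key -Name PromptOnSecureDesktop -Value 1
}
```

Run it once from a normal (non-elevated) window and once from an elevated one to see the filtered versus full token reported on the same admin account.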
Quite frankly, I still don't get it. You said:
... but on the other hand:
Why would one start PE 10 times a day (or only 4 times) unless there is a specific problem? It seems that you are not so confident that you stay safe as admin. Neither would I.
Right. And in order to stop execution of this malware it's prudent to add SRP (or AppLocker - but I'm not familiar with the latter). I've been using it for years without problems.
Obviously you don't run any software that needs admin rights. And don't trot out the old "well, change software". That just doesn't work.
That's just me being paranoid, but that doesn't mean it's not easy staying safe. And even when running in SUA I would still use my system monitoring tools. Also, 10 times a day is of course a bit of a joke, but in general I like to keep an eye on the system. The funny thing is that even Task Manager makes UAC pop up.
But you never answered my question, are you really that afraid of the "super exploit" that's able to bypass all security tools except SUA? Because that's the main reason why people use SUA and UAC. I sometimes have the feeling that people don't even realize this.
I'm interested to hear more about why you feel SUA improves security over admin account plus UAC (set to MAX). Is admin + UAC/Max exploitable by malware in a way that SUA is not, or is the problem that users give permission to prompts without sufficient scrutiny? From my experience the main problem with UAC is average users don't understand it and click the prompts indiscriminately, which makes it worthless.
The main reason why people use SUA and UAC is to maintain least privilege...not because they are afraid of "super exploit". Exploit mitigation lies in the kernel improvements made by Microsoft and through the usual updating and patching OS, browsers, etc.
You really need to re-learn OS basics and best security practices before preaching to the choir. There's no need to brag about how "safe" you can be running as admin when most of us are able to do so too. There's nothing special about running as admin and running 3rd-party tools, HIPS, whatever floats your boat. We've all done that before. Heck, we can even run those on an SUA account. If we can manage to stay "safe" without 3rd-party tools, I think that speaks volumes for itself.
I'm not Minimalist but I hope you don't mind me chiming in.
You may want to read this:
Hopefully, it will clear up some misconceptions of what UAC is or isn't; and why SUA unlike UAC is considered a security boundary.
Here's a great article that explains in detail why if you run as a local admin, you need to set UAC to the max level: https://blog.cobaltstrike.com/2014/03/20/user-account-control-what-penetration-testers-should-know/. If you don't want to read the whole article, scroll down to the Run As section and start reading from there.
Guys like you are exactly the reason why I believe people are missing the point. What if exploits and malware didn't exist? Would we then need SUA and UAC on a one user machine? No we wouldn't, so yes it IS about the super exploit that people are so afraid of. Even when they are already using a multi-layered setup they still think they are at risk.
There's nothing new or special about SUA, no need to feel superior and all smart just because you chose to use it with or without any third party tools. Most people/noobs don't care for it. I just think it's amusing that people on this forum think it's an absolute must. But perhaps I shouldn't be surprised, it's just another layer to them, and we all love layers.
Guys like you are the ones who are lacking the humility to understand that OS developers and security researchers would not be designing the OS and talking about limiting privileges if they really believe one can run as admin and rely on AE and HIPS to solve all "super exploit" issues....
I mean seriously...the sheer arrogance of it all befuddles me...
To make things worse is you are the one running multiple "security" apps and yet have the audacity to imply that people running with UAC or SUA are somehow "afraid" of "super exploit"...
Now you're just being silly. We all know why SUA and UAC exist, that's not the discussion. But you seem to lack the ability to understand this. Of course it's needed to restrict other users and can also be used to protect against exploits and malware as a bonus. The question is if an already heavily protected user needs it, I guess it depends on the user. But in general, most browser exploits will be easily tackled with AE and sandbox. Unless you are targeted by elite hackers, but I doubt SUA/UAC will save the day LOL.
That's why I keep repeating myself, I have always said that with current security tools, there is no need to use SUA. No need to combine security tools + SUA, so if you do, then yes you're pretty paranoid, even more than myself.
Well that's how MS explains it and since they are developers, they probably know best? If there is UAC bypass they don't "have to" fix it, since UAC was probably never meant to be "catch them all" solution.
Personally I don't know of any ITW malware that would bypass admin+UAC on max, but not SUA, but some malware might bypass UAC on default level (which is used by most users).
As said before, UAC is a tool that can help careful and knowledgeable users. Nothing can help people that click Yes to all prompts they get.
You are right. I'm being silly by feeding a troll. Nobody was talking about "super exploit" or other 3rd-party security tools until you came here and sidetracked the discussion as usual with the same rhetoric of how people can stay safe as admin and that UAC is not needed.
I didn't sidetrack anything, I'm just saying that UAC with default setting is irrelevant when it comes to providing security. That's what this thread is about. And when people start to talk about SUA, I ask them if they fear super exploits that can blast through AE/Sandbox/HIPS and what not. And when you can't answer the question you become frustrated and start accusing people of being trolls, same old same old.