Malware damage by UAC bypass?

[Nikos751]

Thanks for the info! I 've read many opinions here in MT and I believe if the user is well educated he will be ok with the windows security features you mention.
However for some reason I cannot get myself fully convinced despite th fact that I am a experienced user. I m afraid of malware that can do damage by bypassing UAC.

 

[Cats-4_Owners-2]

Thanks for the info! I 've read many opinions here in MT and I believe if the user is well educated he will be ok with the windows security features you mention.
However for some reason I cannot get myself fully convinced despite th fact that I am a experienced user. I m afraid of malware that can do damage by bypassing UAC.

Nikos751, I have (quite often) felt just as you do ..which is probably why I additionally use Sandboxie Free http://sandboxie.com/ and browse within a containment sandbox. Truly, you have no reason to worry about malware getting past the fail safes, not unless you randomly download with carelessness or play lots of those so called 'free' games at their websites, only You, the "User" (& Star of U.A.C.) can accept & "Activate" a breach to your system. This cannot happen if you are in "Control". That, and if you remain awake!

 

[Littlebits]

Thanks for the info! I 've read many opinions here in MT and I believe if the user is well educated he will be ok with the windows security features you mention.
However for some reason I cannot get myself fully convinced despite th fact that I am a experienced user. I m afraid of malware that can do damage by bypassing UAC.

If you search on Google you will found a lot of incorrect information about malware bypassing UAC, the only report Microsoft has of malware bypassing UAC was on a beta version of Vista which was patched on the final release. I'm sure that UAC does have some vulnerabilities but for some reason malware writers don't try to exploit it. They prefer to write simple malware that prays upon the user's own ignorance like fake alert pages for Java, codec packs, Flash Player, Fake AV scans, etc. that fools the user into manually downloading the infected file and running it. If a malware does have the ability to bypass UAC then why can't anyone find any samples of them?

Malware hunters have been searching every since the final release of Vista and still not one single malware sample can be found that can bypass UAC. If someone looking for this sample can not find it then what would be the chances of a user accidentally getting infected by it?

Microsoft Malware Protection Center (which is now the largest malware research center) still has not found a single malware sample that can bypass UAC. So if they do exists, they are so extremely rare that you would have a better chance of winning the lottery 5 times in a roll than ever getting exposed to one.

If anyone finds a malware sample that can bypass UAC, please send me the link.

Thanks.

 

[Cats-4_Owners-2]

..and if/when we find that malware sample, then we can get down to winning that lottery 5 times in a row using the Littlebits "Rosetta Stone" method!!!

 

[Nikos751]

Littlebits, from what you say, you mean that if utilize uac,wd and smartscreen properly, there is no danger from almost any piece of malware? I ll probably do some further testing on vm with win8.1 and windows security to see how it goes. I ve already done some with third party av but when smartscreen was on, almost nothing unknown could run. Does uac/smartscreen work the same with applications that run auromatically too (ex from app data folder)?
This is somewhat out of topic so, you could send me pm if you want.
thanks for sharing your knowledge!

 

[jerzy601]

I use this program has just Eset AV is a very good program inoffensive, light worthy install no problem.

 

[Koroke San]

If anyone finds a malware sample that can bypass UAC, please send me the link.

Thanks.

I'm not a UAC fanboy but imao UAC can be bypass but it's rare.Some peeps bypassed UAC.
You please check & clear my conclusion.

( search in virus total, now many antivirus detects it as malware.

 

[Littlebits]

I'm not a UAC fanboy but imao UAC can be bypass but it's rare.Some peeps bypassed UAC.
You please check & clear my conclusion.

( search in virus total, now many antivirus detects it as malware.

Those are not bypasses, a bypass is when a malicious process infects the system without triggering UAC prompts. These are examples of hack tools which still hasn't never been known to be used by any malicious infection. Hack tools just change system configuration, both of these hack tools in this video are blocked by Windows Defender/Microsoft Security Essentials and probably most other AV's. Sure UAC can be disabled by some hack tools but these tools do not infect the system. Microsoft has already added all known UAC hack tools to their database and so has most other respectful AV's. Also if the user chooses to approve the UAC prompt it still is not a bypass.

Enjoy!!

 

[Koroke San]

Those are not bypasses, a bypass is when a malicious process infects the system without triggering UAC prompts. These are examples of hack tools which still hasn't never been known to be used by any malicious infection. Hack tools just change system configuration, both of these hack tools in this video are blocked by Windows Defender/Microsoft Security Essentials and probably most other AV's. Sure UAC can be disabled by some hack tools but these tools do not infect the system. Microsoft has already added all known UAC hack tools to their database and so has most other respectful AV's. Also if the user chooses to approve the UAC prompt it still is not a bypass.

Enjoy!!

But what about the second video? he can put that same coding & create malware to bypass UAC

 

[Littlebits]

Littlebits, from what you say, you mean that if utilize uac,wd and smartscreen properly, there is no danger from almost any piece of malware? I ll probably do some further testing on vm with win8.1 and windows security to see how it goes. I ve already done some with third party av but when smartscreen was on, almost nothing unknown could run. Does uac/smartscreen work the same with applications that run auromatically too (ex from app data folder)?
This is somewhat out of topic so, you could send me pm if you want.
thanks for sharing your knowledge!

The first thing is in order for any infection to happen on a system, a file must be downloaded or transferred from another infected system. Modern malware doesn't not automatically download or transfer itself, the user has to manually do this. Some malware can download inactive infected files in your browser's cache or temp files but still requires manual execution by the user with Admin rights.
UAC at default config will always prompt you when running a process tries to make system changes excluding UAC hack tools which are blocked by your AV. SmartScreen will also block downloading unknown files and hack tools. The Secure Boot feature on Windows 8 also automatically fixes corrupted boot sectors settings which are changed by malicious processes mostly rootkits. USB autorun is disabled by default on all modern Windows.

UAC and Secure Boot doesn't work correctly in virtual environments just like many other security products.

I believe if you do use Windows default security correctly on Windows 8, you should not get any infections. The only exception is like toolbars bundled with other installers, but that is really nothing because they all include uninstallers and a very easy to get rid of. Of coarse if you pay attention and uncheck the adware then no problem at all.

I have not had one single infection not even just basic adware using my Windows 8.1 laptop with Windows default security.

Thanks.

But what about the second video? he can put that same coding & create malware to bypass UAC

No this is still hacking not bypassing, yes you can make malware to bypass UAC, but who has did it? and where is the malware sample?
This is an example of hacking with a boot device which would have been blocked anyway on Windows 8 by the secure boot feature.

Enjoy!!

 

[Koroke San]

No this is still hacking not bypassing, yes you can make malware to bypass UAC, but who has did it? and where is the malware sample?
This is an example of hacking with a boot device which would have been blocked anyway on Windows 8 by the secure boot feature.

Enjoy!!

And what about window 7, window server, XP & vista? They don't have secure boot b; Anyways i still believe there are some hackers in this world who can bypass UAC & creates malware to bypass it which they don't release in public or it will flag by AV. Not UAC or any AV/security suite is 100% bullet proof That's why i always on CFW autosandbox ( blocked ), smartscreen & UAC at max. 3 layer protection & yes mah common sense

 

[Aleeyen]

I have used it for a long time along with KAV and its a very good product. Though there are few problems, like it creates some problem if you're using wireline LAN. There are few other things, but security wise its a great product.

 

[Aleeyen]

No this is still hacking not bypassing, yes you can make malware to bypass UAC, but who has did it? and where is the malware sample?
This is an example of hacking with a boot device which would have been blocked anyway on Windows 8 by the secure boot feature.

Enjoy!!

I am not an expert, but I have always heard that UAC can be very easily bypassed.

 

[Nikos751]

I just tested with some samples in Win 8 virtual system with windows security features. Smartscreen blocked every undetected sample as unknown so UAC didnt show what it can do. I could test also with those undetected samples, with smartscreen off, but this does not make sense as smartscreen is supposed to work together with the others. maybe I ll do it though.
PF does a good job preventing unknown malware as I ve seen some months ago but why dont use just smartscreen & UAC?

Update: did the test with undetected samples and almost none of them caused any uac prompt to appear. One of them locked the system until reboot. should I assume they dont damage the system or uac would have worked every time if the system was real? Or simply, nothing that can run automatically would do damage without causing uac to react?
Littlebits, could you explain?

Example: This trojan was found running on the system. (did a quick scan with hitman pro after a reboot) http://www.sunbeltsecurity.com/Thre...d=4853632&cs=0D57E937D9C9A0FDB84EA9C044EE826C

 

[Ink]

Not UAC or any AV/security suite is 100% bullet proof That's why i always on CFW autosandbox ( blocked ), smartscreen & UAC at max. 3 layer protection & yes mah common sense

OT:

It's a nice layer to the OS, but Windows SmartScreen is sometimes hit-n-miss, so it cannot replace WD/MSE. (Not speaking of IE SmartScreen).

Setting UAC on high won't make much of a difference if you click Allow on an unknown publisher's software to run. Did you know you can install the Firefox web browser without admin rights (ie. no UAC prompt). Yes, it's highly unrealistic that many will use this, but have you considered using a Standard User account with a password-protected Admin account to prevent programs from running with higher privileges?

If you have common sense, what's the reason for Blocked Mode on Comodo Sandbox? Also did you know the Comodo Sandbox on Fully Virtualised and Partially Limited can be bypassed? (Search: "comodo sandbox bypassed").

 

[Koroke San]

OT:

It's a nice layer to the OS, but Windows SmartScreen is sometimes hit-n-miss, so it cannot replace WD/MSE. (Not speaking of IE SmartScreen).

Setting UAC on high won't make much of a difference if you click Allow on an unknown publisher's software to run. Did you know you can install the Firefox web browser without admin rights (ie. no UAC prompt). Yes, it's highly unrealistic that many will use this, but have you considered using a Standard User account with a password-protected Admin account to prevent programs from running with higher privileges?

If you have common sense, what's the reason for Blocked Mode on Comodo Sandbox? Also did you know the Comodo Sandbox on Fully Virtualised and Partially Limited can be bypassed? (Search: "comodo sandbox bypassed").

First of all i have common sense. Second i always says that everything is not 100% bulletproof. third I know smartscreen will miss malware too so i enabled UAC at max. And no! I don't allow click to unrecognized or untrusted source when UAC prompt. when i see a unknown file prompt then i first search about it in google or test it in virus total or if i'm act like paranoid then i'll test it in sandboxie. If everything is alright then i'll allow that file in my real PC And no, i don't want to get annoyed using standard user account since i mostly install & uninstall softwares & my daily use need mostly administrative privilege. and i know..as i always doubted that CFW sandbox fully virtualised & participially limited can bypass too since it's not stronger like sandboxie so why i use auto-sandbox ( blocked ) First layer is smart screen, then UAC & then CFW hips & autosandbox (blocked) which blocked untrusted application from unknown source. I use it coz it blocked pieces of malware to run in my pc during malware pack execution test. so why i like it..as u know not every peoples have different taste Some times i can mistakenly click allow on UAC like when i using my computer at night & feeling sleepy. I have my common sense & can use free av like avast with window firewall & shadow defender. Thnx for reading, cheers

 

[Cats-4_Owners-2]

Update: did the test with undetected samples...(did a quick scan with hitman pro after a reboot) http://www.sunbeltsecurity.com/Thre...d=4853632&cs=0D57E937D9C9A0FDB84EA9C044EE826C

Thanks Nikos!
I bookmarked sunbelt security.com , for future reference!

It's a nice layer to the OS, but Windows SmartScreen is sometimes hit-n-miss, so it cannot replace WD/MSE. (Not speaking of IE SmartScreen).

Setting UAC on high won't make much of a difference if you click Allow on an unknown publisher's software to run. ...have you considered using a Standard User account with a password-protected Admin account to prevent programs from running with higher privileges?...

Huracan, I have UAC set on high & use two password protectd Admin accts, but download infrequently. So, now I'm going to try using a guest account for most of what (I don't) do!

Koroke San quote:

"I use it coz it blocked pieces of malware to run in my pc during malware pack execution test. so why i like it..as u know not every peoples have different taste Some times i can mistakenly click allow on UAC like when i using my computer at night & feeling sleepy. I have my common sense & can use free av like avast with window firewall & shadow defender. Thnx for reading, cheers"

Koroke,
UAC can also mean "User is Asleep Control"!

 

[Littlebits]

Update: did the test with undetected samples and almost none of them caused any uac prompt to appear. One of them locked the system until reboot. should I assume they dont damage the system or uac would have worked every time if the system was real? Or simply, nothing that can run automatically would do damage without causing uac to react?
Littlebits, could you explain?

Example: This trojan was found running on the system. (did a quick scan with hitman pro after a reboot) http://www.sunbeltsecurity.com/Thre...d=4853632&cs=0D57E937D9C9A0FDB84EA9C044EE826C

If you ran this test in a virtual environment that is the problem, UAC needs direct access to the kernel which is blocked in virtual environments. Also like it said some keygens, some Trojans and other type of password loggers sometimes will not trigger UAC prompts because they don't do anything that harms the system or tries to make changes to system or user files.

So you need to research the samples that you used and make sure that they do try to make changes to system or user files.

Most trojans to not infect the system directly or make system changes, they sometimes download other types of malware which will infect the system, record use data and sent it back to a server, lock or encrypt user files, display fake notifications to get users to pay money, etc. The good thing about these trojans they are almost always hosted on suspicious fake alert websites and are rarely bundled with other software. They are very small in size and very obvious to a cautious user. A careful user would never manually download these kind of files unless they just wanted to test them.

Even though so far nobody has provided a malicious file that can bypass UAC, other than certain types of trojans that don't infect the system or cause changes to the system config or user files, that doesn't mean that these type of malware don't exists but it does mean if they do exists, they are very extremely rare. So rare that you are more likely to be exposed to malware that tries to bypass HIPS, sandboxing and virtualization which has been proven to exists but also rare.

For hacking a system to bypass security- it happens all the time to businesses, large companies, governments and military agencies.
But is extremely rare for a home user to get hacked since there is not enough data to collect from a home user system.

Hackers are professionals and are paid good money to hack systems- but the price to pay if you get caught is very severe punishment, even death sentence in some countries. Hackers will not take the risk to hack a home user's system unless they know they can get very valued data. If a hacker wants to hack your system then they will and there is nothing you can do to stop it no matter what type of security features you have installed. If they can hack into the most secure businesses in the world, then they could very easy hack your system. Nothing is hack proof.

But you do have control over what you download and execute which is the best protection they you can get.
Malicious files just don't magically appear on your system, you have to manually allow them, the only exception is if your system happened to get hacked then they is nothing at all you can do to prevent it.

Enjoy!!

 

[Koroke San]

UAC can also mean "User is Asleep Control"!

 

[Nikos751]

If you ran this test in a virtual environment that is the problem, UAC needs direct access to the kernel which is blocked in virtual environments. Also like it said some keygens, some Trojans and other type of password loggers sometimes will not trigger UAC prompts because they don't do anything that harms the system or tries to make changes to system or user files.

So you need to research the samples that you used and make sure that they do try to make changes to system or user files.

Most trojans to not infect the system directly or make system changes, they sometimes download other types of malware which will infect the system, record use data and sent it back to a server, lock or encrypt user files, display fake notifications to get users to pay money, etc. The good thing about these trojans they are almost always hosted on suspicious fake alert websites and are rarely bundled with other software. They are very small in size and very obvious to a cautious user. A careful user would never manually download these kind of files unless they just wanted to test them.

Even though so far nobody has provided a malicious file that can bypass UAC, other than certain types of trojans that don't infect the system or cause changes to the system config or user files, that doesn't mean that these type of malware don't exists but it does mean if they do exists, they are very extremely rare. So rare that you are more likely to be exposed to malware that tries to bypass HIPS, sandboxing and virtualization which has been proven to exists but also rare.

For hacking a system to bypass security- it happens all the time to businesses, large companies, governments and military agencies.
But is extremely rare for a home user to get hacked since there is not enough data to collect from a home user system.

Hackers are professionals and are paid good money to hack systems- but the price to pay if you get caught is very severe punishment, even death sentence in some countries. Hackers will not take the risk to hack a home user's system unless they know they can get very valued data. If a hacker wants to hack your system then they will and there is nothing you can do to stop it no matter what type of security features you have installed. If they can hack into the most secure businesses in the world, then they could very easy hack your system. Nothing is hack proof.

But you do have control over what you download and execute which is the best protection they you can get.
Malicious files just don't magically appear on your system, you have to manually allow them, the only exception is if your system happened to get hacked then they is nothing at all you can do to prevent it.

Enjoy!!

thanks for providing the time to type all this. Very useful and informative.
If a user browses the web and enters all kind of grey pages but does not let files to be downloaded to the pc, he only clicks everywhere and cancel any transfer going to start.. will windows security protect him fully from any malware coming from these sites?