App Review Playing with UAC

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
Content created by
cruelsister

Bot

AI-powered Bot
Verified
Apr 21, 2016
3,467
Thanks for sharing this video! It provides useful insights into User Account Control (UAC) settings. Let's discuss the key points and any questions you may have.
 

wat0114

Level 12
Verified
Top Poster
Well-known
Apr 5, 2021
571
M$ should be able to at least do something about blocking executables from Unknown Publishers, but of course they haven't figured this out yet or they don't care to. Unless they've done so with SAC but I don't know about this.
 
Mar 10, 2024
340
This is why no security will ever protect a user from themselves, as all it takes is a carefully crafted social engineering trick to exploit the plethora of holes in the Windows operating system. Playing whack-a-mole constantly on paranoid levels, increasingly losing sight of what the system was intended for, preoccupied with defending it.

Either learn good habits such as checking files before execution "which many have deemed an inconvenience" or ditch Windows for a Chromebook.
 

Shadowra

Level 34
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,312
M$ should be able to at least do something about blocking executables from Unknown Publishers, but of course they haven't figured this out yet or they don't care to. Unless they've done so with SAC but I don't know about this.

I think SAC could help, but it is deactivated and cannot be reactivated on many computers....
If MS could create an option to enable or disable it at will, that might increase security.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,145
UAC is an old idea from the beginning of the century, so it is not a modern & useful feature for all users. A modern version of UAC can probably be SAC on Windows 11.
But, the video is kinda biased. It takes the viewpoint of the user who frequently installs applications or uses administrative tools. UAC is for them like excessive dog barking.
However, many people install applications rarely and do not use administrative tools. They can see UAC rarely in predictable situations. UAC alerts can be for them like geese honking that saved Rome.

Of course, there is nothing wrong with liking cats, instead of geese.
I do not like both, but I still like @cruelsister and some of her videos. :)
 

wat0114

Level 12
Verified
Top Poster
Well-known
Apr 5, 2021
571
UAC is an old idea from the beginning of the century,

Microsloth has had all the opportunity and expertise in house to have evolved UAC into something far superior than what it was and currently is. Just my 2c worth opinion. And, yes, I always enthusiastically look forward to @cruelsister videos as well as those from @Shadowra .
 

Trident

Level 28
Verified
Top Poster
Well-known
Feb 7, 2023
1,738
UAC can be sort of useful to parents and system administrators of shared devices as well as business environments.
An owner of a personal device has no benefit; they will press “yes” and will enter the password.
It also makes it easier for behavioural blocking to detect privilege escalation attempts; software can check if there was a prompt, as they record them (easiest way). Process went from SUA to admin with no prompt => privilege escalation and possibly attack, depending on other factors.
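
The check described in the post above (a process goes from standard rights to admin with no recorded prompt), sketched as an added example that is not part of the thread. The event records, field names and the 30-second window are assumptions for illustration, not a real Windows or vendor log format.

```python
from collections import namedtuple

PROMPT_WINDOW_S = 30  # assumed max delay between an approved prompt and the start
# Hypothetical record shapes a behaviour blocker might keep.
ProcStart = namedtuple("ProcStart", "ts pid ppid image elevated")
Prompt = namedtuple("Prompt", "ts requester_pid image approved")

def unprompted_elevations(events):
    """Elevated starts from a non-elevated parent with no approved prompt."""
    elevated, approved, alerts = {}, [], []
    for ev in sorted(events, key=lambda e: e.ts):
        if isinstance(ev, Prompt):
            if ev.approved:
                approved.append(ev)
            continue
        # A parent never seen in the stream is treated as non-elevated.
        parent_elevated = elevated.get(ev.ppid, False)
        elevated[ev.pid] = ev.elevated
        if not ev.elevated or parent_elevated:
            continue  # no standard -> admin transition here
        match = next((p for p in approved
                      if p.requester_pid == ev.ppid
                      and p.image.lower() == ev.image.lower()
                      and 0 <= ev.ts - p.ts <= PROMPT_WINDOW_S), None)
        if match:
            approved.remove(match)  # one approval covers one start
        else:
            alerts.append(ev)
    return alerts

# Constructed sample stream (not real telemetry).
SAMPLE = [
    ProcStart(0, 100, 1, "explorer.exe", False),
    ProcStart(5, 200, 100, "setup.exe", False),
    Prompt(6, 200, "setup_helper.exe", True),
    ProcStart(7, 210, 200, "setup_helper.exe", True),   # prompted: fine
    ProcStart(8, 211, 210, "child.exe", True),          # inherits: fine
    Prompt(21, 200, "tool_admin.exe", False),           # user said no
    ProcStart(22, 310, 200, "tool_admin.exe", True),    # alert
    ProcStart(41, 410, 100, "payload.exe", True),       # alert, no prompt
]

if __name__ == "__main__":
    for a in unprompted_elevations(SAMPLE):
        print(f"unprompted elevation: pid={a.pid} image={a.image} ts={a.ts}")
```

An alert here is only a signal to weigh with other factors, as the post says; an elevated start that follows a denied prompt is reported the same way as one with no prompt at all.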
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,145
This is especially and true. I've been guilty of, although not burned by it yet, this reaction to UAC prompts..

UAC is like a stone tool. But stone tools can be still useful for many people if there is nothing better around. And yes, Microsoft could do much better, but it did not. :)
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,145
Comodo's Auto-containment alerts can indeed be a much better idea. But there are also some cons of using Comodo.

I can give a simple example of how UAC (max) can increase safety even on a default Admin account, if there is also a second user account available.
Most malware wants to get high privileges. Most of such attempts can be alerted by UAC (max). If the user does not allow elevation, the malware cannot infect other user accounts.
So, if there is a suspicion of infection, the user can sign out and sign in to another account that is not infected, and continue daily work. The system can be also safely inspected from non-infected accounts. Of course, this works best, with SUA and Admin accounts. (y)
 

rashmi

Level 5
Jan 15, 2024
213
Comodo's Auto-containment alerts can indeed be a much better idea. But there are also some cons of using Comodo.
Comodo is indeed a strong solution. I found the usability has drastically improved, for unsigned programs too, when I recently tested beta 3. If you know Comodo, you can add signed vendors, trust or ignore programs, and configure settings and other advanced settings to further improve usability and protection. If I remember correctly, in the initial Comodo versions, the default internet security configuration trusted everything on the system installed before Comodo. This was also good for a new set-up or clean system. The internet security configuration was a balanced approach, with the AV and disabled HIPS working passively with modules.

Yes, it has bugs, and I have had my share of bugs like programs reappearing in the unrecognized list, a vendor in the vendor list with the unrecognized rating and no details, etc. But I never had infections or issues using Comodo.

I didn't experience the infamous HIPS rules disappearing bug. I always chose preset rules like allowed, trust, installer/updater, and such on alerts, which generated and created fewer rules. If I remember correctly, many rules and/or something like HIPS generated an alert after you clicked shutdown, which was the cause for disappearing rules. I experienced this 2-3 times with later versions, but I had stopped using HIPS. What I experienced was that I heard the Comodo notification sound after clicking shutdown with nothing visible on the screen. I found nothing in the logs after restarting the system.

@Andy Ful What are some cons of using Comodo, according to you?
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,145
"User" means a techie.
UAC or any alert is just a "click yes/allow to win" game for most people. Vendors automate security solutions nowadays for a reason. Security is like a secret language that only a few bother to learn.

It is mostly true. Microsoft always had a problem with adjusting security to the needs of an average user.
Anyway, I would replace "techie" with security-aware and cautious. Many MT members are not "techie", but still can use UAC.

Nowadays, it is a problem with UAC usability. Most people use only one account. If the malware triggers UAC and the user refuses the consent, the malware does not stop running (with standard rights). Of course, there is still an advantage when disinfecting the computer.
If the malware could elevate, then the full disinfection is much harder. It is easier to restore all partitions and important files. In some cases, the computer can still be infected. :(
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,145
@Andy Ful What are some cons of using Comodo, according to you?

It bricked my system a few times.
I think that Comodo's default configuration can be OK for most users. But, other AVs are OK on defaults, too.
The problems can appear when the user wants to improve the security. One can use @cruelsister settings based on Proactive configuration + no-HIPS - it avoids most bugs. However, such a restrictive setup is not popular among Comodo users.

Edit.
The solutions based on sandboxing are not popular, because many users are not sure what is sandboxed and what is not. Some application features can be sandboxed and others can run in the real system. Some files can be saved in the sandbox and some not. Yes, sandboxing can be sometimes more inconvenient and confusing than UAC.
 
Mar 10, 2024
340
It bricked my system a few times.
I think that Comodo's default configuration can be OK for most users. But, other AVs are OK on defaults, too.
The problems can appear when the user wants to improve the security. One can use @cruelsister settings based on Proactive configuration + no-HIPS - it avoids most bugs. However, such a restrictive setup is not popular among Comodo users.

Edit.
The solutions based on sandboxing are not popular, because many users are not sure what is sandboxed and what is not. Some application features can be sandboxed and others can run in the real system. Some files can be saved in the sandbox and some not. Yes, sandboxing can be sometimes more inconvenient and confusing than UAC.
I can remember a time when installing CIS and restarting the system without it crashing was considered a milestone.

I'm going to not pick on CIS so much as group it with other "advanced" 3rd party software solutions. Do you think in your opinion that general users should use such applications that require demonstrations and advice on how to adjust settings they do not understand how to adjust let alone know what these settings do? In your opinion is trusting said 3rd party applications that have to hook deeply into the system in order to provide such detections wise?

If a user is willing to "learn" a 3rd party application, wouldn't it benefit them more to "learn" the built-in securities? I guess what I'm saying is, if they are willing to pay every year for a 3rd party application, wouldn't it be smarter to invest a one time payment to upgrade to the pro version of Windows and have access to gpedit so the user could learn to adjust and harden on their own if they are actually willing to learn.

Last but not least, wouldn't it benefit the user most if they just learned good habits. What are the chances a home user would be in a targeted attack? If they used external devices to store everything on, kept the system clean and lean, and had good habits such as checking links and addresses, being aware of social engineering, wouldn't a home user stay generally safe?

When is the last time any of you have been infected that was not self inflicted?
 
