App Review Playing with UAC

Content created by
cruelsister

LennyFox

Level 7
Jan 18, 2024
307
I think SAC could help, but it is deactivated and cannot be reactivated on many computers....
If MS could create an option to enable or disable it at will, that might increase security.
Agree: but there is WHHL to the rescue (with WDAC-ISG and SRP blocking risky file extensions which use LoLBins) @Andy Ful 🏆🏆🏆


Also I think Comodo with @cruelsister is better when replacing contain with block. IMO it makes no sense to run software which the security application can't determine to be safe. Blocking instead of sandboxing also takes away the confusion sandboxing gives for most users (as mentioned by Andy). Using a sandbox for me is a sign of lack of trust in your own program. The only case for using sandboxes is when the program you run has vulnerabilities. Then it makes sense to sandbox (but the sandbox has to be persistent over sessions).

That said: I tried the latest Comodo beta and it crashed on a fairly vanilla Windows 11 setup (Office + Chrome + 2 user applications installed), which surprised me, because on Windows 7 I was using Comodo Time Machine and Comodo Cloud Antivirus (with block instead of contain; CCA also had an option to ask the user, if I recall right) on a similar setup (the only difference was the Office version, 2010 instead of 2019).
 

cruelsister

Level 42
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,148
However, such a restrictive setup is not popular among Comodo users.
Andrzej- With all due deference to you and your remarkable work, I have to disagree. Comodo really allows almost total freedom with normal daily operation being unaffected. The only exception to this would be when an application is installed as the application must first be vetted by C to be benign before being sandboxed.

This extra step done by Comodo to assure the non-maliciousness of a given file, although seeming to be overkill, has served the user well in the recent past as legitimately signed and counter signed malware (E-file and Magniber are a couple of examples) were stopped by C when allowed by almost all others.

On the topic of UAC, as almost all others have other forms of primary protection already in place (Defender if nothing else), UAC doesn't add anything to a Users Defense against the Shadows except annoyance and a false sense of security.


LennyFox

Level 7
Jan 18, 2024
307
UAC doesn't add anything to a Users Defense against the Shadows except annoyance and a false sense of security.
RE: "does not add anything"
Okay, so you don't use a safety belt in your car either. Safety belts reduce severe injuries, but don't prevent them 100%. The same applies to a simple appendicitis operation, where a very, very small percentage goes wrong, or to flying in an airplane (which also has a minor risk). When something does not work in 100% of the situations, it does not mean it is worthless. When comparing your statement with real life situations, it does not make sense. Microsoft also says it is not a security border and yes, you are right, 99% of people put too much trust in UAC. Your video is a convincing demonstration that UAC is not a security border. Thank you for posting (y)

RE: "annoyance"
The only UAC prompt I see on my laptop is when a system cleaner runs, and by scheduling a high-rights task at startup it runs without a prompt. This shows how easy it is to circumvent a UAC prompt.

Although I am (like many on MT) a cruelsister fan, I felt the need to disagree with you. It is not a binary YES-NO.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,145
Andrzej- With all due deference to you and your remarkable work, I have to disagree. Comodo really allows almost total freedom with normal daily operation being unaffected. The only exception to this would be when an application is installed as the application must first be vetted by C to be benign before being sandboxed.

I think that the problem can be both with installations and software updates. Also sandboxing with high restrictions loses some benefits of other sandboxes, like useful information about malicious behavior. But, I can accept your remark. Comodo in your settings is a great setup for me. I used it for a long time on my father's computer. (y)

On the topic of UAC, as almost all others have other forms of primary protection already in place (Defender if nothing else), UAC doesn't add anything to a Users Defense against the Shadows except annoyance and a false sense of security.

It is mostly true because most users do not know how to take some benefits from UAC. But it is possible (for security-aware users), as I will explain in my next post.
I understand your viewpoint. If one is happy with CruelComodo, the UAC can be seen as an unnecessary annoyance.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,145
How to use the stone tool.

If you can see the UAC prompt, you have two scenarios:
  1. Expected.
  2. Unexpected.
In the first scenario simply ignore the alert and allow elevation. Use application installers from trusted sources (like Softpedia).

In the second scenario gently press the <Enter> key, think, and inspect a little. Now you have two new scenarios:
  1. The UAC prompt is correlated with opening the particular file.
  2. UAC appears "out of the blue".

The first case:
  1. The file is a document, media file, etc., but the application that opens the file wants to update -----> update the application and open the file again.
  2. The file is a document, media file, etc., but something else wants to execute & elevate -----> I can be infected -----> sign out and sign in to another account.
  3. The file pretends to be a document, media file, etc., but it is an executable instead -----> I can be infected -----> sign out and sign in to another account.
The second case:
  1. Some application wants to auto-update -----> allow the update and open the file again.
  2. Some strange new process asked for an elevation -----> inspect the event.
I think that even non-techie but security-aware users can learn to recognize the danger related to:
I can be infected -----> sign out and sign in to another account

Indeed, this is not a bulletproof method but it is far better than nothing, when using the AV without advanced tweaks.
It is true that it mostly fails with ransomware. But ransomware is often the payload delivered at a later time by the malware that can be exposed by the above method.

Edit.
In some cases, the ransomware wants to elevate and then waits several minutes to fool the AV sandboxes. The above method can also expose the infection before the files are encrypted.
 

wat0114

Level 12
Verified
Top Poster
Well-known
Apr 5, 2021
571
UAC alerts display some information about the file trying to execute, or in the case of CS' demo, the file that bypasses UAC without user interaction, which can be useful to the user who pays attention. A grey background will be a known publisher file, while a yellow background, like the bypass in CS' demo, will be an unknown publisher.

Obviously the bypass demo has done the damage or started it, but if the user is paying attention, maybe they can take steps to at least prevent further damage. I agree 100% with @LennyFox post above.

There is an informative article on how UAC works:

 

Trident

Level 28
Verified
Top Poster
Well-known
Feb 7, 2023
1,737
I have to agree that UAC can’t increase the overall security posture for single home users, as it’s not well understood what the software will do once allowed, and fail to do once denied admin rights. When you display the same dialogues upon trying to change the system time and upon trying to launch malware, this dialogue starts to be meaningless to the user.

HIPS can be considered an “overblown” version of UAC (per-action-permission system) and for obvious reasons, only 2-3 vendors offer it in home products now, with Eset and Comodo being primary and Kaspersky offering “smarter”, more autonomous HIPS with less questions. Asking the user what should be done in terms of security is a concept that is not preferred — it didn’t work for Panda in 2005 and it didn’t work for Bitdefender in 2008. It certainly doesn’t work for Comodo, Eset, Microsoft or anyone else in 2024 either. It didn’t work for WOT when they relied on the “huge user base” to tell them which website seems safe and which doesn’t.
Security is the job of professionals and not the grandma looking to Skype or the teenager looking to play Dota and watch YouTube.

In this relation, the permission system in iOS/Android/macOS/ChromeOS can be considered a modern version of UAC that allows users to understand what exactly they are allowing — still far from perfect though. Perhaps if UAC evolved to be something similar, it would be somewhat useful.
The Mac implementation of UAC is this, also not great but much less noisy, and users understand that elevating is a big deal. All apps, including installers, work non-elevated.
Fingerprint is required when actions affecting personal files are to be performed - obviously to confirm that it’s you, the owner. Password is required for system-related events like updates.
And Linux Polkit (similar to Apple):

Some may say SAC or the SmartScreen filter are a natural evolution of UAC, but they cover what's allowed to run, whilst UAC covers what's allowed to make changes that can turn out to be harmful.
They are essentially very different and all 3 complement each other, together with Microsoft Defender.
 

wat0114

Level 12
Verified
Top Poster
Well-known
Apr 5, 2021
571
UAC's main purpose, I believe, is to run accounts as Standard users with the Standard token, including Administrators (Admin approval mode) who get an additional administrator token. Applications and Windows functions, as the article explains, will run in the more secure Standard user context, and only when something expected and harmless requires elevation, the Administrator just has to answer a Consent prompt, rather than entering credentials every time. It's not quite as ideal and secure as running in a dedicated Standard account, but it offers those who perform numerous administrative tasks daily and hate the inconvenience of entering credentials every time, a suitable compromise. Clicking on Yes to elevate as opposed to entering credentials then clicking Yes is far more convenient.
 

simmerskool

Level 31
Verified
Top Poster
Well-known
Apr 16, 2017
2,094
I can remember a time when installing CIS and restarting the system without it crashing was considered a milestone.

When is the last time any of you have been infected that was not self inflicted?
Last time: 2000, ILOVEYOU (a computer worm that infected over ten million Windows personal computers on and after May 5, 2000. It started spreading as an email message with the subject line "ILOVEYOU"...). The email was from a law firm I had been consulting with -- it infected a lot of offices at the time.
 

LennyFox

Level 7
Jan 18, 2024
307
I remember on Vista McAfee or Symantec or some other well known security vendor provided a program which made UAC remember your choices.

With UAC there is an option to silently elevate and block unsigned processes. I had hoped Microsoft would have used the SAC as an extra option for UAC to silently elevate only SAC whitelisted programs (because the default setting also uses a whitelist with Windows processes). When I studied we used a lot of open source software which dated from XP times (and nearly always required elevation) and I have to agree with @cruelsister that in such situations (using software which requires admin privilege all the time) UAC can be annoying as hell.

Note1: when I disagree with cruelsister and say that it is not a binary YES-NO (post), I thought I should discuss the arguments in which I agree with her also. I am a CS-video fan after all :)

Note2: I am very thankful to @Andy Ful for his free software (see post), so when I see cruelsister and Andy Ful disagreeing on topics I feel the strange urge to mediate between two very respected members :)
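An added example, not code from any poster in this thread, that ties together wat0114's explanation of Admin Approval Mode and the split token, the "silently elevate and block unsigned" option mentioned just above, and the highest-privilege startup task that LennyFox says runs without a prompt: it reads the documented UAC policy values from the registry, reports whether the current session holds the filtered or the full administrator token, and lists scheduled tasks that elevate at logon or boot so they can be reviewed. It assumes Windows 10/11 with Windows PowerShell 5.1 or later (ScheduledTasks module); reading these values needs no elevation.

```powershell
# Added example (not from the thread): audit the UAC policy values behind Admin
# Approval Mode, show whether this session already holds the full admin token,
# and list tasks that elevate at logon/boot without a prompt. Value names are
# the documented UAC policy values under Policies\System; no elevation needed.

$PolicyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Policy = Get-ItemProperty -Path $PolicyPath

# Read one policy value, falling back to the documented default when it is absent.
function Get-UacValue([string]$Name, [int]$Default) {
    $prop = $Policy.PSObject.Properties[$Name]
    if ($null -eq $prop) { return $Default }
    return [int]$prop.Value
}

# Documented meanings of ConsentPromptBehaviorAdmin.
$AdminBehaviour = @{
    0 = 'Elevate without prompting (silent elevation)'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries only (default)'
}

function Get-UacSummary {
    $enableLua = Get-UacValue 'EnableLUA' 1
    $admin     = Get-UacValue 'ConsentPromptBehaviorAdmin' 5
    $signed    = Get-UacValue 'ValidateAdminCodeSignatures' 0
    $secure    = Get-UacValue 'PromptOnSecureDesktop' 1

    # Does this session already hold the full (elevated) administrator token?
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    $findings = @()
    if ($enableLua -ne 1) { $findings += 'UAC off: admin-group users always run with the full token' }
    if ($admin -eq 0 -and $signed -ne 1) { $findings += 'Silent elevation of any binary an admin runs' }
    if ($admin -eq 0 -and $signed -eq 1) { $findings += 'Silent elevation limited to signed, validated binaries' }
    if ($secure -ne 1) { $findings += 'Prompts not on the secure desktop: other software can interact with them' }

    [pscustomobject]@{
        UacEnabled           = ($enableLua -eq 1)
        AdminPromptBehaviour = $AdminBehaviour[$admin]
        SignedBinariesOnly   = ($signed -eq 1)
        SessionElevated      = $elevated
        Findings             = $findings
    }
}

# Tasks set to run with highest privileges at logon or boot never show a UAC prompt
# (the scheduling trick described in the thread); list them so they can be reviewed.
function Get-SilentElevationTasks {
    Get-ScheduledTask | Where-Object {
        $_.Principal.RunLevel -eq 'Highest' -and
        ($_.Triggers | Where-Object { $_.CimClass.CimClassName -match 'LogonTrigger|BootTrigger' })
    } | Select-Object TaskPath, TaskName, @{ n = 'RunsAs'; e = { $_.Principal.UserId } }
}

Get-UacSummary | Format-List
Get-SilentElevationTasks | Format-Table -AutoSize
```

Run it once from a normal (non-elevated) admin session and once from an elevated one: UacEnabled stays the same while SessionElevated flips, which is the split token wat0114 describes.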
 

blackice

Level 38
Verified
Top Poster
Well-known
Apr 1, 2019
2,787
I remember on Vista McAfee or Symantec or some other well known security vendor provided a program which made UAC remember your choices.

With UAC there is an option to silently elevate and block unsigned processes. I had hoped Microsoft would have used the SAC as an extra option for UAC to silently elevate only SAC whitelisted programs (because the default setting also uses a whitelist with Windows processes). When I studied we used a lot of open source software which dated from XP times (and nearly always required elevation) and I have to agree with @cruelsister that in such situations (using software which requires admin privilege all the time) UAC can be annoying as hell.

Note1: when I disagree with cruelsister and say that it is not a binary YES-NO (post), I thought I should discuss the arguments in which I agree with her also. I am a CS-video fan after all :)

Note2: I am very thankful to @Andy Ful for his free software (see post), so when I see cruelsister and Andy Ful disagreeing on topics I feel the strange urge to mediate between two very respected members :)
They are both reasonable and very intelligent people. It will work out. :)
 

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,662
I have personally witnessed thousands of “Yes” UAC end-user clicks since it was released with Windows Vista in 2007, and not a SINGLE “No” end-user click. I remember how excited I was when Microsoft announced UAC in 2006, and was hoping it would drastically reduce malware infections, but was highly disappointed when I experienced the implementation first hand. A lot of people do not know this, but my disappointment in Microsoft’s implementation of UAC was a huge reason VoodooShield was created in the first place.

The main issue with UAC is that it requires the end-user to make a binary decision on the spot, and even worse, the UAC affirmative user prompt provides little or no file insight or user recommendation to the end-user so they can make an informed decision. The end result is that the end-user almost always simply clicks "Yes".

@Trident is not wrong when he says “Asking the user what should be done in terms of security is a concept that is not preferred”. But at the same time, allow-by-default guarantees breaches and infections will only continue. There has to be a happy medium, we just have to find it.

In short, this is the principal problem that we have been working on for over a decade, and are open to suggestions for usability improvements, especially from those who have not tried CyberLock first hand. We have fixed the major issues with UAC, but there is always room for improvement, especially when it comes to usability.
 

monkeylove

Level 11
Verified
Top Poster
Well-known
Mar 9, 2014
545
It is mostly true. Microsoft always had a problem with adjusting security to the needs of an average user.
Anyway, I would replace "techie" with security-aware and cautious. Many MT members are not "techie", but still can use UAC.

Nowadays, it is a problem with UAC usability. Most people use only one account. If the malware triggers UAC and the user refuses the consent, the malware does not stop running (with standard rights). Of course, there is still an advantage when disinfecting the computer.
If the malware could elevate, then the full disinfection is much harder. It is easier to restore all partitions and important files. In some cases, the computer can still be infected.:(

For me, "techie" means knowing what those things in the system tray mean. It's like that article where a professor found out that his uni students did not know the concept of computer folders and files.

Meanwhile, this reminds me of that default-deny issue: you're told that something needs to access the 'net or something like that. Allow or deny? Meanwhile, you're flooded with lots of work.

So you allow and it leads to havoc. Or you deny and it causes the system to crash. Or nothing happens, which means it's either safe or now doing something else in the background that's undesirable.

Then you're told that you're not "techie" enough, or not a techie at all, or that you should have learned even though you have no time to do so, or that you're computer-illiterate even though you're an expert in other things that are even more important, or that you should have followed "common sense" by not accessing "unsafe" sites or using "unsafe" software even though it turns out that you weren't doing that, or that you can always restore even though that doesn't solve things like data theft, and so on.

Ultimately, one begins to realize that security programs have to be increasingly complex and operate intelligently and independently as users access increasingly complex systems that they need but won't understand.
 

Sandbox Breaker

Level 9
Verified
Well-known
Jan 6, 2022
435
This is why no security will ever protect a user from themselves, as all it takes is a carefully crafted social engineering trick to exploit the plethora of holes in the Windows operating system. Playing whack-a-mole constantly on paranoid levels, increasingly losing sight of what the system was intended for, preoccupied with defending it.

Either learn good habits such as checking files before execution "which many have deemed an inconvenience" or ditch windows for a Chromebook.
I've been on Chrome OS enterprise. Too many holes in windows.
 

cruelsister

Level 42
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,148
Thanks for the video. And lovely song for a background. If I remember correctly, this is from the movie "Master and Commander" ending song. :)
It's Part 5 (Passacalle) of Boccherini's String Quintet in C major, Op. 30, No. 6. It took me a while to come up with a background video that fit the song.
 
Mar 10, 2024
340
I've been on Chrome OS enterprise. Too many holes in windows.
I myself use ChromeOS as my main. The security on these devices is among the best, at least for now until they become a bigger audience and target, but as you pointed out there are certainly "less holes" to contend with. I enjoy my ChromeOS though, as I am able to get on it and just use it as intended.

To be fair though, I do the same with Windows. I can open a Windows laptop with nothing but default security and an ad blocker in the browser and just use the device as intended. I used to run my Windows machine this way for a long time just fine. I kept analysis tools on hand to manually check the system from time to time, but other than that, I did not focus on it as much as I used to when I did all the security/application testing here. I would keep Process Explorer/Autoruns both with VT enabled, PeStudio and TCPView on the device for checking from time to time. I of course always checked files and applications ("downloads" etc.) in VT or PeStudio before execution, I always cross-referenced websites before proceeding, I "verified" everything as I was never in too big a hurry to not be cautious and thorough. I kept everything backed up and on external devices should something happen, never storing personal important items on the system directly. No infections in all that time. It was not tons of security that kept my system clean, it was habits.
 

simmerskool

Level 31
Verified
Top Poster
Well-known
Apr 16, 2017
2,094
I've been on Chrome OS enterprise. Too many holes in windows.
Is there an "official" VMware ChromeOS guest? Last time I looked I think the answer was No. I do not want to run ChromeOS on a laptop; is someone offering a desktop computer with ChromeOS? I do have a Linux flavored VM that I use sometimes and perhaps not often enough. Would like to have ChromeOS_VM.
 
Mar 10, 2024
340
Is there an "official" VMware ChromeOS guest? Last time I looked I think the answer was No. I do not want to run ChromeOS on a laptop; is someone offering a desktop computer with ChromeOS? I do have a Linux flavored VM that I use sometimes and perhaps not often enough. Would like to have ChromeOS_VM.
You can throw ChromeOS Flex in VMware.


There are ChromeOS desktops called Chromebox, a couple examples:


 
