
danb

From VoodooShield
Verified
Developer
I think this is getting a little complicated and over-thought, speaking from a basic user's perspective. Has anyone examined how another security software alerts a user to a potential threat? It's not all these messages to contemplate and mull over plus various mechanisms to choose from. It's usually just one, plus a menu of what to do next. Look at HitmanPro.Alert: it's a banner blocking your entire desktop plus a Windows chime. That's about the ultimate in warnings!

I think if Defender is set to give an audible warning, you will get that plus a text warning. This combo would be very difficult to ignore, but it's hard to say whether a given user will proceed regardless. You want to close that hole a little more, the one where a user will proceed regardless of warnings. At some point, the software has to back away and say "OK, you've been warned." This is often a very quick dynamic; people maybe want whatever that is now, not after having leisurely thought about it. This is often my mindset.

Like this would be good if a user somehow ended up on a bogus shopping site or as Andy Ful mentioned, prepared to open an email with a malicious attachment socially engineered to be relevant.
Great insight plat1098! And to that, I would like to add the issues of UAC's method of prompting. In short, UAC displays a required, affirmative user prompt without file insight or user recommendations. The prompt should not require the user to respond to it... for obvious reasons, this is dangerous. Second, the prompt should include file insight and user recommendations so the user can make an informed decision.

This is why when people suggest that novice users are unable to handle VS prompts, but they are somehow able to handle UAC prompts, I am just absolutely baffled.
 

Andy Ful

Level 62
Verified
Trusted
Content Creator
...
BTW, when VS toggles to OFF in Smart Mode, its security posture is almost identical to AutoPilot at this point. So essentially, when VS is in Smart Mode, it is pretty much toggling between AutoPilot and Always On. Thank you!
I think that in Smart Mode the chances of using the methods mentioned by me are very small. The most vulnerable users will usually be toggled to Always ON Mode, because they do not bother to close the web browser all day.
 
B

BVLon

Great insight plat1098! And to that, I would like to add the issues of UAC's method of prompting. In short, UAC displays a required, affirmative user prompt without file insight or user recommendations. The prompt should not require the user to respond to it... for obvious reasons, this is dangerous. Second, the prompt should include file insight and user recommendations so the user can make an informed decision.

This is why when people suggest that novice users are unable to handle VS prompts, but they are somehow able to handle UAC prompts, I am just absolutely baffled.
I think they simply allow everything in UAC... that's why Windows 7 reduced the number of alerts. If you ask me, UAC is totally useless... even I myself allow everything in UAC...
 

Andy Ful

Level 62
Verified
Trusted
Content Creator
...
This is why when people suggest that novice users are unable to handle VS prompts, but they are somehow able to handle UAC prompts, I am just absolutely baffled.
The novice users are surely unable to properly respond to UAC prompts - they have equal chances to do it right or wrong. But as time goes on, they can learn, and then a habit of using UAC can be an advantage.
 

danb

From VoodooShield
Verified
Developer
I think that in Smart Mode the chances of using the methods mentioned by me are very small. The most vulnerable users will usually be toggled to Always ON Mode, because they do not bother to close the web browser all day.
Maybe "Close your
I think they simply allow everything in UAC... that's why Windows 7 reduced the number of alerts. If you ask me, UAC is totally useless... even I myself allow everything in UAC...
Yes, in general they do, I have seen this countless times in person. A user will click the Yes UAC button and say out loud "yes, I want to allow you"... kind of in a frustrated / uppity tone. The reason for this is simple... UAC was not designed or built to be a security mechanism, and even Microsoft has admitted this. UAC was designed to force devs to not run everything as admin.

I remember being extremely excited for Vista to come out because I had heard of the new feature known as UAC, and I was hopeful that it would reduce infections. But when I saw how it was implemented and realized that it was not designed to be a security mechanism, I was quite disappointed. This was obviously a few years before VS, and probably in a strange way led me to the idea for VS.
 
B

BVLon

Maybe "Close your

Yes, in general they do, I have seen this countless times in person. A user will click the Yes UAC button and say out loud "yes, I want to allow you"... kind of in a frustrated / uppity tone. The reason for this is simple... UAC was not designed or built to be a security mechanism, and even Microsoft has admitted this. UAC was designed to force devs to not run everything as admin.

I remember being extremely excited for Vista to come out because I had heard of the new feature known as UAC, and I was hopeful that it would reduce infections. But when I saw how it was implemented and realized that it was not designed to be a security mechanism, I was quite disappointed. This was obviously a few years before VS, and probably in a strange way led me to the idea for VS.
I remember Apple using UAC as a major selling point. UAC is good to stop unauthorized changes by very novice users... If you give them a non-admin account, they can't do much on the computer and neither can malicious software. Although UAC bypasses have been discovered throughout the years. It's not really a malware protection feature.
 

danb

From VoodooShield
Verified
Developer
The novice users are surely unable to properly respond to UAC prompts - they have equal chances to do it right or wrong. But as time goes on, they can learn, and then a habit of using UAC can be an advantage.
It certainly does not hurt to give the user a chance and a pause. But I have always been of the belief, if you are going to do something, do it right, or at least to the best of your ability, especially when it comes to something as crucial as cybersecurity. In other words, in my opinion, UAC is in MAJOR need of refinement or redesign. It also should not be based on elevation, it should be based on something more similar to AppLocker, but that is an entirely new discussion ;).
 

danb

From VoodooShield
Verified
Developer
I remember Apple using UAC as a major selling point. UAC is good to stop unauthorized changes by very novice users... If you give them a non-admin account, they can't do much on the computer and neither can malicious software. Although UAC bypasses have been discovered throughout the years. It's not really a malware protection feature.
Hehehe, how funny, I remember that!!! Then again, a few years later Apple introduced GateKeeper ;). And they require the user to type the password, not just simply click Allow ;).

 
B

BVLon

It certainly does not hurt to give the user a chance and a pause. But I have always been of the belief, if you are going to do something, do it right, or at least to the best of your ability, especially when it comes to something as crucial as cybersecurity. In other words, in my opinion, UAC is in MAJOR need of refinement or redesign. It also should not be based on elevation, it should be based on something more similar to AppLocker, but that is an entirely new discussion ;).
It should be based on something such as Norton File Insight, or Kaspersky Secure Network.
Microsoft already has their SmartScreen filter, so it should display information on when the file was first seen, how many people have used it, who signed it and whether it was downloaded from a trustworthy website.
Even geographical data maybe. I will not launch invoice_for_your_blender.exe if I see that 100 users in China already launched the file... I mean how did my invoice end up there? Also, a file released 30 days ago is more likely to be trusted. If it's malware, in 30 days my anti-malware solution will detect it. Trusted programs get modified much less frequently than malware and in general have a much bigger user base.
This will put pressure on attackers. If they mutate the malware too frequently, users will not give it admin rights. But if they don't mutate it frequently, AVs will detect it.
Additional contextual intelligence can be added for double-extension files and files that spoof known Windows executables. Also, files such as invoice.exe, document.exe...
It should also prompt the users to "Delay execution till more is known". That would be the best approach. Now that Windows 10 Pro has a sandbox as well, they can add "Run in Sandbox" as an option for all non-MS-signed executables. They can add "Submit to Microsoft for analysis"... There are endless possibilities for improvement...

I agree that GateKeeper is just another failure. They require a password, just in case you are now away from your Mac, haven't logged out and someone is trying to make changes at this time. There is a similar feature in Linux as well...
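The reputation-aware prompt sketched in the post above, as an added example that is not part of the original thread and not any vendor's code: it combines the file-insight signals named there (signer, age, prevalence, download source) with the name-based checks (double extensions, lure names such as invoice.exe, spoofed Windows executables) and returns one of the post's three actions. The 30-day figure comes from the post; the 100-user threshold, the lure list, the Windows executable list and the `FileInsight` record are constructed for the example.

```python
import ntpath
from dataclasses import dataclass
from typing import List, Optional, Tuple

MIN_AGE_DAYS = 30   # from the post: a file released 30 days ago is more likely to be trusted
MIN_USERS = 100     # constructed threshold for "too few people have run this"
# Lure stems and Windows binaries that belong only under the Windows directory
# (constructed sample lists, not a vendor's data).
LURE_STEMS = ("invoice", "document", "receipt", "scan")
WINDOWS_EXES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
WINDOWS_DIR = "c:\\windows\\"
EXEC_EXTS = {".exe", ".scr", ".com", ".msi", ".bat", ".cmd", ".js", ".vbs", ".ps1"}
# Name-based findings that justify delaying execution on their own.
STRONG = {"double extension", "lure file name", "spoofs a Windows executable"}


@dataclass
class FileInsight:
    path: str                 # full path of the file the user is about to run
    signer: Optional[str]     # Authenticode publisher, None if unsigned
    first_seen_days: int      # days since the file hash was first seen by the service
    user_count: int           # how many users have already run this exact file
    trusted_source: bool      # downloaded from a site rated as trustworthy


def assess(f: FileInsight) -> Tuple[List[str], str]:
    """Return (reasons to show the user, recommended action)."""
    name = ntpath.basename(f.path).lower()
    stem, ext = ntpath.splitext(name)
    reasons: List[str] = []
    # invoice.pdf.exe: an inner extension hidden behind an executable one
    if ext in EXEC_EXTS and ntpath.splitext(stem)[1]:
        reasons.append("double extension")
    if ext in EXEC_EXTS and stem.split(".")[0].startswith(LURE_STEMS):
        reasons.append("lure file name")
    if name in WINDOWS_EXES and not f.path.lower().startswith(WINDOWS_DIR):
        reasons.append("spoofs a Windows executable")
    if f.signer is None:
        reasons.append("unsigned")
    if f.first_seen_days < MIN_AGE_DAYS:
        reasons.append(f"first seen less than {MIN_AGE_DAYS} days ago")
    if f.user_count < MIN_USERS:
        reasons.append(f"fewer than {MIN_USERS} users have run it")
    if not f.trusted_source:
        reasons.append("untrusted download source")

    # Microsoft-signed files run unless the name itself looks wrong (the post
    # reserves the sandbox option for non-MS-signed executables).
    if f.signer == "Microsoft Windows" and not STRONG & set(reasons):
        return reasons, "Run"
    if STRONG & set(reasons) or (f.first_seen_days < MIN_AGE_DAYS and f.user_count < MIN_USERS):
        return reasons, "Delay execution till more is known"
    if reasons:
        return reasons, "Run in Sandbox"
    return reasons, "Run"
```

A young, rarely seen file with a lure name is delayed, a signed but low-prevalence installer is offered the sandbox, and a Microsoft-signed binary in its proper directory runs without a prompt.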

Andy Ful

Level 62
Verified
Trusted
Content Creator
It certainly does not hurt to give the user a chance and a pause. But I have always been of the belief, if you are going to do something, do it right, or at least to the best of your ability, especially when it comes to something as crucial as cybersecurity. In other words, in my opinion, UAC is in MAJOR need of refinement or redesign. It also should not be based on elevation, it should be based on something more similar to AppLocker, but that is an entirely new discussion ;).
Many people will agree with you, including me. Microsoft will not do it, because they know that the default Admin account cannot be secure by design. The much more secure design is well known - this is the Standard User Account.
 

Andy Ful

Level 62
Verified
Trusted
Content Creator
It should be based on something such as Norton File Insight, or Kaspersky Secure Network.
Microsoft already has their SmartScreen filter, so it should display information on when the file was first seen, how many people have used it, who signed it and whether it was downloaded from a trustworthy website.
Even geographical data maybe. I will not launch invoice_for_your_blender.exe if I see that 100 users in China already launched the file... I mean how did my invoice end up there? Also, a file released 30 days ago is more likely to be trusted. If it's malware, in 30 days my anti-malware solution will detect it. Trusted programs get modified much less frequently than malware and in general have a much bigger user base.
This will put pressure on attackers. If they mutate the malware too frequently, users will not give it admin rights. But if they don't mutate it frequently, AVs will detect it.
Additional contextual intelligence can be added for double-extension files and files that spoof known Windows executables. Also, files such as invoice.exe, document.exe...
It should also prompt the users to "Delay execution till more is known". That would be the best approach. Now that Windows 10 Pro has a sandbox as well, they can add "Run in Sandbox" as an option for all non-MS-signed executables. They can add "Submit to Microsoft for analysis"... There are endless possibilities for improvement...

I agree that GateKeeper is just another failure. They require a password, just in case you are now away from your Mac, haven't logged out and someone is trying to make changes at this time. There is a similar feature in Linux as well...
Microsoft likes black and white solutions. So, we have the simple, free, and hardly-configurable solution on Windows Home and the paid, complex, and highly configurable WD ATP on Windows Pro, E3, E5.
 
B

BVLon

Microsoft likes black and white solutions. So, we have the simple, free, and hardly-configurable solution on Windows Home and the paid, complex, and highly configurable WD ATP on Windows Pro, E3, E5.
Yeah, but this strategy is not great, because just as @danb, I believe if you do something, you should do it properly. Otherwise, better don't do it at all. But Microsoft is not the subject of this discussion. As for the standard user account, it will not help one bit. This is just security on paper. As long as I have an admin account, and as device owner I will, whether I click allow, or I type a password and then click allow, won't make one bit of difference. If you want to secure me, you can stop me from running a certain file or performing an action. You can do that only by giving me a reason to believe there is something wrong with the executable. If you tell me "Wait! You are the first person to download this file. Would you like to wait until we analyse it?" that's totally different. And that's just a blend of existing technologies, it won't require anything new to be developed.
 

Andy Ful

Level 62
Verified
Trusted
Content Creator
Yeah, but this strategy is not great, because just as @danb, I believe if you do something, you should do it properly. Otherwise, better don't do it at all. But Microsoft is not the subject of this discussion.
Both of you should not criticize Microsoft. They already found the best strategy for them.
We can agree that this strategy may not be optimal for others.:)
The way of MS security development:
looks good >> let's make it >> Ooops, it is not so good >> let's make another one. :)(y)
Generally, Windows is full of unfinished or halfway features. It looks like a wild tree and not like a solid pyramid.
 
B

BVLon

Both of you should not criticize Microsoft. They already found the best strategy for them.
We can agree that this strategy may not be optimal for others.:)
They may have found the best strategy for them, but it's the users who hold the wallet and decide whether they will buy a Windows PC or a Mac. Microsoft doesn't play a role in this decision. And whether they will use Defender ATP or one of the 100 third party solutions (and counting). We are calling the shots here, not Microsoft. They have already failed to enter the mobile market, which means they have to work extremely hard on all other existing products. Otherwise their future ain't too bright.
 

Andy Ful

Level 62
Verified
Trusted
Content Creator
They may have found the best strategy for them, but it's the users who hold the wallet and decide whether they will buy a Windows PC or a Mac. Microsoft doesn't play a role in this decision. And whether they will use Defender ATP or one of the 100 third party solutions (and counting). We are calling the shots here, not Microsoft. They have already failed to enter the mobile market, which means they have to work extremely hard on all other existing products. Otherwise their future ain't too bright.
Everything can change. But your arguments have been valid for about 20 years or more and still, MS is a giant among Lilliputians on the PC OS market. :)
 

danb

From VoodooShield
Verified
Developer
Both of you should not criticize Microsoft. They already found the best strategy for them.
We can agree that this strategy may not be optimal for others.:)
The way of MS security development:
looks good >> let's make it >> Ooops, it is not so good >> let's make another one. :)(y)
Generally, Windows is full of unfinished or halfway features. It looks like a wild tree and not like a solid pyramid.
Absolutely!!! Criticizing products without offering a better alternative is pointless and a massive waste of time. At the risk of sounding like Trump... no one knows that better than me ;).

But that is not what I did here.
 

Wraith

Level 13
Verified
Malware Tester
Does anyone know why ESET and AdGuard flag this site as malicious? One of the many benefits of VS is that it allows the user to upload and scan a file in Cuckoo Sandbox and then decide if the file is malicious or not. But for some reason, both ESET and AdGuard block access to the website. I really hope it's a false positive from both.
 

danb

From VoodooShield
Verified
Developer
Does anyone know why ESET and AdGuard flag this site as malicious? One of the many benefits of VS is that it allows the user to upload and scan a file in Cuckoo Sandbox and then decide if the file is malicious or not. But for some reason, both ESET and AdGuard block access to the website. I really hope it's a false positive from both.
Thank you for letting me know! There is certainly malware in Cuckoo that people upload and test, this must be why it is being flagged. I will try to contact them asap.
 

danb

From VoodooShield
Verified
Developer
Does anyone know why ESET and AdGuard flag this site as malicious? One of the many benefits of VS is that it allows the user to upload and scan a file in Cuckoo Sandbox and then decide if the file is malicious or not. But for some reason, both ESET and AdGuard block access to the website. I really hope it's a false positive from both.
This should be fixed now, but if anyone ever sees any false positives for Cuckoo please let me know. Thank you!
 