Hello everyone,
Today I will be talking about User Account Control (UAC) – why people shouldn’t underestimate it and leave it disabled and how it can potentially save you from becoming infected by malicious software.
[DISCLAIMER]
I have intentionally set the font size to 3 because this thread is very long and with the normal font size it may actually be even more of a pain to go through... I highly recommend you zoom in once in your browser, and it will appear much nicer to read the text (as opposed to reading it without zooming in once or as it is by default).
If you find any false information/mistakes in this thread then please let me know so I can fix them.
[/DISCLAIMER]
Why you should leave it enabled
I regularly see people complaining about how UAC failed to protect them or how they became infected (after disabling UAC) and then complaining about how Windows security is awful – the truth is that the built-in Windows security can be exceptionally good if used correctly and it can be a huge life saver. The problem isn’t the actual protection features (in this case UAC) but how some people use it… They expect it to sit in the background and automatically catch out zero-day malware… News flash: UAC was never designed/intended to do something like this, it is really there to give programs privileges they wouldn’t normally have by default (gives them more power over your system which can allow them to do deadly things they wouldn’t be able to do without these privileges) under the consent of the user operating the machine.
Commonly, the people you find lurking on online forums posting comments similar to, “Windows security sucks”, “Windows is awful for protection”, “Microsoft need to understand us and add some protection mechanisms”, “It’s important to use a third-party AV and not rely on Microsoft protection otherwise you’ll become infected”, “Windows Defender sucks”… (list can go on with similar comments), will be the same people who either disable features like UAC altogether (and not even run them on the minimum to be enabled) or aimlessly go around granting programs they have never even heard of before administrator privileges on their system…
Well, in my opinion, everyone should leave User Account Control enabled – it’s a very useful security feature built into Windows (Windows Vista and upwards) and it’s been improved throughout the Windows editions (vulnerability patches, enhanced security additions). If you use it correctly, then you will be much safer than without it… You may be asking yourself, “how exactly do I use it correctly?”, and the answer to that is very simple and can be shortened into one sentence: ONLY ALLOW A PROGRAM TO RUN WITH ADMINISTRATOR PRIVILEGES IF YOU TRUST IT 100%.
I’m famous for letting my imagination run wild and coming up with scenarios which will admittedly most likely never happen to you, but are still very possible (e.g. if I wanted, I could carry out the scenarios myself). Therefore, I will leave some examples of what could happen with UAC disabled which would have been prevented if UAC was being used properly:
1. New Unknown Malware (NUM – yes, I did just make this up, call it a “Wave term”) attempts to load a driver via the Service Manager which will allow it to bypass all security product self-protection mechanisms, shut them down and clean them off the system (like a custom uninstallation but silently without the user being aware), download more malware on the system (ransomware, password stealer, botnet, etc) and conceal it via rootkit techniques. If the sample/s are Fully Undetectable, then most on-demand scanners would be more likely hopeless than not unless they have great hook/DKOM detection and repair in this situation. Whereas in the situation of UAC being used properly, this NUM sample will fail to carry out these actions unless the user willingly allowed it to run with admin privileges before doing their research.
2. Currently Known Malware (CKM) is not detected by a security product installed on their system (e.g. maybe they temporarily disabled the real-time protection or the product they are using just doesn’t have a detection for that specific sample for whatever reason) which, when executed, will create a new task via the Windows Task Scheduler to allow itself to start up with administrator privileges at boot without future UAC prompts (and after it has administrator privileges after the next reboot, it will download more malware to the system and store them in protected directories, OR patch other installed programs being held within protected directories, since the CKM would have access to these areas now that it’d be elevated). Whereas in the situation of UAC being used properly, this CKM would fail to execute these malicious actions properly.
3. Zero Day Malware (ZDM) will attack (infect) the Master Boot Record when executed (well, this sample will) so when your system attempts to boot up, it won’t be successful. The MBR is responsible for loading the OS kernel into memory (kernel loader) and if the MBR has been infected then it will either allow malware to become active before the main OS is or it will allow malware to prevent the system from being able to boot into that OS altogether. Sometimes the MBR will load another loader which will be the kernel loader… But that is irrelevant, the point is that the malware can leave the system unbootable without repair options being carried out. Whereas in the situation of UAC being used properly, this ZDM would fail horribly to do this.
4. Dumb Malware From A Dumb Developer (DMFADD) will set hooks on the keyboard to log all the keystrokes typed by the PC user (e.g. via Win32 functions like user32.dll!SetWindowsHookExW, which are genuinely used for good purposes within Windows itself (e.g. when you drag windows and it minimises all other windows, this is accomplished via Windows utilising this function itself; sadly it’s abused by malware for keylogging)) and will also go further by injecting into other running processes to obtain additional details (e.g. from text controls on the GUI of the targeted programs). However, in the case of UAC being active, this may work to an extent but not properly – firstly, the keyboard hooking will definitely be successful without UAC consent (if it’s enabled), however if the targeted programs for injection are running with a higher privilege than the malware (e.g. as administrator themselves due to being trusted and secure based on research), then the malware running with standard rights won’t be able to inject into the trusted programs running with higher privileges! (it won’t even be able to open a handle to them, thus preventing them from being attacked by injection attacks for example).
That being said, I cannot express enough that YOU are the first line of defence when it comes to keeping your system/personal data secure, NOT your protection software. There is absolutely nothing that any protection software can do to keep you 100% safe if you are a click-happy user, careless and don’t pay attention to what you are doing/what’s going on. Even if you are using Default Deny (via Anti-Executable), if you decide to allow a program permission to run, then how can you push blame onto the Anti-Executable software for you becoming infected? It’s the same logic with UAC… If you willingly provide consent for a program to run elevated (with administrator privileges) then you as the user are responsible for becoming infected, you will be the one to blame deep down.
Of course there are scenarios when zero-day attacks may bypass protection features such as UAC (e.g. via a zero-day exploit) and this will allow malicious software to gain additional privileges in the background (silently) without your consent, however at the end of the day, you need to think back to how you ended up becoming attacked in the first place… Were you visiting untrusted websites? Were you using an outdated browser which may have currently-patched known vulnerabilities still out in the open for exploitation (due to using an old version)? Were you executing new downloads you were unsure of being safe or not without doing research first (e.g. scanning at VirusTotal/MetaDefender, even a Google search would benefit you)?
I tried to lighten the mood a bit with the “Wave terms”, however I wouldn’t use them if I were you, they were just there for joke purposes… They don’t really exist in the security world, I completely made them up on the spot for the purpose of this thread.
Of course there is a lot more to UAC than I mentioned, however I think I got my point across.
Stay safe and I hope this helped educate someone,
Wave.
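The post argues for leaving UAC enabled and not "on the minimum". As an added example (not code from the original post, and not Wave's), the PowerShell snippet below reads the UAC policy values from the registry on the local Windows host and reports the settings that weaken it: UAC disabled outright, silent elevation, the prompt shown off the secure desktop, and the default level at which Windows auto-elevates its own marked binaries without asking. The value names and their meanings are the documented Windows policy values; the `Get-UacStatus` and `Test-IsElevated` function names and the wording of the findings are this example's own. It needs PowerShell 5.1 or later and read access to HKLM, which any user has.

```powershell
# Added example, not code from the original post.
# Reads the UAC policy values and reports the weak settings the post warns about.
# Value names and meanings are the documented Windows policy values; the
# function names and the 'Findings' wording are this example's own.

$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Documented meanings of ConsentPromptBehaviorAdmin (Windows default is 5).
$adminPromptMeaning = @{
    0 = 'Elevate without prompting (silent; UAC is effectively off for admins)'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop ("Always notify")'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries only (default)'
}

function Test-IsElevated {
    # True when this PowerShell session already holds the full (elevated) admin token.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-UacStatus {
    $p = Get-ItemProperty -Path $uacKey
    # An absent value means the Windows default applies.
    $enableLua   = if ($null -ne $p.EnableLUA) { [int]$p.EnableLUA } else { 1 }
    $adminPrompt = if ($null -ne $p.ConsentPromptBehaviorAdmin) { [int]$p.ConsentPromptBehaviorAdmin } else { 5 }
    $secureDesk  = if ($null -ne $p.PromptOnSecureDesktop) { [int]$p.PromptOnSecureDesktop } else { 1 }

    $findings = @()
    if ($enableLua -eq 0) {
        $findings += 'EnableLUA=0: UAC is disabled. Admin processes get the full token and no consent is ever asked.'
    }
    if ($adminPrompt -eq 0) {
        $findings += 'ConsentPromptBehaviorAdmin=0: elevation is granted silently with no prompt.'
    }
    if ($secureDesk -eq 0) {
        $findings += 'PromptOnSecureDesktop=0: the prompt is drawn on the normal desktop, where other user-level processes can interact with it.'
    }
    if ($adminPrompt -eq 5) {
        # Below "Always notify", Windows binaries marked autoElevate (signed, in protected dirs)
        # elevate without a prompt; 2 with PromptOnSecureDesktop=1 means you are always asked.
        $findings += 'ConsentPromptBehaviorAdmin=5: default level; Windows auto-elevates its own marked binaries without a prompt. Set 2 with PromptOnSecureDesktop=1 to always be asked.'
    }

    [pscustomobject]@{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = "$adminPrompt - $($adminPromptMeaning[$adminPrompt])"
        PromptOnSecureDesktop      = $secureDesk
        SessionIsElevated          = Test-IsElevated
        Findings                   = $findings
    }
}

Get-UacStatus | Format-List
```

An empty `Findings` list with `SessionIsElevated` false is the state the post recommends for day-to-day use: UAC on, prompting on the secure desktop, and the shell itself running with the filtered token so that anything launched from it must earn its own prompt.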
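Scenario 2 above describes a scheduled task that lets malware start with administrator privileges at boot without any further prompt. As an added example (not part of the original post), this PowerShell snippet enumerates scheduled tasks on the local machine that run at highest privilege on boot or logon and whose executable sits outside the Windows and Program Files directories, which a standard-rights process cannot write to and where a legitimate elevated task's binary would normally live. The function name and that "outside a protected directory" heuristic are this example's own choices; it relies on the ScheduledTasks module (Windows 8 / Server 2012 and later) and its documented `MSFT_TaskExecAction`, logon and boot trigger classes.

```powershell
# Added example, not code from the original post. Requires the ScheduledTasks
# module (Windows 8 / Server 2012 and later). The function name and the
# "binary outside a protected directory" heuristic are this example's own.

# Directories a standard user cannot write to without elevation; a task that
# runs elevated from anywhere else deserves a closer look.
$protectedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

function Get-ElevatedTasksOutsideProtectedDirs {
    Get-ScheduledTask | Where-Object {
        $_.Principal.RunLevel -eq 'Highest' -and
        # Only tasks that fire at boot or at logon, i.e. the persistence pattern in scenario 2.
        ($_.Triggers | Where-Object { $_.CimClass.CimClassName -match 'LogonTrigger|BootTrigger' })
    } | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # Only MSFT_TaskExecAction carries Execute; COM-handler actions are skipped here.
            if (-not $action.Execute) { continue }
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
            $inProtected = $false
            foreach ($root in $protectedRoots) {
                if ($exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $inProtected = $true; break }
            }
            if (-not $inProtected) {
                [pscustomobject]@{
                    Task      = $task.TaskPath + $task.TaskName
                    RunAs     = $task.Principal.UserId
                    Execute   = $exe
                    Arguments = $action.Arguments
                    State     = $task.State
                }
            }
        }
    }
}

Get-ElevatedTasksOutsideProtectedDirs | Format-Table -AutoSize
```

Expect some legitimate hits: updaters installed under the user profile, and actions that name a bare executable such as `cmd.exe` with no path (resolved through PATH at run time, so the check cannot place it in a protected directory). The point of the list is to give each elevated, self-starting task the same scrutiny the post asks for before clicking "Yes" on a UAC prompt, since a task like this is exactly how that one click is turned into permanent administrator access.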