Is there a way to remember a trusted program ...

[Guest]

Is there a way to have UAC remember a program I trust so that it won't popup
the UAC consent window everytime I start it?

I'm trying to load on startup 'Process Explorer' but I can since it requires
permission.

If the procedure to have a program load on startup is different than not
having the UAC window popup, I'd like to know for the popup as well since
there are other software that I would allow without question (unless they
change of course).

Thx in advance

 

[Guest]

Found out you can't do it.. sorry for the bother.

P.S. hope they add a feature that would allow us to remember trusted
programs until they get changed or modified.. pretty much every firewalls I
know have this feature. SP1 anyone?

 

[Ronnie Vernon MVP]

Rej

If this were possible, it would make UAC useless. This would open a
vulnerability path that could be used to compromise the system since any
malicious program would be able to piggyback on the program that is
automatically granted system wide privileges.

 

[cquirke (MVP Windows shell/user)]

[QRtSH]

Re: Is there a way to remember a trusted program ...

....without malware being able to set itself as "trusted"?

Be careful what you wish for...

------------------------------------ ---- --- -- - - - -

"For every complex question, there's a simple
answer - and it's wrong." H.L. Mencken

 

[Jimmy Brush]

Found out you can't do it.. sorry for the bother.

P.S. hope they add a feature that would allow us to remember trusted
programs until they get changed or modified.. pretty much every firewalls I
know have this feature. SP1 anyone?

This will not happen.

UAC is not a firewall.

The prompt is not just asking if you trust the program, but if you are
the one running it.

If it did not prompt, then any program could launch the trusted program
and use it against you.

For example, if you trusted a program that wiped all of the data from
your computer to not prompt, then any program, even programs that you do
not start or do not prompt, could launch that program and wipe data off
of your computer.

 

[Guest]

Ron,

Well, if I understand how Comodo Firewall Pro works, any program that tried
to access the internet had to do so *exactly* as it was at the time you
allowed it and asked to remember it.

So, if someone injects code into its memory space, Comodo will detect that
and stop the access and re-ask you for the access.. explaining why too. This
happens also for tons of reasons..
- Different parent (caller of application.. if it's not me, then it would
let me know),
- dll was hooked to app, it will detect that as well and ask
- etc etc.

To me, those seem to be the necessary security features that UAC could use
as well (with preferred/trusted app if that was included). This way, *noone
else* could start an app.. (different parent). If the app gets modified *in
any way*, it'd get blocked as well... etc

Thinking on this while I'm writing this, what if an app gets changed by a
virus while I'm using XP and then when I'm back to Vista, using the same app,
AND being the original user that ask it to start, I'd get the same UAC popup
and I'd tend to say -- ok continue -- without thinking twice about it... but
with the Comodo way, it would *know* that the program was modified in some
way and would tell me so.

Somethings to think about

REgards...

 

[Guest]

Jimmy,

I hear ya on this, but check my answer to Ron below for my arguments.

Regards...

 

[Guest]

c,

Aye, I hear you there .. there have been occasions in my life where I got
what I wished for and it didn't always turn out the way I anticipated

But what I'm hoping for is simply an easier way to manage the security (for
the users). I see tons of messages on the forums about how people are tired
to always have to click on the 'continue' button. To me, this is an
indication that perhaps ways should be found to alleviate the repeatedness
(spelling? -- french Canadadian here of the process.

See my post to Ron about what I said about how Comodo manages it's
protection. Although it's a firewall, they did implement some very solid
security features.

Btw, I don't work or am I in any way affiliated to them.. I was just
impressed with their implementations and thought I'd share it since it
*might* reflect hte subject matter.

Regards....

--
Rej

[QRtSH]

Re: Is there a way to remember a trusted program ...

....without malware being able to set itself as "trusted"?

Be careful what you wish for...

------------------------------------ ---- --- -- - - - -

"For every complex question, there's a simple
answer - and it's wrong." H.L. Mencken

------------------------------------ ---- --- -- - - - -

 

[Guest]

Ron,

Forgot to mention that the 'same app' used on both Xp and Vista is currently
Process Explorer and AutoRuns from SysInternals. Since they don't have
installers, I use the same .exes for both operating systems.

--
Rej

Ron,

Well, if I understand how Comodo Firewall Pro works, any program that tried
to access the internet had to do so *exactly* as it was at the time you
allowed it and asked to remember it.

So, if someone injects code into its memory space, Comodo will detect that
and stop the access and re-ask you for the access.. explaining why too. This
happens also for tons of reasons..
- Different parent (caller of application.. if it's not me, then it would
let me know),
- dll was hooked to app, it will detect that as well and ask
- etc etc.

To me, those seem to be the necessary security features that UAC could use
as well (with preferred/trusted app if that was included). This way, *noone
else* could start an app.. (different parent). If the app gets modified *in
any way*, it'd get blocked as well... etc

Thinking on this while I'm writing this, what if an app gets changed by a
virus while I'm using XP and then when I'm back to Vista, using the same app,
AND being the original user that ask it to start, I'd get the same UAC popup
and I'd tend to say -- ok continue -- without thinking twice about it... but
with the Comodo way, it would *know* that the program was modified in some
way and would tell me so.

Somethings to think about

REgards...

 

[Jimmy Brush]

Ron,

Forgot to mention that the 'same app' used on both Xp and Vista is currently
Process Explorer and AutoRuns from SysInternals. Since they don't have
installers, I use the same .exes for both operating systems.

So, you're saying that UAC should remember what program launched the
admin program, and then only prompt if a different program tries to
launch the program?

That's a good idea.

Unfortunately, it 1) still doesn't ensure that *you* are the one
launching the program, it just ensures that a certain program is doing
the launching, and 2) it is not yet possible for the system to make that
assurance.

For example, let's say you launch a program from the start menu that you
want to always elevate without asking.

That's all well and good, and it seems like a reasonable tradeoff
between security and usability, but in reality it only appears so.

It is trivial to run code in the process of explorer, and really in any
process that lives in the same privilege level, and its not merely a
matter of "checksumming the file" to verify it hasn't been changed,
there are ways to get code to run inside of a process that wouldn't be
detectable using that method.

It's not just about you trusting the program, but just as much if not
more about ensuring that you are the one starting it.

I do think it is possible to do this without a prompt; however, the
problem is much more challenging than it appears at first glance .

 

[Guest]

Hi Jimmy,

So, you're saying that UAC should remember what program launched the
admin program, and then only prompt if a different program tries to
launch the program?

That's a good idea.

Unfortunately, it 1) still doesn't ensure that *you* are the one
launching the program, it just ensures that a certain program is doing
the launching, and 2) it is not yet possible for the system to make that
assurance.

Thanks although the credit goes to the developers of Comodo -- I've
learned about the technologies from them recently.

'It is not yet possible for the system to make that assurance'. -- from what
I've seen on Comodo, it can assure who starts the program and if it's *not*
able to, it detects it as an 'Invisible parent' -- meaning it's not you as
well.

Again, I need to remind you that altho I've done some development a few
years back in C++ VS 6.0, I'm no 'expert' in these matters. What I perceive
as them being able to detect the parent might be different as how I'm
describing it.. the best way for you guys to know for sure would be to test
it yourselves although the Vista version isn't out yet.. only XP (Vista
version is Beta as of now).

For example, let's say you launch a program from the start menu that you
want to always elevate without asking.

That's all well and good, and it seems like a reasonable tradeoff
between security and usability, but in reality it only appears so.

It is trivial to run code in the process of explorer, and really in any
process that lives in the same privilege level, and its not merely a
matter of "checksumming the file" to verify it hasn't been changed,
there are ways to get code to run inside of a process that wouldn't be
detectable using that method.

- Aye, if they are checksumming to verify the integrity of the file, perhaps
you are right, but from what I've seen, they seem to use something else..
I've tried changing an .exe myself using an hex program and restart it, and
it detected it as changed -- no clue as to how they do that but so far, it
seems to work.

It's not just about you trusting the program, but just as much if not
more about ensuring that you are the one starting it.

- I hear you there... that's the purpose of the security added the Vista and
I'm *all* for security (not a fanatic, but I scan my PC every month, boot
intense scan every 3 months or so -- I even rescan every files I'm
downloading even tho my scanner is scanning them while I download etc).
As I mentionned previously, from what I've seen, I am not able to start a
program other than my double clicking on it without Comodo detecting it..
again, not being an expert, perhaps someone at MS could play around with it
and who knows, find a way to make UAC even better than it already is --
there's always place for improvements. just need to find the correct way to
do it

I do think it is possible to do this without a prompt; however, the
problem is much more challenging than it appears at first glance .

That I completely agree with you and indeed it *is* challenging, but I
have faith in the team to come up with a solution in the near future --
there's no stopping progress after all

btw, I'd like to thank you for replying.. I think this is a very interesting
subject and who knows, it might lead to some sort of a glimpse of a
solution... who knows

Regards...
--
Rej

btw if you're interested in testing the software in question, I could send
you the link altho I'm sure if it's in the forum rules or not. another easy
way is to search for it using 'comodo firewall pro'.

 

[Guest]

Just realized that changing a few bytes with an hex program would modify the
checksum of the program

lol, perhaps that's how they do it, I'm just not sure..

Rej

p.s. That's what happens when i try to answers intelligently after an all
nighter ;/ sorry about that.

 

[cquirke (MVP Windows shell/user)]

also Jimmy Brush

It's similar to what All-Seeing-Eye and PrevX do, like an "internal
firewall" sort of behavior.

Both of these aren't bulletproof, and (1) is important, because so
many programs can be automated to do different things via CLI
parameters etc. The problems with "has this program changed?" are:
- contents of code file, as checked by MD5, version
- contents of in-memory process, i.e. runtime code injection
- whether it's the file, or an ADS attached to the file
- whether the file is being "glove-puppeted" (i.e. BHOs in IE)

'It is not yet possible for the system to make that assurance'. -- from what
I've seen on Comodo, it can assure who starts the program and if it's *not*
able to, it detects it as an 'Invisible parent' -- meaning it's not you

Not sure how well this works, given the lengths UAC has to go to (e.g.
resetting the display) to prevent automation of its own UI.

The old model was "anything that happens during your logged-in
session, we assume you wanted to do, and you are responsible for", and
that just doesn't work very well (aside from scapegoating the user).

UAC is a step away from that, and towards putting the interactive user
back in (some) charge over automated and remote processes.

What I perceive as them being able to detect the parent might be
different as how I'm describing it..

It's not easy... everything's designed to be so open to OLE etc. that
it's hard to maintain contexts such as which user's rights are in
effect, which security zone it is in, etc. and all of those things are
fences rather than walls (i.e. often bypassed in various ways).

- Aye, if they are checksumming to verify the integrity of the file, perhaps
you are right, but from what I've seen, they seem to use something else..

OK, as checksumming:
- is "noisy" when code is frequently updated
- misses in-RAM injection, ADS, automation and "glove-puppeting"

I've tried changing an .exe myself using an hex program and restart it, and
it detected it as changed -- no clue as to how they do that but so far, it
seems to work.

Trickier to do, but; try chaning the in-memory image while leaving the
on-HD file alone, and see if that's detected?

Then copy Calc.exe to an ADS on a copy of Notepad.exe (or something
similar) and run the ADS code; is it seen as Notepad, Calc, or other?

-------------------- ----- ---- --- -- - - - -

"If I'd known it was harmless, I'd have
killed it myself" (PKD)

 

[Guest]

cquirke,

Thanks for the reply (replies

I've currently moving and I'm about to unplug the PC until I'm at my new
location.. I'll check out your replies more thoroughly once I'm somewhat
setup and be able to answer them then.

Until then

Regards...