Security Frustrations - Bundle of Questions (Defender, UAC)

Guest

Frustrated Vista Home Premium user, very IT literate whose stupidity you may
nonetheless take for granted; your patience is appreciated (but if you can
live with UAC/Defender you already have more patience than I do)

I have startup programs I trust that Defender always blocks.

I don't see the "Alert dialog with Action Menu", just the Defender balloon
from the systray at startup, so I never see any option to add a program to
the Allowed Items list. How do I allow programs of my choice? When should the
dialog appear?

I have turned off "Auto Start" Real-Time protection, and that didn't seem to
make any difference either, despite what it says in Help. Any ideas why?

I also understand that the heuristics used to detect "harmful or unwanted"
programs include looking for the string "updater" in the file name... I have
updaters I trust which are also blocked, is there any way to disable just
this aspect of the heuristics? Or any other way to get them to run silently?

Misc gripes: program classification: as a startup item Microsoft Windows
Explorer is classified as Permitted, but as a Running Program (with suffix
:3088, ?PID?) it is marked Not Yet Classified - what's going on here? Why on
earth does the Defender's History claim a program name is "Unknown", when the
app path is in the bottom pane? (but you can only see it if the window is big
enough). How does a program get its classification?

And I wish Defender would explain which specific settings catch particular
programs! Any way to tell?

Oh, and I know that UAC is supposed to catch programs that require Admin
privileges, but is there any way on this great green earth to tell it "Yes, I
know! I have approved this program with Admin password, don't ask me again
*unless the app changes*!"? [Surely MS could check for program alteration,
other security apps can!] And why doesn't it say WHAT, requiring admin
privilege, the program wishes to do/which rules caught it - put it under an
Advanced button to avoid frightening the masses if necessary, but don't omit
it!

I kept my XP machines free of problems for >2 years with a combination of
RegRun (which has an excellent application database behind it), Norton
Antivirus and Steganos Antispyware; I can't believe how after so much effort
by MS, Vista security could have been made so unfriendly, intrusive and
obscure.

I have already reset my main account to Admin, so at least I don't have to
TYPE my password at every UAC prompt, which already defeats part of the MS
objective... if I am just being plain dumb and people can answer the above
questions great - otherwise I think both UAC and Defender are going to be
turned off and I'll run security the way I used to...

Given that not all apps have been adapted to the preferred MS model yet, can
you tell me how to set Vista/Defender up for peaceful AND secure running?

Thanks!

Julian
 
William Beard

Wow, Julian. You got my attention. But, since I'm the only user on my
computer, I was automatically set up as Administrator (I think. Well, it says
Administrator on the User Accounts window.). Remember how in XP the Windows
Defender was in installation. Well, they took care of that. It's not in
"Programs and Features" unless they have hidden it somehow. It is listed
under Program Files on the C: drive. One of the folders I can look into.
You might check out "Control Panel...System and Maintenance...Performance
Information and Tools...Manage startup programs".

If you really want to blow a fuse...take a look at the Event Viewer.
Children, don't try this at home. One of the easier fixes was that the
Viewer showed me a file that was missing. Yeh. A search confirmed that the
file was not on my C: drive (File: I8042prt.sys). Oh, I cleared the log and
rebooted to make sure it wasn't a false reading. But, sure enough, the
error reappeared. It cost me twenty bucks to get a copy of the file (you
don't think Microsoft would make a copy available). The Event Viewer says
it's missing (not in so many words), but does Microsoft Update download
me a copy? Hahaha. I put it into the System32 folder and guess what. No
more missing I8042prt file errors.

I even brought my computer tech in on one error involving the BIOS.
"IRQARB: ACPI BIOS does not contain an IRQ for the device in PCI slot 7,
function 0. Please contact your system vendor for technical assistance."
The last I heard he was calling Microsoft for advice on how to resolve the
error. I don't plan on seeing him again for a while.

I even went so far as to publish my Event Viewer errors as questions on the
Windows Vista Community Discussion Groups. Guess what. I have not had one
reply on any of them. I would like to think that some bright young MVP is
staying up nights trying to resolve the errors, but something tells me that
no one wants to have anything to do with them. So, if you have a strong
stomach, take a look at your Viewer. I have a feeling our friend Kirk has
never even heard of the Viewer.

Keep Smiling...It makes them worry.



 
Guest

> Frustrated Vista Home Premium user, very IT literate whose stupidity you may
> nonetheless take for granted; your patience is appreciated (but if you can
> live with UAC/Defender you already have more patience than I do)

I've lived with it for over a year, and I'm not particularly patient.

> I don't see the "Alert dialog with Action Menu", just the Defender balloon
> from the systray at startup, so I never see any option to add a program to
> the Allowed Items list. How do I allow programs of my choice? When should the
> dialog appear?

Click the balloon. If you miss the balloon:
1. Select "Windows Defender" from the Start Menu: All Programs.
2. Click Tools.
3. Click Software Explorer.
4. Select the program you want to run and click the "Enable" button.

> I have turned off "Auto Start" Real-Time protection, and that didn't seem to
> make any difference either, despite what it says in Help. Any ideas why?

That has nothing to do with startup programs. That just governs whether you
want Defender to protect you from spyware when you read e-mail and surf the
web.

> I also understand that the heuristics used to detect "harmful or unwanted"
> programs include looking for the string "updater" in the file name...

No, not at all. Defender uses a blacklist to block software that is
considered spyware, and a heuristic detection to block certain actions
without approval. Those actions include many of the most common actions that
spyware take, such as adding themselves to your startup programs, setting up
proxies in your web browser, or hijacking your name resolution services. All
of those are used by criminals to hijack your computer, which is why Defender
blocks them until you approve them.

It is not Defender but UAC that detects installers in several ways,
including by file name. That is done so that installers are elevated to run
as a full admin (with approval) to ensure they always work properly. It has
nothing to do with Defender and if you disable UAC that detection is turned
off, and not needed any more.

> I have
> updaters I trust which are also blocked, is there any way to disable just
> this aspect of the heuristics? Or any other way to get them to run silently?

Yes, you can disable the installer detection in UAC but it is a registry
hack. If you do, you must manually elevate installers. It won't automatically
prompt you any more. To disable installer detection run this command from an
elevated command prompt (one running as an administrator):

    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableInstallerDetection /t REG_DWORD /d 0 /f
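The registry key in that command holds the rest of the UAC policy as well, so before (or after) applying a change like this it is worth knowing what the whole key says. The script below is an added example, not part of this thread or of any Microsoft tool: it reads the key and reports, read-only, which of the well-known UAC values (EnableLUA, EnableInstallerDetection, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop) are in a weaker-than-default state, with EnableInstallerDetection = 0 being exactly the state the reg command above produces. The "weak value" lists and the Vista defaults assumed here are the author's assumptions; a value that is absent from the key means Windows is using its built-in default.

```powershell
# Added example (not from the thread): read-only audit of the UAC policy key
# that the "reg add" command above edits. Reading HKLM needs no elevation.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Value name, the assumed Vista default, the values that weaken protection,
# and what such a weak value means in practice (assumptions by the author).
$checks = @(
    @{ Name = 'EnableLUA';                  Default = 1; Weak = @(0);
       Note = 'UAC is off entirely: an admin account runs everything with the full token' }
    @{ Name = 'EnableInstallerDetection';   Default = 1; Weak = @(0);
       Note = 'installer detection is off (the reg hack above): installers must be elevated by hand' }
    @{ Name = 'ConsentPromptBehaviorAdmin'; Default = 2; Weak = @(0);
       Note = '0 elevates admins silently with no prompt at all' }
    @{ Name = 'PromptOnSecureDesktop';      Default = 1; Weak = @(0);
       Note = 'prompts appear on the normal desktop, where other programs can draw over them' }
)

function Get-UacPolicyReport {
    param([string]$Key = $policyKey)
    # Missing key or missing values are not errors: they mean "built-in default".
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    foreach ($c in $checks) {
        $actual = $null
        if ($null -ne $props -and $null -ne $props.($c.Name)) { $actual = [int]$props.($c.Name) }
        $status = if ($null -eq $actual)          { 'default (value not present)' }
                  elseif ($c.Weak -contains $actual) { 'WEAKER THAN DEFAULT' }
                  else                             { 'set' }
        [pscustomobject]@{
            Setting = $c.Name
            Actual  = $actual
            Default = $c.Default
            Status  = $status
            Meaning = if ($status -eq 'WEAKER THAN DEFAULT') { $c.Note } else { '' }
        }
    }
}

Get-UacPolicyReport | Format-Table -AutoSize -Wrap
```

Running it before and after the reg command shows EnableInstallerDetection flip from "default (value not present)" to "WEAKER THAN DEFAULT", which is a useful reminder of what was traded away when the prompts stopped.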
> Misc gripes: program classification: as a startup item Microsoft Windows
> Explorer is classified as Permitted, but as a Running Program (with suffix
> :3088, ?PID?) it is marked Not Yet Classified - what's going on here? Why on
> earth does the Defender's History claim a program name is "Unknown", when the
> app path is in the bottom pane? (but you can only see it if the window is big
> enough). How does a program get its classification?

A program gets its classification through SpyNet:
http://www.microsoft.com/athome/security/spyware/software/privacypolicy.mspx

> And I wish Defender would explain which specific settings catch particular
> programs! Any way to tell?

No, but you can turn off the ones that offend you by going to Tools: Options
and selecting the things you want under "Use real-time protection
(recommended)." For instance, if you like your spyware to run when you log on
to your computer then uncheck the "Auto Start" box.

> Oh, and I know that UAC is supposed to catch programs that require Admin
> privileges, but is there any way on this great green earth to tell it "Yes, I
> know! I have approved this program with Admin password, don't ask me again
> *unless the app changes*!"?

No. An application can perform a lot of tasks, and can be driven to do so
automatically by other applications. To use an "always permit" option would
be most unwise; on par with how other vendors do it in their software.

> [Surely MS could check for program alteration,
> other security apps can!]

Sure, but how do you know that the task you are taking now is non-malicious,
but the one an application is automating ten minutes from now is not?

> And why doesn't it say WHAT, requiring admin
> privilege,

How would you do that? Windows is not detecting that the program is trying
to perform an administrative task. Windows is simply responding to what the
program is telling Windows to do. The program tells Windows that "hey, I
would like to be an admin now, can you ask the user if that's OK?" Windows
has no a-priori knowledge of what exact task you are about to take with the
program. Sure, every such task could be automated. To see how that would work
I just trapped some output from a program that may be taking administrative
tasks. In three and a half seconds the program took 40,728 actions, many of
which are administrative. Windows could certainly prompt you for each, but
frankly, that would be silly. Furthermore, there is no way of knowing which
actions the program is going to take a priori, hence the lack of a "sure,
always allow this program for me" option. When writing my latest book I spent
some time with Symantec's firewall product. It detected a piece of possible
malware that I executed and asked if I wanted to permit it to access the
Internet or not. The action it detected was just a lookup of a name. That was
not particularly sensitive, so most users would hit "Enter" and pick the
default option, which was "Always allow connections for this program." Only
if you went through 8 steps to create a custom rule did you get prompted when
the program tried to upload all your checking account information to a server
in Russia. The "always allow this program" is a horrible option since the
software asking you to decide has no idea what future actions this program
may take.

> I kept my XP machines free of problems for >2 years with a combination of
> RegRun (which has an excellent application database behind it), Norton
> Antivirus and Steganos Antispyware; I can't believe how after so much effort
> by MS, Vista security could have been made so unfriendly, intrusive and
> obscure.

What exactly are you doing to make it so "unfriendly, intrusive, and
obscure?" I'm seriously interested in that. I don't get any of these messages
or blocks on most days and I have run Vista daily since the day it shipped
(and before). The only time I get one of these messages is on the rare
occasion when I install something.

> Given that not all apps have been adapted to the preferred MS model yet, can
> you tell me how to set Vista/Defender up for peaceful AND secure running?

No. There are three options: secure, usable, and cheap. You get to pick any
two. Your choice. That's a fundamental law of computing. You are responsible
for your own security. You can try to abdicate that responsibility to others,
but, as in the case with my experiment with Symantec's firewall above, it
usually does not work. Technology cannot solve these problems. Security
should not be the major part of what you do with your computer, or even 10%
of it, but in the world we live in today you definitely need to adjust your
expectations a little if you wish to keep your private information private
and your money in your checking account instead of the bad guys'.
 
Guest

Thanks Jesper...

Noted info on auto-start, heuristics (Defender vs UAC) and the reg hack
(filed for reference - much appreciated).

I also appreciate the points re not having "always permit", especially that
apps can be driven from other apps... but if the system doesn't give me the
equivalent of a stack trace, how can I tell whether a request for privilege
arises from my direct action (which I should permit) or from some malware
invocation (which I should not permit)? But having thought about this a lot
I can see how difficult/nasty it could be from both UI AND implementation
perspectives.

I liked your example, but how would Vista security have prevented the upload
of sensitive data? Each time a dialog popped up you would have said "OK,
just this once" and, not seeing any difference in the circumstances (because
Vista doesn't tell you), wouldn't you also have said "OK, just this once"
on the fatal 8th time? (nice "social engineering"!)

An example of my issue is this: Steganos' "updatesafeagent" runs when I start
Safe, when I open a safe and when I close it. It is only legitimately called
by "Steganos Safe" (though I think 3 calls is excessive!). It probably
doesn't need admin privileges unless it finds an update (which it hasn't
yet), so that may be Steganos' fault, but I do still trust it.

Re Defender... Oh, I did indeed feel very stupid (at first, BUT... see
below) when you said:

> Click the balloon. If you miss the balloon:
> 1. Select "Windows Defender" from the Start Menu: All Programs.
> 2. Click Tools.
> 3. Click Software Explorer.
> 4. Select the program you want to run and click the "Enable" button.

I immediately went to Defender to look for Enable and suddenly realised my
problem: my screen is quite large and hi res and I have the window
maximised... being focussed on the app list and info pane, having tried
right-clicking for a context menu (a logical choice it seemed) I completely
missed the greyed out buttons in the bottom right corner. Doh! [FWIW I
rechecked the direct help link "Using Software Explorer in Windows Defender -
it doesn't mention Remove/Enable/Disable as far as I can see... ]

So I selected an app, and guess what? The buttons were still greyed out.

I worked through every app in the list and sometimes buttons were available,
but most of the time none were; I can't see the pattern.

I think the UI design is weak here: right-click/radio buttons would have
been better: keep action options close to their targets; buttons so far away
that are nearly always greyed out are not prominent enough.

Examples: two programs blocked at startup from Reg Local Machine
"Macrovision Update Service" and its scheduler are classified as "Not Yet
Classified", and when selected no buttons are available - they cannot be
enabled (or disabled, or removed)

LxrAutorun (Reg Current User) which handles my encrypted USB stick is also
NYC, but has Remove and Disable buttons available. (As I said, I run as admin
now to avoid retyping my long and secure password each time.)

Adobe Acrobat (All Users Startup) has no buttons enabled? Can't I remove it
from startup from here? (Am I expected instead to delete it from the Startup
folder? That's an inconsistent approach)

Now, if an app is allowed to run even if NYC (which would account for
LxrAuto run actually running, which it does) this would not account for
Macrovision not running. What criteria determine whether an app actually
runs?

And how does "Allow" differ from Enable? I still have an empty Allowed list
and no idea how I might add an item to it.

I don't get it at all.
> What exactly are you doing to make it so "unfriendly, intrusive, and
> obscure?" I'm seriously interested in that. I don't get any of these messages
> or blocks on most days and I have run Vista daily since the day it shipped
> (and before). The only time I get one of these messages is on the rare
> occasion when I install something.

LOL! If only I knew! Most points above: I have startup items I still cannot
make run at startup without intervention, despite your help, I have apps I
trust that I always want to run, and run without prompts because they are
used so often - if my trust is misplaced then that should be my problem -
play wailing sirens and fly the Jolly Roger on the screen if you want to put
people off making such choices carelessly, but at least provide the choice.

I do not want to disable UAC or turn off Defender because I appreciate what
they are trying to do for me, but... [da capo]

And this is Home Premium, so I don't have as many security choices as
Ultimate users have - unfortunately... I think many of the Home omissions are
strange/annoying/clever marketing... but that's another topic.

Jesper, you put a lot of effort into your reply, I really appreciate it.

Julian
 
Guest

> but if the system doesn't give me the
> equivalent of a stack trace, how can I tell whether a request for privilege
> arises from my direct action (which I should permit) or from some malware
> invocation (which I should not permit)?

That is the key problem. There is no infrastructure in the OS to percolate
that to where the access check happens. Theoretically, one could be built,
but it would require some low level instrumentation and modification to
hundreds, maybe thousands, of APIs. That's not a change to be taken lightly,
especially not since you can't just go modify those APIs. There has to be a
path for supporting uses that do not understand the new APIs unless you
intend to break all existing software.

> I liked your example, but how would Vista security have prevented the upload
> of sensitive data? Each time a dialog popped up you would have said "OK,
> just this once" and, not seeing any difference in the circumstances (because
> Vista doesn't tell you), wouldn't you also have said "OK, just this once"
> on the fatal 8th time? (nice "social engineering"!)

Yep, that's the problem. One of the gripes I have with UAC still is that it
does not give people enough information to make decisions yet. That's a
problem that will take a very long time to solve though. I don't know how to
really do that. The problem, as you say, is that people become accustomed to
the dialogs and stop paying attention to them. They become a fast-clicking
exercise.

> I immediately went to Defender to look for Enable and suddenly realised my
> problem: my screen is quite large and hi res and I have the window
> maximised

We can probably find a good home for that screen if you find it cumbersome!
:)

> I worked through every app in the list and sometimes buttons were available,
> but most of the time none were; I can't see the pattern.

Don't know what that means but I think certain OS components are
automatically permitted and can't be changed. For instance, on the system I
am looking at right now I see userinit and Explorer with all greyed out
buttons. Strictly speaking you can run without Explorer (although it won't be
pretty) but userinit is required. Everything else I can disable.
> I think the UI design is weak here: right-click/radio buttons would have
> been better: keep action options close to their targets; buttons so far away
> that are nearly always greyed out are not prominent enough.

Yes, I definitely find the UI design somewhat obtuse.

> Examples: two programs blocked at startup from Reg Local Machine
> "Macrovision Update Service" and its scheduler are classified as "Not Yet
> Classified", and when selected no buttons are available - they cannot be
> enabled (or disabled, or removed)

Did you click the "Show for all users" button? I think that allows you to
modify things that are running for all users. If you do that you elevate the
app and then you should be able to modify those components. If you don't
click that button you can only modify your own components.

> Now, if an app is allowed to run even if NYC (which would account for
> LxrAuto run actually running, which it does) this would not account for
> Macrovision not running. What criteria determine whether an app actually
> runs?

Sorry, I don't understand your question. If an app is in one of the startup
items and it is configured as enabled in Defender it will run.

> And how does "Allow" differ from Enable? I still have an empty Allowed list
> and no idea how I might add an item to it.

You can allow an app to run, but disable it temporarily. Think of it as a
testing feature "I want to run my system with this component disabled, but I
don't want to block it permanently."
> LOL! If only I knew! Most points above: I have startup items I still cannot
> make run at startup without intervention, despite your help, I have apps I
> trust that I always want to run, and run without prompts because they are
> used so often - if my trust is misplaced then that should be my problem -
> play wailing sirens and fly the Jolly Roger on the screen if you want to put
> people off making such choices carelessly, but at least provide the choice.

I think that's the issue really. I don't generally run a lot of third-party
utilities and so on. Those are the ones that are more likely to generate the
popups because the small devs are the ones that have not figured out that
Windows 95 is no longer the standard toward which to write software. I
dislike having all these third-party apps that I can't update, so I will live
without Jolly Roger.

> And this is Home Premium, so I don't have as many security choices as
> Ultimate users have - unfortunately... I think many of the Home omissions are
> strange/annoying/clever marketing... but that's another topic.

Absolutely. It is about "SKU Differentiation" which, frankly, I don't get.
It's making life a lot more difficult for those of us trying to help people.

> Jesper, you put a lot of effort into your reply, I really appreciate it.

No worries. I like UAC (and Defender - mostly) and I really hope it succeeds
in what it is intending. It worries me greatly that people are denigrating it
because it fails on things that it was never designed to do in the first
place. Just this past week InfoWorld, one of the most respected magazines in
the industry, carried a dreadful piece on their front cover that basically
echoed all the poorly substantiated opinions from various "luminaries" who
haven't bothered understanding how UAC, or Vista in general, actually works.
They had everything from UAC's failure to properly establish a security
boundary (it was not designed to do that) to the firewall outbound filters
being off by default (they are on by default) in the article. It's really
very unfortunate that even a reputable magazine like InfoWorld can't be
bothered to see the bigger picture and make their reporters actually check
their facts.

I'm working on an article for TechNet Magazine on UAC. I will definitely
cover the failure of the popular press to understand the technology and its
willingness to jump on every claim from Microsoft's competitors in there, and
how that is harming the ultimate objective of helping computer users protect
themselves.
 
Guest

> We can probably find a good home for that screen if you find it cumbersome!

Big for a laptop :) Sorry, not detachable :)

> Did you click the "Show for all users" button? I think that allows you to
> modify things that are running for all users. If you do that you elevate the
> app and then you should be able to modify those components. If you don't
> click that button you can only modify your own components.

Can't see that Show For All should be relevant; if they are running for me,
then I want to modify how they run for me, I don't care about anybody else.
Why should I have to, how could I know I should do all that, he asked
rhetorically :)

> Sorry, I don't understand your question. If an app is in one of the startup
> items and it is configured as enabled in Defender it will run.

I am reasonably sure I have NYC apps that run at startup; Macrovision is
also NYC, it doesn't run. What determines what runs at startup - it couldn't
be classification alone if I am (reasonably) correct. What enables apps, on
what basis?

> Absolutely. It is about "SKU Differentiation" which, frankly, I don't get.
> It's making life a lot more difficult for those of us trying to help people.

And creating the need for some of that help in the first place. Nuff said.

> No worries. I like UAC (and Defender - mostly) and I really hope it succeeds
> in what it is intending. It worries me greatly that people are denigrating it
> because it fails on things that it was never designed to do in the first
> place. Just this past week InfoWorld, one of the most respected magazines in
> the industry, carried a dreadful piece on their front cover that basically
> echoed all the poorly substantiated opinions from various "luminaries" who
> haven't bothered understanding how UAC, or Vista in general, actually works.

If Defender and UAC work to spec - and I assume they do - I agree the
denigration is misdirected: it should be directed at MS communication. When
announced or demoed or whatever, MS should have been very clear about their
scope etc. and then checked the reporting immediately afterwards. If it
didn't demonstrate correct understanding immediate re-explanation should have
been required.

MS must be responsible for ensuring that it is being understood - no one
else can be. I do think MS at the very least found it convenient to have the
improved security of Vista attract so much attention up front - but now it is
reaping the whirlwind. That's what you get for too much huff and puff.

> I'm working on an article for TechNet Magazine on UAC. I will definitely
> cover the failure of the popular press to understand the technology
Hmmm... are you going to say it's perfectly clear or....?

If someone doesn't understand something (general relativity or Vista
security) you can say they are unqualified, stupid, or lazy (or some
combination, which might be true but whether it is helpful to say so is
another matter) - or you can accept that it wasn't explained well enough.

(Unless of course it's quantum mechanics, in which case the famous dictum is
"Anyone who says they understand quantum mechanics clearly doesn't." - which
probably only makes sense if you understand quantum mechanics <g>)

When everyone scores below par in an exam, the examiner would rightly look
to the teacher for having failed in the primary objective - communicating
understanding effectively.

You are fortunate if you can do without some of these 3rd party apps, my
business and interests require many niche applications - I don't think I
should be penalised for not being Joe PC User.

UAC & Defender - I appreciate the ambitions for them; I don't think the
overall execution can be called satisfactory.

Thanks again,

Julian
 
Alun Harford

William said:
> Wow, Julian. You got my attention. But, since I'm the only user on my
> computer, I was automatically set up as Administrator (I think. Well, it
> says Administrator on the User Accounts window.). Remember how in XP
> the Windows Defender was in installation. Well, they took care of
> that. It's not in "Programs and Features" unless they have hidden it
> somehow. It is listed under Program Files on the C: drive. One of the
> folders I can look into. You might check out "Control Panel...System and
> Maintenance...Performance Information and Tools...Manage startup programs".
>
> If you really want to blow a fuse...take a look at the Event Viewer.
> Children, don't try this at home. One of the easier fixes was that the
> Viewer showed me a file that was missing. Yeh. A search confirmed that
> the file was not on my C: drive (File: I8042prt.sys). Oh, I cleared the
> log and rebooted to make sure it wasn't a false reading. But, sure
> enough, the error reappeared. It cost me twenty bucks to get a copy of
> the file (you don't think Microsoft would make a copy available). The
> Event Viewer says it's missing (not in so many words), but does
> Microsoft Update download me a copy? Hahaha. I put it into the
> System32 folder and guess what. No more missing I8042prt file errors.
>
> I even brought my computer tech in on one error involving the BIOS.
> "IRQARB: ACPI BIOS does not contain an IRQ for the device in PCI slot 7,
> function 0. Please contact your system vendor for technical assistance."
> The last I heard he was calling Microsoft for advice on how to resolve
> the error. I don't plan on seeing him again for a while.

You've told your BIOS (or somebody or something has) that your machine
is not running a plug-and-play OS.
You need to change that setting, so that the OS can assign IRQs.

Alun Harford
 
William Beard

Alun, how do I do that? I figured out how to get into the BIOS, but I
resist the urge to mess with it.
If you can tell me step by step where to go, what to look for, and what it
should say, then I'm willing to give it a try.

William Beard
 
Guest

I'm having similar problems, so just to recap. Is there a way to allow an
application with an unidentified publisher? I'm using the latest beta of WinRAR
and every time I open an archive, it asks me to allow winrar.exe; also at every
startup I have ASUS motherboard software that asks me three times to allow
it to run (3 different .exes, of which Defender blocks one).

Running as an administrator with UAC, and all startup apps are enabled in
Defender, although they are not yet classified.

Luckily I boot my computer only once a week, but it's still a bit annoying.

So is there a way to always allow these apps when I run them (group/security
policy or registry)?
 
Guest

I'm having similar problems, so just to recap. Is there a way to allow an
application with an unidentified publisher? I'm using the latest beta of WinRAR
and every time I open an archive, it asks me to allow winrar.exe; also at every
startup I have ASUS motherboard software that asks me three times to allow
it to run (3 different .exes, of which Defender blocks one).

Sorry, but I don't understand the WinRAR problem. Is it UAC that asks
you to permit it? If so, then winrar.exe is either detected as an installer,
or it has a manifest that asks for it to be elevated. I'm not sure which. You
can try disabling installer detection as per a prior message in this thread
and see what happens.

What is it that prompts for the ASUS motherboard software? Is it Windows
Defender or UAC? The way you get rid of the prompt differs, and if it is UAC,
you really have no options. You should see if you can run your computer
without that software in that case, or pester ASUS to produce a
Vista-compliant software suite for it. It is exactly that kind of software -
requiring interactive users to be admins - that makes UAC so necessary.
 
Guest

Can't see that Show For All should be relevant; if they are running for me,
then I want to modify how they run for me, I don't care about anybody else.
Why should I have to, how could I know I should do all that, he asked
rhetorically:)

So, here is the rhetorical answer:

There are programs that autostart for a single user (for instance, those in
HKCU\Software\Windows\CurrentVersion\Run and in
%userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup)
and then there are those that autostart for all users (such as those in
HKLM\Software\Windows\CurrentVersion\Run and in
%AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\Startup). You can
freely modify your own startup programs but on a multi-user system modifying
startup programs for other users is an action only administrators should be
able to take. Windows Vista, by definition, is a multi-user system even if
for a particular installation there is only one human being actually using
it. The Show All... button elevates your process so that you can modify
startup programs for all users. In a corporate setting, for instance, I, as
the network security administrator, have a set of things I want everyone to
run, and I do not want users to be able to modify those. By making those
users non-admins I can enforce that because they cannot elevate and
circumvent network security policy. Since the OS is inherently multi-user
(there are three users on every system by default - the Administrator, the
Guest, and the one you created at install - although only one is enabled) all
functionality is designed around the premise that the OS supports multiple
users and that therefore one user must be prevented from making unauthorized
changes to the environment of others.

Does that explain why the Show All... button is relevant?
I am reasonably sure I have NYC apps that run at startup; Macrovision is
also NYC, it doesn't run. What determines what runs at startup- couldn't be
classification alone if I am (reasonably) correct. What enables apps, on
what basis?

I don't know what NYC means here (keep thinking New York City, but that's
probably not it). Anyway, what determines running at startup: the fact that
the program is listed/located/linked from one of the locations listed above,
along with a few other extraneous places. It has nothing whatsoever to do
with classification. A program that is listed/located/linked from one of the
auto-start locations is automatically classified as an auto-start or startup
program.
And creating the need for some of that help in the first place. Nuff said.
Exactically.

If Defender and UAC work to spec - and I assume they do - I agree the
denigration is misdirected: it should be directed at MS communication. When
announced or demoed or whatever, MS should have been very clear about their
scope etc. and then checked the reporting immediately afterwards. If it
didn't demonstrate correct understanding immediate re-explanation should have
been required.

Yes. Interestingly enough, the product group, and a few other MS
representatives, such as Mark Russinovich and Steve Riley, have been very
clear about what UAC does and what it does not. The sales force, which
presents the face of Microsoft to the vast majority of customers, have on
occasion imbued UAC with qualities it does not possess. This is really
unfortunate because it means that the popular press has always been able to
find someone with a Microsoft badge that can validate anything they want
validated, however poorly founded the opinion is. The press, of course, still
believes that denigrating Microsoft is the best way to sell advertising, and
are as lazy as anyone else and therefore not particularly interested in
ensuring that their facts are accurate - as the InfoWorld article last week
showed. Microsoft has not been able to exercise sufficient control over them
to help matters much. Rather, the press has relied on sources like Symantec,
who of course have a vested interest in Microsoft being seen as a bumbling
bunch of morons when it comes to security and feels really threatened by the
prospect that Microsoft might actually succeed in anything security-related.
It is kind of like Car and Driver magazine relying on General Motors for the
"facts" and test drive experiences about Toyota's new vehicles. You can
imagine yourself how accurate those "facts" become.
Hmmm... are you going to say it's perfectly clear or....?

No, I wouldn't say that. :) I'm trying really hard to state objective fact
though.
If someone doesn't understand something (general relativity or Vista
security) you can say they are unqualified, stupid, or lazy (or some
combination, which might be true but whether it is helpful to say so is
another matter) - or you can accept that it wasn't explained well enough.

True, but I have found that the facts about UAC are actually there if (a)
you go looking for them, and (b) you understand enough about the OS and
programming to digest them. That's the key problem: you really need to
understand a fair bit about how the OS works to understand how UAC works. In
the article, as well as in the Vista Security Book, I think I spent most of
my time on "translation"; translating the technical details on UAC into terms
that non-developers actually understand, while at the same time explaining
why it is the way it is. That is the part I have not yet seen from Microsoft.
(Unless of course it's quantum mechanics, in which case the famous dictum is
"Anyone who says they understand quantum mechanics clearly doesn't." - which
probably only makes sense if you understand quantum mechanics <g>)

Funny! I just delivered a presentation where I drew parallels between
information security and quantum physics. Maybe I should write an article on
that too?
You are fortunate if you can do without some of these 3rd party apps, my
business and interests require many niche applications - I don't think I
should be penalised for not being Joe PC User.

You are like a lot of people. It is difficult. To a large extent the whole
point of Windows is that it has such a vast majority of applications written
for it. If it weren't for that, the Mac OS is in some ways a much more
elegant (if far less secure) platform.
UAC & Defender - I appreciate the ambitions for them; I don't think the
overall execution can be called satisfactory.

The Microsoft product groups read these newsgroups. If there is constructive
criticism, by all means, put it out here. Many (most) of the people that
respond to questions here are MVPs (http://mvp.support.microsoft.com) who
have traditionally been very good at ensuring the feedback from the
newsgroups makes it back to the product groups. Even some of the non-MVPs,
like myself, have ways to get feedback to MS that they will listen to.

Windows Defender is a version 2/3 product, so it should be a little more
polished, but UAC is truly a v1 product. It definitely has some growing up to
do and some features to come in future versions. They are looking for that
feedback right now.
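The split between per-user and all-users auto-start locations described above, as an added example that is not part of the original thread: a PowerShell script (assumes PowerShell 3.0 or later, and uses the full registry paths under Software\Microsoft\Windows\CurrentVersion) that lists the Run/RunOnce values and Startup-folder items for the current user and for all users, resolves each to the executable that actually runs, and reports its Authenticode signer. A signature that does not validate is what UAC and Defender report as an unknown or unidentified publisher, so the Signer column shows which entries will keep prompting. Nothing beyond the standard locations is assumed; every row comes from the machine it runs on.

```powershell
# Added example, not from the thread. Lists per-user and all-users auto-start
# entries and the Authenticode signer of each target. Needs PowerShell 3.0+
# (for [ordered] and the -File switch on Get-ChildItem). HKLM\...\Run is
# normally world-readable, so an unelevated prompt is fine.

$runKeys = [ordered]@{
    'HKCU Run (current user only)'     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKCU RunOnce (current user only)' = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKLM Run (all users)'             = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKLM RunOnce (all users)'         = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
}
$startupFolders = [ordered]@{
    'Startup folder (current user only)' = Join-Path $env:APPDATA     'Microsoft\Windows\Start Menu\Programs\Startup'
    'Startup folder (all users)'         = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup'
}

function Get-CommandTarget {
    # Extract the executable from a Run value such as
    #   "C:\Program Files\Vendor\tray.exe" /silent   or   C:\tools\x.exe -q
    # An UNQUOTED path with spaces is reported as its first token only; that
    # is the classic unquoted-service-path weakness and worth fixing anyway.
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
    elseif ($Command -match '^\s*(\S+)') { $exe = $Matches[1] }
    else { $exe = $Command }
    return [Environment]::ExpandEnvironmentVariables($exe)
}

function Get-SignerSummary {
    # 'Valid' plus a subject means a chain this machine trusts; anything else
    # is what UAC and Defender surface as an unidentified/unknown publisher.
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path))  { return 'no target' }
    if (-not (Test-Path -LiteralPath $Path))  { return 'file not found' }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid' -or -not $sig.SignerCertificate) {
        return "unsigned or untrusted ($($sig.Status))"
    }
    return $sig.SignerCertificate.Subject
}

$entries = @()
foreach ($key in $runKeys.GetEnumerator()) {
    if (-not (Test-Path -Path $key.Value)) { continue }
    $props = Get-ItemProperty -Path $key.Value
    foreach ($p in $props.PSObject.Properties) {
        # Skip the provider's own PSPath/PSParentPath/... noise and the default value.
        if ($p.Name -like 'PS*' -or $p.Name -eq '(default)') { continue }
        $target = Get-CommandTarget ([string]$p.Value)
        $entries += [pscustomobject]@{
            Location = $key.Key; Name = $p.Name; Target = $target
            Signer   = Get-SignerSummary $target
        }
    }
}

$shell = New-Object -ComObject WScript.Shell
foreach ($folder in $startupFolders.GetEnumerator()) {
    if (-not (Test-Path -LiteralPath $folder.Value)) { continue }
    foreach ($item in Get-ChildItem -LiteralPath $folder.Value -File) {
        $target = $item.FullName
        if ($item.Extension -eq '.lnk') {   # shortcuts: resolve to what actually runs
            $target = $shell.CreateShortcut($item.FullName).TargetPath
        }
        $entries += [pscustomobject]@{
            Location = $folder.Key; Name = $item.Name; Target = $target
            Signer   = Get-SignerSummary $target
        }
    }
}

$entries | Sort-Object Location, Name |
    Format-Table Location, Name, Signer, Target -AutoSize -Wrap
```

The Location column is the point of the exercise: anything under an HKCU key or the per-user Startup folder is yours to change without elevation, while the HKLM keys and the all-users folder are the ones the Show All button elevates for.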
 
Guest

Defender blocks one of the ASUS exe files and I have to manually start it via
Defender every time. The problem is with UAC then, I think, or that all of
them require administrative privileges.
But what I was getting at is: is there a way to allow an .exe file to start
always in admin mode, without any prompts?

When I start winrar.exe it says "an unidentified program wants to access your
computer.
winrar.exe
unidentified publisher
cancel
allow"
 
Guest

Defender blocks one of the asus exe files and i have to manually start it via
defender every time.

I just wrote a different post on that. Search the newsgroups for Defender
and there will be instructions for how to permanently unblock it.
But what i was getting at that is there a way to allow an .exe-file to start
always in admin mode, with out any prompts?

No. You can take various steps to make it not prompt, but there is no way to
elevate it without prompts short of rewriting the app. In other words, yes,
you can remove the prompt, but the app may not work properly if you do.
When I start winrar.exe it says "an unidentified program wants to access your
computer."

If the dialog says "User Account Control" in the title bar it is a UAC
dialog. If not, it is caused by a flag IE puts on the binary when you
download it. You can remove that flag permanently either by checking the box
in the dialog or by right-clicking on the binary and unchecking the box on
the general screen for it. Sorry, but I don't have a dialog in front of me
and I can't remember the exact text but it should be obvious.
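The download flag Jesper refers to, as an added example that is not part of the original thread: the flag is the Zone.Identifier alternate data stream that Internet Explorer (and other browsers) write beside a downloaded file on NTFS, and the Unblock button on the General tab simply deletes that stream. The PowerShell below (assumes PowerShell 3.0 or later for -Stream and Unblock-File) reads the zone, unblocks a file only after its Authenticode signature validates and the signer matches a pattern you supply, and exercises the read/unblock path on a constructed scratch file. The path and signer pattern in the commented real-use line are placeholders.

```powershell
# Added example, not from the thread. The "flag IE puts on the binary" is the
# Zone.Identifier alternate data stream (mark of the web). This reads it, and
# removes it the way Properties > General > Unblock does, but only after the
# Authenticode signature checks out. Needs PowerShell 3.0+ (-Stream, Unblock-File).

function Get-MarkOfTheWeb {
    # Returns the URL Security Zone id recorded on the file
    # (1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites)
    # or $null when the file carries no mark.
    param([string]$Path)
    try {
        $lines = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop
    } catch { return $null }   # no stream: never downloaded, or already unblocked
    foreach ($line in $lines) {
        if ($line -match '^ZoneId=(\d+)\s*$') { return [int]$Matches[1] }
    }
    return $null
}

function Unblock-IfSigned {
    # Remove the mark only for a file whose signature chains to a trusted root
    # AND whose signer subject matches what you expect. Anything else stays
    # blocked so the prompt keeps doing its job.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedSubjectPattern
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        throw "Not unblocking '$Path': signature status is $($sig.Status)"
    }
    if ($sig.SignerCertificate.Subject -notmatch $ExpectedSubjectPattern) {
        throw "Not unblocking '$Path': signer is '$($sig.SignerCertificate.Subject)'"
    }
    Unblock-File -LiteralPath $Path
}

# Constructed demo on a scratch file: write the same stream a download gets,
# read it back, then delete it with Unblock-File. The scratch file is unsigned,
# so Unblock-IfSigned is deliberately not used here; it is for real binaries.
$demo = Join-Path $env:TEMP 'motw-demo.txt'
Set-Content -LiteralPath $demo -Value 'hello'
Set-Content -LiteralPath $demo -Stream Zone.Identifier -Value '[ZoneTransfer]', 'ZoneId=3'
"Zone before unblock: $(Get-MarkOfTheWeb $demo)"
Unblock-File -LiteralPath $demo
"Zone after unblock:  $(Get-MarkOfTheWeb $demo)"
Remove-Item -LiteralPath $demo

# Real use (placeholder path and signer pattern; substitute your own):
# Unblock-IfSigned -Path 'C:\Tools\winrar.exe' -ExpectedSubjectPattern 'CN=Expected Vendor'
```

Note that the stream survives a move or copy between NTFS volumes, which is why a binary can keep prompting after you have relocated it; it is lost on FAT volumes and on most archive formats, so the absence of a mark proves nothing about where a file came from.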
 
Carl G

Hi Julian
Isn't half that security a bunch of crap?
I turned off UAC already; the damn thing wouldn't even let me delete jpg
files I have in my Pictures folder without 2 UAC prompts.
That is a real crock. That is going way beyond security.
I never had any security problems with XP, so why should I have to put up
with this stuff?
I also believe we need a certain amount of security, but not this garbage.
MY 2 CENTS WORTH

--
Carl G

 
cquirke (MVP Windows shell/user)

Defender blocks one of the asus exe files and i have to manually start it via
defender every time.

Which .EXE is it? Is it really "from Asus", or is it a malware
name-alike? Does an Internet search for that file name, plus (say)
Vista, find others with the same issue, and perhaps fixes?
But what I was getting at is: is there a way to allow an .exe file to start
always in admin mode, without any prompts?

Not in the startup axis, no. There are very good reasons for that.
When I start winrar.exe it says "an unidentified program wants to access your
computer.
winrar.exe
unidentified publisher
cancel
allow"

Is WinRAR starting up in the startup axis? If so, why?
"Jesper" wrote:

Oh, OK ... so WinRAR and Asus issues are separate.

In the case of WinRAR beta, clearly they have something to fix before
it works in Vista. Feed this back to the WinRAR folks, as one would
with any beta feedback, and see if they fix it in a new build.

In the case of Asus, it smells like XP bundleware that hasn't been
tested in Vista, and is thus prolly best avoided. Perhaps there's
coverage of this issue in an FAQ at the Asus site, and/or a fix?


-------------------- ----- ---- --- -- - - - -
Tip Of The Day:
To disable the 'Tip of the Day' feature...
 
Guest

Hi, We are trying to make an application Vista compatible. We have
VeriSigned an installer and a program it schedules to run after a re-boot by
placing its name in the RunOnce part of the registry. This makes UAC
"happy", it says we are the signer of the application instead of saying
Unknown. But it does not make Windows Defender happy. When the reboot
program happens then the second program, SetupF.exe, is blocked and the
little "you better see this quick because I'm disappearing soon" kind of
message comes up saying "Some Startup Programs were blocked". If the user
chooses allow blocked program it gives the UAC prompt for do you want this
program signed by "Us" to run. The second half of that is fine. But if we
choose the option to open Windows Defender then SetupF.exe is in the
unclassified section and the publisher is listed as "Unknown Publisher".
So apparently signer (in the VeriSign sense of the word, as signed by
SignTool.exe) is different from Publisher. How do we specify Publisher?
Then at least the program would not be listed as coming from an Unknown
Publisher. Even better would be if we could get it to run without the extra
Windows Defender prompt and only give the UAC prompt (it is marked Require
Administrator in an embedded manifest).

Any thoughts, fixes, links?
Thanks,
Chas
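The build steps Chas describes, as an added example that is neither his code nor the thread's: embed a manifest requesting requireAdministrator with mt.exe, Authenticode-sign the result with signtool.exe, and read back what Windows itself records as the signer. It assumes the Windows SDK's mt.exe and signtool.exe are on PATH; the executable path, PFX path, assembly name and timestamp URL are placeholders. It does not answer the Defender Publisher question, which the thread leaves open.

```powershell
# Added example, not from the thread. Reproduces the build steps in the post
# above for a hypothetical SetupF.exe: embed a manifest that asks for
# requireAdministrator, Authenticode-sign the file, and verify what Windows
# reports as the signer. Assumes mt.exe and signtool.exe (Windows SDK) are on
# PATH. The paths, assembly name and timestamp URL below are placeholders.

$exe     = 'C:\build\SetupF.exe'
$pfx     = 'C:\build\codesign.pfx'
$pfxPass = Read-Host -AsSecureString 'PFX password'
$tsaUrl  = 'http://timestamp.example/rfc3161'   # placeholder: your CA's RFC 3161 server

# 1. Manifest. requireAdministrator makes UAC elevate at launch; the publisher
#    name on the UAC dialog comes from the signature, not from this file.
$manifest = @"
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0" processorArchitecture="*"
                    name="ExampleVendor.SetupF" type="win32"/>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
"@
$manifestPath = "$exe.manifest"
# Write UTF-8 without a BOM so the XML parser sees a clean declaration.
[IO.File]::WriteAllText($manifestPath, $manifest, (New-Object Text.UTF8Encoding $false))

# 2. Embed it as resource #1. mt.exe rewrites the PE, so this MUST happen
#    before signing; done afterwards it would invalidate the signature.
& mt.exe -nologo -manifest $manifestPath "-outputresource:$exe;#1"
if ($LASTEXITCODE -ne 0) { throw "mt.exe failed with exit code $LASTEXITCODE" }

# 3. Sign and timestamp. signtool needs the password in clear text, so keep it
#    in memory only for the duration of the call.
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($pfxPass)
try   { $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
& signtool.exe sign /f $pfx /p $plain /fd SHA256 /tr $tsaUrl /td SHA256 /v $exe
$plain = $null
if ($LASTEXITCODE -ne 0) { throw "signtool failed with exit code $LASTEXITCODE" }

# 4. Check it the way the OS does: Status must be Valid, and Signer is the
#    name UAC displays in place of "Unidentified publisher".
$sig = Get-AuthenticodeSignature -FilePath $exe
[pscustomobject]@{
    Status    = $sig.Status
    Signer    = $sig.SignerCertificate.Subject
    Timestamp = $sig.TimeStamperCertificate.Subject
}
```

The ordering in steps 2 and 3 is the part that bites in practice: any post-build step that touches the PE (manifest embedding, resource patching, UPX) has to run before signtool, and a Status of HashMismatch from step 4 is the usual sign that something ran after it.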
 