UAC refinement/improvement request


Lester Stiefel

Under User Account Control in Vista, you get a "nag screen" every
time you open an unsigned program. Is there a way to add an "allowed
Application" list to this control, so the user can run certain
applications without having to walk through the prompts?

I would think that if the program has proven to be trustworthy, one
should be able to add them to an allowed list (to remove the prompts).
 
Lester,

The problem, as I see it, is that there are malicious programs out there
that try to substitute more common programs with trojans/worms/viruses etc.

So, you tell the O/S to not notify you any longer. The next day you get hit.
The malicious program runs now without your consent.

Are you willing to take responsibility for this, or would you come here
screaming that Vista is no good - as so many others would?

I use ZoneAlarm Internet Security Suite in Windows XP. It has a lot of
warnings due to the O/S firewall section. I got tired and started giving
things blanket approval and said "don't ask me again". Yep! Eleven months
ago I got nailed by a drive by download that imitated an application on my
computer. It took me hours to try to repair the damage. I finally ended up
going back to a previous image I created using True Image. If I didn't have
True Image I could have been at it for many more hours.

--


Regards,

Richard Urban MVP
Microsoft Windows Shell/User
 
Richard Urban said:
Lester,

The problem, as I see it, is that there are malicious programs out there
that try to substitute more common programs with trojans/worms/viruses
etc.

So, you tell the O/S to not notify you any longer. The next day you get
hit. The malicious program runs now without your consent.

Are you willing to take responsibility for this, or would you come here
screaming that Vista is no good - as so many others would?

I use ZoneAlarm Internet Security Suite in Windows XP. It has a lot of
warnings due to the O/S firewall section. I got tired and started giving
things blanket approval and said "don't ask me again".

This is why we invented hashing algorithms. As it stands now, people click
continue when the UAC prompt comes up because it comes up so many times. So
when a UAC box comes up asking if Nasty Trojan can do its stuff, it doesn't
get spotted.

You will notice that ZoneAlarm specifically will re-request permission if it
detects that the program in question has changed. I'm unsure how it
detects this, but it ought to be via a hashing algorithm - if not, then ZA
is weak. But if some malware modifies, or masquerades as, a legitimate
program, when it asks for authorization how do you know whether to grant it
or not? If you are prompted every time, you won't notice, so you'll grant
it. If you've previously told ZA to remember your wishes, you'll know that a
re-request means that the program has been modified, and therefore you can
assess whether you think this change was expected or not, and act
accordingly.

Likewise, if UAC were to behave more like ZA, we would have more effective
protection because we would know that a previously-trusted program had been
modified.
 
CJM said:
This is why we invented hashing algorithms. As it stands now, people click continue when the
UAC prompt comes up because it comes up so many times. So when a UAC box comes up asking if
Nasty Trojan can do its stuff, it doesn't get spotted.

You will notice that ZoneAlarm specifically will re-request permission if it detects that
the program in question has changed. I'm unsure how it detects this, but it ought to be via a
hashing algorithm - if not, then ZA is weak. But if some malware modifies, or masquerades as,
a legitimate program, when it asks for authorization how do you know whether to grant it or
not? If you are prompted every time, you won't notice, so you'll grant it. If you've
previously told ZA to remember your wishes, you'll know that a re-request means that the
program has been modified, and therefore you can assess whether you think this change was
expected or not, and act accordingly.

Likewise, if UAC were to behave more like ZA, we would have more effective protection because
we would know that a previously-trusted program had been modified.

Sygate, one of the best firewalls ever made, used a similar method when
notifying a user to allow or disallow something internet access. I really don't
understand why this couldn't have been built into UAC. I agree that a lot of
users are going to become numb to the prompts and just click right through
them.

It was a sad day when Symantec bought Sygate.


-Michael
 
MICHAEL said:
Sygate, one of the best firewalls ever made, used a similar method when
notifying a user to allow or disallow something internet access. I really
don't understand why this couldn't have been built into UAC. I agree that a lot
of users are going to become numb to the prompts and just click right through
them.

Indeed. I'm a fan of Vista but UAC is a missed opportunity.

I have no insider knowledge, but I suspect that this will be one area that
sees some work in SP1. Hopefully along the lines that we have identified.
 
So, you tell the O/S to not notify you any longer. The next day you get
hit. The malicious program runs now without your consent.

Are you willing to take responsibility for this, or would you come here
screaming that Vista is no good - as so many others would?

What's the difference? You see the name of your app pop up every day, and
every day you say OK. How are you supposed to know when the popup is for a
malicious program vs your trusted program if they go by the same names? It
seems to me that either way you're screwed.
 
msnews said:
What's the difference? You see the name of your app pop up every day, and
every day you say OK. How are you supposed to know when the popup is for
a malicious program vs your trusted program if they go by the same names?
It seems to me that either way you're screwed.

If I click a shortcut to a program it opens up. For a malicious program to
"hook" itself to that shortcut wouldn't it have to modify the shortcut? And
then wouldn't UAC pop up, and warn you that a program that you didn't start,
is trying to change your system?
 
Ray Rogers said:
If I click a shortcut to a program it opens up. For a malicious program to
"hook" itself to that shortcut wouldn't it have to modify the shortcut?
And then wouldn't UAC pop up, and warn you that a program that you didn't
start, is trying to change your system?

If the rogue program copies itself over the original then, UAC or not,
you're screwed. If it is started from another location I think (can anyone
confirm) that it would be treated as a different program, even if it has the
same name as the allowed version, which means you'd get your warning.

The argument for ~not~ having a trusted application list would only hold
true if the rogue program first copied itself over your original and then
only if it started automatically.
 
My biggest bitch with UAC is that it doesn't provide nearly enough
information to make an informed decision. For example: if the
executable/program is signed it should indicate as much. It should also
tell me WHY it needs elevation (in other words what the heck is it trying to
do that requires elevation).

J
 
My biggest bitch with UAC is that it doesn't provide nearly enough
information to make an informed decision. For example: if the
executable/program is signed it should indicate as much. It should also
tell me WHY it needs elevation (in other words what the heck is it trying to
do that requires elevation).

Yep, I think UAC will undergo a MAJOR improvement. Hopefully no later
than SP1, while not normally used to "upgrade", Microsoft is well
aware that as presently configured UAC is badly broken and my guess is
they will address the many flaws and total lack of user friendliness
sooner rather than later.
 
msnews said:
The argument for ~not~ having a trusted application list would only hold
true if the rogue program first copied itself over your original and then
only if it started automatically.

By storing a hash for each trusted application you will be able to tell
that the application has been over-written/modified - it's a simple proven
technique.
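
The check discussed in the posts above (a trusted-application list that stores a hash per program, so an overwritten file or a same-named file in another folder triggers a prompt again), as an added example that is not part of the thread and is not how UAC or ZoneAlarm is implemented. The `TrustList` class, its verdict strings and the sample files are hypothetical and constructed for illustration.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    """Hash the file in chunks so large executables are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

class TrustList:
    """Hypothetical allowed-application list: canonical path -> SHA-256 at approval time.
    A real store would have to be writable only by an administrator."""
    def __init__(self):
        self._approved = {}

    def approve(self, path):
        self._approved[os.path.realpath(path)] = sha256_file(path)

    def check(self, path):
        key = os.path.realpath(path)
        if key not in self._approved:
            return "prompt: not on list"            # the name alone grants nothing
        if sha256_file(path) != self._approved[key]:
            return "prompt: modified since approval"
        return "allow"

def demo():
    """Constructed sample files stand in for executables."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        good = os.path.join(root, "apps", "editor.exe")
        lookalike = os.path.join(root, "downloads", "editor.exe")
        for p, body in ((good, b"original build"), (lookalike, b"impostor")):
            os.makedirs(os.path.dirname(p))
            with open(p, "wb") as f:
                f.write(body)
        trust = TrustList()
        trust.approve(good)
        results["unchanged"] = trust.check(good)
        results["same name, other folder"] = trust.check(lookalike)
        with open(good, "wb") as f:                 # file replaced in place
            f.write(b"impostor")
        results["overwritten"] = trust.check(good)
    return results

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

A legitimate update also changes the hash, so a repeated prompt signals a change rather than proving malice. The hash check and the launch must act on the same file contents, otherwise the file can be swapped between the two.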
 
By storing a hash for each trusted application you will be able to tell
that the application has been over-written/modified - it's a simple proven
technique.

Microsoft doesn't know how to do simple. ;-)

Vista weighs in at 8 GB for a typical install. How nuts is that?
 