A better UAC for Vista / Windows 7

Page not found.

I have a better solution...turn off UAC and don't use your computer like an idiot. Also, have good AV software, and run checks regularly. (UAC is only good for certain malware that can easily be avoided)
 
I checked the page out, and frankly I would be concerned with something that claims to "partially replace" the UAC. I worry about future compatibility with Windows updates, and that I would need to update the Nortons UAC also.
 
I have a better solution...turn off UAC and don't use your computer like an idiot.

Except that's not possible for most people and it's impossible to judge most software's intentions until after you've installed it.
 
Originally posted by: hans030390
(UAC is only good for certain malware that can easily be avoided)

I have to disagree with that one. There are plenty of common scenarios where UAC can stop an attack that you couldn't "easily avoid" by your own l33tness. Given a choice between disabling UAC, or disabling my antivirus software, I'd be far more comfortable disabling my antivirus software. And I have some firsthand basis for that, having hunted malware in the wild for a couple years. Leave UAC enabled.
 
Originally posted by: mechBgon
Originally posted by: hans030390
(UAC is only good for certain malware that can easily be avoided)

I have to disagree with that one. There are plenty of common scenarios where UAC can stop an attack that you couldn't "easily avoid" by your own l33tness. Given a choice between disabling UAC, or disabling my antivirus software, I'd be far more comfortable disabling my antivirus software. And I have some firsthand basis for that, having hunted malware in the wild for a couple years. Leave UAC enabled.

It's annoying. And when I run my regular scans (using all my AV software and the guide from elitekiller.com), nothing turns up. This is the same with and without UAC enabled. Why use it in that case? My AV software catches things. UAC has caught nothing "bad" in the time I've used Vista/Windows 7 (both since release).

Now, get a user that DOESN'T know what they're doing, and it's the same thing. They automatically hit yes anyway (reflex to an annoying prompt). What's the point?
 
Originally posted by: hans030390
Originally posted by: mechBgon
Originally posted by: hans030390
(UAC is only good for certain malware that can easily be avoided)

I have to disagree with that one. There are plenty of common scenarios where UAC can stop an attack that you couldn't "easily avoid" by your own l33tness. Given a choice between disabling UAC, or disabling my antivirus software, I'd be far more comfortable disabling my antivirus software. And I have some firsthand basis for that, having hunted malware in the wild for a couple years. Leave UAC enabled.

It's annoying. And when I run my regular scans (using all my AV software and the guide from elitekiller.com), nothing turns up. This is the same with and without UAC enabled. Why use it in that case? My AV software catches things. UAC has caught nothing "bad" in the time I've used Vista/Windows 7 (both since release).

This is the classic error: "I've never been in a car accident, so why should I wear a seatbelt? What a waste of time. Besides, I'm a great driver and seatbelts annoy me." But the seatbelt will protect you when your great driving fails to save you from something, someday.

UAC, same general concept. By using UAC, you're effectively running your stuff at low-rights level, which is the top proactive defense you can use. Antivirus software isn't a sure-fire defense by itself, as much as we'd all like to think so... after 24 hours, the best detection rates are still below 90% on fresh malware samples (link).

Anyway, having done the research for myself, I advise everyone to run Windows as a non-Admin. There's no simpler way to do that than to leave UAC enabled on Vista/7. If you're not accustomed to being a non-Admin, evar, then it takes getting used to. But try running Win2000/XP as a non-Admin, without UAC to help...

 :light:
:Q <--- you, discovering that UAC is a total cakewalk compared to RunAs and Fast User Switching


If you like your way better, hey... it's your computer. But it's not as secure as the default UAC-enabled setup, particularly not if your user account is an Admin-level account, so it's not good to advise people that it's "only good for certain malware that can easily be avoided."
 
Originally posted by: Griffinhart
I used it under Vista and liked it a lot, but last I checked it wasn't compatible with Windows 7. Has that changed?

It didn't install for me, something about an incomplete installer package or something. Downloaded 5 x, same result.
 
Sorry about the link not working properly. And if it was posted earlier, I was not aware of it.
Figured some people would like a more user friendly UAC
 
Originally posted by: mechBgon
Originally posted by: hans030390
Originally posted by: mechBgon
Originally posted by: hans030390
(UAC is only good for certain malware that can easily be avoided)

I have to disagree with that one. There are plenty of common scenarios where UAC can stop an attack that you couldn't "easily avoid" by your own l33tness. Given a choice between disabling UAC, or disabling my antivirus software, I'd be far more comfortable disabling my antivirus software. And I have some firsthand basis for that, having hunted malware in the wild for a couple years. Leave UAC enabled.

It's annoying. And when I run my regular scans (using all my AV software and the guide from elitekiller.com), nothing turns up. This is the same with and without UAC enabled. Why use it in that case? My AV software catches things. UAC has caught nothing "bad" in the time I've used Vista/Windows 7 (both since release).

This is the classic error: "I've never been in a car accident, so why should I wear a seatbelt? What a waste of time. Besides, I'm a great driver and seatbelts annoy me." But the seatbelt will protect you when your great driving fails to save you from something, someday.

UAC, same general concept. By using UAC, you're effectively running your stuff at low-rights level, which is the top proactive defense you can use. Antivirus software isn't a sure-fire defense by itself, as much as we'd all like to think so... after 24 hours, the best detection rates are still below 90% on fresh malware samples (link).

Anyway, having done the research for myself, I advise everyone to run Windows as a non-Admin. There's no simpler way to do that than to leave UAC enabled on Vista/7. If you're not accustomed to being a non-Admin, evar, then it takes getting used to. But try running Win2000/XP as a non-Admin, without UAC to help...

 :light:
:Q <--- you, discovering that UAC is a total cakewalk compared to RunAs and Fast User Switching


If you like your way better, hey... it's your computer. But it's not as secure as the default UAC-enabled setup, particularly not if your user account is an Admin-level account, so it's not good to advise people that it's "only good for certain malware that can easily be avoided."

I've personally been in a car accident and used to have the mentality that things like that "won't happen to me". I can tell you that these aren't really the same thing. It's pretty easy to avoid viruses/spyware/malware. It's not like a drunk computer virus is randomly going to hit your computer. And if you get something, there's usually enough software to clean it up. You don't get this with most other things in life, especially car accidents.

My point is, most users hate UAC and just hit "yes" to everything. What does it matter if it's supposed to provide protection? They're going to get that junk anyway. Sucks to be them. As for me? My computer has always been clean because I know how to use it properly and keep it pretty tight when it comes to security. If me having UAC off causes me to get something by random chance, I know how to take care of it. At the very most, I back up my data (which I do regularly) and do a clean install. No big deal. It only takes me a couple days max to get it up and running like it used to be.

Never had an issue with XP. Never had an issue with Vista (with UAC off). This would not be the case if I was not "smart" with computers.

I've also seen computers that are totally infected with crap that UAC never stopped. Compared to having good AV software, UAC doesn't do anything noticeably helpful.
 
It's pretty easy to avoid viruses/spyware/malware. It's not like a drunk computer virus is randomly going to hit your computer

The bad guys are actively trying to make "accidents" happen. Did you know that over 50% of the malware-infecting sites out there are normally-safe sites that got pwned by the bad guys? My employer's site (happened). Photobucket (happened). Asus's site (happened). MSI's site (happened). Monster.com (happened). And so forth.

And if you get something, there's usually enough software to clean it up. You don't get this with most other things in life, especially car accidents.

One of the main targets of malware these days is stuff like your credit-card details, your WoW account and other game accounts... stuff that you can't get back once it leaks. Cleaning up the infection that leaked them doesn't bring your 80th-level Druid and his gold back after they got stolen :evil: Microsoft's monthly MSRT stats continue to show game-stealing malware is the top infection removed, in fact.

My point is, most users hate UAC and just hit "yes" to everything.

I seem to recall a poll here where most people leave it enabled. edit: oh, and that poll was from two years ago when UAC was still new 😉 I think you also forget that not everyone just hands over their Admin password to their _______ (kid, gf/bf, guests, parental units, roommates).


Compared to having good AV software, UAC doesn't do anything noticeably helpful.

I read Symantec's writeup on Vista and what malware works/doesn't work on it, and they noted that UAC has considerable "stopping power." Here's an overview if you want to read up on it: http://www.symantec.com/connec...threat-survivability-0

Never had an issue with XP. Never had an issue with Vista (with UAC off). This would not be the case if I was not "smart" with computers.

In the course of my SiteAdvisor work, I've set up a highly-vulnerable Win2000 system hundreds of times, loaded with all sorts of exploitable out-of-date stuff, and deliberately sent it to MPACK-infested sites and every other sort of dangerous site I could find. It was nearly impossible to get it infected when using a Restricted User account (which is what Win2000 calls a low-rights account). But if I logged on as an Admin, the box was pwned immediately. Thank goodness for Acronis TrueImage and a 15000rpm Cheetah 15k.3 😉

A recent study showed that over 90% of "critical" Windows vulnerabilities are effectively mitigated by using a low-rights account, which is what UAC is there to help us do. Low-rights operation is the #1 line of defense you can use, and there's a reason Microsoft is moving that direction. Sure, add antivirus and user education / common sense to that strategy, they have their place.

Since you're on Vista, you might want to enable SEHOP too. http://www.mechbgon.com/build/security2.html#sehop
 
Originally posted by: mechBgon
Did you know that over 50% of the malware-infecting sites out there are normally-safe sites that got pwned by the bad guys?
I've had attacks against my Vista PC by several major, very "trustworthy", sites this year. I don't remember the site name, but just two days ago I was shocked when Avast! announced a major commercial site had just dumped malware code onto my PC. After the Avast! alarms went off, a fake antivirus scanning program popped up in Internet Explorer 8, told me I was contaminated, and then asked me to install "special" scanning software.

Obviously, I knew better, but occasionally this stuff knows how to install itself without asking. That's where UAC comes in handy. I find it reassuring to know that it's very unlikely that malware is going to install itself without having to ask for my permission.
 
Incidentally, I looked up Websense's report and it's even worse than it used to be:

Web Security
  • 75 percent of Web sites with malicious code are legitimate sites that have been compromised. This represents an almost 50 percent increase over the previous six-month period.
  • 60 percent of the top 100 most popular Web sites have either hosted or been involved in malicious activity in the first half of 2008.
  • 12 percent of Web sites infected with malicious code were created using Web malware exploitation kits, a decrease of 33 percent since December 2007. Websense researchers believe this decrease may be attributed to attackers launching more customized attacks to avoid signature detection by security measures.


from http://www.websense.com/securi..._Report_1H08_FINAL.pdf
 
I'm curious why anyone finds UAC unfriendly to users. So you have to click a button or type in a password to install something... that is the way it should be. And if you have a program that triggers a UAC prompt when it runs, well, that's just a poorly written program in which case whoever developed the program should be scolded, not Microsoft.

I never seem to get a valid response when I bring up the fact that you need to enter a password in Linux, Unix and (gasp) even OS X in order to make system wide changes. This is the way it should be. The best one I get is that they handle it better... how? I use Vista on both my laptop and desktop and I used XP before that, and Windows 2000 before that... so Windows has always been my primary OS. I've used Red Hat/Fedora, Ubuntu, Mint and I've recently gotten a taste of OS X while attempting a hackintosh project. I don't find any of their prompts to enter admin credentials less invasive than Vista's UAC... so what's everyone's big gripe? The fact that you can't make system wide changes without entering a password? Well, neither can malware...
 