Tests find Vista's UAC nails rootkits

Vista's UAC has a security feature that marks it out from any other type of Windows security program -- it can spot rootkits before they install. This is one finding buried in a report published in two German computer magazines some months ago after testing by the respected AV-Test.org, which set out to find out how well antivirus programs fared against known rootkits.

The answer: not particularly well, for either Windows XP or Vista-oriented products.

Of 30 rootkits thrown at XP anti-malware scanners, none of the seven AV suites found all 30, a similar story to the six web-based scanners assessed. Only four of the 14 specialized anti-rootkit tools managed a perfect score. For Vista, only six rootkits could run on the OS, but the testers had to turn off UAC to get even this far. Vista's UAC itself spotted everything thrown in front of it.

In a period where Vista has received criticism, Microsoft's programmers can at least point to evidence that UAC is efficient at stopping infections from happening automatically.

View: PCWorld


Anyone "smart" enough to run all processes under the admin context is welcome to it. You think you can trust 3rd party hardware and software then that's up to you.

Personally, after a decade in IT I don't trust companies like Amazon and Apple to ship hardware that is virus free. Good thing really as they have both had virally infected devices sent out to consumers. All it takes is for your AV to miss a DAT update and you're infected.

You smart enough to risk your entire IT security on your AV manufacturer pumping out correct DATs in time....? You honestly think that trusted sites like Neowin, Facebook and Reuters vet their adverts so that nothing malicious can be run through the flash / js advert that you're reading? Going to trust your friends not to have a virus on their machine so you can be 100% sure email and IM conversation attachments are all trustworthy?

The professionals keep UAC on. The ones with it off are simply the ones that trust their 3rd parties and friends to be as IT savvy as you - in other words arrogant.

There is no way to be sure about anything regarding IT security. You cannot trust any website you visit, any hardware you connect up or any software you install. I personally don't even trust my AV DAT's anymore - they've screwed people's computers up far too many times thanks.

The only thing you can trust is yourself not to make mistakes. The problem is that to use a computer you HAVE to trust 3rd parties to an extent. This includes advertisers, hardware manufacturers and software developers. I don't trust them with root access to my computer - I use UAC.

Microsoft can create a system 99.9999% secure against rootkits; rootkits are a VULNERABILITY of the system itself and not a feature that can be used correctly.

More specifically, regedit can include tools to check, see and perform a fix of incorrect entries; this will stop almost any rootkit on the market (with the exception of some "file-based" rootkits).

I've always wondered myself how Vista determines on its own if an action leads to an 'Admin needed' situation or not. Like, 'next' buttons in installers showing the UAC shield. Does it know beforehand that by clicking next admin rights are going to be needed?

"UAC is efficient at stopping infections from happening automatically"

So... UAC is doing what it's supposed to be all along. Shocking! Now, what do we tell the people who thought they could do a better job than UAC and turned it off?

Yep, sorry to say, but if you get hit with something you can't blame Vista.

I for one hated UAC.. I decided to disable it at first thinking it was annoying. I now have it on full time. The only time I see the pop-up (yes, one pop-up) now is when I want to run CCleaner. It's doing its job.

Ok, I really would like to see some proof about UAC constantly popping up and annoying people. So far, I hear a few people crying about it for the sake of, well, just crying about it.

There's only three reasons that UAC should pop up constantly:

a) You are configuring and setting up your computer for the first time.

b) You are doing a lot of tweaks to your system's configuration or adding many programs.

c) You are using poorly-coded software from the Windows XP era that blindly asks for admin rights just to save a file.

If somebody can show me a normal situation where UAC is harassing them, that is NOT in one of the above three scenarios, then I will eat my own words.

I highly doubt anyone can, though. I think people are whining just for the sake of it, and want to jump onto the waahmbulance bandwagon.

(CoolBits said @ #1)

Interesting what they did there but that's physical access which is totally different. If you have physical access to a machine then pretty much nothing can stop you (well maybe encryption).

UAC will only prompt if something requires administrator privileges, this is educating the software developers too as they shouldn't need these privileges for day to day running of programs.

Looks like they pre-installed stuff on the Vista machine too. This install would not have occurred without UAC activating.

With this method you get SYSTEM privileges... nothing was preinstalled, just live linux CD... and NO UAC prompts with SYSTEM privileges...

Bye bye parental controls for example hehe

(DaveBG said @ #16.4)


What can I say. LOLMAO :D

Anyone with LiveCD can do that. ROLFCOPTER

Welcome to data secure CoolBits:

Rule 1 - if you don't control physical access to your machine, it isn't your machine

Read up the rest yourself. Try CompTIA Security+, Microsoft's recommendations or just common sense.

Whoops - I fed the trolls....

Anyone believing that they have a secure system when there is physical access is, quite simply an idiot. I can't think of a single OS that a competent sysadmin can't pwn with physical access.

Anyone wondered why server rooms and datacentres have locks on servers, racks, entrances? Plus CCTV, biometrics, mantraps and sometimes physical security guards as well.

Feel free to try it with Ubuntu, Mac OS X, even HP-UX. Unless you have encryption, ripping out a HD will reveal all of its details. This is NOT a Vista 'hack', it's a well known security problem within IT, which is why the above measures are implemented within datacentres and why things like Vista's BitLocker are useful on enterprise laptops.

(stevehoot said @ #16.5)
Feel free to try it with Ubuntu, Mac OS X, even HP-UX. Unless you have encryption, ripping out a HD will reveal all of its details. This is NOT a Vista 'hack', it's a well known security problem within IT, which is why the above measures are implemented within datacentres and why things like Vista's BitLocker are useful on enterprise laptops.

Yes, good examples include OS X: Target disk mode, single-user mode, and the password reset utility. All three could be used to compromise the machine, but they also require physical access to the machine.

(stevehoot said @ #16.5)
Whoops - I fed the trolls....

Anyone believing that they have a secure system when there is physical access is, quite simply an idiot. I can't think of a single OS that a competent sysadmin can't pwn with physical access.

Anyone wondered why server rooms and datacentres have locks on servers, racks, entrances? Plus CCTV, biometrics, mantraps and sometimes physical security guards as well.

Feel free to try it with Ubuntu, Mac OS X, even HP-UX. Unless you have encryption, ripping out a HD will reveal all of its details. This is NOT a Vista 'hack', it's a well known security problem within IT, which is why the above measures are implemented within datacentres and why things like Vista's BitLocker are useful on enterprise laptops.

I agree... but on other systems you notice instantly that your password was reset and machine compromised...
Ok on OS X you have single user mode... but still not so easy as this one :)
How does a legit user notice this hack? You can't...
You don't even need to reset the password as you have SYSTEM access that is even higher than admin

(CoolBits said @ #16.7)

I agree... but on other systems you notice instantly that your password was reset and machine compromised...
Ok on OS X you have single user mode... but still not so easy as this one :)
How does a legit user notice this hack? You can't...
You don't even need to reset the password as you have SYSTEM access that is even higher than admin :)

With Vista at least you will know your password has been reset too. And SYSTEM in Vista has lower privileges than Administrator (not your normal local admin account), while the reverse is true in XP. This hack of yours also did not get past BitLocker, which will encrypt partitions while in offline mode.

Finally all the Vista haters will have to eat some of their words, this will hopefully make it more clear to some that UAC is in fact a great feature.

(Ely said @ #13)
Finally all the Vista haters will have to eat some of their words, this will hopefully make it more clear to some that UAC is in fact a great feature.

Nope... You're wrong..
See even one negative test overrides EVERY positive article..

Anyway.. we're going to see MS/Vista/any other MS OS bashing till the company is gone..

(ana04 said @ #13.1)
See even one negative test overrides EVERY positive article.. ;)

Well UAC, by design, will block EVERY rootkit attempt, as long as the user does not click OK.

A lot of good arguments here.
UAC I definitely agree was done correctly this time by Microsoft. I've got it turned on for my computer and I am the sole user with Admin rights. I have yet to see it pop up for probably 2 weeks now. I don't see how it is so annoying other than when you are first installing your apps and settings.

The biggest argument I am seeing here revolves around the novice computer user and most of us here are not that and I think Microsoft finally started thinking more about them and did this correctly. Yes most users probably get used to seeing the UAC pop up and ignore it and click OK and this is due to poor security and computing habits from the past decade or so because we still have stupid people downloading Trojans etc. However UAC does seem to be helping change all that even if it is annoying which is really what its come down to, to get people to be aware of the malicious stuff out there.

My dad actually came to me the other day saying he downloaded a new anti spyware program from some ad on Yahoo; well, we all know that those have nasty side effects. Turns out it was some kind of damaging program and because it was an EXE file UAC popped up when he tried to install it, but instead of the usual yellow warning it was the bright red one which steered him away from installing. So I think this is a step forward by Microsoft.

Your anecdote about your father is really an excellent point and illustrative of how UAC can help the casual user. Thank you for posting.

MS can hold the hand of its millions of users. If they implement security measures, and the user installs something undesired because of being "stupid", it is not MS's fault.

However, I have disabled UAC, but I do know what I'm doing. UAC is working and most users should use it and pay close attention to what they are doing.

UAC is not 'hand holding'. If anything, it's giving you a very powerful tool for tuning the privileges given to launching processes.

If you understand what UAC is, you're far less likely to turn it off, based on what I've seen. As you seem to think that it is Microsoft holding the user's hands, AND you have turned it off, I'm inclined to believe that you do not.

I'm a true enthusiast, and I've been using computers for nearly two decades. I've amassed a lot of knowledge and a lot of experience in that time, and I still leave UAC on for two reasons- One, it's not really very annoying because it's rare that I see a UAC prompt anymore, and two, it's saved my a$$ once. Even people that know what they're doing can make a mistake when they're not paying attention as well as they should be! And, after spending hours trying unsuccessfully to remove a Vundo trojan from my one and only XP box, I'm grateful for as many stopgaps as possible- including UAC! It only takes one mistake to make you wish you'd left it on!

What people don't understand is that UAC is out to TEACH people anyway!!!

Programmers to stop requiring admin privileges on software

End users by alerting them of anything that could be seen as dangerous

Over time you should expect to see less pop ups - but that's in the long term when people understand...

I do find the UAC popups annoying; that said, it has saved me a couple of times when I wasn't paying too much attention and clicked something I didn't want to.

On my home pc it's off and will never be on. I control that pc and no one else touches it. UAC will never exist on that machine as long as there is a way to turn it off. I have a firewall, anti-virus and no cookie gets by me that I don't want...UAC, for me at home, is complete overkill IMO. For the wider world, if this broad brush, sledge hammer approach to security works then so be it...ya friggin bozos.

(EduardValencia said @ #2)
GOD THANK YOU GOD!!!! Thanks for TEACHING THIS Anti -MS-UAC-Everything Fanboys that they are wrong!!!!!!!!!!!!!!!!!!!

Thank you GOD Thank You!!!

-Kneels & Pray-

First of all, I'm not sure the term Fanboy applies to someone who doesn't like something, but it sure as hell applies to your reaction...a classic, very odd reaction of adoration to something like UAC. Dude, you are a UAC fanboy.

I fail to understand how UAC is overkill. I can easily go through a 10 hour day's work without seeing a UAC prompt. Unless you're constantly changing the configuration of the OS, or trying to write to protected folders such as Program Files *cough*, then I can't understand your reasoning for disabling it. Most people I've seen complain about UAC whine about how they get a prompt every time they try to copy/paste a crack into a folder inside of Program Files. During the course of a normal day, you should never see UAC.

UAC, your firewall, antivirus, etc. all have different goals.

UAC's goal is to keep processes at the lowest privilege level they need to accomplish their task, which is arguably a better defense than some of the others.

Just because it stopped them all doesn't make it any less annoying.
It's just a trade off on how much annoyance you can take compared to the security benefits of said annoyance.
And that goes for a lot of this day and age's firewall products too.

Thank you. It's funny how UAC is one of the first things that Vista haters point to and complain about when it's actually one of the best things that Microsoft got right. Thank you Microsoft for finally realizing that users do not need to be running with full Administrator rights and following in the path of Linux by creating UAC. Not only that, Microsoft made it even less annoying than the Linux approach by not requiring the user to enter a password every time.

My main concern about UAC is that people will get in a habit of just clicking OK every time the box comes up. But despite that, it's still good that the user is at least given a warning when an application attempts to make a system-wide change.

(Chugworth said @ #1)
Thank you. It's funny how UAC is one of the first things that Vista haters point to and complain about when it's actually one of the best things that Microsoft got right. Thank you Microsoft for finally realizing that users do not need to be running with full Administrator rights and following in the path of Linux by creating UAC. Not only that, Microsoft made it even less annoying than the Linux approach by not requiring the user to enter a password every time.

My main concern about UAC is that people will get in a habit of just clicking OK every time the box comes up. But despite that, it's still good that the user is at least given a warning when an application attempts to make a system-wide change.

only when you are an administrator of course, normal users have to provide an administrator password ;)

i think all of the current solutions (uac, su, sudo) have their advantages
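As an added illustration (not from the article or any commenter), here is a PowerShell audit of the registry policy values that control whether UAC is enabled and how it prompts administrators (consent) versus standard users (credentials), the distinction drawn above. The registry path and value names are the documented Windows policy settings; the descriptive labels and finding texts are this script's own.

```powershell
# Added example: audit the UAC policy values that decide whether Windows
# prompts at all and how it prompts admins (consent) versus standard users
# (credentials). The registry path and value names are the documented policy
# settings; the descriptive labels and finding texts are this script's own.

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# ConsentPromptBehaviorAdmin: elevation behaviour for a member of Administrators
# running under Admin Approval Mode. Value 5 exists on Windows 7 and later.
$AdminBehavior = @{
    0 = 'Elevate without prompting (UAC is effectively off for admins)'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries only'
}

# ConsentPromptBehaviorUser: what a standard user gets when something needs admin.
$UserBehavior = @{
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for administrator credentials'
    3 = 'Prompt for administrator credentials on the secure desktop'
}

function Get-UacPosture {
    # Reads the policy key once and returns the effective settings plus a list
    # of findings a reviewer would flag. Absent values are reported as
    # 'not set' rather than assumed.
    $props = Get-ItemProperty -Path $UacKey -ErrorAction Stop

    $enableLua   = $props.EnableLUA
    $adminPrompt = $props.ConsentPromptBehaviorAdmin
    $userPrompt  = $props.ConsentPromptBehaviorUser
    $secureDesk  = $props.PromptOnSecureDesktop

    $adminLabel = 'not set'
    if ($null -ne $adminPrompt) {
        $adminLabel = $AdminBehavior[[int]$adminPrompt]
        if ($null -eq $adminLabel) { $adminLabel = "unknown value $adminPrompt" }
    }
    $userLabel = 'not set'
    if ($null -ne $userPrompt) {
        $userLabel = $UserBehavior[[int]$userPrompt]
        if ($null -eq $userLabel) { $userLabel = "unknown value $userPrompt" }
    }

    $findings = New-Object 'System.Collections.Generic.List[string]'
    if ($enableLua -ne 1) {
        $findings.Add('EnableLUA is not 1: UAC is disabled, so every process of an admin user runs with a full admin token')
    }
    if ($adminPrompt -eq 0) {
        $findings.Add('ConsentPromptBehaviorAdmin is 0: admins elevate silently, nothing asks before a system-wide change')
    }
    if ($secureDesk -ne 1) {
        $findings.Add('PromptOnSecureDesktop is not 1: prompts appear on the normal desktop, where other user-mode code can draw over them')
    }
    if ($userPrompt -eq 0) {
        $findings.Add('ConsentPromptBehaviorUser is 0: standard users cannot elevate at all (strict; confirm it is intended)')
    }

    [pscustomobject]@{
        UacEnabled            = ($enableLua -eq 1)
        AdminPromptMode       = $adminLabel
        UserPromptMode        = $userLabel
        PromptOnSecureDesktop = ($secureDesk -eq 1)
        Findings              = $findings
    }
}

function Test-CurrentProcessElevated {
    # True when this session already holds a full administrator token, i.e. it
    # went through (or, with UAC off, never needed) an elevation prompt. With
    # UAC on, an admin's filtered token makes this return False until elevated.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

$posture = Get-UacPosture
$posture | Format-List
if ($posture.Findings.Count -eq 0) { 'No UAC findings.' }
"This PowerShell session is elevated: $(Test-CurrentProcessElevated)"
```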

(Chugworth said @ #4)
Thank you. It's funny how UAC is one of the first things that Vista haters point to and complain about when it's actually one of the best things that Microsoft got right. Thank you Microsoft for finally realizing that users do not need to be running with full Administrator rights and following in the path of Linux by creating UAC. Not only that, Microsoft made it even less annoying than the Linux approach by not requiring the user to enter a password every time.

My main concern about UAC is that people will get in a habit of just clicking OK every time the box comes up. But despite that, it's still good that the user is at least given a warning when an application attempts to make a system-wide change.


Actually, I believe you can configure those programs to have a grace period in Linux. For example, the password I enter at a kdesu or gtksudo password prompt remains active for a bit while I am configuring things (monitor resolution, date/time, etc.) in Fedora 8. sudo does the same thing when I'm using the command line.

(rpgfan said @ #1)
Actually, I believe you can configure those programs to have a grace period in Linux. For example, the password I enter at a kdesu or gtksudo password prompt remains active for a bit while I am configuring things (monitor resolution, date/time, etc.) in Fedora 8. sudo does the same thing when I'm using the command line.

A grace period is about the dumbest thing you can do. With a grace period, all malware has to do is sit around and wait for you to do something else that requires administrator privileges before it can root your box...

(Chugworth said @ #4)
Thank you. It's funny how UAC is one of the first things that Vista haters point to and complain about when it's actually one of the best things that Microsoft got right. Thank you Microsoft for finally realizing that users do not need to be running with full Administrator rights and following in the path of Linux by creating UAC. Not only that, Microsoft made it even less annoying than the Linux approach by not requiring the user to enter a password every time.

My main concern about UAC is that people will get in a habit of just clicking OK every time the box comes up. But despite that, it's still good that the user is at least given a warning when an application attempts to make a system-wide change.


+1

What a load of ********.

Let's say Mr Noob downloads and runs BritneysFlange.avi.exe. The UAC pops up a couple of prompts asking whether they are sure they want to run the file, but of course they're sure they want to see Britney's flange so they OK past all the prompts, what brilliant protection.

People stupid enough to get infected will ignore the prompts and those not stupid enough just get annoyed by them.

So what would YOU suggest?

You're quick to complain about UAC, but what is your alternative?

(Worse for you, golly-gee, UAC actually WORKS; in fact, in Vista, it stops rootkits deader than doorknobs.)

Why is it that when faced with solid security actually designed into Windows (which is what a lot of users complained rightfully that XP was sorely lacking) the same complainers want to invalidate it? Is it a case of "Be careful what you wish for; you might actually get it."?

And for the users who actually do pay attention, this will prevent a drive-by-download and install from happening without their consent. See, I can turn it other ways too!
UAC stops things from happening automatically. It puts the user in control. Some users may not know what to make of this newfound control, and will try to go back to their old ways, but for those who'd like more control, UAC is just the trick.

You don't get it.

UAC might work in a lab but it doesn't work in the real world because the kind of people stupid enough to be affected by the kind of things it might protect against just ignore the protective prompts.

I don't care if you want to use Vista or any other OS more power to you but don't use bull**** stats like this to justify UAC and dismiss the people that point out the basic flaws.

(lardboy said @ #3.4)
dismiss the people that point out the basic flaws.

The basic flaw is the user. The basic flaw will always be the user. NO SECURITY SYSTEM IN THE WORLD CURRENTLY IN PLACE OR EVER WILL EXIST can protect a user or group of users from his/their own stupidity. If it did, the program would be quickly uninstalled , deactivated, or not bought at all, and the user would continue on their own clumsy way.

LOL for people who want to see Britney's flange - there's no hope for them anyway.

I don't care what people think, well done Microsoft.

I'm no Microsoft fan boy - I mostly use XP and linux - but sometimes you have to give credit where credit's due.

(PGHammer said @ #3.1)
So what would YOU suggest?

You're quick to complain about UAC, but what is your alternative?

(Worse for you, golly-gee, UAC actually WORKS; in fact, in Vista, it stops rootkits deader than doorknobs.)

Why is it that when faced with solid security actually designed into Windows (which is what a lot of users complained rightfully that XP was sorely lacking) the same complainers want to invalidate it? Is it a case of "Be careful what you wish for; you might actually get it."?


Actually, the point lardboy had was that users need to be educated in secure computing habits. I don't see many dialer programs these days, which also happened to be a masquerade for trojans, but I really don't think porn surfers have any more secure habits than they did way back in Windows 98. UAC is nothing more than an extra few "OK" (or was it "Allow"?) buttons to the average horny person that just wants to see some nudity. That's pretty much all Vista's UAC is - a bloody thorn of the beautiful rosebush that is Vista. I can say it is slow with certain configurations, but I can't deny that it doesn't look good.

(PGHammer said @ #3.1)
So what would YOU suggest?

You're quick to complain about UAC, but what is your alternative?

There is no way to stop a noob from eventually destroying his/her PC. That is the way of the noob. With "features" like UAC Microsoft annoys the rest of us.

Tell me how I'm going to get a rootkit when I don't download untrusted software? I have never had any trouble with viruses on my PC other than when I was lazy and did something stupid. Even then it wasn't much trouble to remove them because they were unable to download their payloads thanks to my firewall. Besides, as the OP said, UAC isn't going to stop a noob from allowing an infected program to execute since they are purposely trying to install it because they think it's a codec they need or something.

(lardboy said @ #3)
What a load of ********.

Let's say Mr Noob downloads and runs BritneysFlange.avi.exe. The UAC pops up a couple of prompts asking whether they are sure they want to run the file, but of course they're sure they want to see Britney's flange so they OK past all the prompts, what brilliant protection.

People stupid enough to get infected will ignore the prompts and those not stupid enough just get annoyed by them.
you've got it wrong...
some people stupid enough to get infected will ignore the prompts, and some other people stupid enough to get infected turned off UAC to begin with and didn't get the prompts.

the SMART people left UAC enabled and denied the prompt when it came up.

(PGHammer said @ #3.1)
Tell me how I'm going to get a rootkit when I don't download untrusted software?

How about drive-by-downloads when you visit a website or using an SQL injection technique!!!!

(neo158 said @ #3.10)

How about drive-by-downloads when you visit a website or using an SQL injection technique!!!!

Sorry, comment was aimed at toadeater.

(lardboy said @ #3)
What a load of ********.

Let's say Mr Noob downloads and runs BritneysFlange.avi.exe. The UAC pops up a couple of prompts asking whether they are sure they want to run the file, but of course they're sure they want to see Britney's flange so they OK past all the prompts, what brilliant protection.

People stupid enough to get infected will ignore the prompts and those not stupid enough just get annoyed by them.



You misunderstand the purpose of UAC. UAC is not to stop you from installing malware on your computer. Heck, there's plenty of malware that doesn't even require admin privileges. And as you say, another prompt isn't going to stop that. Although it may, by chance, because UAC is scarier than most prompts.


However, the purpose of UAC is entirely different, and so your point is irrelevant. UAC exists so that when Outlook or Firefox or another application is exploited via a remote code execution vulnerability, the malicious code cannot harm other user accounts or the system itself. Or in the case of Protected Mode IE, it means the malicious code can't really do anything.

The prompts are a very small part of that. Basically, if you clicked on an e-mail message and this triggered a vulnerability in Outlook - instead of your machine being instantly pwned, it would either completely fail silently (because Outlook is running without admin privileges) or at worst you would see a UAC dialog, and have a very good chance of stopping the attack. While users might click "continue" when trying to run BritneysFlange.avi.exe, they are far less likely to click "continue" if they have no idea where it came from.

Not only are they working against malware that may run undetected, but they are also helping novice users eyeball anything that might run before clicking OK on it. I've heard the argument that because of UAC people are more likely to just click through security pop-ups, but at least MS can hide behind the "hey, we tried to stop it" excuse when that happens, in which case the blame falls (as always) at the fingertips of the end-user.

(Ani Maul said @ #1.1)
Not only are they working against malware that may run undetected, but they are also helping novice users eyeball anything that might run before clicking OK on it. I've heard the argument that because of UAC people are more likely to just click through security pop-ups, but at least MS can hide behind the "hey, we tried to stop it" excuse when that happens, in which case the blame falls (as always) at the fingertips of the end-user.

Which it very well SHOULD.

In fact, Microsoft's UAC warnings are a lot more intelligible than most warnings from other anti-malware products (yes, Symantec; that means you), and a great deal more verbose than those of even Security-Enhanced Linux in Enforcing mode (that says a lot about SELinux, and none of it good). Helping the user spot suspicious software (or even suspicious SOURCES of software) is one way to help slow down (if not halt) the spread of malware; even better to do so with newbie users (still the largest single source of rootkit-infected and zombified PCs and networks). Question is: now that it's been proven to be effective, will Microsoft's security mavens get sledged for being too effective compared to their open-source (SELinux) and commercial (Symantec) counterparts?

(PGHammer said @ #1.2)

Which it very well SHOULD.

In fact, Microsoft's UAC warnings are a lot more intelligible than most warnings from other anti-malware products (yes, Symantec; that means you), and a great deal more verbose than those of even Security-Enhanced Linux in Enforcing mode (that says a lot about SELinux, and none of it good). Helping the user spot suspicious software (or even suspicious SOURCES of software) is one way to help slow down (if not halt) the spread of malware; even better to do so with newbie users (still the largest single source of rootkit-infected and zombified PCs and networks). Question is: now that it's been proven to be effective, will Microsoft's security mavens get sledged for being too effective compared to their open-source (SELinux) and commercial (Symantec) counterparts?

I agree that Vista's UAC is good for this, but the popups are far too frequent. This is why people will just keep clicking. End-users need education on security to help prevent such infections without going through 20 popups every time they move their mouse. Vista's UAC as it is now is more annoying than it is useful.

I would rant about how horrible SELinux is to configure depending on what you want to do, but this is about Vista's UAC, not SELinux.

(rpgfan said @ #1.3)
I agree that Vista's UAC is good for this, but the popups are far too frequent. This is why people will just keep clicking. End-users need education on security to help prevent such infections without going through 20 popups every time they move their mouse. Vista's UAC as it is now is more annoying than it is useful.

I disagree - once the computer is set up, you don't get much in the way of UAC popups, I've found.

(rpgfan said @ #1.3)

I agree that Vista's UAC is good for this, but the popups are far too frequent. This is why people will just keep clicking. End-users need education on security to help prevent such infections without going through 20 popups every time they move their mouse. Vista's UAC as it is now is more annoying than it is useful.

I would rant about how horrible SELinux is to configure depending on what you want to do, but this is about Vista's UAC, not SELinux.

Compared to what?

Better that the user be warned more often (even if the warning has a chance of being false) than to have ONE bad apple get through. (Hindsight is always 20/20.) A good part of UAC's verbosity is about User Education/User Feedback, as one thing Microsoft picked up from the Usability Labs is the impact reinforcement (both positive and negative) has on the user experience. However, the vast majority of the griping about UAC is from those that consider themselves Power Users (and think they know better than Microsoft).

I have never kept UAC turned off on any computer I've owned or worked on (and, at worst, only turned UAC off systemwide under specific unique circumstances for less than five minutes on any system; after that period, it was reactivated). And that is *despite* a computer background that predates the PC (in fact, it goes back to the heyday of IBM's System 360 and 370 mainframes). I usually *don't* have a problem with UAC in typical computer usage, and I've been using Vista since before the Great Code Rewrite, and since that changeover (and the birth of UAC), most of the time it's been my sole operating system. I can pretty much say that I have basically a *Jack-of-all-trades* older PC (it does a little bit of everything; not stellar in any one task), and Vista (UAC and all) lets me get my gamut of stuff done, and with much less in the way of unwelcome interruptions than XP did (on the same hardware). UAC has been given a trial-by-fire (by me), and it has earned its spurs, in my own humble opinion.