Robert McLaws: Windows Edition

Blogging about Windows since before Vista became a bad word

Symantec Anti-UAC Product is a Very Bad Idea

Symantec seems to think that Vista's User Account Control prompts people too much, and wants to make more of the security decisions for you. So, lemme get this straight: Symantec launched a three-part b!tchfest (with reports all penned by Joris Evers, I might add) on how (prerelease) Vista was insecure, and then tried to make it more secure by circumventing an actual security feature? That's some great logic if I've ever seen it.

How UAC Works
UAC uses Secure Desktop, which is the same system that manages the Login screen, as well as the screen you go to when you hit "Ctrl+Alt+Del". It's an entirely separate process, which doesn't have any "hooks" that can be used to communicate with the process. Know how the screen greys out when you get a UAC prompt? That's not really your desktop behind the prompt, but a snapshot of your desktop as it was before the prompt happened (which is why flashing IM windows suddenly stop flashing). See, Microsoft didn't want the experience to be any more jarring than it had to be, so they made it appear that you hadn't left your desktop, when you actually have.

Why Anti-UAC Is Really Bad
The problem with the concept of a UAC Blocker is threefold fourfold (sorry, brain fart): 

  • Opening UAC APIs to allow prompts to be suppressed means that ANY software can come in and do the same thing, which COMPLETELY defeats the purpose of UAC. The reason UAC was developed was because malware was hooking into the OS and rewiring the buttons on confirmation prompts (so that "Cancel" meant "Ok"). Instead of allowing anything to happen without a User's permission, Microsoft decided that certain things can only complete after human confirmation. If a software program interjects itself into the pipeline, how does it determine which prompts are acceptable and which ones aren't?
  • It creates way more problems than it solves. Microsoft VERY heavily tested the UAC subsystem to make sure it was as close to flawless as possible. But when you introduce a third-party in the mix, you create the potential for a weak link in the chain. How would anyone be sure that Symantec's Anti-UAC product went through the same rigorous testing as UAC did?
  • Microsoft spent a lot of time tuning the system to make sure users get as few prompts as possible. Most users won't even see them very often... they just make documents, check their e-mail, and browse the web. The number of prompts you see potentially increases with your skill level, which is unfortunate.
  • Based on what I know about the system, I don't think it's even possible. Microsoft implemented UAC and Secure Desktop in a way that (theoretically) cannot be compromised. If UAC is compromised, that means that Secure Desktop is compromised, which means that someone can spoof a "Ctrl+Alt+Del". Windows has been using Secure Desktop for a long time, and it hasn't been compromised yet AFAIK.
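A defender can check whether prompts have been suppressed or moved off the Secure Desktop described under "How UAC Works" by auditing the UAC policy values in the registry. This is an added example, not part of the original post; the registry value names are Windows' own UAC policy settings, which the post does not mention, and the function names and sample data are hypothetical.

```powershell
# Added example: flag UAC policy settings that disable UAC, suppress the
# elevation prompt, or show it outside the Secure Desktop.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$UacValues = 'EnableLUA', 'ConsentPromptBehaviorAdmin', 'PromptOnSecureDesktop'

function Get-UacPolicy {
    # Read the live values; a value that is absent comes back as $null.
    $props = Get-ItemProperty -Path $UacKey
    $policy = @{}
    foreach ($name in $UacValues) { $policy[$name] = $props.$name }
    $policy
}

function Test-UacPolicy {
    param([Parameter(Mandatory)] [hashtable] $Policy)

    $findings = @()
    # EnableLUA other than 1 means UAC is switched off altogether.
    if ($Policy['EnableLUA'] -ne 1) {
        $findings += 'EnableLUA is not 1: UAC is disabled'
    }
    # 0 lets administrators elevate with no prompt at all.
    if ($Policy['ConsentPromptBehaviorAdmin'] -eq 0) {
        $findings += 'ConsentPromptBehaviorAdmin is 0: elevation without a prompt'
    }
    # Anything but 1 draws the prompt on the ordinary interactive desktop,
    # where other processes in the session share the same desktop.
    if ($Policy['PromptOnSecureDesktop'] -ne 1) {
        $findings += 'PromptOnSecureDesktop is not 1: prompt is not on the Secure Desktop'
    }
    $findings
}

# Constructed sample: UAC left on, but prompts suppressed for administrators
# and moved off the Secure Desktop. Produces two findings.
$sample = @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 0; PromptOnSecureDesktop = 0 }
Test-UacPolicy -Policy $sample

# On a Windows host, audit the live configuration as well.
if (Test-Path $UacKey) {
    Test-UacPolicy -Policy (Get-UacPolicy)
}
```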

Why It Won't Happen
Look, Symantec screamed bloody murder when Microsoft thwarted their "protection" efforts with PatchGuard. I don't think Microsoft would be dumb enough to publish APIs for working around UAC. And the Windows team would throw down against Symantec in a heartbeat on the issue. Microsoft would immediately treat any "workaround" as a security threat and close it off (Stephen Toulouse alluded to this, although more muted than Microsoft's actual response would be). They spent 3 years trying to get it right, and hundreds of thousands of man-hours. Do you honestly think Microsoft would allow that to be bypassed? Yeah, right.

Symantec Knows This
Personally, I think this is a trap designed to get Microsoft in antitrust hot water. Symantec tries to circumvent a Microsoft security feature, Microsoft treats it as an attempt to hack the OS and blocks it, and Symantec cries foul because Microsoft isn't allowing a competitor to compete in the security space. Don't believe me? It's not like it hasn't happened before.

You Should NOT Trust Symantec On This One
Their products are some of the buggiest products on the market. Even if they did manage to replace UAC with their own system, do you trust them to protect you without their "solution" introducing new flaws into the wild? I highly recommend that you, loyal readers, stay away from this product. I wouldn't touch it with a 35 1/2-foot pole.

The Bottom Line
Look, I know UAC is kinda frustrating at first. But the "openness" of the past contributed to the current security problem. This Internet is not this utopian dream that the liberal techies that invented it thought it was. There are malicious people out there that do malicious things on the Net. Everyone's going to have to put up with a few hassles and learn new things to keep the Internet safe. And if Microsoft has to protect some people from themselves in order to keep MY computer safe, then people are just gonna have to deal with it.

And Symantec should spend less time circumventing existing Windows security features (through workarounds intentional or otherwise) and start coming up with ways to actually make my computer more secure. What a novel concept.


Comments

  • Graham Fluet said:

    It's just that Symantec knows that the UAC goes overboard.

    Apple had it for a long time, but you don't see it very often, and it requires you to type in your password. For example: If you are an administrator, you only get it when you add/delete accounts, attempt to modify system files (IF you have the privileges to), attempt to modify parts of the Library, and sometimes if you are installing an app (NOT by dragging it to your computer), especially if it modifies system files in the installer.

    And if you are NOT an administrator, you get it when you try to modify the system, but that version ALSO needs the name of an administrator, along with their password, but you don't get it when you are editing your home folder.

    January 10, 2007 2:12 PM
  • Dan said:

    Although I don't like Symantec's products, UAC still has a major flaw: giving control to the user. Whenever my mom (who knows nothing about computers, she does email and internet, that's about it) sees a message, she is just going to click continue or yes pretty much no matter what. What UAC needs to do is be able to tell you when something is actually harmful, and not pop-up when you do something routine (like copy a file to another hard drive, the reason why I turned it off in the first place). If UAC can become smart and be able to only pop up in dangerous situations, then it would be awesome. Maybe if Windows could ship with Windows Live OneCare, although I know that's never going to happen unless hell freezes over.

    January 10, 2007 3:40 PM
  • Brendan G said:

    @ Graham: In my experience (and I am a "power user"), Vista's UAC behaves exactly as you described it for Apple.

    January 10, 2007 4:09 PM
  • Graham Fluet said:

    Brendan G,

    So, you DON'T get it when you change the time?

    January 10, 2007 4:14 PM
  • Anyone that has used Windows Vista at all will be familiar with User Account Control (UAC) prompts. The

    January 10, 2007 5:28 PM
  • List244 said:

    Dan, have you used Windows Vista? Windows Vista requires a password. If you don't want your mom doing these things, don't give her the admin password. If you don't give her that, she can press "yes" all she would like, no harm will be done.

    Also, everything that it pops up about can potentially cause harm. The reason it can't get "smart" about it, is because if it was "smart" hackers could play with its intelligence. The whole idea is to prevent people from changing your settings without an admin password.

    Graham, you do not get it when you change the time-zone, but yes, changing time does offer a dialog. However, I do not think that a normal user really has any need to change the time. This should be something managed by administration. Especially since you can have it synchronized. With the synchronization, they should have no need for changing it.

    January 10, 2007 7:15 PM
  • Graham Fluet said:

    List244,

    I guess you do not travel.

    January 10, 2007 7:22 PM
  • Bryan said:

    Graham,

    Also remember that the reason that many apps trigger UAC prompts is because they're poorly written with respect to security. Part of the goal of UAC is to compel developers to minimize the need for such privileges in the first place; apps that absolutely have to request an elevation can make the process somewhat safer by providing a valid cert for their binaries. Symantec's actions would undermine any incentive to improve.

    In many ways, Apple had an easier time in this regard because OSX was so different from MacOS Classic that it forced developers to step back and rethink before porting their apps, so there was more incentive to address these issues up front and earlier on.

    January 10, 2007 7:34 PM
  • Graham Fluet said:

    Bryan,

    That was over 5 years ago. Lots of software has been created since and you don't have these problems in Mac OS X (except when idiots create drivers for Wacom tablets), not even from companies that are less than 5 years ago.

    What is with this layout? Doesn't IE have a built-in spell-checker?

    January 10, 2007 7:59 PM
  • Bryan said:

    I still think my main point is essentially correct:

    Since OSX has been available, it has had strong default security and permission settings, and so any developer wanting to write an application for OSX had to take that into account from the beginning of development/porting.

    In contrast, Windows has traditionally given applications more flexibility. Although NT had the necessary infrastructure, Microsoft hasn't enforced it due to compatibility concerns. They've certainly encouraged developers to make programs that can work in limited accounts, but there's been little incentive to do work that wasn't absolutely necessary--including, frankly, for other product groups within Microsoft.

    With UAC, Microsoft is finally beginning to lock Windows down in a manner similar to OSX. Problem is, in doing so, the negligence of these developers has been made much more visible, hence many pop up elevation prompts where it wouldn't otherwise be necessary.

    Over time, more developers will take limited privileges into account when targeting Vista (it may actually be a logo requirement), and the number of prompts should be comparable to what you see in OSX.

    January 10, 2007 8:22 PM
  • Graham Fluet said:

    In other words, for Vista to be bug-free, it would have to be COMPLETELY rewritten, and run apps for XP in a virtual machine that is included in the OS.

    January 10, 2007 8:58 PM
  • List244 said:

    Graham, nothing is bug-free. lol Also, in response to your travel question.. First, if you are traveling with a computer, you should be an admin. Second, even if you are not, you can change the time-zone, which should be enough.

    January 10, 2007 9:38 PM
  • Bryan Fennell said:

    Graham,

    Isn't that a bit of a leap? It isn't a matter of Vista having bugs--though I'm sure they're there--but rather there are still a large number of applications written without regard for the constraints of limited user file rights. With UAC in place, the hope is that this will provide a strong enough penalty to push most developers to make their apps work in limited accounts. The only ones that should run with admin rights are those that genuinely need it.

    It's misleading to try to characterize this as a matter of Vista being broken compared to OSX. OSX apps are, on the whole, much better citizens. This is, as I've mentioned earlier, largely a result of the "clean break" approach they took. They could get away with this because, prior to the release of OSX, Apple's market share was dwindling and the most important thing was to put Apple back in a technologically strong position (and they've certainly succeeded). In contrast, there are over half a billion Windows users on Earth, and that market has high expectations of compatibility, especially in the corporate market (where Apple, particularly prior to the release of OSX, had negligible presence). The result is that Microsoft can't make the same kind of clean break, but must evolve the platform over time.

    Think about a large city: If you wanted to make the buildings more green / energy efficient, you wouldn't just level everything and rebuild--it would be too expensive, and disenfranchise too many people--rather you'd make changes in an opportunistic manner, perhaps making other improvements on the way. That's Windows. OSX is more like a planned community: it's well designed and well manicured, but you wouldn't try to apply the same design approach to the scale of say, New York City.

    It isn't so much a value judgment as it is a difference of scope and context.

    January 10, 2007 10:52 PM
  • On www.windows-now.com Robert McLaws writes about an Idea Symantec has on disabling UAC. I must say I

    January 11, 2007 3:18 AM
  • Sigurdur G. said:

    I've been a user of Norton Antivirus for many years, but after all the recent fuss from Symantec the last year or so, I will not be buying their products anymore.  I'm going to be looking at other solutions for my Vista antivirus needs.

    January 11, 2007 4:40 AM
  • Ljuvefreya said:

    I am a Mac fan(atic), but I have also been running Vista since Beta 2 and now RTM (We're an MS Gold Partner).

    I think of myself as somewhat of a power user, but I run without Admin rights on my normal account, on both systems. Doing normal tasks I don't need to elevate on either system, ever.

    While Vista may ask for admin rights more often than OS X, it's often a topic of setting rights correctly. It may be a hassle... once. But just spend a little time configuring security on your computer or your parents' computer correctly, and it won't be asking you.

    On most typical tasks I haven't needed to elevate, not even moving files between disks.

    I agree with the sentiment that Symantec's moves are bad. I tend to think Symantec makes easy to use products, but I feel they're making blunders now. They're actually, scarily enough, arguing that everyone should be able to make security products for the OS? Having cleaned computers of the "WinSafe Antivirus 2005" product all too many times (it's a pure scam, localized into many languages including Norwegian, that makes you pay for it by VISA to "unlock" it after it "finds viruses", only to get a happy message, reboot, and it resets... You can't unlock it, just pay and pay and pay. And of course you can't uninstall it, and it seems to register with the Windows XP Security centre.) *ugh*

    As to changing the time: you CAN use local computer policy to adjust who does that, even grant it to lower rights users, but there's actually no need. Just adjust the time zone, works like a charm.

    January 11, 2007 3:52 PM
  • Myles said:

    I agree! Vista does ask for confirmation a lot but as someone who knows what they are doing I hardly see it. The good news with the UAC is that unless you click it, it seems to just sit in the background waiting for you to press it before the security continues.

    Someone else already raised the point but "However, I do not think that a normal user really has any need to change the time. This should be something managed by administration. Especially since you can have it synchronized. With the synchronization, they should have no need for changing it." You just do not travel!

    As for Symantec trying to get some action from it, I would give Symantec another penny if I could help it! Unfortunately MSBackup is *** so you are basically left with Veritas. Any other actual GOOD software for backing up out there?

    I hate Symantec and luckily I removed two copies of its existence yesterday and installed www.nod32uk.com, much much much better software! The fastest and smallest scan engine in the world with the best VB100% rating ever!

    January 18, 2007 12:22 PM
  • List244 said:

    Ugh, Myles... I do travel... with my own computer, where I am the administrator. Also, on Windows Vista you can change the time-zone. If you can change the time-zone, what need is there to change the actual "time?"

    January 23, 2007 5:25 PM