Windows Security Blog - All Comments

Weekly Industry Round-up: Week of 11/16 « Hyperguarding your Web Applications

Weekly Industry Round-up: Week of 11/16 « Hyperguarding your Web Applications — Fri, 20 Nov 2009 19:54:35 GMT

Pingback from Weekly Industry Round-up: Week of 11/16 « Hyperguarding your Web Applications

McAfee Security Insights Blog » Blog Archive » Does Windows 7 Change The Security Equation?

Tue, 17 Nov 2009 01:57:41 GMT

Pingback from McAfee Security Insights Blog » Blog Archive » Does Windows 7 Change The Security Equation?

re: Secure Your Windows and Office 2007 Installations

dinle — Mon, 16 Nov 2009 17:19:38 GMT

I am grateful for the information you provide is really Waiting for More

Windows 7 vulneravel a 8 de cada 10 virus? « Nataniel. Notes about IT in Angola

Windows 7 vulneravel a 8 de cada 10 virus? « Nataniel. Notes about IT in Angola — Sun, 15 Nov 2009 22:03:39 GMT

Pingback from Windows 7 vulneravel a 8 de cada 10 virus? « Nataniel. Notes about IT in Angola

Microsoft: Windows 7 Malware Threat 'Sensationalized' « The IT Juggler

Microsoft: Windows 7 Malware Threat 'Sensationalized' « The IT Juggler — Sun, 15 Nov 2009 07:04:49 GMT

Pingback from Microsoft: Windows 7 Malware Threat 'Sensationalized' « The IT Juggler

re: Windows 7 Vulnerability Claims

prafulkapadia — Sat, 14 Nov 2009 20:57:44 GMT

Thanks for the explanation, n4cer.

Does the Attachment Execution Service (AES), therefore, prompt when any malware that gets onto your computer from the internet tries to execute? Is there a way to bypass having the origin tag put on a file from the internet?

The malware you mentioned in your first reply (that infects your files in your Documents folder ) would also trigger a propmpt if it has been downloaded from the internet. Is that correct?

Praful

Windows 7: Still Vulnerable to Viruses | Robin Ferianto's blog

Windows 7: Still Vulnerable to Viruses | Robin Ferianto's blog — Fri, 13 Nov 2009 11:21:32 GMT

Pingback from Windows 7: Still Vulnerable to Viruses | Robin Ferianto's blog

Windows 7 UAC default settings insecure - Page 2 - Raymond.CC Forum

Windows 7 UAC default settings insecure - Page 2 - Raymond.CC Forum — Fri, 13 Nov 2009 04:03:42 GMT

Pingback from Windows 7 UAC default settings insecure - Page 2 - Raymond.CC Forum

K??rnel de Windows requiere parche urgente | Netmedia.info

K??rnel de Windows requiere parche urgente | Netmedia.info — Wed, 11 Nov 2009 16:11:48 GMT

Pingback from K??rnel de Windows requiere parche urgente | Netmedia.info

K??rnel de Windows requiere parche urgente | bSecure

K??rnel de Windows requiere parche urgente | bSecure — Wed, 11 Nov 2009 16:11:24 GMT

Pingback from K??rnel de Windows requiere parche urgente | bSecure

re: Windows 7 Vulnerability Claims

n4cer — Wed, 11 Nov 2009 03:07:36 GMT

BTW, the Attachment Execution Service would prompt you when attempting to run an unsigned executable, particularly if originating from untrusted locations such as the Internet. This is another detail Sophos omits, and unless they manually unblocked the executable (thus removing the origin tag), they would've encountered this prompt on any computer upon which they installed the malware.

Code Integrity would do the same for kernel mode components.

re: Windows 7 Vulnerability Claims

n4cer — Wed, 11 Nov 2009 02:42:40 GMT

There's no indication that the malware bypasses UAC. UAC elevation is only triggered when performing privileged actions on the system. If the malware was engineered to run within the constraints of the standard user account, UAC would not be triggered, however the malware could still affect files the standard user account may access, such as those within the Documents folder of that account.

As stated in this blog, Sophos bypassed many of the features that could protect the user in a realistic use case (SmartScreen, Protected Mode, etc.) when they actively installed the malware on the system rather than going through normal vectors.

Sophos' implication that UAC should act as a barrier to malware is rediculous -- that's not its goal. Any protection gained from UAC is a side-effect of enabling the user to be productive without giving applications full-time, full system access. There's still a lot that can be done in the user's context, you just can't affect the entire system (barring exploitable vulnerabilities).

re: Windows 7 Vulnerability Claims

prafulkapadia — Tue, 10 Nov 2009 21:44:02 GMT

The article about vulnerabilities says that the viruses run even with UAC enabled. Whilst there's no doubt that anti-virus (AV) software should be installed, shouldn't UAC at least tell you that an unauthorised program is about to run?

The problem with relying just on AV software is that you could have a virus on your PC before your AV vendor has worked out (and issued) its antidote. On the other hand the OS always knows its about to execute a program.

If programs can bypass UAC that pretty much renders it useless. It's a bit like an umbrella with holes, which admittedly gives you some protection but no one would buy one.

Is this an instance where MS has favoured convenience for the user over security? If so, I would rather have the option of always being told a program is being executed (at least once) and approving it. Let those who don't care except a lower UAC setting.

I'd appreciate some clarification.

Praful

You still need an antivirus software in Windows 7 (like a hole in the head?) · Digital explorations

Tue, 10 Nov 2009 20:30:37 GMT

Pingback from You still need an antivirus software in Windows 7 (like a hole in the head?) · Digital explorations

re: Windows 7 Vulnerability Claims

HunterA3 — Tue, 10 Nov 2009 19:15:46 GMT

I love how the author of the Sophos article points out the number of insecure Windows systems that are currently spreading the latest big ugly worms and viruses, but fails to acknowledge that most of those installs--if not the vast majority--are from pirated versions of windows being uses mainly in SE Asian countries where piracy is out of Microsoft's ability to control and shouldn't be held accountable for.