Rej
Re: Is there a way to remember a trusted program ...
Posted: 06-28-2007, 03:16 PM
Hi Jimmy,
>
> So, you're saying that UAC should remember what program launched the
> admin program, and then only prompt if a different program tries to
> launch the program?
>
> That's a good idea.
>
> Unfortunately, it 1) still doesn't ensure that *you* are the one
> launching the program, it just ensures that a certain program is doing
> the launching, and 2) it is not yet possible for the system to make that
> assurance.
>
Thanks although the credit goes to the developers of Comodo -- I've
learned about the technologies from them recently.

'It is not yet possible for the system to make that assurance'. -- from what
I've seen on Comodo, it can assure who starts the program and if it's *not*
able to, it detects it as an 'Invisible parent' -- meaning it's not you
either.

Again, I need to remind you that although I've done some development a few
years back in C++ VS 6.0, I'm no 'expert' in these matters. What I perceive
as them being able to detect the parent might be different from how I'm
describing it.. the best way for you guys to know for sure would be to test
it yourselves, although the Vista version isn't out yet.. only XP (the Vista
version is Beta as of now).
> For example, let's say you launch a program from the start menu that you
> want to always elevate without asking.
>
> That's all well and good, and it seems like a reasonable tradeoff
> between security and usability, but in reality it only appears so.
>
> It is trivial to run code in the process of explorer, and really in any
> process that lives in the same privilege level, and its not merely a
> matter of "checksumming the file" to verify it hasn't been changed,
> there are ways to get code to run inside of a process that wouldn't be
> detectable using that method.
- Aye, if they are checksumming to verify the integrity of the file, perhaps
you are right, but from what I've seen, they seem to use something else..
I've tried changing an .exe myself using a hex program and restarting it, and
it detected it as changed -- no clue as to how they do that but so far, it
seems to work.

>
> It's not just about you trusting the program, but just as much if not
> more about ensuring that you are the one starting it.
>
- I hear you there... that's the purpose of the security added to Vista and
I'm *all* for security (not a fanatic, but I scan my PC every month, boot
intense scan every 3 months or so -- I even rescan every file I'm
downloading even though my scanner is scanning them while I download etc).
As I mentioned previously, from what I've seen, I am not able to start a
program other than by double-clicking on it without Comodo detecting it..
again, not being an expert, perhaps someone at MS could play around with it
and who knows, find a way to make UAC even better than it already is --
there's always room for improvement. just need to find the correct way to
do it
> I do think it is possible to do this without a prompt; however, the
> problem is much more challenging than it appears at first glance .
>
That I completely agree with, and indeed it *is* challenging, but I
have faith in the team to come up with a solution in the near future --
there's no stopping progress after all

btw, I'd like to thank you for replying.. I think this is a very interesting
subject and who knows, it might lead to some sort of a glimpse of a
solution... who knows

Regards...
--
Rej

btw if you're interested in testing the software in question, I could send
you the link, although I'm not sure if it's within the forum rules or not. another
easy way is to search for it using 'comodo firewall pro'.
Rej
Re: Is there a way to remember a trusted program ...
Posted: 06-28-2007, 03:32 PM
Just realized that changing a few bytes with a hex program would modify the
checksum of the program

lol, perhaps that's how they do it, I'm just not sure..

Rej

p.s. That's what happens when I try to answer intelligently after an all-nighter ;/ sorry about that.
cquirke (MVP Windows shell/user)
Re: Is there a way to remember a trusted program ...
Posted: 06-29-2007, 05:17 PM
On Thu, 28 Jun 2007 07:16:01 -0700, Rej
> also Jimmy Brush
>> So, you're saying that UAC should remember what program launched the
>> admin program, and then only prompt if a different program tries to
>> launch the program? That's a good idea.
It's similar to what All-Seeing-Eye and PrevX do, like an "internal
firewall" sort of behavior.
>> Unfortunately, it 1) still doesn't ensure that *you* are the one
>> launching the program, it just ensures that a certain program is doing
>> the launching, and 2) it is not yet possible for the system to make that
>> assurance.
Both of these aren't bulletproof, and (1) is important, because so
many programs can be automated to do different things via CLI
parameters etc. The problems with "has this program changed?" are:
- contents of code file, as checked by MD5, version
- contents of in-memory process, i.e. runtime code injection
- whether it's the file, or an ADS attached to the file
- whether the file is being "glove-puppeted" (i.e. BHOs in IE)
>'It is not yet possible for the system to make that assurance'. -- from what
>I've seen on Comodo, it can assure who starts the program and if it's *not*
>able to, it detects it as an 'Invisible parent' -- meaning it's not you
Not sure how well this works, given the lengths UAC has to go to (e.g.
resetting the display) to prevent automation of its own UI.

The old model was "anything that happens during your logged-in
session, we assume you wanted to do, and you are responsible for", and
that just doesn't work very well (aside from scapegoating the user).

UAC is a step away from that, and towards putting the interactive user
back in (some) charge over automated and remote processes.
>What I perceive as them being able to detect the parent might be
>different as how I'm describing it..
It's not easy... everything's designed to be so open to OLE etc. that
it's hard to maintain contexts such as which user's rights are in
effect, which security zone it is in, etc. and all of those things are
fences rather than walls (i.e. often bypassed in various ways).
>- Aye, if they are checksumming to verify the integrity of the file, perhaps
>you are right, but from what I've seen, they seem to use something else..
OK, as checksumming:
- is "noisy" when code is frequently updated
- misses in-RAM injection, ADS, automation and "glove-puppeting"
>I've tried changing an .exe myself using an hex program and restart it, and
>it detected it as changed -- no clue as to how they do that but so far, it
>seems to work.
Trickier to do, but: try changing the in-memory image while leaving the
on-HD file alone, and see if that's detected?

Then copy Calc.exe to an ADS on a copy of Notepad.exe (or something
similar) and run the ADS code; is it seen as Notepad, Calc, or other?


>-------------------- ----- ---- --- -- - - - -
"If I'd known it was harmless, I'd have
killed it myself" (PKD)
>-------------------- ----- ---- --- -- - - - -
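The post above lists why a plain file checksum is not enough to "remember" a trusted program (ADS-hosted code, an unattributable launcher). The script below is an added example written for this thread, not code from any poster, Comodo or Microsoft: it hashes every NTFS stream of an image file, not just the main one, and walks the parent chain of each running instance, reporting a parent that has exited or whose PID was reused as `<invisible>` (my own label, loosely echoing the 'Invisible parent' term quoted above). It assumes Windows PowerShell 5.1 on NTFS and takes the image path as a parameter.

```powershell
# Added example, not code from the thread: a defender-side integrity snapshot
# for a program you intend to "remember" as trusted. It hashes the main data
# stream AND every alternate data stream (ADS) of the image file, then walks
# the parent chain of each running instance, so ADS-hosted code or a launcher
# that cannot be attributed shows up instead of being silently trusted.
# Assumes Windows/NTFS and Windows PowerShell 5.1 (-Stream, -Encoding Byte).
param([Parameter(Mandatory)][string]$ImagePath)   # e.g. "$env:WINDIR\System32\notepad.exe"

function Get-StreamHashes {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    # Get-Item -Stream * lists ':$DATA' (the main stream) plus every ADS.
    Get-Item -LiteralPath $Path -Stream * | ForEach-Object {
        $bytes = if ($_.Stream -eq ':$DATA') { [IO.File]::ReadAllBytes($Path) } else {
            Get-Content -LiteralPath $Path -Stream $_.Stream -Encoding Byte -Raw }
        if (-not $bytes) { $bytes = [byte[]]@() }   # an empty stream still gets a hash
        $hex = [BitConverter]::ToString($sha.ComputeHash([byte[]]$bytes)).Replace('-', '').ToLower()
        [pscustomobject]@{ Stream = $_.Stream; Length = $_.Length; SHA256 = $hex }
    }
}

function Get-ParentChain {
    param([int]$ProcessId, [int]$MaxDepth = 8)
    # Walk ParentProcessId via CIM. A parent that no longer exists, or whose PID
    # was reused by a process created AFTER the child, is reported as
    # '<invisible>': the launcher cannot be attributed to anything still running.
    $chain = @(); $child = $null; $current = $ProcessId
    for ($i = 0; $i -lt $MaxDepth -and $current -gt 0; $i++) {
        $p = Get-CimInstance Win32_Process -Filter "ProcessId = $current"
        if (-not $p -or ($child -and $p.CreationDate -gt $child.CreationDate)) {
            $chain += "<invisible:$current>"; break
        }
        $chain += "$($p.Name)[$current]"
        $child = $p; $current = $p.ParentProcessId
    }
    return ($chain -join ' <- ')
}

$streams = Get-StreamHashes -Path $ImagePath
$streams | Format-Table -AutoSize
if (@($streams | Where-Object { $_.Stream -ne ':$DATA' }).Count -gt 0) {
    Write-Warning "$ImagePath carries alternate data streams; a hash of the main stream alone does not cover them."
}
foreach ($proc in Get-CimInstance Win32_Process | Where-Object { $_.ExecutablePath -eq $ImagePath }) {
    "PID $($proc.ProcessId): " + (Get-ParentChain -ProcessId $proc.ProcessId)
}
```

Store the per-stream hashes at the time you grant trust and re-run the script before honouring that trust; the in-memory injection case from the post is not covered by any on-disk check and needs a separate runtime control.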
Rej
Re: Is there a way to remember a trusted program ...
Posted: 07-01-2007, 01:42 AM
cquirke,

Thanks for the reply (replies).

I'm currently moving and I'm about to unplug the PC until I'm at my new
location.. I'll check out your replies more thoroughly once I'm somewhat
set up and able to answer them then.

Until then

Regards...

--
Rej

