Author Topic: Avast and Session 0 isolation in Vista  (Read 10714 times)

4u3u

  • Guest
Avast and Session 0 isolation in Vista
« on: November 26, 2006, 08:06:35 AM »
Hello,

Probably this has been reported already, but just in case it wasn't - it appears Avast is not aware of Session 0 isolation in Vista. When I'm trying to update definitions, Vista shows a message in attached screenshot. Not a blocking issue but still a serious one.

More info on what is Session 0 isolation and how it affects services in Vista here:
http://www.microsoft.com/whdc/system/vista/services.mspx

Avast 4.7.892 Home Edition
Vista Ultimate RC2 (build 5744)

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • Posts: 11658
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: Avast and Session 0 isolation in Vista
« Reply #1 on: November 26, 2006, 01:45:38 PM »
We're well aware of the issue, but it won't be solved for now. What we'll probably do is disable the progress dialog for Vista... Not ideal - but probably a feasible workaround.

The next version of avast will have this solved (because of a planned architectural change).

Thanks
Vlk
If at first you don't succeed, then skydiving's not for you.

jamesvaul

  • Guest
Re: Avast and Session 0 isolation in Vista
« Reply #2 on: November 27, 2006, 11:00:15 AM »
because of a planned architectural change.

 :P :P :P

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67194
Re: Avast and Session 0 isolation in Vista
« Reply #3 on: November 27, 2006, 12:38:33 PM »
The best things in life are free.

jamesvaul

  • Guest
Re: Avast and Session 0 isolation in Vista
« Reply #4 on: November 27, 2006, 03:21:47 PM »
What do you mean with  :P??? ::)

I like that avast changes architecture to follow the new Windows Vista architecture (Session 0 isolation, Windows Service Hardening, LUA and UAC, etc.) :P

Windows Service Hardening restricts critical Windows services from making unauthorized changes in the file system, registry, network, or other resources that could be used to allow malware to install itself or to attack other computers.

So I expect avast services to be restricted from replacing system files or modifying the registry. :P


« Last Edit: November 27, 2006, 03:34:55 PM by jamesvaul »

Offline igor

  • Avast team
  • Serious Graphoman
  • Posts: 11851
    • AVAST Software
Re: Avast and Session 0 isolation in Vista
« Reply #5 on: November 28, 2006, 11:32:51 AM »
In my opinion, this UAC thing will be major pain for many users and will be - what else would you want to do with it - turned off by many.

avast! doesn't replace system files or modify registry without a reason. If an infected file is found, for example, then it's necessary to act accordingly, Vista or not.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67194
Re: Avast and Session 0 isolation in Vista
« Reply #6 on: November 28, 2006, 12:18:07 PM »
Quote
In my opinion, this UAC thing will be major pain for many users and will be - what else would you want to do with it - turned off by many.
I have to agree with you... the minimum time I've used Vista this feature made me crazy... each connection, each time you're opening a configuration  :(

Quote
avast! doesn't replace system files or modify registry without a reason. If an infected file is found, for example, then it's necessary to act accordingly, Vista or not.
Hope Vista gets smarter in the future  ;D
The best things in life are free.

4u3u

  • Guest
Re: Avast and Session 0 isolation in Vista
« Reply #7 on: November 28, 2006, 01:12:50 PM »
Quote
In my opinion, this UAC thing will be major pain for many users
It only will if developers will continue to ignore Windows applications design guidelines.

Majority of users shouldn't see UAC much if at all during day-to-day life. Me, for example. I'm working on Vista under standard user account with UAC on, and you know what - I like that! No more "Access Denied" messages even if I want to perform an administrative task because UAC will elevate me after I enter admin password. I have no problem with requirement to enter administrative password to perform administrative task. Linux crowd is doing that for years.

Now, if I see UAC prompt when I work with something that doesn't look like administrative utility, I know that it's either malicious program or dev's fault/laziness/lack of knowledge. I will avoid such a program in the future since it doesn't really follow OS design in terms of security, who knows what other errors it may contain...

jamesvaul

  • Guest
Re: Avast and Session 0 isolation in Vista
« Reply #8 on: November 28, 2006, 05:38:04 PM »
Quote
In my opinion, this UAC thing will be major pain for many users and will be - what else would you want to do with it - turned off by many.

I totally disagree with you! UAC is the best Windows Vista feature.

Quote
avast! doesn't replace system files or modify registry without a reason. If an infected file is found, for example, then it's necessary to act accordingly, Vista or not.

You don't know what "Windows Service Hardening" means!
I try to explain it with an example: In Windows XP, if a flaw is discovered in an avast service this could be used to write system files or to access system resources; under Windows Vista this is not possible if avast service is well configured.
For example, the "avast update service" runs as SYSTEM and it can potentially destroy everything in Windows XP :'( ; instead in Windows Vista this service could be restricted using the new Vista settings for the services.
In Vista, "avast real time protection" service could be restricted from access to the network, etc.
« Last Edit: November 28, 2006, 05:58:01 PM by jamesvaul »
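
The per-service hardening settings discussed in the reply above can be checked on a Vista-or-later machine. The PowerShell audit below is an added example, not part of any post in this thread and not Avast's code; it reads the `ServiceSidType` and `RequiredPrivileges` registry values of each service running as LocalSystem and also reports the interactive-service flag that Session 0 isolation affects. The function name `Get-ServiceHardening` is hypothetical.

```powershell
# Added example: read-only audit of Windows Service Hardening settings
# for services that run as LocalSystem. Get-ServiceHardening is a
# hypothetical helper name, not a built-in cmdlet.
$root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$sidTypeNames = @{ 0 = 'None'; 1 = 'Unrestricted'; 3 = 'Restricted' }

function Get-ServiceHardening {
    foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $cfg = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if ($null -eq $cfg) { continue }

        $type = [int]$cfg.Type
        # 0x10 = own process, 0x20 = shared process; other entries are drivers.
        if (-not ($type -band 0x30)) { continue }
        if ($cfg.ObjectName -notmatch '(^|\\)LocalSystem$') { continue }

        # A missing ServiceSidType value means the service has no per-service SID.
        $sidType = if ($null -ne $cfg.ServiceSidType) { [int]$cfg.ServiceSidType } else { 0 }
        $privs = @($cfg.RequiredPrivileges | Where-Object { $_ })

        [pscustomobject]@{
            Service     = $key.PSChildName
            SidType     = $sidTypeNames[$sidType]
            # No RequiredPrivileges value: the service keeps every privilege of its account.
            Privileges  = if ($privs.Count) { $privs -join ',' } else { '(all of LocalSystem)' }
            # 0x100 = SERVICE_INTERACTIVE_PROCESS: the service expects to show UI,
            # which Session 0 isolation keeps away from the user's desktop.
            Interactive = [bool]($type -band 0x100)
        }
    }
}

Get-ServiceHardening |
    Sort-Object Interactive, SidType -Descending |
    Format-Table -AutoSize
```

Services listed with `SidType` of `None` and the full LocalSystem privilege set are the ones that have not opted in to any of the restrictions; `sc.exe sidtype` and `sc.exe privs` are the commands that change these two settings.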

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • Posts: 11658
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: Avast and Session 0 isolation in Vista
« Reply #9 on: November 28, 2006, 07:17:17 PM »
Quote
Majority of users shouldn't see UAC much if at all during day-to-day life. Me, for example. I'm working on Vista under standard user account with UAC on, and you know what - I like that! No more "Access Denied" messages even if I want to perform an administrative task because UAC will elevate me after I enter admin password. I have no problem with requirement to enter administrative password to perform administrative task. Linux crowd is doing that for years.

Now, if I see UAC prompt when I work with something that doesn't look like administrative utility, I know that it's either malicious program or dev's fault/laziness/lack of knowledge. I will avoid such a program in the future since it doesn't really follow OS design in terms of security, who knows what other errors it may contain...


Unfortunately, this is not the case... The principal problem is that unlike in Unix/Linux, an already running process cannot be elevated. I.e. the elevation can only occur during process startup. This makes it a very limited, and (from a developer's point of view) hard to use feature.

I understand the technical difficulties related to making this possible - but still, by making UAC so inflexible and still making this ON by default was a bad design decision IMHO.

On a side note, even most security people inside Microsoft (whom I've spoken with) think that the main goal of UAC was to force developers to not make their programs dependent on running under admin only (i.e. make them work under standard user). UAC is not a feature that will protect you against malware.

Quote
You don't know what "Windows Service Hardening" means!
I try to explain it with an example: In Windows XP, if a flaw is discovered in an avast service this could be used to write system files or to access system resources; under Windows Vista this is not possible if avast service is well configured.
For example, the "avast update service" runs as SYSTEM and it can potentially destroy everything in Windows XP  ; instead in Windows Vista this service could be restricted using the new Vista settings for the services.


Of course we know very well what service hardening in Vista is. However, again, you're too influenced by Microsoft PR... ;)

It is not that simple (I don't want to tire you with details - unless you want me to).

Quote
In Vista, "avast real time protection" service could be restricted from access to the network, etc.


Not a very good example, is it, unless you want avast to NOT scan remote files. ;)


Cheers
Vlk
If at first you don't succeed, then skydiving's not for you.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67194
Re: Avast and Session 0 isolation in Vista
« Reply #10 on: November 28, 2006, 08:33:38 PM »
Quote
Unfortunately, this is not the case... The principal problem is that unlike in Unix/Linux, an already running process cannot be elevated. I.e. the elevation can only occur during process startup. This makes it a very limited, and (from a developer's point of view) hard to use feature.
I understand the technical difficulties related to making this possible - but still, by making UAC so inflexible and still making this ON by default was a bad design decision IMHO.
Fully agree... This option is not that boring in Linux... but in Vista  :P
The best things in life are free.

4u3u

  • Guest
Re: Avast and Session 0 isolation in Vista
« Reply #11 on: November 29, 2006, 11:43:59 AM »
Quote
Unfortunately, this is not the case... The principal problem is that unlike in Unix/Linux, an already running process cannot be elevated. I.e. the elevation can only occur during process startup.
Take a look at NTFS permissions properties or task manager under standard user. They deal with it quite well, so why can't you?

Quote
This makes it a very limited, and (from a developer's point of view) hard to use feature.
I was talking about users, not developers. Specifically, I was replying to following:
Quote
In my opinion, this UAC thing will be major pain for many users and will be - what else would you want to do with it - turned off by many.

I understand that UAC may be difficult to deal with from developer standpoint. But that doesn't mean that it is the same for user experience. And sending a message to users that UAC is bad is IMO wrong thing to do. One could say the same about just every security feature.
"Bah, antiviruses... They are reactive, they slow down your system... Just work under standard user account, have firewall, good backup, patch periodically, be careful about any files that came from outside - and you will not need an antivirus. Well, at least real time protection."
"Bah, NTFS..."
"Bah, standard user..."
"Bah, firewall..."
"Bah, updates..."

Quote
On a side note, even most security people inside Microsoft (whom I've spoken with) think that the main goal of UAC was to force developers to not make their programs dependent on running under admin only (i.e. make them work under standard user).
Totally agree with that. Because this is one of the main reasons most of the Windows world works under admin. Which is one of the biggest Windows problems security-wise.

Quote
UAC is not a feature that will protect you against malware.
Well, while UAC will not protect you alone (neither will antivirus protect you alone. Remember remote buffer overflow attacks? Boom, shutdown countdown. What? I have antivirus, how is that possible?! Well... antivirus is useless here as no file operations performed at this point. It will prevent local infection but you still will be rebooting every time remote zombie attacks you), so while it can't protect you alone, it can really help fighting malware. Consider user working with admin rights on computer without antivirus. User receives an e-mail message with attachment that looks like a picture but actually is a malicious executable in disguise. If user tries to open this message, without UAC computer is owned. With UAC user will see confirmation prompt. "Hmm... why does this thing need to make system-wide change if it's supposed to be just a picture..."

Offline igor

  • Avast team
  • Serious Graphoman
  • Posts: 11851
    • AVAST Software
Re: Avast and Session 0 isolation in Vista
« Reply #12 on: November 29, 2006, 12:40:57 PM »
Quote
Unfortunately, this is not the case... The principal problem is that unlike in Unix/Linux, an already running process cannot be elevated. I.e. the elevation can only occur during process startup.
Quote
Take a look at NTFS permissions properties or task manager under standard user. They deal with it quite well, so why can't you?

Your examples are "simple" applications - meaning that they do what they do in a fraction of a second. So, if you decide that you want to see all the processes, you click the button, the program restarts itself (elevated) and builds the process list (and other stuff it displays) again from scratch - you won't really notice.
If an antivirus, after scanning your hard disk for an hour, finds out that it needs elevation... you probably wouldn't be very happy if it restarted itself and scanned the drives again to reach the previous point - elevated.
I'm not saying there aren't solutions to this problem (and I admit my example is slightly exaggerated), but they require significant design changes for complex programs (so also a lot of new bugs)... just because of this unfortunate UAC design.

Quote
This makes it a very limited, and (from a developer's point of view) hard to use feature.
I was talking about users, not developers. Specifically, I was replying to following:
In my opinion, this UAC thing will be major pain for many users and will be - what else would you want to do with it - turned off by many.

I understand that UAC may be difficult to deal with from developer standpoint. But that doesn't mean that it is the same for user experience. And sending a message to users that UAC is bad is IMO wrong thing to do.

I didn't "send a message" - I said that in my opinion, many users will be bothered with it. That is my opinion (I hope I can have one, right?).

Quote
Because this is one of the main reasons most of the Windows world works under admin. Which is one of the biggest Windows problems security-wise.

...

User receives an e-mail message with attachment that looks like a picture but actually is a malicious executable in disguise. If user tries to open this message, without UAC computer is owned. With UAC user will see confirmation prompt. "Hmm... why does this thing need to make system-wide change if it's supposed to be just a picture..."

And you really expect the users to think about it that way?? A tiny fraction of them, maybe... (probably those who are not using the administrator account for ordinary work anyway already)... most users, however, click anything they see - and since they will be bothered by the frequent UAC requests (because of existing software, which won't be updated accordingly for a few years) quite enough already, they will click it away (read "confirm the execution") as quickly as possible.

Well, as usual, just my opinion. We'll see... in a few months.
« Last Edit: November 29, 2006, 12:46:32 PM by igor »

4u3u

  • Guest
Re: Avast and Session 0 isolation in Vista
« Reply #13 on: November 29, 2006, 02:11:42 PM »
Quote
If an antivirus, after scanning your hard disk for an hour, finds out that it needs elevation... you probably wouldn't be very happy if it restarted itself and scanned the drives again to reach the previous point - elevated.
I'm not sure it works the way you described. But I'm not a programmer so I may be wrong here. Anyway, probably it is a good idea to always start scans elevated.
 
Quote
I didn't "send a message" - I said that in my opinion, many users will be bothered with it. That is my opinion (I hope I can have one, right?).
Well, if you have an influence or authority, it's never just your opinion. Having "moderator" and "avast Evangelist" tags on official avast forum... If I was an average Joe user and I was scrolling through this forum, I'd thought "Oh, I had doubts about if it is a good idea to turn UAC off and if I'll lose much protection but if Avast says it's OK then it might be OK".
BTW, above is my opinion. I can have one, right?

Quote
User receives an e-mail message with attachment that looks like a picture but actually is a malicious executable in disguise. If user tries to open this message, without UAC computer is owned. With UAC user will see confirmation prompt. "Hmm... why does this thing need to make system-wide change if it's supposed to be just a picture..."
And you really expect the users to think about it that way??
Yes, in my sample scenario it is most obvious course of action.

Quote
most users, however, click anything they see - and since they will be bothered by the frequent UAC requests (because of existing software, which won't be updated accordingly for a few years) quite enough already, they will click it away (read "confirm the execution") as quickly as possible.
That's why education is important. That's why all we security ISVs and IT pros should educate users instead of bashing others' security solutions. Old application can be configured to always run elevated so you'll see one prompt per app launch or file system/registry virtualisation and/or compatibility mode will kick in and you will not see UAC at all. Other than that, there are NO frequent UAC prompts for average user. It's power users who will be bothered by UAC because they change system-wide settings often and would therefore consider turning UAC off. But they are usually more mature in terms of security so they aren't primary concern.

jamesvaul

  • Guest
Re: Avast and Session 0 isolation in Vista
« Reply #14 on: November 29, 2006, 04:15:03 PM »
Quote
Unfortunately, this is not the case... The principal problem is that unlike in Unix/Linux, an already running process cannot be elevated. I.e. the elevation can only occur during process startup.

This is TOTALLY false! UAC is fully programmable and it's better than linux' SUDO!
You can start to study it from here: long url 1
An example of this is IE7 protected mode, where a process is elevated with Windows Vista Integrity Levels
long url 2
« Last Edit: November 30, 2006, 10:14:16 AM by kubecj »