
I'm asking this question with the assumption that anything the user can do, so can malware.

I'm using a third party firewall on my system to control which programs are able to access the internet. However I notice that I - as a limited user - am able to change the firewall configuration without elevating through UAC. I notice the user interface is running as my user, but the agent is running as SYSTEM.

When I stop the software through the UI, it seems to block by default (ping blocked), which is of course good behaviour. However I can simply go to the UI and disable the firewall and other aspects without any extra privileges. There is an option to apply a password to the UI, but I'm not sure how secure the implementation is (so will assume it's weak).

So in the event of a malware infection, what's to stop the malware from simply disabling the firewall the same way as the user?

I'd like to find out more about how third party security products implement tamper protection and password protection, but I can't get any good results from my searches. Any pointing in the right direction would be greatly appreciated, thanks.

2 Answers


So in the event of a malware infection, what's to stop the malware from simply disabling the firewall the same way as the user?

Nothing.

If the malware is coded to do such things (which some samples are to some extent) they absolutely will.

If you are logged in with an account with local admin privileges, then this could explain why you can make changes without elevation. This is a bad security practice and a significant advantage for malware; most samples are known to absolutely exploit local admin privileges to make changes and ensure persistence.

Pedro
  • I'm logged on as a limited user and I elevate to admin when necessary with a strong password. What's good about Windows Defender is that it requires elevation to make any changes, though if malicious code has privesc'ed then the machine is pretty much stuffed. – Synthetic Ascension May 12 '20 at 11:52
  • May we at least monitor such behavior in some way? – Mobutu Sese Seko Kuku Ngbendu Sep 24 '20 at 18:08
  • elevation is a positive contribution but not a silver bullet. there are ways or situations where achieving elevation without producing a prompt is possible. – Pedro Sep 30 '20 at 13:25
  • monitoring happens. the difficult part is telling apart malicious activity from legitimate activity. it is very difficult to do it consistently and accurately by an automated process. – Pedro Sep 30 '20 at 13:26
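An added check for the situation the question describes (a UI running as the user next to an agent running as SYSTEM), not code from either answer: it parses a service's security descriptor in the SDDL form that `sc.exe sdshow <service>` prints and reports every non-admin trustee that is allowed to stop, reconfigure, or take over the service. The two SDDL strings are constructed samples; the letter codes and mask bits are the documented Windows service rights.

```python
import re

# Service-specific and standard rights, as SDDL letter codes, that let a
# principal stop, reconfigure, delete or take over a service.
TAMPER_RIGHTS = {
    "DC": "SERVICE_CHANGE_CONFIG", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "SD": "DELETE",
    "WD": "WRITE_DAC", "WO": "WRITE_OWNER", "GA": "GENERIC_ALL",
}
# The same rights as access-mask bits, for ACEs that sc.exe prints as a hex mask.
TAMPER_BITS = {
    0x0002: "SERVICE_CHANGE_CONFIG", 0x0020: "SERVICE_STOP",
    0x0040: "SERVICE_PAUSE_CONTINUE", 0x10000: "DELETE",
    0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER", 0x10000000: "GENERIC_ALL",
}
# Trustees expected to hold these rights on a security product's agent service.
PRIVILEGED = {"SY", "BA", "LA", "S-1-5-18", "S-1-5-32-544"}

# ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid
ACE_RE = re.compile(r"\((?P<type>[^;]*);[^;]*;(?P<rights>[^;]*);[^;]*;[^;]*;(?P<sid>[^;)]*)\)")

def dacl_aces(sddl):
    """Return the ACE string of the D: (DACL) section, ignoring owner, group and SACL."""
    m = re.search(r"D:(?:P|AI|AR)*((?:\([^)]*\))+)", sddl)
    return m.group(1) if m else ""

def tamper_rights(rights):
    """Expand an ACE rights field (letter codes or 0x mask) to the tamper rights it holds."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        return [name for bit, name in TAMPER_BITS.items() if mask & bit]
    codes = [rights[i:i + 2] for i in range(0, len(rights), 2)]  # codes are 2 letters each
    return [TAMPER_RIGHTS[c] for c in codes if c in TAMPER_RIGHTS]

def weak_service_aces(sddl):
    """List (trustee, rights) for every allow ACE granting a tamper right to a non-privileged trustee."""
    findings = []
    for ace in ACE_RE.finditer(dacl_aces(sddl)):
        if ace["type"] != "A" or ace["sid"] in PRIVILEGED:
            continue
        granted = tamper_rights(ace["rights"])
        if granted:
            findings.append((ace["sid"], granted))
    return findings

# Constructed sample descriptors in the format `sc.exe sdshow <service>` prints.
# WEAK lets Interactive Users (IU) stop the agent; HARDENED only lets them query it.
WEAK_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
             "(A;;CCLCSWRPWPLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
             "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
HARDENED_SDDL = WEAK_SDDL.replace("(A;;CCLCSWRPWPLOCRRC;;;IU)", "(A;;CCLCSWLOCRRC;;;IU)")

if __name__ == "__main__":
    for label, sddl in (("weak", WEAK_SDDL), ("hardened", HARDENED_SDDL)):
        print(label, weak_service_aces(sddl) or "no tamper rights for non-admins")
```

A finding like `("IU", ["SERVICE_STOP"])` means any interactive user, and so any malware running as that user, can stop the agent without elevation; the fix is a DACL that reserves those rights for SYSTEM and Administrators.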

You are completely right. This at least used to be an attack vector.

Around 2004 I analyzed "advanced" malware that carried a list of window names of security software (in multiple languages) and keypresses to send (by WM_CHAR) to add exceptions.

Later Microsoft introduced "user interface privilege isolation" that offers protection against messages from lower integrity processes. Also some security software tries to prevent programmatic use of their UI by various means like blocking messages or making it hard by doing custom rendering and requiring mouse use.

manduca