Monday, May 26, 2008

Vista UAC Better At Rootkits Than AV

Vista has been the favorite punchbag of the blogosphere, but I have to say that I think some of the features that are part of Vista are really interesting and useful. UAC is one of those useful features of Vista that's been brought in from the Unix world of superuser/sudo. PCWorld reports that Vista's UAC (User-Access Protection) does a better job at detecting rootkits than antivirus products. I do not completely agree with their comparison of UAC vs Antivirus products, but it does highlight a very important point.

Windows Vista's UAC shows a dialog box every time something important is being changed in the system. It tries to warn the user about some system settings are being changed. But like most other good things, it has a side-effect. Vista's UAC screen comes up on the screen too many times and feels like its a nag-screen. But in reality, after some initial days, the Vista UAC screen doesn't come up often and Vista learns what operations are allowed by the user as non-malicious. So, UAC is a good feature...right?? Yes, it is, but then patience is a virtue rarely found in computer users. Instead, most people I know turn off UAC as soon as its Vista is installed.


On the other hand antivirus products sit on the system and observe files and downloads. They compare the files with virus signatures that are downloaded regularly off the internet. Whenever some file or behavior matches to that of a virus signature, the antivirus product shows a red flag! But rootkits are a lot more difficult to inspect, especially after your system has been infected with one. PCWorld reports:

Of 30 rootkits thrown at XP anti-malware scanners, none of the seven AV suites found all 30, a similar story to the six web-based scanners assessed. Only four of the 14 specialized anti-rootkit tools managed a perfect score.  The results for Vista products were harder to assess because only six rootkits could run on the OS, but the testers had to turn off UAC to get even this far. Vista's UAC itself spotted everything thrown in front of it.Only three of the 17 AV tools for Vista managed to both detect and successfully remove them, F-Secure Anti-Virus 2008, Panda Security Antivirus 2008, and Norton Antivirus 2008.

Rootkits look so similar to Operating System files, that most antivirus can't accurately detect them and its even harder to remove them considering that some incorrect detection may make the system instable. Rootkits are also not specifically only a threat to Windows, but are across every major operating system. Although with UAC, Vista gets the same ideology of protection that Linux or other UNIXs get. The only major problem with it is that the user has to be vigilent enough to realize the rootkit is being installed on the system and stop that operation from happening.

Thus, it is important to note that UAC does provide good security, but its upon the user to understand what is happening in the system. Another lesson is to realize that antiviruses cannot save you from everything. You have an intellect...use it!!

No comments: