Subscribe via e-mail: 
FREE: Symantec NUAC – a UAC extension for Windows Vista
By Michael Pietroforte | 5 Comments | Permalink | Trackback | Previous | Next
Some days ago I reviewed Smart UAC, a replacement for Vista’s UAC (User Account Control). Symantec is working on a similar tool, Norton Labs UAC (NUAC). The tool is currently in beta and I am not sure if this will be its final name. As with Smart UAC, the main feature of NUAC is its ability to suppress future prompts from the same action.
NUAC’s setup asks you if you want to submit UAC prompts. This means that NUAC will send metadata about your actions to Symantec. This metadata contains information such as the filenames and the hashes of the executables and the DLLs involved in the action. Symantec intends to build a white and a black list for UAC prompts. I think this is an interesting idea. This technique works very well for SPAM and I believe it could improve security significantly on Windows PCs. If people know that a UAC alert has never shown up somewhere else, they will be extra careful. Moreover, UAC will be less likely to get on our nerves. Note that the current beta doesn’t use these lists yet.
NUAC is already a useful UAC extension. Its prompts have a “Don’t ask me again” check box, and the dialog box has a details pane which displays the location and the name of the application that caused the prompt.
What I like about Symantec’s solution is that the check box doesn’t just refer to the program that you are about to launch. NUAC will suppress future prompts only if you start the program in the same way. For example, if you launched the application through its desktop icon, NUAC will prompt you again if you start it from the command prompt. More important is that this also includes attempts by other programs that try to launch the application. Thus, disabling UAC for a certain action does not place the corresponding application at risk of unauthorized use by malware.
A downside of NUAC is that it doesn’t have an allow list like Smart UAC. That is, you can’t edit the stored actions. NUAC stores them in the Windows Registry under HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SymConsent\Data. Each entry corresponds to a specific action. But the key names are encrypted, so you can’t easily assign actions to them. I tried some well-known hash codes to no avail. Thus if you want to remove a certain action from the allow list later, you have to keep track yourself of the NUAC entries by noting the Registry key names. Of course, you can also delete all keys in the Data folder, which means that you have to train NUAC again.
NUAC’s beta is free, but I fear the final product will cost something. Nevertheless, I prefer NUAC over Smart UAC simply because it impressed me as more reliable. I also like that it doesn’t disable UAC the way Smart UAC does. Instead, NUAC just extends Vista’s UAC.
Norton Labs UAC (NUAC)
(3 votes, average: 4.33 out of 5)
Loading ...
Michael,
Great post and it is a very interesting approach at taming UAC on Vista.
I covered it also on my blog but what I wanted to draw your attention to is the way it actually works which I sorted out there.
Speak of the devil: Norton’s UAC Tool – http://grandstreamdreams.blogspot.com/2008/10/speak-of-devil-nortons-uac-tool.html
“Looks like the tool executes the “symconsent.exe” process which does an intercept point (hook) to the official UAC executable “consent.exe”. According to Smallfrogs, when UAC is triggered, Vista attempts to load UAC’s consent.exe file. Norton’s UAC tool installs a filter driver file called “SymARF.sys”. That one intercepts the Vista UAC image file call and does a load image of the “symconsent.exe” instead. Based on the user’s response to the Norton UAC prompt intercept, the choice/data get logged (and reported) and set up for next time handling (if requested) and turns operations back over to “consent.exe.”
“If the “cancel” option is chosen, then a new/different “symconsent.exe” process gets fired off to create the XML handling rule document that Asuka points out in his post. ”
What surprises me here is that the UAC process is allowed by Microsoft to be hooked.
By extension, if that can be done by a legit security operation, I would think there would be the chance to have this done by rogue software as well.
Anyway…great post from 4sysops…as always!
Cheers!
I would rather have normal UAC than anything from Norton or symantec on my pc.
They can’t be trusted in my experience.
I’m inclined to agree with Rick. My experiences with Symantec products are quite horrible. Also, I don’t really like the idea of something so tied to the OS to be handled by a third pary product.
Claus, great post. Thanks. I think the point is that UAC will always warn you before you can install such tools. Thus malware can’t disable UAC without triggering an UAC alert. Microsoft also allow you to replace Vista’s built-in firewall. If they didn’t allow it, they would probably sued by security vendors.
Rick, in what sense can’t Symantec be trusted? You mean their software is not reliable?
goomer, I think the advantage of using third party security software is that malware often only targets Windows.
NUAC sounds good on paper, but since it’s still in beta development, I’ll wait until a “stable” version is released. Let us see if the option to send metadata to Symantec remains an option, and not a requirement.