Comments on: FREE: Symantec NUAC – a UAC extension for Windows Vista

By: Ronin Vladiamhe

Ronin Vladiamhe — Mon, 12 Jan 2009 16:11:10 +0000

NUAC sounds good on paper, but since it’s still in beta development, I’ll wait until a “stable” version is released. Let us see if the option to send metadata to Symantec remains an option, and not a requirement.

By: Michael Pietroforte

Michael Pietroforte — Fri, 02 Jan 2009 01:02:35 +0000

Claus, great post. Thanks. I think the point is that UAC will always warn you before you can install such tools. Thus malware can’t disable UAC without triggering an UAC alert. Microsoft also allow you to replace Vista’s built-in firewall. If they didn’t allow it, they would probably sued by security vendors.

Rick, in what sense can’t Symantec be trusted? You mean their software is not reliable?

goomer, I think the advantage of using third party security software is that malware often only targets Windows.

By: goomer

goomer — Thu, 01 Jan 2009 19:23:58 +0000

I’m inclined to agree with Rick. My experiences with Symantec products are quite horrible. Also, I don’t really like the idea of something so tied to the OS to be handled by a third pary product.

By: Rick

Rick — Thu, 01 Jan 2009 03:11:32 +0000

I would rather have normal UAC than anything from Norton or symantec on my pc.
They can’t be trusted in my experience.

By: Claus Valca

Claus Valca — Wed, 31 Dec 2008 18:56:19 +0000

Michael,

Great post and it is a very interesting approach at taming UAC on Vista.

I covered it also on my blog but what I wanted to draw your attention to is the way it actually works which I sorted out there.

Speak of the devil: Norton’s UAC Tool – http://grandstreamdreams.blogspot.com/2008/10/speak-of-devil-nortons-uac-tool.html

“Looks like the tool executes the “symconsent.exe” process which does an intercept point (hook) to the official UAC executable “consent.exe”. According to Smallfrogs, when UAC is triggered, Vista attempts to load UAC’s consent.exe file. Norton’s UAC tool installs a filter driver file called “SymARF.sys”. That one intercepts the Vista UAC image file call and does a load image of the “symconsent.exe” instead. Based on the user’s response to the Norton UAC prompt intercept, the choice/data get logged (and reported) and set up for next time handling (if requested) and turns operations back over to “consent.exe.”

“If the “cancel” option is chosen, then a new/different “symconsent.exe” process gets fired off to create the XML handling rule document that Asuka points out in his post. ”

What surprises me here is that the UAC process is allowed by Microsoft to be hooked.

By extension, if that can be done by a legit security operation, I would think there would be the chance to have this done by rogue software as well.

Anyway…great post from 4sysops…as always!

Cheers!