Vista Home Premium...

Sorry if my ignorance of Vista security etc. makes these sound like very
dumb questions...



Defender persistently blocks at startup a number of applications* I trust (I
can run them OK manually, but more about that in a moment).

Because there is no "Alert" dialog (just the balloon notification about
blocked items) I cannot add these programs to the Allowed list.

How can one manually add programs to the Allowed List? (I'd be surprised if
simple registry editing would fix it, because I could see that such a way of
recording allowed apps might itself open a security hole.)

* my trusted apps include: RegRun Secure Start, RegRun Watchdog, AVG Free
antivirus.

Regarding UAC, even when I do run these programs manually I get the UAC
dialog; I have set these programs to run as Administrator (as they typically
require) but I still always get the dialog. Is there no way to say "I trust
this app - Admin set the permissions" and ideally, query it if it only if it
has changed?

Finally, some of my other trusted apps (Steganos Safe for example) have
auto-updaters - they to also cause a UAC dialog every time I run the main
program... how can this behaviour be prevented?

May wealth and happiness rain on you if you can resolve these issues!

Thanks - Julian

> Because there is no "Alert" dialog (just the balloon notification about
> blocked items) I cannot add these programs to the Allowed list.
>
> How can one manually add programs to the Allowed List? (I'd be surprised if
> simple registry editing would fix it, because I could see that such a way of
> recording allowed apps might itself open a security hole.)

Click the balloon itself, or if you miss it, click the Defender icon. It
will give you an option to permit the apps then.

> Regarding UAC, even when I do run these programs manually I get the UAC
> dialog; I have set these programs to run as Administrator (as they typically
> require) but I still always get the dialog. Is there no way to say "I trust
> this app - Admin set the permissions" and ideally, query it if it only if it
> has changed?

No. If you set the programs to run as administrator you just told the OS
that you want to get the UAC dialog and elevate them each time they run. If
you unset that switch and they still prompt then the programs are written to
be elevated and you will get the UAC dialog each time. You need to unset the
switch. If any programs still prompt they are either not designed for Vista,
or not designed to auto-start, or poorly designed, or some combination
thereof.

> Finally, some of my other trusted apps (Steganos Safe for example) have
> auto-updaters - they to also cause a UAC dialog every time I run the main
> program... how can this behaviour be prevented?
>
> May wealth and happiness rain on you if you can resolve these issues!
>
> Thanks - Julian

> Finally, some of my other trusted apps (Steganos Safe for example) have
> auto-updaters - they to also cause a UAC dialog every time I run the main
> program... how can this behaviour be prevented?

Forgot this one.

The only ways to prevent it is for the application to be refactored into a
service that does the updating without prompting, or using the Windows
Installer, which does not require elevation for signed patches/installers.
This is something the vendor needs to do.

Thanks Jesper - very helpful...

I also found this link on the Microsoft Vista Forums website under the topic
"Living with UAC" (http://thevistaforums.com/index.php?showtopic=10056) - I
think it is also relevant and of interest to potentially very wide audience
as it explains the how and why of an installation method to minimise UAC
issues

http://www.techwrighter.com/index.ph...d=68&Itemid=27

But again - many thanks

Julian

> I also found this link on the Microsoft Vista Forums website under the topic
> "Living with UAC" (http://thevistaforums.com/index.php?showtopic=10056) - I

I wouldn't put too much stock in that. The part about "Run as administrator"
is wrong, and the rest of the thread is about how to disable either all of
UAC or one important component of it.

> http://www.techwrighter.com/index.ph...d=68&Itemid=27

This one is much better, but it misunderstands the job of UAC. The purpose
is not to warn you when something bad is about to happen. The purpose is:
http://msinfluentials.com/blogs/jesp...really-is.aspx

---
Your question may already be answered in Windows Vista Security:
http://www.amazon.com/gp/product/047...SIN=0470101555

The 'Warn you when something bad is about to happen", Jesper, is merely a
reference to one of the purposes of the feature, from the viewpoint of the
end user. The article isn't intended to be a technical dissertation on UAC,
but instead merely an accurate guide to a technique which will make life with
UAC more comfortable for the end user.

When the technique is followed UAC prompts will be kept to a minimum, and
when one appears the end-user will, indeed, be 'warned' if it is not in
response to something the end-user has initiated and is aware of.

But thanks for the compliment paid to the article!

Cheers,
Terry

"Jesper" wrote:
>
> > http://www.techwrighter.com/index.ph...d=68&Itemid=27
>
> This one is much better, but it misunderstands the job of UAC. The purpose
> is not to warn you when something bad is about to happen. The purpose is:
> http://msinfluentials.com/blogs/jesp...really-is.aspx
>
> ---
> Your question may already be answered in Windows Vista Security:
> http://www.amazon.com/gp/product/047...SIN=0470101555
>

> The 'Warn you when something bad is about to happen", Jesper, is merely a
> reference to one of the purposes of the feature, from the viewpoint of the
> end user. The article isn't intended to be a technical dissertation on UAC,
> but instead merely an accurate guide to a technique which will make life with
> UAC more comfortable for the end user.

Understand, but the problem is that UAC is not only not capable of warning
you when anything bad is about to happen, it was not designed to do that. The
primary design purpose of UAC was to enable more people to run as a
non-admin. The misconception that it was is what has lead to the vast
majority of the criticism about UAC. In fact, that misconception is what
Apple capitalized on in their ludicrous commercials poking fun at UAC (in
spite of the fact that (a) Mac OS X has exactly the same feature, (b) except
that in Mac OS X it is disabled by default, like all their security, and (c)
Vista has process separation to make driving the UI harder, which Mac OS X
does not).

As long as people are told that UAC is a protection layer from bad code the
user chose to execute people will not only fail to act with the proper amount
of care but they will also become extremely dismayed when the bad guys figure
out how to circumvent UAC and attack their computers. At that point it is
likely that a lot of bad things could happen, starting with disabling UAC,
which will disable the protections that it DOES afford. It will also mean
that we will never end up in a truly bifurcated world as software developers,
lazy as we are, will never start writing code designed to run as a non-admin.

> When the technique is followed UAC prompts will be kept to a minimum, and
> when one appears the end-user will, indeed, be 'warned' if it is not in
> response to something the end-user has initiated and is aware of.

I agree that you can keep the prompts to a minimum, and that doing so is
valuable. Your technique works well for installers that UAC does not
auto-detect.

"Jesper" <Jesper@discussions.microsoft.com> wrote in message
news:23FAB332-92D8-4789-AD9C-2C24277B191D@microsoft.com...
>> The 'Warn you when something bad is about to happen", Jesper, is merely a
>> reference to one of the purposes of the feature, from the viewpoint of
>> the
>> end user. The article isn't intended to be a technical dissertation on
>> UAC,
>> but instead merely an accurate guide to a technique which will make life
>> with
>> UAC more comfortable for the end user.
>
> Understand, but the problem is that UAC is not only not capable of warning
> you when anything bad is about to happen, it was not designed to do that.
> The
> primary design purpose of UAC was to enable more people to run as a
> non-admin. The misconception that it was is what has lead to the vast
> majority of the criticism about UAC. In fact, that misconception is what
> Apple capitalized on in their ludicrous commercials poking fun at UAC (in
> spite of the fact that (a) Mac OS X has exactly the same feature, (b)
> except
> that in Mac OS X it is disabled by default, like all their security, and
> (c)
> Vista has process separation to make driving the UI harder, which Mac OS X
> does not).

I have Mac OS X machine and I can tell you for sure that I get prompted only
once during multiple OS upgrades or any other installations. I am running
as non-admin which is a default configuration. So, I am not sure were you
are coming from with Apple has the feature disabled. As far as I am
concerned Apple feature does the same and annoy me a lot less. Apple add
is completely justified.

(SNIP)
>
>"This one is much better, but it misunderstands the job of UAC. The purpose
> is not to warn you when something bad is about to happen. The purpose is:
> http://msinfluentials.com/blogs/jesper/archive/2007/03/01/confusion-about-vista-features-what-uac-really-is.aspx"
>
Jesper,
> Would you please clarify how to accomplish each of the following from your
> blog:

Good: Run in admin-approval mode
Better: Run as standard user and elevate to separate admin account
Best: Run as standard user and switch user to a separate admin account
instead of using UAC to elevate

My desktop runs XP SP1 and I have installed just about every malware tool I
can get my hands on. Whenever I do something that causes an alert(s) 1) I
pay attention because I see what anti-malware program is alerting 2) it
usually gives me options, usually details 3) usually I become used to the
kinds of alerts from different tools and can easily click on an appropriate
intention, and often there is no action required as it is just an alert. I
know what to expect.

My laptop has Vista. UAC just keeps bugging me about unexpected things and I
just offhandedly click "continue" as I'll bet most people do. So I am in the
process of installing the anti-malware I am used to so my laptop becomes
transparent to me as is my desktop, I can then turn off UAC, and I can then
focus on doing some work.

My question: Why couldn't MS have learned from some of the bread-and-butter
security apps and modeled UAC after them, or offer a package of them (fat
chance), or some such trustworthy approach, instead of conforming to their
proprietary policies without consideration for any intelligence on the part
of many of their users, i.e. offering intelligent options.? Any system that
requires four separate clicks to get online is written by somebody who
thinks I have all day to hang around the PC waiting to make the next click.
How could I expect that dufass to write UAC so I could use it and trust it
for protection (it is not a security app, but when it asks me to consider
whether or not I have made a safe choice by asking if I wish to continue it
pretends to be one).

Unlike many others I won't change my laptop to XP, I will just change the
security methods to operate the same way.

frogman

> I have Mac OS X machine and I can tell you for sure that I get prompted only
> once during multiple OS upgrades or any other installations. I am running
> as non-admin which is a default configuration. So, I am not sure were you
> are coming from with Apple has the feature disabled. As far as I am
> concerned Apple feature does the same and annoy me a lot less. Apple add
> is completely justified.

On my Mac I had to enable the prompting. For example, I could manage user
accounts by simply clicking on the little lock icon in the control panel. It
did not prompt me for anything.

There is no desktop separation between the prompts and the users desktop on
the Mac either. That means that a malicious program can trivially automate
the elevation process, or read the password you type.