Vista's UAC Nails Rootkits, Tests Find
Chugworth
Love or hate its nagging prompts, Vista's User Account Control feature (UAC) has a security feature that marks it out from any other type of Windows security programme -- it can spot rootkits before they install.

This is one finding buried in a report published in two German computer magazines some months ago after testing by the respected AV-Test.org, which set out to find out how well antivirus programs fared against known rootkits.

The answer was not particularly well at all, either for Windows XP, or Vista-oriented products. Of 30 rootkits thrown at XP anti-malware scanners, none of the seven AV suites found all 30, a similar story to the six web-based scanners assessed. Only four of the 14 specialized anti-rootkit tools managed a perfect score.

View: Full Article
News source: PC World
Singh400
Great news! Finally a +1 in the I love UAC camp.
Jizzylax
QUOTE(Singh400 @ May 25 2008, 19:54)

Great news! Finally a +1 in the I love UAC camp.

Too bad it is annoying as hell.
Phonics Monkey
Having a bloated "Security" app cripple your computer's performance by 20%+ is annoying. Especially when the app is ineffective under attack.

I don't mind clicking OK now and then, considering (at least) that happens quickly.
Dr.Zoidberg
Who needs a rootkit when you can do this to Windows Vista security.
Chugworth
QUOTE(Dr.Zoidberg @ May 27 2008, 18:03)

Who needs a rootkit when you can do this to Windows Vista security.

Well sure, no computer is secure when you have access to the physical machine. That's totally unrelated to UAC.
Dr.Zoidberg
I find it strange that UAC can't detect when a file is corrupted at system level, because it is quite easy to replace a file in Windows during a reboot (just with a simple startup command).
Chugworth
QUOTE(Dr.Zoidberg @ May 27 2008, 18:47)

I find it strange that UAC can't detect when a file is corrupted at system level, because it is quite easy to replace a file in Windows during a reboot (just with a simple startup command).

Well, that's not UAC's job. And if Windows scanned its files before it ran them, then that would slow it down. Besides, an application would be unable to modify system files or add startup commands unless it had Administrator access. That's why UAC can kill every attempt by a rootkit to install itself.

The key is to be careful about which applications you give Administrator access. That's the only downside of UAC. People may get in a habit of just clicking OK for everything.
Dr.Zoidberg
A database of SHA-1 or MD5 sums would be good enough to keep the files healthy and make sure that they are not tampered with.
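What a hash database of the kind suggested above actually buys you, as an added example that is not code from this thread or from Windows: it baselines a directory tree, then reports files whose digest changed, files that vanished, and files that appeared, which is exactly how the "replace a file during a reboot" scenario from the earlier post shows up. The directory layout, file names and contents are constructed for the demo; function names are mine.

```python
"""Added example: file-integrity baseline backed by a hash database.
Not code from the thread or from any Windows component; all names are
assumptions made for this illustration."""
import hashlib
import json
import tempfile
from pathlib import Path

# The post names SHA-1 and MD5.  Both have practical collision attacks, so an
# attacker who can choose file contents can craft a replacement with the same
# digest.  SHA-256 has no such known weakness, so it is the default here; the
# algorithm is recorded in the baseline so a verifier can never silently
# compare digests from two different functions.
DEFAULT_ALGO = "sha256"


def hash_file(path: Path, algo: str = DEFAULT_ALGO) -> str:
    """Stream the file through the chosen digest; files may be large."""
    h = hashlib.new(algo)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, algo: str = DEFAULT_ALGO) -> dict:
    """Hash every regular file under root; keys are paths relative to root."""
    files = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            files[p.relative_to(root).as_posix()] = hash_file(p, algo)
    return {"algo": algo, "files": files}


def verify(root: Path, baseline: dict) -> dict:
    """Compare the tree on disk against a stored baseline.

    Returns three sorted lists: files whose digest differs, files present in
    the baseline but gone from disk, and files on disk the baseline never saw.
    """
    current = build_baseline(root, baseline["algo"])["files"]
    expected = baseline["files"]
    return {
        "modified": sorted(p for p in expected if p in current and current[p] != expected[p]),
        "missing": sorted(p for p in expected if p not in current),
        "added": sorted(p for p in current if p not in expected),
    }


def demo() -> dict:
    """Constructed scenario: baseline a fake system directory, then change it
    the way the thread describes (one binary swapped for another) and verify."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "system32").mkdir()
        (root / "system32" / "explorer.exe").write_bytes(b"original explorer (constructed)")
        (root / "system32" / "logon.scr").write_bytes(b"original screensaver (constructed)")
        baseline = build_baseline(root)
        # The baseline must live somewhere the attacker cannot write (off-box,
        # read-only media, or a signed store); serialising it stands in for that.
        stored = json.dumps(baseline)

        # Simulated tampering: one file overwritten, one removed, one added.
        (root / "system32" / "explorer.exe").write_bytes(b"some other program (constructed)")
        (root / "system32" / "logon.scr").unlink()
        (root / "system32" / "extra.dll").write_bytes(b"unexpected file (constructed)")

        return verify(root, json.loads(stored))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats the thread itself raises apply to this check: it is not real-time (it only catches the swap the next time it runs, the same limitation Chugworth notes for SFC below), and it is only as trustworthy as the place the baseline is stored, since whoever has physical access to the disk can rewrite the hash database along with the files.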
Phonics Monkey
SFC anyone? (It checks the signature of all the system files)

UAC is an access control, i.e. it checks authorization; it does no authentication or target validation... it's not for that.

I'd like to see them try that with BitLocker enabled.

It's a simple physical access issue, by the time they'd renamed the file they already had access to all the data on the machine...which makes backing up (or out...) to access the "box" a rather pointless exercise.

Remember the rename explorer.exe to login.scr trick back in the Win2k days? ...This stunt is (a variation of it) hardly new.

(As Chugg hinted above) R00TK1tz don't require Physical Access to the box.

Come back with a RootKit that can bypass UAC and we'll talk ...You can drop a *niX box with a physical access "attack" (of course most folks just call it data recovery...).
Illrigger
And, you need to remember that ANY operating system is vulnerable to a file replacement from a physical connection. You can recompile the kernel with a password snooper built in and replace the install on a Linux box, and the OS sure as hell wouldn't tell you about it. That's why physical security is the first layer of any security plan. How hard would it be to swap your burned Ubuntu install disks with ones that have code built in that will steal all your personal info if someone got access to your disks?
Chugworth
QUOTE(Phonics Monkey @ May 28 2008, 07:01)
SFC anyone? (It checks the signature of all the system files)

Unless I'm mistaken, SFC isn't realtime. Or perhaps the reason why it missed the above "attack" was because the file did have a valid signature. I must admit, it is surprising to see that Explorer still loads with the login screen in the background. But as we have all made clear, if the attacker has physical access to your machine, then you're toast.

Unless you have BitLocker of course. Good point.
Taco Bell
Indeed Chug, SFC can take a while to run on a system.
Dr.Zoidberg
QUOTE(Illrigger @ May 29 2008, 20:28)

And, you need to remember that ANY operating system is vulnerable to a file replacement from a physical connection. You can recompile the kernel with a password snooper built in and replace the install on a Linux box, and the OS sure as hell wouldn't tell you about it. That's why physical security is the first layer of any security plan. How hard would it be to swap your burned Ubuntu install disks with ones that have code built in that will steal all your personal info if someone got access to your disks?

But in order to do that you would need to patch the kernel at the source level. That might not be so simple to do, since stuff like kernel source is checked with an MD5 sum before it is installed with an installer. Linux rootkits, however, can do a lot of damage to a system if a security hole is used.