ISSUE 21.42 • 2024-10-14 PUBLIC DEFENDER By Brian Livingston The popular Kaspersky antivirus program quietly disabled itself on computers in the US la
[See the full post at: The US has banned Kaspersky software — should you worry?]
The US has banned Kaspersky software — should you worry?
- This topic has 61 replies, 25 voices, and was last updated 4 months, 1 week ago.
B. Livingston
AskWoody MVP October 14, 2024 at 2:45 am #2710051
WSbrisbaneroad
AskWoody LoungerOctober 14, 2024 at 6:46 am #2710063Public/free version of this article isn’t available
3 users thanked author for this post.
-
ernie
AskWoody LoungerOctober 14, 2024 at 6:56 am #2710078I know I’m getting the free version of Ask Woody, but this item is today’s (10/14/2024) featured item for the free version, and when I click the link to read online, I get a “Not Found” error message. I simply think you should know,
Ernie
1 user thanked author for this post.
-
Will Fastie
Newsletter EditorOctober 14, 2024 at 6:58 am #2710082Public/free version of this article isn’t available
Fixed.
1 user thanked author for this post.
-
ernie
AskWoody Lounger -
ernie
AskWoody LoungerOctober 14, 2024 at 7:54 am #2710094Interestingly, after posting my previous reply, I received a new Ask Woody Newsletter, and this time, the link to this item worked as expected.
First, I want to thank you for making it available.
Second, I think Kaspersky’s response to the United States Government’s action indicates one reason why it was necessary, not only as a security protection for the government itself, but also as a protection for the people of the United States. For any Ask Woody readers outside the U.S.A., I strongly recommend you very carefully reconsider your decision about using any Kaspersky software. Such a response quite clearly indicates that Kaspersky has absolutely no interest in the security of their users, but, like most corporations, are most interested in their bottom line, and perhaps in following any (possible) Russian government mandates that may have been issued (I have no evidence of this last supposition, but it makes sense to me).
Ernie
3 users thanked author for this post.
-
Richard Shaw
Guest -
RetiredGeek
AskWoody PlusOctober 14, 2024 at 9:00 am #2710111Richard,
{Snark ON}
You’ll notice that a lot of very good programs like Malwarebytes, RoboForm, etc. don’t show up in these comparisons. Personally, I think it’s a pay to play issue, i.e. are they advertisers on the platform doing the comparisons. You be the judge.
{Snark Off}
3 users thanked author for this post.
-
bbearren
AskWoody MVPOctober 14, 2024 at 9:14 am #2710114Personally, I think it’s a pay to play issue, i.e. are they advertisers on the platform doing the comparisons.
That has long been my suspicion, @RetiredGeek. Having never used Kaspersky, I haven’t been/won’t be affected. I have long had full confidence in the combination of Microsoft Defender and Malwarebytes Pro (unregistered in the Security center) playing nice together, I’ve never had a desire to pursue any other AV/AM.
Always create a fresh drive image before making system changes/Windows updates; you may need to start over!
We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things.
We were all once "Average Users".
cesmart4122
AskWoody Plus
-
-
-
b
AskWoody_MVPOctober 14, 2024 at 9:53 am #2710125Why is Malwarebytes not mentioned as a leading Anti Virus program?
Malwarebytes is mentioned in all six of the linked reviews.
1 user thanked author for this post.
Drcard:))
AskWoody_MVPOctober 14, 2024 at 8:20 am #2710099Israel’s national security agency hacked into Kaspersky’s corporate systems in 2014
…
The Russian agents gleaned secrets from multiple sources, the Times said, “by turning the Kaspersky software into a sort of Google search for sensitive information.”
…
Kaspersky Lab didn’t detect Israel’s eavesdropping on its server until mid-2015
Either Kaspersky knew and allowed the Russian hackers in or Kaspersky knew nothing about their own servers being hacked for this length of time. Either way (dishonest or inept) that doesn’t sound like a company I want protecting my system or doing business with.
HTH, Dana:))
6 users thanked author for this post.
Cesar
AskWoody LoungerOctober 14, 2024 at 9:43 am #2710113Bad actors’ malicious use of an AV program’s update mechanism to remotely execute hacker code is a potential danger for every security company.
“Antivirus is the ultimate back door,” the Times quoted Blake Darché of Area 1 Security as saying. “It provides consistent, reliable and remote access that can be used for any purpose, from launching a destructive attack to conducting espionage on thousands or even millions of users.”
Couldn’t any software with an update mechanism (operating systems, web browsers, etc) be used in a similar way? For me, it’s a potential danger for any software company, not only for security ones.
César
1 user thanked author for this post.
-
rc primak
AskWoody_MVPOctober 14, 2024 at 6:21 pm #2710307Couldn’t any software with an update mechanism (operating systems, web browsers, etc) be used in a similar way?
Different software vendors have different specifics about how they provide updates. But for security software, a breach of this sort is very serious business. If any other vendor had experienced such a massive and persistent breach, I would think the whole world would know about it by now, unless it happened very recently.
So no, this sort of breach has not (to my knowledge) been reported with other security vendors.
Reason enough to avoid Kaspersky and their successors.
-- rc primak
2 users thanked author for this post.
cesmart4122
AskWoody PlusOctober 14, 2024 at 11:16 am #2710158Thanks for this timely article on Kaspersky.
As Russia has parked an explosive-laden fertilizer cargo ship off the coast of Great Britain, has kidnapped thousands of Ukrainian children, and has begun shooting Ukrainian POWs; it’s a darned good idea to ban Kaspersky antivirus. I also trust the Israeli intelligence agency more than I trust Putin’s puppets.
[Moderator edit] less inflammatory rhetoric please.
Alex5723
AskWoody PlusOctober 14, 2024 at 11:32 am #2710163If you formerly used Kaspersky AV, my recommendation is that you choose a different, highly rated antivirus program
I use Kaspersky A/V and will continue to use.
I don’t believe any of US’s panicked hallucinated… propaganda.
Nothing has ever been proved. No allegations have been put against Kaspersky in court. It’s the 50’s anti-communism years, again.
ernie
AskWoody LoungerOctober 14, 2024 at 11:43 am #2710170You’re entitled to your opinion, but it’s not Kaspersky that I don’t trust as much as I don’t trust the Putin Russian government. How do we know that Kaspersky’s not being pressured into not disclosing any nefarious activity their government may be conducting in the background? This may sound as if I’m going into conspiracy theory territory, but I won’t put anything past Putin, and his cronies.
My2Cents,
Ernie
4 users thanked author for this post.
-
Chris B
AskWoody Plus October 15, 2024 at 7:28 am #2710388
I moved away from Kaspersky over a year ago. I did not (and still do not) have a view on Eugene Kaspersky’s motives, nor any other of his staff. However, what a person might do when told “we have your wife/daughter in a gulag” is a totally different matter. There is plenty of evidence of this kind of a thing in China and Russia. Hence, without judgment or emotion, I moved to another AV supplier.
Chris
Win 10 Pro x64 Group A -
ernie
AskWoody Lounger October 15, 2024 at 9:57 am #2710426
I’ve had my doubts about Kaspersky for many years. I used it around 2010, until I learned that it’s a Russia-based corporation. Because I then had, and still do not have, any trust in the ethics of the Russian government, and what pressures they may put on Kaspersky, and members of its staff, I switched to a free alternative. Then, in 2015, when I started testing Windows 10 as a Microsoft Insider, I started using Windows Defender. As time passed, it became known as Microsoft Defender, and improved in performance, so today, it poses perhaps the lightest load on Windows, and provides protection that’s equal to, or better than, the best AV suites available. My thinking is that if I can get AV protection that’s as good as anything else available, for free, why pay for anything else?
My2Cents,
Ernie
-
-
Fred Z
Guest
skifly43
AskWoody PlusOctober 14, 2024 at 11:36 am #2710162Are there any unnamed other AV applications that use the Kaspersky AV engine on their backends..??
1 user thanked author for this post.
Drcard:))
AskWoody_MVP October 14, 2024 at 12:07 pm #2710182
Nothing has ever been proved. No allegations have been put against Kaspersky in court.
No need to prove in court when Kaspersky admitted (months later) that they had been hacked and private info was taken (see the PDF link in the article). The fact that Kaspersky admitted being hacked is not any “propaganda” but a documented fact. Even if you put aside any Russian connection, the fact that Kaspersky has proven it can be hacked (and maybe will be hacked again) makes it unsafe to be used for anyone including Russians. I would say the same thing about any AV software that has been proven to be hacked and expose your private info no matter its home country and that is not propaganda.
Also, if the allegations in that Time article are wrong and considering the damage to Kaspersky that article has caused why hasn’t Kaspersky sued the Times or even posted a reply to that article in their defense?
HTH, Dana:))
1 user thanked author for this post.
Alex5723
AskWoody Plus October 14, 2024 at 12:28 pm #2710189
when Kaspersky admitted (months later) that they had been hacked and private info was taken
Hundreds of companies have been hacked and private info was taken this year and none has been ordered to shut down.
1 user thanked author for this post.
ernie
AskWoody LoungerOctober 14, 2024 at 1:35 pm #2710216Hundreds of companies have been hacked, and private info was taken this year, and none has been ordered to shut down.
No one, including the U.S. government, has ordered Kaspersky to shut down. The U.S. government has only ordered Kaspersky to cease doing business within our borders. Context, and accuracy matter.
My2Cents,
Ernie
-
rc primak
AskWoody_MVPOctober 14, 2024 at 6:25 pm #2710308No one, including the U.S. government, has ordered Kaspersky to shut down. The U.S. government has only ordered Kaspersky to cease doing business within our borders. Context, and accuracy matter.
So how is telling them to stop doing business and to stop providing updates within the US not shutting them down here? Your comment seems self-contradicting.
-- rc primak
Drcard:))
AskWoody_MVPOctober 14, 2024 at 1:35 pm #2710217Hundreds of companies have been hacked and private info was taken this year and none has been ordered to shut down.
I doubt the number is “hundreds” but none were AV software companies.
Those hacks involved the personal info you had stored at that company. The Kaspersky hack was way different and much more serious. Reread this quote:
“Israeli intelligence officers looked on in real time as Russian government hackers searched computers around the world for the code names of American intelligence programs,” the Times journalists explained
The hack in Kaspersky servers allowed the hackers access to each Kaspersky customer’s PC thru the AV update service of Kaspersky to search, find and take info on that PC that was not even in Kaspersky’s data base. That is way more serious and dangerous than obtaining only that personal info that is stored on some business servers that was hacked. This is way more serious than many of the other software that are banned.
HTH, Dana:))
3 users thanked author for this post.
Phil Rabichow
AskWoody PlusOctober 14, 2024 at 4:54 pm #2710289Thank you for the article, but just wanted to point out that the sequence you posted:
“Confirm that Defender is in control by opening Settings, searching for “Virus” and clicking on Virus & threat protection, and then clicking on Manage providers under Who’s protecting me? Microsoft Defender should be shown under Antivirus.”
does not seem correct for Windows 10, at least for me.
I can get to it by going to Control Panel/Security and Maintenance/Security dropdown/Virus Protection/View in Windows Security/Virus & threat protection/Who’s protecting me/Manage providers. I just can’t get to “Virus & threat protection” under “Settings”.
-
B. Livingston
AskWoody MVP
ernie
AskWoody LoungerOctober 14, 2024 at 7:24 pm #2710314So how is telling them to stop doing business and to stop providing updates within the US not shutting them down here?
It is, but they are still free to do business elsewhere. The U.S.A. isn’t the only tech market in the world. Kaspersky’s still free to do business elsewhere, if they choose. Besides, the U.S. government doesn’t have the power to shut them down worldwide, even if we wanted to. On the other hand, other nations have the right to take similar action, if they feel that Kaspersky’s a threat to their national security, as we do.
Ernie
Bob Coleman
AskWoody Plus
sudo
AskWoody PlusOctober 14, 2024 at 9:36 pm #2710332“Kaspersky then remotely installed on US computers a little-known antivirus alternative called UltraAV.”
That to me is a big enough worry having that done to unsuspecting people’s computers.
I have seen this product, and would not want, or would install it on any of my PCs
2 users thanked author for this post.
Rick Corbett
AskWoody MVPOctober 15, 2024 at 12:11 am #2710350Couldn’t any software with an update mechanism (operating systems, web browsers, etc) be used in a similar way? For me, it’s a potential danger for any software company, not only for security ones.
The OS has multiple protection rings – like concentric moats of castles – to safeguard its contents.
The problem is that AV software needs kernel access – the innermost OS ‘core’ (ring 0) – to be effective, which other software like browsers don’t.
Microsoft has to keep the keys to the castle safe, especially its innermost protection ring.
I am more than happy to be proved wrong but, for me, this suggests that Kaspersky was apparently able to just substitute an unknown alternative – with the keys to the castle – to get around a US government ban.
Hmm… IMO this suggests a SNAFU.
2 users thanked author for this post.
Rick Corbett
AskWoody MVPOctober 15, 2024 at 12:33 am #2710356Just out of curiosity, how does the US government enforce this edict, good or bad? Kaspersky seems to have been told to stop sending updates and to have complied. What if they hadn’t?
At a guess, Kaspersky’s software products’ ‘signing’ keys (i.e. security certificates) could have been revoked by either Microsoft itself or by Microsoft appealing against Kaspersky’s top-level signing authority, i.e. asking for revocation of an appropriate validation.
(See What’s the difference between DV, OV & EV SSL certificates? for more info.)
Apparently this didn’t happen… as Kaspersky was still able to remotely install an alternative almost-unknown AV product.
Hmm… I expect we’ll hear more about this soon.
1 user thanked author for this post.
Steve S.
AskWoody Plus October 15, 2024 at 5:08 pm #2710556
I haven’t used Kaspersky in years, relying on MS Windows Security (plus standalone versions of Malwarebytes and a few other offline scanners).
Irrespective of whether they are in cahoots with Putin or not, the fact that Kaspersky fumbled the communication, ignored the idea that customers might want to choose their AV replacement themselves and, in general, fumbled the hand-off to UltraAV and UltraVPN, I’d say “Nope. Not on my computer, thank you very much.”
At the bare minimum, this speaks to incompetence or lack of concern for the customer….
Win10 Pro x64 22H2, Win10 Home 22H2, Linux Mint + a cat with 'tortitude'.
2 users thanked author for this post.
Alex5723
AskWoody PlusOctober 16, 2024 at 10:43 am #2710679and provides protection that’s equal to, or better than, the best AV suites available.
That has never happened. Defender never was equal or better than the best A/Vs on A/Vs tests, and surely not better than Kaspersky.
ernie
AskWoody Lounger October 16, 2024 at 11:22 am #2710681
Defender never was equal or better than the best A/Vs on A/Vs tests, and surely not better than Kaspersky.
I beg to differ. To validate my assertion, I googled “How does Microsoft Defender compare to other AV suites based on test ratings”, and received this response:
“According to independent testing organizations like AV-Test and SE Labs, Microsoft Defender generally performs very well compared to other antivirus suites, often receiving top marks for protection, with scores consistently near the highest possible rating, sometimes even achieving a perfect score in protection categories while maintaining good performance and usability; however, some premium third-party antivirus solutions may offer slightly more advanced features or a wider range of security tools.”
Even though premium AV suites may offer a few slightly more advanced features, and/or a wider range of security tools, they still do not offer significantly better protection, overall. For home users, Microsoft Defender is entirely suitable/adequate, not to mention, free.
Ernie
2 users thanked author for this post.
Tomp
GuestOctober 17, 2024 at 9:20 am #2710887It’s the same problem as tiktok it’s just too much of a risk.
Whether or not all the fear is warranted, why take the chance?
2 users thanked author for this post.
Tim W. elder
GuestOctober 18, 2024 at 12:22 am #2711029Brian,
I haven’t used Kaspersky, so I don’t have to worry about those happenings–I hope!
But I do have a question/comment about the next-to-last page of your article where several reviews are given. I note that Norton and McAfee are both mentioned more than once. My training is that these should be avoided because they are “memory hogs.” Perhaps the recommending folks are not really unbiased??
MS Defender is not mentioned once; but on the next page you seem to indicate that it is OK. But I’ll have to wait until later this month to see your article on MS Defender. That’s what I’m using at this time.
Thanks.
-
Berserker79
AskWoody LoungerOctober 18, 2024 at 2:01 am #2711086But I do have a question/comment about the next-to-last page of your article where several reviews are given. I note that Norton and McAfee are both mentioned more than once. My training is that these should be avoided because they are “memory hogs.” Perhaps the recommending folks are not really unbiased??
Exactly what I was thinking about. Also, an AV product from Avast is among the recommendations, but Avast was at the center of controversy a few years ago over sales of customers’ data they apparently made to third parties and it was recent news Avast is facing a huge fine at the FTC for those sales. As such, if I’m not to trust Kaspersky after they apparently admitted getting hacked, I’m not trusting Avast either because my data isn’t safe with them too.
1 user thanked author for this post.
-
B. Livingston
AskWoody MVPOctober 29, 2024 at 3:44 pm #2713370The popular security blogs that I linked to often give anti-malware products high ratings for things like “user-friendly interface” and “quality of customer support.” The reviewers may also consider the drag on performance that an AV product places on Windows processes, but not all reviewers do so.
In my Oct. 21 follow-up column, all of the international testing organizations that I listed tend to ignore user-friendliness. They concentrate mainly on 100% malware detection, lack of false-positive warnings, performance drag, and other highly technical qualities. This makes those ratings quite valuable. I wish the two columns could have been in a single piece, but both articles were already rather long.
Fred
AskWoody LoungerOctober 18, 2024 at 1:11 am #2711081and provides protection that’s equal to, or better than, the best AV suites available.
That has never happened. Defender never was equal or better than the best A/Vs on A/Vs tests, and surely not better than Kaspersky.
So, Kaspersky is the only thing you have to worry about, perhaps?
Peculiar that “Bitdefender” isn’t mentioned; it comes in various ‘tastes’ and sure is at the top of the protection suites, and even has a free version that is good as just an anti-virus protection.
(by default it takes over MsDefender)
ps: B has a free antivirus app for the smartphone* _ ... _ *-
b
AskWoody_MVPOctober 18, 2024 at 2:55 am #2711093Peculiar that “Bitdefender” isn’t mentioned;
Bitdefender is listed five times in the article (and in all six linked reviews)
1 user thanked author for this post.
-
Fred
AskWoody Lounger -
Chris B
AskWoody PlusOctober 18, 2024 at 11:40 am #2711194I have been using Bitdefender for a couple of years and am generally happy with it. However, I do get quite a lot of false positives, which can be frustrating getting to a site (often on my own network) that I know is safe.
Chris
Win 10 Pro x64 Group A
1 user thanked author for this post.
-
-
Jay B.
AskWoody Lounger October 20, 2024 at 1:47 pm #2711535
Even though premium AV suites may offer a few slightly more advanced features, and/or a wider range of security tools, they still do not offer significantly better protection, overall. For home users, Microsoft Defender is entirely suitable/adequate, not to mention, free.
You should watch this test done with an unknown ransomware, right at the beginning of the video he tells how Microsoft Defender poorly performed!
-
b
AskWoody_MVP
BGilbe1207
AskWoody PlusOctober 20, 2024 at 2:39 pm #2711541BLUF: No US government agency has stated Kaspersky software is safe to use.
The AskWoody Kaspersky article should not be a surprise. The history of Eugene Kaspersky and what happened to Kaspersky Lab software is documented via “https://en.wikipedia.org/wiki/Eugene_Kaspersky”. Not stated is Eugene Kaspersky’s return to work for Russian intelligence focusing on collection of military information.
FCC Section 1.50002 of the Commission’s rules direct the requirement to publish a list of communications equipment and services (Covered List) that are deemed to pose an unacceptable risk to the national security of the United States or the security and safety of United States persons, etc. In early 2022, Kaspersky Lab was first added to the FCC published list. The website is “https://www.fcc.gov/supplychain/coveredlist”. The Kaspersky entry was reaffirmed with “clarification” in July 2024.
Now we find installed Kaspersky software was suddenly replaced by UltraAV software, which is offered by US based Pango Group. Interesting that Pango is supposed to help Kaspersky software, via UltraAV, meet US regulatory requirements. To date, the FCC and Department of Homeland Security Kaspersky software ban remains in place. It will be interesting to see if Pango UltraAV software stays off or gets included in the FCC Covered List.
Jay B.
AskWoody LoungerOctober 20, 2024 at 4:09 pm #2711554Microsoft Defender’s Ransomware Protection (Controlled Folder Access) was not enabled.
No it was enabled, check it here: https://www.youtube.com/watch?v=2R033fex8D8
-
b
AskWoody_MVPOctober 20, 2024 at 6:54 pm #2711580Nothing there says it was enabled for the Desktop folder where the encryption took place. If it had been then a notification would have appeared when the malicious app was blocked from accessing that folder. A user’s Desktop folder is not included in the protected folders by default when Controlled Folder Access is enabled:
Controlled folder access is especially useful in helping to protect your documents and information from ransomware. In a ransomware attack, your files can get encrypted and held hostage. With controlled folder access in place, a notification appears on the computer where an app attempted to make changes to a file in a protected folder.
…
Windows system folders are protected by default, along with several other folders:
The protected folders include common system folders (including boot sectors), and you can add additional folders. You can also allow apps to give them access to the protected folders. The Windows systems folders that are protected by default are:
c:\Users\<username>\Documents
c:\Users\Public\Documents
c:\Users\<username>\Pictures
c:\Users\Public\Pictures
c:\Users\Public\Videos
c:\Users\<username>\Videos
c:\Users\<username>\Music
c:\Users\Public\Music
c:\Users\<username>\Favorites
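To check the point made in the post above on a given machine, the following PowerShell is an added example (not part of the thread or of Microsoft's documentation). It reads Defender's settings with `Get-MpPreference` and reports whether a folder such as the Desktop falls under Controlled Folder Access. The function name `Test-CfaCoverage` is hypothetical, the default list is the one quoted in the post, and treating subfolders of a protected folder as covered is an assumption.

```powershell
# Added example, not from the thread. Reports whether Controlled Folder Access (CFA)
# is on and whether specific folders (Desktop by default) are in its protected set.
function Test-CfaCoverage {
    param(
        [string[]]$Path = @([Environment]::GetFolderPath('Desktop'))
    )

    $pref = Get-MpPreference   # Defender module, built into Windows 10/11

    # EnableControlledFolderAccess is stored as a number.
    $mode = switch ([int]$pref.EnableControlledFolderAccess) {
        0 { 'Disabled' }
        1 { 'Enabled' }
        2 { 'AuditMode' }
        3 { 'BlockDiskModificationOnly' }
        4 { 'AuditDiskModificationOnly' }
        default { "Unknown ($_)" }
    }

    # Default protected folders as listed in the post above, resolved for the
    # current user. Assumption: the profile folders have not been redirected.
    $defaults = foreach ($root in $env:USERPROFILE, $env:PUBLIC) {
        foreach ($leaf in 'Documents', 'Pictures', 'Videos', 'Music') {
            Join-Path $root $leaf
        }
    }
    $defaults += Join-Path $env:USERPROFILE 'Favorites'

    # Folders an administrator added on top of the defaults (may be empty).
    $custom = @($pref.ControlledFolderAccessProtectedFolders |
        Where-Object { $_ } |
        ForEach-Object { [Environment]::ExpandEnvironmentVariables($_) })

    $protected = (@($defaults) + $custom) | ForEach-Object { $_.TrimEnd('\') }

    foreach ($p in $Path) {
        $full = [IO.Path]::GetFullPath($p).TrimEnd('\')

        # Assumption: a folder counts as covered if it is a protected folder
        # or lies beneath one.
        $hit = $protected | Where-Object {
            $full -eq $_ -or
            $full.StartsWith($_ + '\', [StringComparison]::OrdinalIgnoreCase)
        } | Select-Object -First 1

        [pscustomobject]@{
            Path           = $full
            CfaMode        = $mode
            CoveredBy      = $hit    # empty when no protected folder matches
            BlockingActive = ($mode -eq 'Enabled') -and [bool]$hit
        }
    }
}

# Desktop is checked when no -Path is given.
Test-CfaCoverage | Format-List

# To add a folder to the protected set (elevated prompt):
#   Add-MpPreference -ControlledFolderAccessProtectedFolders "$env:USERPROFILE\Desktop"
```

With CFA enabled and no custom folders added, the Desktop row comes back with an empty `CoveredBy`, which is the situation the post describes.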
Cybertooth
AskWoody PlusOctober 21, 2024 at 12:21 pm #2711775In an earlier video, The PC Security Channel mentions Controlled Folder Access:
Controlled Folder Access is a very important feature and I highly recommend that you turn this on and set up all your important folders as protected. I’m not a false optimist, I’m gonna be honest here: if you turn this on, this is going to cause false positives—applications will have trouble accessing files in these locations…
If he did not use CFA in the 2024 test, this may help to explain why.
-
b
AskWoody_MVP -
Cybertooth
AskWoody PlusOctober 21, 2024 at 3:53 pm #2711828Sophos stopped the ransomware encryption, or in some cases undid its effects, without the user’s needing to enable protection for the Desktop folder specifically.
1 user thanked author for this post.
-
b
AskWoody_MVPOctober 21, 2024 at 5:21 pm #2711842Sophos stopped the ransomware encryption, or in some cases undid its effects, without the user’s needing to enable protection for the Desktop folder specifically.
As Sophos costs $60 per year I’d rather store my files in folders protected by Microsoft Defender’s free Ransomware Protection.
-
Cybertooth
AskWoody PlusOctober 22, 2024 at 12:55 pm #2712018A Sophos Home Premium license covers 10 devices, making the cost as little as $6/year for each.
The element of Sophos that intercepted the ransomware is HitmanPro.Alert. (I know their notification style that takes over the whole screen.) Standalone HMP.A is available for $34.95 for one year.
In any event, there is no need for users of Sophos/HMP.A to go adding folders to protect from ransomware attack, as the program intercepts malicious processes wherever they’re trying to do their thing:
Risk Reduction, has a ton of features that are applied globally to the machine.
- CryptoGuard, protection against crypto-ransomware attacks.
-
-
-
Jay B.
AskWoody LoungerOctober 22, 2024 at 7:23 am #2711935Here’s another test on CFA, and it shows how easily it was bypassed by the ransomware.
https://www.youtube.com/watch?v=PEQ7G3XQsIA
-
b
AskWoody_MVP
Drcard:))
AskWoody_MVPOctober 22, 2024 at 11:48 am #2711999Why did his “ransomware simulation” (cfa.exe) not trigger a UAC prompt?
If he has set the UAC settings to Never Notify, no UAC window will open and no user authorization is needed for the software to run. This is the most insecure setting there is and most users would never set the UAC to Never Notify because something could install without their knowledge. I would consider any test that does not test the environment of the majority of users as meaningless.
HTH, Dana:))
-
Cybertooth
AskWoody PlusOctober 22, 2024 at 1:04 pm #2712020Regarding UAC, at one point in the discussion below the video a commenter identifying as the author of the test malware writes that
It would check if you gave it admin, if you didn’t it will request it. Most users would just click yes UNLESS they are aware this is ransomware. So it doesn’t really matter if you have UAC at the top. It will exit if you don’t give it admin. Hope this helped.
1 user thanked author for this post.
Drcard:))
AskWoody_MVPOctober 22, 2024 at 1:26 pm #2712027It would check if you gave it admin, if you didn’t it will request it. Most users would just click yes UNLESS they are aware this is ransomware. So it doesn’t really matter if you have UAC at the top. It will exit if you don’t give it admin.
I totally disagree with the author. All of a sudden software that you don’t know asks to make changes to your PC and you would just OK without checking first? Not anyone I know, and that includes a lot of less knowledgeable users. Maybe years ago, but nowadays even a non-technical user checks before opening an email attachment or granting some software OK to change system files. As the author points out the attack would fail if the UAC is on and not OKed, so that defense would work against the attack.
The only way he could get this attack to work is to deactivate the UAC security step.
HTH, Dana:))
-
Cybertooth
AskWoody PlusOctober 23, 2024 at 12:45 am #2712136In reply to the comment I quoted, the author gets asked a question similar to yours:
…If a ransomware comes in a pdf or docx (masked as being them, me familiar with obfuscated file names and extensions), there is no reason giving these admin privileges. It WILL be a malware by what you say. Any other software I generally vet via virustotal and I don’t just pick a software randomly, it is usually on a recommendation of somebody and usually from trusted sources.
To this question, the author describes a plausible scenario where a user (especially a younger, less-experienced one) might easily approve the UAC elevation:
That is a true point there, but generally given it requires admin permissions, it would rather come masked as an installer/game or whatever realistically requires admin.
Drcard:))
AskWoody_MVPOctober 23, 2024 at 7:44 am #2712192To this question, the author describes a plausible scenario where a user (especially a younger, less-experienced one)
That is the basis of most and oldest of malware attacks…trick you to allow the blocked malware in past your security. Yes there may be a few inexperienced users out there, but at the age the young start on PCs, it would be very few and definitely not the majority of users and not enough to make the statement:
Most users would just click yes UNLESS they are aware this is ransomware. So it doesn’t really matter if you have UAC at the top.
Most users would NOT click such malware until they checked it out. So it DOES matter if you have UAC at the top. If most (majority) of users would bypass the UAC there would be a lot more infected PCs out there than they are now as majority means over half, which would mean multi millions of users. The author has to back his statement of not using UAC, otherwise his whole test would not work. If he wanted to be up front he would have left the UAC on and clicked OK stating that most users would click OK. The users that would just click OK would not be the type of user that would change the default setting of the UAC to not display at all. So his setup does NOT represent what most users have. BTW: Does this same group of Users that would click anyway read articles about security in the first place? To me this is a test how you can get infected when you turn your security off which most already know.
I think the best defense from Ransomware (besides my firewall and AV software) is detached backups. I keep copies of my backups on external drives that are not connected to the PC. If ransomware infects my entire system including attached drives I still have untouched backups to restore to all the encrypted drives.
HTH, Dana:))
Jay B.
AskWoody Lounger October 23, 2024 at 8:10 am #2712193
As for the first two videos, all antiviruses have been tested under the same criteria. The author even mentioned (second video), that all protection settings were enabled in Windows Defender, so that it would not reduce its effectiveness. Some antiviruses have succeeded in detecting, countering and repairing the damages done to the files, while Windows Defender and others failed. There was nothing unfair about it!
1 user thanked author for this post.