Avast anti-virus or Microsoft Security Essentials?

Layback Bear said:

Golden said:

Alejandro85 said:

...UAC. Just make sure it is at its highest level (the default has serious bugs that basically lets any program elevate at will),

Where did you find that?

I'm still waiting for the answer to Golden's question.

Sorry Layback Bear, you have to wait until I finally came back from work

Golden, here are just a few links showing that security flaw introduced in Windows 7:
Windows 7 UAC whitelist: Code-injection Issue (and more)
Sacrificing security for usability: UAC security flaw in Windows 7 beta (with proof of concept code) – istartedsomething
Microsoft dismisses Windows 7 UAC security flaw, continues to insist it is “by design” – istartedsomething

There is a sample program elevating itself (provided the conditions of the default Win7 install) with its full source code and explanations, a lot of discussion and the full explanation of the issue. And some MS employees trying to justify the unjustifiable (that they created a bug and don't admit it).

Long story short, here's how it works:
In the default UAC level, some built-in Windows programs are "white-listed" so they can elevate without a prompt (so it isn't as annoying as in Vista). The trick is that ANY program running with low privileges can leverage that by injecting its own code in one of such allowed programs, then launching it elevated WITHOUT any prompt, basically running as admin any code that the non-admin app wants, without the user knowing.
The very same thing at the highest UAC level (as in Vista) triggers an UAC prompt, as it should (possibly alerting the user with an unexpected elevation request).

Thanks to this, the default Win7 UAC is as effective as no UAC at all, as programs can elevate themselves at will. And yes, there are already viruses out there that take advantage of this. Note that the links date since the betas of Win7.

Therefore, ALWAYS use the highest level for security. Or sacrifice it for convenience and put at the lowest. The middle settings are a complete non-sense.

DustSailor said:

Mate, there have been many patches for windows since that time. However, I agree the safest UAC level is the highest level. But having UAC is better than not. If it doesn't stop all malicious activity, at least it will stop some.

Yes, many updates and patches have appeared since then, nevertheless, the bug I pointed out is still there, and the default UAC level happily lets any program elevate itself by exploiting the white-listed ones. Up to the last patch of Win7 and in Win8 too.
True, even the default is better than nothing at all , but only against unaware viruses unfortunately.

Golden said:

Thanks Alejandro - have you seen this:
Users prevail: Microsoft changes Windows 7 UAC control panel behavior to address security flaw – istartedsomething

No, didn't knew that link, but knew the "solution". But really, it's no solution at all. All it does is prevent a virus from disabling the UAC altogether, but it can anyway elevate itself at will and wreak havoc in every other place like any admin process. It's a little better, but really doesn't solves anything.
Just try the proof-of-concept program there and see how easy is to bypass the default UAC. Still works on a fully patched Win7 and Win8.

UAC I assumed was a stepping stone, it makes app vendors get their software to work in limited mode which allows the next logical step of making people use limited user accounts by default. But this doesnt happen in win8 right thats still admin accounts with UAC?