UAC security question


  1. Posts : 10,485
    W7 Pro SP1 64bit
       #11

    Once an app has elevated privileges, it can silently change lots of things in the registry - including incoming and outgoing firewall rules.

    It would have been nice/better if the offending app had told the user that it was going to lower security settings. If we don't find the offending app, we can try locking down that part of the registry via permissions. But that is a last resort since doing so can cause other issues.

    Let your fiancee know to tell you if she sees something other than Always notify if the computer restarts.


  2. Posts : 4,566
    Windows 10 Pro
    Thread Starter
       #12

    Username issues you are the man!

    Thanks to your script I discovered what it was!

    It's Panda antivirus. :)

    1.) Set UAC to its highest level, always notify.
    2.) Download the test eicar.com file from Download ° EICAR - European Expert Group for IT-Security
    3.) When Panda detects the threat, it goes down to the default UAC level.

    At least for me. Does it do it for you?

    I regularly test my AV software to make sure it's working, and that is why every couple of weeks this happened.

    If you confirm it, I will send this data to Panda Security and inform them. I have confirmed it on a virtual machine, but just wanted to make sure.
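
A way to catch the silent UAC change described in posts #11 and #12, as an added example that is not part of the thread and is not the script post #12 refers to. It maps the standard UAC policy registry values to the slider positions and logs every change with a timestamp; the log path, the 5-second interval and the function names are assumptions.

```powershell
# Added example (not from the thread): watch the UAC slider level and log drift.
$UacKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$LogFile = Join-Path $env:TEMP 'uac-level.log'   # assumed log location
$Expected = 'Always notify'                       # level set in step 1 of post #12

# Translate the three policy values into the name shown in the UAC GUI.
function Get-UacLevel {
    param(
        [int]$EnableLUA,
        [int]$ConsentPromptBehaviorAdmin,
        [int]$PromptOnSecureDesktop
    )
    if ($EnableLUA -eq 0) { return 'UAC disabled (EnableLUA=0)' }
    switch ("$ConsentPromptBehaviorAdmin/$PromptOnSecureDesktop") {
        '2/1'   { return 'Always notify' }
        '5/1'   { return 'Default' }
        '5/0'   { return 'Default, no secure desktop' }
        '0/0'   { return 'Never notify' }
        default { return "Custom ($_)" }
    }
}

# Read the live values; a missing value is treated as 0 by the [int] cast.
function Read-UacLevel {
    $p = Get-ItemProperty -Path $UacKey
    Get-UacLevel -EnableLUA $p.EnableLUA `
        -ConsentPromptBehaviorAdmin $p.ConsentPromptBehaviorAdmin `
        -PromptOnSecureDesktop $p.PromptOnSecureDesktop
}

# Poll and record each transition so it can be lined up with what was
# running at that moment (for example an antivirus detection).
$last = $null
while ($true) {
    $now = Read-UacLevel
    if ($now -ne $last) {
        $flag = if ($now -ne $Expected) { 'DRIFT' } else { 'ok' }
        $line = '{0:s}  {1,-5}  {2}' -f (Get-Date), $flag, $now
        Write-Output $line
        Add-Content -Path $LogFile -Value $line
        $last = $now
    }
    Start-Sleep -Seconds 5
}
```

Reading these values does not need elevation, so the loop can run in a normal user session while the test in post #12 is repeated.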


  3. Posts : 10,485
    W7 Pro SP1 64bit
       #13

    I tried to download the sample...
    ...it is deleted by IE11's SmartScreen Filter.

    I turn off that filter & download again...
    ...the sample is deleted by Windows Defender.

    I disable Windows Defender...
    ...now the website stopped responding.
    ...I'll try the https connection.

    I'll test it when I can


  4. Posts : 10,485
    W7 Pro SP1 64bit
       #14

    As you can see in the video below, I'm using the default settings. Remember when I told you (at least I think that it was you) that Panda Cloud Antivirus (PCA) triggered on cookies and that I did not want those that I support calling me every time that they saw that. PCA lowered the UAC when it found a cookie :-(

    The quick scan did not touch the desktop?
    (which already had the eicar.com sample on it)

    I tested several more times...
    ...each time ending the Virtual Machine (VM).
    The VM is frozen, so it reverted to a clean state.
    IE's filter was turned off.
    Windows Defender was disabled.
    The sample was downloaded to the desktop via https.


    For one of those tests, I got this video:
    (skip to 2:30 if you are in a hurry)

    It is not one of my better videos since I forgot to open the UAC GUI before installing PCA.

    PCA was installed.
    A quick scan was run.
    A cookie was found.
    The UAC level was lowered.
    I set the UAC to high.

    Not shown in the video:
    I restarted the VM.
    Opened the UAC GUI
    Started recording a second video.
    Right clicked on the sample.
    (figuring that PCA would kick in when I accessed the sample file's properties)
    PCA did kick in...
    ...but alas, the sample file's properties window hid the UAC window
    ...so the video did not record the UAC level change.
    But the UAC level was lowered.
    I dumped that video.

    I tried a few more times to record PCA killing the eicar.com sample and I saw some things that did not look right. I could not get PCA to kill the eicar.com sample in more than one subsequent test. I'll see if I can get that on video.


    edit:
    It is possible that I was rushing things. Maybe I checked the properties of the eicar.com sample before PCA's services got started (but I also hope that such is not possible). I could not get the "failure" on video.

    I thought about showing a constant ping to one of the many servers that Panda sends submissions to - to prove connectivity for the VM... but then I recalled that it only submits unknowns. It does have a local database for some checks. Right?

    Here is a video with more detail. The boot at the start is to show that the W7 pro 64bit VM was restarted after setting the UAC to high. However, the move from default to high does not require a restart. I also opted to restart (just for fun) after installing PCA.
    Last edited by UsernameIssues; 03 Mar 2014 at 03:03.


  5. Posts : 4,566
    Windows 10 Pro
    Thread Starter
       #15

    Great vids thank you for your testing :)

    Created a thread in their support forum to let them know:

    Panda Security Forum - View topic - Panda cloud AV UAC Issue

    By the way, what screen video recorder do you use?
    Last edited by andrew129260; 03 Mar 2014 at 17:44.


  6. Posts : 4,566
    Windows 10 Pro
    Thread Starter
       #16

    UPDATE:

    Panda has confirmed this bug. They are going to work on fixing it.

    Thanks to username issues and everyone else who has responded to this.


  7. Posts : 10,485
    W7 Pro SP1 64bit
       #17

    andrew129260 said:
        "By the way, what screen video recorder do you use?"

    [Attached image: UAC security question-cam.png]

    Installed in the root of the system drive (instead of the Program Files folders). I tried a newer version of CamStudio and there was something about it that I did not like. I'm not sure where CamStudio 2.0 can be safely downloaded from... I cannot test right now.


  8. Posts : 4,566
    Windows 10 Pro
    Thread Starter
       #18

    The UAC issue with Panda is a bug; Panda confirmed it and it will be fixed with its new full version release. The whole interface is being redone and will have several performance improvements.

    Panda Cloud Antivirus 2.9 Beta


  9. Posts : 4,566
    Windows 10 Pro
    Thread Starter
       #19


  10. Posts : 53
    Windows 7 Home Premium x64 SP1
       #20

    Panda Cloud Antivirus FREE 3.0.1 still has this annoying issue!
    It drove me crazy then I realized it was Panda.... a few weeks later I've found this thread to confirm the issue, which has NOT been fixed in the free cloud version.

    Not only this, Panda also doesn't allow me to hide drive D: (reg key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives ) always reverting it to default value 0. After reboot randomly I see again drive D: and registry key restored to default (!).


 