Windows Defender and Your Run key – what do You need to know?


Recently one of my friends, who runs a small (but very good – <ad word>if you need serious security guys, just call them</ad word>) security company, sent me a link to a document. This document described a simple experiment with the security features of Windows Vista (Beta 2). Its author wrote a simple program which did a few things:

  • looks like a Security Center element 🙂
  • copies itself onto the hard drive
  • adds an entry to the current user's registry so that it is run at next logon
  • connects to an IRC channel and listens for instructions.

So basically it mimics the behavior of many Internet bots. The author's conclusion was that this test didn't fire any of the protection / security mechanisms present in Vista. What we might expect is that it would trigger at least two of them:

  • User Account Control: a new Vista feature created to keep the system in good shape and control privileged actions in the system
  • Windows Defender: anti-spyware software installed in Vista by default (also available for Windows XP)

Bug?? Security issue?? I tried to investigate it a little and asked a few people about it. But first, before I come to any conclusions, let's think about what this program actually did in the system.

A user (not an admin) got a program (e-mail?? WWW??) and ran it in the system. This program:

  • wrote a file onto the file system, which the user has the right to do, as NTFS permissions allow it
  • wrote an entry in the user portion of the registry, to which the user has full rights
  • connected to an IRC service on the Internet, which is a legitimate service, but sometimes used in a bad way.

Did any of those actions require administrative privileges, and should we expect UAC to fire on these events? What is the role of UAC? To keep the integrity of the system and notify / request confirmation from the user for every action in the system which requires admin privileges or can affect system integrity (which in most cases is the same thing). So should UAC fire an event on this one? Leaving aside the discussion of whether UAC should also watch some special keys in the registry, we can say "no", it wasn't its job.

So we still have Windows Defender; it looks like dealing with such things is a task for this piece of software. So I did a little investigation, talked with different people and came to some conclusions.

First, the action which may fire an event from Windows Defender in this test is writing something to the Run key in the user's portion of the registry under:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

We can easily repeat this test using reg.exe to add something to this key:

C:\>reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Data /t REG_SZ /d aaaa.exe

The operation completed successfully.

Wow ... nothing from Defender. Why? It turned out that by default Defender will not raise any alert for software which hasn't been classified yet. To make it do so you have to go to Tools -> Options, and then under "Choose if Windows Defender should notify you about" turn on "Software that has not been yet classified for risk".

If you enable this option, doing the same operation will fire up a nice Windows Defender pop-up.


It's worth mentioning that even after enabling this option you will not get a Defender pop-up for every possible entry in this key; for example, putting notepad.exe there shouldn't give you a pop-up. That's because Defender considers properly signed files as safe. When I learned this, the first thing which came to my mind was ... rundll32.exe: signed, known, possibly dangerous.

But it turned out (obviously, the people who write this software also know the system, probably better than I do) that this case is checked too, and putting rundll32.exe there with a call to an unsigned DLL file will also raise an event.
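The same reasoning can be applied from the administrator's side when reviewing what is already in the Run keys. The following PowerShell script is an added example, not code from the post or from Microsoft: it walks the HKCU and HKLM Run keys, works out which file each entry really launches (for rundll32.exe that is the DLL passed to it, as described above), and reports the Authenticode signature status of that file. It assumes Windows PowerShell with Get-AuthenticodeSignature and Get-Command available, and treats a leading "PS" property name as provider metadata rather than a Run value.

```powershell
# Added example (not from the original post). Audits Run keys with the
# reasoning the post describes: a properly signed target is treated as low
# risk, and for rundll32.exe the DLL it is told to load is what gets checked.
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# Return the file that a Run-key command line really executes.
function Get-RunTarget {
    param([string]$Command)
    $exe = $null; $rest = ''
    if ($Command -match '^\s*"([^"]+)"\s*(.*)$') { $exe = $Matches[1]; $rest = $Matches[2] }
    elseif ($Command -match '^\s*(\S+)\s*(.*)$')  { $exe = $Matches[1]; $rest = $Matches[2] }
    # rundll32.exe itself is signed by Microsoft; the interesting file is the
    # DLL named before the comma in its argument ("foo.dll,EntryPoint").
    if ($exe -and ([IO.Path]::GetFileName($exe) -ieq 'rundll32.exe') -and $rest) {
        return ($rest -split ',')[0].Trim().Trim('"')
    }
    return $exe
}

# Resolve a bare name such as notepad.exe through PATH, like the shell would.
function Resolve-RunPath {
    param([string]$Target)
    if (-not $Target) { return $null }
    $expanded = [Environment]::ExpandEnvironmentVariables($Target)
    if (Test-Path -LiteralPath $expanded) { return (Resolve-Path -LiteralPath $expanded).Path }
    $cmd = Get-Command $expanded -CommandType Application -ErrorAction SilentlyContinue |
           Select-Object -First 1
    if ($cmd) { return $cmd.Path } else { return $null }
}

function Get-RunKeyAudit {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($p in $values.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not Run values
            $path   = Resolve-RunPath (Get-RunTarget ([string]$p.Value))
            $status = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'NotFound' }
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value
                               Target = $path; Signature = $status }
        }
    }
}

# Entries whose launched file is not validly signed deserve a closer look.
Get-RunKeyAudit | Where-Object { $_.Signature -ne 'Valid' } | Format-Table -AutoSize
```

An entry reported as NotFound means the command line could not be resolved to a file at all, which is worth investigating just as much as an unsigned one.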

So ... I think it's good to know that such an option exists and that it isn't enabled by default. You can (should??) turn it on; what you may expect is a few more pop-ups than in a standard Defender installation.

It's good to know that such an option exists and that you may turn it on ... which is the main reason why I wrote this article.

And to make it a little more AD related ... maybe I will write an ADM template to put this option in a GPO .. someday :).

BTW – are my entries too long?