Poll Do you use Smart App Control? I know, not many of you!

Do you use Smart App Control? Why? Why not? WTF?


  • Total voters
    51
F

ForgottenSeer 97327

Voted OTHER: using the slightly dumber but easy to customize and control sibling of SAC called ISG (Windows Defender Application Control)

I am still on Windows 10 (old desktop PC) and am using ISG (Intelligent Security Graph) which shares the same backend with SmartScreen and Smart Application Control.

When I am moving to Windows 11 (next year when I buy new CPU+Mobo) I will remain on WDAC - ISG because I can make allow exceptions on signer, hash and file/folder similar to SRP and AppLocker. Improvement of WDAC over AppLocker is that it has ISG (sort of similar to SAC). With ISG you can li decide to include or exclude dynamic code (dotNet and DLL's) and scripts

Good think about WDAC is that when you have a WINDOWS PRO version in your household, you can create a WDAC-policy for any another Windows 10 or 11 machine. I created a WDAC for my wife's Windows11 Home laptop and it works flawlessly. Microsoft released a WDAC wizard (link) to create you own policies. Anyone who has used Hard_Configurator should be able to create one.

Some tips
1. Choose signed and reputable mode
2. Create explicit (redundant) allow rule for Program Files (also x86) folders ***
3. Enable the 'boot audit on failure' AND 'advanced boot options menu' option, to prevent locking you out.
4. Include scripts (runs powershell in Constrained Language Mode, blocks mshta, msxml, vbscript, cscript, jscript and only allows a few 'safe' COM-objects)
5. Include Store Apps

WDAC like SAC works along side your third-party anti-virus, so when you add SimpleWindowsHardening to block risky file extensions in user folders, you have created a strong second safety net for your computer to be used alongside your favourite security software.

NOTE ***
2. When Core Isolation is disabled because of incompatible drivers also add Windows folder to redundant allow
 
Last edited by a moderator:

B-boy/StyLe/

Level 3
Verified
Well-known
Mar 10, 2023
147
I would if I could, but there's too many software which doesn't work with it. And game mods too, like skyrim .dll based mods which are not signed.
This reminds me of when they introduced DEP. I had to add gta-vc.exe to the exclusions in order to get it to run.
Btw, I am still having this game and this exclusion LMAO. And it's the only exclusion I currently have.
Image-519.png

Probably The Definitive Edition is ok and the exclusion will now be needed, but I can't verify myself.
I hope the bad guys wouldn't see this and create a malicious EXE with the same name to bypass my setup. 🤣:ROFLMAO:
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,458
I voted Other, because I must test some applications compiled by me. Otherwise, I would use SAC - it worked well in my tests.
I worth mentioning that security solutions mentioned in this thread cannot replace SAC protection.
But, it is also true that SAC will allow some digitally signed malware, that can be blocked by those security solutions.

Edit.
I am (positively) surprised that so many MalwareTips members use SAC (currently almost 20%). It is really a very good security solution at home, but surely can be improved to be more usable.
 
Last edited:
F

ForgottenSeer 97327

I worth mentioning that security solutions mentioned in this thread cannot replace SAC protection.
That is really nonsense when you are hinting on WDAC - ISG (n) Microsoft even advises system admins to use WDAC over SAC :rolleyes:

Microsoft said:
WDAC will check the file's reputation by sending its hash and signing information to the cloud. If the ISG reports that the file has a "known good" reputation, then the file will be allowed to run. Otherwise, it will be blocked by WDAC.

Microsoft said:
When you try to run an app on Windows, Smart App Control will check to see if our intelligent cloud-powered security service can make a confident prediction about its safety. If the service believes the app to be safe, Smart App Control will let it run. If the app is believed to be malicious or potentially unwanted, then Smart App Control will block it.
 
Last edited by a moderator:
  • Like
Reactions: Nevi and oldschool

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,458
That is really nonsense when you are hinting on WDAC - ISG (n) Microsoft even advises system admins to use WDAC over SAC :rolleyes:

By "replaced" I did not mean worse. Both SAC and your setup "WDAC + ISG" cover slightly different attack surfaces.

"WDAC + ISG" is vulnerable to some popular attack vectors that SAC covers. These attack vectors have become more dangerous since the year 2023 due to some improvements in transferring MOTW from disk images (ISO, IMG, VHD, VHDX) to their content. Similar improvements will be applied soon to archives (7-Zip, Gz, and RAR). As we know, ISG and SmartScreen are vulnerable to the attack vector via benign/vulnerable EXE + malicious DLL, when the EXE has got MOTW. It is a very simplistic attack when EXE + DLL is contained in the disk image or archive.

SAC can be "bypassed" by some signed malware samples, that can be blocked by "WDAC + ISG".

WDAC without ISG is more comprehensive than SAC and "WDAC + ISG". So yes, Microsoft advises Administrators to use WDAC over SAC. Another reason is that SAC cannot use Managed Installer which automatically allows applications installed by a designated software distribution solution, such as Microsoft Configuration Manager (MEMCM) or Microsoft Intune. WDAC does have several convenient features for Administrators - SAC does not.

Both SAC and "WDAC + ISG" cannot be strong protection against targeted attacks and lateral movement, but can be good protection at home and small business.
The setup "WDAC + ISG" can be improved by blocking execution in folders where users download files from the Internet, and by blocking execution from removable drives.
 
Last edited:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top