Serious Discussion Benefits of Smart App control (SAC) and Core Isolation on Windows 11

[BSONE]

I currently have both enabled. SAC was a fail for me before on a previous install, but everything works fine for now.
I would be interested in other peoples opinions.

 

[Bot]

That's great to hear! Both SAC and Core Isolation provide enhanced security. SAC allows you to control your apps remotely, while Core Isolation provides hardware-based security features. They might cause some compatibility issues, but if they're working fine for you, that's a plus. Looking forward to hearing from others too.

 

[Andy Ful]

SAC allows you to control your apps remotely,

Nonsense. Please update your post:: SAC is a Smart App Control on Windows 11:

Smart App Control Frequently Asked Questions - Microsoft Support

Frequently asked questions (FAQs) about Smart App Control, a Windows feature designed to block malicious, untrusted, or potentially unwanted apps from running on your device.

support.microsoft.com

 

[Andy Ful]

I currently have both enabled. SAC was a fail for me before on a previous install, but everything works fine for now.
I would be interested in other peoples opinions.

Here is what David Weston ( Vice President Enterprise and OS Security at Microsoft.) writes about SAC:

Using an AI model based on the 78 trillion security signals Microsoft collects each day, this feature can predict if an app is safe. The policy keeps common, known-to-be-safe apps running while unknown, malware-connected apps are blocked. This is incredibly effective protection against malware.

It is a strong protection at home, hybrid work, or very small businesses. It will not be so effective against targeted attacks, because the attacker can intentionally use a properly signed 0-day malware or MotW bypass (for scripts) to skirt around SAC. Anyway, such attacks are rare at home, because the successful attack would often require properly signed or fileless payloads.

 

[oldschool]

I use SAC with MS Defender and both work just fine here. If you find SAC is blocking an application you use and it has become non-functional, post specifics on the Feedback Hub and follow the on-screen instructions to upload the file. They won't reply to you, but you may find the app is no longer blocked after some time has passed.

 

[kailyn]

I currently have both enabled. SAC was a fail for me before on a previous install, but everything works fine for now.
I would be interested in other peoples opinions.

You will be fine with it until it blocks and breaks something for you because "users want to use stuff."

 

[Andy Ful]

Yes, it is probably not a good choice for users who "want to use stuff". Even popular and signed software can be partially blocked due to using some unsigned DLLs.
But many people use computers for simple tasks like web browsing, watching videos, listening to music, email management, reading documents, shopping, etc. Many adults have no time and inclination to do more computer tasks. I think that for them, SAC can be a good choice.

 

[oldschool]

In fact, I just submitted an installer for a Samsung app, probably not signed, that was blocked by SAC. We'll see if it's allowed to run after some time has passed.

 

[Andy Ful]

In fact, I just submitted an installer for a Samsung app, probably not signed, that was blocked by SAC. We'll see if it's allowed to run after some time has passed.

Is it available in Microsoft Store?

 

[oldschool]

Is it available in Microsoft Store?

Not that particular one. The Store version wasn't compatible with my machine.

 

[kailyn]

Yes, it is probably not a good choice for users who "want to use stuff".

That is a people problem that cannot be solved with software.

Even popular and signed software can be partially blocked due to using some unsigned DLLs.

Microsoft should, once and for all, lay down the rules and not waiver. Unsigned DLLs are a pariah and the only correct and effective way to deal with them is to block them while at the same time create some mechanism where widely used, long-standing unsigned DLLs are signed for the greater common good.

Many adults have no time and inclination to do more computer tasks.

That is another people problem. Microsoft should not have to deal with people and their problems. Their ignorance and bad behaviors.

Security is not software. It is a process. (And that process has to be handled entirely and properly by the user side, and not the developer side.)

The world is changing and the old models that cater to "users want to use stuff" have been obsolete for a long time by now. The reason nobody wants to tackle all those user issues is because dealing with people is such an awful task. However, with the ascendancy of AI moving forward, things that people really are not going to like is going to have to be done. The rules about users and what they are allowed and not allowed to do is going to have to change otherwise sticking to dinosaur thinking of "users want to use stuff" shall be bring down entire societies via malicious campaigns. There are attack models being studied at top world universities regarding how future malware campaigns will unfold and it is a really ugly picture. A single home user "that wants to use stuff" will be the genesis of an attack that brings down an entire national electrical grid.

In that future, SAC will not nearly be enough. Going forward, Microsoft is going to have to become much more authoritarian with its operating systems and software to protect society. If it does not then mass global disruption of the worst kind shall proceed like clock-work.

I know people here at MT cannot cope with this. Lots of people here are stuck in the past of "users want to use stuff and they must be allowed to do so."

Lots of people here at MT stuck in the past are just dead wrong. They can be forgiven because they cannot help themselves. They are stuck in their belief that a "user that wants to use stuff" must always come first. Well, catering to user whims is the reason we're at where we're at as far as the malware problem. That model never has worked because it never could work - ever.

 

[BSONE]

Thank's for the comments folks. I will stick with SAC until it breaks something important to me. It is much better now than it was in the the early days where it even blocked Office 365 DLL's.

 

[Andy Ful]

The rules about users and what they are allowed and not allowed to do is going to have to change otherwise sticking to dinosaur thinking of "users want to use stuff" shall be bring down entire societies via malicious campaigns.

But the changes can be a challenge. The motto "users want to use stuff" is built into the economy of most countries (since the rise of capitalism). This motto helped to create the world with an expanding amount of goods and offers. The probable cons are resource shortage and possible climate change. Similarly, in the IT world, we have cyber-criminals and malicious campaigns.

 

[EstrellaRhodes]

Great to hear SAC is working well for you now! I’ve found Smart App Control to be pretty helpful in enhancing security by blocking untrusted apps, which is especially handy if you download software from various sources. Core Isolation is also a solid feature, adding an extra layer of protection by isolating critical processes. I’ve had a good experience with both enabled, feeling more secure overall. It’d be interesting to hear how others find these features, too, especially if they've encountered any issues or noticed performance impacts.

 

[BSONE]

I had a SAC block today with an in-app upgrade of Windscribe. First SAC intervention in months. Almost forgot that it was there.

 

[BSONE]

I am finding that Microsoft are becoming much more responsive with their whitelisting of unknown apps. I think that they are finally serious about the future of Smart App Contol going forward.
For example this week I downloaded AnythingLLM and SAC blocked the installation.I did a VT scan and it had only one warning, so I decided to do a Norton Power Eraser rootkit scan which flagged the app as suspicious because it was new with zero reputation. I then tried to install the app about an hour later and it installed perfectly.
Another example was today when I upgraded my Windsribe client from stable to beta within the app. Result: blocled by SAC. Dowloaded the .exe from Windscribe and and installation was also blocked. I tried the same file 20 minutes later and it worked perfectly.
In both instances, I did not manually send the files to Microsoft for Analysis.

 

[bazang]

I currently have both enabled. SAC was a fail for me before on a previous install, but everything works fine for now.
I would be interested in other peoples opinions.

I use Smart App Control (SAC) on multiple personal, company, and government systems. Once in a while it will block an unsigned DLL. However, the blocking is rarely more than 24 hours even when unsigned due to the use of Microsoft's globally vast file reputation system integrated into the security functionality stack, of which SAC benefits from integration with it.

There are users out there that will drop SAC if it blocks anything, even if the block does not obviously break any functionality. With them, the problem is not SAC but their mental inability to cope with block events. They are intolerant and/or ignorant - which Microsoft is partly to blame because it does not properly explain expected behaviors and train users. Microsoft documentation is not adequate nor sufficient for users. That said, Microsoft's official position in its EULA is that users that don't know are expected to figure it out.

99.9% of the time, when SAC blocks an unsigned DLL, that DLL will not be blocked after 24 hours or less and functionality will be restored. In the corner cases where low reputation unsigned files remain blocked, I always get the publisher to digitally sign the blocked file or ensure that their updaters are properly replacing old, unsigned libraries and other executable files.

Most people that complain about SAC blocking stuff don't know what they're doing.

 

[bazang]

Another example was today when I upgraded my Windsribe client from stable to beta within the app. Result: blocled by SAC. Dowloaded the .exe from Windscribe and and installation was also blocked. I tried the same file 20 minutes later and it worked perfectly.

This is correct, expected behavior that Microsoft does not properly explain so many users think SAC does not work correctly or does not work well.

For files blocked by SAC, Windows performs a file check (prevalence and reputation, and probably some other checks) and widely-known, prevalent files from trusted vendors (unsigned files that are traceable to the trusted vendor) are permitted so as to unblock the files after a period of time.

Other times the files continue to be blocked, but there is no functionality breakage - and the user is deliberately not told so as not to trigger them. It is better not to tell users much of anything when it comes to default deny. The sysadmin should handle the problems and the user not allowed to do anything.

Problem is, Windows for Home is a hand-me-down OS that is very minimally managed by Microsoft - and Microsoft does not want to be bothered with non-enterprise and non-government users.

SAC was not developed for home users/consumers. It was developed for enterprises and governments. Every single time that Microsoft tries to roll-out one of these robust default deny type of protections (for example, Windows S Mode), it is the users that destroy the security through their constant whining, complaining, and the problems that they create because they do not know what they're doing. In the end, Microsoft withdraws the protections or makes it only minimally available to the home user base.

 

[BSONE]

Excellent reply by Bazang. Thank You.

 

[BSONE]

99.9% of the time, when SAC blocks an unsigned DLL, that DLL will not be blocked after 24 hours or less and functionality will be restored.

This was my main gripe when SAC was first relaesed. I was amazed how it consistently flagged MS Office DLL's as dodgy when I Launched Word or Excel. The apps still worked, but it took about 6 months for Microsoft to whitelist the DLL's as safe. Absurd!