Security News Dismantling Smart App Control

Gandalf_The_Grey

Gandalf_The_Grey

Level 82
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,189
Content source
https://www.elastic.co/security-labs/dismantling-smart-app-control
Introduction

Reputation-based protections like Elastic’s reputation service can significantly improve detection capabilities while maintaining low false positive rates. However, like any protection capability, weaknesses exist and bypasses are possible. Understanding these weaknesses allows defenders to focus their detection engineering on key coverage gaps. This article will explore Windows Smart App Control and SmartScreen as a case study for researching bypasses to reputation-based systems, then demonstrate detections to cover those weaknesses.
Click to expand...
Key Takeaways:
  • Windows Smart App Control and SmartScreen have several design weaknesses that allow attackers to gain initial access with no security warnings or popups.
  • A bug in the handling of LNK files can also bypass these security controls
  • Defenders should understand the limitations of these OS features and implement detections in their security stack to compensate
Click to expand...
Conclusion

Reputation-based protection systems are a powerful layer for blocking commodity malware. However, like any protection technique, they have weaknesses that can be bypassed with some care. Smart App Control and SmartScreen have a number of fundamental design weaknesses that can allow for initial access with no security warnings and minimal user interaction. Security teams should scrutinize downloads carefully in their detection stack and not rely solely on OS-native security features for protection in this area.
Click to expand...

Dismantling Smart App Control — Elastic Security Labs

This article will explore Windows Smart App Control and SmartScreen as a case study for researching bypasses to reputation-based systems, then demonstrate detections to cover those weaknesses.
www.elastic.co www.elastic.co
 
  • Like
  • +Reputation
  • Thanks
Reactions: Zartarra, Trident, silversurfer and 11 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,458
Thanks for posting this article. :)(y)
For most readers, this fragment can be important:

Conclusion​

Reputation-based protection systems are a powerful layer for blocking commodity malware. However, like any protection technique, they have weaknesses that can be bypassed with some care.
Click to expand...

In my opinion, SAC is a practical solution intended to support the AV and cannot be considered a panacea.
Until standard attack vectors (well-blocked by SAC) are very effective in the wild, SAC can be a powerful protection layer. Sooner or later this happy picture will change and Windows built-in security must evolve to be still powerful.
 
  • Like
  • +Reputation
Reactions: simmerskool, Trident, Jonny Quest and 4 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,458
The privacy aspect of SAC is probably the last thing to worry about. Each of us has compromised our privacy to a much greater extent by simply browsing the web. Do we configure the cookie permissions on every website? Our data stored in databases used in health care, social security, state institutions, etc. are not safe. All of this is far more dangerous for our privacy than using SAC.
 
  • Like
  • +Reputation
Reactions: simmerskool, flutek, Digmor Crusher and 3 others
A

aftech

Level 1
Dec 6, 2023
23
zidong said:
You have optional diagnostic data in Windows turned off. If you want to turn Smart App Control on, you'll need to reset this PC, or reinstall Windows, and select Send optional diagnostic data during the setup process.

Thanks, but no thanks.
Click to expand...
I have SAC available after Windows install even with turning off optional diagnostic data.
It was in evaluation mode; I turned it into on mode manually before Windows decide to turn it off if it is considered not suitable for the software I install.
 
  • Like
Reactions: simmerskool, Andy Ful and oldschool
oldschool

oldschool

Level 84
Verified
Top Poster
Well-known
Mar 29, 2018
7,577
zidong said:
You have optional diagnostic data in Windows turned off. If you want to turn Smart App Control on, you'll need to reset this PC, or reinstall Windows, and select Send optional diagnostic data during the setup process.
Click to expand...
aftech said:
I have SAC available after Windows install even with turning off optional diagnostic data.
It was in evaluation mode; I turned it into on mode manually before Windows decide to turn it off if it is considered not suitable for the software I install.
Click to expand...
I select Optional Diagnostic Data after a reset or clean install, then check Windows Update, install programs, etc., enable SAC and finally turn off ODD. SAC works fine with it off. Beautiful, built in protection. 👍 👍 :cool:
 
  • Like
  • +Reputation
Reactions: simmerskool, Gandalf_The_Grey, aftech and 1 other person

Similar threads

Shadowra
    • Like
    • +Reputation
    • Thanks
App Review Microsoft Defender Antivirus + Windows 11 Smart App Control (SAC)
Replies
44
Views
3,095
Video Reviews - Security and Privacy
tofargone
tofargone
Gandalf_The_Grey
    • Wow
    • Like
    • +Reputation
Malware News Infostealer malware bypasses Chrome’s new cookie-theft defenses
Replies
0
Views
1,798
Security News
Gandalf_The_Grey
Gandalf_The_Grey
[correlate]
    • Like
    • +Reputation
    • Applause
Security News BITS and Bytes: Analyzing BITSLOTH, a newly identified backdoor
Replies
2
Views
2,362
Security News
[correlate]
[correlate]

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top