Dismantling Smart App Control

Gandalf_The_Grey (thread author)
Introduction

Reputation-based protections like Elastic’s reputation service can significantly improve detection capabilities while maintaining low false positive rates. However, like any protection capability, weaknesses exist and bypasses are possible. Understanding these weaknesses allows defenders to focus their detection engineering on key coverage gaps. This article will explore Windows Smart App Control and SmartScreen as a case study for researching bypasses to reputation-based systems, then demonstrate detections to cover those weaknesses.
Key Takeaways:
  • Windows Smart App Control and SmartScreen have several design weaknesses that allow attackers to gain initial access with no security warnings or popups.
  • A bug in the handling of LNK files can also bypass these security controls.
  • Defenders should understand the limitations of these OS features and implement detections in their security stack to compensate.
Conclusion

Reputation-based protection systems are a powerful layer for blocking commodity malware. However, like any protection technique, they have weaknesses that can be bypassed with some care. Smart App Control and SmartScreen have a number of fundamental design weaknesses that can allow for initial access with no security warnings and minimal user interaction. Security teams should scrutinize downloads carefully in their detection stack and not rely solely on OS-native security features for protection in this area.
 

Andy Ful
Thanks for posting this article. :)(y)
For most readers, this fragment can be important:

Conclusion

Reputation-based protection systems are a powerful layer for blocking commodity malware. However, like any protection technique, they have weaknesses that can be bypassed with some care.

In my opinion, SAC is a practical solution intended to support the AV and cannot be considered a panacea.
Until standard attack vectors (well-blocked by SAC) are very effective in the wild, SAC can be a powerful protection layer. Sooner or later this happy picture will change and Windows built-in security must evolve to be still powerful.
 

Andy Ful
The privacy aspect of SAC is probably the last thing to worry about. Each of us has compromised our privacy to a much greater extent by simply browsing the web. Do we configure the cookie permissions on every website? Our data stored in databases used in health care, social security, state institutions, etc. are not safe. All of this is far more dangerous for our privacy than using SAC.
 

aftech
You have optional diagnostic data in Windows turned off. If you want to turn Smart App Control on, you'll need to reset this PC, or reinstall Windows, and select Send optional diagnostic data during the setup process.

Thanks, but no thanks.
I have SAC available after Windows install even with turning off optional diagnostic data.
It was in evaluation mode; I turned it into on mode manually before Windows decides to turn it off if it is considered not suitable for the software I install.
 

oldschool
You have optional diagnostic data in Windows turned off. If you want to turn Smart App Control on, you'll need to reset this PC, or reinstall Windows, and select Send optional diagnostic data during the setup process.
I have SAC available after Windows install even with turning off optional diagnostic data.
It was in evaluation mode; I turned it into on mode manually before Windows decides to turn it off if it is considered not suitable for the software I install.
I select Optional Diagnostic Data after a reset or clean install, then check Windows Update, install programs, etc., enable SAC and finally turn off ODD. SAC works fine with it off. Beautiful, built in protection. 👍 👍 :cool:
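The posts above turn on a state (Evaluation, On, Off) that Windows stores in the registry, and once SAC drops to Off it may need a reset or reinstall to come back, as the quoted Windows message says. The script below is an added example, not code from this thread or from the Elastic article it discusses: it reads that state on a Windows 11 machine and reports drift from the state an administrator expects. It assumes the value `VerifiedAndReputablePolicyState` under the Code Integrity policy key with the 0/1/2 = Off/On/Evaluation mapping; a machine without SAC support simply has no such value.

```powershell
# Added example (not from the thread or the Elastic article): report the
# Smart App Control state and check it against an expected value.
# Assumption: SAC stores its mode as a DWORD named VerifiedAndReputablePolicyState
# under the CI\Policy key, with 0 = Off, 1 = On, 2 = Evaluation.

function Get-SmartAppControlState {
    [CmdletBinding()]
    param()

    $keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy'
    $valueName = 'VerifiedAndReputablePolicyState'

    # Missing value: SAC is not available on this build / image.
    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ RawValue = $null; State = 'NotPresent' }
    }

    $raw = [int]$item.$valueName
    $state = switch ($raw) {
        0       { 'Off' }
        1       { 'On' }
        2       { 'Evaluation' }
        default { 'Unknown' }
    }
    [pscustomobject]@{ RawValue = $raw; State = $state }
}

function Test-SmartAppControlState {
    # Returns $true when SAC is in the expected state, otherwise warns and
    # returns $false. Run it periodically as a drift check: SAC leaves
    # Evaluation mode on its own, and once Off it may not be re-enabled
    # without a reset or reinstall.
    param(
        [ValidateSet('Off', 'On', 'Evaluation')]
        [string]$Expected = 'On'
    )

    $current = Get-SmartAppControlState
    if ($current.State -eq $Expected) {
        return $true
    }

    $rawText = if ($null -eq $current.RawValue) { 'n/a' } else { $current.RawValue }
    $message = "Smart App Control is '{0}' (raw value {1}); expected '{2}'." -f $current.State, $rawText, $Expected
    Write-Warning $message
    return $false
}

# Usage (elevated PowerShell on Windows 11):
Get-SmartAppControlState
Test-SmartAppControlState -Expected 'On'
```

The check only reads the value; it deliberately does not write it, because the supported way to change SAC mode is the Windows Security UI, and a registry write would not be honoured the same way.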
 
