- Mar 29, 2018
- 7,118
Do you use Smart App Control? Why? Why not?
Gotta have some fun, right?
Gotta have some fun, right?
Do you use Smart App Control? I know, not many of you!
- Thread starter oldschool
- Start date
- Apr 16, 2017
- 1,878
- Jan 29, 2017
- 1,201
- Mar 10, 2023
- 144
No, because I am still on Win 10 and this is a feature for Win 11 only.
Smart app control... Is this where you are intelligent and do not go on a app collecting spree?
No windows 11 for me thank you very much!
No windows 11 for me thank you very much!
I don't use it because I prefer my apps to be dumb and obedient. 
- Oct 16, 2022
- 110
Voted OTHER: using the slightly dumber but easy to customize and control sibling of SAC called ISG (Windows Defender Application Control)
I am still on Windows 10 (old desktop PC) and am using ISG (Intelligent Security Graph) which shares the same backend with SmartScreen and Smart Application Control.
When I am moving to Windows 11 (next year when I buy new CPU+Mobo) I will remain on WDAC - ISG because I can make allow exceptions on signer, hash and file/folder similar to SRP and AppLocker. Improvement of WDAC over AppLocker is that it has ISG (sort of similar to SAC). With ISG you can li decide to include or exclude dynamic code (dotNet and DLL's) and scripts
Good think about WDAC is that when you have a WINDOWS PRO version in your household, you can create a WDAC-policy for any another Windows 10 or 11 machine. I created a WDAC for my wife's Windows11 Home laptop and it works flawlessly. Microsoft released a WDAC wizard (link) to create you own policies. Anyone who has used Hard_Configurator should be able to create one.
Some tips
1. Choose signed and reputable mode
2. Create explicit (redundant) allow rule for Program Files (also x86) folders ***
3. Enable the 'boot audit on failure' AND 'advanced boot options menu' option, to prevent locking you out.
4. Include scripts (runs powershell in Constrained Language Mode, blocks mshta, msxml, vbscript, cscript, jscript and only allows a few 'safe' COM-objects)
5. Include Store Apps
WDAC like SAC works along side your third-party anti-virus, so when you add SimpleWindowsHardening to block risky file extensions in user folders, you have created a strong second safety net for your computer to be used alongside your favourite security software.
NOTE ***
2. When Core Isolation is disabled because of incompatible drivers also add Windows folder to redundant allow
I am still on Windows 10 (old desktop PC) and am using ISG (Intelligent Security Graph) which shares the same backend with SmartScreen and Smart Application Control.
When I am moving to Windows 11 (next year when I buy new CPU+Mobo) I will remain on WDAC - ISG because I can make allow exceptions on signer, hash and file/folder similar to SRP and AppLocker. Improvement of WDAC over AppLocker is that it has ISG (sort of similar to SAC). With ISG you can li decide to include or exclude dynamic code (dotNet and DLL's) and scripts
Good think about WDAC is that when you have a WINDOWS PRO version in your household, you can create a WDAC-policy for any another Windows 10 or 11 machine. I created a WDAC for my wife's Windows11 Home laptop and it works flawlessly. Microsoft released a WDAC wizard (link) to create you own policies. Anyone who has used Hard_Configurator should be able to create one.
Some tips
1. Choose signed and reputable mode
2. Create explicit (redundant) allow rule for Program Files (also x86) folders ***
3. Enable the 'boot audit on failure' AND 'advanced boot options menu' option, to prevent locking you out.
4. Include scripts (runs powershell in Constrained Language Mode, blocks mshta, msxml, vbscript, cscript, jscript and only allows a few 'safe' COM-objects)
5. Include Store Apps
WDAC like SAC works along side your third-party anti-virus, so when you add SimpleWindowsHardening to block risky file extensions in user folders, you have created a strong second safety net for your computer to be used alongside your favourite security software.
NOTE ***
2. When Core Isolation is disabled because of incompatible drivers also add Windows folder to redundant allow
Last edited by a moderator:
- Aug 12, 2015
- 967
SAC works for me most of the time. What I don't quite understand is that even today in September 2023 I still get a partial SAC block when I launch an Office 365 document such as a common .doc file. Quite daft if you ask me.
- May 13, 2017
- 2,489
Smart, give me a break, MS made signed apps mandatory and thus improved security at no cost for them, but many devs can not afford the certificate. When I hear smart, my skin crawls.
I would if I could, but there's too many software which doesn't work with it. And game mods too, like skyrim .dll based mods which are not signed.
- Sep 2, 2021
- 2,312
No, because it's disabled and I can't reactivate it... and I don't need it because I have CyberLock.
Atm I'm using it and since my system is quite static after a few annoying problems it is ok (for now).
Sadly win 11 runs not as stable as win 10 on my pc (all requirements met). So I will probably go back to win 10 till I get a new pc
Sadly win 11 runs not as stable as win 10 on my pc (all requirements met). So I will probably go back to win 10 till I get a new pc
- Mar 10, 2023
- 144
This reminds me of when they introduced DEP. I had to add gta-vc.exe to the exclusions in order to get it to run.
Btw, I am still having this game and this exclusion LMAO. And it's the only exclusion I currently have.
Probably The Definitive Edition is ok and the exclusion will now be needed, but I can't verify myself.
I hope the bad guys wouldn't see this and create a malicious EXE with the same name to bypass my setup.
- Aug 19, 2019
- 1,023
Disabled by default on my new laptop I got earlier this year. I just don't fancy having to fresh install everything and lose out on ASUS pre-installed software.
One day though...
One day though...
- Dec 23, 2014
- 8,145
I voted Other, because I must test some applications compiled by me. Otherwise, I would use SAC - it worked well in my tests.
I worth mentioning that security solutions mentioned in this thread cannot replace SAC protection.
But, it is also true that SAC will allow some digitally signed malware, that can be blocked by those security solutions.
Edit.
I am (positively) surprised that so many MalwareTips members use SAC (currently almost 20%). It is really a very good security solution at home, but surely can be improved to be more usable.
I worth mentioning that security solutions mentioned in this thread cannot replace SAC protection.
But, it is also true that SAC will allow some digitally signed malware, that can be blocked by those security solutions.
Edit.
I am (positively) surprised that so many MalwareTips members use SAC (currently almost 20%). It is really a very good security solution at home, but surely can be improved to be more usable.
Last edited:
That is really nonsense when you are hinting on WDAC - ISG
Microsoft even advises system admins to use WDAC over SAC Microsoft said:
Microsoft said:
Last edited by a moderator:
- Dec 23, 2014
- 8,145
That is really nonsense when you are hinting on WDAC - ISG
By "replaced" I did not mean worse. Both SAC and your setup "WDAC + ISG" cover slightly different attack surfaces.
"WDAC + ISG" is vulnerable to some popular attack vectors that SAC covers. These attack vectors have become more dangerous since the year 2023 due to some improvements in transferring MOTW from disk images (ISO, IMG, VHD, VHDX) to their content. Similar improvements will be applied soon to archives (7-Zip, Gz, and RAR). As we know, ISG and SmartScreen are vulnerable to the attack vector via benign/vulnerable EXE + malicious DLL, when the EXE has got MOTW. It is a very simplistic attack when EXE + DLL is contained in the disk image or archive.
SAC can be "bypassed" by some signed malware samples, that can be blocked by "WDAC + ISG".
WDAC without ISG is more comprehensive than SAC and "WDAC + ISG". So yes, Microsoft advises Administrators to use WDAC over SAC. Another reason is that SAC cannot use Managed Installer which automatically allows applications installed by a designated software distribution solution, such as Microsoft Configuration Manager (MEMCM) or Microsoft Intune. WDAC does have several convenient features for Administrators - SAC does not.
Both SAC and "WDAC + ISG" cannot be strong protection against targeted attacks and lateral movement, but can be good protection at home and small business.
The setup "WDAC + ISG" can be improved by blocking execution in folders where users download files from the Internet, and by blocking execution from removable drives.
Last edited:
- Mar 29, 2018
- 7,118
MS tells users this directly somewhere in the documentation.
Similar threads
