I noticed that people on other forums have a problem with understanding how SmartScreen works.
First, it is not generally true that if the archive has Mark OF The Web (MOTW) after downloading from the Internet, then the extracted EXE file will have MOTW too. This is not true, for example, when the file was extracted by 7-ZIP.
Furthermore, one member noticed that:
The member's conclusion ---> "looks like a bug".
- After running (from the Explorer) the downloaded file.exe, the Mark OF The Web is removed from the file by the SmartScreen.
- When running the downloaded file.exe via the command prompt, the Mark OF The Web is not removed from the file by the SmartScreen.
But, in fact it is not, because running the file.exe from the command prompt is equal to the command: cmd.exe /k file.exe. The file is run by cmd shell that does not trigger the SmartScreen. SmartScreen checks only cmd.exe and ignores file.exe. That is why the MOTW is not removed - simply the file is not checked by SmartScreen, so SmartScreen cannot remove MOTW.
If one uses the "start" command in the cmd console, then it is equal to:
cmd.exe /k start file.exe. The SmartScreen is now triggered (like from Explorer) by using the start command. In this case, the MOTW will be removed (if the file.exe is accepted by SmartScreen).
Thanks.I took the liberty of posting Andy's explanation...
Keep focused on what you need to do, if you start trying to educate the whole world, it will zap your energy.Thanks.
This topic required the correction. I like other forums too (especially WildersSecurity), because there is sometimes useful information to learn. Maybe I should open the special thread on MT about SmartScreen, if I will have some time. For now, I am too busy with testing H_C and firewall hardening tool.
This is the main reason why I post only to MT.Keep focused on what you need to do, if you start trying to educate the whole world, it will zap your energy.
@askalan @Andy Ful It's looking good and it has me thinking. Have you thought about incorporating separate pages or at least links for ConfigureDefender and RunBySmartscreen into the website? Maybe a short section on the Downloads page? This might be useful for those unwilling to take the plunge into the full H_C package?
Adding the separate links in the download section for ConfigureDefender and RunBySmartSreen seems a good idea.If I'm not mistaken, ConfigureDefender and RunBySmartscreen are included with Hard_Configurator. If you only need these two tools, then you can install Hard_Configurator, but you don't have to use it then, just what you need.
But if there is a big interest, I can do that of course. @Andy Ful
Both Chromium Edge versions install differently.Today the Canary Build had an update but I was unable to get the update with Hard_Config enabled. I tried to enable path rules for several Edge folders within the C/User/Local/Microsoft/ folder but it did not work. Must be other locations needing path rules at this point. Update successful without Hard_Config enabled.
To install Microsoft Edge Canary with active H_C, the below folder should be whitelisted:
The installation is untypical because even when the installer MicrosoftEdgeSetup.exe is "Run As SmartScreen", then the final update executable is run with standard rights anyway, So, it is blocked by SRP (can be seen via <Blocked Events / Security Logs>).
From the security reasons, it is not recommended to use the Canary builds, except when for testing purpose. To run the Canary build, the simplest method is whitelisting the application folder:
Andy,Thanks Andy for looking into the issue. I had already whitelisted these after looking further into the Edge Canary install. I will let you know how it goes.
Could you maybe post a log showing the blocks? Hopefully, a better solution can be found than whitelisting that whole temp folder.
How do you update Edge Canary? Is this automatic update?Andy,
After a couple more days of use of Edge Canary with Hard_Configurator, I have found there are three folders that must be whitelisted from SRP so that Edge Canary will successfully complete it's daily version update. Two of the folders you have mentioned previously, C:\Users\AppData\Local\Microsoft\Edge\SxS and C:\Users\AppData\Local\Microsoft\EdgeUpdate.
In my experience a third folder C:\Users\AppData\Local\Temp must also be whitelisted or Canary Edge will not complete the update process totally to a new version.
I open Canary Settings tab, click About Microsoft Edge, this starts a check for any available update. If one is present it downloads in same manner as Chrome and when it reaches 100% it calls for a restart of Edge. Without Temp folder whitelisted, update will download and run to 100% and then throw up an error page with the update failing. Whitelisted TEMP it completes successfully.How do you update Edge Canary? Is this automatic update?
Whitelisting anything into the ...\Appdata\Local\Temp would be a bad idea. It is better to temporarily switch OFF default-deny. But, the last time I installed Edge Canary, this was not required. I will check it.
As I indicated earlier, the CR_????? folder is not visible in Explorer and thus cannot be whitelisted. I am of the belief that a new CR_????? is created at the time of each update and then deleted with the reboot. I have used SRP for 12+ years and know the weakness of broad whitelisting a folder like TEMP. Simply looking for way to update safely with Hard_Conf enabled.@Andy Ful and @Reldel1 why not whitelist it like this:
That should be safe enough as few people are using Edge Canary. It's not like Chrome stable.
Edit: you could make the rule stronger, like this: