Raiden

I noticed that people on other forums have a problem understanding how SmartScreen works.
First, it is not generally true that if the archive has Mark of the Web (MOTW) after downloading from the Internet, then the extracted EXE file will have MOTW too. This is not true, for example, when the file was extracted by 7-Zip.

Furthermore, one member noticed that:
  1. After running (from Explorer) the downloaded file.exe, the Mark of the Web is removed from the file by SmartScreen.
  2. When running the downloaded file.exe via the command prompt, the Mark of the Web is not removed from the file by SmartScreen.
The member's conclusion: "looks like a bug".

But in fact it is not, because running file.exe from the command prompt is equal to the command: cmd.exe /k file.exe. The file is run by the cmd shell, which does not trigger SmartScreen. SmartScreen checks only cmd.exe and ignores file.exe. That is why the MOTW is not removed: the file is simply not checked by SmartScreen, so SmartScreen cannot remove the MOTW.

If one uses the "start" command in the cmd console, then it is equal to: cmd.exe /k start file.exe. SmartScreen is now triggered (like from Explorer) by using the start command. In this case, the MOTW will be removed (if file.exe is accepted by SmartScreen).

You may have to join said forum and set the record straight. :p
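An added example, not code from the thread: a PowerShell function that reports whether a file still carries the Mark of the Web (the Zone.Identifier alternate data stream) and which ZoneId it holds. The Downloads scan at the end uses an assumed sample location; running the function on the same file.exe before and after each launch method described above shows whether SmartScreen removed the mark.

```powershell
# Added example, not code from the thread: inspect the Mark of the Web on a file.
# MOTW is the Zone.Identifier alternate data stream; ZoneId=3 marks an Internet download.
# Check file.exe before and after launching it from Explorer, from "cmd.exe /k file.exe"
# and from "cmd.exe /k start file.exe" to see which launch path makes SmartScreen remove it.
function Get-MotwZone {
    param([Parameter(Mandatory)][string]$Path)

    $zoneNames = @{ 0 = 'LocalMachine'; 1 = 'LocalIntranet'; 2 = 'TrustedSites'; 3 = 'Internet'; 4 = 'RestrictedSites' }
    $result = [ordered]@{ Path = $Path; HasMotw = $false; ZoneId = $null; Zone = $null; HostUrl = $null }

    # Get-Item -Stream errors when the ADS is absent; treat that as "no MOTW".
    $stream = Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if ($stream) {
        $text = Get-Content -LiteralPath $Path -Stream Zone.Identifier -Raw
        $result.HasMotw = $true
        if ($text -match '(?m)^ZoneId=(\d+)') {
            $result.ZoneId = [int]$Matches[1]
            $result.Zone   = $zoneNames[$result.ZoneId]
        }
        # HostUrl is present only when the downloading browser recorded it.
        if ($text -match '(?m)^HostUrl=(\S+)') { $result.HostUrl = $Matches[1] }
    }
    [pscustomobject]$result
}

# Compare a downloaded archive with the files extracted from it (assumed sample location):
# an archive with HasMotw = True whose extracted EXEs show HasMotw = False is the 7-Zip case above.
$downloads = Join-Path $env:USERPROFILE 'Downloads'
Get-ChildItem -LiteralPath $downloads -Recurse -Include *.zip, *.exe -File |
    ForEach-Object { Get-MotwZone -Path $_.FullName } |
    Format-Table Path, HasMotw, ZoneId, Zone, HostUrl -AutoSize
```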

Andy Ful

I took the liberty of posting Andy's explanation...
Thanks. :giggle:
This topic required a correction. I like other forums too (especially WildersSecurity), because there is sometimes useful information to learn. Maybe I should open a special thread on MT about SmartScreen, if I have some time. For now, I am too busy with testing H_C and the firewall hardening tool.

shmu26

Thanks. :giggle:
This topic required a correction. I like other forums too (especially WildersSecurity), because there is sometimes useful information to learn. Maybe I should open a special thread on MT about SmartScreen, if I have some time. For now, I am too busy with testing H_C and the firewall hardening tool.
Keep focused on what you need to do; if you start trying to educate the whole world, it will zap your energy.

Andy Ful

Keep focused on what you need to do; if you start trying to educate the whole world, it will zap your energy.
This is the main reason why I post only to MT.
My explanation can easily be tested by running an EXE file that triggers SmartScreen and using the commands I posted (do not bypass SmartScreen while testing). I think this can be useful for some readers who use SmartScreen. :giggle:

askalan

@askalan @Andy Ful It's looking good and it has me thinking. Have you thought about incorporating separate pages or at least links for ConfigureDefender and RunBySmartscreen into the website? Maybe a short section on the Downloads page? This might be useful for those unwilling to take the plunge into the full H_C package? :unsure:

If I'm not mistaken, ConfigureDefender and RunBySmartscreen are included with Hard_Configurator. If you only need these two tools, then you can install Hard_Configurator, but you don't have to use it then; just use what you need.

But if there is big interest, I can of course do that. @Andy Ful

Andy Ful

If I'm not mistaken, ConfigureDefender and RunBySmartscreen are included with Hard_Configurator. If you only need these two tools, then you can install Hard_Configurator, but you don't have to use it then; just use what you need.

But if there is big interest, I can of course do that. @Andy Ful
Adding separate links in the download section for ConfigureDefender and RunBySmartScreen seems a good idea.
Link for RunBySmartScreen:
AndyFul/Run-By-Smartscreen
Links for ConfigureDefender:
Download ConfigureDefender - MajorGeeks
Download ConfigureDefender 2.0.0.0
AndyFul/ConfigureDefender

(y)

Andy Ful

From another thread:
Today the Canary Build had an update but I was unable to get the update with Hard_Config enabled. I tried to enable path rules for several Edge folders within the C/User/Local/Microsoft/ folder but it did not work. Must be other locations needing path rules at this point. Update successful without Hard_Config enabled.
Both Chromium Edge versions install differently.
Microsoft Edge Canary installs in user space:
C:\Users\Admin\AppData\Local\Microsoft\Edge SxS\Application\msedge.exe
Microsoft Edge Dev installs in system space:
C:\Program Files (x86)\Microsoft\Edge Dev\Application\msedge.exe

To install Microsoft Edge Canary with active H_C, the below folder should be whitelisted:
C:\Users\your_user_name\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
The installation is atypical because even when the installer MicrosoftEdgeSetup.exe is "Run As SmartScreen", the final update executable is run with standard rights anyway, so it is blocked by SRP (can be seen via <Blocked Events / Security Logs>).
For security reasons, it is not recommended to use the Canary builds, except for testing purposes. To run the Canary build, the simplest method is whitelisting the application folder:
C:\Users\your_user_name\AppData\Local\Microsoft\Edge SxS\Application

It is recommended to use the Dev compilation. The installation of Microsoft Edge Dev is pretty standard. Also, no whitelisting is required to run it. We will see how Chromium Edge will update itself.

Reldel1

To install Microsoft Edge Canary with active H_C, the below folder should be whitelisted:
C:\Users\Admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
The installation is atypical because even when the installer MicrosoftEdgeSetup.exe is "Run As SmartScreen", the final update executable is run with standard rights anyway, so it is blocked by SRP (can be seen via <Blocked Events / Security Logs>).
For security reasons, it is not recommended to use the Canary builds, except for testing purposes. To run the Canary build, the simplest method is whitelisting the application folder:
C:\Users\Admin\AppData\Local\Microsoft\Edge SxS\Application

Thanks Andy for looking into the issue. I had already whitelisted these after looking further into the Edge Canary install. I will let you know how it goes.

Reldel1

Thanks Andy for looking into the issue. I had already whitelisted these after looking further into the Edge Canary install. I will let you know how it goes.
Andy,
After a couple more days of use of Edge Canary with Hard_Configurator, I have found there are three folders that must be whitelisted from SRP so that Edge Canary will successfully complete its daily version update. Two of the folders you mentioned previously: C:\Users\AppData\Local\Microsoft\Edge\SxS and C:\Users\AppData\Local\Microsoft\EdgeUpdate.

In my experience, a third folder, C:\Users\AppData\Local\Temp, must also be whitelisted, or Canary Edge will not fully complete the update process to a new version.

Reldel1

Could you maybe post a log showing the blocks? Hopefully, a better solution can be found than whitelisting that whole temp folder.

Shmu26, here are the temp log events. FYI, the specific temp sub-folders are not visible within Explorer. I'm too early in my Canary Edge experience to be certain, but I believe a new CR_ subfolder is used with each update, and thus whitelisting may not be possible at that level. I believe the temp folder is deleted after the update completes. Just a hypothesis at this point.

Event Time Record ID Event ID Level Channel Provider Description Opcode Task Keywords Process ID Thread ID Computer User
4/12/2019 6:54:32 AM.483 637 865 Warning Application Microsoft-Windows-SoftwareRestrictionPolicies Access to C:\Users\relde\AppData\Local\Temp\CR_5B2E1.tmp\setup.exe has been restricted by your Administrator by the default software restriction policy level. 0x8000000000000000 12868 10208 DESKTOP-HSDO7FL DESKTOP-HSDO7FL\relde
4/12/2019 6:54:22 AM.276 636 865 Warning Application Microsoft-Windows-SoftwareRestrictionPolicies Access to C:\Users\relde\AppData\Local\Temp\CR_A801A.tmp\setup.exe has been restricted by your Administrator by the default software restriction policy level. 0x8000000000000000 11460 8948 DESKTOP-HSDO7FL DESKTOP-HSDO7FL\relde
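An added example, not code from the thread or from Hard_Configurator: a PowerShell snippet that extracts the blocked paths from SRP event ID 865 messages like the two above (the sample messages are constructed from the posted events; without them it reads the live Application log) and checks which candidate path rules would cover those paths, so the whitelist can stay far narrower than all of ...\AppData\Local\Temp. PowerShell's -like wildcards are assumed here to approximate SRP's path-rule matching of * and ?.

```powershell
# Added example, not code from the thread: find what SRP actually blocked and test candidate rules.
function Get-SrpBlockedPaths {
    param([string[]]$Messages)   # if omitted, read live events from the Application log
    if (-not $Messages) {
        $Messages = Get-WinEvent -FilterHashtable @{
            LogName      = 'Application'
            ProviderName = 'Microsoft-Windows-SoftwareRestrictionPolicies'
            Id           = 865
        } -ErrorAction SilentlyContinue | ForEach-Object Message
    }
    foreach ($m in $Messages) {
        # Event 865 text: "Access to <path> has been restricted by your Administrator ..."
        if ($m -match '^Access to (?<path>.+?) has been restricted by your Administrator') {
            $Matches.path
        }
    }
}

function Test-SrpRuleCoverage {
    param([string[]]$BlockedPaths, [string[]]$Rules)
    foreach ($rule in $Rules) {
        # -like treats * and ? like SRP path rules do (assumption; confirm against your policy).
        $covered = @($BlockedPaths | Where-Object { $_ -like $rule })
        [pscustomobject]@{ Rule = $rule; Covered = $covered.Count; Total = $BlockedPaths.Count }
    }
}

# Sample messages constructed from the two events posted above.
$sample = @(
    'Access to C:\Users\relde\AppData\Local\Temp\CR_5B2E1.tmp\setup.exe has been restricted by your Administrator by the default software restriction policy level.',
    'Access to C:\Users\relde\AppData\Local\Temp\CR_A801A.tmp\setup.exe has been restricted by your Administrator by the default software restriction policy level.'
)
$paths = Get-SrpBlockedPaths -Messages $sample

# Narrowest rule first; the last one is the "whitelist all of Temp" option being argued against.
Test-SrpRuleCoverage -BlockedPaths $paths -Rules @(
    'C:\Users\*\AppData\Local\Temp\CR_?????.tmp\setup.exe',
    'C:\Users\*\AppData\Local\Temp\CR_*.tmp\setup.exe',
    'C:\Users\*\AppData\Local\Temp\*'
) | Format-Table -AutoSize
```

Even the narrowest rule still allows any setup.exe dropped into a matching CR_xxxxx.tmp folder, so the blocked-events check above is worth repeating after each Canary update to confirm no broader rule crept in.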

Andy Ful

Andy,
After a couple more days of use of Edge Canary with Hard_Configurator, I have found there are three folders that must be whitelisted from SRP so that Edge Canary will successfully complete its daily version update. Two of the folders you mentioned previously: C:\Users\AppData\Local\Microsoft\Edge\SxS and C:\Users\AppData\Local\Microsoft\EdgeUpdate.

In my experience, a third folder, C:\Users\AppData\Local\Temp, must also be whitelisted, or Canary Edge will not fully complete the update process to a new version.
How do you update Edge Canary? Is this an automatic update?

Edit.
Whitelisting anything inside ...\Appdata\Local\Temp would be a bad idea. It is better to temporarily switch OFF default-deny. But the last time I installed Edge Canary, this was not required. I will check it.

Reldel1

How do you update Edge Canary? Is this an automatic update?

Edit.
Whitelisting anything inside ...\Appdata\Local\Temp would be a bad idea. It is better to temporarily switch OFF default-deny. But the last time I installed Edge Canary, this was not required. I will check it.
I open the Canary Settings tab and click About Microsoft Edge; this starts a check for any available update. If one is present, it downloads in the same manner as Chrome, and when it reaches 100% it calls for a restart of Edge. Without the Temp folder whitelisted, the update will download and run to 100% and then throw up an error page with the update failing. With TEMP whitelisted, it completes successfully.

shmu26

@Andy Ful and @Reldel1 why not whitelist it like this:
C:\Users\*\AppData\Local\Temp\CR_*.tmp\setup.exe

That should be safe enough as few people are using Edge Canary. It's not like Chrome stable. :)

Edit: you could make the rule stronger, like this:
C:\Users\*\AppData\Local\Temp\CR_?????.tmp\setup.exe

Reldel1

@Andy Ful and @Reldel1 why not whitelist it like this:
C:\Users\*\AppData\Local\Temp\CR_*.tmp\setup.exe

That should be safe enough as few people are using Edge Canary. It's not like Chrome stable. :)

Edit: you could make the rule stronger, like this:
C:\Users\*\AppData\Local\Temp\CR_?????.tmp\setup.exe
As I indicated earlier, the CR_????? folder is not visible in Explorer and thus cannot be whitelisted. I am of the belief that a new CR_????? is created at the time of each update and then deleted with the reboot. I have used SRP for 12+ years and know the weakness of broad whitelisting a folder like TEMP. Simply looking for way to update safely with Hard_Conf enabled.