I thought that the main issue of the setup based on WD Application Guard + "Trust apps with good reputation" feature, would be the lack of whitelisting in the UserSpace....
In fact, this setup is very similar to the idea I had before creating H_C based on SRP.
There are some differences as compared to the current version of H_C:
- No need to use the right-click Explorer context menu to check if the program is safe and next run the program.
- "Trust apps with good reputation" checks all applications (EXE, MSI) and loaded DLLs in the UserSpace, also those which were not downloaded from the Internet.
- "Trust apps with good reputation" is different from SmartScreen. Some applications can be accepted by SmartScreen but blocked by "Trust apps with good reputation", and vice versa.
- Windows Script Host scripting is restricted, as compared to SRP where it is blocked.
- The protection cannot be bypassed by the user when using "Run as administrator" or elevated shell (elevated CMD, elevated PowerShell, elevated Total Commander, etc.).
- The protection can be bypassed if the file triggered the SmartScreen check and was accepted by SmartScreen or the user bypassed the SmartScreen alert.
It also means that the protection can be bypassed by the user when using RunBySmartScreen, while in SRP the "Run as administrator" or "Run As SmartScreen" must be used.
- Blocked programs and DLLs cannot be whitelisted in UserSpace.
But, it seems that after a few-days of bypassing this protection via forced SmartScreen (see point 6. above), Windows Defender learns (locally) that application is safe, and it can be run normally without blocking by Application Guard. This is usually limited to a particular computer until the application will gain sufficient reputation to be accepted as safe in the cloud.
Applying the above WD Application Guard policies on Windows Home ver. 1903 is very simple. The predefined file SIPolicy.p7b has to be copied with admin rights into the folder C:\Windows\System32\CodeIntegrity, and the computer must be rebooted.
If the user wants to unload the policies, then the file SIPolicy.p7b can be simply renamed or removed and the computer rebooted.