Tiamati

Level 3
Ty @Andy Ful. As @oldschool once said:

@Andy Ful offers the best customer service in the industry. :D
I'll make those changes and test.

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts
which is not whitelisted by default in H_C.(y)
The shortcut was there indeed. Strangely, I've set only one profile for Brave! ¯\_(ツ)_/¯
 

Tiamati

Level 3
When the user applied H_C's Allow EXE setup, the SmartScreen check can be done via 'Run By SmartScreen' option on the Explorer right-click context menu. This option allows checking and opening any file which is located in an untrusted location
That is what I've been doing with the default recommended settings. It's only annoying when I forget it and try to run directly through the "download" tab of the browser. So SRP blocks it and I have to find the file directly in Explorer, then right-click and choose "Run By SmartScreen". When I face a file that I have to use constantly - like Emsisoft Emergency Scanner.exe - I'm whitelisting it by path.


"Run By SmartScreen" will show the alert with some instructions and two buttons <Cancel> and <Run anyway>:
This advice would be shown only with the default recommended settings and if the file was hijacked? For example, if I allow .exe and .tmp in the whitelist, would that message still be shown in the mentioned case?

Do not run the initial EXE file without using 'Run By SmartScreen', until you are sure that these DLL files are clean.
@Andy Ful. Sometimes, when I find a suspicious .dll, I try to run it through VirusTotal.com and if it's free, I usually trust it. Anyway, this week I tried to open a dll with JetBrains dotPeek and check what was inside. The problem is that I could not understand 99% of the language hahah
Any tips about this matter?
 

Andy Ful

Level 49
Verified
Trusted
Content Creator
That is what I've been doing with the default recommended settings. It's only annoying when I forget it and try to run directly through the "download" tab of the browser. So SRP blocks it and I have to find the file directly in Explorer, then right-click and choose "Run By SmartScreen". When I face a file that I have to use constantly - like Emsisoft Emergency Scanner.exe - I'm whitelisting it by path.
I use "Open file location" from the web browser and then "Run As SmartScreen" - that is probably what you do, too.
In H_C's Recommended Settings, you do not use "Run By SmartScreen" but "Run As SmartScreen". For "Run As SmartScreen" there will be another alert. I will post about it later.

For example, if I allow .exe and .tmp in the whitelist, would that message still be shown in the mentioned case?
This alert was exactly for the Allow EXE and TMP case.(y):giggle:

Sometimes, when I find a suspicious .dll, I try to run it through VirusTotal.com and if it's free, I usually trust it. Anyway, this week I tried to open a dll with JetBrains dotPeek and check what was inside. The problem is that I could not understand 99% of the language hahah
Any tips about this matter?
In most cases, when it was an email attachment or something similarly suspicious, there is no need to investigate. Just delete it.
You can also pack all files located in the suspicious folder, or take the unpacked email attachment, and send it to online analysis. I often use any.run (requires registration: Interactive Online Malware Analysis Sandbox - ANY.RUN).

Andy Ful

Level 49
Verified
Trusted
Content Creator
RunAsSmartScreen and DLL hijacking.

The purpose of using "Run As SmartScreen" is slightly different from "Run By SmartScreen". The second is intended for opening/running all files which are located in an unsafe location (like USB drives, Download folder, etc.). The first is intended for:
  • safely running the EXE or MSI installers which are located in unsafe locations,
  • running already installed applications to update them without turning off the H_C default-deny protection,
  • running Windows administrative tools with admin rights.
So, "Run As SmartScreen" is prepared to work with the default-deny setup (EXE not allowed) and "Run By SmartScreen" works with "Allow EXE and TMP".

The "Run As SmartScreen" will automatically allow EXE files from whitelisted locations and will show the below alert in the case of detected DLLs:

"This file cannot be Run As SmartScreen from the current location. One or more DLL files are in the same location, and this can bypass SmartScreen via DLL hijacking.
The file will be executed from another location, without loading the DLL files from the current location.

Warning.
Do not run this file from the current location without using 'Run As SmartScreen' or 'Run By SmartScreen', until you are sure that DLL files in the current location are clean. Please note that they can often be hidden, except when Windows Explorer is set to show hidden files.
"

Andy Ful

Level 49
Verified
Trusted
Content Creator
"Run As SmartScreen" is intended for the H_C default-deny setup to run:
  • EXE or MSI installers which are located in unsafe (not whitelisted) locations,
  • already installed applications to update them without turning off the H_C default-deny protection,
  • Windows administrative tools with admin rights.
"Run By SmartScreen" is intended for the H_C Allow EXE and TMP setup (for example when the Windows_10_MT_Windows_Security_hardening profile is used) or an unrestricted setup (no SRP). It allows safely opening/running any file located in unsafe locations (USB drives, Download folder, etc.).
It can also be used as a standalone application to apply on-demand forced SmartScreen.

shmu26

Level 83
Verified
Trusted
Content Creator
"Run As SmartScreen" is intended for the H_C default-deny setup to run:
  • EXE or MSI installers which are located in unsafe (not whitelisted) locations,
  • already installed applications to update them without turning on the H_C default-deny protection,
  • Windows administrative tools with admin rights.
"Run By SmartScreen" is intended for the H_C Allow EXE and TMP setup (for example when Windows_10_MT_Windows_Security_hardening profile is used) or unrestricted setup (no SRP). It allows opening/running safely any file located in unsafe locations (USB drives, Download folder, etc.).
It can be also used as a standalone application to apply on-demand forced SmartScreen.
How do I access "run by smartscreen"?

You wrote:
"already installed applications to update them without turning on the H_C default-deny protection, "
but I think you meant to say:
without turning off the H_C default-deny protection

Correct?
 

Andy Ful

Level 49
Verified
Trusted
Content Creator
How do I access "run by smartscreen"?

You wrote:
"already installed applications to update them without turning on the H_C default-deny protection, "
but I think you meant to say:
without turning off the H_C default-deny protection

Correct?
Thanks - post corrected.:giggle:
Set <Run As SmartScreen> = Standard User.
See also, the help for H_C option <Run As SmartScreen>. (y)

Post edited.

Andy Ful

Level 49
Verified
Trusted
Content Creator
RunBySmartScreen and DLL hijacking.

When the user applied H_C's Allow EXE setup, the SmartScreen check can be done via 'Run By SmartScreen' option on the Explorer right-click context menu. This option allows checking and opening any file which is located in an untrusted location (like USB drive, Download folder, etc.), without knowing if the file is a photo, document, video clip, script, shortcut, or executable.
Suppose now that the user wants to check the file, and it happened to be the LegalApp.exe with hijacked DLL. Then in the new H_C version, using "Run By SmartScreen" will show the alert with some instructions and two buttons <Cancel> and <Run anyway>:

"This is an executable EXE file (*.exe) - it cannot be Run By SmartScreen from the current location. One or more DLL files are in the same location, and this can bypass SmartScreen via DLL hijacking.

Press the <Cancel> button if you are not sure what to do. Next, check if all the DLL files are clean and necessary in the current location. Please note that they can often be hidden, except when Windows Explorer is set to show hidden files. Do not run the initial EXE file without using 'Run By SmartScreen', until you are sure that these DLL files are clean.

Press the <Run anyway> button only if you are sure that the initial EXE file is a standalone application installer or portable application executable. The file will be executed from another location, without loading the DLL files from the current location."


Please let me know if something can be improved in the alert text.:giggle:
I am still not sure about the text of the alert. Maybe the below will be better?

"This is an executable EXE file (*.exe) and it should not be run from the current location.
SmartScreen can be bypassed here, because some DLL files have been found in the same location.

Press the <Cancel> button if you are not sure what to do. This will cancel the file execution and these DLLs will not execute either.

Press the <Run anyway> button to run the file from the safe location while skipping these DLLs. Please note that the file will execute successfully only if it is an application installer or portable application.

Warning.
Do not run any file from the current location without using 'Run By SmartScreen' until you are sure that these DLLs are clean. Please note that they can often be hidden, except when Windows Explorer is set to show hidden files.
"
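The alert above asks the user to do two things by hand: look for DLLs (hidden ones included) sitting beside the EXE, and, if the file is trusted anyway, run it from a different folder so those DLLs are not loaded. The PowerShell below is an added illustration of that check and is not Hard_Configurator's own code; the function names, the report fields and the Downloads path in the usage comment are this example's assumptions. It reports every DLL in the EXE's folder with its hidden flag, Authenticode status and SHA-256 (the values one would paste into VirusTotal or a sandbox), checks whether the EXE still carries the Zone.Identifier mark-of-the-web that SmartScreen relies on, and can stage a copy of the EXE alone in a fresh temp folder while preserving that mark.

```powershell
# Added example (not Hard_Configurator's code): report the DLL-sideloading exposure
# of an EXE before deciding whether to run it from its current folder.
function Get-DllSideloadReport {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$ExePath)

    $exe = Get-Item -LiteralPath $ExePath -Force
    if ($exe.Extension -ne '.exe') { throw "Not an EXE file: $ExePath" }
    $dir = $exe.DirectoryName

    # -Force includes hidden and system files: planted DLLs are often hidden,
    # so an Explorer view without "show hidden files" would miss them.
    $dlls = Get-ChildItem -LiteralPath $dir -Filter '*.dll' -File -Force

    $dllInfo = foreach ($d in $dlls) {
        $sig = Get-AuthenticodeSignature -LiteralPath $d.FullName
        [pscustomobject]@{
            Name      = $d.Name
            Hidden    = [bool]($d.Attributes -band [IO.FileAttributes]::Hidden)
            SizeBytes = $d.Length
            Modified  = $d.LastWriteTime
            Signature = $sig.Status      # Valid, NotSigned, HashMismatch, UnknownError ...
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            Sha256    = (Get-FileHash -LiteralPath $d.FullName -Algorithm SHA256).Hash
        }
    }

    # Mark-of-the-Web: SmartScreen only evaluates files that carry a Zone.Identifier
    # alternate data stream (ZoneId=3 is the Internet zone). No stream, no SmartScreen check.
    $zone = $null
    try {
        $zoneText = Get-Content -LiteralPath $exe.FullName -Stream Zone.Identifier -ErrorAction Stop
        foreach ($line in $zoneText) {
            if ($line -match '^ZoneId=(\d+)\s*$') { $zone = [int]$Matches[1] }
        }
    } catch { $zone = $null }

    $exeSig = Get-AuthenticodeSignature -LiteralPath $exe.FullName

    [pscustomobject]@{
        Exe            = $exe.FullName
        ExeSignature   = $exeSig.Status
        ZoneId         = $zone
        HasMotW        = ($null -ne $zone)
        DllCount       = @($dllInfo).Count
        HiddenDllCount = @($dllInfo | Where-Object Hidden).Count
        UnsignedDlls   = @($dllInfo | Where-Object { $_.Signature -ne 'Valid' }).Count
        Verdict        = if (@($dllInfo).Count -eq 0) { 'No DLLs beside the EXE' }
                         else { 'DLLs present: check each one, or run the EXE from a clean folder' }
        Dlls           = $dllInfo
    }
}

# Stage only the EXE in a new, empty temp folder so nothing beside it can be
# side-loaded, keeping the Zone.Identifier stream so SmartScreen still evaluates the copy.
function Copy-ExeToCleanFolder {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$ExePath)

    $exe  = Get-Item -LiteralPath $ExePath -Force
    $dest = Join-Path $env:TEMP ('clean-run-' + [guid]::NewGuid().ToString('N'))
    New-Item -ItemType Directory -Path $dest | Out-Null
    $target = Join-Path $dest $exe.Name
    Copy-Item -LiteralPath $exe.FullName -Destination $target

    # Re-apply the mark-of-the-web explicitly rather than relying on the copy keeping it.
    try {
        $z = Get-Content -LiteralPath $exe.FullName -Stream Zone.Identifier -ErrorAction Stop
        Set-Content -LiteralPath $target -Stream Zone.Identifier -Value $z
    } catch { }
    return $target
}

# Usage (constructed path; adjust to the file you want to inspect):
# $r = Get-DllSideloadReport -ExePath "$env:USERPROFILE\Downloads\LegalApp.exe"
# $r | Format-List Exe, ExeSignature, HasMotW, DllCount, HiddenDllCount, UnsignedDlls, Verdict
# $r.Dlls | Format-Table Name, Hidden, Signature, Sha256
# Copy-ExeToCleanFolder -ExePath $r.Exe   # returns the path of the staged copy
```

A DLL that is unsigned or hidden next to a signed installer is the case the alert is about; a DLL whose signer matches the EXE's signer is usually a legitimate dependency, which also means the EXE may not run from the clean folder unless it is a standalone installer or portable build, exactly as the alert text says.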
 

shmu26

Level 83
Verified
Trusted
Content Creator
Thanks - post corrected.:giggle:
Set <Run As SmartScreen> = Basic User.
See also, the help for H_C option <Run As SmartScreen>. (y)
Thanks. I think you mean <Run As SmartScreen> = Standard User
Correct?

If I understand right, changing <Run As SmartScreen> to the "standard user" setting will change it to run BY smartscreen. And the difference is that run BY smartscreen does not automatically elevate privileges. Please correct if I am wrong.
 

Andy Ful

Level 49
Verified
Trusted
Content Creator
Thanks. I think you mean <Run As SmartScreen> = Standard User
Correct?

If I understand right, changing <Run As SmartScreen> to the "standard user" setting will change it to run BY smartscreen. And the difference is that run BY smartscreen does not automatically elevate privileges. Please correct if I am wrong.
Ha, ha. Yes, the correct name is "Standard User".:giggle:

Both "Run As SmartScreen" and "Run By SmartScreen" cannot automatically elevate privileges. "Run As SmartScreen" can only allow the user to run the executable elevated via UAC prompt. The UAC prompt is caused by the elevation request.

"Run By SmartScreen" cannot force the executable to request the elevation of privileges, but the executable can still request it via the proper entry in the manifest. Yet, the file execution and this request will be blocked by SRP in the H_C default-deny setup (no UAC prompt).

"Run As SmartScreen" forces any executable to request elevation and this request will bypass SRP (the user will see the UAC prompt).

In my opinion, there is another important difference between "Run By SmartScreen" and "Run As SmartScreen". The first is intended to open/run all files in unsafe locations. The user does not have to think about what file type is going to be opened. If it is a photo, then it will be opened without any alert. If it is a script, then it will be blocked with alert. If it is a native executable or MSI installer, then it will be blocked or allowed to run depending on the SmartScreen check. If it is an Office document, then the alert with some instructions will be displayed and the user will be able to open the file.
"Run By SmartScreen" can alert/block in this way over 250 file types (unsafe file types), the rest are allowed to open without any alert (safe file types).

Andy Ful

Level 49
Verified
Trusted
Content Creator
So most installers will fail, correct? What's the recommended way to run installers in a default-deny setup with EXE and TMP allowed?
They will fail in the default-deny setup (not in the Allow EXE and TMP setup) if not executed via "Run As SmartScreen" - that is the idea of default-deny.
That is also why in default-deny setup the "Run As SmartScreen" is used by default, which allows the user to safely bypass SRP and run the installer with elevated privileges.

In Allow EXE and TMP setup, the EXE installers are allowed (won't be blocked). The MSI installers will be still blocked, but they can be run via "Run As Administrator" option available on the Explorer context menu.

shmu26

Level 83
Verified
Trusted
Content Creator
They will fail in default-deny setup (not in Allow EXE and TMP setup) if not executed via "Run As SmartScreen" - that is an idea of default-deny.
That is also why in default-deny setup the "Run As SmartScreen" is used by default, which allows the user to safely bypass SRP and run the installer with elevated privileges.

In Allow EXE and TMP setup, the EXE installers are allowed. The MSI installers will be still blocked, but they can be run via "Run As Administrator" option available on the Explorer context menu.
Yup, it works like you said. No prob.
 

Tiamati

Level 3
"This is an executable EXE file (*.exe) and it should not be run from the current location.
SmartScreen can be bypassed here, because some DLL files have been found in the same location.

Press the <Cancel> button if you are not sure what to do. This will cancel the file execution and these DLLs will not execute either.

Press the <Run anyway> button to run the file from the safe location while skipping these DLLs. Please note that the file will execute successfully only if it is an application installer or portable application.

Warning.
Do not run any file from the current location without using 'Run By SmartScreen' until you are sure that these DLLs are clean. Please note that they can often be hidden, except when Windows Explorer is set to show hidden files.
"
I'm not a native English speaker and was able to understand it fully, so I liked it!

until you are sure that these DLLs are clean.
Maybe someone in the forum could make a guide here explaining some ways to check if a dll is clean. I've been using VirusTotal and that site you linked the other day, @Andy Ful, but I'm not sure how to use the latter. There are other options like Hybrid Analysis that seem to do a good job too. Idk how to use them exactly, so maybe a guide would be as useful for me as for other people on that matter. Later, the link to the guide could be added to the alert. It's just an idea.

"Run By SmartScreen" cannot force the executable to request the elevation of privileges, but the executable can still request it via the proper entry in the manifest. Yet, the file execution and this request will be blocked by SRP in the H_C default-deny setup (no UAC prompt).

"Run As SmartScreen" forces any executable to request elevation and this request will bypass SRP (the user will see the UAC prompt).
Maybe changing the name or adding a code in front of the option could help to identify the difference. Like Run By SmartScreen (RbS) and Run As SmartScreen (RaS)
 

floalma

Level 3
Verified
You said
"Run As SmartScreen" is intended for the H_C default-deny setup to run:
EXE or MSI installers which are located in unsafe (not whitelisted) locations.

Are these the same unsafe locations that you specified for "Run By SmartScreen"?

'Run As SmartScreen' - is it like you force it to run with a UAC prompt? Is it more or less secure than 'Run By SmartScreen'? So depending on the H_C setup, either 'Default Deny' or 'Allow', we choose 'Run As SmartScreen' or 'Run By SmartScreen', right?
 

Andy Ful

Level 49
Verified
Trusted
Content Creator
You said
"Run As SmartScreen" is intended for the H_C default-deny setup to run:
EXE or MSI installers which are located in unsafe (not whitelisted) locations.

Are these the same unsafe locations that you specified for "Run By SmartScreen"?

'Run As SmartScreen' - is it like you force it to run with a UAC prompt? Is it more or less secure than 'Run By SmartScreen'? So depending on the H_C setup, either 'Default Deny' or 'Allow', we choose 'Run As SmartScreen' or 'Run By SmartScreen', right?
Both "Run As SmartScreen" and "Run By SmartScreen" are parts of different H_C setups. One cannot be simply replaced by another. So, they should not be compared. If you had to do it, then using the "Run By SmartScreen" would be safer. But, then you could not install/update anything from the UserSpace in the H_C default deny setup (all would be blocked by SRP).(y)

shmu26

Level 83
Verified
Trusted
Content Creator
But, then you could not install/update anything from the UserSpace in the H_C default deny setup (all would be blocked by SRP)
I am confused about the exact definition of "H_C default deny setup". I remember a time when we were saying that "allow EXE and TMP" is a variation of default/deny. But it seems that now we are calling such a setup "default allow". Correct?