App Review Microsoft Defender Antivirus + Windows 11 Smart App Control (SAC)

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
Content created by
Shadowra
ZoneAlarm (paid version only), Bitdefender (both free and paid versions) and Eset :)
Wow! That was the last thing I expected you to say.

I thought people here at MWT thought ZoneAlarm was trash...

Can you expound on why ZoneAlarm has gained your attention, and what version of ZoneAlarm you recommend? I don't mind paying for a good product.
 
CheckPoint has improved its ability to detect unknown malware and has integrated engines that were previously reserved for the Enterprise version (the version I use, by the way :) ).

In my last test, ZoneAlarm rendered a machine totally clean :) The Sophos engine can be a nuisance, but as it integrates emulation systems + Cloud/ML, Sophos is not a nuisance.

As for the version, go for the most complete version, which is NextGen Extreme Security. The free version is useless and I haven't tested the other versions.
 
Thank you for sharing info and time with me.
 
Yes. SAC will block some files (like LNK shortcuts) if they originate from the Internet Zone and will not block the same files when dropped/created locally.
So, mainly the malicious shortcut will be blocked as an initial attack vector, but will not be blocked when used in lateral movement or as a persistence method.
The EXE, DLL, and MSI files are blocked by SAC independently of MotW.
SAC is blocking a shortcut on the desktop for an MP4 file downloaded inside a folder; in order to play the file from the desktop, I had to unblock the file from Properties to remove MOTW.

The same scenario could undermine the protection provided by SAC: the user sees a shortcut to a PDF file with an Adobe icon, thinks it is just a legitimate file (such as the MP4 file in my case), unblocks it, and then SAC will let it run.
 
We are not talking about the multiverse entity called Webroot


The one everyone is afraid to ask for...

Panda VS Webroot. Default settings, premium product, newest version.

It reminds me of the "King of Beers"... It will be the test of the century... Might even appear on the front page of the Times... It's that big.
 
SAC is blocking a shortcut on the desktop for an MP4 file downloaded inside a folder; in order to play the file from the desktop, I had to unblock the file from Properties to remove MOTW.

Yes and No.
Removing MOTW by the user is probably as rare as turning off the AV real-time protection. It is also as dangerous as turning off the AV real-time protection.

The files blocked by SAC via MOTW are mainly malware, except when the user intentionally downloads scripts for some reason. Such users should be knowledgeable enough to know the danger. They should also know that safe file types are not blocked by SAC via MOTW.

Average users (even many MT members) do not realize that such blocks are related to SAC and can be unblocked. The SAC's MOTW-related blocks are rare compared to other SAC blocks (EXE and DLL files, which cannot be unblocked because they do not depend on MOTW).
 
SAC is not "smart"; it blocks an MP4 file's desktop shortcut just for having MOTW (downloaded from the internet).

It does not have to be smart for LNK files. If you download something that contains a shortcut that mimics an MP4 file, then this is most probably malware.
 
It does not; but the file for which the shortcut is created has MOTW; that is why I call SAC "not smart".

In your example, the shortcut is not a problem - it is not blocked by SAC.
If the file opened by a shortcut were an MP4 with MOTW, it also would not be blocked by SAC.


I was wrong. SAC has a bug. Confirmed in my next post.
 
Running the downloaded MP4 file directly is okay for SAC, but when I try to run it through a shortcut I created on the desktop, it gets blocked by SAC.
The only way to run the MP4 file from the desktop shortcut is to manually remove MOTW by "unblock" from file properties.
SAC is not smart as it blocks all shortcuts of any downloaded file (with MOTW), even if it is not a common malicious vector.
 
You are right. SAC blocks shortcuts (even with no MOTW) when the target file has got MOTW. The target file can be anything, also plain TXT. (y)

This is probably a bug. Shortcuts are usually created by users for executables (EXE files), and SAC manages EXE files without using MOTW. Shortcuts are often created during the application installations, but then the targets have no MOTW.
Microsoft overlooked the possibility that one may want to create shortcuts to files downloaded from the Internet.
 
For now, the solution is creating a shortcut to the folder with files downloaded from the Internet (media files, documents, etc.).
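
To see which shortcuts fall into the case discussed above (a shortcut with no MOTW whose target file carries MOTW), the following PowerShell sketch lists each shortcut in a folder with the zone of the shortcut and of its target. It is an added example, not code from the thread; the function names and the default Desktop folder are illustrative assumptions.

```powershell
# Added example: report MOTW (Zone.Identifier) state for shortcuts and their targets.
# Function names and the default folder are illustrative choices.

function Get-MotwZone {
    param([Parameter(Mandatory)][string]$Path)
    # MOTW is stored in the NTFS alternate data stream "Zone.Identifier".
    $lines = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $lines) { return $null }   # no stream present: file has no MOTW
    foreach ($line in $lines) {
        # ZoneId=3 is the Internet zone.
        if ($line -match '^\s*ZoneId\s*=\s*(\d+)') { return [int]$Matches[1] }
    }
    return $null
}

function Get-ShortcutMotwReport {
    param([string]$Folder = [Environment]::GetFolderPath('Desktop'))
    $shell = New-Object -ComObject WScript.Shell
    Get-ChildItem -LiteralPath $Folder -Filter *.lnk -File | ForEach-Object {
        # Resolve the file the shortcut points at (empty for non-file targets).
        $target = $shell.CreateShortcut($_.FullName).TargetPath
        $targetZone = $null
        if ($target -and (Test-Path -LiteralPath $target -PathType Leaf)) {
            $targetZone = Get-MotwZone -Path $target
        }
        $lnkZone = Get-MotwZone -Path $_.FullName
        [pscustomobject]@{
            Shortcut     = $_.Name
            ShortcutZone = $lnkZone
            Target       = $target
            TargetZone   = $targetZone
            # Case reported in the thread: locally created shortcut, target carries MOTW.
            LocalLnkToMarkedTarget = ($null -eq $lnkZone) -and ($null -ne $targetZone)
        }
    }
}

Get-ShortcutMotwReport | Format-Table -AutoSize
```

The script only reads the streams; it does not remove MOTW from any file.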