App Review Microsoft Defender (Config MAX) + Smart App Control

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
Content created by Shadowra
Hello and welcome to this test!
Today we are going to test Microsoft Defender, but not by default!
We use ConfigureDefender developed by @Andy Ful to set Microsoft Defender to maximum.
We also activate Smart Application Control of Windows 11.

=> SAC (Smart App Control) is a new system that will automatically block applications that are considered untrustworthy or potentially malicious.



The protection provided is very good.
On the Web, with or without Edge, Microsoft Defender blocks all malicious files.
On the fake crack, Microsoft Defender blocks all files dropped by the executable.

On the pack, big worries... Microsoft Defender is unable to delete the detected elements correctly: the interface bugs out and deletes only a few files.
I don't know if it's related to SAC, but even during execution, SAC blocked all .exe executables and MS Defender blocked the scripts.
Sometimes MS Defender even reacted late (on a malware that had modified RegAsm.exe to install AgentTesla, and on a .jar that installed StrRat). Even though Microsoft Defender managed to remove the infection, it cannot be ruled out that cyber criminals obtained information about the infected user.

It is excellent, but Microsoft still needs to improve this protection, especially on what I stated above.

Request : @Max90 / @Andy Ful / @danb
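The test above relies on ConfigureDefender's MAX profile plus Smart App Control being active. The PowerShell audit below is an added example (not part of Shadowra's post and not ConfigureDefender's own code) that reports the Defender and SAC state so a machine can be confirmed to actually run that combination before a test. The pass thresholds (cloud block level at least High, ASR rules in Block mode), the subset of ASR rule GUIDs checked, and the Smart App Control registry value (VerifiedAndReputablePolicyState under HKLM\SYSTEM\CurrentControlSet\Control\CI\Policy, read as 0/1/2 = Off/On/Evaluation) are this example's assumptions; ConfigureDefender's exact MAX values are not reproduced here.

```powershell
# Added example: read-only audit of Defender settings a "MAX" profile is expected to turn on,
# plus the Smart App Control state. Run in PowerShell on Windows 11 (elevated recommended).
# Thresholds and the SAC registry mapping are this example's assumptions, not ConfigureDefender's.

$pref   = Get-MpPreference
$status = Get-MpComputerStatus

# Smart App Control state lives under the Code Integrity policy key.
# Assumed mapping (as used by community scripts): 0 = Off, 1 = On, 2 = Evaluation.
$sacKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy'
$sacRaw = (Get-ItemProperty -Path $sacKey -Name VerifiedAndReputablePolicyState `
            -ErrorAction SilentlyContinue).VerifiedAndReputablePolicyState
$sacState = if ($null -eq $sacRaw) { 'Not present' }
            elseif ($sacRaw -eq 1) { 'On' }
            elseif ($sacRaw -eq 2) { 'Evaluation' }
            else { 'Off' }

# A subset of ASR rule GUIDs from Microsoft's documented list (names abbreviated).
$asrExpected = @{
  '56A863A9-875E-4185-98A7-B882C64B5CE5' = 'Block abuse of exploited vulnerable signed drivers'
  '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
  '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block potentially obfuscated scripts'
  'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JS/VBS launching downloaded executables'
  'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email/webmail'
  'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block Office apps creating child processes'
  'E6DB77E5-3DF2-4CF1-B95A-636979351E5B' = 'Block persistence via WMI event subscription'
  'C1DB55AB-C21A-4637-BB3F-A12568109D35' = 'Advanced protection against ransomware'
}

# ASR action codes: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
$asrActual = @{}
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
  $asrActual[$pref.AttackSurfaceReductionRules_Ids[$i].ToUpper()] = $pref.AttackSurfaceReductionRules_Actions[$i]
}

# Value meanings: MAPSReporting 2 = Advanced; CloudBlockLevel 2 = High, 4 = High+, 6 = Zero tolerance;
# CloudExtendedTimeout is seconds (max 50); PUA/NetworkProtection/CFA 1 = Block/Enabled, 2 = Audit.
$checks = @(
  [pscustomobject]@{ Setting='Real-time protection';      Value=$status.RealTimeProtectionEnabled;  Ok=[bool]$status.RealTimeProtectionEnabled }
  [pscustomobject]@{ Setting='Cloud (MAPS) reporting';     Value=$pref.MAPSReporting;               Ok=($pref.MAPSReporting -eq 2) }
  [pscustomobject]@{ Setting='Cloud block level';          Value=$pref.CloudBlockLevel;             Ok=($pref.CloudBlockLevel -ge 2) }
  [pscustomobject]@{ Setting='Cloud extended timeout (s)'; Value=$pref.CloudExtendedTimeout;        Ok=($pref.CloudExtendedTimeout -ge 50) }
  [pscustomobject]@{ Setting='PUA protection';             Value=$pref.PUAProtection;               Ok=($pref.PUAProtection -eq 1) }
  [pscustomobject]@{ Setting='Network protection';         Value=$pref.EnableNetworkProtection;     Ok=($pref.EnableNetworkProtection -eq 1) }
  [pscustomobject]@{ Setting='Controlled folder access';   Value=$pref.EnableControlledFolderAccess; Ok=($pref.EnableControlledFolderAccess -eq 1) }
  [pscustomobject]@{ Setting='Smart App Control';          Value=$sacState;                         Ok=($sacState -eq 'On') }
)
foreach ($id in $asrExpected.Keys) {
  $action = if ($asrActual.ContainsKey($id)) { $asrActual[$id] } else { 'not set' }
  $checks += [pscustomobject]@{ Setting="ASR: $($asrExpected[$id])"; Value=$action; Ok=($action -eq 1) }
}

# Anything with Ok = False is not at the level this example expects from a MAX-style profile.
$checks | Format-Table -AutoSize
```

The script changes nothing; it only reads Get-MpPreference, Get-MpComputerStatus and one registry value, so it is safe to run before and after applying a profile to see exactly which settings changed.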
 
Defender has always done well at blocking malware, not so well at removing it.
Defender has no problems removing malware in real-world scenarios.
The removal problem only happens when quick successive executions occur, as in unrealistic malware pack testing.
Microsoft stated a long time ago that it will not fix malware removal just to make nice YouTube test results.

Great thanks (y) Great combo SAC+Defender on MAX
SAC and Defender outperform the others.
No need for third-party software.
 
Thanks for showing how this configuration can work in practice. (y)
SAC can add some protection to MAX settings when non-EXE files are used in the attack (MSI, DLL, CPL, etc.).

Kaspersky found 11 leftovers, but it seems that they were related to the Edge cache:
%LocalAppData%\Microsoft\Edge\User Data\Default\Cache\Cache_Data\
Some malware samples were downloaded via Edge with disabled SmartScreen. Anyway, I can confirm that Defender does not clean some malware leftovers.

As I mentioned a few months ago, it would be interesting to test the configurations with SAC against digitally signed samples. But it would be a hard task because most malware samples are unsigned.
 
Sometimes MS Defender even reacted late (on a malware that had modified RegAsm.exe to install AgentTesla and on a .jar that installed StrRat - even if Microsoft Defender managed to remove the infection, it is not safe that cyber criminals could have got information about the infected user) .

Well, when @AndyFull finishes making ApplockerHome it will probably be able to block sponsors for standard users when using Admin and SUA (with AppLocker on the SUA account); the future looks even more promising (y)(y)(y)
 
I made a light version of HomeApplocker. But I plan to test it thoroughly for several months.

I named it LightWindowsHardening. It can be configured similarly to the setup from the video + some other useful configurations. LWH will not use PowerShell or GPO to configure AppLocker.
I am not going to discuss LWH here (it would unnecessarily bloat this thread). (y)
 
@Andyful

Thanks for the sneak preview of HomeApplocker, really interesting to see how this pans out. (y)(y)(y)

Microsoft should contact you and use your expertise on making Windows PRO security features easy to implement and use. 🙌👏🙌

As an MT-member I hope they don't contact you, because Microsoft would probably disable all those advanced security features for Windows HOME users. ;)🤞👊


In Dutch we say "Don't look a gift horse in the mouth", meaning that when you get something from someone (for free) it is very ungrateful/impolite to criticize it, but ....

do the sponsors already include Microsoft recommended blocks?

Thanks


P.S.

I noticed the new "Exploit Protection" settings for CMD and PowerShell (y)(y)(y)(y)(y)
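The per-process Exploit Protection settings for CMD and PowerShell mentioned above can also be applied and inspected directly with the built-in ProcessMitigations cmdlets. The script below is an added example, not ConfigureDefender's implementation (its exact mitigation list is not known from this thread); the set of mitigations it enables is an assumption chosen to harden the two shells without breaking them, and the export path is an arbitrary choice.

```powershell
# Added example: apply a conservative set of Exploit Protection mitigations to cmd.exe and
# powershell.exe, read the result back, and export it. Run in an elevated PowerShell.
# The mitigation list is this example's assumption, not ConfigureDefender's setting.

$targets = 'cmd.exe', 'powershell.exe'

# Deliberately omitted: DisallowChildProcessCreation (both shells exist to spawn processes),
# BlockDynamicCode and StrictCFG (known to break PowerShell/.NET JIT in practice).
$mitigations = 'DEP', 'SEHOP', 'BottomUp', 'HighEntropy', 'ForceRelocateImages',
               'BlockRemoteImageLoads', 'BlockLowLabelImageLoads', 'DisableExtensionPoints'

foreach ($exe in $targets) {
    # Per-process settings are keyed by image name, so every cmd.exe/powershell.exe gets them.
    Set-ProcessMitigation -Name $exe -Enable $mitigations
}

# Read back the effective configuration so any mitigation that did not apply is visible.
$report = foreach ($exe in $targets) {
    $m = Get-ProcessMitigation -Name $exe
    [pscustomobject]@{
        Process                 = $exe
        DEP                     = $m.Dep.Enable
        SEHOP                   = $m.SEHOP.Enable
        BottomUp                = $m.Aslr.BottomUp
        HighEntropy             = $m.Aslr.HighEntropy
        ForceRelocateImages     = $m.Aslr.ForceRelocateImages
        BlockRemoteImageLoads   = $m.ImageLoad.BlockRemoteImageLoads
        BlockLowLabelImageLoads = $m.ImageLoad.BlockLowLabelImageLoads
        DisableExtensionPoints  = $m.ExtensionPoints.DisableExtensionPoints
    }
}
$report | Format-Table -AutoSize

# Export the whole per-process policy (all configured images, not just these two) for review
# or re-application elsewhere with: Set-ProcessMitigation -PolicyFilePath <file>
$exportPath = Join-Path $env:USERPROFILE 'Desktop\exploit-protection.xml'   # assumed location
Get-ProcessMitigation -RegistryConfigFilePath $exportPath
```

Before applying this to a machine you rely on, run only the Get-ProcessMitigation part first to record the current state; ForceRelocateImages in particular can break third-party modules loaded into PowerShell, and the exported XML is the quickest way to roll back.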
 
@Andy Ful

In Dutch we say "Don't look a gift horse in the mouth", meaning that when you get something from someone (for free) it is very ungrateful/impolite to
I have great respect for @Andy Ful Microsoft should hire him or at least his services. His tools and utilities are excellent and I appreciate them very much. ;)
Me too, they are so valuable for security-aware users, that Norton/Avast/Avira/AVG/Bullguard could hire and retire him (because his tools reduce the need for third-party AV's) ;)
 
Me too, they are so valuable for security-aware users, that Norton/Avast/Avira/AVG/Bullguard could hire and retire him (because his tools reduce the need for third-party AV's) ;)
If one day we receive news from a big company that Andy was hired, it is because it was well deserved. Many people will not like it, but we will understand his future professional side. ;)
 
I have great respect for @Andy Ful Microsoft should hire him or at least his services. His tools and utilities are excellent and I appreciate them very much. ;)
Microsoft does not want to provide such security to home users; it is meant only for their paid clients.
Few people know this, but Windows was not developed for home users; it was developed for domain-joined networks where a sysadmin would have full control over every endpoint and could allow/deny user access to most Windows features.
That is true to this day, but it is for paid Windows users.
For example, every enterprise I work with disables user access to Control Panel; the user is not permitted to install software except that which is approved by the organization, and the user cannot change much of anything on the system.

Microsoft just makes Windows Home available mostly as an agreement with OEMs.
It is absurd that Windows Home by default permits children and those who do not know enough about security full access to the entire system with administrative permissions.
That is why Microsoft openly stated it is developing Windows S mode, and it is only available on the Home version of Windows.
 
Thanks, guys for your kind words. :)
The setup used by @Shadowra can be used to protect many home users on Windows 11. But, only a few MT members will like it. The main problem will be software updates, except for UWP (signed) apps and very popular or digitally signed applications (including signed DLLs).