App Review Microsoft Defender (Config MAX) + Smart App Control

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
Content created by
Shadowra

Andrezj

Level 6
Verified
Well-known
Nov 21, 2022
248
do the sponsors already include Microsoft recommended blocks?
from microsoft, government agencies, security industry research:

lolbin and abused process list in txt file attached

Thanks, guys for your kind words. :)
The setup used by @Shadowra can be used to protect many home users on Windows 11. But, only a few MT members will like it. The main problem will be software updates, except for UWP (signed) apps and very popular or digitally signed applications (including signed DLLs).
microsoft intends sac for home users who will adhere to a full-microsoft-approved application stack as enforced on windows s mode
 

Attachments

  • windows_lolbins_list.txt
    2.1 KB · Views: 240
Last edited:

Freki123

Level 16
Verified
Top Poster
Aug 10, 2013
753
=> SAC (Smart App Control) is a new system that will automatically block applications that are considered untrustworthy or potentially malicious.
Sadly if MS doesn't like you it also auto disables SAC on your pc even when you run 99% software that's common and signed (just not from the ms store). I'm pretty annoyed about that.
Thanks for your test Shadowra they are always nice to watch :)
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
Windows S-mode is far more restrictive (and safer) as compared to SAC. In S-mode users can only download, install and use applications that are verified and available from the Microsoft Store. On the contrary, SAC allows any digitally signed (EXE + DLLs) application except for blacklisted ones. Windows in S-mode can be installed only on some computers (due to driver restrictions).
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
Sadly if MS doesn't like you it also auto disables SAC on your pc even when you run 99% software that's common and signed (just not from the ms store). I'm pretty annoyed about that.
Thanks for your test Shadowra they are always nice to watch :)
You probably use one or more applications that are incompatible with SAC. Many popular applications are signed on the EXE level but still can use some unsigned DLLs. You can see in the Windows Event Viewer many Audit alerts.
 

Andrezj

Level 6
Verified
Well-known
Nov 21, 2022
248
Windows S-mode is far more restrictive (and safer) as compared to SAC. In S-mode users can only download, install and use applications that are verified and available from the Microsoft Store. On the contrary, SAC allows any digitally signed (EXE + DLLs) application except for blacklisted ones. Windows in S-mode can be installed only on some computers (due to driver restrictions).
yes this is true, but at the same time microsoft has openly stated that S mode was its most secure operating system with very few infections and that they hope to make sac an alternative based upon strong restrictions
however, "users want to use stuff" so microsoft is giving those kinds of users the option so they can go ahead and infect themselves and others
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
I think it basically checks apps against a list, and that's not good enough will check for valid signatures.
It is list + AI.
SAC uses ISG to check/predict if the file can be trusted:

The ISG isn't a "list" of apps. Rather, it uses the same vast security intelligence and machine learning analytics that power Microsoft Defender SmartScreen and Microsoft Defender Antivirus to help classify applications as having "known good", "known bad", or "unknown" reputation. This cloud-based AI is based on trillions of signals collected from Windows endpoints and other data sources, and processed every 24 hours. As a result, the decision from the cloud can change.
https://learn.microsoft.com/en-us/w...ation-control-with-intelligent-security-graph

Digital signatures are used when ISG cannot decide if the file can be trusted.
SAC has got also some other important features:
  1. The vulnerable driver blocklist is enforced.
  2. Potentially malicious macros are blocked.
  3. Some potentially dangerous file types are blocked if they were downloaded from the Internet (LNK, ISO, IMG, VHD, VHDX, etc.).
 
Last edited:

legendcampos

Level 6
Verified
Aug 22, 2014
286
Taking advantage of the post any solution for this? Smart App Control is blocking .Net runtime optimization causing spam

Screenshot_1.png
 

Moonhorse

Level 38
Verified
Top Poster
Content Creator
Well-known
May 29, 2018
2,728
Taking advantage of the post any solution for this? Smart App Control is blocking .Net runtime optimization causing spam

View attachment 272347
I guess you should just give SAC time to settle down little, might take a week maybe longer. You can always disable notifications by setting silent mode / focus mode on
 

legendcampos

Level 6
Verified
Aug 22, 2014
286
I guess you should just give SAC time to settle down little, might take a week maybe longer. You can always disable notifications by setting silent mode / focus mode on
Yes, by turning on silent mode I don't get any other notifications. About the Smart Control App only has On/Off the evaluation option has no way to mark. This lock I suspect it is firefox, uninstalled and I will test to see if they keep alerting.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
Taking advantage of the post any solution for this? Smart App Control is blocking .Net runtime optimization causing spam

View attachment 272347

You can submit this DLL to Microsoft:

1674500120547.png



It is necessary to use your Microsoft account.
 

legendcampos

Level 6
Verified
Aug 22, 2014
286
You can submit this DLL to Microsoft:

View attachment 272358


It is necessary to use your Microsoft account.
I have uninstalled firefox since my last comment so far I have not had Dll related alerts. I will continue to monitor
 

Andrezj

Level 6
Verified
Well-known
Nov 21, 2022
248
I guess you should just give SAC time to settle down little, might take a week maybe longer. You can always disable notifications by setting silent mode / focus mode on
evaluation mode does not whitelist files
there is no way to whitelist exe, dll, and others, not even microsoft files, within smart app control itself
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
I guess you should just give SAC time to settle down little, might take a week maybe longer. You can always disable notifications by setting silent mode / focus mode on
Unfortunately, SAC does not have a typical learning mode. The Evaluate mode is rather for auditing. If the audit results are OK, then SAC is turned ON.
For now, the user must submit false positives to Microsoft. The same is true for false positives related to ASR rules.

General submission channel (including SAC):
ASR + Network Protection:
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
I passed here just to add that after uninstalling firefox solved the problem of dll, I was all day monitoring and did not receive any related blocking alerts. I think microsoft is boycotting third-party products (n)
We cannot exclude some boycotting and also the possibility that the vendors of some 3rd party products do not bother to submit unsigned DLLs to Microsoft. Maybe Microsoft and software vendors wait until the customers will do this.
 

oldschool

Level 85
Verified
Top Poster
Well-known
Mar 29, 2018
7,698
Sadly if MS doesn't like you it also auto disables SAC on your pc even when you run 99% software that's common and signed (just not from the ms store). I'm pretty annoyed about that.
Thanks for your test Shadowra they are always nice to watch :)
I'm not having any problems with it, and I turned it on myself, after a short run with evaluation mode enabled.

As a side note: I tested SAC installing both Eloston Ungoogled Chromium and Marmaduke versions, both being the latest release, both unsigned and probably not prevalent. SAC notified that parts of the former were blocked and might not work, and the installation proceeded without any problem, with everything apparently working. SAC blocked Marmaduke outright and threw a prompt with an option to use the Feedback Hub.

I'm actually OK that MS has provided 2 ways for users to deal with blocked files: via submission through Windows Security and through the Feedback Hub.
 

nickstar1

Level 10
Verified
Well-known
Dec 10, 2022
454
Microsoft needs to make it so that you can turn off and on the smart app protection why do we have to "re-install the operating system to change settings"? Microsoft what the heck ..... are you doing? you have what's called "engineers" for a reason. Why cant you just make things easy and simple?
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top