App Review Microsoft Defender (Config MAX) + Smart App Control

[Andrezj]

do the sponsors already include Microsoft recommended blocks?

from microsoft, government agencies, security industry research:

lolbin and abused process list in txt file attached

Thanks, guys for your kind words.
The setup used by @Shadowra can be used to protect many home users on Windows 11. But, only a few MT members will like it. The main problem will be software updates, except for UWP (signed) apps and very popular or digitally signed applications (including signed DLLs).

microsoft intends sac for home users who will adhere to a full-microsoft-approved application stack as enforced on windows s mode

 

[Freki123]

=> SAC (Smart App Control) is a new system that will automatically block applications that are considered untrustworthy or potentially malicious.

Sadly if MS doesn't like you it also auto disables SAC on your pc even when you run 99% software that's common and signed (just not from the ms store). I'm pretty annoyed about that.
Thanks for your test Shadowra they are always nice to watch

 

[Andrezj]

Sadly if MS doesn't like you it also auto disables SAC on your pc even when you run 99% software that's common and signed (just not from the ms store). I'm pretty annoyed about that.

microsoft designed it to be like windows s mode - which is basically a windows restricted mode with microsoft as the security administrator

 

[Andy Ful]

Windows S-mode is far more restrictive (and safer) as compared to SAC. In S-mode users can only download, install and use applications that are verified and available from the Microsoft Store. On the contrary, SAC allows any digitally signed (EXE + DLLs) application except for blacklisted ones. Windows in S-mode can be installed only on some computers (due to driver restrictions).

Windows 10 in S Mode Driver Requirements - Windows drivers

Windows 10 in S mode Driver Requirements

learn.microsoft.com

 

[Andy Ful]

Sadly if MS doesn't like you it also auto disables SAC on your pc even when you run 99% software that's common and signed (just not from the ms store). I'm pretty annoyed about that.
Thanks for your test Shadowra they are always nice to watch

You probably use one or more applications that are incompatible with SAC. Many popular applications are signed on the EXE level but still can use some unsigned DLLs. You can see in the Windows Event Viewer many Audit alerts.

 

[Andrezj]

Windows S-mode is far more restrictive (and safer) as compared to SAC. In S-mode users can only download, install and use applications that are verified and available from the Microsoft Store. On the contrary, SAC allows any digitally signed (EXE + DLLs) application except for blacklisted ones. Windows in S-mode can be installed only on some computers (due to driver restrictions).

Windows 10 in S Mode Driver Requirements - Windows drivers

Windows 10 in S mode Driver Requirements

learn.microsoft.com

yes this is true, but at the same time microsoft has openly stated that S mode was its most secure operating system with very few infections and that they hope to make sac an alternative based upon strong restrictions
however, "users want to use stuff" so microsoft is giving those kinds of users the option so they can go ahead and infect themselves and others

 

[monkeylove]

I think it basically checks apps against a list, and that's not good enough will check for valid signatures.

 

[Andy Ful]

I think it basically checks apps against a list, and that's not good enough will check for valid signatures.

It is list + AI.
SAC uses ISG to check/predict if the file can be trusted:

The ISG isn't a "list" of apps. Rather, it uses the same vast security intelligence and machine learning analytics that power Microsoft Defender SmartScreen and Microsoft Defender Antivirus to help classify applications as having "known good", "known bad", or "unknown" reputation. This cloud-based AI is based on trillions of signals collected from Windows endpoints and other data sources, and processed every 24 hours. As a result, the decision from the cloud can change.

https://learn.microsoft.com/en-us/w...ation-control-with-intelligent-security-graph

Digital signatures are used when ISG cannot decide if the file can be trusted.
SAC has got also some other important features:

1. The vulnerable driver blocklist is enforced.
2. Potentially malicious macros are blocked.
3. Some potentially dangerous file types are blocked if they were downloaded from the Internet (LNK, ISO, IMG, VHD, VHDX, etc.).

 

[legendcampos]

Taking advantage of the post any solution for this? Smart App Control is blocking .Net runtime optimization causing spam

 

[Moonhorse]

Taking advantage of the post any solution for this? Smart App Control is blocking .Net runtime optimization causing spam

View attachment 272347

I guess you should just give SAC time to settle down little, might take a week maybe longer. You can always disable notifications by setting silent mode / focus mode on

 

[legendcampos]

I guess you should just give SAC time to settle down little, might take a week maybe longer. You can always disable notifications by setting silent mode / focus mode on

Yes, by turning on silent mode I don't get any other notifications. About the Smart Control App only has On/Off the evaluation option has no way to mark. This lock I suspect it is firefox, uninstalled and I will test to see if they keep alerting.

 

[Andy Ful]

Taking advantage of the post any solution for this? Smart App Control is blocking .Net runtime optimization causing spam

View attachment 272347

You can submit this DLL to Microsoft:

Submit a file for malware analysis - Microsoft Security Intelligence

Submit suspected malware or incorrectly detected files for analysis. Submitted files will be added to or removed from antimalware definitions based on the analysis results.

www.microsoft.com

It is necessary to use your Microsoft account.

 

[legendcampos]

You can submit this DLL to Microsoft:

Submit a file for malware analysis - Microsoft Security Intelligence

Submit suspected malware or incorrectly detected files for analysis. Submitted files will be added to or removed from antimalware definitions based on the analysis results.

www.microsoft.com

View attachment 272358


It is necessary to use your Microsoft account.

I have uninstalled firefox since my last comment so far I have not had Dll related alerts. I will continue to monitor

 

[piquiteco]

@Shadowra Thanks for the test, you did a great job.

 

[Andrezj]

I guess you should just give SAC time to settle down little, might take a week maybe longer. You can always disable notifications by setting silent mode / focus mode on

evaluation mode does not whitelist files
there is no way to whitelist exe, dll, and others, not even microsoft files, within smart app control itself

 

[Andy Ful]

I guess you should just give SAC time to settle down little, might take a week maybe longer. You can always disable notifications by setting silent mode / focus mode on

Unfortunately, SAC does not have a typical learning mode. The Evaluate mode is rather for auditing. If the audit results are OK, then SAC is turned ON.
For now, the user must submit false positives to Microsoft. The same is true for false positives related to ASR rules.

General submission channel (including SAC):

Submit a file for malware analysis - Microsoft Security Intelligence

Submit suspected malware or incorrectly detected files for analysis. Submitted files will be added to or removed from antimalware definitions based on the analysis results.

www.microsoft.com

ASR + Network Protection:

Microsoft Defender Advanced Threat Protection

Report problems, such as incorrect detections, with Microsoft Defender ATP attack surface reduction rules and network protection

www.microsoft.com

 

[legendcampos]

I passed here just to add that after uninstalling firefox solved the problem of dll, I was all day monitoring and did not receive any related blocking alerts. I think microsoft is boycotting third-party products

 

[Andy Ful]

I passed here just to add that after uninstalling firefox solved the problem of dll, I was all day monitoring and did not receive any related blocking alerts. I think microsoft is boycotting third-party products

We cannot exclude some boycotting and also the possibility that the vendors of some 3rd party products do not bother to submit unsigned DLLs to Microsoft. Maybe Microsoft and software vendors wait until the customers will do this.

 

[oldschool]

Sadly if MS doesn't like you it also auto disables SAC on your pc even when you run 99% software that's common and signed (just not from the ms store). I'm pretty annoyed about that.
Thanks for your test Shadowra they are always nice to watch

I'm not having any problems with it, and I turned it on myself, after a short run with evaluation mode enabled.

As a side note: I tested SAC installing both Eloston Ungoogled Chromium and Marmaduke versions, both being the latest release, both unsigned and probably not prevalent. SAC notified that parts of the former were blocked and might not work, and the installation proceeded without any problem, with everything apparently working. SAC blocked Marmaduke outright and threw a prompt with an option to use the Feedback Hub.

I'm actually OK that MS has provided 2 ways for users to deal with blocked files: via submission through Windows Security and through the Feedback Hub.

 

[nickstar1]

Microsoft needs to make it so that you can turn off and on the smart app protection why do we have to "re-install the operating system to change settings"? Microsoft what the heck ..... are you doing? you have what's called "engineers" for a reason. Why cant you just make things easy and simple?