App Review Microsoft Defender (Config MAX) + Smart App Control

Content created by
Shadowra

oldschool

Microsoft needs to make it so that you can turn off and on the smart app protection. Why do we have to "re-install the operating system to change settings"? Microsoft, what the heck ..... are you doing? You have what's called "engineers" for a reason. Why can't you just make things easy and simple?
It would defeat the whole purpose of SAC, I presume.
 
  • Like
Reactions: Dave Russo
F

ForgottenSeer 98186

why do we have to "re-install the operating system to change settings"?
Because the whole point of SAC is to ensure that the system is clean and that SAC will only permit installs of what Microsoft has determined to be "non-malicious" or "non-PUA."

Microsoft is trying to put a stop to "users who want to use stuff" from downloading and executing whatever they want. It is an unpopular position, but at the same time catering to "users who want to use stuff" with default-allow absurdity is a primary cause of the out-of-control malware problem. Permitting unmanaged users to do what they want is an ideology that is both obsolete and asinine in this day and age.

In short, with SAC, Microsoft is trying to implement a "softer and easier way" to enforce Windows S mode.
 
  • Like
Reactions: oldschool

oldschool

An update to my post #39 above:

It seems that SAC allows some non-prevalent, unsigned software after a bit of time has passed, not unlike nor exactly like SmartScreen. In my previous post, I could install Eloston Ungoogled Chromium but couldn't install the Marmaduke version. Today, I was able to install the Marmaduke version, which is about 2 weeks since its release. I guess ISG changed its mind about Marmaduke. SAC may be a bit more subtle and friendly than some first thought.

Andy Ful

From Hard_Configurator Tools
An update to my post #39 above:

It seems that SAC allows some non-prevalent, unsigned software after a bit of time has passed, not unlike nor exactly like SmartScreen. In my previous post, I could install Eloston Ungoogled Chromium but couldn't install the Marmaduke version. Today, I was able to install the Marmaduke version, which is about 2 weeks since its release. I guess ISG changed its mind about Marmaduke. SAC may be a bit more subtle and friendly than some first thought.

SAC uses both ISG and SmartScreen.
The Marmaduke version still triggers a SmartScreen alert on my computer, but it is allowed by the Defender ASR rule "Block executable files from running unless they meet a prevalence, age, or trusted list criteria", which is also based on ISG. So you are right that the ISG AI decided after some time to consider the installer safe.

Edit.
The most probable scenario is that someone (maybe the developer) has submitted the installer to Microsoft to remove the false positive.
 
Last edited:

SeriousHoax

"Block executable files from running unless they meet a prevalence, age, or trusted list criteria"
This ASR rule is ineffective for those falsely inflated, large-sized malware samples (like 700 MB). Same for SmartScreen. Would SAC be able to block those? Cloud-based hash checking doesn't work because of the size. Many of the samples are also signed using leaked/stolen certificates.

Andy Ful

From Hard_Configurator Tools
This ASR rule is ineffective for those falsely inflated, large-sized malware samples (like 700 MB). Same for SmartScreen. Would SAC be able to block those? Cloud-based hash checking doesn't work because of the size. Many of the samples are also signed using leaked/stolen certificates.
Defender and SmartScreen can sometimes have a problem. Are you sure that the ASR rule is ineffective too?

Andy Ful

From Hard_Configurator Tools
Yeah, I'm sure. I have tested multiple times on a Windows 10 VM.
Edit: Let me know if you need a sample to test.
Yes. I would like to investigate this a little. :)
But, I believe you. This ASR rule does not block new files (never executed before on the particular computer) if you disconnect the computer from the Internet. But, if the file was once executed and blocked, then a flag is added to this file and it will also be blocked when offline.
SAC works differently - it will block the new file even without an Internet connection.
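For anyone who wants to check the pieces discussed in this thread on their own machine, here is an added PowerShell example (not posted by anyone in the thread): it reports whether the "prevalence, age, or trusted list" ASR rule is in Block/Audit mode, reads the Smart App Control state, and lists recent ASR block/audit events for that rule. It assumes the rule's well-known GUID 01443614-cd74-433a-b99e-2ecdc07bfc25 and the SAC state value VerifiedAndReputablePolicyState under the CI\Policy key; the parsing of the "Path:" line out of the event message is an assumption about the event text layout.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on a Windows 10/11 host.
# GUID of the ASR rule "Block executable files from running unless they meet a
# prevalence, age, or trusted list criterion" (assumed well-known value).
$PrevalenceRuleId = '01443614-cd74-433a-b99e-2ecdc07bfc25'

function Get-AsrRuleState {
    param([string]$RuleId = $PrevalenceRuleId)
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToLower() })
    $idx  = [array]::IndexOf($ids, $RuleId.ToLower())
    if ($idx -lt 0) { return 'NotConfigured' }
    # Action codes: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn
    switch ($pref.AttackSurfaceReductionRules_Actions[$idx]) {
        0 { 'Disabled' } 1 { 'Block' } 2 { 'Audit' } 6 { 'Warn' } default { "Unknown($_)" }
    }
}

function Get-SmartAppControlState {
    # Assumed location of the SAC state: 0 = Off, 1 = Enforcement, 2 = Evaluation
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy'
    $v = (Get-ItemProperty -Path $key -Name VerifiedAndReputablePolicyState -ErrorAction SilentlyContinue).VerifiedAndReputablePolicyState
    switch ($v) { 0 { 'Off' } 1 { 'Enforcement' } 2 { 'Evaluation' } default { 'Unavailable (key missing or older Windows)' } }
}

function Get-RecentAsrEvents {
    # 1121 = ASR rule blocked, 1122 = ASR rule would have blocked (audit mode)
    param([string]$RuleId = $PrevalenceRuleId, [int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $RuleId } |
    Select-Object TimeCreated, Id,
        @{ n = 'Mode'; e = { if ($_.Id -eq 1121) { 'Block' } else { 'Audit' } } },
        @{ n = 'Path'; e = { ($_.Message -split "`r?`n" | Where-Object { $_ -match '^\s*Path:' }) -replace '^\s*Path:\s*', '' } }
}

"ASR prevalence/age rule : $(Get-AsrRuleState)"
"Smart App Control state : $(Get-SmartAppControlState)"
"ASR events (last 24h):"
Get-RecentAsrEvents | Format-Table -AutoSize
```

An empty event list while the rule is in Block mode is consistent with the offline behaviour Andy Ful describes: a never-before-seen file is not blocked (and logs nothing) until the rule can reach the cloud.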
