Run by Smartscreen utility

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
I noticed that 'Run By SmartScreen' covers the 'shortcut with command' execution.
Shortcuts with commands written in 'Target' input area, can run scripts and some other file types, using sponsors located in the System Space (wscript.exe, cscript.exe, regedit.exe, mshta.exe, mmc.exe, hh.exe, etc.). This is sometimes a weak point of whitelisting protection.
'Run By Smartscreen' is activated through explorer context menu, so it does not have to run files with command line parameters. Actually, only the legitimate sponsor is executed, but not the file argument in the command line.
For example a shortcut carrying the command: 'c:\Windows\hh.exe %TEMP%\malicious.chm' , cannot open malicious.chm file (only hh.exe will be executed).:)
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
Today I had an example how Windows Defender Heuristics work. I tested a new version of 'Run By Smartscreen' that threw in a short time several files to check. The great deal of them was not recognized as safe by SmartScreen filter. Among them were some not signed, legitimate system files copied from C:\Windows\System32 to C:\z\ folder (mshta.exe, hh.exe, mmc.exe, control.exe, wscript.exe). Suddenly I saw the Defender alert, that it found a malware (trojan). After that in quarantine landed RunBySmartscreen(x64).exe . In this way I created my first trojan, and successfully infected my own computer.:)
So now, I have to test 'Run By Smartscreen' with disabled Windows Defender to not make it nervous.

I submitted the file RunBySmartscreen_1.0.3.zip to Microsoft as the false positive. They have kindly informed me that it is clean.
Submission History Details
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
@Wave
Your new avatar is a good guy or a bad one?
 
  • Like
Reactions: Wave

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
I simplified the installation process, so if you unzip the file RunBySmartscreen_2.0.1.zip, and execute RunBySmartscreen(x64).exe (for 64Bit OS) from unpacked folder, the old file (in C:\Windows) will be replaced by the new one.
 
  • Like
Reactions: Av Gurus and Wave

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
I was curious how 'Run By SmartScreen' + Windows Defender (Windows 10) + Edge was going to manage 28-11-2016 #20 malware pack. I have could run/open only 3 files: 'ssylka na battlefield 1.exe' , and 2 pdf's. The PDF files have got url links, but they have failed to open in Edge. The executable 'ssylka na battlefield 1.exe' according to Kaspersky is 'not-a-virus:WebToolbar.Win32.Codiby.igr' (but has many heuristic detections).
Not bad.:) But of course, 'Run By SmartScreen' is not real-time protection, so it is hard to compare it with software tested on Malware Hub.:(
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
'Run By Smartscreen' stable version 2.0.1 released.

What is new?

1. The bug with SCR extension check was corrected.
2. The PIF extension was removed (not supported in Windows 8+).
3. The URL extension was removed (not supported by Explorer context menu).
4. Explorer context menu option for WSH extension was added.
5. Alerts for DLL and OCX files were added - those files cannot be run directly, so only 'Mark of Web' is added. If some program is going to open them, then SmartScreen check will be triggered.
6. Shortcuts with command line in 'Target' area are always blocked, and the program shows an alert.
7. The installation process was simplified.

GitHub - AndyFul/Run-By-Smartscreen
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
I pushed the new version 3.0.0.0 of 'Run By SmartScreen' tool. It is whitelisted by Avast, Emsisoft, Microsoft, and Symantec AV vendors. It will be added soon to the new version of Hard_Configurator.
  1. For 64-bit Windows: AndyFul/Run-By-Smartscreen
  2. For 32-bit Windows: AndyFul/Run-By-Smartscreen

The main idea of 'Run By SmartScreen' did not change. This program is intended to help the users to safely open all new files. There are some changes as compared to previous versions. The new version works as follows:
  1. Executables (COM, EXE, MSI, and SCR files) located in the System Space (= inside 'C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)') are opened normally, without SmartScreen check.
  2. The above executables located in the User Space (= outside 'C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)') are checked by SmartScreen before running them by the user.
  3. Files located in the User Space with potentially dangerous extensions (scripts, most MS Office files, etc.), are not allowed to open (similarly to Software Restriction Policies), and the program shows an alert.
  4. Shortcuts with a command line in the 'Target' area, are always blocked and the program shows an alert.
  5. Compressed archives not supported by Windows build-in unpacker (.7z, .arj, .rar, .zipx) are not opened - only the short instruction is displayed.
  6. Popular formats related to MS Office and Adobe Acrobat Reader (DOC, DOCX, XLS, XLSX, PUB, PPT, PPTX, ACCDB, PDF) are opened with the warning instruction, and the MOTW is added to the file.
  7. During the installation, 'Run By SmartScreen' changes the Adobe Reader 10+/DC 'Protected View' setting, similarly to the default 'Protected View' setting in MS Office 2010+. So, 'Protected View' is applied when MS Office and Adobe Acrobat Reader 10+/DC are used for opening the popular documents (DOC, DOCX, XLS, XLSX, PUB, PPT, PPTX, ACCDB, PDF). Other MS Office documents are considered as unsafe (see point 3).
  8. Other files (ZIP archives, media, photos, etc.) are opened normally without warnings.

The program has hardcoded list of unsafe (potentially dangerous) file extensions:
ACCDA, ACCDE, ACCDR, ACCDT, ACM, AD, ADE, ADN, ADP, AIR, APP, APPLICATION, APPREF-MS, ARC, ASA, ASP, ASPX, ASX, AX, BAS, BAT, BZ, BZ2, CAB, CDB, CER, CFG, CHI, CHM, CLA, CLASS, CLB, CMD, CNT, CNV, COM, COMMAND, CPL, CPX, CRAZY, CRT, CRX, CSH, CSV, DB, DCR, DER, DESKLINK, DESKTOP, DIAGCAB, DIF, DIR, DLL, DMG, DOCB, DOCM, DOT, DOTM, DOTX, DQY, DRV, EXE, FON, FXP, GADGET, GLK, GRP, GZ, HEX, HLP, HPJ, HQX, HTA, HTC, HTM, HTT, IE, IME, INF, INI, INS, IQY, ISP, ITS, JAR, JNLP, JOB, JS, JSE, KSH, LACCDB, LDB, LIBRARY-MS, LOCAL, LZH, MAD, MAF, MAG, MAM, MANIFEST, MAPIMAIL, MAQ, MAR, MAS, MAT, MAU, MAV, MAW, MAY, MCF, MDA, MDB, MDE, MDF, MDN, MDT, MDW, MDZ, MHT, MHTML, MMC, MOF, MSC, MSH, MSH1, MSH1XML, MSH2, MSH2XML, MSHXML, MSI, MSP, MST, MSU, MUI, MYDOCS, NLS, NSH, OCX, ODS, OPS, OQY, OSD, PCD, PERL, PI, PIF, PKG, PL, PLG, POT, POTM, POTX, PPAM, PPS, PPSM, PPSX, PPTM, PRF, PRG, PRINTEREXPORT, PRN, PS1, PS1XML, PS2, PS2XML, PSC1, PSC2, PSD1, PSDM1, PST, PSTREG, PXD, PY, PY3, PYC, PYD, PYDE, PYI, PYO, PYP, PYT, PYW, PYWZ, PYX, PYZ, PYZW, RB, REG, RPY, RQY, RTF, SCT, SEA, SEARCH-MS, SEARCHCONNECTOR-MS, SETTINGCONTENT-MS, SHB, SHS, SIT, SLDM, SLDX, SLK, SPL, STM, SWF, SYS, TAR, TAZ, TERM, TERMINAL, TGZ, THEME, TLB, TMP, TOOL, TSP, URL, VB, VBE, VBP, VBS, VSMACROS, VSS, VST, VSW, VXD, WAS, WBK, WEBLOC, WEBPNP, WEBSITE, WS, WSC, WSF, WSH, XBAP, XLA, XLAM, XLB, XLC, XLD, XLL, XLM, XLSB, XLSM, XLT, XLTM, XLTX, XLW, XML, XNK, XPI, XPS, Z, ZFSENDTOTARGET, ZLO, ZOO

The above list is based on SRP, Outlook Web Access, Gmail, and Adobe Acrobat Reader file extension blacklists.
The files with extensions: BAT, CMD, CPL, DLL, JSE, OCX, and VBE are supported by SmartScreen Application Reputation. But, their SmartScreen detection is not good, so they are added to the list of unsafe file extensions. Even if they are accepted by SmartScreen, then will be blocked with notification.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
One thing that can maybe irritate the experienced user is an alert that is shown while opening popular documents via "Run By SmartScreen". It contains some warnings about dangerous user actions, related to the active content, enabling all functions, etc. But, experienced users can simply use "Run By SmartScreen" to run executables only (COM, EXE, MSI, SCR).
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
So I installed the new version, and when I opened H_C, it complained that run as smartscreen is not enabled. So I re-enabled it. Did that switch me back to the older version?
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
So I installed the new version, and when I opened H_C, it complained that run as smartscreen is not enabled. So I re-enabled it. Did that switch me back to the older version?
The standalone version of "Run By SmartScreen" is not integrated with H_C ver. 4.0.0.0. The previous "Run By SmartScreen" will be applied. The integrated version is in C:\Windows\Hard_Configurator folder.
If H_C is closed , then you can install and use the standalone version of "Run By SmartScreen".
The standalone executable is in C:\Windows folder. You cannot replace those executables, because some features of the new version will not work. If you open H_C then the standalone version is automatically wiped out from the Registry by the H_C setting.
 

oldschool

Level 85
Verified
Top Poster
Well-known
Mar 29, 2018
7,609
The standalone version of "Run By SmartScreen" is not integrated with H_C ver. 4.0.0.0. The previous "Run By SmartScreen" will be applied. The integrated version is in C:\Windows\Hard_Configurator folder.
If H_C is closed , then you can install and use the standalone version of "Run By SmartScreen".
The standalone executable is in C:\Windows folder. You cannot replace those executables, because some features of the new version will not work. If you open H_C then the standalone version is automatically wiped out from the Registry by the H_C setting.

I was wondering generally if this was the case. My understanding increases in small increments! :LOL:
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top