New Update Smart App Control - Windows 11 22H2 feature promises significant protection from malware

Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Forum Veteran
Dec 23, 2014
10,108
1
66,962
8,398
65
Poland
I am curious how it will work in practice.:)

www.windowslatest.com

Windows 11 22H2 feature promises significant protection from malware

Windows 11 Sun Valley 2 (version 22H2) is set to launch in a few months and it’s shaping up to be a fantastic update that brings back removed features, improves the user interface, and adds new features to the operating system. One of the new addition is a new security tool that will prevent...
www.windowslatest.com

It will probably use Microsoft ISG, so many false positives are expected. Anyway, it can be some solutions for children and happy clickers.
 
  • Like
  • Wow
  • Thanks
Reactions: Dave Russo, Parkinsond, vtqhtr413 and 18 others

How does Smart App Control work?​

When you try to run an app on Windows, Smart App Control will check to see if our intelligent cloud-powered security service can make a confident prediction about its safety. If the service believes the app to be safe, Smart App Control will let it run. If the app is believed to be malicious or potentially unwanted, then Smart App Control will block it.

If the security service is unable to make a confident prediction about the app, then Smart App Control checks to see if the app has a valid signature. If the app has a valid signature, Smart App Control will let it run. If the app is unsigned, or the signature is invalid, Smart App Control will consider it untrusted and block it for your protection.
Click to expand...

Smart App Control Frequently Asked Questions - Microsoft Support

Frequently asked questions (FAQs) about Smart App Control, a Windows feature designed to block malicious, untrusted, or potentially unwanted apps from running on your device.
support.microsoft.com support.microsoft.com

--------------------------------

“This feature creates an AI model using intelligence, based on the 43 trillion security signals gathered daily, to predict if an app is safe,” explained David Weston, Vice President, Enterprise and Operating System Security. “Windows 11 uses the power of AI to generate a continually updated app control policy which allows common and known safe apps to run while blocking unknown apps often associated with new malware.”
Click to expand...
petri.com

Windows 11 Gets Smart App Control and More Security Features

The just-released Windows 11 2022 Update is bringing several new security features to the OS. The first major update for Windows 11 brings a new Smart App Control feature that lets users automatically block potentially dangerous apps from running on Windows 11 PCs. “This feature creates an AI mo ...
petri.com petri.com

--------------------------------
...
So, when users get an application that millions of others are using -- regardless of whether it's from the Store or a website -- it will "work like normal," Weston said. But if someone sends an application as an attachment that they recently generated to bypass antivirus protection, that won't run because it's not on the allow-list.

"Most of the applications we use today are used by millions of other people. Most malware is seen on only a couple of machines. We plumbed into the core of the operating system [with] this enforcement mechanism. Prior to Windows 11 22H2, this was a policy you had to write up yourself in an XML file. You can imagine, that's pretty tricky in the enterprise knowing which applications everyone needs to run," Weston said.

Windows 11 22H2 also blocks "most of the script vectors from the internet." It's partly informed by the Office team's decision to block untrusted macros from the internet by default.

"Windows 11 22H2 took that idea further. We said no PowerShell, no LNK files, no Visual Basic from the internet. Anyone with an eye on the threat landscape knows that these are some of the favorites. Windows 11 in Smart App Control mode blocks those threats," he said.

Microsoft will roll out the security feature gradually to users. There will be a one-click option for users to leave Smart App Control, which requires a reboot to exit it. Over time Microsoft will release more granular policies, for example, to enable a nominated app to run while the feature has otherwise been enabled.
Click to expand...
www.zdnet.com

Windows 11 22H2: These are the big new security features

Windows 11's new release brings some new settings to keep attackers at bay. Here's a quick tour.
www.zdnet.com www.zdnet.com
 
  • Like
  • +Reputation
Reactions: EASTER, vtqhtr413, SeriousHoax and 4 others
Andy Ful said:
"We (MICROSOFT) said no PowerShell, no LNK files, no Visual Basic from the internet. Anyone with an eye on the threat landscape knows that these are some of the favorites. Windows 11 in Smart App Control mode blocks those threats," he said."
Click to expand...
Microsoft implementing highest-level security by blocking at the application and technique levels.
The Microsoft AI security model blocking by process and file type.

Guilhermesene said:
I think I have seen this functionality in other software. Not a criticism but, would it be a copy of Kaspersky's application control and maybe OSarmor as well? 🤔
Click to expand...
By the time Microsoft markets something, it has been working on it behind the scenes for years and it has been silently shipped, partially completed in Windows images without you knowing it. Smart App Control is not a rip-off of Kaspersky KSN nor Application Control. Both use stochastics and other statistical (incidence) methods.
 
Last edited by a moderator:
  • Like
Reactions: Dave Russo, vtqhtr413, Andy Ful and 2 others
Guilhermesene said:
I think I have seen this functionality in other software. Not a criticism but, would it be a copy of Kaspersky's application control and maybe OSarmor as well? 🤔
Click to expand...
It is an important enhancement of the well known Windows built-in features (SRP + SmartScreen). The idea of SRP was started in the era of Windows XP and was continued/enhanced via Applocker and WDAC (MDAC). SmartScreen was introduced with Windows 8.
A similar approach was implemented many years ago in the Comodo AV, except that untrusted files were not blocked but contained in the Sandbox. I am not sure when this idea was implemented in Kaspersky products, but this is also a very comprehensive smart-default-deny (advanced tweaks are required).
Several years ago I made Hard_Configurator for home users, which is a realization of the same idea as Smart App Control (I took the idea from Comodo and used SRP+SmartScreen).

If I correctly recall, OSArmor does not use file reputation lookup. If so, then it is another kind of security.
 
Last edited:
  • Like
  • +Reputation
Reactions: Dave Russo, Parkinsond, kylprq and 7 others
Andy Ful said:
It is an important enhancement of the well known Windows built-in features (SRP + SmartScreen). The idea of SRP was started in the era of Windows XP and was continued/enhanced via Applocker and WDAC (MDAC). SmartScreen was introduced with Windows 8.
A similar approach was implemented many years ago in the Comodo AV, except that untrusted files were not blocked but contained in the Sandbox. I am not sure when this idea was implemented in Kaspersky products, but this is also a very comprehensive smart-default-deny.
Several years ago I made Hard_Configurator for home users, which is a realization of the same idea as Smart App Control (I took the idea from Comodo and used SRP+SmartScreen).

If I correctly recall, OSArmor does not use file reputation lookup. If so, then it is another kind of security.
Click to expand...

So for H_C users, the Smart App Control does not do anything new?
 
  • Like
Reactions: Jack and Andy Ful
pxxb1 said:
So for H_C users, the Smart App Control does not do anything new?
Click to expand...
The security idea is almost the same. But, there are many important differences on the technical level.
The H_C and SAC are also differently integrated with Windows. Furthermore, the classic SRP used by H_C does not work on Windows 11 with the newest update. I am not sure if this is a bug or if finally, Microsoft decided to replace the classic SRP with SAC on Windows 11.
So, home users that prefer Windows built-in features can use H_C on Windows 10 (and prior versions) and SAC on Windows 11. Others can use tweaked Comodo, tweaked Kaspersky, etc. for a similar type of protection.
 
Last edited:
  • Like
  • +Reputation
Reactions: Divine_Barakah, Parkinsond, kylprq and 5 others
"Smart App Control is aimed at Windows 11 for consumers and small businesses."

"(Smart App Control) It will be on by default for Windows 11 in enterprises, but Microsoft doesn't expect them to deploy it because many enterprise have their line of business apps. Microsoft expects them to use Windows Defender Application Control instead, Weston said."

"(Smart) application control relies on artificial intelligence to define the allow-list. Microsoft tried an allow-list approach in locked-down Windows 10 S in "tens of millions of devices" and saw "no malware" on them thanks to it, says Weston."

"Smart App Control relies on the same Windows features (e.g. SRP) as Windows Defender Application Control, which allows policies to be manually defined." As Microsoft noted, WDAC is SRP.

Windows 11 22H2: These are the big new security features

The new Config Lock should also be welcomed by admins.
 
  • +Reputation
  • Like
Reactions: kylprq, SeriousHoax, Jack and 3 others
Andy Ful said:
classic SRP
Click to expand...
SRP is a security method, but Microsoft uses the term SRP interchangeably to refer to both the method and its own implementation of SRP (with its own feature set as opposed to other SRP implementations such as Comodo, Kaspersky, Symantec).

As Microsoft personnel have stated over the years, AppLocker, WDAC\MDAC, and Group Policy are SRP.
 
  • Like
Reactions: Jack
My goodness, this is seriously some good news. Actually worth posting back in MalwareTips after being in the shadows since like forever.

Once this is live and working fine (talking about both the module and the Windows version), I might switch to Windows 11. This makes it worth it IMO. :cool:
 
  • Like
Reactions: Andy Ful, simmerskool, Guilhermesene and 2 others
RoboMan said:
My goodness, this is seriously some good news. Actually worth posting back in MalwareTips after being in the shadows since like forever.

Once this is live and working fine (talking about both the module and the Windows version), I might switch to Windows 11. This makes it worth it IMO. :cool:
Click to expand...
Microsoft probably will not implement Smart App Control to its fullest possible extent (such as it did with Windows 10 S which was superb security) for consumer and small businesses. It knows that it can't block too much otherwise there will be consumer backlash. Afterall, Windows is nothing but a conduit to supply profitable media to consumers. More money to be made (by orders of magnitude) selling entertaining stuff to consumers than protecting them for, basically, free or very little cost to them. But I would expect there to be tweaks or manual configuration (e.g. SAC XML) possible for those users inclined to enforce the highest possible security using SAC. Yet it remains a guessing game. We're dealing with Microsoft, where features come-and-go, some stick, some fade-away (remember Desired State Configuration?). It's anybody's guess.

We already know that users are screaming for a way to whitelist programs and files in Smart App Control as they see fit (look at the SAC feature requests submitted to Windows Insider's) - because SAC is blocking stuff that those users shouldn't be doing or using. So the cracks created in security by users themselves are already afoot where SAC is concerned.

Microsoft has been telling developers for a while that SAC might block their unsigned programs, and the only workaround Microsoft is willing to provide is for the developer to purchase and apply a digital certificate. Microsoft has postured and drawn such lines in the sand before, only to relent every single time once the backlash reached enough of a threshold.

For those intent on implementing mighty security, Microsoft will leave the manual methods of AppLocker, Group Policy, MDAC\WDAC and SRP. Since enterprise is so dependent upon these, and the fact that Windows is a unified OS image, we can expect these to be shipped by Microsoft for a long, long time.
 
Last edited by a moderator:
  • Like
  • +Reputation
  • Applause
Reactions: SBMan, vtqhtr413, RoboMan and 4 others
As nice as this sounds, it's supremely dumb that you cannot turn it on unless your system is brand new or has just been reset. That tells me a lot more about it. I guess their "evaluation" mode cannot be trusted.
 
  • Like
Reactions: vtqhtr413 and brambedkar59
n8chavez said:
As nice as this sounds, it's supremely dumb that you cannot turn it on unless your system is brand new or has just been reset. That tells me a lot more about it. I guess their "evaluation" mode cannot be trusted.
Click to expand...
SAC is still in alpha\early beta testing in the Windows Insider's Program. It is not yet a general availability (GA) = stable release. The quirky install requirement for SAC activation is not unusual for its stage of development.

Going forward, Microsoft might do as it typically does and make only modest, incremental improvements to SAC when it is "released to stable." That means security enthusiasts will be disappointed and those that don't know any better will just tilt and scratch their heads. A number of years down the line Microsoft will stop development of SAC. I doubt Microsoft will throw "all-in" on SAC and try to make it a highly refined and polished security feature - and the reason for that doubt is the target market for SAC = consumers and small businesses. For Microsoft that market segment is its least profitable and relegated to a "best effort."
 
Last edited by a moderator:
  • Like
Reactions: [correlate]
Furyo said:
SAC is still in alpha\early beta testing in the Windows Insider's Program. It is not yet a general availability (GA) = stable release. The quirky install requirement for SAC activation is not unusual for its stage of development.

Going forward, Microsoft might do as it typically does and make only modest, incremental improvements to SAC when it is "released to stable." That means security enthusiasts will be disappointed and those that don't know any better will just tilt and scratch their heads. A number of years down the line Microsoft will stop development of SAC. I doubt Microsoft will throw "all-in" on SAC and try to make it a highly refined and polished security feature - and the reason for that doubt is the target market = consumers and small businesses.
Click to expand...

Makes sense, I guess. But if that's the case why include it with something that's available on Windows update, non-insider build, for home users?
 
  • Like
Reactions: [correlate]
n8chavez said:
Makes sense, I guess. But if that's the case why include it with something that's available on Windows update, non-insider build, for home users?
Click to expand...
It is not yet available via Windows Update; it is only tentatively scheduled for release. And knowing how Microsoft does things, it will likely include SAC with basic improvements in that forthcoming W11 22H2 release, but SAC will still be a work-in-progress product with limited features, bugs and who-knows-what-blemishes. More than a few will decry SAC as half-baked in its current state, if not unusable.

Who knows, Microsoft could pull SAC from the release or just release it in its current state. One never knows what the Big M will do. I do know they are hyping SAC a bit, so it will be picked-apart and serious flaws will get lambasted in the security news community.

Disappointment with Windows is first and foremost directly proportional to one's expectations; if you expect Microsoft to pump out a refined & polished feature, then you're very likely to be disappointed.

I'll be properly ecstatic if SAC works - and Microsoft designs SAC to block files and processes from USB FAT drives and network area storage. My instinct tells me SAC is gonna follow the absurd Mark-of-the-Web (MotW) system of automatically allowing files from such drives.
 
Last edited by a moderator:
  • Like
Reactions: [correlate]
Furyo said:
It is not yet available via Windows Update; it is only tentatively scheduled for release. And knowing how Microsoft does things, it will likely include SAC with basic improvements in that forthcoming W11 22H2 release, but SAC will still be a work-in-progress product with limited features, bugs and who-knows-what-blemishes. More than a few will decry SAC as half-baked in its current state, if not unusable.

Who knows, Microsoft could pull SAC from the release or just release it in its current state. One never knows what the Big M will do. I do know they are hyping SAC a bit, so it will be picked-apart and serious flaws will get lambasted in the security news community.

Disappointment with Windows is first and foremost directly proportional to one's expectations; if you expect Microsoft to pump out a refined & polished feature, then you're very likely to be disappointed.

I'll be properly ecstatic if SAC works - and Microsoft designs SAC to block files and processes from USB FAT drives and network area storage. My instinct tells me SAC is gonna follow the absurd Mark-of-the-Web (MotW) system of automatically allowing files from such drives.
Click to expand...

Really? I grabbed it from Update this morning.
 
  • Like
Reactions: [correlate]

You may also like...