New Update Smart App Control - Windows 11 22H2 feature promises significant protection from malware

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,542
I am curious how it will work in practice. :)


It will probably use Microsoft ISG, so many false positives are expected. Anyway, it can be a solution for children and happy clickers.
 

Andy Ful


How does Smart App Control work?

When you try to run an app on Windows, Smart App Control will check to see if our intelligent cloud-powered security service can make a confident prediction about its safety. If the service believes the app to be safe, Smart App Control will let it run. If the app is believed to be malicious or potentially unwanted, then Smart App Control will block it.

If the security service is unable to make a confident prediction about the app, then Smart App Control checks to see if the app has a valid signature. If the app has a valid signature, Smart App Control will let it run. If the app is unsigned, or the signature is invalid, Smart App Control will consider it untrusted and block it for your protection.

--------------------------------

“This feature creates an AI model using intelligence, based on the 43 trillion security signals gathered daily, to predict if an app is safe,” explained David Weston, Vice President, Enterprise and Operating System Security. “Windows 11 uses the power of AI to generate a continually updated app control policy which allows common and known safe apps to run while blocking unknown apps often associated with new malware.”

--------------------------------
...
So, when users get an application that millions of others are using -- regardless of whether it's from the Store or a website -- it will "work like normal," Weston said. But if someone sends an application as an attachment that they recently generated to bypass antivirus protection, that won't run because it's not on the allow-list.

"Most of the applications we use today are used by millions of other people. Most malware is seen on only a couple of machines. We plumbed into the core of the operating system [with] this enforcement mechanism. Prior to Windows 11 22H2, this was a policy you had to write up yourself in an XML file. You can imagine, that's pretty tricky in the enterprise knowing which applications everyone needs to run," Weston said.

Windows 11 22H2 also blocks "most of the script vectors from the internet." It's partly informed by the Office team's decision to block untrusted macros from the internet by default.

"Windows 11 22H2 took that idea further. We said no PowerShell, no LNK files, no Visual Basic from the internet. Anyone with an eye on the threat landscape knows that these are some of the favorites. Windows 11 in Smart App Control mode blocks those threats," he said.

Microsoft will roll out the security feature gradually to users. There will be a one-click option for users to leave Smart App Control, which requires a reboot to exit it. Over time Microsoft will release more granular policies, for example, to enable a nominated app to run while the feature has otherwise been enabled.
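The two-stage decision described above (cloud verdict first, signature check only as the fallback) plus the outright block on PowerShell, LNK and Visual Basic files from the internet can be approximated locally for a folder of downloads. The following PowerShell script is an added example, not code from the thread or from Microsoft; it assumes the documented SAC state registry value VerifiedAndReputablePolicyState, reads Mark-of-the-Web from the Zone.Identifier stream, maps the named script types to the .ps1, .lnk and .vbs extensions, and uses Get-AuthenticodeSignature for the signature half, since the cloud verdict cannot be queried offline.

```powershell
# Added example (not from the thread or Microsoft): show the local SAC state and
# predict, for each file in a folder, which branch of SAC's decision it would hit
# if the cloud service has no confident verdict. Assumptions: SAC state is the
# documented registry value VerifiedAndReputablePolicyState (0 off, 1 on, 2 eval);
# Mark-of-the-Web is the Zone.Identifier stream with ZoneId=3; the script types
# named in the article map to .ps1, .lnk and .vbs (our assumption).
param([string]$Path = "$env:USERPROFILE\Downloads")

$sacKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy'
$state  = (Get-ItemProperty -Path $sacKey -Name VerifiedAndReputablePolicyState `
            -ErrorAction SilentlyContinue).VerifiedAndReputablePolicyState
$stateText = switch ($state) {
    0       { 'Off' }
    1       { 'On (enforcing)' }
    2       { 'Evaluation mode' }
    default { 'not present (pre-22H2 build or unsupported)' }
}
Write-Host "Smart App Control state: $stateText"

# Script and shortcut types the article says SAC blocks outright when they
# arrive from the internet (PowerShell, LNK, Visual Basic).
$blockedFromInternet = @('.ps1', '.lnk', '.vbs')

function Test-MotW([string]$FilePath) {
    # A downloaded file carries a Zone.Identifier ADS containing "ZoneId=3".
    try {
        $ads = Get-Content -LiteralPath $FilePath -Stream Zone.Identifier -ErrorAction Stop
        return [bool]($ads -match '^ZoneId=3')
    } catch { return $false }
}

Get-ChildItem -LiteralPath $Path -File | ForEach-Object {
    $fromInternet = Test-MotW $_.FullName
    # Second stage of SAC: a valid Authenticode signature lets an unknown file run.
    $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
    $outcome = if ($fromInternet -and $blockedFromInternet -contains $_.Extension.ToLower()) {
        'Block: script/shortcut from the internet'
    } elseif ($sig.Status -eq 'Valid') {
        'Allow if cloud is unsure: valid signature'
    } else {
        'Block if cloud is unsure: unsigned or invalid signature'
    }
    [pscustomobject]@{
        Name      = $_.Name
        MotW      = $fromInternet
        Signature = $sig.Status
        Outcome   = $outcome
    }
} | Format-Table -AutoSize
```

The registry value is read-only for reporting; it does not turn SAC on or off, which matches the thread's observation that SAC can only be enabled on a fresh or reset installation.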

ForgottenSeer 95367

"We (MICROSOFT) said no PowerShell, no LNK files, no Visual Basic from the internet. Anyone with an eye on the threat landscape knows that these are some of the favorites. Windows 11 in Smart App Control mode blocks those threats," he said.
Microsoft implementing highest-level security by blocking at the application and technique levels.
The Microsoft AI security model blocking by process and file type.


> I think I have seen this functionality in other software. Not a criticism but, would it be a copy of Kaspersky's application control and maybe OSarmor as well? 🤔
By the time Microsoft markets something, it has been working on it behind the scenes for years and it has been silently shipped, partially completed in Windows images without you knowing it. Smart App Control is not a rip-off of Kaspersky KSN nor Application Control. Both use stochastics and other statistical (incidence) methods.

Andy Ful

> I think I have seen this functionality in other software. Not a criticism but, would it be a copy of Kaspersky's application control and maybe OSarmor as well? 🤔
It is an important enhancement of the well-known Windows built-in features (SRP + SmartScreen). The idea of SRP was started in the era of Windows XP and was continued/enhanced via AppLocker and WDAC (MDAC). SmartScreen was introduced with Windows 8.
A similar approach was implemented many years ago in the Comodo AV, except that untrusted files were not blocked but contained in the Sandbox. I am not sure when this idea was implemented in Kaspersky products, but this is also a very comprehensive smart-default-deny (advanced tweaks are required).
Several years ago I made Hard_Configurator for home users, which is a realization of the same idea as Smart App Control (I took the idea from Comodo and used SRP+SmartScreen).

If I correctly recall, OSArmor does not use file reputation lookup. If so, then it is another kind of security.

pxxb1

Level 10
Verified
Well-known
Jan 17, 2018
480
> It is an important enhancement of the well-known Windows built-in features (SRP + SmartScreen). The idea of SRP was started in the era of Windows XP and was continued/enhanced via AppLocker and WDAC (MDAC). SmartScreen was introduced with Windows 8.
> A similar approach was implemented many years ago in the Comodo AV, except that untrusted files were not blocked but contained in the Sandbox. I am not sure when this idea was implemented in Kaspersky products, but this is also a very comprehensive smart-default-deny.
> Several years ago I made Hard_Configurator for home users, which is a realization of the same idea as Smart App Control (I took the idea from Comodo and used SRP+SmartScreen).
>
> If I correctly recall, OSArmor does not use file reputation lookup. If so, then it is another kind of security.

So for H_C users, the Smart App Control does not do anything new?

Andy Ful

> So for H_C users, the Smart App Control does not do anything new?
The security idea is almost the same. But, there are many important differences on the technical level.
The H_C and SAC are also differently integrated with Windows. Furthermore, the classic SRP used by H_C does not work on Windows 11 with the newest update. I am not sure if this is a bug or if finally, Microsoft decided to replace the classic SRP with SAC on Windows 11.
So, home users that prefer Windows built-in features can use H_C on Windows 10 (and prior versions) and SAC on Windows 11. Others can use tweaked Comodo, tweaked Kaspersky, etc. for a similar type of protection.

ForgottenSeer 95367

"Smart App Control is aimed at Windows 11 for consumers and small businesses."

"(Smart App Control) It will be on by default for Windows 11 in enterprises, but Microsoft doesn't expect them to deploy it because many enterprise have their line of business apps. Microsoft expects them to use Windows Defender Application Control instead, Weston said."

"(Smart) application control relies on artificial intelligence to define the allow-list. Microsoft tried an allow-list approach in locked-down Windows 10 S in "tens of millions of devices" and saw "no malware" on them thanks to it, says Weston."

"Smart App Control relies on the same Windows features (e.g. SRP) as Windows Defender Application Control, which allows policies to be manually defined." As Microsoft noted, WDAC is SRP.

Windows 11 22H2: These are the big new security features

The new Config Lock should also be welcomed by admins.

ForgottenSeer 95367

> classic SRP
SRP is a security method, but Microsoft uses the term SRP interchangeably to refer to both the method and its own implementation of SRP (with its own feature set as opposed to other SRP implementations such as Comodo, Kaspersky, Symantec).

As Microsoft personnel have stated over the years, AppLocker, WDAC\MDAC, and Group Policy are SRP.

RoboMan

Level 35
Verified
Top Poster
Content Creator
Well-known
Jun 24, 2016
2,487
My goodness, this is seriously some good news. Actually worth posting back in MalwareTips after being in the shadows since like forever.

Once this is live and working fine (talking about both the module and the Windows version), I might switch to Windows 11. This makes it worth it IMO. :cool:

ForgottenSeer 95367

> My goodness, this is seriously some good news. Actually worth posting back in MalwareTips after being in the shadows since like forever.
>
> Once this is live and working fine (talking about both the module and the Windows version), I might switch to Windows 11. This makes it worth it IMO. :cool:
Microsoft probably will not implement Smart App Control to its fullest possible extent (such as it did with Windows 10 S, which was superb security) for consumers and small businesses. It knows that it can't block too much, otherwise there will be consumer backlash. After all, Windows is nothing but a conduit to supply profitable media to consumers. More money to be made (by orders of magnitude) selling entertaining stuff to consumers than protecting them for, basically, free or very little cost to them. But I would expect there to be tweaks or manual configuration (e.g. SAC XML) possible for those users inclined to enforce the highest possible security using SAC. Yet it remains a guessing game. We're dealing with Microsoft, where features come and go, some stick, some fade away (remember Desired State Configuration?). It's anybody's guess.

We already know that users are screaming for a way to whitelist programs and files in Smart App Control as they see fit (look at the SAC feature requests submitted to Windows Insiders) - because SAC is blocking stuff that those users shouldn't be doing or using. So the cracks created in security by users themselves are already afoot where SAC is concerned.

Microsoft has been telling developers for a while that SAC might block their unsigned programs, and the only workaround Microsoft is willing to provide is for the developer to purchase and apply a digital certificate. Microsoft has postured and drawn such lines in the sand before, only to relent every single time once the backlash reached enough of a threshold.

For those intent on implementing mighty security, Microsoft will leave the manual methods of AppLocker, Group Policy, MDAC\WDAC and SRP. Since enterprise is so dependent upon these, and the fact that Windows is a unified OS image, we can expect these to be shipped by Microsoft for a long, long time.

n8chavez

Level 20
Well-known
Feb 26, 2021
961
As nice as this sounds, it's supremely dumb that you cannot turn it on unless your system is brand new or has just been reset. That tells me a lot more about it. I guess their "evaluation" mode cannot be trusted.

ForgottenSeer 95367

> As nice as this sounds, it's supremely dumb that you cannot turn it on unless your system is brand new or has just been reset. That tells me a lot more about it. I guess their "evaluation" mode cannot be trusted.
SAC is still in alpha\early beta testing in the Windows Insider Program. It is not yet a general availability (GA) = stable release. The quirky install requirement for SAC activation is not unusual for its stage of development.

Going forward, Microsoft might do as it typically does and make only modest, incremental improvements to SAC when it is "released to stable." That means security enthusiasts will be disappointed and those that don't know any better will just tilt and scratch their heads. A number of years down the line Microsoft will stop development of SAC. I doubt Microsoft will throw "all-in" on SAC and try to make it a highly refined and polished security feature - and the reason for that doubt is the target market for SAC = consumers and small businesses. For Microsoft that market segment is its least profitable and relegated to a "best effort."

n8chavez

> SAC is still in alpha\early beta testing in the Windows Insider Program. It is not yet a general availability (GA) = stable release. The quirky install requirement for SAC activation is not unusual for its stage of development.
>
> Going forward, Microsoft might do as it typically does and make only modest, incremental improvements to SAC when it is "released to stable." That means security enthusiasts will be disappointed and those that don't know any better will just tilt and scratch their heads. A number of years down the line Microsoft will stop development of SAC. I doubt Microsoft will throw "all-in" on SAC and try to make it a highly refined and polished security feature - and the reason for that doubt is the target market = consumers and small businesses.

Makes sense, I guess. But if that's the case why include it with something that's available on Windows update, non-insider build, for home users?

ForgottenSeer 95367

> Makes sense, I guess. But if that's the case why include it with something that's available on Windows update, non-insider build, for home users?
It is not yet available via Windows Update; it is only tentatively scheduled for release. And knowing how Microsoft does things, it will likely include SAC with basic improvements in that forthcoming W11 22H2 release, but SAC will still be a work-in-progress product with limited features, bugs and who-knows-what-blemishes. More than a few will decry SAC as half-baked in its current state, if not unusable.

Who knows, Microsoft could pull SAC from the release or just release it in its current state. One never knows what the Big M will do. I do know they are hyping SAC a bit, so it will be picked-apart and serious flaws will get lambasted in the security news community.

Disappointment with Windows is first and foremost directly proportional to one's expectations; if you expect Microsoft to pump out a refined & polished feature, then you're very likely to be disappointed.

I'll be properly ecstatic if SAC works - and Microsoft designs SAC to block files and processes from USB FAT drives and network area storage. My instinct tells me SAC is gonna follow the absurd Mark-of-the-Web (MotW) system of automatically allowing files from such drives.

n8chavez

> It is not yet available via Windows Update; it is only tentatively scheduled for release. And knowing how Microsoft does things, it will likely include SAC with basic improvements in that forthcoming W11 22H2 release, but SAC will still be a work-in-progress product with limited features, bugs and who-knows-what-blemishes. More than a few will decry SAC as half-baked in its current state, if not unusable.
>
> Who knows, Microsoft could pull SAC from the release or just release it in its current state. One never knows what the Big M will do. I do know they are hyping SAC a bit, so it will be picked-apart and serious flaws will get lambasted in the security news community.
>
> Disappointment with Windows is first and foremost directly proportional to one's expectations; if you expect Microsoft to pump out a refined & polished feature, then you're very likely to be disappointed.
>
> I'll be properly ecstatic if SAC works - and Microsoft designs SAC to block files and processes from USB FAT drives and network area storage. My instinct tells me SAC is gonna follow the absurd Mark-of-the-Web (MotW) system of automatically allowing files from such drives.

Really? I grabbed it from Update this morning.