New Update Smart App Control - Windows 11 22H2 feature promises significant protection from malware

ForgottenSeer 95367

Really? I grabbed it from Update this morning.
It's an optional update. The update you applied is not a generally available (GA) release. Microsoft warns that these optional updates should not be installed on production systems, even though they are made available via Windows Update.

I checked both my W11 Windows Updates and the update that includes SAC is not available; SAC install and activation (only in evaluation mode; not fully functional) requires a clean install of W11 or a clean reset (for my systems at least).

Optional Windows updates are always full of incomplete, unfinished business, especially in the area of security features. Heck, a significant portion of a stable release is not perfected, problem-free, without-issue code.

When it comes to Microsoft, it doesn't matter what users expect or demand. The Big M develops, corrects and releases according to its own whims, and not that of user expectations. That is how Microsoft has always operated. It has complete control over its market and therefore is not influenced much by user sentiment or wishes.

NOTE: If you have to select "Download & Install" on an update listed in Windows Update, then that update is an optional update at various stages of development and build-out. Items are expected to be problematic.

brambedkar59

I read a post where the user has had SAC enabled for 3 months and it's been in evaluation mode the whole time.
I clean installed Win 11 22H2 on first week of July and SAC has been in evaluation mode ever since. With no way to whitelist stuff I wouldn't even consider turning it ON though.

ForgottenSeer 95367

I clean installed Win 11 22H2 on first week of July and SAC has been in evaluation mode ever since. With no way to whitelist stuff I wouldn't even consider turning it ON though.
That's how Microsoft wants it for the time being, to collect huge amounts of SAC telemetry while running in evaluation mode so that it can study the operational ecosystem from the collected logs and thereby refine SAC policy for a balance between usability and security. They are not doing anything unusual by releasing SAC with only evaluation mode available at this time as SAC is still early in development.

pxxb1

The security idea is almost the same. But, there are many important differences on the technical level.
H_C and SAC are also integrated with Windows differently. Furthermore, the classic SRP used by H_C does not work on Windows 11 with the newest update. I am not sure if this is a bug or if Microsoft has finally decided to replace the classic SRP with SAC on Windows 11.
So, home users that prefer Windows built-in features can use H_C on Windows 10 (and prior versions) and SAC on Windows 11. Others can use tweaked Comodo, tweaked Kaspersky, etc. for a similar type of protection.

So H_C does not work anymore even if one updates to 22H2 instead of doing a fresh install of W11, which MS says is necessary to get the SAC function?

ForgottenSeer 95367

So H_C does not work anymore even if one updates to 22H2 instead of doing a fresh install of W11, which MS says is necessary to get the SAC function?
There are two possibilities. Some aspects of Microsoft SRP might not work temporarily until Microsoft sorts out its security stack problems in W11 22H2, or Microsoft is beginning a permanent ditching of SRP in 22H2 (virtually improbable).

Remember, H_C is merely a front-end for native Windows security. What is "broken" is not H_C but the underlying Microsoft feature, and we don't know if the break is just a bug, other technical issue or done purposefully. H_C is merely "exposing" a problem of which we do not have the full details or any explanation from Microsoft.
Andy Ful

From Hard_Configurator Tools
Thread author
So H_C does not work anymore even if one updates to 22H2 instead of doing a fresh install of W11, which MS says is necessary to get the SAC function?
Hmm. :unsure:
I really do not know. I cannot test this on my machines. If anyone has made the update (instead of the fresh installation), then please let me know. I did not find any official information about this issue. I reported it to Microsoft some time ago via the Insider channel.
Andy Ful
The main problem for SAC is blocking untrusted DLLs. This is a very strong security feature, but it is also the most problematic one. Many developers sign the .exe files but not all the DLLs loaded by the application. These DLLs can be, for example, unsigned open-source libraries. The application installation/update can be allowed by SAC, but the application can then crash or be non-functional due to some unsigned DLLs being blocked.
I have seen such behavior when testing SAC and WDAC (with ISG).
 
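The DLL-blocking behaviour described above is visible in the Code Integrity event log, which is the quickest way to find out which unsigned DLL an application tripped over before deciding whether SAC is usable on a given machine. The following is an added example and not code from the thread or from the Hard_Configurator project. It assumes the SAC state is stored in the value `VerifiedAndReputablePolicyState` under `HKLM\SYSTEM\CurrentControlSet\Control\CI\Policy` (0 = Off, 1 = On, 2 = Evaluation), that SAC/WDAC decisions land in `Microsoft-Windows-CodeIntegrity/Operational` as event 3076 (audit, "would have been blocked") and 3077 (blocked), and that those events carry `File Name` and `Process Name` data fields; check the field names on your build if the table comes back empty. Run it from an elevated PowerShell on Windows 11 22H2.

```powershell
# Added example: report Smart App Control state and the DLLs that Code Integrity
# audited or blocked in the last few days. Value names, event IDs and event data
# field names are assumptions documented in the lead-in; adjust if your build differs.

function Get-SacState {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy'
    $item = Get-ItemProperty -Path $key -Name VerifiedAndReputablePolicyState -ErrorAction SilentlyContinue
    switch ($item.VerifiedAndReputablePolicyState) {
        0       { 'Off' }
        1       { 'On' }
        2       { 'Evaluation' }
        default { 'Not present (SAC not available on this install)' }
    }
}

function Get-CiDllEvents {
    param(
        [int]$Days = 7,          # how far back to look
        [int]$MaxEvents = 500    # cap on events pulled from the log
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3076, 3077   # 3076 = audit (would block), 3077 = enforced block
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Action  = if ($_.Id -eq 3077) { 'Blocked' } else { 'Audited' }
                File    = $data['File Name']
                Process = $data['Process Name']
            }
        } |
        Where-Object { $_.File -match '\.dll$' } |   # only the DLL loads, the case the post describes
        Sort-Object Time -Descending
}

# Usage: which mode are we in, and which DLLs did which process fail to load?
"Smart App Control state: $(Get-SacState)"
Get-CiDllEvents | Format-Table Time, Action, Process, File -AutoSize

# Same data grouped per DLL, to spot the one library an app keeps tripping on.
Get-CiDllEvents | Group-Object File | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

In evaluation mode you should see only 3076 entries; once SAC is on, a 3077 entry for a DLL inside an application's own folder is the symptom the post describes, and the `Process` column tells you which signed application tried to load it.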

Andy Ful
Notwithstanding the real mess of blocking DLLs, the overhead of monitoring DLL loading causes a reduction in Windows performance. It is noticeable when using DLL rules in AppLocker.
This issue is less visible on modern computers (SSD and a lot of RAM).
Local Host

This issue is less visible on modern computers (SSD and a lot of RAM).
That's the excuse lazy developers use to not optimize their code, which is why, despite having faster computers, software is still slow.

Plus I doubt Microsoft will go that way, considering their target market is companies, and they use ancient computers.
ForgottenSeer 95367

considering their target market is companies, and they use ancient computers.
Microsoft is marketing Smart Application Control to consumers and small businesses. It expects companies to not use SAC, but WDAC instead.

Half the world still uses ancient computers, regardless of the market demographics to which it belongs.

That's the excuse lazy developers use to not optimize their code, is why despite having faster computers, software is still slow.
Yes. That's just how it is. Nobody wants to pay for refactoring and optimization because faster code does not yield meaningfully increased profit. The expense-profit equation does not favor optimization, particularly on systems running on an HDD.

The world gobbles up all the sloppy unwieldy code that publishers supply to it, and keeps on asking for more of the garbage.

pxxb1

Hmm. :unsure:
I really do not know. I cannot test this on my machines. If anyone has made the update (instead of the fresh installation), then please let me know. I did not find any official information about this issue. I reported it to Microsoft some time ago via the Insider channel.

Ok.
So how is the future looking for H_C in relation to W11 and 10?
ForgottenSeer 95367

Ok.
So how is the future looking for H_C in relation to W11 and 10?
Don't know with absolute certainty until Microsoft makes the changes in 22H2 clearer. As said earlier, we don't know whether bugs, other technical issues or deliberate changes are the cause of any alleged breakages.

Just have to wait-and-see.

motox781

Any tips to enable Smart App Control without a clean re-install?

I just setup this new PC and don't feel like going through the hassle of doing it all over.

[attached screenshot: sac.jpg]

oldschool

Any tips to enable Smart App Control without a clean re-install?

I just setup this new PC and don't feel like going through the hassle of doing it all over.
My only advice is not to bother with SAC since it's clearly undeveloped, basically a beta M$ has rolled out and 'enabled' for further testing. Enabling it will only lead to frustration in the end.

Best to stick with what you know works.
ForgottenSeer 95367

My only advice is not to bother with SAC since it's clearly undeveloped, basically a beta M$ has rolled out and 'enabled' for further testing.
Is the boredom and paranoia so great in userland that people are compelled to mess with alpha/early beta features? Or do they just not understand that anything shipped via Windows Update is a mish-mash of code ranging from completely unfinished to barely usable to ready-for-test to high-level refinements?

It's prudent to keep one's hands off SAC until much further down the line. One would think that people would pick up that Microsoft is obviously making SAC deliberately vague, cumbersome, problematic to install and activate, and very specifically limited because the SAC policies, at the very least, are not ready for prime time.

Andy Ful

Ok.
So how is the future looking for H_C in relation to W11 and 10?
Microsoft announced that SAC will not be implemented on Windows 10. So, H_C can be still an option for Windows 10. The situation on Windows 11 is currently unclear.

WhiteMouse

I reinstalled my Windows yesterday. When I installed my first application, SAC blocked a DLL and the app failed to install :mad: . I decided to reinstall Windows again, but this time I left SAC in evaluation mode. After I reinstalled about 15 applications (it took me a full day), SAC automatically turned itself off :rolleyes: . In the end, I just made my own WDAC policy and no longer worry about SAC blocking random files.
 
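WhiteMouse's way out, a self-made WDAC policy, is worth spelling out because it addresses the two complaints in this thread at once: you control the allow list (unlike SAC, which cannot be whitelisted), and you can start in audit mode so an unsigned DLL only logs an event instead of breaking the installer. The following is an added example, not WhiteMouse's actual policy or anything from the Hard_Configurator project. It uses the ConfigCI cmdlets that ship with Windows (`New-CIPolicy`, `Set-RuleOption`, `ConvertFrom-CIPolicy`) and the `CiTool` utility present on Windows 11 22H2; the working folder `C:\WDAC` and the scan paths are placeholders for wherever your software is installed. Run it elevated, and keep option 3 (audit mode) until the 3076 events in the Code Integrity log stop showing files you actually want.

```powershell
# Added example: build and stage a per-machine WDAC policy in audit mode from the
# software already on disk. Folder names are assumptions; change ScanPath to suit.

$work = 'C:\WDAC'                                   # assumption: scratch folder for policy files
$xml  = Join-Path $work 'LocalAllowPolicy.xml'
$bin  = Join-Path $work 'LocalAllowPolicy.cip'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# Scan installed applications. Signed files get Publisher rules, anything unsigned
# (the open-source DLLs the thread talks about) falls back to a Hash rule so it is
# still allowed. -UserPEs is what makes the policy cover user-mode EXEs and DLLs.
New-CIPolicy -FilePath $xml `
             -Level Publisher -Fallback Hash `
             -ScanPath 'C:\Program Files', 'C:\Program Files (x86)' `
             -UserPEs -MultiplePolicyFormat

# Rule options (numbers are the documented ConfigCI option IDs):
#  3  Enabled:Audit Mode                         log instead of block while tuning
#  6  Enabled:Unsigned System Integrity Policy   no code-signing cert needed to deploy
#  14 Enabled:Intelligent Security Graph Auth.   reputation fallback, the same signal SAC uses
#  16 Enabled:Update Policy No Reboot            let CiTool refresh without restarting
foreach ($opt in 3, 6, 14, 16) { Set-RuleOption -FilePath $xml -Option $opt }

# Compile the XML to the binary form Code Integrity loads and apply it.
ConvertFrom-CIPolicy -XmlFilePath $xml -BinaryFilePath $bin
citool.exe --update-policy $bin

# Once the CodeIntegrity/Operational log shows no unwanted 3076 (audit) events,
# drop audit mode, recompile and re-apply; 3076 entries then become 3077 blocks.
# Set-RuleOption -FilePath $xml -Option 3 -Delete
# ConvertFrom-CIPolicy -XmlFilePath $xml -BinaryFilePath $bin
# citool.exe --update-policy $bin
```

Option 14 (ISG) is the piece that makes this behave like SAC for software you install later: reputable signed files are allowed on reputation, and anything the scan missed shows up as an audit event you can turn into a Hash or Publisher rule with `New-CIPolicyRule` and `Merge-CIPolicy` instead of reinstalling Windows.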