New Update Smart App Control - Windows 11 22H2 feature promises significant protection from malware

[ForgottenSeer 95367]

Really? I grabbed it from Update this morning.

It's an optional update. The update you applied is not a general available (GA) release. Microsoft warns that these optional updates should not be installed on production even though they make them available via Windows Update.

I checked both my W11 Windows Updates and the update that includes SAC is not available; SAC install and activation (only in evaluation mode; not fully functional) requires a clean install of W11 or a clean reset (for my systems at least).

Optional Windows updates are always full of incomplete, unfinished business, especially in the area of security features. Heck, a significant portion of a stable release is not perfected, problem-free, without-issue code.

When it comes to Microsoft, it doesn't matter what users expect or demand. The Big M develops, corrects and releases according to its own whims, and not that of user expectations. That is how Microsoft has always operated. It has complete control over its market and therefore is not influenced much by user sentiment or wishes.

NOTE: If you have to select "Download & Install" an update listed in Windows Update, then that update is an optional update at various stages of development and build-out. Items are expected to be problematic.

 

[brambedkar59]

I read a post where the user has had SAC enabled for 3 months and it's been in evaluation mode the whole time.

I clean installed Win 11 22H2 on first week of July and SAC has been in evaluation mode ever since. With no way to whitelist stuff I wouldn't even consider turning it ON though.

 

[ForgottenSeer 95367]

I clean installed Win 11 22H2 on first week of July and SAC has been in evaluation mode ever since. With no way to whitelist stuff I wouldn't even consider turning it ON though.

That's how Microsoft wants it for the time being, to collect huge amounts of SAC telemetry while running in evaluation mode so that it can study the operational ecosystem from the collected logs and thereby refine SAC policy for a balance between usability and security. They are not doing anything unusual by releasing SAC with only evaluation mode available at this time as SAC is still early in development.

 

[harlan4096]

Kaspersky Security Cloud Free 2019 - Tweaks BTW, MT has a search function.

These tweaks are not default-deny ones, since K. Free product can't have default-deny because no Application Control/Intrusion Prevention module on it.

Here, at the end of the post (additional changes steps) You can get the default-deny settings: KIS/KTS/KSC Cloud - Implementing Protected Folders via Manage Resources

 

[oldschool]

@Scirious

These tweaks are no default-deny ones, since K. Free product can't have default-deny because no Application Control/Intrusion Prevention module on it.

Here, at the end of the post (additional changes steps)You can get the default-deny settings: KIS/KTS/KSC Cloud - Implementing Protected Folders via Manage Resources

 

[pxxb1]

The security idea is almost the same. But, there are many important differences on the technical level.
The H_C and SAC are also differently integrated with Windows. Furthermore, the classic SRP used by H_C does not work on Windows 11 with the newest update. I am not sure if this is a bug or if finally, Microsoft decided to replace the classic SRP with SAC on Windows 11.
So, home users that prefer Windows built-in features can use H_C on Windows 10 (and prior versions) and SAC on Windows 11. Others can use tweaked Comodo, tweaked Kaspersky, etc. for a similar type of protection.

So H_C does not work anymore even though one update to 22H2 instead of fresh install W11 as Ms say is necessary to get the SAP function?

 

[ForgottenSeer 95367]

So H_C does not work anymore even though one update to 22H2 instead of fresh install W11 as Ms say is necessary to get the SAP function?

There are two possibilities. Some aspects of Microsoft SRP might not work temporarily until Microsoft sorts out its security stack problems in W11 22H2 or Microsoft is beginning a permanent ditch of SRP in 22H2 (virtually improbable).

Remember, H_C is merely a front-end for native Windows security. What is "broken" is not H_C but the underlying Microsoft feature, and we don't know if the break is just a bug, other technical issue or done purposefully. H_C is merely "exposing" a problem of which we do not have the full details or any explanation from Microsoft.

 

[Andy Ful]

So H_C does not work anymore even though one update to 22H2 instead of fresh install W11 as Ms say is necessary to get the SAP function?

Hmm.
I really do not know. I cannot test this on my machines. If anyone has made the update (instead of the fresh installation), then please let me know. I did not find any official information about this issue. I reported it to Microsoft some time ago via the Insider channel.

 

[Andy Ful]

The main problem for SAC is blocking untrusted DLLs. This is a very strong security feature, but it is also the most problematic one. Many developers used to sign the .exe files, but not all DLLs loaded by the applications. These DLLs can be for example unsigned open source libraries. The application installation/update can be allowed by SAC, but the application can crash or work as non-functional, due to blocking some unsigned DLLs.
I have seen such behavior when testing SAC and WDAC (with ISG).

 

[ForgottenSeer 95367]

blocking untrusted DLLs

Notwithstanding the real mess of blocking DLLs, the overhead of monitoring DLL loading causes a Windows performance reduction. It is noticeable when using DLL rules in AppLocker.

 

[Andy Ful]

Notwithstanding the real mess of blocking DLLs, the overhead of monitoring DLL loading causes a Windows performance reduction. It is noticeable when using DLL rules in AppLocker.

This issue is less visible on modern computers (SSD and a lot of RAM).

 

[Local Host]

This issue is less visible on modern computers (SSD and a lot of RAM).

That's the excuse lazy developers use to not optimize their code, is why despite having faster computers, software is still slow.

Plus I doubt Microsoft will go that way, considering their target market is companies, and they use ancient computers.

 

[ForgottenSeer 95367]

considering their target market is companies, and they use ancient computers.

Microsoft is marketing Smart Application Control to consumers and small businesses. It expects companies to not use SAC, but WDAC instead.

Half the world still uses ancient computers, regardless of the market demographics to which it belongs.

That's the excuse lazy developers use to not optimize their code, is why despite having faster computers, software is still slow.

Yes. That's just how it is. Nobody wants to expense refactoring and optimization because faster code does not yield meaningfully increased profit. The expense-profit equation does not favor optimization, particularly on systems running on an HDD.

The world gobbles up all the sloppy unwieldy code that publishers supply to it, and keeps on asking for more of the garbage.

 

[pxxb1]

Hmm.
I really do not know. I cannot test this on my machines. If anyone has made the update (instead of the fresh installation), then please let me know. I did not find any official information about this issue. I reported it to Microsoft some time ago via the Insider channel.

Ok.
So how is the future looking for H_C in relation to W11 and 10?

 

[ForgottenSeer 95367]

Ok.
So how is the future looking for H_C in relation to W11 and 10?

Don't know with absolute certainty until Microsoft makes changes in 22H2 more clear. Like said earlier, we don't know if bugs, other technical issues or deliberate changes are being made and the cause of any alleged breakages.

Just have to wait-and-see.

 

[motox781]

Any tips to enable Smart App Control without a clean re-install?

I just setup this new PC and don't feel like going through the hassle of doing it all over.

 

[oldschool]

Any tips to enable Smart App Control without a clean re-install?

I just setup this new PC and don't feel like going through the hassle of doing it all over.

My only advice is not to bother with SAC since it's clearly undeveloped, basically a beta M$ has rolled out and 'enabled' for further testing. Enabling it will only lead to frustration in the end.

Best to stick with what you know works.

 

[ForgottenSeer 95367]

My only advice is not to bother with SAC since it's clearly undeveloped, basically a beta M$ has rolled out and 'enabled' for further testing.

Is the boredom and paranoia so great in userland that people are compelled to mess with alpha\early beta features? Or do they just not understand that anything shipped via Windows Update is a mish-mash of code ranging from completely unfinished to barely usable to ready-for-test to high-level refinements?

It's prescient to keep one's hands off SAC until much further down the line. One would think that people would pick-up that Microsoft is obviously making SAC deliberately vague, cumbersome, problematic to install and activate - and very specifically limited because, the SAC policies, at the very least, are not ready for prime-time.

 

[Andy Ful]

Ok.
So how is the future looking for H_C in relation to W11 and 10?

Microsoft announced that SAC will not be implemented on Windows 10. So, H_C can be still an option for Windows 10. The situation on Windows 11 is currently unclear.

 

[WhiteMouse]

I reinstalled my Windows yesterday. When I installed my first application, SAC blocked a DLL and app failed to install . I decided to reinstall Windows again but this time I left SAC at evaluation mode. After I reinstalled about 15 applications (took me a full day), SAC automatically turned off itself . In the end, I just made my own WDAC policy and not worry about SAC blocks random file anymore.