New Update Smart App Control - Windows 11 22H2 feature promises significant protection from malware

[Andy Ful]

That's the excuse lazy developers use to not optimize their code, is why despite having faster computers, software is still slow.

It is not an excuse, but rather an opportunity. Microsoft guys are not altruists. They have no motivation to optimize their code (like most programmers), except when they are forced to do it. I suspect that most of the Windows code is rather poorly optimized. The only motivation for Microsoft is probably the competition in the market and as we know, they do not complain.

Anyway, SAC has got more important issues than impacting the performance of modern computers (Windows 11 is not intended for older machines).

 

[Andy Ful]

Any tips to enable Smart App Control without a clean re-install?

Microsoft clearly stated that it is currently impossible.

 

[ForgottenSeer 95367]

After I reinstalled about 15 applications (took me a full day), SAC automatically turned off itself .

Microsoft might have programmed this released version of SAC to run only for up to 15 application installs. So as not to generate too much telemetry from any single system. We do not know if this is true, but it makes sense.

 

[Andy Ful]

Readers of this thread, please post about the concrete problems related to SAC or refer to articles that can bring here some new information. Some facts are already established:

1. SAC is intended for home users and small businesses on fresh installed Windows 11 (2022 update).
2. For most users, SAC is hardly useful in its current form. Microsoft announced that some new features will be added soon. For now, something like KIS with @harlan4096 settings is a far better option.
3. It can be useful for people who only use popular & digitally signed applications or applications from Microsoft Store.
4. Most problems with SAC will be related to blocking DLLs.
5. It can have an impact on performance. This can happen on computers with HDD (less visible with SSD).
6. SAC starts in the evaluation mode (does not block anything, logs events). If the user installs applications that would be blocked by SAC, then after some time the SAC will be automatically turned off.

 

[wat0114]

Microsoft clearly stated that it is currently impossible.

This seems like such a stupid implementation of this so called security feature:

The way it works is that it needs to be enabled from the moment you install Windows, or you simply can’t use it. As such, if you want to use SAC, you either need to perform a clean install of the Windows 11 2022 Update or reset your PC after installing the update.

Since Smart App Control works mostly in the background, all you can really do is enable or disable it. Once it’s on, you’ll only notice it if it blocks an app you try to run, and that shouldn’t happen very often. If it does, you might need to turn it off so it doesn’t prevent you from getting work done.

How to use Smart App Control in Windows 11

www.xda-developers.com

First they make the user re-install or reset Windows 11 before it can even be activated, then they hamstrung the user by eliminating them from making any kind of informed decisions about which apps to allow and which ones to block. The user can only turn it off to install an app that's getting unjustifiably blocked by SAC.

I get it that's it's some sort of AI-based security feature that we're apparently supposed to trust to know what's best and do all the decision making, but to take the user out that equation except to disable it completely to get an app installed just seems stupid.

Maybe I'm misunderstanding something, but at least that's the impression I'm getting from what I've briefly read about it.

I really miss Applocker available in Windows 7 Ultimate.

 

[Andy Ful]

This seems like such a stupid implementation of this so called security feature:

Yes, it is stupid from our point of view, especially the Microsoft argumentation.
But, it is logical from Microsoft's viewpoint. On most computers, SAC will be automatically turned off after some evaluation period, because most users will not use the applications fully allowed by SAC. It is simpler to throw out such users (to reduce telemetry) and focus on those who do not use problematic applications.

 

[oldschool]

I get it that's it's some sort of AI-based security feature that we're apparently supposed to trust to know what's best and do all the decision making, but to take the user out that equation except to disable it completely to get an app installed just seems stupid.

In part, this is because M$ is targeting the 'average' user so of course they want it to be set-and-forget. Members and lurkers of forums make up only an infinitesimal fraction of users overall.

 

[ForgottenSeer 95367]

Maybe I'm misunderstanding something, but at least that's the impression I'm getting from what I've briefly read about it.

SAC is still alpha\early beta release. In its current state it is obviously not intended for a production system.

I get it that's it's some sort of AI-based security feature that we're apparently supposed to trust to know what's best and do all the decision making,

Microsoft wants SAC to be a broader system-wide implementation of the Windows 10 S Mode security concept (extended to all processes and file types):

Windows 10 and Windows 11 in S mode FAQ - Microsoft Support

Get answers to common questions about Windows 11 and Windows 10 in S mode.

support.microsoft.com

The AI part of that model is the massive sensor array and telemetry, the analysis and classification. The AI part is to tell you what is malicious or potentially malicious (warn). Because Microsoft literally owns the entire Windows ecosystem, SAC is driven by a giant AI-driven file and process reputation system.

SAC target market are those who are not inclined to make decisions and\or create manual allow-block decisions. But whatever solid security SAC would offer will be undone by user demands of full control over SAC and they'll simply turn off SAC and install whatever they wish - no different than current security. Done with security first and foremost, SAC would deliver superb security just like S Mode. But that's not going to happen because of users being users. Microsoft will eventually relent and give-into users. It has already stated it expects those that want best security to utilize MDAC\WDAC (and implicitly GPO, AppLocker, SRP).

In the end, Microsoft will implement SAC in a way that will leave the fringey app installers to their own devices, which is as it should be.

The observed expectations coming from people about this SAC release is rather entertaining. For whatever reason I expected people to know how M$ does it - Microsoft introduces "the next best thing in security" with all of the typical M$ hooplah and poor execution.

 

[wat0114]

But whatever solid security SAC would offer will be undone by user demands of full control over SAC and they'll simply turn off SAC and install whatever they wish - no different than current security.

Which is what makes it mostly stupid, imho. MS could easily add a sort of "Advanced mode" if they wanted to, allowing those users who wish to exercise some granular control over SAC to do so. Who knows, because it is so early in development as you mentioned, maybe this type of option or similar controls will be put in place in mature releases. Hopefuly.

 

[WhiteMouse]

Comodo is much smarter. It automatically trust files created by trusted installers. I used to use both Microsoft ISG and Comodo, had almost no issues with Comodo while Microsoft ISG blocks some safe files when install newly released apps or update an app to a new version.

 

[ForgottenSeer 95367]

Which is what makes it mostly stupid, imho. MS could easily add a sort of "Advanced mode" if they wanted to, allowing those users who wish to exercise some granular control over SAC to do so. Who knows, because it is so early in development as you mentioned, maybe this type of option or similar controls will be put in place in mature releases. Hopefuly.

Users turn off protection all the time when they want the perceived benefits of what they know is risky behavior or programs. It doesn't matter what default-deny they use. They ignore alerts or turn off protection to accomplish what they want.

Windows 10 S Mode delivers superb security because users can't get around it. They can't create over-rides. In short, they couldn't do whatever they wanted. Yet you and I know this type of protection or device only works for users with a certain mentality, attitude and inclination.

I think SAC will ultimately be opt-in for those users who are inclined to lock down their systems. More so for the small businesses that will run Pro editions of Windows (just like S Mode required Pro). For Windows Home, SAC will offer some form of bare minimum boiler-plate protection.

 

[Andy Ful]

Comodo is much smarter. It automatically trust files created by trusted installers. I used to use both Microsoft ISG and Comodo, had almost no issues with Comodo while Microsoft ISG blocks some safe files when install newly released apps or update an app to a new version.

Comodo is much smarter, but trusting files used by trusted installers is an open highway to DLL hijacking. That is why SAC currently does not do it.
Furthermore, I noticed in my tests with SAC that ISG is more restrictive. For example, the H_C installers were allowed by SAC (also by SmartScreen and ASR rules), but still blocked by ISG in WDAC. When using WDAC with ISG, you can still see the SmartScreen alert. On the contrary, when SAC was ON in my tests, I could only see the SAC alert.

 

[Andy Ful]

Which is what makes it mostly stupid, imho. MS could easily add a sort of "Advanced mode" if they wanted to, allowing those users who wish to exercise some granular control over SAC to do so. Who knows, because it is so early in development as you mentioned, maybe this type of option or similar controls will be put in place in mature releases. Hopefuly.

From some articles, it follows that Microsoft thinks about exclusions. The problem is how to introduce this ability for users, but not for the attackers. For now, the attackers cannot turn OFF the SAC even with administrative rights. Of course, the problem of exclusions can be solved by using Defender's Tamper Protection. So, the advanced users could temporarily disable Tamper Protection, add some exclusions, and turn it ON again.
It is possible that Microsoft waits to see how many users can use SAC without exclusions. As was mentioned, many users are infected, because of the exclusions.
Several years ago, Bitdefender tried to forbid exclusions in the free version of AV. But, the users were very unhappy, so finally the exclusions were allowed.

 

[Local Host]

It is not an excuse, but rather an opportunity. Microsoft guys are not altruists. They have no motivation to optimize their code (like most programmers), except when they are forced to do it. I suspect that most of the Windows code is rather poorly optimized. The only motivation for Microsoft is probably the competition in the market and as we know, they do not complain.

Anyway, SAC has got more important issues than impacting the performance of modern computers (Windows 11 is not intended for older machines).

That is false, Microsoft been working hard for years to optimize their Software, and most of the complains come from the Enterprise. They even changed languages and APIs entirely in multiple of their Software over the years exactly for this purpose.

So claiming Microsoft doesn't care about optimization is not true, they haven't even touched Windows requirements since Windows Vista, besides forcing "modern" security features (that have been available for over a decade) on Windows 11.

Same way blaming HDDs for every performance mishap is not smart either, HDDs are not as slow as everyone pictures it, and yes we all aware SSDs are faster, but HDDs are more than enough for Windows 11.

This seems like such a stupid implementation of this so called security feature:

How to use Smart App Control in Windows 11

www.xda-developers.com

First they make the user re-install or reset Windows 11 before it can even be activated, then they hamstrung the user by eliminating them from making any kind of informed decisions about which apps to allow and which ones to block. The user can only turn it off to install an app that's getting unjustifiably blocked by SAC.

I get it that's it's some sort of AI-based security feature that we're apparently supposed to trust to know what's best and do all the decision making, but to take the user out that equation except to disable it completely to get an app installed just seems stupid.

Maybe I'm misunderstanding something, but at least that's the impression I'm getting from what I've briefly read about it.

I really miss Applocker available in Windows 7 Ultimate.

Applocker is still part of Windows and is vastly superior to this trash, which is why Microsoft won't bother to push it on big companies.

Andy is the only person here selling this as the holy grail of security, but is not changing anything in the Windows Ecosystem, especially in its current state.

 

[ForgottenSeer 95367]

From some articles, it follows that Microsoft thinks about exclusions. The problem is how to introduce this ability for users, but not for the attackers. For now, the attackers cannot turn OFF the SAC even with administrative rights. Of course, the problem of exclusions can be solved by using Defender's Tamper Protection. So, the advanced users could temporarily disable Tamper Protection, add some exclusions, and turn it ON again.
It is possible that Microsoft waits to see how many users can use SAC without exclusions. As was mentioned, many users are infected, because of the exclusions.
Several years ago, Bitdefender tried to forbid exclusions in the free version of AV. But, the users were very unhappy, so finally the exclusions were allowed.

Smart Application Control is to prevent:

1. scripting attacks (undoubtedly Microsoft intends that this category also includes Office macros)
2. running untrusted (or unsigned) applications OFTEN ASSOCIATED WITH MALWARE OR ATTACK TOOLS

These are very specific, targeted block choices made by Microsoft that are currently being blocked by default in one form or another. Macros are blocked by Office Trust Center settings while hack tools are detected and blocked by Microsoft Defender.

With SAC it appears that these block choices or "policies" shall be done so under a unified file reputation system pulled from the Windows ecosystem and managed by AI.

• Category 1 will include script and other executable file types with their associated processes (sponsors).
• Category 2 will include hack tools such as, but not limited to, archivers and PSEXEC utility (as a single example). We already know this category can quickly become gargantuan as the AI model fully leverages the Windows ecosystem.

SAC compares favorably to Windows 10\11 S Mode, which is a small allow list\large block list. The SAC block list will end up being larger than KSN.

 

[ForgottenSeer 95367]

Andy is the only person here selling this as the holy grail of security, but is not changing anything in the Windows Ecosystem, especially in its current state.

Andy's posts are just descriptions of how it works. It's just your (incorrect) interpretation that he is "selling [anything at all here at MT] as the holy grail of security."

Your post history reveals a lot about you. Lots of anger, unjustifiably directed at others.

Perhaps you should just ignore @Andy Ful 's posts by blocking them since you have so many problems with them or, better yet, just not participate here at MalwareTips. You bring nothing here to MT except an acrimonious tone and low-brow attacks on well-respected members.

Maybe get out and touch some grass? Rest those fingers by stopping the anger flowing through your keyboard? Be kind to a person in meatspace?

You are definitely a "glass is half-full with concentrated sulfuric acid" type person. The sad part is that you relish that.

 

[Andy Ful]

Andy is the only person here selling this as the holy grail of security, but is not changing anything in the Windows Ecosystem, especially in its current state.

Your post does not deserve any comment. Anyone can read what I think about SAC in its current form:
https://malwaretips.com/threads/sma...t-protection-from-malware.112706/post-1004901

 

[SeriousHoax]

After I reinstalled about 15 applications (took me a full day), SAC automatically turned off itself

Just to give everyone an idea, he's not the only one. I just checked my system, and it happened here for me also. I'm pretty sure last night, before going to bed, I saw it was still in evaluation mode. Today, I installed two games from Steam. Not much of an installation really as the game files were already on my system, but it might have installed some dependencies. Now I see that SAC has auto turned off on my device. So at its current stage, SAC is not viable for most users. So don't reinstall Windows only for SAC.

 

[cruelsister]

As SAC is indeed not viable for most users, one could instead enable Defender for the Cloud lookup and install OSarmor which seems to parallel the basic "protections" afforded by SAC.

 

[ForgottenSeer 95367]

So at its current stage, SAC is not viable for most users. So don't reinstall Windows only for SAC.

People jumped onto the SAC bandwagon without doing their due diligence first (which, for most things newly released by Microsoft via any channels is - don't install it).

It is a newly released feature still in the alpha\early beta stage. Why is everybody trying to use it as production?