New Update Smart App Control - Windows 11 22H2 feature promises significant protection from malware

Shadowra

Level 34
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,303
Why would you test a feature that is basically still at the alpha stage of development?

Because I'm crazy! :D

On a more serious note, I've always loved Microsoft's new features. Of course, I'll give it a little time first; I don't have time to deal with SAC right now.
 

SeriousHoax

Level 47
Verified
Top Poster
Well-known
Mar 16, 2019
3,633
People jumped onto the SAC bandwagon without doing their due diligence first (which, for most things newly released by Microsoft via any channels is - don't install it).

It is a newly released feature still in the alpha/early beta stage. Why is everybody trying to use it as production?
Just to make it clear, I didn't reinstall Windows to get SAC. I always reinstall when a new feature update comes out.
 
ForgottenSeer 95367

Just to make it clear, I didn't reinstall Windows to get SAC. I always reinstall when a new feature update comes out.
You might not have, but it appears others went all-in on alpha SAC. Now they're disappointed.

Mr Makey's First Rule of New Windows Features, Especially Windows Security Features: "Do not install. Do not be the guinea pig. Let others do it. Save yourself a lot of pain. MKAY?"
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,129
Because I'm crazy! :D

On a more serious note, I've always loved Microsoft's new features. Of course, I'll give it a little time first; I don't have time to deal with SAC right now.
Although I agree with @Furyo about SAC, the test would not be a bad idea. But, testing SAC with random malware cannot bring anything interesting. Even Defender on default settings can give a very good result.
When testing EXE or MSI samples, all unknown & unsigned samples are blocked by SAC. So the test should include signed malware (EXE, MSI) and scripting malware. (y)
It would be interesting to compare such results with @askalan's tests on SmartScreen for Explorer (Malware Hub samples). In his tests (no AV only SmartScreen), after a few months of testing (EXE and MSI malware with MOTW), only one sample bypassed SmartScreen and infected the system (another one did not infect the system).
 
Last edited:

ErzCrz

Level 21
Verified
Top Poster
Well-known
Aug 19, 2019
1,020
Good to see that MD is following suit with other default-deny unknowns. Something the likes of Comodo started many years ago and Avast/KIS etc. followed that. Comodo takes a lot of tweaking if you're wanting to set specific rules for applications/vendors, but it is great at just blocking untrusted files, which is why so many people go for the @cruelsister setup. Avast's is a little more user friendly but is a paid feature, or at least it was years ago. Let's hope the development happens quickly.
 
ForgottenSeer 95367

Although I agree with @Furyo about SAC, the test would not be a bad idea. But, testing SAC with random malware cannot bring anything interesting. Even Defender on default settings can give a very good result.
When testing EXE or MSI samples, all unknown & unsigned samples are blocked by SAC. So the test should include signed malware (EXE, MSI) and scripting malware. (y)
The defining feature (and test) of SAC will be the AI-managed reputation allow\block list. That shall be the real test. To see if Microsoft gets it right and makes a true "hands-off" default-deny.

Of course SAC is nowhere near ready for such testing.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,129
As SAC is indeed not viable for most users, one could instead enable Defender for the Cloud lookup and install OSarmor which seems to parallel the basic "protections" afforded by SAC.

Another good (and free) option would be Defender with ASR rules + Comodo Firewall. :)
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,129
... Do not be the guinea pig.

I am afraid that it is kinda true.

SAC comes from WDAC (ISG enabled), and this setup is promoted by Microsoft in businesses for a few years.
Now, Microsoft wants probably to achieve some objectives.
  1. Microsoft says to the customers:
    Hey guys, we offer you modern and very strong protection, but it will work flawlessly with properly signed applications (including DLLs). Please use Microsoft Store and Microsoft software to be sure.
  2. Microsoft says to the software developers:
    Hey guys, please use code signing. If not then your applications will be blocked by SAC. If you are angry, then please submit the applications to Microsoft via the Smart App Control channel - we will check it, and then it can possibly be added to allow list.
A similar campaign was done (with partial success) after introducing SmartScreen for Explorer with Windows 8.
 
Last edited:
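An added example, not posted by anyone in this thread: the two posts above describe SAC blocking unknown and unsigned EXE/MSI files, and SmartScreen acting on files that carry the Mark of the Web (MOTW). Before relying on either, it helps to know which files on a machine are unsigned and which still carry MOTW. This PowerShell script audits a folder (the Downloads folder is an assumed default) for exactly those two properties using the built-in Get-AuthenticodeSignature cmdlet and the Zone.Identifier alternate data stream.

```powershell
# Added example (not from the thread): list executables, installers, DLLs and
# scripts under a folder with their Authenticode status and Mark of the Web.
param(
    [string]$Path = "$env:USERPROFILE\Downloads"   # assumed default folder
)

# File types the thread discusses as SAC/SmartScreen relevant.
$extensions = '*.exe', '*.msi', '*.dll', '*.ps1', '*.js', '*.vbs'

Get-ChildItem -Path $Path -Include $extensions -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Valid = signed and chained to a trusted root; NotSigned = no signature at all.
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName

        # The Zone.Identifier stream holds the Mark of the Web (ZoneId=3 is Internet).
        $zone = Get-Content -Path $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        $zoneId = ($zone | Where-Object { $_ -like 'ZoneId=*' }) -replace 'ZoneId=', ''

        [pscustomobject]@{
            File      = $_.FullName
            Signature = $sig.Status
            Signer    = $sig.SignerCertificate.Subject   # empty when unsigned
            ZoneId    = $zoneId                          # empty when no MOTW
        }
    } | Sort-Object Signature, File | Format-Table -AutoSize
```

A file showing Signature = Valid only tells you the signature chains to a trusted root; SAC's final decision also depends on the cloud reputation lookup, which this script does not query. Files that show Signature = NotSigned together with ZoneId = 3 are the ones both mechanisms in this thread are designed to stop.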
ForgottenSeer 95367

@Andy Ful, I wonder to what extent Intelligence Security Graph (ISG) for WDAC overlaps or is one and the same as "Defender Reputation AI" to be used in Smart Application Control?

Microsoft is surely playing word games for marketing purposes as it normally does - calling the same thing by different names. Also, Microsoft is relabeling old tech (ML analytics) as something new (AI array). Same trickery as "Next Gen" this or that, when in fact, it's just the same thing that has been used for a long time.

After reading this very closely multiple times, I'm convinced of it:


NOTE how Microsoft might try to solve the DLL hell problem...

"If the file with good reputation is an application installer, the installer's reputation will pass along to any files that it writes to disk. This way, all the files needed to install and run an app inherit the positive reputation data from the installer."

It makes sense now that Microsoft would want a long period of SAC running in evaluation mode to collect the required telemetry and set policies for all files written to disk for known good application installers.
 

pxxb1

Level 9
Verified
Well-known
Jan 17, 2018
438
After the 22H2 update I get a bar at the bottom of the screen asking me to deny or allow some exes or programs I start that are not usual. What is that all about?
SAC was not going to be active if a fresh install was not done, and it is not, so where is this bar coming from? This is something I have not read about.
 
ForgottenSeer 95367

After the 22H2 update I get a bar at the bottom of the screen asking me to deny or allow some exes or programs I start that are not usual. What is that all about?
SAC was not going to be active if a fresh install was not done, and it is not, so where is this bar coming from? This is something I have not read about.
You are not going to read about a lot of things when it comes to SAC. It is an early release feature with a lot of bugs and unexpected behaviors.

The whole point of the current SAC release is for people to alpha/beta test it in its current state for Microsoft; SAC was not released to be used for production.

When SAC blocks a file, a toaster (Windows 10\11 desktop notification) appears that some files were being blocked.

There is no way for the user to allow or deny files in SAC at this time. Microsoft has not implemented such a feature yet. So you are misinterpreting what you saw.
 

pxxb1

Level 9
Verified
Well-known
Jan 17, 2018
438
You are not going to read about a lot of things when it comes to SAC. It is an early release feature with a lot of bugs and unexpected behaviors.

The whole point of the current SAC release is for people to alpha/beta test it in its current state for Microsoft; SAC was not released to be used for production.

When SAC blocks a file, a toaster (Windows 10\11 desktop notification) appears that some files were being blocked.

There is no way for the user to allow or deny files in SAC at this time. Microsoft has not implemented such a feature yet. So you are misinterpreting what you saw.

It asks me if I want to deny or allow, not that it blocked anything. One exe did not start when I did not do anything with the bar, so I tried a second time. That time I allowed and all went through. So this is real!
 
ForgottenSeer 95367

It asks me if I want to deny or allow, not that it blocked anything. One exe did not start when I did not do anything with the bar, so I tried a second time. That time I allowed and all went through. So this is real!
Please provide an image of the notification that asks you to allow or deny files.

Microsoft has not yet implemented user allow or deny of files in SAC. They clearly state this in their SAC release notes. Such a feature has been requested by users to the Windows Insiders' Program, but M$ said "No, for now."
 
Last edited by a moderator:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,129
@Andy Ful, I wonder to what extent Intelligence Security Graph (ISG) for WDAC overlaps or is one and the same as "Defender Reputation AI" to be used in Smart Application Control?

Microsoft is surely playing word games for marketing purposes as it normally does - calling the same thing by different names. Also, Microsoft is relabeling old tech (ML analytics) as something new (AI array). Same trickery as "Next Gen" this or that, when in fact, it's just the same thing that has been used for a long time.

After reading this very closely multiple times, I'm convinced of it:

NOTE how Microsoft might try to solve the DLL hell problem...

"If the file with good reputation is an application installer, the installer's reputation will pass along to any files that it writes to disk. This way, all the files needed to install and run an app inherit the positive reputation data from the installer."

It makes sense now that Microsoft would want a long period of SAC running in evaluation mode to collect the required telemetry and set policies for all files written to disk for known good application installers.
In my tests, WDAC + ISG on Windows 10 worked slightly differently from SAC on Windows 11. I made my tests with SAC in Windows Insider. For example, Hard_Configurator was blocked by ISG but allowed by SAC and Defender ASR rules. SAC also allowed the installation of signed applications and then some of them were partially blocked on execution (DLL blocking).
When using WDAC + ISG on Windows 10 you can still see the SmartScreen alert. On Windows 11 with SAC set to ON, there is no SmartScreen alert, but files that would be blocked by SmartScreen on Windows 10 are now blocked by SAC.

I think that more tests must be done. It is also possible that WDAC on Windows 11 could get some new features.
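An added example, not posted by anyone in this thread: the post above notes that with SAC set to ON there is no SmartScreen alert, that signed applications can still be partially blocked at execution (DLL blocking), and an earlier post mentions SAC running in evaluation mode. On Windows the SAC mode is recorded in the Code Integrity policy registry key (VerifiedAndReputablePolicyState: 0 = Off, 1 = On, 2 = Evaluation), and SAC/WDAC decisions are written to the Code Integrity operational event log rather than shown in a dialog. This PowerShell script reports both, so a tester can see what SAC actually did to a sample. The event IDs used (3076 audit, 3077 enforced block, 3033 signing-level block) are the standard Code Integrity IDs; the output layout is this example's own choice.

```powershell
# Added example (not from the thread): report the SAC mode and recent
# Code Integrity block/audit events, including DLL signing-level blocks.

# VerifiedAndReputablePolicyState: 0 = Off, 1 = On, 2 = Evaluation.
# The value is absent on builds that do not ship SAC.
$policyKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy'
$state = (Get-ItemProperty -Path $policyKey -Name VerifiedAndReputablePolicyState `
              -ErrorAction SilentlyContinue).VerifiedAndReputablePolicyState
$modeName = switch ($state) {
    0       { 'Off' }
    1       { 'On (enforcing, no SmartScreen prompt)' }
    2       { 'Evaluation (learning, nothing blocked)' }
    default { 'Not present (SAC unavailable on this build)' }
}
Write-Host "Smart App Control mode: $modeName"

# Code Integrity event IDs:
#   3076 = would have been blocked (audit/evaluation)
#   3077 = blocked (enforced)
#   3033 = blocked because the file did not meet the required signing level
#          (this is what a DLL block from a signed installer looks like)
$filter = @{
    LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id      = 3033, 3076, 3077
}
Get-WinEvent -FilterHashtable $filter -MaxEvents 50 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $outcome = switch ($_.Id) {
            3076 { 'audit only' }
            3077 { 'blocked' }
            3033 { 'blocked (signing level)' }
        }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Outcome = $outcome
            Message = ($_.Message -split "`n")[0]   # first line names the file
        }
    } | Format-Table -AutoSize
```

Run it in an elevated PowerShell after executing a test sample; if the mode reads Evaluation you should see 3076 events for files that would have been blocked, and in enforcing mode 3077 or 3033 events for the ones that actually were. An empty event list with mode Off simply means SAC made no decision, which is the case the poster above hit with the DefenderUI prompt.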
 

pxxb1

Level 9
Verified
Well-known
Jan 17, 2018
438
Please provide an image of the notification that asks you to allow or deny files.

Microsoft has not yet implemented user allow or deny of files in SAC. They clearly state this in their SAC release notes. Such a feature has been requested by users to the Windows Insiders' Program.

That is not to say that Microsoft says one thing in the release notes, but does another when releasing the code. That's why an image or GIF of the notification will resolve the matter.

False alarm! I installed DefenderUI Pro after 22H2, so it was that which made its presence known for the first time. SAC is set to OFF in W. Security.
 
ForgottenSeer 95367

In my tests, WDAC + ISG on Windows 10 worked slightly differently from SAC on Windows 11. I made my tests with SAC in Windows Insider. For example, Hard_Configurator was blocked by ISG but allowed by SAC and Defender ASR rules. SAC also allowed the installation of signed applications and then some of them were partially blocked on execution (DLL blocking).
When using WDAC + ISG on Windows 10 you can still see the SmartScreen alert. On Windows 11 with SAC set to ON, there is no SmartScreen alert, but files that would be blocked by SmartScreen on Windows 10 are now blocked by SAC.

I think that more tests must be done. It is also possible that WDAC on Windows 11 could get some new features.
WDAC and ISG progress at Microsoft has been disappointingly slow. A contact at Microsoft stated to me that it has to do with limitations of their internal teams (staff leaving) and coordination problems between work groups.

WDAC is far too cumbersome to deploy at this time. Just getting it set up to test requires an admin to spend days of reading and prep work. Too much logistics involved and, therefore, not practical.
 
