Update Smart App Control - Windows 11 22H2 feature promises significant protection from malware

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
7,386
After the 22H2 update i get a bar at the bottom of the screen asking me to deny or allow some exe:s or programs i start that is not usuall, what is that all about?
SAC was not going to be active if a fresh install was not done, and it is not, so what is this bar coming from. This is something i have not read about.
What security do you use? This issue is not related to SAC.
 
  • Like
Reactions: Digmor Crusher

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
7,386
WDAC is far too cumbersome to deploy at this time. Just getting it set up to test requires an admin to spend days of reading and prep work. Too much logistics involved and, therefore, not practical.
One can use Wdac Policy Wizard (made by Microsoft):
It has got three predefined policies (works on Windows Pro). One can modify the policy, although not all possibilities are included.
 
F

ForgottenSeer 95367

One can use Wdac Policy Wizard (made by Microsoft):
It has got three predefined policies (works on Windows Pro). One can modify the policy, although not all possibilities are included.
The WDAC Policy Wizard is buggy in my experience. You still have to prep every system for WDAC by installing the WDAC Policy Refresh Tool and install the policy. Admins do not like all that required work.

I suppose you are testing WDAC by installing it via Group Policy?
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
7,386
The WDAC Policy Wizard is buggy in my experience. You still have to prep systems for WDAC and install the policy. Admins do not like all that required work.
The predefined policies work well. The installation can be done in a simple way by copying the binary policy file to the right Windows subfolder. Anyway, one can have some knowledge about WDAC to modify the policy file.
 
F

ForgottenSeer 95367

The predefined policies work well. The installation can be done in a simple way by copying the binary policy file to the right Windows subfolder. Anyway, one can have some knowledge about WDAC to modify the policy file.
I am talking about using WDAC in an enterprise environment. Not on test or personal systems.

The enterprise WDAC procedure is too cumbersome. That is why admins do not like it and WDAC is not popular in enterprise security. Until Microsoft makes WDAC more user-friendly, WDAC will not see the same level of deployment as AppLocker or "classic" SRP.

Also, a general complaint about the WDAC policies is that they are not comprehensive enough yet. Admins struggling to craft WDAC policies in a way that works for their employer networks.
 
Last edited by a moderator:
F

ForgottenSeer 95367

The installation can be done in a simple way by copying the binary policy file to the right Windows subfolder.
You are talking about the Code Integrity Folder, correct?

$DestinationFolder = $env:windir+"\[B]System32\CodeIntegrity\CIPolicies\Active[/B]\"
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
7,386
You are talking about the Code Integrity Folder, correct?

$DestinationFolder = $env:windir+"\[B]System32\CodeIntegrity\CIPolicies\Active[/B]\"
Mostly. Some policy files can work also in the Codeintegrity folder.
 
F

ForgottenSeer 95367

Mostly. Some policy files can work also in the Codeintegrity folder.
Would you please be a bit more clear or detailed in sharing infos?

Which policy files are you talking about? (Are you referring to the raw XML WDAC policy file or after it has been converted to a WDAC policy binary using)?:

ConvertFrom-CIPolicy [-XmlFilePath] <String> [-BinaryFilePath] <String> [<CommonParameters>]
The WDAC policy needs to be converted to a binary file, and that is the operational policy file that is "dropped" into CodeIntegrity per the official WDAC documentation.

Is there a different way using different policy files? (outside the official documentation?) The way you phrase your previous reply, in English it can be taken as meaning there are multiple ways to activate the WDAC policy on an endpoint using a WDAC policy file other than the binary.
 
Last edited by a moderator:
  • Like
Reactions: Andy Ful
F

ForgottenSeer 95367

Important notice regarding SAC Evaluation Mode:

1663958541999.png
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
7,386
Would you please be a bit more clear or detailed in sharing infos?
...
Are you sure that this is the right thread? I will answer your questions in a private thread tomorrow. :)
 
Last edited:
F

ForgottenSeer 95367

Are you sure that this is the right threat?
There is some misunderstanding happening here. I do not understand what you are saying regarding "threat". I'm just asking for clarification of your prior explanation. I, in turn, explained why the answer you provided could mean multiple things within the context of our discussion.

Are we not sharing security infos and methods on MT? Is it not proper etiquette to ask for a detailed explanation when things are not clear?

I, as well as others, are always interested in undocumented methods. Just not enough time to find and figure them all out.

I will answer your questions in a private thread tomorrow. :)
Thank you.
 
Last edited by a moderator:
F

ForgottenSeer 95367

I notice, SAC ON takes control of:

1. Reputation-Based Protection
  • Check Apps and Files (not user configurable with SAC ON)
2. Potentially Unwanted App Blocking
  • Block Apps (not user configurable with SAC ON)
  • Block Downloads (user can still enable\disable with SAC ON)

In a very short very simple test, I enabled SAC and installed the following - allowed or blocked as noted:

FINDING = Only signed files can be installed from Microsoft Store with SAC ON.
SAC blocks unsigned uninstallers (same as installer as SAC can't tell if installing or uninstalling; the process is the same).


1. 7zip (BLOCKED BY SAC due to UNSIGNED)
1663964716297.png

1.1 Selected "Get Apps from Store"
1.2 Attempted install of 7zip version by ZEEIS on Microsoft Store (BLOCKED BY SAC due to UNSIGNED):
1663964779971.png

1.3 Installed SIGNED 7zip by HAUKE HASSELBERG via MICROSOFT STORE.
1663965150327.png

2. UltraSearch (SIGNED)
3. GitHub Desktop (SIGNED)
4. PowerShell Core 7.2.6 (using the MSI installer; SIGNED)

SAC has remained ON for hours. (I think it will change to OFF if too much gets blocked).
 
Last edited by a moderator:
  • Like
Reactions: Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
7,386
There is some misunderstanding happening here. I do not understand what you are saying regarding "threat".
You understand. I made the required correction (it should be of course "thread").

There is nothing unusual in your question and my answer. Simply, I created this thread to investigate SAC (no need to create policies). All that I posted about WDAC is well documented by Microsoft and I have also some useful links about making WDAC policies. Tomorrow I will post about WDAC in another (more appropriate thread):
https://malwaretips.com/threads/application-control-on-windows-10-home.89753/
 
Last edited:
F

ForgottenSeer 95367

I n
You understand. I made the required correction (it should be of course "thread").

There is nothing unusual in your question and my answer. Simply, I created this thread to investigate SAC (no need to create policies). All that I posted about WDAC is well documented by Microsoft and I have also some useful links about making WDAC policies. Tomorrow I will post about WDAC in another (more appropriate thread):
https://malwaretips.com/threads/application-control-on-windows-10-home.89753/

Thanks
 

eXDj

Level 10
Verified
Aug 2, 2015
451
22622.601 BETA insiders build i dont have SAC,i use Eset Smart Security Premium beta 16.0.14.0 now with "dark theme" !
install with official ISO beta clean
 

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,379
From what I could experience in a short time, it is less restrictive than SWH which leads me to doubt how it will defend users against malware.
That was my initial impression as well, although I have not spent enough time with it to say for sure.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
7,386
For software developers:

This document also includes details on how to configure SAC to any setting (Evaluate, ON, OFF) even if it is not possible from Security Center - no need to refresh the Windows.
 
Last edited:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top