Update Smart App Control - Windows 11 22H2 feature promises significant protection from malware

Andy Ful

After the 22H2 update I get a bar at the bottom of the screen asking me to deny or allow some exes or programs I start that are not usual; what is that all about?
SAC was not going to be active if a fresh install was not done, and it is not, so where is this bar coming from? This is something I have not read about.
What security do you use? This issue is not related to SAC.

Andy Ful

WDAC is far too cumbersome to deploy at this time. Just getting it set up to test requires an admin to spend days of reading and prep work. Too much logistics involved and, therefore, not practical.
One can use the WDAC Policy Wizard (made by Microsoft):
It has got three predefined policies (works on Windows Pro). One can modify the policy, although not all possibilities are included.

Furyo

One can use the WDAC Policy Wizard (made by Microsoft):
It has got three predefined policies (works on Windows Pro). One can modify the policy, although not all possibilities are included.
The WDAC Policy Wizard is buggy in my experience. You still have to prep every system for WDAC by installing the WDAC Policy Refresh Tool and install the policy. Admins do not like all that required work.

I suppose you are testing WDAC by installing it via Group Policy?

Andy Ful

The WDAC Policy Wizard is buggy in my experience. You still have to prep systems for WDAC and install the policy. Admins do not like all that required work.
The predefined policies work well. The installation can be done in a simple way by copying the binary policy file to the right Windows subfolder. Anyway, one can have some knowledge about WDAC to modify the policy file.

Furyo

The predefined policies work well. The installation can be done in a simple way by copying the binary policy file to the right Windows subfolder. Anyway, one can have some knowledge about WDAC to modify the policy file.
I am talking about using WDAC in an enterprise environment. Not on test or personal systems.

The enterprise WDAC procedure is too cumbersome. That is why admins do not like it and WDAC is not popular in enterprise security. Until Microsoft makes WDAC more user-friendly, WDAC will not see the same level of deployment as AppLocker or "classic" SRP.

Also, a general complaint about the WDAC policies is that they are not comprehensive enough yet. Admins are struggling to craft WDAC policies in a way that works for their employer networks.

Furyo

The installation can be done in a simple way by copying the binary policy file to the right Windows subfolder.
You are talking about the Code Integrity Folder, correct?

$DestinationFolder = $env:windir+"\System32\CodeIntegrity\CIPolicies\Active\"

Andy Ful

You are talking about the Code Integrity Folder, correct?

$DestinationFolder = $env:windir+"\System32\CodeIntegrity\CIPolicies\Active\"
Mostly. Some policy files can work also in the CodeIntegrity folder.

Furyo

Mostly. Some policy files can work also in the CodeIntegrity folder.
Would you please be a bit more clear or detailed in sharing info?

Which policy files are you talking about? (Are you referring to the raw XML WDAC policy file, or to the file after it has been converted to a WDAC policy binary using the following?):

ConvertFrom-CIPolicy [-XmlFilePath] <String> [-BinaryFilePath] <String> [<CommonParameters>]
The WDAC policy needs to be converted to a binary file, and that is the operational policy file that is "dropped" into CodeIntegrity per the official WDAC documentation.

Is there a different way using different policy files? (outside the official documentation?) The way you phrase your previous reply, in English it can be taken as meaning there are multiple ways to activate the WDAC policy on an endpoint using a WDAC policy file other than the binary.
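As an added example (not code from either poster), the steps the two of them are discussing carried through in one script: the XML policy is converted with ConvertFrom-CIPolicy and the binary is staged in the folder Windows loads it from, which depends on the policy format. The XML path is a placeholder, and the script assumes it runs elevated on Windows 10 1903 or later.

```powershell
# Added example (not from the thread): convert a WDAC policy XML to its binary
# form and stage it where Windows loads it. Run as Administrator.
$XmlPath = "C:\WDAC\MyPolicy.xml"   # placeholder: path to your own policy XML

# Caveat: start in audit mode (rule option 3) so an over-strict policy only logs
# (Event ID 3076 in Microsoft-Windows-CodeIntegrity/Operational) instead of blocking.
Set-RuleOption -FilePath $XmlPath -Option 3

[xml]$Policy = Get-Content -Path $XmlPath
$CodeIntegrity = Join-Path $env:windir "System32\CodeIntegrity"

if ($Policy.SiPolicy.PolicyID) {
    # Multiple-policy format: the binary must be named {PolicyID}.cip and live in
    # CIPolicies\Active, the folder quoted above.
    $Binary = Join-Path (Join-Path $CodeIntegrity "CIPolicies\Active") `
                        "$($Policy.SiPolicy.PolicyID).cip"
} else {
    # Legacy single-policy format: loaded as CodeIntegrity\SiPolicy.p7b, which is
    # the case where the CodeIntegrity folder itself is the right place.
    $Binary = Join-Path $CodeIntegrity "SiPolicy.p7b"
}

ConvertFrom-CIPolicy -XmlFilePath $XmlPath -BinaryFilePath $Binary | Out-Null

# Windows 11 22H2 and later ship CiTool, which applies the policy without a reboot;
# older builds need a restart (or the RefreshPolicy tool mentioned earlier).
if (Get-Command citool.exe -ErrorAction SilentlyContinue) {
    citool.exe --update-policy $Binary -json | Out-Null
    citool.exe --list-policies -json      # confirm the PolicyID now shows as loaded
} else {
    Write-Host "Policy staged at $Binary; restart the system to activate it."
}
```

Review the 3076 audit events for a while before removing option 3, since once the policy is enforced anything it does not allow is blocked rather than logged.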

Furyo

Important notice regarding SAC Evaluation Mode:


Andy Ful

Would you please be a bit more clear or detailed in sharing info?
...
Are you sure that this is the right thread? I will answer your questions in a private thread tomorrow. :)

Furyo

Are you sure that this is the right threat?
There is some misunderstanding happening here. I do not understand what you are saying regarding "threat". I'm just asking for clarification of your prior explanation. I, in turn, explained why the answer you provided could mean multiple things within the context of our discussion.

Are we not sharing security info and methods on MT? Is it not proper etiquette to ask for a detailed explanation when things are not clear?

I, as well as others, are always interested in undocumented methods. Just not enough time to find and figure them all out.

I will answer your questions in a private thread tomorrow. :)
Thank you.

Furyo

I notice, SAC ON takes control of:

1. Reputation-Based Protection
  • Check Apps and Files (not user configurable with SAC ON)
2. Potentially Unwanted App Blocking
  • Block Apps (not user configurable with SAC ON)
  • Block Downloads (user can still enable/disable with SAC ON)

In a very short very simple test, I enabled SAC and installed the following - allowed or blocked as noted:

FINDING = Only signed files can be installed from Microsoft Store with SAC ON.
SAC blocks unsigned uninstallers (same as installer as SAC can't tell if installing or uninstalling; the process is the same).


1. 7zip (BLOCKED BY SAC due to UNSIGNED)

1.1 Selected "Get Apps from Store"
1.2 Attempted install of 7zip version by ZEEIS on Microsoft Store (BLOCKED BY SAC due to UNSIGNED):

1.3 Installed SIGNED 7zip by HAUKE HASSELBERG via MICROSOFT STORE.

2. UltraSearch (SIGNED)
3. GitHub Desktop (SIGNED)
4. PowerShell Core 7.2.6 (using the MSI installer; SIGNED)

SAC has remained ON for hours. (I think it will change to OFF if too much gets blocked).

Andy Ful

There is some misunderstanding happening here. I do not understand what you are saying regarding "threat".
You understand. I made the required correction (it should be of course "thread").

There is nothing unusual in your question and my answer. Simply, I created this thread to investigate SAC (no need to create policies). All that I posted about WDAC is well documented by Microsoft and I have also some useful links about making WDAC policies. Tomorrow I will post about WDAC in another (more appropriate thread):
https://malwaretips.com/threads/application-control-on-windows-10-home.89753/

Furyo

You understand. I made the required correction (it should be of course "thread").

There is nothing unusual in your question and my answer. Simply, I created this thread to investigate SAC (no need to create policies). All that I posted about WDAC is well documented by Microsoft and I have also some useful links about making WDAC policies. Tomorrow I will post about WDAC in another (more appropriate thread):
https://malwaretips.com/threads/application-control-on-windows-10-home.89753/

Thanks

eXDj

On the 22622.601 BETA insiders build I don't have SAC; I use Eset Smart Security Premium beta 16.0.14.0 now with "dark theme"!
Clean install with the official beta ISO.