New Update Smart App Control - Windows 11 22H2 feature promises significant protection from malware

Andrezj

Level 6
Nov 21, 2022
249
sac is certainly a good idea

there are some issues with it:
  • sac database and algorithms are obviously not quite ready for prime-time given that sac blocks even microsoft files
  • microsoft is not very forthcoming in explaining expected behaviors or configuration of system to have sac permanently enabled - for example, enable windows subsystem for linux and sac blocks it or sac turns itself off
  • the requirement of a clean install makes perfect sense, but most users will not accept this - microsoft appears unwilling to budge on this
  • there is no way to create "allow" exceptions, and again, most users will not accept this requirement - again microsoft is not going to budge on this
  • the microsoft database (e.g. the databases queried by microsoft defender\smartscreen) already includes reputation scores of all the most popular software already - and yet sac blocks many of such software - because the real strategy microsoft is trying to implement with sac is all files, including dlls and updaters (including created .tmp files in the install sequence) are signed with authenticode
  • windows defender\smartscreen can block authenticode signed files from publishers that are already in the microsoft databases - if those files do not meet criteria such as prevalence and age; it is a guess but sac is probably doing the same ( no details from microsoft)
  • given microsoft's handling of many initiatives - of starting something to only complete it partially and then either stop or just put into maintenance - does not inspire confidence because sac is one of those microsoft initiatives that appears susceptible to the "microsoft method"
 

oldschool

Level 78
Verified
Top Poster
Well-known
Mar 29, 2018
6,745
For software developers:

This document also includes details on how to configure SAC to any setting (Evaluate, ON, OFF) even if it is not possible from Security Center - no need to refresh Windows.
I see this warning on the MS page you referenced:
Important

Smart App Control can be manually configured via the Registry for testing purposes only. Editing Smart App Control settings in this way could compromise the protection it provides.
Have you tested it to check its protection? 🤔
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
7,771
I see this warning on the MS page you referenced:

Have you tested it to check its protection? 🤔
Testing is not necessary. After changing the ON mode to OFF/Evaluate mode (via the Registry) and restarting the system, your computer is not protected by SAC. So, in this way, you can compromise the protection it provides. That is why such a modification is not available from Security Center.
Anyway, this is not a consistent view because Microsoft allows the user to turn off the Defender real-time protection from Security Center, but protects such a change via Registry by Tamper Protection.

The more secure way would be to protect the SAC Registry entries by Tamper Protection.
 
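The post above describes SAC being switched between ON, OFF and Evaluate through the Registry and suggests that those entries deserve the same Tamper Protection that shields Defender's own settings. As an added example that is not part of the thread or of any tool mentioned in it, the following PowerShell script performs a read-only audit: it reads the SAC mode, compares it with the mode an administrator expects, and reports whether Defender Tamper Protection is active. The key path and value name (`HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy`, DWORD `VerifiedAndReputablePolicyState`, 0 = Off, 1 = On, 2 = Evaluation) are taken from Microsoft's documentation and are not stated on this page; the script never writes to the Registry.

```powershell
# Added example, not code from the thread. Read-only audit of the Smart App Control
# state plus the Defender Tamper Protection status.
# Assumption (Microsoft documentation, not this thread): SAC keeps its mode in
# HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy as the DWORD
# VerifiedAndReputablePolicyState, where 0 = Off, 1 = On, 2 = Evaluation.

function Get-SacState {
    $keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy'
    $valueName = 'VerifiedAndReputablePolicyState'
    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value absent: SAC was never provisioned on this install (e.g. an upgraded system).
        return [pscustomobject]@{ RawValue = $null; Mode = 'NotPresent' }
    }
    $raw  = [int]$item.$valueName
    $mode = switch ($raw) {
        0       { 'Off' }
        1       { 'On' }
        2       { 'Evaluation' }
        default { "Unknown($raw)" }
    }
    [pscustomobject]@{ RawValue = $raw; Mode = $mode }
}

function Test-SacBaseline {
    param(
        [ValidateSet('Off', 'On', 'Evaluation')]
        [string]$ExpectedMode = 'On'
    )
    $state = Get-SacState

    # Tamper Protection reports whether Defender's own settings are shielded; as the
    # thread notes, it does not currently cover the SAC key, so a drift here is silent.
    try {
        $tamper = (Get-MpComputerStatus -ErrorAction Stop).IsTamperProtected
    } catch {
        $tamper = 'Unavailable'   # Defender module missing or third-party AV active
    }

    [pscustomobject]@{
        SacMode          = $state.Mode
        RawValue         = $state.RawValue
        ExpectedMode     = $ExpectedMode
        Drifted          = ($state.Mode -ne $ExpectedMode)
        TamperProtection = $tamper
        CheckedAt        = (Get-Date).ToString('s')
    }
}

# Usage: run from an elevated PowerShell on Windows 11 22H2 or later.
# Drifted = True means the Registry value no longer matches the expected mode,
# which is exactly the change Security Center would not have allowed.
Test-SacBaseline -ExpectedMode 'On' | Format-List
```

Scheduling `Test-SacBaseline` as a periodic task and forwarding any `Drifted = True` result to a log collector gives the monitoring that the missing Tamper Protection coverage does not, without touching the setting itself.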

oldschool

Level 78
Verified
Top Poster
Well-known
Mar 29, 2018
6,745
I often test unsigned, non-prevalent installers with SAC. Lately I've taken to using RunBySmartscreen (with right-click + Shift thanks to @Andy Ful) for some installations which previously were blocked completely or in part by SAC and these were allowed with not a peep from SAC. One example is the new Ungoogled Chromium release which is unsigned and brand new. I believe that Smartscreen and SAC work together but I don't know if my recent experience using RBS can be taken as a direct correlation but it is surprising.
 

Freki123

Level 14
Verified
Top Poster
Aug 10, 2013
665
For me SAC was a mixed bag. Most of the time it was ok. Sometimes I really hated it.
From memory: Got an online banking program installed without problems. Weeks later SAC started complaining that the dlls were not signed. Reported dlls as safe to MS, they said they fixed it. Now SAC complains another dll is not signed > report to MS. Told the developer about the problem and they fixed it later with a new fully signed version.
Tldr: Why let me install a program and then not let me start it because of an unsigned dll weeks later after already using it.
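The post above describes an application that installed cleanly and was later blocked because individual DLLs were unsigned. As an added example that is not part of the thread, the following PowerShell function inventories the Authenticode status of every executable, DLL, driver and OCX under an install folder, so an unsigned or badly signed component can be found (and reported to the vendor) before SAC refuses to load it. The folder path in the usage lines is a placeholder; `Get-AuthenticodeSignature` and `Get-ChildItem` are standard cmdlets.

```powershell
# Added example, not code from the thread. Lists every binary under a folder whose
# Authenticode signature is anything other than Valid, so unsigned components that
# Smart App Control would later block can be identified up front.

function Get-UnsignedBinaries {
    param(
        [Parameter(Mandatory)] [string]$Path,
        [string[]]$Extensions = @('*.exe', '*.dll', '*.sys', '*.ocx')
    )
    Get-ChildItem -Path $Path -Recurse -File -Include $Extensions -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                File      = $_.FullName
                # Status values include Valid, NotSigned, HashMismatch, NotTrusted, UnknownError
                Status    = $sig.Status
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                # A timestamp counter-signature keeps the signature valid after the cert expires
                Timestamped = [bool]$sig.TimeStamperCertificate
            }
        } |
        Where-Object { $_.Status -ne 'Valid' }
}

# Usage: the path below is a placeholder, point it at the application to check.
$report = Get-UnsignedBinaries -Path 'C:\Program Files\ExampleApp'

# Per-file detail, then a count per signature status for a quick summary.
$report | Sort-Object Status, File | Format-Table -AutoSize
$report | Group-Object Status | Select-Object Name, Count
```

An empty report means every binary carried a valid signature at the time of the scan; a `NotSigned` row is the kind of component the post describes, and a `HashMismatch` row means a file was modified after signing, which is worth investigating regardless of SAC.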
 

ForgottenSeer 97327

I had a similar experience (like @Freki123) on my wife's laptop with a photobook application. Reverted back to Microsoft Defender on MAX with H_C in SWH mode also blocking sponsors. To prevent the confusing messages of MD protected folders I set it to block disk modification only and installed Avast free ransomware protection and Avast firewall. Although early days, this setup has run perfectly since July this year.
 

ForgottenSeer 97327

I suppose my use case is unique and also conducive to SAC as I have only browsers, NanaZip, Aomei Backupper Pro, Epson printer and no other 3rd party software.
No, it actually is a good trick to install something with smartscreen. Your experience matches mine when playing with WDAC ISG (sort of similar to SAC but you can add rules like in SRP/AppLocker). When smartscreen allows it, then WDAC ISG seemed to "loosen up" and allow it also.
 
