New Update Smart App Control - Windows 11 22H2 feature promises significant protection from malware

I noticed that SAC now blocks Start Menu shortcuts for @Andy Ful 's apps and some other executables, which means there have been under-the-hood improvements that may not be documented by MS.

Has anyone else noticed changes or found new documentation?

I think that the shortcut is to the executable with MOTW. You can try running this executable once without the shortcut to remove MOTW.
 
I can also run most portable programs, but from Windows Explorer, not the Start Menu.
I could run all portables from the start menu, but not all of them now.

@Andy Ful, except that when running it from Start, it's still blocked after running directly from the executable. My gut still says something changed under the hood.
 
I could run all portables from the start menu, but not all of them now.
Andy stated it is the fault of MOTW, in spite of the fact that getting MOTW is supposed to give preference for SS (more permissive) to kick in before SAC!
 
I could run all portables from the start menu, but not all of them now.

@Andy Ful, except that when running it from Start, it's still blocked after running directly from the executable.

I am not sure. Is the executable blocked by SAC when the shortcut is not used?
 
@Andy Ful, except that when running it from Start, it's still blocked after running directly from the executable.

Sorry, I forgot that MotW is not removed on execution when SAC is ON. You have to unblock the executable manually (right click >> Properties >> Unblock).
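The manual Unblock step above can be checked and applied in bulk. The script below is an added example, not code from the thread or from any of the apps mentioned: it walks the Start Menu shortcuts, resolves each target, and reports which executables still carry the Mark of the Web (the NTFS Zone.Identifier stream). It is report-only unless the assumed -Unblock switch is passed.

```powershell
# Added example (not from the thread). Lists Start Menu shortcuts whose target
# executable still carries MotW, the condition discussed above as causing SAC
# to block the shortcut. -Unblock is an assumed switch of this hypothetical
# function; without it nothing on disk is changed.
function Get-StartMenuMotwTargets {
    param([switch]$Unblock)

    $startMenus = @(
        "$env:APPDATA\Microsoft\Windows\Start Menu\Programs",
        "$env:ProgramData\Microsoft\Windows\Start Menu\Programs"
    )
    $shell = New-Object -ComObject WScript.Shell

    foreach ($dir in $startMenus) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $target = $shell.CreateShortcut($_.FullName).TargetPath
            if (-not $target -or -not (Test-Path -LiteralPath $target)) { return }

            # MotW is stored in an alternate data stream named Zone.Identifier;
            # Get-Content returns nothing (and no terminating error) if it is absent.
            $zone = Get-Content -LiteralPath $target -Stream Zone.Identifier -ErrorAction SilentlyContinue
            if (-not $zone) { return }

            # ZoneId=3 is the Internet zone; HostUrl records where the file came from.
            $zoneId  = ($zone | Where-Object { $_ -match '^ZoneId=' })  -replace '^ZoneId=', ''
            $hostUrl = ($zone | Where-Object { $_ -match '^HostUrl=' }) -replace '^HostUrl=', ''

            if ($Unblock) {
                # Same effect as Properties >> Unblock: removes the Zone.Identifier stream.
                Unblock-File -LiteralPath $target
            }

            [pscustomobject]@{
                Shortcut  = $_.FullName
                Target    = $target
                ZoneId    = $zoneId
                HostUrl   = $hostUrl
                Unblocked = [bool]$Unblock
            }
        }
    }
}

# Report only; re-run with -Unblock after reviewing the list.
Get-StartMenuMotwTargets | Format-Table -AutoSize
```

Unblock-File only strips the stream; it does not change how SAC, ISG or Defender evaluate the binary itself, so a file that is still blocked after unblocking is being stopped by something other than MotW.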
 
Sorry, I forgot that MotW is not removed on execution when SAC is ON. You have to unblock the executable manually (right click >> Properties >> Unblock).
But that doesn't seem to explain why previously I could run them from Start, in particular your CD and FWH apps. 🤔
 
But that doesn't seem to explain why previously I could run them from Start, in particular your CD and FWH apps. 🤔

This SAC bug is new (@Parkinsond noted it recently):
 
Microsoft says to the customers:
Hey guys, we offer you modern and very strong protection, but it will work flawlessly with properly signed applications (including DLLs). Please use Microsoft Store and Microsoft software to be sure.
Customers say to MS: Hi Bill, as you cannot use AV without exclusions, the same applies to default-deny-solutions; we will use MS app control instead of your "smart" one.
 
I made my tests with SAC in Windows Insider. For example, Hard_Configurator was blocked by ISG but allowed by SAC and Defender ASR rules.
Looks like WDAC is lacking some heuristic analysis provided by SAC, in spite of using the same ISG.
 
Customers say to MS: Hi Bill, as you cannot use AV without exclusions, the same applies to default-deny-solutions; we will use MS app control instead of your "smart" one.

Yes, but this is only an alternative for advanced users. Everyone can use SAC, and it has fewer false positive detections, especially for software autoupdates.
 
Looks like WDAC is lacking some heuristic analysis provided by SAC, in spite of using the same ISG.

Not in this case. H_C is signed, so automatically allowed by SAC, even if unknown to ISG.
WDAC ISG blocked H_C because this was a new installer with low prevalence among users. The test was done for the installer with no MotW.
ASR rule allowed H_C because the installer was known in the MS cloud for more than 24h. It would be blocked as a fresh installer.

This shows some differences between SAC, WDAC, and the ASR "prevalence and time criteria" rule.
 
Yes, but this is only an alternative for advanced users. Everyone can use SAC, and it has fewer false positive detections, especially for software autoupdates.
But one false positive by SAC can render my PC useless if it involves a core program, while WDAC can falsely flag as many programs as it likes, which will be excluded so that functionality is preserved.
 
Not in this case. H_C is signed, so automatically allowed by SAC, even if unknown to ISG.
WDAC ISG blocked H_C because this was a new installer with low prevalence among users. The test was done for the installer with no MotW.
ASR rule allowed H_C because the installer was known in the MS cloud for more than 24h. It would be blocked as a fresh installer.

This shows some differences between SAC, WDAC, and the ASR "prevalence and time criteria" rule.
WDAC is more protective against signed malware than SAC.
 
This chicken can handle default deny far better than the typical hooman user that attempts to use default deny.

When Smart Application Control (SAC) blocks something, I reach out to the developer and/or report the block directly to Microsoft. In all instances the block is fixed within days. Sometimes automatically by SAC within minutes or hours.

I can live with an application being blocked for days. It causes me no mental or emotional discomfort. "Mind over matter. I don't mind because it don't matter." Yoda essentially taught this incredibly effective coping skill.

ezpz
 
Can you live with the main program for productivity (your bread and butter) being blocked?
Yes. I don't require "Applications or programs on-demand with 0% downtime." Most enterprises don't have the need either. The sysadmins and cybersec crews are accustomed to outages of various types.

Those that have a "0% downtime" requirement build architecture with redundancy to cope with the issue.

Unless a person is a "one-man shop" fully dependent upon certain applications and programs, then the issue is moot. For them, they have easy workaround solutions - if they know what they're doing. Being "fixated" on only one way of doing things is fatal.

In any case, the example of "a one-man shop dependent upon specific applications and programs" is rare enough that Microsoft need not change to accommodate anybody.

Microsoft has long been aware of the SAC issues and limitations, and its message, which is loud and clear from what it does and does not do, is: "We don't care."
 