New Update Smart App Control - Windows 11 22H2 feature promises significant protection from malware

Can you live with the main program for your productivity (your bread and butter) being blocked?

The main problem can be when using unsigned & non-prevalent applications. However, in most cases, there are as good but signed & prevalent alternatives. Of course, SAC can be useless for many users, too.
One can also submit files to Microsoft.
 
Property                                                     | SAC        | WDAC
-------------------------------------------------------------+------------+-----------------------------------------
False positive block                                         | +          | +++
Cloud whitelisting                                           | More rapid | Slower
Bypassed by lack of MoTW for LNK and Reg files (and scripts) | Yes        | No
Bypassed by SmartScreen                                      | No         | Yes
Script block                                                 | strict     | less strict (constrained language mode)
Exclusions                                                   | No         | Yes
OS impact                                                    | +          | ++
 

Some positions are incorrect.
SAC can block many file types (like .reg, .lnk, .chm, .iso, etc.) via MotW, and those files are not blocked by WDAC at all (even with MotW).
Both SAC and WDAC, with the ISG option, primarily allow unsigned files with a good SmartScreen reputation. Additionally, SAC permits signed files with an unknown SmartScreen reputation.
 
Both SAC and WDAC, with the ISG option, primarily allow unsigned files with a good SmartScreen reputation
I have faced unsigned files with a good SmartScreen reputation being blocked by WDAC if unblocked (MotW removed) before execution; both are unpredictable; it is hit and try until you know which one will pass.
 
I have faced unsigned files with a good SmartScreen reputation being blocked by WDAC if unblocked (MotW removed) before execution; both are unpredictable; it is hit and try until you know which one will pass.

I referred to those two entries, SAC vs. WDAC:
Bypassed by SmartScreen: No (SAC)
Bypassed by SmartScreen: Yes (WDAC)

This category is incorrect because SAC and WDAC use SmartScreen reputation differently.
SAC most probably uses positive SmartScreen reputation even when EXE/MSI files have no MotW, but only for unsigned files. Signed EXE/MSI files with unknown reputation in SmartScreen and ISG are allowed.
WDAC ISG uses SmartScreen reputation only when EXE/MSI files (signed and unsigned) have MotW.
 
Just manually remove MotW (unblock) and SAC will let it pass, even .reg files modifying the Windows Explorer context menu.

Yes. That is how it works for such files. However, WDAC totally ignores such files (with or without MotW).
WDAC and SAC work differently. SAC is designed to protect home users.
 
I referred to those two entries, SAC vs. WDAC:
Bypassed by SmartScreen: No (SAC)
Bypassed by SmartScreen: Yes (WDAC)

This category is incorrect because SAC and WDAC use SmartScreen reputation differently.
SAC most probably uses positive SmartScreen reputation even when EXE/MSI files have no MotW, but only for unsigned files. Signed EXE/MSI files with unknown reputation in SmartScreen and ISG are allowed.
WDAC ISG uses SmartScreen reputation only when EXE/MSI files (signed and unsigned) have MotW.
"Bypassed by SmartScreen: Yes" for WDAC means, as you already know of course, that if I try to execute a file after removing MotW, WDAC blocks it, but if I try execution without removing MotW, it executes, because MotW provoked SmartScreen, which allowed it, and consequently WDAC did not block.
 
Yes. That is how it works for such files. However, WDAC totally ignores such files (with or without MotW).
WDAC and SAC work differently. SAC is designed to protect home users.
So only SAC is bypassable regarding those files, as WDAC does not deal with them, and removing MotW does not make a difference (not bypassable) 🙂
 
Yes. SAC is sometimes bypassable, and WDAC does not protect against those files.
I do not find it a bad feature, on the contrary, it may be considered as a partial "exclusion" feature which SAC lacks compared to WDAC.
As long as all downloaded files have MoTW, then removing it manually is not bad, as malware cannot do that, or can it?
 
I do not find it a bad feature, on the contrary, it may be considered as a partial "exclusion" feature which SAC lacks compared to WDAC.

WDAC "automatically makes exclusions" for such files. :)

As long as all downloaded files have MoTW, then removing it manually is not bad, as malware cannot do that, or can it?

Yes and No.
It is not bad, because many web-based attacks can be prevented. Such attacks mainly start from files with MotW.
However, if you run a signed EXE malware with an unknown reputation, it can download script payloads with no MotW, and SAC will not block either the EXE malware or the script payloads.
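The exchange above turns on two file attributes: whether a downloaded file still carries the Mark of the Web (the Zone.Identifier alternate data stream) and whether it is Authenticode-signed. The following PowerShell audit is an added example, not code from the thread or from Microsoft; it reports both attributes for every file in a folder you choose (the default path and the extension lists are assumptions) and flags the two situations the posters describe: a script or MotW-gated file type with no MotW, which SAC's MotW-based block will not touch, and a signed Internet-zone file, which SAC allows regardless of reputation. It only reads the stream; it never removes it.

```powershell
# Added example (not from the thread): audit downloaded files for MotW presence
# and Authenticode status. Assumes Windows PowerShell 5.1 or later on Windows 11.
param([string]$Path = "$env:USERPROFILE\Downloads")   # assumed default folder

function Get-MotwInfo {
    param([string]$FilePath)
    # The Mark of the Web is stored in the Zone.Identifier alternate data stream.
    try {
        $raw = Get-Content -LiteralPath $FilePath -Stream Zone.Identifier -ErrorAction Stop
    } catch {
        # No stream means no MotW (never downloaded, or unblocked).
        return [pscustomobject]@{ HasMotw = $false; ZoneId = $null; HostUrl = $null }
    }
    $zoneId = $null; $hostUrl = $null
    foreach ($line in $raw) {
        if     ($line -match '^ZoneId=(\d+)')  { $zoneId  = [int]$Matches[1] }   # 3 = Internet, 4 = Restricted
        elseif ($line -match '^HostUrl=(.+)')  { $hostUrl = $Matches[1] }        # origin recorded by the browser
    }
    [pscustomobject]@{ HasMotw = $true; ZoneId = $zoneId; HostUrl = $hostUrl }
}

function Get-SignatureSummary {
    param([string]$FilePath)
    # Status is Valid, NotSigned, HashMismatch, UnknownError, ... for PE files and scripts.
    $sig = Get-AuthenticodeSignature -LiteralPath $FilePath
    [pscustomobject]@{
        Status = $sig.Status.ToString()
        Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

# Assumed extension lists: script types, and the file types the thread says SAC gates only via MotW.
$scriptExt   = '.ps1', '.vbs', '.vbe', '.js', '.jse', '.wsf', '.bat', '.cmd', '.hta'
$motwOnlyExt = '.reg', '.lnk', '.chm', '.iso'

Get-ChildItem -LiteralPath $Path -File -Recurse | ForEach-Object {
    $motw = Get-MotwInfo $_.FullName
    $sig  = Get-SignatureSummary $_.FullName
    $ext  = $_.Extension.ToLowerInvariant()
    $note = @()
    if (-not $motw.HasMotw -and (($ext -in $scriptExt) -or ($ext -in $motwOnlyExt))) {
        $note += 'no MotW: SAC applies no MotW-based block to this type'
    }
    if ($sig.Status -eq 'Valid' -and $motw.HasMotw -and $motw.ZoneId -ge 3) {
        $note += 'signed Internet-zone file: SAC allows signed files even with unknown reputation'
    }
    [pscustomobject]@{
        File   = $_.FullName
        MotW   = $motw.HasMotw
        ZoneId = $motw.ZoneId
        Source = $motw.HostUrl
        Sig    = $sig.Status
        Signer = $sig.Signer
        Note   = ($note -join '; ')
    }
} | Format-Table -AutoSize -Wrap
```

Run it against a downloads folder before deciding whether to unblock anything: the Source column shows where the browser says the file came from, and a .reg, .lnk or script file that already shows MotW = False is exactly the case the thread describes, where SAC will not step in and only the signature and reputation checks on whatever launched it remain.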
 
WDAC "automatically makes exclusions" for such files. :)

Yes and No.
It is not bad, because many web-based attacks can be prevented. Such attacks mainly start from files with MotW.
However, if you run a signed EXE malware with an unknown reputation, it can download script payloads with no MotW, and SAC will not block either the EXE malware or the script payloads.
Of course I will not remove MotW except when dead sure the file is safe; previously SAC was blocking the 7-Zip exe downloaded from the official website; it is not smart all the time.
 

The article is slightly outdated, although it still contains some useful information. We also talked about this here:

If the attacker wants to bypass SAC, it will be bypassed. However, most of the techniques used in non-targeted attacks are covered.
The simplest bypass is using signed FUD.
 
The article is slightly outdated, although it still contains some useful information. We also talked about this here:

If the attacker wants to bypass SAC, it will be bypassed. However, most of the techniques used in non-targeted attacks are covered.
The simplest bypass is using signed FUD.
SAC has two blind spots, signature and MotW.
 
SAC has two blind spots, signature and MotW.

It is more complex. The signatures are unimportant here. Furthermore, MotW is used by SAC only when the initial attack vector is fileless. This happens rarely, and if it does, it is rarely bypassed, resulting in very sporadic infection events.
The intentional blind spot is fresh, properly signed malware.