When something is dropped without the MOTW it will install without any protection of WDAC, is that correct?
Did you know that SmartScreen also tells ISG and SAC to allow stuff when SmartScreen considers it safe? So how would ISG or SAC produce more false positives when an executable was installed using SmartScreen compared with your smart solution using the same SmartScreen approach?
Are you aware that amateur red hackers often used GitHub and Visual Studio binaries to evade the MOTW? Most really nasty malware does not use regular software to evade MOTW detection anyway. Are you sure you are not underestimating the Achilles' heel holes (by relying on MOTW and excluding dynamic code)?
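The post hinges on which files actually carry the Mark of the Web. As an added example (not code from the original post or from any product it mentions), the following PowerShell function reports, for each file, whether the `Zone.Identifier` alternate data stream is present and which zone and referrer it records, so a defender can see which downloads would be treated as "local" by MOTW-dependent controls. It assumes an NTFS volume and PowerShell 3.0 or later (the `-Stream` parameter); the function name `Get-MotwInfo` and the sample paths are my own.

```powershell
# Added example, not part of the original post.
# Reports Mark-of-the-Web status for files by reading the Zone.Identifier
# alternate data stream (NTFS only). ZoneId 3 = Internet, 4 = Restricted sites.
function Get-MotwInfo {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$Path
    )
    process {
        foreach ($p in $Path) {
            $item = Get-Item -LiteralPath $p -ErrorAction Stop
            $zoneId = $null
            $hostUrl = $null
            $referrer = $null

            # Get-Item -Stream fails when the stream does not exist; treat that as "no MOTW".
            $stream = Get-Item -LiteralPath $p -Stream Zone.Identifier -ErrorAction SilentlyContinue
            if ($stream) {
                $lines = Get-Content -LiteralPath $p -Stream Zone.Identifier -ErrorAction Stop
                foreach ($line in $lines) {
                    if ($line -match '^ZoneId=(\d+)\s*$')       { $zoneId   = [int]$Matches[1] }
                    elseif ($line -match '^HostUrl=(.+)$')      { $hostUrl  = $Matches[1].Trim() }
                    elseif ($line -match '^ReferrerUrl=(.+)$')  { $referrer = $Matches[1].Trim() }
                }
            }

            [pscustomobject]@{
                File        = $item.FullName
                HasMotw     = [bool]$stream
                ZoneId      = $zoneId       # $null when the stream is absent
                HostUrl     = $hostUrl
                ReferrerUrl = $referrer
            }
        }
    }
}

# Usage (hypothetical paths): list downloads that arrived WITHOUT a Mark of the Web,
# i.e. the files a MOTW-gated control would not inspect.
# Get-ChildItem "$env:USERPROFILE\Downloads" -File |
#     Select-Object -ExpandProperty FullName |
#     Get-MotwInfo |
#     Where-Object { -not $_.HasMotw }
```

Files unpacked by an archiver that does not propagate the stream, copied to FAT/exFAT media, or written by a build tool (the GitHub and Visual Studio cases the post raises) will show `HasMotw = $false` here, which is exactly the population a MOTW-only policy leaves uncovered.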