New Update Smart App Control - Windows 11 22H2 feature promises significant protection from malware

[Andrezj]

sac is certainly a good idea

there are some issues with it:

• sac database and algorithms are obviously not quite ready for prime-time given that sac blocks even microsoft files
• microsoft is not very forthcoming in explaining expected behaviors or configuration of system to have sac permanently enabled - for example, enable windows subsystem for linux and sac blocks it or sac turns itself off
• the requirement of a clean install makes perfect sense, but most users will not accept this - microsoft appears unwilling to budge on this
• there is no way to create "allow" exceptions, and again, most users will not accept this requirement - again microsoft is not going to budge on this
• the microsoft database (e.g. the databases queried by microsoft defender\smartscreen) already includes reputation scores of all the most popular software already - and yet sac blocks many of such software - because the real strategy microsoft is trying to implement with sac is all files, including dlls and updaters (including created .tmp files in the install sequence) are signed with authenticode
• windows defender\smartscreen can block signed files from authenticode signed files from publishers that are already in the microsoft databases - if those files do not meet criteria such as prevelance and age; it is a guess but sac is probably doing the same ( no details from microsoft)
• given microsoft's handling of many initiatives - of starting something to only complete it partially and then either stop or just put into maintenance - does not inspire confidence because sac is one of those microsoft intitiatives that appears susceptible to the "microsoft method"

 

[oldschool]

For software developers:

Test your app's signature with Smart App Control - Windows apps

Enable Smart App Control and verify your app is signed correctly

learn.microsoft.com

This document also includes details on how to configure SAC to any setting (Evaluate, ON, OFF) even if it is not possible from Security Center - no need to refresh the Windows.

I see this warning on the MS page you referenced:

Important

Smart App Control can be manually configured via the Registry for testing purposes only. Editing Smart App Control settings in this way could compromise the protection it provides.

Have you tested it to check its protection?

 

[Andy Ful]

I see this warning on the MS page you referenced:

Have you tested it to check its protection?

Testing is not necessary. After changing the ON mode to OFF/Evaluate mode (via the Registry) and restarting the system, your computer is not protected by SAC. So, in this way, you can compromise the protection it provides. That is why such a modification is not available from Security Center.
Anyway, this is not a consistent view because Microsoft allows the user to turn off the Defender real-time protection from Security Center, but protects such a change via Registry by Tamper Protection.

The more secure way would be to protect the SAC Registry entries by Tamper Protection.

 

[oldschool]

I often test unsigned, non-prevalent installers with SAC. Lately I've taken to using RunBySmartscreen (with right-click + Shift thanks to @Andy Ful) for some installations which previously were blocked completely or in part by SAC and these were allowed with not a peep from SAC. One example is the new Ungoogled Chromium release which is unsigned and brand new. I believe that Smartscreen and SAC work together but I don't know if my recent experience using RBS can be taken as a direct correlation but it is surprising.

 

[Freki123]

For me SAC was a mixed bag. Most of the time it was ok. Sometimes I really hated it.
From memory: Got an online banking program installed without problems. Weeks later SAC started complaining that the dlls were not singed. Reported dlls as safe to MS they said they fixed it. Now SAC complains another dlls is not signed > report to MS. Told the developer of the problem and they fixed it later with a new full signed version.
Tldr: Why let me install a program and then not let me start it because of unsigned dll weeks later after already using it.

 

[ForgottenSeer 97327]

I had a simular experience (like @Freki123) on my wife's laptop with a photobook application. Reverted back to Microsoft Defender on MAX with H_C in SWH mode also blocking sponsors. To prevent the confusing messages of MD protected folders I set it to block disk modification only and installed AVAST free ransomware protection and Avast firewall. Although early days, this setup runs perfectly since july this year.

 

[oldschool]

I had a simular experience (like @Freki123) on my wife's laptop with a photobook application.

I suppose my use case is unique and also conducive to SAC as I have only browsers, NanaZip, Aomei Backupper Pro, Epson printer and no other 3rd party software.

 

[ForgottenSeer 97327]

I suppose my use case is unique and also conducive to SAC as I have only browsers, NanaZip, Aomei Backupper Pro, Epson printer and no other 3rd party software.

No it actually is a good trick to install something with smartcreen. Your experiences matches mine when playing with WDAC ISG (sort of simular to SAC but you can add rules like in SRP/Applocker). When smartscreen allows it, then WDAC ISG seemed to "losen up" and allows it also.

 

[oldschool]

@Andy Ful @Shadowra @SeriousHoax Do you know if SAC generates generic (Windows system) splash alerts like "This app can't run on your PC"? When I run an elevated command for one of my apps I get this but not the usual Defender SAC blocking notification.

 

[Andy Ful]

@Andy Ful @Shadowra @SeriousHoax Do you know if SAC generates generic (Windows system) splash alerts like "This app can't run on your PC"? When I run an elevated command for one of my apps I get this but not the usual Defender SAC blocking notification.

Some apps are designed to run only with lower rights.
Does it run with standard rights?
Do you use SUA?

 

[oldschool]

Does it run with standard rights?

Yes.

Do you use SUA?

Yes.

I can run the command standard or elevated and still get the same result.

 

[Andy Ful]

Yes.

Yes.

I can run the command standard or elevated and still get the same result.

From the first "Yes" I have understood that the app runs (works well) with standard rights on SUA ??? Your last comment suggests that it does not.

If the app works with standard rights on SUA, it can still refuse to run elevated. This can happen when the app is installed on SUA in the user's AppData folder. The elevated process started from SUA does not run on SUA but on the Admin account. So it does not see the application installation folder on SUA.
Such a problem does not occur when the app is installed on the Admin account.

What "elevated command" did you use?

 

[oldschool]

From the first "Yes" I have understood that the app runs (works well) with standard rights on SUA ??? Your last comment suggests that it does not.

Yes, it runs on SUA. I tried the command both elevated and not. "Access denied" result both ways in terminal with the code below:

startallbackcfg.exe /magic

 

[Andy Ful]

Yes, it runs on SUA. I tried the command both elevated and not. "Access denied" result both ways in terminal with the code below:

startallbackcfg.exe /magic

Understand.
Installed StartAllBack on Admin account (Windows 11 22H2 SAC ON) from https://www.startallback.com/download.php. I chose the installation for the current user.
It worked for me as follows:

1. Run Terminal (Admin).
2. Run the CMD console in Terminal and follow points 3 and 4 from it.
3. Change the path to the application installation folder:
   cd \
   cd %LocalAppData%\StartAllBack
4. Run the CmdLine
   startallbackcfg.exe /magic

No SAC blocks. So, the issue is not related to SAC.
I will try it on SUA and let you know.

Post updated.
Installed on SUA - works well.

 

[Andy Ful]

@oldschool,

On SUA, one has to use the application path explicitly, for example:
cd c:\Users\user_name\AppData\Local\StartAllBack

If the %LocalAppData% is used, one gets the path in the Admin account, because the CMD console runs with Admin rights.

 

[oldschool]

On SUA, one has to use the application path explicitly, for example:
cd c:\Users\user_name\AppData\Local\StartAllBack

Yes, I figured that out after trying the path from your previous post. Thanks for the help.

 

[Bill W]

I just installed Office 365 again after a break for awhile, and noticed that when I launch Word or Excel I no longer get a SAC notification telling me that part of this app is blocked. Nice.

 

[oldschool]

I just installed Office 365 again after a break for awhile, and noticed that when I launch Word or Excel I no longer get a SAC notification telling me that part of this app is blocked. Nice.

Ironic that SAC blocks MS stuff, but even when you do get an alert an app may still function just fine. My guess is that some of these alerts are SAC protecting some vulnerable process of the app, e.g. from MS Recommended Block List, but it's just a guess.