Windows 11's Smart App Control not smart enough yet as it blocked Microsoft's own file

Gandalf_The_Grey

Level 63
Thread author
Verified
Honorary Member
Top poster
Content Creator
Well-known
Apr 24, 2016
5,173
Ever since Windows 11 was announced, Microsoft has maintained that security, alongside the general high quality, is one of the most important aspects of its new OS. Recently, the company also briefed about the various security features and technologies users get on Windows 11 explaining what they bring to the table. One of these new features is Smart App Control which blocks untrusted and unsigned apps that could be potentially malicious. And according to Microsoft, Smart App Control is not just a simple block all unsigned apps feature as it also uses the power of artificial intelligence (AI) to only allow apps that are predicted to be safe:

The firm explains:

Using code signing along with AI, our new Smart App Control only allows processes to run that are predicted to be safe based on either code certificates or an AI model for application trust within the Microsoft cloud.

[..] When a new application is run on Windows 11, its core signing and core features are checked against this model, ensuring only known safe applications are allowed to run.
However, while it does sound impressive, Smart App Control may not be quite smart enough, at least not yet, as it blocked one of the files developed by Microsoft itself.

Smart App Control is doing well. pic.twitter.com/AYDb5orgrL
— Xeno (@XenoPanther) May 24, 2022

As you can see, the feature blocked the harmless bootstrapper DLL file inside Windows SDK in this case as it may have been unsigned but the Smart App Control feature couldn't quite connect the dots.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top poster
Developer
Well-known
Dec 23, 2014
7,184
Now we know that it can block PE files (EXE, DLLs, etc.). This shows that it is a rebranded ISG from Microsoft Defender Application Control.
The ISG uses the same vast security intelligence and machine learning analytics that power Microsoft Defender SmartScreen and Microsoft Defender Antivirus to help classify applications as having "known good," "known bad," or "unknown" reputation. When a binary runs on a system, with WDAC enabled with the ISG option, WDAC checks the file's reputation, by sending its hash and signing information to the cloud. If the ISG reports that the file has a "known good" reputation, the $KERNEL.SMARTLOCKER.ORIGINCLAIM kernel Extended Attribute (EA) is written to the file.

It is possible to implement it on any Windows 10/11 computer (versions supported by Microsoft) by a very simple Application Control Policy. I did this some time ago here:

Unfortunately, ISG-based protection is very restrictive. In my tests, it broke the auto-updates of several applications. The problem is usually related to the blocked DLLs. Even if one could successfully install/update the application, it can be still blocked on execution. Another problem is that submitting the blocked file to Microsoft does not guarantee that the file will be allowed by ISG. For example, all my applications are whitelisted by SmartScreen and Defender (including ASR blocks), but still, most of them are blocked by ISG.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top poster
Developer
Well-known
Dec 23, 2014
7,184
It seems that the applications blocked by Smart App Control can be submitted separately from the normal Defender submissions:

1653476359109.png
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top poster
Developer
Well-known
Dec 23, 2014
7,184
There is a Microsoft document about Smart App Control:

Some additional information can be found here:

### If I correctly understand the signed applications will be automatically whitelisted (except for known malicious ones).

"How can I tell Smart App Control to let this one specific app through?"​

There is currently no way to bypass Smart App Control protection for individual apps. You can turn Smart App Control off, or (better yet), contact the developer of the app and encourage them to sign their app with a valid signature.

"I'm an app developer, how can I get Smart App Control to not block my app?"​

The simple answer is, sign your app with a valid certificate

### There will be also Evaluation mode available:

Evaluation mode​

We start in evaluation mode. This is a period during which Windows tries to determine if you're a good candidate for Smart App Control. If you are a good candidate for Smart App Control, then it will automatically be turned on. If not, it'll be turned off.

Smart App Control won't block anything while it's in evaluation mode.

Once the evaluation is complete, or if you manually switch Smart App Control on or off, you won't be able to return to evaluation mode unless you reinstall or reset Windows.
 
Last edited:

silversurfer

Level 85
Verified
Honorary Member
Top poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
7,781

Microsoft improves Windows 11's Smart App Control, but you may not be able to use it​

Microsoft updated Smart App Control recently, according to a message on Twitter by David Weston, Microsoft's VP for Enterprise and OS Security. According to Weston, Smart App Control is blocking specific file types automatically if they come from the Internet.
Windows 11 with smart app control blocks iso and lnk files that have mark of the web just like Macros.
The protective feature copies the protections that Microsoft implemented recently to block the execution of Office files with macros, provided that the Office files came from the Internet zone.

Microsoft plans to update the documentation, which lacks information and clarity. Bleeping Computer got their hands on an extended list of file extensions that Smart App Control blocks by default. Besides iso and lnk, Smart App Control appears to block IMG, VHD, VHDX, .appref-ms, BAT, CMD, CHM, CPL, JS, JSE, MSC, MSP, REG, VBE, VBS and WSF files, provided that they come from an unsafe location.

Smart App Control: Only for new installs and reset devices​

The main caveat when it comes to Smart App Control is that it is only ever active on new installs or machines that have just been reset. Apparently, Microsoft added the limitation to Smart App Control to ensure that no malicious apps or programs are already running on the device.

Only some Windows 11 users will have access to Smart App Control. Even on new installs, Smart App Control may decide to turn itself off during the evaluation phase. In that case, users have no option to turn it on once it has been turned off.
 

WhiteMouse

Level 3
Verified
Well-known
Apr 19, 2017
141
I'm not impressed by SAC after I read more about it. It's just a pre-made WDAC policy by Microsoft (Windows Default + Recommended Block Rules + Microsoft ISG - Constrained Language Mode). Nothing special and you can't even create an exclusion. It might be good for someone who wants good security but don't want to deal with WDAC as it's not user-friendly.
 

EASTER

Level 3
Verified
Well-known
May 9, 2017
147
Workaround??
you can create a system restore before turning it on, then turn it on, restart, see which programs are affected, if you can live without them then keep it on, if you can't, use restore point to go back to evaluation mode.

Guess one may assume an image backup/restore beforehand might serve to preserve that setting as well.
Interesting technique. MS with 11 series is fairly determined to tighten the screws. Wonder how this new feature will be taken by users.

My own Dell (it's a 10 version) had S-mode by default which seems vaguely similar- Of course i opted out of it. It was permanently either S-Mode or no S-Mode.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top poster
Developer
Well-known
Dec 23, 2014
7,184
Last edited:
  • Like
Reactions: EASTER

HarborFront

Level 62
Verified
Top poster
Content Creator
Oct 9, 2016
5,137
Smart App Control cannot be enabled if you update the OS from Win 10 to Win11

Mine cannot since I updated my OS from Win 10 Pro to Win 11 Pro