Windows 11's Smart App Control not smart enough yet as it blocked Microsoft's own file

[Gandalf_The_Grey]

Ever since Windows 11 was announced, Microsoft has maintained that security, alongside the general high quality, is one of the most important aspects of its new OS. Recently, the company also briefed about the various security features and technologies users get on Windows 11 explaining what they bring to the table. One of these new features is Smart App Control which blocks untrusted and unsigned apps that could be potentially malicious. And according to Microsoft, Smart App Control is not just a simple block all unsigned apps feature as it also uses the power of artificial intelligence (AI) to only allow apps that are predicted to be safe:

The firm explains:

Using code signing along with AI, our new Smart App Control only allows processes to run that are predicted to be safe based on either code certificates or an AI model for application trust within the Microsoft cloud.

[..] When a new application is run on Windows 11, its core signing and core features are checked against this model, ensuring only known safe applications are allowed to run.
However, while it does sound impressive, Smart App Control may not be quite smart enough, at least not yet, as it blocked one of the files developed by Microsoft itself.

Smart App Control is doing well. pic.twitter.com/AYDb5orgrL
— Xeno (@XenoPanther) May 24, 2022

As you can see, the feature blocked the harmless bootstrapper DLL file inside Windows SDK in this case as it may have been unsigned but the Smart App Control feature couldn't quite connect the dots.

Windows 11's Smart App Control not smart enough yet as it blocked Microsoft's own file

Windows 11 has several new security-related features. One of these features called Smart App Control that intelligently blocks suspicious apps and files blocked one of Microsoft's own files.

www.neowin.net

 

[Andy Ful]

Now we know that it can block PE files (EXE, DLLs, etc.). This shows that it is a rebranded ISG from Microsoft Defender Application Control.

The ISG uses the same vast security intelligence and machine learning analytics that power Microsoft Defender SmartScreen and Microsoft Defender Antivirus to help classify applications as having "known good," "known bad," or "unknown" reputation. When a binary runs on a system, with WDAC enabled with the ISG option, WDAC checks the file's reputation, by sending its hash and signing information to the cloud. If the ISG reports that the file has a "known good" reputation, the $KERNEL.SMARTLOCKER.ORIGINCLAIM kernel Extended Attribute (EA) is written to the file.

Authorize reputable apps with the Intelligent Security Graph (ISG) - Windows Security

Automatically authorize applications that Microsoft’s ISG recognizes as having known good reputation.

docs.microsoft.com

It is possible to implement it on any Windows 10/11 computer (versions supported by Microsoft) by a very simple Application Control Policy. I did this some time ago here:

New Update - Application Control on Windows 10 Home

Is it possible to use WD Application Control (WDAC) on Windows 10 Home, with disabled WD? The answer is somewhat surprising. Why? WDAC is the Windows 10 security feature, which was introduced for Windows Enterprise editions. It can be used only on the computers with UEFI. The working WDAC (WD...

malwaretips.com

Unfortunately, ISG-based protection is very restrictive. In my tests, it broke the auto-updates of several applications. The problem is usually related to the blocked DLLs. Even if one could successfully install/update the application, it can be still blocked on execution. Another problem is that submitting the blocked file to Microsoft does not guarantee that the file will be allowed by ISG. For example, all my applications are whitelisted by SmartScreen and Defender (including ASR blocks), but still, most of them are blocked by ISG.

 

[Andy Ful]

It seems that the applications blocked by Smart App Control can be submitted separately from the normal Defender submissions:

 

[Andy Ful]

There is a Microsoft document about Smart App Control:

What is Smart App Control? - Microsoft Support

Smart App Control is a feature of Windows 11 that helps to block malicious, untrusted, or potentially unwanted apps from running on your device.

support.microsoft.com

Some additional information can be found here:

Smart App Control in Windows 11 explained - gHacks Tech News

Smart App Control is a new security feature of Microsoft's Windows 11 operating system. Here is how it works!

www.ghacks.net

### If I correctly understand the signed applications will be automatically whitelisted (except for known malicious ones).

​

"How can I tell Smart App Control to let this one specific app through?"​

There is currently no way to bypass Smart App Control protection for individual apps. You can turn Smart App Control off, or (better yet), contact the developer of the app and encourage them to sign their app with a valid signature.

​

"I'm an app developer, how can I get Smart App Control to not block my app?"​

The simple answer is, sign your app with a valid certificate

### There will be also Evaluation mode available:

Evaluation mode​

We start in evaluation mode. This is a period during which Windows tries to determine if you're a good candidate for Smart App Control. If you are a good candidate for Smart App Control, then it will automatically be turned on. If not, it'll be turned off.

Smart App Control won't block anything while it's in evaluation mode.

Once the evaluation is complete, or if you manually switch Smart App Control on or off, you won't be able to return to evaluation mode unless you reinstall or reset Windows.

 

[silversurfer]

Microsoft improves Windows 11's Smart App Control, but you may not be able to use it​

Microsoft updated Smart App Control recently, according to a message on Twitter by David Weston, Microsoft's VP for Enterprise and OS Security. According to Weston, Smart App Control is blocking specific file types automatically if they come from the Internet.

Windows 11 with smart app control blocks iso and lnk files that have mark of the web just like Macros.

The protective feature copies the protections that Microsoft implemented recently to block the execution of Office files with macros, provided that the Office files came from the Internet zone.

Microsoft plans to update the documentation, which lacks information and clarity. Bleeping Computer got their hands on an extended list of file extensions that Smart App Control blocks by default. Besides iso and lnk, Smart App Control appears to block IMG, VHD, VHDX, .appref-ms, BAT, CMD, CHM, CPL, JS, JSE, MSC, MSP, REG, VBE, VBS and WSF files, provided that they come from an unsafe location.

Smart App Control: Only for new installs and reset devices​

The main caveat when it comes to Smart App Control is that it is only ever active on new installs or machines that have just been reset. Apparently, Microsoft added the limitation to Smart App Control to ensure that no malicious apps or programs are already running on the device.

Only some Windows 11 users will have access to Smart App Control. Even on new installs, Smart App Control may decide to turn itself off during the evaluation phase. In that case, users have no option to turn it on once it has been turned off.

Microsoft improves Windows 11's Smart App Control, but you may not be able to use it - gHacks Tech News

Microsoft has improved the Windows 11 security feature Smart App Control. It blocks certain file extensions from unsafe locations automatically now.

www.ghacks.net

 

[upnorth]

 

[WhiteMouse]

I'm not impressed by SAC after I read more about it. It's just a pre-made WDAC policy by Microsoft (Windows Default + Recommended Block Rules + Microsoft ISG - Constrained Language Mode). Nothing special and you can't even create an exclusion. It might be good for someone who wants good security but don't want to deal with WDAC as it's not user-friendly.

 

[EASTER]

Workaround??

you can create a system restore before turning it on, then turn it on, restart, see which programs are affected, if you can live without them then keep it on, if you can't, use restore point to go back to evaluation mode.

Guess one may assume an image backup/restore beforehand might serve to preserve that setting as well.
Interesting technique. MS with 11 series is fairly determined to tighten the screws. Wonder how this new feature will be taken by users.

My own Dell (it's a 10 version) had S-mode by default which seems vaguely similar- Of course i opted out of it. It was permanently either S-Mode or no S-Mode.

 

[Andy Ful]

Some useful information about SAC:

Microsoft Answers Some Windows 11 Security Questions -- Redmondmag.com

Microsoft's coming Windows 11 security improvements, announced last week, may be available for Windows 10 machines as well.

redmondmag.com

Smart App Control Internals (Part 1) :: Up is Down and Black is White — n4r1b

Deep dive into the internals of the latest Windows Security feature: "Smart App Control"

n4r1b.com

 

[HarborFront]

Smart App Control cannot be enabled if you update the OS from Win 10 to Win11

Mine cannot since I updated my OS from Win 10 Pro to Win 11 Pro