Your app installation is 100% SAC compatible with Advanced Installer

Written by Alex Marin · July 21st, 2022

#NEWS #SECURITY

With the release of Windows 11 Insider Preview Build 22567, Microsoft added a new security feature called Smart App Control (SAC for short).

Smart App Control (SAC) blocks untrusted or potentially dangerous applications to better secure Windows devices. How does this affect Windows installers? Let's find out.

What is Smart App Control?

Smart App Control blocks apps that could potentially harm or slow down your device by displaying unexpected ads, offering extra software or making unexpected changes to your system. We can think of SAC as a combination of SmartScreen and Defender.

When you run an app on Windows, SAC checks whether the system's cloud-powered security service can provide a prediction on whether the application is safe. If the cloud service considers the app to be safe, Smart App Control lets it run.

If the security service does not provide a prediction, SAC checks whether the app has a valid signature. If there is a valid signature, SAC lets the app run. If not, Smart App Control blocks it.

Since SAC is currently a cloud service and it hasn't been rolled out to all users, we should expect its predictions to become more accurate with time.

We can expect to see some false flagging, as happens with Defender. For instance, our team at Advanced Installer got a few false flags with Defender over the years, but we have the possibility to bring this up to Microsoft to investigate the false flag and eliminate it from the cloud, so that our users are not affected.

At this time, we're not sure how false flagging will be handled with Smart App Control.

How to enable Smart App Control (SAC)?

You can find the settings for Smart App Control in the App & browser control panel of the Windows Security app.

Note: SAC will only run on clean installations of Windows 11. If you have an old installation of Windows 11, or upgraded from Windows 10 to Windows 11, then SAC will not be available. The reason why SAC works only on clean installations is to make sure there aren't already untrusted apps running on the device when we turn Smart App Control on.

SAC is designed to scan every application that you install after a clean installation. Once an application is installed, SAC cannot control what it does. That is more of a job for Microsoft Defender.

Apart from the ON and OFF switches, Smart App Control does not let you whitelist individual applications. For example, if an application is deemed vulnerable, you cannot control SAC in any way to allow it to be installed. The only way to make it work on your system is to reach out to the software vendor.

Note: After you turn SAC on, it begins an evaluation session. This determines if you are a "candidate" to use SAC. After completion, it either stays on or turns off. During evaluation, no blocking happens. You have no control over the evaluation results. The result is based on your day-to-day activity on the machine.

How does SAC influence your installers?

When we have SAC enabled on a Windows 11 machine, it seems to currently block DLL/EXE/PowerShell files when used as Custom Actions.

According to Microsoft's statements, SAC should be able to flag an application as malicious based either on the presence of a digital signature or on its usage (there are many free tools that are not digitally signed, and we don't think these will be blocked).

As previously mentioned, we need to wait and see how SAC will improve its detection in the future, but for the moment, the safest way to eliminate the risk of a falsely flagged installation is to sign the DLL/EXE/PowerShell files that you are using in your installer.

Advanced Installer added full support for Smart App Control (SAC)

We are happy to announce that Advanced Installer is currently 100% SAC compatible.

Starting with the 19.7 version of Advanced Installer, we've decided to sign with our own certificate all the binary DLLs that we include in the customer setup package. This way, we ensure that all the binary files that we include in the Advanced Installer package kit are SAC compatible.

This makes it much easier for you to build your installer without having to worry about digitally signing each custom action.

In addition to that, we recommend you include only digitally signed files in your setup package. This means you need to make sure your own custom actions are digitally signed too. You need to use your own certificate for that.
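
The recommendation above can be checked before each build. The script below is an added example, not part of Advanced Installer or the original article; it reports the Authenticode status of every DLL, EXE and PowerShell file in a staging folder and fails if any lacks a valid signature. The folder name `.\setup-staging` is a hypothetical placeholder.

```powershell
# Added example: audit the files that go into a setup package for valid signatures.
param(
    # Assumption: hypothetical folder holding custom-action payloads before packaging.
    [string]$StagingDir = '.\setup-staging'
)

# File types the article reports as blocked when used as unsigned custom actions.
$extensions = '.dll', '.exe', '.ps1', '.psm1'

$results = Get-ChildItem -Path $StagingDir -Recurse -File |
    Where-Object { $extensions -contains $_.Extension.ToLowerInvariant() } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
        [pscustomobject]@{
            File        = $_.FullName
            Status      = $sig.Status   # Valid, NotSigned, HashMismatch, NotTrusted, ...
            Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            CertExpires = if ($sig.SignerCertificate) { $sig.SignerCertificate.NotAfter } else { $null }
            # Without a timestamp, the signature stops validating once the certificate expires.
            Timestamped = [bool]$sig.TimeStamperCertificate
        }
    }

$results | Sort-Object Status, File | Format-Table -AutoSize

# Anything other than 'Valid' (unsigned, tampered after signing, untrusted chain) fails the audit.
$failing = @($results | Where-Object { $_.Status -ne 'Valid' })
$noTimestamp = @($results | Where-Object { $_.Status -eq 'Valid' -and -not $_.Timestamped })

if ($noTimestamp.Count -gt 0) {
    Write-Warning "$($noTimestamp.Count) signed file(s) carry no timestamp."
}
if ($failing.Count -gt 0) {
    Write-Error "$($failing.Count) file(s) lack a valid Authenticode signature."
    exit 1
}
```

Run it as a pre-build step so that a non-zero exit code stops packaging until the listed files are signed with your own certificate.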

Tip: As we write this, the Advanced Installer team is implementing a dedicated GUI that will enable you to sign any files you want to include in your setup package. Keep an eye on the Monthly Product Updates.

Thoughts and conclusion

It is obvious that Microsoft is pushing for more digital signing, which also makes sense from a security point of view. What is a bit unclear at the moment is how Smart App Control handles other types of custom actions, for example VBScript or JScript, as these types of custom actions cannot be digitally signed.

From my experience, VBScript is still very popular and used intensively amongst the IT Pro community, especially software packaging engineers who are handling either repackaging or transformation tasks for the installers, so let's see how Smart App Control manages these types of files.

What is your take on this matter? How do you think it will impact your installers?