Here's a comparison of a system with the default SmartScreen "Check apps and files" enabled (left) and with it disabled (right).
Having SmartScreen enabled has the value add of automatically running the JS when it's clicked on, whereas w/ it disabled it gives the user a warning.
The SmartScreen behavior seems a touch nondeterministic. For me, corrupt Authenticode == no prompt, *ALMOST* 100% of the time. If I'm lucky, I *might* get a MotW prompt. Procmon doesn't have enough visibility to see what happens differently.
Enter Time-Travel Debugging and "wt":
If reverting a VM snapshot and pressing "Enter" results in one behavior (no prompt) virtually 100% of the time, but occasionally some other behavior (MotW prompt), that sort of becomes a tricky thing to nail down.
Race condition perhaps?
CryptMsgOpenToDecode is only w/ no-prompt.
I was looking within smartscreen.exe for where the flaw might be, the trick was to go one level up to the shdocvw.dll library that calls it.
As it turns out, the default value for the user answer is "Run", and an Authenticode error skips the prompt. 🤦♂️
blog.0patch.com/2022/10/free…
Let's take the corrupt-authenticode bug out of the picture. I can't tell how Windows decides how to scan/prompt downloads.
In a VM with no network (so we clearly see the SS warning), we have calc.exe from XP in a zip:
Extract first: SmartScreen Warning.
Run from Zip: Just run!
🤷♂️
What if I just have a simple, unsigned .JS file that runs calc.exe? This VM has internet connectivity.
Extract the .JS file from the zip and try to run it: Warning that JS files can harm my computer.
Run the .JS file directly from the ZIP: YOLO.
Note that the prior two screen recordings of Windows not warning before running things directly from a zip are from a Windows 11 22H2 system.
I've not been able to reproduce this behavior on older Windows systems.
And just to be clear here:
If you're running Windows 11 22H2 and Smart App Control (SAC) isn't enabled for any of various reasons, things like .LNK files in a ZIP will open without prompting or SmartScreen scanning.
No .ISO or other CVE-TBD ZIP trickery involved.
So to summarize, we've got 3 different MotW bypasses:
1) "Special" ZIP contents - Works on all versions of Windows
2) Corrupt Authenticode - Works on all Windows versions prior to Win11 22H2
3) Just open from ZIP directly - Works on Win11 22H2
Take your pick. Or hedge your bets!
2 problems:
1) NTFS-level no-exec perms catch EXE and friends. But not other things like JS, HTA...
2) Path-based Software Restriction Policies work way better for blocking things that run.
The kicker: Starting with Win11 22H2, newly-created policies don't work.
Bugs everywhere!
Nov 5, 2022 · 5:19 AM UTC
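Since every bypass in the thread comes down to whether a file still carries the Mark-of-the-Web when it is launched, a defender's first check is to see which files actually have the Zone.Identifier stream. The script below is an added example and is not code from the thread's author; it assumes the folder to audit is the current user's Downloads directory (override with -Path).

```powershell
# Added example: list files under a folder and report whether each one carries
# the Mark-of-the-Web (the NTFS "Zone.Identifier" alternate data stream).
# Files without the stream will not get a MotW/SmartScreen prompt when opened.
param(
    # Assumption: audit the Downloads folder unless told otherwise
    [string]$Path = (Join-Path $env:USERPROFILE 'Downloads')
)

function Get-MotwReport {
    param([string]$Folder)

    Get-ChildItem -LiteralPath $Folder -File -Recurse | ForEach-Object {
        $zoneId = $null
        try {
            # Reading the named stream throws if the file has no Zone.Identifier
            $stream = Get-Content -LiteralPath $_.FullName -Stream 'Zone.Identifier' -ErrorAction Stop
            $line   = $stream | Where-Object { $_ -like 'ZoneId=*' } | Select-Object -First 1
            if ($line) { $zoneId = [int](($line -split '=', 2)[1]) }   # 3 = Internet, 4 = Restricted
        } catch {
            # No stream: the file was never marked, or the mark was lost (e.g. extracted by a tool that drops it)
        }
        [pscustomobject]@{
            File    = $_.FullName
            ZoneId  = $zoneId
            HasMotW = ($null -ne $zoneId)
        }
    }
}

# Files missing MotW are listed first so the gaps stand out
Get-MotwReport -Folder $Path | Sort-Object HasMotW, File | Format-Table -AutoSize
```

Run it once against a freshly downloaded ZIP and again against its extracted contents to see whether your archive tool propagates the mark, which is the difference the thread's "extract first" vs. "run from ZIP" recordings hinge on.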