Here's a comparison of a system with the default SmartScreen "Check apps and files" enabled (left) and with it disabled (right). Having SmartScreen enabled has the value add of automatically running the JS when it's clicked on, whereas w/ it disabled it gives the user a warning.
The SmartScreen behavior seems a touch nondeterministic. For me, corrupt Authenticode == no prompt, *ALMOST* 100% of the time. If I'm lucky, I *might* get a MotW prompt. Procmon doesn't have enough visibility to see what happens differently. Enter Time-Travel Debugging and "wt":
If reverting a VM snapshot and pressing "Enter" results in one behavior (no prompt) virtually 100% of the time, but occasionally some other behavior (MotW prompt), that sort of becomes a tricky thing to nail down. Race condition perhaps? CryptMsgOpenToDecode is only w/ no-prompt.
I was looking within smartscreen.exe for where the flaw might be; the trick was to go one level up to the shdocvw.dll library that calls it. As it turns out, the default value for the user answer is "Run", and an Authenticode error skips the prompt. 🤦‍♂️ blog.0patch.com/2022/10/free…
Let's take the corrupt-authenticode bug out of the picture. I can't tell how Windows decides how to scan/prompt downloads. In a VM with no network (so we clearly see the SS warning), we have calc.exe from XP in a zip: Extract first: SmartScreen Warning. Run from Zip: Just run! 🤷‍♂️
What if I just have a simple, unsigned .JS file that runs calc.exe. This VM has internet connectivity. Extract the .JS file from the zip and try to run it: Warning that JS files can harm my computer. Run the .JS file directly from the ZIP: YOLO.
Note that the prior two screen recordings of Windows not warning before running things directly from a zip are from a Windows 11 22H2 system. I've not been able to reproduce this behavior on older Windows systems.
And just to be clear here: If you're running Windows 11 22H2 and Smart App Control (SAC) isn't enabled for any of various reasons, things like .LNK files in a ZIP will open without prompting or SmartScreen scanning. No .ISO or other CVE-TBD ZIP trickery involved.
So to summarize, we've got 3 different MotW bypasses:
1) "Special" ZIP contents - Works on all versions of Windows
2) Corrupt Authenticode - Works on all Windows versions prior to Win11 22H2
3) Just open from ZIP directly - Works on Win11 22H2
Take your pick. Or hedge your bets!
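As an added defender-side check (not code from the thread), this PowerShell function reports whether the files in an extracted folder still carry the Mark-of-the-Web, i.e. a Zone.Identifier alternate data stream, so you can see which extracted items SmartScreen would even have a chance to inspect. The folder path in the usage line is an assumption.

```powershell
# Added example, not code from the thread: report which files under a folder
# carry the Mark-of-the-Web (a Zone.Identifier alternate data stream). Run it
# over the contents of an extracted download to see whether MotW survived
# extraction; files without it are the ones SmartScreen will not inspect.
function Get-MotwReport {
    param(
        [Parameter(Mandatory)]
        [string]$Path   # folder to scan, e.g. where a ZIP was extracted
    )
    Get-ChildItem -LiteralPath $Path -File -Recurse | ForEach-Object {
        $file    = $_
        $zoneId  = $null
        $hostUrl = $null
        # Get-Item -Stream returns nothing (no error) when the stream is absent
        $stream = Get-Item -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        if ($stream) {
            # The stream is INI-style text: [ZoneTransfer] / ZoneId=3 / HostUrl=...
            foreach ($line in (Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier)) {
                if ($line -match '^ZoneId=(\d+)')  { $zoneId  = [int]$Matches[1] }
                if ($line -match '^HostUrl=(.+)$') { $hostUrl = $Matches[1] }
            }
        }
        [pscustomobject]@{
            File    = $file.FullName
            HasMotW = [bool]$stream
            ZoneId  = $zoneId          # 3 = Internet, 4 = Restricted sites
            HostUrl = $hostUrl
        }
    }
}

# Usage (assumed path): list the extracted files that carry no MotW at all
Get-MotwReport -Path "$env:USERPROFILE\Downloads\extracted" |
    Where-Object { -not $_.HasMotW } | Format-Table File, HasMotW, ZoneId
```

Files that show HasMotW as False are exactly the ones the thread's demos run without a SmartScreen prompt; a ZoneId of 3 or 4 is what triggers the "Check apps and files" warning.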
For the ZIP files, have you tested Deny Execute NTFS permissions for the user's temporary folder? This is sure to have ramifications for some userland installations and such, but many of us are already doing similar with AppLocker :)
Replying to @NathanMcNulty
2 problems:
1) NTFS-level no-exec perms catch EXE and friends. But not other things like JS, HTA...
2) Path-based Software Restriction Policies work way better for blocking things that run. The kicker: Starting with Win11 22H2, newly-created policies don't work. Bugs everywhere!

Nov 5, 2022 · 5:19 AM UTC
Here's the same demo, but with a policy created in Win11 22H2. The same sort of Software Restriction Policy that worked fine on 21H2 simply doesn't do anything with 22H2. It's becoming hard to keep track of all the things that are broken. 😕
As it is right now, if you're on Win11 22H2, your best bet is probably to disable SmartScreen until all of this is fixed. At least one person has implied that this is dangerous, but I struggle to understand how it's more dangerous than Win11 22H2 as it is.
Replying to @wdormann
Disabling SmartScreen probably only makes sense on Win11 22H2, as this vulnerability doesn't need an attacker to consciously target it. Compare the default behavior (SmartScreen enabled) vs. with SmartScreen disabled. You decide which behavior seems safer for yourself.
Nothing useful there that I can see. But Software Restriction Policies are completely unrelated to Defender, no?
Do you need me to push on the execute thing?
In my experience, documented behaviors are often what MS originally had in mind for a feature, not necessarily what ACTUALLY happens. Per learn.microsoft.com/en-us/an… "Read & execute: Allows users to view and run executable files, including scripts." But this is definitely false. 🤷‍♂️
Replying to @wdormann
Ahh darn... I should have tested a bit more but had to run out. The downside to SRP/AppLocker is familiarity for admins and licensing. Was hoping for something like icacls/Set-Acl that would be more doable for admins.