Often, attackers will attempt to prevent security software from interfering with their attack chains by abusing a vulnerable driver to kill or otherwise disable the system’s security software (antivirus, EDR, etc.). Because drivers run in highly-privileged OS kernel mode, it is difficult to prevent attackers from achieving their goals if they manage to achieve code execution in the kernel.
To ensure that only legitimate code gets to run in the kernel, Windows requires that the driver code bear an Authenticode signature from a particular certificate authority. Microsoft signs these drivers only after verifying their provenance and running through various driver-verification suites to help ensure their robustness.
However, even if all of the drivers on a system are legitimate, attackers have had success in finding vulnerabilities in legitimate drivers that allow them to abuse the driver to achieve their goals. Like any code, some drivers have bugs that allow them to corrupt memory, leak data that needs to be secret, or otherwise perform functions unintended by the original author. These vulnerable drivers represent a critical attack surface that attackers abuse to achieve their own ends.
Beyond abusing drivers already present on a victim device, in a BYOVD attack (Bring Your Own Vulnerable Driver) an attacker drops a vulnerable driver onto the device, then abuses it with their malware.
To address this threat vector, Microsoft has three main mechanisms:
Exploitable driver blocklist – Enforced by the Windows kernel itself, allows blocking the load of drivers known to be vulnerable.
Microsoft Defender Attack Surface Reduction rule – Enforced by Microsoft Defender, prevents writing of known vulnerable drivers to the system. By preventing the write of the driver before it loads, the risk of compatibility problems is somewhat reduced (because in a legitimate scenario, the installer for the device will fail at install time rather than at runtime).
Microsoft Defender Signatures – Enforced by Microsoft Defender Antivirus, blocks vulnerable drivers directly using the AV engine. This approach is appropriate only for drivers under active exploitation and with little legitimate use.
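As an added example (not from the original post), the following PowerShell reports the state of the three mechanisms above and can turn on the first two. It assumes the documented CI\Config registry value for the kernel blocklist and the documented ASR rule GUID, and must be run elevated.

```powershell
# Added example: report (and optionally enable) the vulnerable-driver defenses.
# Assumptions: the registry value and ASR rule GUID below are the ones Microsoft
# documents for the driver blocklist and the "Block abuse of exploited vulnerable
# signed drivers" rule; run from an elevated PowerShell.
$CiConfig       = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$AsrDriverRule  = '56a863a9-875e-4185-98a7-b882c64b5ce5'
$AsrActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-VulnerableDriverDefenseState {
    # 1) Kernel-enforced blocklist. On HVCI/S-mode devices it is on by default;
    #    this value is the explicit opt-in for everything else.
    $blocklist = (Get-ItemProperty -Path $CiConfig -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable

    # 2) Defender ASR rule. Ids and Actions are parallel arrays in Get-MpPreference.
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $idx  = -1
    for ($i = 0; $i -lt $ids.Count; $i++) { if ($ids[$i] -eq $AsrDriverRule) { $idx = $i; break } }
    $action = if ($idx -ge 0) { [int]$pref.AttackSurfaceReductionRules_Actions[$idx] } else { $null }

    # 3) Defender signatures only help if the engine is running and current.
    $status = Get-MpComputerStatus

    [pscustomobject]@{
        KernelBlocklistEnabled = ($blocklist -eq 1)
        AsrDriverRuleAction    = if ($null -ne $action) { $AsrActionNames[$action] } else { 'NotConfigured' }
        RealTimeProtection     = $status.RealTimeProtectionEnabled
        SignatureAgeDays       = $status.AntivirusSignatureAge
    }
}

function Enable-VulnerableDriverDefenses {
    # The kernel blocklist setting takes effect after a reboot; the ASR rule is immediate.
    New-Item -Path $CiConfig -Force | Out-Null
    Set-ItemProperty -Path $CiConfig -Name VulnerableDriverBlocklistEnable -Value 1 -Type DWord
    Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrDriverRule `
                     -AttackSurfaceReductionRules_Actions Enabled
    Update-MpSignature
}

Get-VulnerableDriverDefenseState | Format-List
```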
Users of modern versions of Windows 11 have a powerful security feature for keeping their devices secure, known as Smart App Control.
I’ve talked about this feature a few times over the last year, but in April 2026, a powerful improvement landed. Previously, Smart App Control could not be turned back on if you ever turned it off. That limitation has been removed in Windows 11 version 25H2 (Windows Security App v1000.29554+), making the feature far more practical to use and try out.
What is Smart App Control?
While Windows’ SmartScreen AppRep feature only checks the reputation of the entry point program (typically a .exe file) from an untrusted origin (like the Internet), Windows 11’s Smart App Control goes further than SmartScreen and evaluates the trust/signatures of all code (DLLs, scripts, etc.) that is loaded by the Windows OS loader and script engines. This provides a broader range of protection (somewhat akin to Gatekeeper on macOS) and addresses AppRep bypasses like DLL hijacking. If a code file is unsigned, Windows will consult the Microsoft Defender Intelligent Security Graph in the cloud to see whether the file is known to be trustworthy and permit it to load only if so.
Beyond trust evaluation, when Smart App Control is enabled, many dangerous file types are blocked from ShellExecute() entirely if a file is from an untrusted origin.
End-users can enable Smart App Control in the Windows Security App.
Automatic Enablement
By default, Smart App Control starts in Evaluation mode, meaning that it watches as you use your device to determine whether SAC’s protections are a good match for your use cases. While SAC works great for the majority of consumers, it tends to cause too much friction on devices used by Developers and within Enterprises, because these devices commonly interact with unsigned code or code that is not broadly used by the public.
Other file types
One of the most exciting features of Smart App Control is that it blocks the Windows Shell from opening files of certain types if they originate from untrusted locations.
As of April 2026, the list of SAC-blocked-if-MotW extensions is .appref-ms, .appx, .appxbundle, .bat, .chm, .cmd, .com, .cpl, .dll, .drv, .gadget, .hta, .iso, .js, .jse, .lnk, .msc, .msp, .ocx, .pif, .ppkg, .printerexport, .ps1, .rdp, .reg, .scf, .scr, .settingcontent-ms, .sys, .url, .vb, .vbe, .vbs, .vhd, .vhdx, .vxd, .wcx, .website, .wsf, .wsh.
If you attempt to open one of these potentially dangerous files from an untrusted source, you’ll encounter the following block dialog:
Notably, this dialog box does not offer an override. If you’re confident that the file is from a trusted source, you could remove the MotW or temporarily disable SAC before opening it.
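As an added example (not from the original post), the following PowerShell reads a download’s Mark of the Web from its Zone.Identifier stream and tells you whether SAC’s file-type block applies, using the extension list above. It assumes an NTFS volume and treats ZoneId 3 (Internet) and 4 (Restricted Sites) as untrusted origins.

```powershell
# Added example: does SAC's MotW file-type block apply to this file?
# Assumptions: NTFS (the MotW is the Zone.Identifier alternate data stream) and
# ZoneId 3/4 counting as "untrusted origin". The extension list is the April 2026 one.
$SacBlockedIfMotW = @(
    '.appref-ms', '.appx', '.appxbundle', '.bat', '.chm', '.cmd', '.com', '.cpl',
    '.dll', '.drv', '.gadget', '.hta', '.iso', '.js', '.jse', '.lnk', '.msc',
    '.msp', '.ocx', '.pif', '.ppkg', '.printerexport', '.ps1', '.rdp', '.reg',
    '.scf', '.scr', '.settingcontent-ms', '.sys', '.url', '.vb', '.vbe', '.vbs',
    '.vhd', '.vhdx', '.vxd', '.wcx', '.website', '.wsf', '.wsh'
)

function Get-MotWInfo {
    param([Parameter(Mandatory)][string]$Path)
    $item = Get-Item -LiteralPath $Path -ErrorAction Stop
    $info = [ordered]@{
        Path          = $item.FullName
        Extension     = $item.Extension.ToLowerInvariant()
        HasMotW       = $false
        ZoneId        = $null
        ReferrerUrl   = $null
        HostUrl       = $null
        SacWouldBlock = $false
    }
    # Zone.Identifier is INI-style: [ZoneTransfer] / ZoneId=3 / ReferrerUrl=... / HostUrl=...
    $lines = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if ($lines) {
        $info.HasMotW = $true
        foreach ($line in $lines) {
            if ($line -match '^(ZoneId|ReferrerUrl|HostUrl)=(.*)$') {
                $info[$Matches[1]] = $Matches[2].Trim()
            }
        }
    }
    $untrusted = $info.HasMotW -and ($info.ZoneId -in @('3', '4'))
    $info.SacWouldBlock = $untrusted -and ($info.Extension -in $SacBlockedIfMotW)
    [pscustomobject]$info
}

# Usage: inspect a download; strip the MotW only after you have verified its origin.
$report = Get-MotWInfo -Path "$env:USERPROFILE\Downloads\tool.ps1"
$report | Format-List
if ($report.SacWouldBlock) {
    Write-Warning "SAC will refuse to ShellExecute this file while it carries the MotW."
    # Unblock-File deletes the Zone.Identifier stream (same effect as the
    # Properties > Unblock checkbox). Uncomment only for a file you trust:
    # Unblock-File -LiteralPath $report.Path
}
```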
When SAC is enabled, Microsoft Defender Antivirus enters a special “Hybrid” mode (similar to its passive mode). In Hybrid mode, Defender’s real-time protection feature is less active, reducing the monitoring (behavior monitoring and file open/close scans) for processes unless the system determines that the process is one that is particularly interesting (e.g. a script engine host).
Unfortunately, SAC’s dangerous file type list is baked into the feature and is not extensible. It does not respect the HighRiskFileTypes list from the registry or the EditFlags of the file type.
Developer Guidance
For software publishers, the best way to avoid problems with SAC blocking your app is to sign your code, already a longstanding best practice. Importantly, unlike SmartScreen AppRep (which only verifies the reputation of files with an Internet origin), SAC verifies signatures on all code modules, including DLLs and packages like MSIs. That means that tricks like using a signed stub installer to drop unsigned code will not be good enough.
One early problem with Smart App Control is that the Code Integrity codepath didn’t support ECC signatures. That’s being addressed, but for broadest compatibility and least friction, you should still avoid ECC for code-signing.
Nitty Gritty – Nearly four years ago, @n4r1B posted an amazingly low-level exploration of the underlying implementation of SAC and the Windows code integrity technology that implements it.
After you sign up on the Social Security Administration’s website, they’ll send you a yearly email inviting you to check out your benefits. Flipping through my Junk Mail folder this afternoon, I found the following email:
It looks reasonably plausible, except for the return address (cuonlineedu.in, a university in India). I’m always game to look at an attack, so I naturally clicked the “View my statement” link the bad guy hopes I’d click. This navigation results in redirecting through a page on the University’s website to go to a Spanish TLD:
GET http://delivery.cuonlineedu.in/UDFEKT?id=28719=c0oCVAtaBQlfGAQDA1YCAl4BAwZSBQVYUFwFAloGVgNRUFRTDFcHDAUAA1YMVgcFDA5LBj1cVhYRXFpXXXZcCkRbUw1VTFFXCxgBUQNVU1IBDQBXUgQCV1sKA0hQQkAVChkdAFwOW04DFklIVxYMDVRRWQYHVEJPClcbYXxwcS5kCVsARRQB&fl=WEJGFEpYHRcEAUMSXQcGCllLVREXXlhPAFZZGl1FGw==
302 Redirect to https://bestideiasbruno.com.es/
GET https://bestideiasbruno.com.es/download.php?url=aHR0cHM6Ly9hcm9taXNiZC5jb20vd3AtY29udGVudC9nZW4ubXNp&name=eStatement455378357_pdf.msi
200 (application/octet-stream)
GET https://www.ssa.gov/myaccount/statement.html
200 (text/html)
When that page loads, it claims that your “statement is being prepared” and a file download appears. The file download, named eStatement####_pdf.msi, is a Windows Installer package named to make it look like a PDF file.
For contrast, the legitimate download would’ve looked like this:
Okay, so the fake site dropped a file hoping we’d open it, and we can be pretty sure that a file delivered this way is going to be some form of malware. But it’s very concerning that neither SmartScreen or Microsoft Defender Antivirus complained about the file. Let’s take a closer look.
The MSI file is signed by a legitimate company and after uploading it, we see that it’s “Clean” on VirusTotal. (Update: Shortly after this post, the attackers changed to a new installer, also “Clean” on VirusTotal).
Hrm. Maybe the company got hacked and someone stole their certificate to sign malware? Looking more closely at the file information, we see that it was signed on April 13th and the file information looks legitimate “This installer database contains the logic and data required to install AteraAgent.” rather than what an attacker might pick (e.g. “You’re Social Security Info is inside. Open me hurry hurry hurry.”)
At this point, I had a strong hint that I knew what was going on, but in this AI-hyped world, I wondered whether Copilot would give me good advice.
Microsoft Copilot correctly recognizes that it’s a scam, but it gets the details wrong:
Let’s ask Google’s Gemini:
Gemini gets it right — the file is legitimate, but it’s being abused by an attacker. The Atera Agent is a piece of software that is categorized as a Remote Monitoring and Management (RMM) tool, which might be referred to by another name: a backdoor.
If you run the file (in a sandbox, obviously), you just get a simple install screen:
After the install has proceeded for a while, the following dialog box is shown:
If you hit the big blue Continue button, the service is started:
…and your device immediately sets up connections to the infrastructure that will allow the attacker to take control of your device:
This attack demonstrates one of the most challenging parts of cybersecurity: many tools can be turned into weapons simply by using them maliciously. The dominant use of the AteraAgent is legitimate, but in the hands of an attacker, the impact on the victim is the same as if they had installed malware on their device.
Now, what can Atera do about the abuse of their tool? They’ve done at least the bare minimum thing (added a notification screen during the install), but they could do more. For example, the screen doesn’t clearly explain the threat, and there’s no button to “Report Abuse to Atera.” An unanswered two year old thread on Reddit suggests these Atera-powered attacks have been going on for quite some time, and there have been high-profile attacks in the past. Hopefully they are keeping a close eye on their “Trial” customers — attackers love to abuse free trials to attack victims.
What can a normal computer user do to protect against this attack? Not a ton. Certainly, they should take care when interacting with their PC: aka don’t be me. Don’t go trolling around in the Junk Mail folders to click on links, take care with file downloads, keep an eye out when asked to make decisions, be paranoid.
A security-conscious Enterprise might block an attack like this by using Application Control software to block all (or unexpected) RMM tools on their devices. Beyond protecting against campaigns like this one, such protections can also help inhibit Tech Scams where users are enticed to download a legitimate RMM tool to give an attacker access to their PC.
-Eric
PS: Note that Windows itself ships with an RMM tool called “QuickAssist”, and sadly it has nothing to say about scams in its UI:
Microsoft Defender Antivirus
Defender is intended to operate silently in the background, without requiring any active attention from the user. Because Defender is included for free as a component of Windows, it doesn’t need to nag or otherwise bother the user for attention in an attempt to “prove its value”, unlike some antivirus products that require subscription fees.
The default mode for Defender is called “Real-time Protection” (RTP) and in that mode, Defender will automatically scan files for malicious content as they are opened and closed. This means that, even if you did have a malicious file on your PC, the instant it tries to load, the threat is blocked.
If you use the Windows Security App’s toggle to turn RTP off, it will turn itself back on whenever you reboot, or after a variable interval (controlled by various factors including management policies and signature updates).
Given the default real-time scanning behavior, you may wonder why the File Explorer’s legacy context menu offers a “Scan with Microsoft Defender…” menu item. Note that this is the Legacy Context menu, shown when Shift+RightClicking on a file. The Default context menu shown by a regular right-click does not offer the Scan command.
Confusion around this command is especially common because, in most cases, the item doesn’t seem to do anything: the Windows Security app just opens to the “Virus & threat protection” page:
The scan you’ve asked for typically executes so quickly that you have to look closely to realize that your requested scan actually completed; see the text “1 file scanned” at the bottom.
🤔 So, in a world of Real-time Protection, why does this command exist at all? Is there ever a need to use it?
The one scenario where the “Scan” menu item does more than nothing is the case of archive files (Zip, 7z, CAB, etc). Defender doesn’t scan these files on open/close for a few reasons (performance: decompressing data can take a long time, functionality: a password may be needed to decompress).
However, if a user actually tries to use a file from within an archive, that file is extracted and scanned at that time:
If you wanted to scan the contents of an unencrypted archive without actually extracting it, the Scan with Microsoft Defender… menu item will do just that and recognize the threat inside the archive:
Therefore, the only meaningful use of the “Scan” option in Defender is to scan an archive file that you plan to give someone else to open on a different computer, although it’s extremely likely that their device would also be running Defender and would also scan any files extracted from the archive.
Unfortunately, there’s lots of bad/outdated advice out there about the need for manual AV scanning, but I’m happy to see that both Microsoft Copilot and Google Gemini understand the very limited usefulness of this command. I was also happy to see Gemini offered the following:
Pro Tip: If you ever suspect a file is malicious but Defender insists that it’s clean, try uploading it to VirusTotal (an awesome service I’ve blogged about before). VirusTotal will scan the file using over 70 different antivirus engines simultaneously to give you a second (and 3rd,4th,5th,6th,7th…) opinion.
Other Scans
You may’ve noticed other options on the Scan options page, including “Quick scan”, “Full scan”, “Custom scan”, and “offline scan”.
Quick Scan scans a small set of locations where malware commonly tries to hide, including startup locations.
Full scan is self-explanatory: it scans all of your files on your disks.
Custom scan is self-explanatory: it scans the location you choose. The menu item discussed above kicks off a custom-scan for a single file or folder.
All of these scans are basically redundant in a world of RTP: files are scanned on access, so manual scans are not required for protection. The final option, Microsoft Defender Antivirus (offline scan), is different from the others. This scan is a special one that reboots your system and begins a scan before Windows boots. This scan type can find certain types of malware that might otherwise try to hide from Defender. Note that you may be prompted for your BitLocker recovery key:
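As an added example (not from the original post), the following PowerShell drives the same scans from the Defender module and MpCmdRun.exe: it reports the RTP state and running mode, and runs the archive-aware custom scan that the “Scan with Microsoft Defender…” menu item triggers. It assumes the stock MpCmdRun.exe location and that MpCmdRun exits with 2 when a threat is found.

```powershell
# Added example: the Defender scan types above, driven from PowerShell.
# Assumptions: MpCmdRun.exe lives under "Windows Defender" in Program Files, and its
# exit code is 0 for clean / 2 for threat found (check "MpCmdRun -h" on your build).
$MpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'

function Get-DefenderProtectionState {
    # RTP state plus the engine's running mode ("Normal", "Passive", ...).
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        RealTimeProtection = $s.RealTimeProtectionEnabled
        RunningMode        = $s.AMRunningMode
        SignatureAgeDays   = $s.AntivirusSignatureAge
        LastQuickScan      = $s.QuickScanEndTime
    }
}

function Invoke-DefenderFileScan {
    # Equivalent of "Scan with Microsoft Defender...": a custom scan of one path,
    # which is what actually looks inside an (unencrypted) .zip/.7z/.cab.
    param([Parameter(Mandatory)][string]$Path)
    $full = (Resolve-Path -LiteralPath $Path).Path
    $out  = & $MpCmdRun -Scan -ScanType 3 -File $full 2>&1
    [pscustomobject]@{
        Path        = $full
        ExitCode    = $LASTEXITCODE
        ThreatFound = ($LASTEXITCODE -eq 2)   # assumption noted above
        Output      = ($out -join "`n")
    }
}

Get-DefenderProtectionState | Format-List

# The other entries on the "Scan options" page, as cmdlets:
# Start-MpScan -ScanType QuickScan
# Start-MpScan -ScanType FullScan
# Start-MpScan -ScanType CustomScan -ScanPath "$env:USERPROFILE\Downloads"
# Start-MpWDOScan   # offline scan: reboots into the pre-boot scanner

$result = Invoke-DefenderFileScan -Path "$env:USERPROFILE\Downloads\archive-to-share.zip"
if ($result.ThreatFound) { Write-Warning "Defender flagged $($result.Path)" }
$result.Output
```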
Modern versions of Windows offer a setting named “Choose where to get apps” which can reduce attack surface by limiting the locations from which applications can be installed. Internally, we’ve called this feature “Smart Install”.
By default, this option is set to “Anywhere”, which means that Windows will allow an executable downloaded from the Internet to run.
Beyond the default, there are three other options.
Option: Let me know or Warn
The verbosely-named options:
Anywhere, but let me know if there’s a comparable app in the Microsoft Store
Anywhere, but warn me before installing an app that’s not from the Microsoft Store
…mean the SmartScreen Application Reputation call is sent specifying either appControl/level=preferStore (Warn) or appControl/level=recommendations (LMK) values:
After the AppRep call, a followup query is sent to a webservice (at sfdataservice.microsoft.com/smartinstall) to determine whether there’s a Store app available that might satisfy the user’s needs.
If the Warn option is selected, the user is shown a prompt regardless of whether a Store-hosted equivalent of the app is available:
If the Let me know option is selected, a notice is shown only if a Store app is available. Note: I don’t know how well this option works. The Microsoft Store lacks the majority of apps. The only app I know that’s available via the Store and a traditional EXE download (Paint.NET) does not result in Windows showing the Store suggestion.
Option: The Microsoft Store only
The simplest option is the “The Microsoft Store only” option. It means that after attempting to launch a downloaded app from Explorer, following the web service calls, Windows will show the following prompt:
Attempting to run such a file by calling ShellExecute with SEE_MASK_FLAG_NO_UI results in a silent failure (no prompt); the function will return an error code of ACCESS_DENIED.
Surprise #1 – Plumbed into extra surfaces!
One truly wild aspect of this feature is that it behaves differently than most features powered by the Mark of the Web.
When any option other than Anywhere is enabled, the SmartScreen Application Reputation service can[1] be consulted even when running a binary from the Command Prompt:
…and if the execution is disallowed by the setting, execution can be blocked:
When run from PowerShell, no UI is shown but the execution is blocked:
Surprise #2 – Blocking Dangerous File types!
Another interesting surprise is the behavior in Windows when the filetype is a “Dangerous” one but not an “App.” Those dangerous file types may be specified in the registry by an application’s developer, or manually using the HighRiskFileTypes registry key:
Normally, attempting to use Explorer to open a downloaded file of a dangerous extension would result in a legacy Attachment Execution Services prompt like this:
However, if Windows is configured to Get Apps from Store Only, the opening of an Internet Zone MotW-bearing file is blocked silently, providing a kludgy version of one of the most exciting aspects of the Smart App Control feature.
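As an added example (not from the original post), the following PowerShell inspects and extends the Attachment Manager’s HighRiskFileTypes list mentioned above, and reads the EditFlags bits a developer can set on a ProgID. It assumes the per-user policy key shown (the same path under HKLM: is the machine-wide one) and the documented FTA_OpenIsSafe/FTA_AlwaysUnsafe bit values.

```powershell
# Added example: read/extend HighRiskFileTypes and decode a ProgID's EditFlags.
# Assumptions: the per-user Attachment Manager policy key below; EditFlags bit
# values from the shell's FILETYPEATTRIBUTEFLAGS.
$AssocPolicy      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Associations'
$FTA_OpenIsSafe   = 0x00010000   # opening this type is considered safe
$FTA_AlwaysUnsafe = 0x00020000   # this type is always treated as dangerous

function Get-HighRiskFileTypes {
    # The policy value is a semicolon-separated string such as ".msi;.msp;"
    $raw = (Get-ItemProperty -Path $AssocPolicy -ErrorAction SilentlyContinue).HighRiskFileTypes
    @(($raw -split ';') | Where-Object { $_ } | ForEach-Object { $_.Trim().ToLowerInvariant() })
}

function Get-ProgIdEditFlags {
    param([string]$Extension)
    $progId = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$Extension" -ErrorAction SilentlyContinue).'(default)'
    if (-not $progId) { return 0 }
    $raw = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$progId" -ErrorAction SilentlyContinue).EditFlags
    if ($raw -is [byte[]]) { return [BitConverter]::ToInt32($raw, 0) }   # REG_BINARY form
    if ($null -eq $raw) { return 0 }
    return [int]$raw                                                     # REG_DWORD form
}

function Test-ExtensionRisk {
    # Reports why Attachment Execution Services would treat an extension as dangerous.
    param([Parameter(Mandatory)][string]$Extension)
    $ext   = $Extension.ToLowerInvariant()
    $flags = Get-ProgIdEditFlags -Extension $ext
    [pscustomobject]@{
        Extension    = $ext
        InHighRisk   = ($ext -in (Get-HighRiskFileTypes))
        AlwaysUnsafe = (($flags -band $FTA_AlwaysUnsafe) -ne 0)
        OpenIsSafe   = (($flags -band $FTA_OpenIsSafe) -ne 0)
    }
}

function Add-HighRiskFileType {
    # Appends an extension to the user's HighRiskFileTypes list (idempotent).
    param([Parameter(Mandatory)][string]$Extension)
    $ext     = $Extension.ToLowerInvariant()
    $current = Get-HighRiskFileTypes
    if ($ext -in $current) { return }
    New-Item -Path $AssocPolicy -Force | Out-Null
    $value = ((@($current) + $ext) -join ';') + ';'
    Set-ItemProperty -Path $AssocPolicy -Name HighRiskFileTypes -Value $value -Type String
}

# Treat Windows Installer packages as high-risk, so a downloaded .msi gets the AES
# prompt, or the silent block when "The Microsoft Store only" is selected.
Add-HighRiskFileType -Extension '.msi'
Test-ExtensionRisk -Extension '.msi' | Format-List
```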
Troubleshooting Smart Install UI
In some cases, users complain that this feature isn’t working as described above.
This can happen if the Microsoft.StorePurchaseApp is not installed, because that package contains the warning prompts.
Normally, running Get-AppxPackage *purchase* from PowerShell should show this:
…but when the package isn’t installed, the command will return no packages.
When the UI application is not installed, Windows falls back to showing the legacy (XP-era) Attachment Execution Services security prompts.
Relationship to Smart App Control
As of April 2026, in Windows 11 25H2, if you enable Smart App Control, the “Choose where to get apps” setting behaves as if it’s set to “Anywhere”.
-Eric
PS: One subtle behavior is that Microsoft offers “Portable Store Installer” executables to allow apps to “download” from websites (e.g. this one for ClipChamp). Such PSI installers have an Original filename of StoreInstaller.exe and they are signed with a specific Microsoft certificate chain. The “Choose Where to Get Apps” feature recognizes these installers and allow-lists them as if they came from the Store (because, logically, they do).
[1] The decision of whether the SmartInstall restrictions are enforced in the command prompt is a subtle one. If you download a simple executable and run it from the Command Prompt (cmd.exe) there’s no block or prompt. But if you rename that executable to setup.exe, then the prompt and block appear. Windows has a variety of code that attempts to recognize installers, and I’m guessing that code is responsible for the difference.