JerryYeh
Level 3

InstallShield can't support Windows 11 22H2 (SAC)?

Hi

Windows 11 22H2 adds a significant new protection from malware (SAC), and apps packaged by InstallShield will be blocked by SAC.

Will you have any schedule to support SAC in the next upgrade?

Thanks.

 

What is Smart App Control

https://support.microsoft.com/en-gb/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003

 

 

(5) Replies
skrueger
Level 6

Does your application and msi have a digital signature?

Stefan Krueger
InstallSite.org / InstallSite.de
0 Kudos

Yes, my files have the digital signature.

So my files can work if SAC is enabled.

But the installation procedure will be blocked by SAC.

And your setup itself is also signed with a trusted signature? According to the document linked in the original post:

If the security service is unable to make a confident prediction about the app, then Smart App Control checks to see if the app has a valid signature. If the app has a valid signature Smart App Control will let it run. If the app is unsigned, or the signature is invalid, Smart App Control will consider it untrusted and block it for your protection.

And also:

"I'm an app developer, how can I get Smart App Control to not block my app?"
The simple answer is, sign your app with a valid certificate.

So this might be a bug in the pre-release version of SAC. Please give feedback to Microsoft:

  1. In Windows, go to the Feedback Hub (from the Start menu, or press Windows key + F).

  2. When you get to Step 2 - Choose a category, select Security and Privacy - Smart App Control.

Stefan Krueger
InstallSite.org / InstallSite.de
0 Kudos

Hi

I suppose the blocking issue occurred while the app was installing.

The InstallShield installation procedure generates some temporary files during installation, and these files possibly don't have a valid signature.

Then the installation procedure is blocked by SAC.

kizumitsuhiro
Level 2

I am also facing a similar problem with InstallShield 2020 (InstallScript project). I would like to be able to support SAC within InstallShield.

During the installer execution, unsigned DLLs such as setup2Dll.dll and _isres_0x0409.dll are output to the temporary folder and those files are blocked by SAC.

Microsoft offers a workaround using Package Inspector. Using that tool to capture the installer's behavior will output a .cat file. Sign it and copy it to %windir%\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE} before running the installer, and SAC will no longer block it. (The above two links are documents about WDAC, and SAC is realized with WDAC technology.)

However, the need to place the files on the system BEFORE running the installer is a serious inconsistency, and the need to generate and sign a .cat file for each build is also very unproductive.

0 Kudos
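
Added example (not part of any post above, and not InstallShield or Microsoft code): a PowerShell check that lists the executable files a running setup has unpacked whose Authenticode status is not Valid, which is the kind of file the last two replies describe SAC blocking. The function name, the default of `$env:TEMP`, the 30-minute window and the extension list are assumptions made for this sketch; treating `Status -eq Valid` as "has a valid signature" is an approximation of the rule quoted from the Microsoft page, not SAC's actual decision logic.

```powershell
# Added example: run in a second console while the installer is open, so its
# unpacked support files are still present in the temporary folder.
function Get-UnsignedInstallerFile {
    [CmdletBinding()]
    param(
        # Assumption: folder tree where the installer unpacks its support files.
        [string]$Path = $env:TEMP,
        # Only look at files created in the last N minutes (the current setup run).
        [int]$SinceMinutes = 30,
        # Assumption: file types worth checking; adjust to what your setup drops.
        [string[]]$Extension = @('.dll', '.exe', '.msi', '.ocx', '.sys')
    )

    $cutoff = (Get-Date).AddMinutes(-$SinceMinutes)

    Get-ChildItem -LiteralPath $Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object {
            # CreationTime is used because extracted files often keep their
            # original LastWriteTime from build time.
            $Extension -contains $_.Extension.ToLowerInvariant() -and
            $_.CreationTime -ge $cutoff
        } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            [pscustomobject]@{
                File          = $_.FullName
                Status        = $sig.Status         # Valid, NotSigned, HashMismatch, NotTrusted, ...
                SignatureType = $sig.SignatureType  # Authenticode (embedded), Catalog, or None
                Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            }
        } |
        Where-Object { $_.Status -ne 'Valid' }   # keep only files without a valid signature
}

# Report every recently unpacked file that lacks a valid signature.
Get-UnsignedInstallerFile | Sort-Object File | Format-Table -AutoSize -Wrap
```

Once a signed catalog covering these files is installed, as in the Package Inspector workaround described above, the same files should drop out of this list, because `Get-AuthenticodeSignature` then reports them as Valid with `SignatureType` Catalog.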