Microsoft SmartScreen

SmartScreen (officially called Windows SmartScreen, Windows Defender SmartScreen and SmartScreen Filter in different places) is a cloud-based anti-phishing and anti-malware component included in several Microsoft products, among them Internet Explorer, Microsoft Edge, Windows and Outlook.com.

SmartScreen as a business unit includes the intelligence platform, backend, serving frontend, UX, policy, expert graders, and closed-loop intelligence (machine learning and statistical techniques) designed to help protect Microsoft customers from safety threats like social engineering and drive-by downloads.

SmartScreen in Internet Explorer

Internet Explorer 7: Phishing Filter

SmartScreen was first introduced in Internet Explorer 7, then known as the Phishing Filter. Phishing Filter does not check every website visited by the user, only those that are known to be suspicious. [1]

Internet Explorer 8: SmartScreen Filter

With the release of Internet Explorer 8, the Phishing Filter was renamed SmartScreen Filter and extended to cover socially engineered malware. Every website and download is checked against a local list of popular legitimate websites; if the site is not on that list, the full address is sent to Microsoft for further checks. [2] If the address has been labeled as an impostor or harmful, Internet Explorer 8 shows a warning page stating that the site has been reported as harmful and should not be visited. From there the user can go to their home page, return to the previous site, or continue to the unsafe page. [3] If a user attempts to download a file from a location reported as harmful, the download is cancelled. The effectiveness of SmartScreen filtering has been reported to be superior to the socially engineered malware protection in other browsers. [4]

According to Microsoft, the SmartScreen technology used by Internet Explorer 8 was successful against phishing and other malicious sites and in blocking socially engineered malware. [5]

Beginning with Internet Explorer 8, SmartScreen can be enforced using Group Policy.

Internet Explorer 9: Application Reputation

In Internet Explorer 9, SmartScreen added protection against malware downloads by launching SmartScreen Application Reputation, which identifies both safe and malicious software. The system blocked known malware and warned the user if an executable was not yet known to be safe. It also took into account the download website's reputation, based on the SmartScreen phishing filter introduced in the prior browser versions, Internet Explorer 7 and Internet Explorer 8. [6]

Internet Explorer Mobile 10

Internet Explorer Mobile 10 was the first release of Internet Explorer Mobile to support the SmartScreen Filter. [7]

Microsoft Edge

Microsoft Edge was Microsoft's new browser beginning in Windows 10, originally built on the same Windows web platform powering Internet Explorer, later rebuilt on Google's Chromium browser stack to go cross-platform onto macOS and down-level into Windows 8.1 and below. SmartScreen shipped with each version of Microsoft Edge, mostly with Internet Explorer parity, in progressive versions adding protection improvements targeting new consumer threat classes like tech support scams or adding new enterprise configurability features.

Addressed criticisms

In October 2017, criticisms regarding URL submission methods were addressed with the creation of the Report unsafe site URL submission page. Prior to 2017, Microsoft required a user to visit a potentially dangerous website to use the in-browser reporting tool, potentially exposing users to dangerous web content. In 2017, Microsoft reversed that policy by adding the URL submission page, allowing a user to submit an arbitrary URL without having to visit the website.

SmartScreen Filter in Microsoft Outlook could previously be bypassed because of a data gap in Internet Explorer. Some phishing attacks use a phishing email linking to a front-end URL unknown to Microsoft; clicking this URL in the inbox opens it in Internet Explorer, and the loaded website then, using client-side or server-side redirections, sends the user on to the malicious site. [8] In the original implementation of SmartScreen, the "Report this website" option in Internet Explorer reported only the currently open page (the final URL in the redirect chain); the original entry URL used in the phishing attack was not reported to Microsoft and remained accessible. This was mitigated beginning in early versions of Microsoft Edge by sending the full redirection chain to Microsoft for further analysis.
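
The data gap described above is easiest to see by walking a redirect chain and keeping every hop rather than only the landing page. The following is an added example, not Microsoft's code: it follows both server-side redirects (3xx with a Location header) and client-side meta-refresh redirects, stops on loops, and shapes a report that preserves the entry URL. The HTTP fetcher is injected, and the site map it consults is constructed so the example runs offline; the hostnames are placeholders.

```python
"""
Collect the full redirection chain behind a reported URL.

Added example (not Microsoft's code). A report that carries only the
final landing page loses the entry URL that the phishing email used;
collecting the whole chain closes that gap. The fetcher is injected so
the example runs offline against a constructed site map.
"""
import re
from urllib.parse import urljoin

# Constructed responses: url -> (status, headers, body). Not real hosts.
FAKE_SITE = {
    "http://entry.example/promo": (302, {"Location": "/step2"}, ""),
    "http://entry.example/step2": (
        200, {},
        '<html><head><meta http-equiv="refresh" '
        'content="0; url=http://landing.example/login"></head></html>',
    ),
    "http://landing.example/login": (200, {}, "<html>fake login</html>"),
}

# Matches <meta http-equiv="refresh" content="N; url=..."> (case-insensitive).
META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*content=["\']?\s*\d+\s*;\s*url=([^"\'>\s]+)',
    re.IGNORECASE,
)


def fake_fetch(url):
    """Offline stand-in for an HTTP client; returns (status, headers, body)."""
    return FAKE_SITE.get(url, (404, {}, ""))


def collect_redirect_chain(start_url, fetch=fake_fetch, max_hops=10):
    """Return every URL visited from start_url up to the final page.

    Follows server-side redirects (3xx + Location) and client-side
    meta-refresh redirects. Stops on a loop or after max_hops so a
    hostile chain cannot keep the collector busy indefinitely.
    """
    chain = [start_url]
    url = start_url
    while len(chain) <= max_hops:
        status, headers, body = fetch(url)
        next_url = None
        if 300 <= status < 400 and "Location" in headers:
            next_url = urljoin(url, headers["Location"])
        elif status == 200:
            m = META_REFRESH.search(body)
            if m:
                next_url = urljoin(url, m.group(1))
        if next_url is None:
            break
        if next_url in chain:  # redirect loop: stop rather than spin
            break
        chain.append(next_url)
        url = next_url
    return chain


def build_report(start_url, fetch=fake_fetch):
    """Shape a submission that keeps both the entry URL and the final URL."""
    chain = collect_redirect_chain(start_url, fetch)
    return {"reported_url": chain[0], "final_url": chain[-1], "chain": chain}


if __name__ == "__main__":
    print(build_report("http://entry.example/promo"))
```

With a real HTTP client substituted for `fake_fetch`, the same loop would run without following redirects automatically, so that each hop is recorded before it is taken.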

SmartScreen in Windows

Windows 8 and Windows 8.1

In Windows 8, SmartScreen added built-in operating system protection against web-delivered malware by performing reputation checks by default on any file or application downloaded from the Internet, including those downloaded through email clients like Microsoft Outlook or non-Microsoft web browsers like Google Chrome. [9] [10]

Windows SmartScreen functioned inline in the Windows shell, immediately before execution of any downloaded software.

Whereas SmartScreen in Internet Explorer 9 warned against downloading and executing unsafe programs only in Internet Explorer, Windows SmartScreen blocked execution of unsafe programs of any Internet origin.

With SmartScreen left at its default settings, administrator privilege would be required to launch and run an unsafe program.
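
Windows knows that a file "came from the Internet" because the downloading application stamps it with a Zone.Identifier alternate data stream (the Mark of the Web), which is what the shell-level check above keys on. The following is an added example, not Microsoft's code: it parses constructed Zone.Identifier contents and reports whether the file carries an Internet or Restricted zone mark, which is the case in which the SmartScreen check applies. The ReferrerUrl and HostUrl fields are written by newer Windows builds only; older streams carry just the ZoneId.

```python
"""
Decide whether Windows SmartScreen's shell check applies to a file.

Added example, not Microsoft's code. Files that arrive from the
Internet carry a Zone.Identifier alternate data stream (the "Mark of
the Web"); the shell-level SmartScreen check runs on files whose zone
is Internet or Restricted Sites. The stream is INI-like. The sample
contents below are constructed.
"""
import configparser

# URL security zones as numbered by Windows.
ZONE_NAMES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}

# Constructed stream contents keyed by a hypothetical file name.
SAMPLE_STREAMS = {
    "setup.exe": (
        "[ZoneTransfer]\r\nZoneId=3\r\n"
        "ReferrerUrl=http://download.example/\r\n"
        "HostUrl=http://download.example/setup.exe\r\n"
    ),
    "tool.exe": "[ZoneTransfer]\r\nZoneId=3\r\n",      # older-style stream
    "intranet.msi": "[ZoneTransfer]\r\nZoneId=1\r\n",  # intranet origin
    "notes.txt": None,      # no stream: file was created locally
    "odd.exe": "garbage",   # stream present but not parseable
}


def parse_zone_identifier(text):
    """Parse a Zone.Identifier stream; return a dict, or None if unusable."""
    if not text:
        return None
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    if not cp.has_section("ZoneTransfer"):
        return None
    sec = cp["ZoneTransfer"]
    try:
        zone = int(sec.get("ZoneId", ""))
    except ValueError:
        return None
    return {
        "zone_id": zone,
        "zone": ZONE_NAMES.get(zone, "Unknown"),
        "referrer": sec.get("ReferrerUrl"),
        "host": sec.get("HostUrl"),
    }


def smartscreen_applies(stream_text):
    """True when the file carries an Internet (3) or Restricted Sites (4) mark."""
    info = parse_zone_identifier(stream_text)
    return info is not None and info["zone_id"] in (3, 4)


def read_motw(path):
    """Read the real stream from an NTFS file on Windows; returns None if absent."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8") as f:
            return f.read()
    except OSError:
        return None


if __name__ == "__main__":
    for name, stream in SAMPLE_STREAMS.items():
        print(name, "->", "checked" if smartscreen_applies(stream) else "not checked")
```

On a live Windows system `read_motw(path)` supplies the stream text; the constructed samples stand in for it here so the classification can be exercised anywhere.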

Reactions

Concerns were raised about the privacy, legality and effectiveness of the new system. Critics suggested that the automatic analysis of files (which involves sending a cryptographic hash of the file and the user's IP address to a server) could be used to build a database of users' downloads, and that the use of the outdated SSL 2.0 protocol for communication could allow an attacker to eavesdrop on the data. In response, Microsoft issued a statement noting that IP addresses were only collected as part of the normal operation of the service and would be periodically deleted, that SmartScreen on Windows 8 would use only SSL 3.0 for security reasons, and that information gathered via SmartScreen would not be used for advertising purposes or sold to third parties. [11]

Windows 10 and Windows 11

Beginning in Windows 10, Microsoft placed the SmartScreen settings in the Windows Defender Security Center. [12] SmartScreen plays an important role in blocking malicious apps. [13]

Further Windows 10 and Windows 11 updates have added more enterprise configurability as part of Microsoft's enterprise endpoint protection product.

SmartScreen in Outlook

Outlook.com uses SmartScreen to protect users from unsolicited e-mail messages (spam/junk), fraudulent emails (phishing) and malware spread via e-mail. After its initial review of the body text, the system focuses on the hyperlinks and attachments.

Junk mail (spam)

To filter spam, SmartScreen Filter uses machine learning from Microsoft Research that learns from known spam threats and from user feedback when users mark emails as "Spam".

Over time, this feedback helps SmartScreen Filter distinguish the characteristics of unwanted and legitimate e-mail, and it also lets the filter build a reputation for senders from the number of their emails that have been checked. Using these algorithms and the sender's reputation, an SCL rating (Spam Confidence Level score) is assigned to each e-mail message; the lower the score, the more desirable the message. A score of -1, 0, or 1 is considered not spam, and the message is delivered to the recipient's inbox. A score of 5, 6, 7, 8, or 9 is considered spam, and the message is delivered to the recipient's Junk folder. Scores of 5 or 6 are considered suspected spam, while a score of 9 is considered certainly spam. [14] The SCL score of an email can be found in the X-headers of the received message.

Phishing

SmartScreen Filter also analyses email messages for fraudulent and suspicious web links. If such suspicious characteristics are found, the message is sent directly to the Spam folder with a red information bar at the top that warns of the suspect properties. SmartScreen also protects against spoofed domain names in emails by verifying whether a message was actually sent by the domain it claims to come from; for this it uses Sender ID and DomainKeys Identified Mail (DKIM). SmartScreen Filter also makes email from authenticated senders easier to distinguish by placing a green shield icon next to the subject line of these messages. [15] [16]
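
The SCL thresholds in the junk mail section above and the sender authentication described here both surface as message headers, which is how an analyst or a mail-flow rule sees them. The following is an added example, not Microsoft's code: it applies the SCL verdicts as quoted in the text, parses the Authentication-Results header (RFC 8601) for DKIM, SPF and Sender ID outcomes, and reports the folder and authentication status for each message. The header name X-MS-Exchange-Organization-SCL is the one Exchange Online stamps; the sample messages are constructed, and the "unclassified" label for SCL 2 to 4 is this example's own, since the text gives those values no meaning.

```python
"""
Triage of Outlook/Exchange anti-spam headers.

Added example, not Microsoft's code. Applies the SCL thresholds quoted
in the text and reads the Authentication-Results header (RFC 8601)
that records DKIM, SPF and Sender ID outcomes. The messages below are
constructed.
"""
import email
from email import policy

# Header that Exchange Online stamps with the Spam Confidence Level.
SCL_HEADER = "X-MS-Exchange-Organization-SCL"


def classify_scl(scl):
    """Map an SCL value to the verdicts described in the text."""
    if scl in (-1, 0, 1):
        return "not spam"
    if scl in (5, 6):
        return "suspected spam"
    if scl in (7, 8):
        return "spam"
    if scl == 9:
        return "certainly spam"
    return "unclassified"  # 2-4 are given no meaning in the text


def folder_for(scl):
    """Inbox for -1..1, Junk for 5..9; anything else is left undecided (None)."""
    verdict = classify_scl(scl)
    if verdict == "not spam":
        return "Inbox"
    if verdict == "unclassified":
        return None
    return "Junk"


def parse_authentication_results(value):
    """Parse 'authserv-id; method=result ...; method=result ...' into a dict."""
    results = {}
    parts = [p.strip() for p in value.split(";")]
    for part in parts[1:]:  # parts[0] is the authserv-id
        if not part:
            continue
        method_result = part.split()[0]  # e.g. "dkim=pass"
        if "=" in method_result:
            method, result = method_result.split("=", 1)
            results[method.lower()] = result.lower()
    return results


def triage(raw_message):
    """Return SCL, verdict, target folder and whether the sender authenticated."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    scl_raw = msg.get(SCL_HEADER)
    try:
        scl = int(str(scl_raw).strip()) if scl_raw is not None else None
    except ValueError:
        scl = None  # malformed header: treat as absent
    auth = parse_authentication_results(str(msg.get("Authentication-Results", "")))
    authenticated = auth.get("dkim") == "pass" or auth.get("sender-id") == "pass"
    return {
        "scl": scl,
        "verdict": classify_scl(scl) if scl is not None else "no SCL header",
        "folder": folder_for(scl) if scl is not None else None,
        "authenticated": authenticated,
        "auth": auth,
    }


# Constructed sample messages (placeholder domains).
SAMPLE_GOOD = (
    "From: newsletter@shop.example\r\n"
    "To: user@outlook.example\r\n"
    "Subject: Your receipt\r\n"
    f"{SCL_HEADER}: 1\r\n"
    "Authentication-Results: mx.outlook.example; dkim=pass header.d=shop.example;"
    " spf=pass smtp.mailfrom=shop.example\r\n"
    "\r\nThanks for your order.\r\n"
)
SAMPLE_PHISH = (
    "From: security@bank.example\r\n"
    "To: user@outlook.example\r\n"
    "Subject: Verify your account\r\n"
    f"{SCL_HEADER}: 9\r\n"
    "Authentication-Results: mx.outlook.example; dkim=fail header.d=bank.example;"
    " spf=softfail smtp.mailfrom=other.example\r\n"
    "\r\nPlease confirm your details.\r\n"
)

if __name__ == "__main__":
    for sample in (SAMPLE_GOOD, SAMPLE_PHISH):
        print(triage(sample))
```

A message with no SCL header is reported as such rather than guessed at, and a sender counts as authenticated only on a DKIM or Sender ID pass, which is the condition the green shield marks.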

Effectiveness

Browser social engineering protection

In late 2010, the results of browser malware testing undertaken by NSS Labs were published. [17] The study looked at the browser's capability to prevent users following socially engineered links of a malicious nature and downloading malicious software. It did not test the browser's ability to block malicious web pages or code.

According to NSS Labs, Internet Explorer 9 blocked 99% of malware downloads, compared with 90% for Internet Explorer 8, which lacks the SmartScreen Application Reputation feature, and 13% for Firefox, Chrome and Safari, which all use the Google Safe Browsing malware filter. Opera 11 was found to block just 5% of malware. [18] [19] [20] SmartScreen Filter was also noted for adding sites to its blocklists almost instantaneously, as opposed to the several hours it took for blocklists to be updated in other browsers.

In early 2010, similar tests had given Internet Explorer 8 an 85% passing grade; the 5% improvement was attributed to "continued investments in improved data intelligence". [21] By comparison, the same research showed that Chrome 6, Firefox 3.6 and Safari 5 scored 6%, 19% and 11%, respectively. Opera 10 scored 0%, failing to "detect any of the socially engineered malware samples". [22]

In July 2010, Microsoft claimed that SmartScreen in Internet Explorer had blocked over a billion attempts to access sites containing security risks. [23] According to Microsoft, the SmartScreen Filter included in Outlook.com blocks 4.5 billion unwanted e-mails daily from reaching users. Microsoft also claims that only 3% of incoming email is junk mail, but a test by Cascade Insights says that just under half of all junk mail still arrives in users' inboxes. [24] [25] In a September 2011 blog post, Microsoft stated that 1.5 billion attempted malware attacks and over 150 million attempted phishing attacks had been stopped. [26]

Criticism

Validity of browser protection tests

Manufacturers of other browsers have criticized the third-party tests that claim Internet Explorer has superior phishing and malware protection compared to Chrome, Firefox, or Opera. The criticisms have focused mostly on the lack of transparency about the URLs tested and the lack of consideration of layered security beyond the browser, with Google commenting that "The report itself clearly states that it does not evaluate browser security related to vulnerabilities in plug-ins or the browsers themselves", [27] and Opera commenting that it found it "odd that they received no results from our data providers" and that "social malware protection is not an indicator of overall browser security". [28]

Windows malware protection

SmartScreen builds reputation based on code signing certificates that identify the author of the software. This means that once a reputation has been built, new versions of an application can be signed with the same certificate and maintain the same reputation.

However, code signing certificates need to be renewed every two years. SmartScreen does not relate a renewed certificate to an expired one. This means that reputations need to be rebuilt every two years, with users getting frightening messages in the meantime. Extended Validation (EV) certificates seem to avoid this issue, but they are expensive and difficult to obtain for small developers. [29]

SmartScreen Filter creates a problem for small software vendors when they distribute an updated version of an installer or binary over the Internet. [30] Whenever an updated version is released, SmartScreen responds by stating that the file is not commonly downloaded and could therefore harm your system. This can be addressed by the author digitally signing the distributed software; reputation is then based not only on the file's hash but on the signing certificate as well. A common distribution method authors use to avoid SmartScreen warnings is to pack the installation program (for example Setup.exe) into a ZIP archive and distribute it that way, though this can confuse novice users.

Another criticism is that SmartScreen increases the cost of non-commercial and small-scale software development. Developers either have to purchase standard code signing certificates or the more expensive extended validation certificates. Extended validation certificates allow the developer to immediately establish reputation with SmartScreen, [31] but they are often unaffordable for people developing software for free or not for immediate profit. Standard code signing certificates, however, pose a "catch-22" for developers: SmartScreen warnings make people reluctant to download software, so getting downloads requires first passing SmartScreen, passing SmartScreen requires reputation, and reputation depends on downloads.


References

  1. "Phishing Filter to be Available in Internet Explorer 7". Help Net Security. 30 September 2005. Retrieved 3 August 2016.
  2. "Please upgrade your browser - Microsoft Windows". Microsoft.com. Retrieved January 25, 2013.
  3. Lawrence, Eric (July 2, 2008). "IE8 Security Part III: SmartScreen Filter". Retrieved September 2, 2008.
  4. "The Q3 Socially Engineered Malware Test Report" (PDF). August 14, 2009. Archived from the original (PDF) on December 14, 2010.
  5. Oiaga, Marius (2010-07-24). "IE8 Blocked Over 1 Billion Malware Download Attempts". Softpedia.com.
  6. Colvin, Ryan (Microsoft) (2011-03-10). "Internet Explorer 9: Protection from Socially Engineered Attacks with SmartScreen URL Reputation".
  7. O'Brien, Terrence (June 20, 2012). "Microsoft unveils Internet Explorer 10 for Windows Phone, very similar to the desktop". Engadget. Retrieved August 26, 2012.
  8. Aggarwal, Anupama; Rajadesingan, Ashwin; Kumaraguru, Ponnurangam (29 January 2013). "PhishAri: Automatic Realtime Phishing Detection on Twitter". Social and Information Networks. Cornell University. arXiv:1301.6899. Bibcode:2013arXiv1301.6899A.
  9. Tung, Liam (16 August 2012). "Win8 SmartScreen nudges software sellers to buy code signing certs". CSO. IDG Communications. Retrieved 12 September 2012.
  10. Larramo, Mika. "Windows SmartScreen - Anti-Malware Protection in Windows 8". SamLogic. Retrieved 11 January 2013.
  11. Bright, Peter (25 August 2012). "Windows 8 privacy complaint misses the forest for the trees". Ars Technica. Condé Nast. Retrieved 12 September 2012.
  12. "Change Windows SmartScreen Settings in Windows 10". www.tenforums.com. Retrieved 2017-04-10.
  13. "The Fundamentals of Windows Defender SmartScreen".
  14. "Spam confidence levels: Exchange Online Help". technet.microsoft.com. Retrieved 2016-08-18.
  15. "Security features in Outlook.com". Microsoft Corporation.
  16. "Security Upgrades in the new Hotmail". Microsoft Corporation.
  17. "Web Browser Group Test Socially-Engineered Malware Q3 2010". nsslabs.com. Archived from the original on 2014-03-06.
  18. Bright, Peter (2011-07-16). "Internet Explorer 9 utterly dominates malware-blocking stats". Ars Technica. Retrieved 2011-07-16.
  19. "Web Browser Group Test Socially-Engineered Malware". NSS Labs. 2011-07-16. Archived from the original on 2011-07-17.
  20. Dunn, John E. (18 July 2011). "Internet Explorer 9 hammers rivals in download blocking test". InfoWorld. IDG Enterprise. Retrieved 12 September 2012.
  21. "Enhanced Protection with IE9's SmartScreen Filter". Microsoft.
  22. Rubenking, Neil J. (2010-12-14). "NSS Labs: Internet Explorer 9 Offers Best Protection". pcmag.com.
  23. James, Martin (26 July 2010). "IE8 SmartScreen filter racks up a billion malware blocks". IT Pro. Dennis Publishing. Retrieved 12 September 2012.
  24. "Effectiviteit SmartScreen-filter in Hotmail/Oulook.com". Microsoft Corporation.
  25. "E-mailfiltervergelijking". Cascade Insights.
  26. "Protecting you from malware". Microsoft Corporation. 15 September 2011.
  27. Rubenking, Neil (2010-12-15). "Google Responds to NSS Labs Browser Security Report". PC Mag. Retrieved 2011-01-16.
  28. Bakke, Kurt (2010-12-17). "Opera Also Questions IE Security Test Results". ConceivablyTech.com. Archived from the original on December 28, 2010. Retrieved 2011-01-16.
  29. "Code signing - Transferring Microsoft SmartScreen reputation to renewed certificate".
  30. Reichl, Dominik. "Additional FAQ - KeePass". keepass.info. Retrieved 2018-05-10.
  31. "Microsoft SmartScreen & Extended Validation (EV) Code Signing Certificates". Microsoft. 14 August 2012. Retrieved 3 June 2017.