Microsoft SmartScreen

From Wikipedia, the free encyclopedia

Microsoft SmartScreen is a phishing and malware filter implemented in several Microsoft products, including Internet Explorer, Microsoft Edge, Outlook.com and the Windows operating system. It is designed to protect users against attacks that use social engineering and drive-by downloads to infect a system: URLs a user visits are checked against a blocklist of sites hosting known threats and, in Windows, files downloaded from the Internet are checked against a reputation service before they are allowed to run.

SmartScreen in Internet Explorer

Internet Explorer 7: Phishing Filter

SmartScreen was first introduced in Internet Explorer 7, where it was known as the Phishing Filter. The Phishing Filter did not check every website visited by the user, only those already known to be suspicious.[1]

Internet Explorer 8: SmartScreen Filter

With the release of Internet Explorer 8, the Phishing Filter was renamed SmartScreen Filter and extended to cover socially engineered malware. Every website and download is first checked against a local list of popular legitimate websites; if the site is not on that list, the full address is sent to Microsoft for further checks.[2] If the address has been labelled as an impostor or harmful site, Internet Explorer 8 shows a full-page warning that the site has been reported as harmful and should not be visited; from there the user can go to their home page, return to the previous site, or continue to the unsafe page anyway.[3] If a user attempts to download a file from a location reported as harmful, the download is cancelled. The effectiveness of SmartScreen filtering has been reported to be superior to the socially engineered malware protection in other browsers.[4]

According to Microsoft, the SmartScreen technology in Internet Explorer 8 was effective both at blocking phishing and other malicious sites and at blocking socially engineered malware downloads.[5]

Beginning with Internet Explorer 8, SmartScreen can be enforced through Group Policy, so that users cannot turn it off.

Internet Explorer 9: Application Reputation

Building on the SmartScreen Filter introduced in Internet Explorer 8, Internet Explorer 9 extends its protection against malware downloads with SmartScreen Application Reputation.[6] This warns users when they are downloading an application that has no established safe reputation from a site that likewise has no safe reputation.

This two-pronged approach in Internet Explorer 9, blocking access to malicious URLs with the SmartScreen Filter and flagging untrustworthy executables with Application Reputation, gave it the best socially engineered malware blocking of any stable browser version in the NSS Labs tests of the time (see Effectiveness below).

Internet Explorer 10: SmartScreen on Internet Explorer Mobile

Internet Explorer Mobile 10 was the first release of Internet Explorer Mobile to support the SmartScreen Filter.[7]

SmartScreen in Windows

SmartScreen filtering at the desktop level, which performs a reputation check by default on any file or application downloaded from the Internet, was introduced in Windows 8.[8][9][10] Much as in Internet Explorer 9, if the program has a bad reputation, or no established reputation yet, the user is warned that running it may harm their computer. Reputation is built from download telemetry on the file and, where the file is signed, on its code-signing certificate, which is why signing with a certificate that already has a history makes the warning far less likely.[8][9]

At its default setting, "Get administrator approval before running an unrecognized app from the Internet", a standard user cannot run an unrecognized download at all: an administrator must approve it (on an administrator account this is the "More info" / "Run anyway" prompt). The setting can be lowered to a warning only, or turned off, in Action Center, or it can be pinned by Group Policy so that users cannot change it.
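The following PowerShell script is an added example, not code from the article or from Microsoft. It audits and, optionally, enforces the SmartScreen policy state described in the two preceding sections (Group Policy enforcement for Internet Explorer 8 and later, and the Windows desktop setting) by reading and writing the registry values that the corresponding policy templates set. The value names (EnabledV8, EnabledV9, EnableSmartScreen, ShellSmartScreenLevel, SmartScreenEnabled) are the ones Microsoft's policy templates use as far as I know them; treat them as assumptions to verify against the templates for your Windows version. The Set function must run in an elevated session.

```powershell
# Added example (not from the article or Microsoft): audit and enforce SmartScreen
# through the registry values written by the Group Policy templates.
# Assumption: value names as used by the IE and Windows policy templates; writing
# under HKLM requires an elevated PowerShell session.

$IePolicyKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter'
$ShellPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$ShellUserKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer'

function Get-RegistryValueOrNull {
    # Returns the named value, or $null if the key or the value does not exist.
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-SmartScreenState {
    # EnabledV8 / EnabledV9 (DWORD): "Prevent managing SmartScreen Filter" for IE8 / IE9+; 1 = forced on, 0 = forced off
    # EnableSmartScreen (DWORD): Windows shell policy; 0 = off, 1 = on (Windows 8/8.1: 1 = warn, 2 = require admin approval)
    # ShellSmartScreenLevel (String): Windows 10 1703 and later; "Warn" or "Block"
    # SmartScreenEnabled (String): the user-changeable setting; "RequireAdmin" is the Windows 8 default, else "Prompt" or "Off"
    [pscustomobject]@{
        IE_EnabledV8        = Get-RegistryValueOrNull -Path $IePolicyKey -Name 'EnabledV8'
        IE_EnabledV9        = Get-RegistryValueOrNull -Path $IePolicyKey -Name 'EnabledV9'
        Shell_PolicyEnabled = Get-RegistryValueOrNull -Path $ShellPolicyKey -Name 'EnableSmartScreen'
        Shell_PolicyLevel   = Get-RegistryValueOrNull -Path $ShellPolicyKey -Name 'ShellSmartScreenLevel'
        Shell_UserSetting   = Get-RegistryValueOrNull -Path $ShellUserKey -Name 'SmartScreenEnabled'
    }
}

function Test-SmartScreenEnforced {
    # True only when policy (not the user-changeable setting) pins SmartScreen on for both IE and the shell.
    param([pscustomobject]$State = (Get-SmartScreenState))
    $ieOn    = ($State.IE_EnabledV9 -eq 1) -or ($State.IE_EnabledV8 -eq 1)
    $shellOn = $State.Shell_PolicyEnabled -in @(1, 2)
    return [bool]($ieOn -and $shellOn)
}

function Set-SmartScreenPolicy {
    # Pins SmartScreen on for IE8+ and the Windows shell. -Level applies to Windows 10 1703+;
    # on Windows 8/8.1 set EnableSmartScreen to 2 instead to require administrator approval.
    [CmdletBinding(SupportsShouldProcess)]
    param([ValidateSet('Warn', 'Block')][string]$Level = 'Block')
    foreach ($key in $IePolicyKey, $ShellPolicyKey) {
        if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    if ($PSCmdlet.ShouldProcess('SmartScreen policy', "enforce (shell level: $Level)")) {
        New-ItemProperty -Path $IePolicyKey -Name 'EnabledV8' -PropertyType DWord -Value 1 -Force | Out-Null
        New-ItemProperty -Path $IePolicyKey -Name 'EnabledV9' -PropertyType DWord -Value 1 -Force | Out-Null
        New-ItemProperty -Path $ShellPolicyKey -Name 'EnableSmartScreen' -PropertyType DWord -Value 1 -Force | Out-Null
        New-ItemProperty -Path $ShellPolicyKey -Name 'ShellSmartScreenLevel' -PropertyType String -Value $Level -Force | Out-Null
    }
}

# Usage: audit first, enforce only when policy does not already pin the filter on.
$state = Get-SmartScreenState
$state | Format-List
if (-not (Test-SmartScreenEnforced -State $state)) {
    Write-Warning 'SmartScreen is not pinned by policy; run "Set-SmartScreenPolicy -Level Block" from an elevated prompt.'
}
```

Only the values under HKLM\SOFTWARE\Policies count as enforcement; the SmartScreenEnabled value under CurrentVersion\Explorer is what the Action Center control writes and any local administrator can change it, which is why the audit reports it separately.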

Critics raised concerns about the privacy, legality and effectiveness of the new system, suggesting that the automatic analysis of files (which involves sending a cryptographic hash of the file, together with the user's IP address, to a Microsoft server) could be used to build a database of users' downloads, and that the use of the outdated SSL 2.0 protocol for this communication could allow an attacker to eavesdrop on the data. In response, Microsoft issued a statement noting that IP addresses were collected only as part of the normal operation of the service and would be periodically deleted, that SmartScreen on Windows 8 would use only SSL 3.0 (a protocol that has itself since been deprecated as insecure), and that information gathered via SmartScreen would not be used for advertising or sold to third parties.[11]

SmartScreen in Outlook.com

Outlook.com uses SmartScreen to protect users from unsolicited e-mail (spam), fraudulent e-mail (phishing) and malware spread by e-mail. The system examines the message itself, the hyperlinks it contains and its attachments.

Junk mail (spam)

To filter spam, the SmartScreen filter uses machine learning from Microsoft Research; the classifier learns from known spam and from user feedback whenever a user marks a message as "Spam".

Over time, this feedback helps the SmartScreen Filter distinguish the characteristics of unwanted and legitimate e-mail, and it also lets the filter build a reputation for each sender from the messages already checked from them. Using these algorithms and the sender's reputation, each message is assigned a Spam Confidence Level (SCL) score; the lower the score, the more likely the message is wanted. A score of -1, 0 or 1 means the message is not spam (with -1 indicating that filtering was skipped, for example for a trusted sender) and it is delivered to the recipient's inbox. A score of 5 or 6 means the message is spam, and 7, 8 or 9 means it is high-confidence spam; in both cases it is delivered to the recipient's Junk folder.[12] Scores 2 to 4 are not produced by the filter. The SCL of a message can be read from the X- headers of the received message, for example X-MS-Exchange-Organization-SCL in Exchange Online.

Phishing

The SmartScreen Filter also analyses e-mail messages for fraudulent and suspicious web links. If such suspicious characteristics are found in a message, it is either moved straight to the Junk folder or delivered with a red information bar at the top that warns of the suspect properties. SmartScreen also guards against spoofed domain names by verifying whether a message was really sent by the domain it claims to come from; for this it uses Sender ID and DomainKeys Identified Mail (DKIM). Messages from authenticated senders are made easier to distinguish by a green shield icon next to the subject line.[13][14]
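The following PowerShell script is an added example, not code from the article or from Microsoft. It serves both the junk-mail and the phishing subsections above: it unfolds a received message's headers, reads the SCL and maps it to the delivery decision the article describes, and extracts the SPF/Sender ID and DKIM results that decide whether a sender counts as authenticated. Assumptions: the SCL header names are those stamped by Exchange Online (X-MS-Exchange-Organization-SCL, and SCL:n inside X-Forefront-Antispam-Report), the Authentication-Results format follows Microsoft's style, the "both pass" rule for the authenticated-sender shield is my reading of the text, and the sample header block is constructed rather than captured.

```powershell
# Added example (not from the article or Microsoft): read the SmartScreen verdict
# stamped in a received message's headers. Assumptions: Exchange Online header
# names for the SCL; the sample header block below is constructed, not captured.

$SampleHeaders = @"
Received: from mail.example.net (203.0.113.10) by mx.example.org
 with SMTP; Mon, 1 Jan 2016 10:00:00 +0000
Authentication-Results: spf=pass (sender IP is 203.0.113.10)
 smtp.mailfrom=example.net; dkim=pass (signature was verified)
 header.d=example.net
X-MS-Exchange-Organization-SCL: 6
From: Accounts <accounts@example.net>
Subject: Your invoice is attached
"@

function ConvertFrom-MailHeaders {
    # Unfolds RFC 5322 headers (continuation lines start with whitespace) into a
    # lower-cased name -> array-of-values table, so repeated headers are all kept.
    param([Parameter(Mandatory)][string]$Raw)
    $headers = @{}
    $current = $null
    foreach ($line in ($Raw -split "`r?`n")) {
        if ($current -and $line -match '^[ \t]+(.*)$') {
            $headers[$current][-1] += ' ' + $Matches[1].Trim()
        } elseif ($line -match '^([^:\s]+):[ \t]*(.*)$') {
            $current = $Matches[1].ToLowerInvariant()
            if (-not $headers.ContainsKey($current)) { $headers[$current] = @() }
            $headers[$current] += $Matches[2]
        } elseif ($line -eq '') {
            break   # a blank line ends the header section
        }
    }
    return $headers
}

function Get-SmartScreenVerdict {
    # Maps the SCL to the delivery decision described in the article and reports
    # the Sender ID/SPF and DKIM results behind the "authenticated sender" shield.
    param([Parameter(Mandatory)][string]$Raw)
    $h = ConvertFrom-MailHeaders -Raw $Raw

    $scl = $null
    if ($h.ContainsKey('x-ms-exchange-organization-scl')) {
        $scl = [int]$h['x-ms-exchange-organization-scl'][0]
    } elseif ($h.ContainsKey('x-forefront-antispam-report') -and
              $h['x-forefront-antispam-report'][0] -match 'SCL:(-?\d+)') {
        $scl = [int]$Matches[1]
    }

    if ($null -eq $scl)  { $disposition = 'Unscored (no SCL header)' }
    elseif ($scl -le 1)  { $disposition = 'Inbox' }   # -1 = filtering skipped, 0/1 = not spam
    elseif ($scl -ge 7)  { $disposition = 'Junk (high confidence spam)' }
    elseif ($scl -ge 5)  { $disposition = 'Junk (spam)' }
    else                 { $disposition = 'Unassigned (2-4 are not produced by the filter)' }

    # Authentication-Results is only meaningful if the receiving host strips any copy the
    # sender added; treat it as the receiver's verdict, never as the sender's claim.
    $spf = $dkim = 'none'
    if ($h.ContainsKey('authentication-results')) {
        $ar = $h['authentication-results'][0]
        if ($ar -match '(?:spf|senderid)=(\w+)') { $spf  = $Matches[1] }
        if ($ar -match 'dkim=(\w+)')             { $dkim = $Matches[1] }
    }

    [pscustomobject]@{
        Scl           = $scl
        Disposition   = $disposition
        Spf           = $spf
        Dkim          = $dkim
        Authenticated = ($spf -eq 'pass' -and $dkim -eq 'pass')   # green-shield rule, assumed
    }
}

# Usage with the constructed sample: SCL 6 gives "Junk (spam)", with SPF and DKIM both pass.
Get-SmartScreenVerdict -Raw $SampleHeaders | Format-List
```

The sample deliberately combines a passing SPF and DKIM result with an SCL of 6: authentication only says the message really came from example.net, not that example.net is trustworthy, so the two signals are reported separately rather than collapsed into one verdict.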

SmartScreen in other products

SmartScreen is also included in Microsoft Outlook and Microsoft Exchange Server.[15]

Effectiveness

In late 2010, the results of browser malware testing by NSS Labs were published.[16] The study looked at each browser's ability to prevent users from following socially engineered links to malicious sites and downloading malicious software. It did not test the browsers' ability to block malicious web pages or exploit code.

According to NSS, Internet Explorer 9 blocked 99% of malware downloads, compared with 90% for Internet Explorer 8, which lacks the SmartScreen Application Reputation feature, and 13% for Firefox, Chrome and Safari, which all use the malware filter provided by Google; Opera 11 brought up the rear, blocking just 5%.[17][18][19] The SmartScreen filter was also noted for adding newly reported malicious sites to its blocklists almost instantaneously, whereas the blocklists used by other browsers took several hours to update.

In early 2010, similar tests had given Internet Explorer 8 an 85% score, the five-point improvement being attributed to "continued investments in improved data intelligence".[20] By comparison, the same research showed that Chrome 6, Firefox 3.6 and Safari 5, which all rely on Google's Safe Browsing service, scored 6%, 19% and 11% respectively. Opera 10 scored 0%, failing to "detect any of the socially engineered malware samples".[21]

Makers of other browsers criticised the test, focusing on the lack of transparency about the URLs tested and the lack of consideration for layers of security beyond the browser itself. Google commented that "The report itself clearly states that it does not evaluate browser security related to vulnerabilities in plug-ins or the browsers themselves",[22] and Opera commented that it was "odd that they received no results from our data providers" and that "social malware protection is not an indicator of overall browser security".[23]

In July 2010, Microsoft claimed that SmartScreen on Internet Explorer had blocked over a billion attempts to access sites containing security risks.[24]

According to Microsoft, the SmartScreen Filter in Outlook.com blocks 4.5 billion unwanted e-mails a day from reaching users. Microsoft also claims that only 3% of incoming e-mail is junk, but a test by Cascade Insights found that just under half of all junk mail still reached users' inboxes.[25][26]

In a September 2011 blog post, Microsoft stated that SmartScreen had stopped 1.5 billion attempted malware attacks and over 150 million attempted phishing attacks.[27]

Criticism

Users cannot report phishing URLs through an online form. Instead, they must open the suspicious URL in Internet Explorer and use its "Report this website" feature,[28] which exposes the reporter to any drive-by download or other malicious content on the page in order to report it. Users of non-Microsoft browsers have no way to report phishing URLs to Microsoft.

SmartScreen filters can be bypassed. Some phishing campaigns send e-mail linking to a front-end URL that is not in the Microsoft database; clicking it redirects the user to the malicious site.[29] Because the "Report this website" option in Internet Explorer reports only the currently open page (the final destination), the front-end URL cannot be reported and remains unblocked.

SmartScreen creates a problem for small software vendors who distribute updated installers or binaries over the Internet. Each new release is a file with a new hash and therefore no download history, so SmartScreen warns that the file is not commonly downloaded and could harm the computer, until enough users have downloaded it (or unless it is signed with a certificate that has already built up a reputation[8][9]). A common distribution trick to sidestep the warning is to pack the installer (Setup.exe) into a ZIP archive, which can confuse non-expert users. The trick works because SmartScreen only checks files that carry the "mark of the web" left on them by the download, and some archive tools do not propagate that mark to the files they extract.
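The following PowerShell script is an added example, not code from the article or from Microsoft. It makes concrete the mechanism behind both the Windows section above ("any file or application downloaded from the Internet") and the ZIP trick just described: the Zone.Identifier alternate data stream, or "mark of the web", that browsers write to a downloaded file and that Windows SmartScreen checks for before running it. It reads and parses the stream, stamps a test file the way a browser would, removes the mark with Unblock-File, and checks whether a Compress-Archive / Expand-Archive round trip preserves it. The example URL and the test file contents are constructed; the script is Windows-only (NTFS streams) and needs PowerShell 5.0 or later for the archive cmdlets.

```powershell
# Added example (not from the article or Microsoft): read, write and remove the
# Zone.Identifier "mark of the web" that Windows SmartScreen keys on, and check
# whether a ZIP round trip keeps it. Windows only (NTFS alternate data streams);
# PowerShell 5.0 or later for Compress-Archive / Expand-Archive.

function Get-MarkOfTheWeb {
    # Parses the Zone.Identifier stream; ZoneId 3 (URLZONE_INTERNET) is what triggers a SmartScreen check.
    param([Parameter(Mandatory)][string]$Path)
    $lines = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $lines) { return $null }
    $fields = @{}
    foreach ($line in $lines) {
        if ($line -match '^(\w+)=(.*)$') { $fields[$Matches[1]] = $Matches[2] }
    }
    $zone = $null
    if ($fields.ContainsKey('ZoneId')) { $zone = [int]$fields['ZoneId'] }
    [pscustomobject]@{
        Path        = $Path
        ZoneId      = $zone
        ReferrerUrl = $fields['ReferrerUrl']   # $null when the downloading application did not record it
        HostUrl     = $fields['HostUrl']
    }
}

function Set-MarkOfTheWeb {
    # Stamps a file as downloaded from the Internet, the way a browser would (used here on a test file only).
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$HostUrl = 'https://downloads.example.test/Setup.exe'   # constructed example URL
    )
    $content = @('[ZoneTransfer]', 'ZoneId=3')
    if ($HostUrl) { $content += "HostUrl=$HostUrl" }
    Set-Content -Path $Path -Stream Zone.Identifier -Value $content
}

function Remove-MarkOfTheWeb {
    # Unblock-File deletes the stream; SmartScreen then no longer checks the file, so this is a trust decision.
    param([Parameter(Mandatory)][string]$Path)
    Unblock-File -Path $Path
}

function Test-ZipRoundTripKeepsMark {
    # Returns $true if a marked file is still marked after Compress-Archive / Expand-Archive.
    # Explorer's built-in extraction propagates the mark; extractors that do not are the reason
    # the "ship Setup.exe inside a ZIP" trick described in the article sidesteps the warning.
    param([string]$WorkDir = (Join-Path $env:TEMP ('motw-' + [guid]::NewGuid())))
    New-Item -ItemType Directory -Path $WorkDir | Out-Null
    try {
        $src = Join-Path $WorkDir 'Setup.exe'   # constructed test file, not a real installer
        Set-Content -Path $src -Value 'not an executable, just test bytes'
        Set-MarkOfTheWeb -Path $src
        $zip = Join-Path $WorkDir 'Setup.zip'
        Compress-Archive -Path $src -DestinationPath $zip -Force
        $out = Join-Path $WorkDir 'extracted'
        Expand-Archive -Path $zip -DestinationPath $out -Force
        $mark = Get-MarkOfTheWeb -Path (Join-Path $out 'Setup.exe')
        return [bool]($mark -and $mark.ZoneId -eq 3)
    } finally {
        Remove-Item -Path $WorkDir -Recurse -Force -ErrorAction SilentlyContinue
    }
}

# Usage
$tmp = Join-Path $env:TEMP 'motw-demo.bin'
Set-Content -Path $tmp -Value 'test'
Set-MarkOfTheWeb -Path $tmp
Get-MarkOfTheWeb -Path $tmp | Format-List
"ZIP round trip keeps the mark: $(Test-ZipRoundTripKeepsMark)"
Remove-MarkOfTheWeb -Path $tmp
"Mark present after Unblock-File: $($null -ne (Get-MarkOfTheWeb -Path $tmp))"
Remove-Item -Path $tmp
```

Run Test-ZipRoundTripKeepsMark with your own extraction tool substituted for Expand-Archive to see whether that tool preserves the mark; a tool that drops it silently removes the SmartScreen check for every file it unpacks.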

References

  1. ^ "Phishing Filter to be Available in Internet Explorer 7". Help Net Security. Help Net Security. 30 September 2005. Retrieved 3 August 2016. 
  2. ^ "Please upgrade your browser - Microsoft Windows". Microsoft.com. Retrieved January 25, 2013. 
  3. ^ Lawrence, Eric (July 2, 2008). "IE8 Security Part III: SmartScreen Filter". Retrieved September 2, 2008. 
  4. ^ "The Q3 Socially Engineered Malware Test Report" (PDF). August 14, 2009. 
  5. ^ Marius Oiaga (2010-07-24). "IE8 Blocked Over 1 Billion Malware Download Attempts". Softpedia.com. 
  6. ^ Ryan Colvin(Microsoft) (2011-03-10). "Internet Explorer 9: Protection from Socially Engineered Attacks with SmartScreen URL Reputation". 
  7. ^ O'Brien, Terrence (June 20, 2012). "Microsoft unveils Internet Explorer 10 for Windows Phone, very similar to the desktop". Engadget. Retrieved August 26, 2012. 
  8. ^ Tung, Liam. "Win8 SmartScreen nudges software sellers to buy code signing certs". CSO. IDG. Retrieved September 12, 2012. 
  9. ^ Tung, Liam (16 August 2012). "Win8 SmartScreen nudges software sellers to buy code signing certs". CSO. IDG Communications. Retrieved 12 September 2012. 
  10. ^ Larramo, Mika. "Windows SmartScreen - Anti-Malware Protection in Windows 8". SamLogic. SamLogic. Retrieved 11 January 2013. 
  11. ^ Bright, Peter (25 August 2012). "Windows 8 privacy complaint misses the forest for the trees". Ars Technica. Condé Nast. Retrieved 12 September 2012. 
  12. ^ "Spam confidence levels: Exchange Online Help". technet.microsoft.com. Retrieved 2016-08-18. 
  13. ^ "Security features in Outlook.com". Microsoft Corporation. 
  14. ^ "Security Upgrades in the new Hotmail". Microsoft Corporation. 
  15. ^ "Spam Email Filtering | Junk Mail Filter | Prevent Spam". www.microsoft.com. Retrieved 2016-08-07. 
  16. ^ Web Browser Group Test Socially-Engineered Malware Q3 2010, nsslabs.com 
  17. ^ Bright, Peter (2011-07-16). "Internet Explorer 9 utterly dominates malware-blocking stats". ArsTechnica. Retrieved 2011-07-16. 
  18. ^ "Web Browser Group Test Socially-Engineered Malware". NSS Labs. 2011-07-16. 
  19. ^ Dunn, John E. (18 July 2011). "Internet Explorer 9 hammers rivals in download blocking test". InfoWorld. IDG Enterprise. Retrieved 12 September 2012. 
  20. ^ Enhanced Protection with IE9’s SmartScreen Filter, microsoft.com 
  21. ^ Rubenking, Neil J. (2010-12-14), NSS Labs: Internet Explorer 9 Offers Best Protection, pcmag.com 
  22. ^ Rubenking, Neil (2010-12-15). "Google Responds to NSS Labs Browser Security Report". PC Mag. Retrieved 2011-01-16. 
  23. ^ Bakke, Kurt (2010-12-17). "Opera Also Questions IE Security Test Results". ConceivablyTech.com. Archived from the original on December 28, 2010. Retrieved 2011-01-16. 
  24. ^ James, Martin (26 July 2010). "IE8 SmartScreen filter racks up a billion malware blocks". IT Pro. Dennis Publishing. Retrieved 12 September 2012. 
  25. ^ "Effectiviteit SmartScreen-filter in Hotmail/Outlook.com" [Effectiveness of the SmartScreen filter in Hotmail/Outlook.com]. Microsoft Corporation. 
  26. ^ "E-mailfiltervergelijking" [E-mail filter comparison]. Cascade Insights. 
  27. ^ "Protecting you from malware". Microsoft Corporation. 
  28. ^ "SmartScreen Filter: frequently asked questions". Microsoft. Microsoft. Retrieved 21 November 2013. 
  29. ^ Aggarwal, Anupama; Rajadesingan, Ashwin; Kumaraguru, Ponnurangam (29 January 2013). "PhishAri: Automatic Realtime Phishing Detection on Twitter". Social and Information Networks. Cornell University. arXiv:1301.6899.