IE8 Security Part VIII: SmartScreen Filter Release Candidate Update

Hello, I’m Alex Glover and I’m the test owner of the SmartScreen Filter in Internet Explorer 8. The SmartScreen Filter helps protect IE8 users against phishing scams and sites distributing malware. In a previous post, Eric described the SmartScreen features and improvements over the Phishing Filter in IE7, such as anti-malware support, new user interface, and better performance. Today I’m going to talk about how SmartScreen works with other features to combat malware, and describe the changes we’ve made in the IE8 Release Candidate to help keep you safe.

Real-World Malware Attacks
Malware authors are always trying to come up with new ways to infect your computer, and one common method is by tricking you into downloading what you think is a legitimate program. We recently saw an interesting example of such a trick, as reported by the SANS Internet Storm Center and the Grand Forks Herald. Fake parking tickets placed on cars around a city directed users to a website where they would need to install a toolbar to view pictures of their violation; the toolbar turned out to be malware. The database used by the SmartScreen Filter was immediately updated, and any user who tried to download this malware toolbar would have had it blocked, if they were running IE8 with the SmartScreen Filter enabled.

Malware Attacks in the Browser
Generally speaking, there are two ways malicious sites can attempt to infect your computer. One way is to exploit vulnerabilities in a web browser to automatically install malware without any user interaction, also known as a drive-by download. The other way is to lure or trick the user into choosing to download and run a program that is in fact malware, as in the example above. For complete protection, we must guard against both avenues of attack.

Several other features of IE8 and Windows Vista help protect against drive-by attacks that attempt to run without the user’s knowledge or consent. These features include DEP/NX memory protection, ActiveX security improvements, and User Account Control combined with IE’s Protected Mode. But none of these can protect the user from a program that they choose to download and give permission to run. That’s where the SmartScreen Filter is important, as a defense against malware “coming in through the front door”.

Improved Blocking Page
A common piece of feedback on the SmartScreen Filter in IE8 Beta 2, especially from the security community, was that it’s too easy for users to click through the SmartScreen blocking page and end up at a dangerous website. We’ve acted on this feedback in IE8 RC1 and changed the SmartScreen blocking page to better protect and inform users. We want to encourage people encountering this page to make the safe choice, and also help them find additional information. Here’s a screenshot of the new version:

SmartScreen blocking page in IE8 RC

By default, the blocking page has a single “Go to my home page instead” link. This makes the recommended next step clear, instead of presenting several options at once and forcing the user to read through them all and decide. Those users who are interested can click “More information”:

SmartScreen blocking page after clicking More Information

After you click “More information”, additional details and links appear. The “Learn more about phishing”/“Learn more about malicious software” link takes you to a page where you can find information about these risks and how you can protect yourself (that page is still in development, so currently the link points to the SmartScreen Filter FAQ).

You can still choose to ignore the SmartScreen warning by clicking the “Disregard and continue” link. By hiding this link initially, moving it to the bottom of the page, and requiring two clicks in total to get to the unsafe website, we hope to reduce the number of accidental or casual click-throughs. While some people may be curious to see the blocked site, the safe action is to simply go someplace else. Domain administrators can also use Group Policy to remove the “Disregard and continue” link and prevent users from overriding the SmartScreen warning.

Redesigned Unsafe Download Dialog
In IE8 Beta 2, we added protection against malware, malicious software that attacks your computer or steals personal information. If you start to download a file from a site known to distribute malware, the SmartScreen Filter will block the download and display a dialog warning you of the threat. Here’s what that looked like in Beta 2:

Unsafe download dialog in IE8 Beta 2

While this dialog served the purpose of blocking the download, it didn’t communicate the risk as effectively as it could have. In IE8 RC1, we’ve redesigned the dialog to be bolder, as you can see in this screenshot:

Unsafe download dialog in IE8 RC

The new dialog has a red banner and one-line summary at the top to make the danger easy to understand at a glance. Below that, we added an explanation of what it means for a download to be unsafe. As with the blocking page, domain administrators can remove the “Disregard and download unsafe file” link using Group Policy.

The SmartScreen Filter plays a critical role in keeping you safe online. As we see in news reports like the one I mentioned, malware authors are constantly thinking up new ways to attempt to get their code on to your computer. We’ve made changes to protect our users even better by making the risks of malicious sites clearer and discouraging people from clicking past the warnings. I encourage you to turn on the SmartScreen Filter in the IE8 Release Candidate, and continue giving us your feedback. Thanks!

Alex Glover
Software Development Engineer in Test

Comments (26)

  1. Jereck says:

    Please, give an option (Internet Settings, Advanced tab) to allow advanced users to have the "Disregard and continue" directly visible.

    Everyday I have to use "unsafe websites" like web-based VPN, secured with SSL certificates issued by my customers’ organisations.

  2. AlexGl [MSFT] says:

    @Jereck: It sounds like you’re referring to the invalid/expired/self-signed certificate warning page. That page is still the same. The changes I described only apply to the SmartScreen Filter warning page.

  3. 8675309 says:

    why was protect mode for ie7 removed from default for trusted sites

  4. frymaster says:

    "Everyday I have to use "unsafe websites" like web-based VPN, secured with SSL certificates issued by my customers’ organisations."

    In that situation I’d install the certificates in your trusted certificate store.  Otherwise you can’t tell the difference between an untrusted certificate (self-signed by the customer) and an untrusted certificate (because of a man-in-the-middle attack)
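frymaster's point above, as an added shell example (not part of the original thread): until the customer's CA is a trust anchor, the genuine certificate and a self-signed impostor with the same name both fail validation, and only after it is installed do they differ. The names `Customer Org CA` and `vpn.customer.example` are made up, and `openssl verify` stands in for the Windows certificate store check.

```shell
#!/usr/bin/env bash
# Constructed demo: every name and key here is throwaway, generated locally.

# Build a customer CA, a server cert it signs, and a self-signed impostor
# cert that copies the server's subject name.
make_demo_certs() {
  dir=$1
  # The customer's private CA: the certificate you would import as trusted.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Customer Org CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1
  # Genuine VPN server certificate, signed by that CA.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=vpn.customer.example" \
    -keyout "$dir/srv.key" -out "$dir/srv.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$dir/srv.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -out "$dir/srv.pem" 2>/dev/null || return 1
  # Impostor: same subject name, self-signed with an unrelated key.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=vpn.customer.example" \
    -keyout "$dir/fake.key" -out "$dir/fake.pem" 2>/dev/null || return 1
}

# Print "trusted" or "untrusted" for certificate $2.
# $1 is an extra trust anchor file; pass "" to use only the default store.
check_cert() {
  if [ -n "$1" ]; then set -- -CAfile "$1" "$2"; else set -- "$2"; fi
  if openssl verify "$@" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

demo() {
  d=$(mktemp -d) || return 1
  make_demo_certs "$d" || { rm -rf "$d"; return 1; }
  echo "customer CA not installed:"
  echo "  genuine:  $(check_cert "" "$d/srv.pem")"
  echo "  impostor: $(check_cert "" "$d/fake.pem")"
  echo "customer CA installed as trust anchor:"
  echo "  genuine:  $(check_cert "$d/ca.pem" "$d/srv.pem")"
  echo "  impostor: $(check_cert "$d/ca.pem" "$d/fake.pem")"
  rm -rf "$d"
}

demo
```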

  5. WindowsFanboy says:

    IE 8 RC1 doesn’t show a progress bar during installation with many third-party themes (ones where the progress bar is solid instead of segmented). Here’s an example theme:

    Maybe you can change the installer so that the progress bar will go all the way across once, instead of a few segments going across many times.


  6. Rob Parsons says:


    Using XP SP3/IE8 RC1 virtual image.

    (Don’t do this with your production machines)

    I just went to and I was amazed to find that I could continue to the Cursor Mania installation page

    – This page installs the MyWebSearch toolbar as a downloaded ActiveX component, circumventing the unsafe download prompts (Smart Screen Filter is turned on). Only the ActiveX Download Info bar appears.

    Setting a killbit for the ActiveX UID will not work as a COM Toolbar is actually installed which has a different CLSID.

    Their products may not be considered as Malware (by some, but they do use a Search Hook hijack that over-rides the built-in IE SearchHook), but I certainly feel that they are abusive of IE and considerably degrade its performance.

    Funwebproducts and cursormania are domains that are included in the’s Untrusted Sites entries, but apparently not in the MS Smart Screen Filter database.

    I would like you to give the funwebproducts site some thought, and consider how the Smart Screen Filter and the unsafe download prompt can be applied to the installation of downloaded ActiveX controls.

    I know that Funwebproducts may have strong commercial relationships with reputable vendors, but perhaps you can use the threat of including their sites in the Safe Screen Filter database as an incentive for them to improve their products and remove their browser hijacks.

    Regards. Rob ^_^

  7. travis says:

    @Rob Parsons – Here, Here!

    There should be no way that ANYTHING can install itself just by viewing a website.  It doesn’t matter if it is the coolest software ever, installing without consent is disgusting and should be blocked (read the browser should never have allowed this behavior in the first place).

  8. steppres says:

    Of the 3 browser anti-phishing implementations I’ve used (IE8, Opera and Firefox 3), this is the best. Both Opera and Firefox have a direct link displayed that takes the user to the flagged site. IE8’s use of a hidden info box is a great idea that will protect and educate users. Bravo IE8 team, you’ve really turned Internet Explorer around!

  9. EricLaw [MSFT] says:

    @Rob Parsons: SmartScreen will block (completely, with no override prompt) installation of malicious ActiveX controls.

    @Travis: I think you’re overlooking the fact that nothing "installs itself."  The user must manually choose to install the FunWebProduct in order for the tool to be installed.  IIRC, the FunWebProduct has an accurate disclosure that explains what it does and an uninstaller that completely reverts its behavior, suggesting that it doesn’t meet the definition of malware.  

    Obviously, Microsoft cannot just go around blocking software that we personally don’t care for– there are specific criteria around what will and will not be blocked.  Please see for further detail.

  10. hAl says:


    "the FunWebProduct has an accurate disclosure that explains what it does"

    Check how this download page is exactly obscuring that disclosure info by blurring it into a background:

    These notorious scammers are some of the worst kind of malware creators in the world and they definitely violate several of the rules on the page that you provide.

    If those are not blocked then frankly smartfilter is not doing its job

  11. PA says:

    To further discourage people from clicking the "disregard and download unsafe file (recommended)" link button and make an expand button to view that linked button instead. Instead of 1 click, users now have to do two clicks.

  12. EricLaw [MSFT] says:

    @hAl: The page that actually launches the install has a much more clear link to the EULA and privacy policy.  As outlined on the Defender page, there are many different types of potentially unwanted and malicious software.  

    The SmartScreen filter is designed to block malicious software according to specific criteria. SmartScreen blocks fake AV products, greeting card trojans, and myriad other types of malware.  

    "Potentially unwanted software" which does not meet the "malicious software" bar (because it does not misrepresent itself, has a clear privacy policy/license agreement, can be fully uninstalled, etc) will not be blocked by SmartScreen.  Users who do not agree with the practices and policies for such software should simply not install it.

  13. Vilius says:

    Eric, on the one hand I agree with you that software that has clear policy etc. should not be blocked. BUT on the other hand I agree with hAl that IE should do SOMETHING before user installs that kind of software. I would suggest showing the user a prompt with big exclamation mark that this software was found unwanted by most users and he should REALLY consider before installing it. SmartFilter should really make users SMARTER 🙂

  14. hAl says:


    The page I showed the link to was clearly deceptive on purpose.

    Obscuring information on what the software does was no coincidence and is clearly deceptive.

    I read the Microsoft page you listed and the cursormania software qualifies on several of the items listed on that page. (as probably all junk software does)

    If standards at MS for smartscreen filter are so low that cursormania is not considered malware then the filter is useless. I have seen trojans that do less harm to people’s computers than this rubbish.

  15. Frank says:

    hal– "no coincidence."

    sez you… and maybe it’s not… but your opinion doesn’t matter in courtroom, which is where things like this end up.  

    don’t believe me?  google for "Blue Mountain Arts junk mail lawsuit" or see //

  16. Sage says:

    MS sure has low standards. FunWebProducts is clearly deceptive and does unwanted things to any Windows OS but you won’t block it? I can’t believe what I’m reading from a MSFT employee.

  17. war59312 says:

    I’d say block it too!

    If your users are asking you to block it, screw the "standards" and keep your users happy. 😉

  18. Rob Parsons says:

    FunWebProducts – Seems like I started a bar fight.(unintentional)

    Guys & Girls (and Will) – give Eric and MS a break. The bad guys are continually testing the waters to fend off criticism or denial of credibility of their products. It is a continual catch-up game. Lawyers aren’t cheap. Politicians are useless.

    Eric – MS or somebody needs to review these borderline Addon publishers on a regular basis. It would appear that the latest offerings from FWP now meet the criteria to be classed as malware – Group Policy changes are made to block access to the Add/Remove Programs applet making it impossible for novice users to remove their products.

    I don’t know how you are going to Police sites like this. You can’t be always adding or removing them from your listings. Perhaps public or peer opinion may be the best indicator.

    I am sad to see that has closed.

    The Addons Manager’s "Search for this Addon via default Search Provider" could be improved if it used a dedicated IE Addons database.

    FWP hijack the Search Provider and don’t incriminate their own products. It takes you directly to their site instead.

    Live returns no results.

    I can see opportunities here for an Addons developer to improve upon what you have done so far. How is HW progressing?


  19. gerald says:


    If an addon/toolbar/program does not have a built in (un-hindered) uninstall that registers in the add/remove programs dialog then IT IS UNFIT for installation, PERIOD.

    If Rob Parsons’ comments are correct, and the uninstall is blocked, then this software is officially malware.

    Every time I read this stuff I am so glad that Firefox is my default browser and where I install my addons.

  20. Oliver says:

    Sage and Will have apparently been living under a rock for the last few decades.  Guys, Google for "Microsoft anti-competitive" and learn why it might not be such a bright idea to deliberately block other ppl’s non-malicious software, even if lots of ppl want them to.

    If Rob can show that Group Policy changes are made (instead of making a bold unproven claim here) I bet that the MS guys will block that junk right away.

  21. Ron says:

    <<I am so glad that Firefox is my default browser>>

    you know that firefox has addons that cannot be uninstalled without hunting down obscure config options, right?  that’s why they provide a step by step list of files and folders to manually mess with: //

    IE and firefox aren’t that different.  Don’t install junk addons you don’t want, and everything’s just fine.

  22. Rob Parsons says:

    FWP – The Add/Remove Programs block turned out to be part of the XP virtual machines original settings.

    Use SCF in conjunction with Untrusted sites lists to protect your users and networks.

    Just goes to show that security is n-tier. The weakest link is the keyboard nut.

  23. IEBlog says:

    Today we’re excited to release the final build of Internet Explorer 8 in 25 languages. IE8 makes what

  24. Manoj says:

    I open a HTTPS URL in IE8 which uses invalid cert(expired/CA not trusted/subject name mismatch), I get "There is a problem with this website’s security certificate" message which gives me option to continue or to close the web page. if I continue, I get the webpage loaded in the browser. if I open a link in this webpage in a new tab or if that webpage opens a pop-up, IE8 is again presenting me the ‘There is a problem with cert..’ message. this never used to happen in IE7. is this a change in behaviour? or a bug in IE8?

  25. EricLaw [MSFT] says:

    @Manoj: This is a limitation introduced by IE8’s multiple-process "LCIE" architecture.  The user’s choice to accept an invalid certificate is not brokered to new processes as they are created for popup windows or new tabs.

    We broker most other state (including cookies, HTTP authentication, etc) but unfortunately did not have a chance to fix this corner case.

  26. I attended Scott Charney’s keynote this morning at RSA – Moving Towards End to End Trust