IE8 Security Part IX – Anti-Malware protection with IE8’s SmartScreen Filter


Over the last year, we’ve published two posts about how the IE8 SmartScreen® filter helps to prevent phishing and malware attacks.  In this post, I’d like to share some real-world data on the protection provided to IE8 pre-release users by the anti-malware feature.  We’ve invested heavily in this feature, and we’ve seen significant results.

Here are some key statistics:

  • We have delivered over 10 million malware blocks in the past six months
  • That’s a block for one out of 40 users, every week
  • We’ve seen (and blocked) one in every 200 downloads as malicious

These are BIG numbers – each malicious download blocked helps prevent compromise of that user’s computer.

Here’s how it works: SmartScreen’s malware protection focuses on identifying and blocking sites on the web that are distributing malicious software.  As a reputation-based feature, SmartScreen can block new threats from existing malicious sites, even if those threats are not yet blocked by traditional anti-virus or anti-malware signatures.  In this way, the SmartScreen filter complements traditional anti-virus products by providing additional dimensions for both identification and protection.  For comprehensive protection from malware, we highly recommend that users also install traditional anti-virus products and keep them up to date.

SmartScreen delivers blocks both in the navigation experience and in the file download experience depending on the situation.  This level of control allows us to block entirely malicious sites, portions of sites or just a single malicious download on an otherwise clean site (for instance, a social networking or file-sharing site).  Similar to our anti-phishing efforts, we source the malware data based on a combination of Microsoft internal and 3rd party data to deliver the most relevant, comprehensive protection.  We’re committed to making the browsing experience safer and have a team of people constantly researching and improving protection.
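A toy reputation matcher, added here as an illustration and not SmartScreen’s own code or data format, showing the three block granularities the post describes (an entire site, a section of a site, a single download on an otherwise clean site) and which experience, navigation or download, would surface the block. The hostnames, rule tuples and specificity ordering are constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample reputation feed: (scope, pattern, category).
# Hosts are hypothetical and the rule format is invented for this illustration.
RULES = [
    ("host",   "malware-distributor.example",             "malware"),   # whole site
    ("prefix", "bank-login.example/secure/",              "phishing"),  # one section
    ("url",    "file-share.example/dl/codec_pack_v2.exe", "malware"),   # one download
]

# When several rules match, the most specific one decides the verdict.
SPECIFICITY = {"url": 3, "prefix": 2, "host": 1}


@dataclass(frozen=True)
class Verdict:
    decision: str            # "block" or "allow"
    category: Optional[str]  # "malware", "phishing" or None
    scope: Optional[str]     # "host", "prefix", "url" or None
    surface: Optional[str]   # where the block is shown: "navigation" or "download"


def normalize(url: str):
    """Reduce a URL to (host, path) so cosmetic variants hit the same rule."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")   # case and trailing dot
    path = parts.path or "/"
    while "//" in path:                                  # collapse duplicate slashes
        path = path.replace("//", "/")
    return host, path   # query string and fragment are ignored in this toy model


def _matches(scope: str, pattern: str, host: str, key: str) -> bool:
    if scope == "host":      # the host itself or any subdomain of it
        return host == pattern or host.endswith("." + pattern)
    if scope == "prefix":    # everything under a path prefix
        return key.startswith(pattern)
    return key == pattern    # one exact URL


def classify(url: str, rules=RULES) -> Verdict:
    """Look a URL up against the feed and say whether and where to block."""
    host, path = normalize(url)
    key = host + path
    best = None
    for scope, pattern, category in rules:
        if _matches(scope, pattern, host, key):
            if best is None or SPECIFICITY[scope] > SPECIFICITY[best[0]]:
                best = (scope, category)
    if best is None:
        return Verdict("allow", None, None, None)
    scope, category = best
    # A whole host or a section of it is blocked when the user navigates there;
    # a single file on an otherwise clean site is blocked in the download experience.
    surface = "download" if scope == "url" else "navigation"
    return Verdict("block", category, scope, surface)


if __name__ == "__main__":
    for u in [
        "http://MALWARE-DISTRIBUTOR.example./index.html",
        "https://bank-login.example/secure/login.php?session=1",
        "https://bank-login.example/about",
        "https://file-share.example//dl//codec_pack_v2.exe",
        "https://file-share.example/dl/readme.txt",
    ]:
        print(u, "->", classify(u))
```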

Not all malware protection is created equal – just because a browser has anti-malware features doesn’t mean it protects users from the most relevant threats.  A study comparing leading browsers on their ability to block malware attack sites that attempt to fool the user with social engineering was recently released by NSS Labs.  As you can see from the chart below, IE8 is detecting two to four times more attacks than the other browsers.  Note that IE7 does not have anti-malware URL filtering; the IE7 blocks below are due to malware sites that are also phishing sites blocked by IE7’s Phishing Filter.

Chart of Malware block rates from various browsers.

We’re committed to continuing to deliver the most relevant protection to our users.  With the investments we’ve made in hardening the IE platform, the user is usually the weakest link. Prevalent malware is packaged and delivered in such misleading ways that users understandably have a hard time recognizing when they are at risk.  That’s where SmartScreen steps in.

Here are some common examples of what users think they are downloading:

  • Anti-Virus/Anti-Spyware products
  • Free videos, codecs & images
  • Utilities or other software
  • Online greeting cards
  • Games

Here are the types of files users are actually trying to download:

  • Viruses
  • Spyware
  • Adware
  • Trojans
  • Backdoors
  • Dialers
  • Worms
  • Downloaders
  • Password stealers
  • Monitoring software

There are screenshots of several malicious sites in the safer online experience paper we recently published.

How you can help

Please report sites that you think may be malicious by using the built-in reporting mechanism in IE8. Click on the new Safety menu | SmartScreen Filter | Report Unsafe Website.  Reports of malicious sites will be verified by Microsoft and added to the SmartScreen filter database.

Comprehensive Protection

Even with the demonstrated efficacy of IE8’s SmartScreen filter, we know that internet crime will evolve.  That’s why it’s so important for us to invest in comprehensive protection to address emerging threats.  Key on our list are attacks against web applications, which represent increasingly valuable targets as users’ information is moved online.

  • IE8 is the only browser to block XSS attacks “out-of-the-box.”
  • IE8 introduced the first “out-of-the-box” mechanism to allow sites to prevent ClickJacking attacks.
  • IE8 introduces new functions which allow sites to build more-secure mashups (toStaticHTML(), XDomainRequest) and supports new standards-based mechanisms (Native JSON support, postMessage()).
  • Safer default settings (DEP/NX, per-site AX) mean that users are better-protected than ever before.  Group Policy controls (for ActiveX management, enforced SmartScreen blocking, etc.) allow IT administrators to reduce the number of trust decisions users face when using IE8.

We’re committed to protecting our users from the attacks of today and the attacks of the future.  Please stay tuned to the IEBlog for further posts on IE8 Security improvements and results.

Thanks!

Eric Lawrence
Program Manager

Comments (42)

  1. Anonymous says:

    Really nice!

    I would also love if you would fix all the bugs in IE8 final…

    For example that IE8 forgets picture download location and resets it to my pictures, the fact that the option to hide the activex infobar does simply nothing (if i don’t want to see that bar when i disable… flash), ie8 converting jpg/gif/png sometimes to .bmp on save, removal of reload on temporary popup allow, a way to fix xml if something messes it up -> ie8 and livemessenger history is trying to download a xml instead of showing it and all those annoying things…

    Please start bugfixing so we see these bugs fixed in the next few weeks, before you start working on IE9… thanks!

  2. Anonymous says:

    Eric Lawrence, MS IE Program Manager, blogs today about how the IE8 SmartScreen filter helps to prevent phishing

  3. Anonymous says:

    I love the Smart screen filter and I had picked up a trojan via the php getfile pdf exploit.

    I reported the site and in less than 24 hours the smart screen filter denied me access to the site. So I know it works and applaud the IE team for this.

    Suggestion. Once you hit a site and get hit by a trojan etc. you have to re-visit the site in order to report it. Can there be a way to right click on a URL from the History pane to ‘Report this URL’?

    For me, when I do get hit with a malicious script/file I close IE and proceed with containment and cleanup. So I hesitate to go back to the offending page/site just to report it. See what I mean?

    What about an offline tool where you can submit a URL? To avoid visiting the page again.

    Otherwise again I think the feature is great and I didn’t expect such a fast turn around time after I submitted the site.

    Great work!

  4. Anonymous says:

    although this is not related i have an issue with ie8; if you close a tab (clicking on the "X"), then switch to another open tab immediately (clicking on another tab) [i "think" this must be the tab to the left], the tab you just tried to close generates some kind of error/crash. ie8 itself does not crash (very impressed here) but the tab i just tried to close attempts to report the error to microsoft…

    my system meets the minimum requirements and the only addon enabled is wl toolbar. it might be that i click very fast (im one of the best clickers even if i say so myself) or there is an error on the page…

    i also know i have Visual Studio installed; it gives me the option to debug (im smart enough to know not to debug such a program)

    apart from the annoying 10 seconds… ish of waiting for the error to be reported, everything else seems fine and my browsing happily continues.

    the point is that i thought it was only firefox or some other that suffered from crashes?

    ps: keep up the good work

  5. Anonymous says:

    Are there any integration points for SmartScreen reporting via malware detection on the clients?

    For example, could Windows Defender or another AV product submit a problem report for a specific URL/download in which a virus was detected, directly?

    That’d seem to be a good "closed loop" system through which data aggregated from clients (without user activity in the form of reporting the site using the UI) could be quickly acted upon.

  6. Anonymous says:

    oh, i need to second Disk4mat; why would a "sane" person under normal circumstances go back to the site that led them to the malicious site – even if it is just to report that the site is bad? an offline tool is a no brainer indeed!

  7. Anonymous says:

    > IE8 introduced the first “out-of-the-box” mechanism to allow sites to prevent ClickJacking attacks.

    That’s not true. All other browsers support "frame busting" out-of-the-box. IE doesn’t, hence the need for alternate ClickJacking defences.

  8. Anonymous says:

    Don’t believe the hype from the flawed NSS study.

    http://blogs.zdnet.com/security/?p=2981

    "The study’s methodology is however, greatly flawed at several key points, making its conclusions open to interpretation which should be the case when making such comparative tests."

    "For starters, NSS Labs undertook a rather minimalistic approach towards the definition of web malware. In this study, the malware URLs they’re using are basically “links that directly lead to a download that delivers a malicious payload“, a decision that directly undermines the statement of “block rate” in times when client-side vulnerabilities are massively abused courtesy of web malware exploitation kits. And since no live exploit URLs were taken into consideration, the DEP/NX Memory Protection feature within IE8 was naturally not benchmarked against known exploits-serving sites, or at least wasn’t mentioned in the report."

    "Moreover, the competing browsers’ use of SafeBrowsing’s API, a combination of automatic (honey clients) and community-driven efforts to analyze a web site in a much broader “malicious” sense has a higher potential to maintain a more comprehensive database of known badware sites. It also comes as a surprise that Firefox, Safari and Chrome have such a varying block rates given that the browsers take advantage of the SafeBrowsing project’s database. Basically, having a set of ten malicious URLs and running it against the browsers is supposed to return identical results due to the centralized database of known badware sites."

    "Interestingly, the study used Apple Safari v3 in order to come up with the 24% block rate, which excludes the built-in anti-phishing and anti-malware features introduced in Safari v4. The report is released prior to IE8’s debut, but even if NSS’s study is in fact relevant in a real-life attack scenario, does it really matter that IE8 outperforms the rest of the browsers in times when IE8 users are downgrading to IE7? That very same IE7 which according to the study is offering “practically no protection against malware”?"

  9. Anonymous says:

    I found this suggestion for filtering annoying ads (which of course is missing in smartscreen filtering)

    http://www.dslreports.com/forum/r22124619-IE8-InPrivate-filter-from-adblock-plus-list

    Will this kind of ad filtering affect IE8 performance ?

  10. Anonymous says:

    @Fango: If the user opts-in, Windows Defender feeds malware and origin data into the "SpyNet" webservice.  The URL Reputation Service for SmartScreen anti-malware works with the data from that webservice to block malware distribution points caught by Defender.

    @RichB: Framebusting JavaScript has known weaknesses in every browser, which is why the anti-ClickJacking feature was added. As noted here: http://blogs.msdn.com/ie/archive/2009/02/02/birth-of-a-security-feature-clickjacking-defense.aspx, "fundamentally frame breakers were never meant to be ClickJacking mitigations. If you don’t design something to prevent a security vulnerability, odds are that it doesn’t do a very good job of doing it accidentally."

    @Hype: The editorial is missing the point: SmartScreen is about blocking socially-engineered malware.  IE8 includes myriad defenses against attempted drive-by exploits, including Per-Site AX, AX Opt-in, DEP/NX, and general code-quality improvements.  

    As noted in this post, the user’s willingness to install malicious code is the weakest link in the system, and this is what SmartScreen aims to address.

    @hAl: Yes, SmartScreen is intended to block phishing and malware, not advertising.  Generally, the InPrivate feature was designed to scale to large block sets.  Clearly, there’s a tradeoff in that the filtering code will incur a cost, but if *any* network request is avoided due to the filtering, it’s likely that overall performance of the page will improve.

  11. Anonymous says:

    Just out of curiosity, I wonder what a study would show about the number of false positives the software vendors show and if these numbers directly correlate to the number of detected malware files.

    Certainly these features were long overdue and warmly welcomed since literally every PC user I seem to encounter is plagued knowingly or unknowingly by malware. I guess this is due to the abysmal 4% catch rate on IE7, the lowest of the low.

    Question though, are these new methods derived from ECMA or W3 standards or emerging standards or are they proprietary implementations of the JScript engine? This is in no way a baited question, just simple curiosity.

  12. Anonymous says:

    EricLaw [MSFT]: Yes, SmartScreen is intended to block phishing and malware, not advertising.  Generally, the InPrivate feature was designed to scale to large block sets.  Clearly, there’s a tradeoff in that the filtering code will incur a cost, but if *any* network request is avoided due to the filtering, it’s likely that overall performance of the page will improve.

    @EricLaw: That’s presuming there would be malware on the page to begin with, otherwise it would only be at cost, though I can’t imagine that anyone with a clue would want to trade a safe computer free of pesky software for a malware infested one at the cost of a few cycles.

  13. Anonymous says:

    If the ads in a website are distributing malicious software, will the whole website be blocked or is it just the ads that will be blocked?

    What happens if a malware turns off the IE8 SmartScreen filters? It doesn’t exactly have the UAC prompts; will Windows Defender alert on the changes? The indicator was removed, so how does a user find out if the IE8 SmartScreen Filter is working properly? What are the chances of the smartscreen filter failing without the user knowing it?

  14. Anonymous says:

    OMG I can’t believe how hard it was to track this down.

    Sites in your IE Restricted Sites list make IE dog slow.

    Since removing hundreds or thousands of them from the Internet Options dialog is impossible because the UI sucks so bad it isn’t funny you’ll need to do a registry hack (e.g. Regedit)

    Step 1.) Quit IE if open.

    Step 2.) Search for keys named: "ZoneMap"

    for any with a sub key called "Domains", completely remove it (because again the Regedit UI sucks (you can’t delete all/multi subkeys), then re-add a new replacement key: "Domains"

    Step 3.) Repeat step 2 as needed for each occurrence of the ZoneMap -> Domains key

    Step 4.) Quit Regedit, restart IE… IE now runs like it’s on Jet Fuel!

    Note: this does re-expose you in terms of letting you pass any drive-by sites that IE will now let you access but at least IE is NOW USABLE!!!

    Awesome! I’m so stoked that IE is actually usable now!

  15. Anonymous says:

    @totally fixed now,

    You can also use ZonedOut by http://www.funkytoad.com to remove ALL (thousands or hundreds) restricted site entries without the need to use Registry Editor in Windows.

  16. Anonymous says:

    Hi i have a problem in Windows Vista Ultimate.

    I have found out that the function "mixing" in the right corner in the sound icon does not show the name of the web page in ie8. So you can mute the sound individually for each website or tab. This could be done in ie7. Can you fix that in ie8.

  17. Anonymous says:

    @Jeffrey: I’m not sure what you’re trying to say vis-a-vis advertising.  SmartScreen is not an adblocker, nor is it intended to be.  Similarly, InPrivate Filtering is not an adblocker, although hAl points out that it could be configured to behave like one.

    As noted in the blog, IE7 didn’t attempt to block malware; Windows Defender (on Vista) was not a part of that weighting.

    postMessage is a standards-based HTML5 feature.  Native JSON support is an ECMAScript 3.1 feature.  ToStaticHTML was a Microsoft innovation that others are free to implement.  XDomainRequest was proposed for standardization to the W3C.

    @Vega: If a page is delivering malware, that page will be blocked.   We do not block only the subdownload because that could allow a bad site to detect the blocking and flip to another attack.

    Malware cannot turn off SmartScreen Filter unless it’s already running on your computer with full user permissions; once it’s already installed and running with full user permissions, it need not bother with SmartScreen, since it’s already installed!

    @totally fixed now: IE8 includes significant measures to combat drive-by sites, including DEP/NX, Per-Site AX, AX-OptIn, and Protected Mode.

    @All: On March 31st, NSS is doing a live webinar about how they did the malware test.  It will be live (March 31) and archived.   The archive will be available on the URL that is advertising the webinar http://nsslabs.com/events/webinar-web-browser-protection-against-web-malware.html.

  18. Anonymous says:

    the smart filter thing never stays on for me please fix it i always have to turn on every time.

  19. Anonymous says:

    @Tony: Please be specific about how exactly you are turning on the SmartScreen filter?  

    Are you really asking about InPrivate Filtering (which is the lock down in the status bar, unrelated to SmartScreen)?

    thx!

  20. Anonymous says:

    Just have a look at how IE fares on geek sites like OSnews. http://www.osnews.com/story/21172/A_Look_at_Browser_and_OS_Stats_for_OSNews If you really support a very broad spectrum of W3C recommendations and draft standards as well in IE9, IE may get back the lost marketshare. It’s a continuous downward trend otherwise from here.

  21. Anonymous says:

    If you argue that most visitors to such sites are Linux geeks, just see how dominant and successful Windows is there, especially Windows XP.

  22. Anonymous says:

    Hey Eric, I applaud Microsoft’s efforts in combating malware using SmartScreen filter in IE8 but I do hope we don’t stop there. I love IE8 and I even think it’s faster than Firefox. Great job guys, more power and I do hope I see more safety features in IE9.

  23. Anonymous says:

    @hAl: one of the best ways to block ads is before the browser: with a proxy.

    Try Squid 🙂

    If you only want to block domain names, you can probably do like Spybot : adding the domain names to the hosts file.

  24. Anonymous says:

    IE is the worst browser in the world… firefox and opera are better and faster…

  25. Anonymous says:

    FFFTW: Which of the tests in ACID3 actually tests something that has personally caused you problems as a web programmer?   Contrived "tests" which are deliberately intended to find corner cases which don’t work (as ACID 3 is) are far less useful than real sites.

    LinuxFan: Yes, it is not surprising that IE is not popular on a site with 41% share for Mac and Linux, considering that IE isn’t available for either platform.  Of course, IE has approximately 70% share in the real world that most of us live in.  🙂

  26. Anonymous says:

    IE I do not find good. Mozilla Firefox is better and safer.

  27. Anonymous says:

    Jack, if you want to be a troll here, you’ve got to do better than that!

  28. Anonymous says:

    "Jack, if you want to be a troll here, you’ve got to do better than that!"…LOL

    yeah Jack you gotta hit ’em harder, it’s not difficult, just point out all the areas of fail surrounding IE8

  29. Register says:

    Beautifully done! Please start bugfixing so we see these bugs fixed in the next few weeks, before you start working on IE9.

  30. Anonymous says:

    I do not see MS trying to refute these claims of IE8 being considerably easier to hack than what was the general impression after following this blog.

    http://blogs.zdnet.com/security/?p=2941

    "The technique he used works against IE but not Firefox.  It allows you to place code in a specific spot in memory.  Mark Dowd and Alex Sotirov talked about this at last year’s Black Hat.  You can use a technique to make .net not opt into the mitigations and jump over hurdles easily.  With Firefox, you can’t do that.

    For all the browsers on operating systems, the hardest target is Firefox on Windows."

    I have a really hard time believing Firefox is better protected but I remember last year there was some paper saying the .NET loader had some issues and this makes it sound like they might not be fixed yet?

    "I have a Chrome vulnerability right now but I don’t know how to exploit it.  It’s really hard.  They’ve got that sandbox model that’s hard to get out of.  With Chrome, it’s a combination of things — you can’t execute on the heap, the OS protections in Windows and the Sandbox."

    The article is also inferring that Chrome has additional security compared to other browsers and there are other news sites writing things saying just that and pointing to this zdnet interview.

    I’d like to see MS refute the claims or face that all the IE8 security hype may go down the drain.

  31. Anonymous says:

    @zzz

    That interview shows mostly that Charlie Miller was not aware that for the IE8 final the exploit method by Dowd and Sotirov has been fixed.

  32. Anonymous says:

    zzz, I’m sure MS has learned that it’s pointless to try to correct the inaccuracies in stories that are published in the media when those stories are specifically written with dramatic headlines (rather than correctness) in mind.

    Firefox, you might remember, DID fall at the pwn2own contest, but it fell on Mac (which is the real loser at the contest).  On Windows, Firefox/Chrome uses dep/NX and ASLR, like IE does.  All three browsers help prevent this type of attack from succeeding on Windows.  (As hAl points out, the dep bypass that was used at the contest doesn’t actually work in the version of ie that was released.)

    Even then, the design of the contest is pretty flawed because it treats all potential code execution flaws as equal.  Both IE and Chrome run with restricted rights (called "sandboxing" in Chrome and "Protected Mode" in IE.)  But Firefox has neither, meaning that if the bad guy DOES manage to bypass dep and ASLR, they get to run with full user permissions and trash the machine.

    Chrome’s sandbox is somewhat better than IE’s (it prevents "read" of the system) but also somewhat worse than IE’s (it runs plugins like Flash outside the sandbox with full trust).

    While some note that Chrome didn’t fall at the contest, it’s also worth remembering that no one bothered to try, which does /not/ necessarily mean that it would have been hard to do so but rather that picking on targets like Safari (which got hacked twice) was simply easier.

    The story here that zdnet and others should have written is that Windows browsers are simply safer than Mac browsers because they have protections like ASLR and dep.

    Having typed all that, the /real/ point of all of this is that these types of "drive by"/"backdoor" attacks are not really very common.  Much more common is when users get suckered into downloading malicious "through the front door" because soc. engineering is really effective.  And MS’ point with this blog post is that social eng. attacks are far less likely to be successful in IE because smartscreen is better than the competition.

    But that’s not the story you’ll read in the media because it’s a boring headline, and boring headlines don’t sell ads.

  33. Anonymous says:

    @zzz: "For all the browsers on operating systems, the hardest target is Firefox on Windows": you understand this means that Firefox is a security breach, do you?

  34. Anonymous says:

    ok I have Vista and downloaded vista version and i guess it. I don’t work! Here is the message:

    This installation does not support your system architecture (32/64bits).

    So what now??????

  35. Anonymous says:

    @Vanoie Ball: do you have Vista 32 or 64 bits?

    Which version of IE8 have you downloaded: 32 or 64 bits?

    You have to download the correct version for your OS.

  36. Anonymous says:

    @Vanoie: If you are running the 64bit version of Windows Vista, you must download the 64bit package of IE8.  (Note that this will also install the 32bit version as well).

    You can determine if you’re running the 64bit version by visiting this page in IE: http://www.enhanceie.com/ua.aspx.  If your user-agent string (in red) contains tokens like "Win64" or "WOW64", you need the 64-bit version.

  37. jjb2009 says:

    I’m confused: I have IE8 _and_ McAfee Siteadvisor. I like that it warns me with a red X that a site has dangerous downloads, or is linked to dangerous sites. Can SmartFilter do this?

    Also, a lot of the sites that McAfee reports as downloading "Red" (malware) come up with no peep from SmartFilter. When I "Check this website" the SmartFilter says everything is fine?!

    So, how do I know SmartFilter is REALLY working? I’d gladly junk McAfee Siteadvisor (yeah, yeah, the more "layers" the better but there is a performance hit).

  38. Anonymous says:

    @jjb2009: SmartScreen blocks navigation to (and downloads from) known-malicious sites.

    Note that McAfee’s feature works differently than ours.  A key goal for SmartScreen is that false positives must be as low as possible.

  39. jjb2009 says:

    I wondered. I found a half dozen of their most dangerous sites (known to download malware, Mcafee said). Entered in IE8 and . . . SmartFilter does nothing! Of course, I wasn’t infected with malware either so perhaps Mcafee has a LOT of false positives??

    An explanation of the difference or a FAQ might help because I know lots of people who use Mcafee siteadvisor on IE and FF and you can’t persuade them SmartFilter takes care of the job — and I’m still fuzzy on the difference. Mcafee claims it does an actual crawl of sites??

    Pat on the back:

    I read Paul Thurrott’s review of IE8 — it made him switch from FF to IE8, something I have done since you went official. It’s like a new Microsoft! Perhaps I won’t have to spend all my time having to search for "things MS can’t do" — there is less and less these days. (Total digression: No idea why Apple or MS don’t have something like Clipmagic clipboard extender?).

  40. Anonymous says:

    @jjb2009: Please feel free to email me any examples; I’m happy to investigate.

  41. Anonymous says:

    The sixth edition of the Security Intelligence Report (SIR), Microsoft’s semi-annual report on the state