“Stranger Danger” – Introducing SmartScreen® Application Reputation


When we released the IE9 beta about a month ago, we talked about the importance of trust and confidence when working with downloads. Today, we are enabling the SmartScreen application reputation service to improve download protection for IE9 beta users. This feature works together with the SmartScreen anti-malware service that protects IE8 and IE9 beta users every day.

You can experience the protection of the SmartScreen application reputation service yourself by ensuring SmartScreen is enabled. Just click the Tools Button | Safety | Turn on SmartScreen Filter menu item, then choose Turn on SmartScreen Filter in the following dialog.

What is SmartScreen application reputation?

In the course of daily browsing, many consumers see warnings that say “This type of file may harm your computer” when downloading files. This warning may be accurate in some sense, but it is not helpful or relevant for the vast majority of internet downloads. Most consumers are accustomed to just ignoring this warning since it is shown when downloading almost any file from the web.

With IE9 we looked at ways to improve our malware protection overall and the experience consumers have with downloads. We had two primary goals in mind to help consumers make better trust decisions when downloading programs from the web:

  • Show more useful warnings when a program is a higher risk
  • Reduce the number of generic, unhelpful warnings consumers see when downloading programs

In analyzing software downloads actively in use on the internet today, we found that most have an established download footprint and no history of malware. This was the genesis of SmartScreen application reputation. By removing unnecessary warnings, the remaining warnings become relevant.

What does this mean for consumers?

With SmartScreen Application Reputation, IE9 warns you before you run or save a higher risk program that may be an attempt to infect your computer with socially engineered malware. IE9 also stays out of the way for downloads with an established reputation. Based on real-world data, we estimate that this new warning will be seen only 2-3 times a year for most consumers, compared to today, where there is a warning for every software download.

Why is this approach necessary?

The key challenge with malware on the internet is that attacks are fast moving and quick to change. Application reputation matters because it acts as an early warning system. There is latency between the outbreak of an attack and when it is detected and blocked, and consumers today are unprotected during that time. Think of this new warning as “stranger danger” – it’s an early warning system for undetected malware. No antivirus or protection technology is perfect; it takes time to identify and block malicious sites and applications. Blocking after detection is still an important strategy, but there remains a gap between the start of an attack and when it is detected and blocked. IE9 SmartScreen application reputation fills that gap.

How does this work?

When you download a program in IE9, a file identifier and the publisher of the application (if digitally signed) are sent to a new application reputation service in the cloud. If the program has an established reputation, there is no warning. If the file is downloaded from a reported malicious site, IE9 blocks the download, just like IE8 does. However, if the file does not have an established reputation, IE lets you know in the notification bar and download manager, enabling you to make an informed trust decision.

Application reputation warning in the notification bar (top) and the Actions dialog (bottom)

See how it works

You can try it out for yourself. Linked below are two identically named files, one with established reputation and one that is unknown to our service. Without application reputation, it is difficult to tell which download has established reputation and which is uncommon and a higher risk to your computer and information. Download each with IE9 to see the SmartScreen application reputation experience in action.

Are all ‘uncommon’ programs malicious?

Not all uncommon programs are malicious, but the risk in the unknown category is significantly higher for the typical user. Application reputation is intended to provide context and guidance for those who need it, especially if the warning is unexpected. Like SmartScreen in IE8, this is an opt-in service and can be easily disabled in the Tools menu, but this is not recommended.

Note to application developers:

Downloads are assigned a reputation rating based on many criteria, such as download traffic, download history, past antivirus results and URL reputation. Reputation is generated and assigned to digital certificates as well as specific files.

As an application developer, there are industry best practices that will affect your download’s reputation. To help establish your application’s reputation, consider doing the following:

Digitally sign your programs with an Authenticode signature

Reputation is generated and assigned to digital certificates as well as specific files. Digital certificates allow data to be aggregated and assigned to a single certificate rather than many individual programs.

Ensure downloads are not detected as malware

Downloaded programs that are detected and confirmed as malware will affect both the download’s reputation and the reputation of the digital certificate.

Apply for a Windows Logo

To learn more about the Windows Logo visit the Windows 7 Logo Program page on MSDN. This is a free process for signed programs that can help establish reputation for your download.
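The post says reputation is keyed on two identities: the individual file and the specific Authenticode certificate that signed it. The following PowerShell script is an added example (not from the post or the IE team) that inventories a release folder the way a developer might before publishing, so you can see which files would be judged on their own and which roll up to a certificate's reputation. It assumes SHA-256 as a stand-in for the unspecified "file identifier", and the folder path and file masks are placeholders.

```powershell
# Added example, not from the IEBlog post. Reports, per file, the two identities the post
# says reputation is keyed on: the file itself (SHA-256 here; the post does not say which
# identifier is sent) and the Authenticode signing certificate (specific cert, not the issuer).
param(
    [string]$ReleaseDir = 'C:\Release',                 # placeholder path
    [string[]]$Masks    = @('*.exe', '*.dll', '*.msi')  # placeholder masks
)

function Get-ReleaseSigningReport {
    param([string]$Dir, [string[]]$Include)

    Get-ChildItem -Path $Dir -Recurse -File -Include $Include | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File        = $_.FullName
            Sha256      = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            Status      = $sig.Status   # Valid, NotSigned, HashMismatch, NotTrusted, ...
            Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject }    else { $null }
            Thumbprint  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
            CertExpires = if ($sig.SignerCertificate) { $sig.SignerCertificate.NotAfter }   else { $null }
            Timestamped = [bool]$sig.TimeStamperCertificate
        }
    }
}

$report = Get-ReleaseSigningReport -Dir $ReleaseDir -Include $Masks

# 1. Unsigned or broken signatures: these files can neither draw on nor build
#    certificate reputation, so each one stands alone on its own file history.
Write-Host "Files without a valid Authenticode signature:"
$report | Where-Object { $_.Status -ne 'Valid' } |
    Format-Table File, Status -AutoSize

# 2. Files grouped by signing certificate thumbprint. Per the post, everything
#    under one thumbprint shares (and contributes to) that certificate's reputation.
Write-Host "Valid signatures, grouped by signing certificate:"
$report | Where-Object { $_.Status -eq 'Valid' } |
    Group-Object Thumbprint |
    Select-Object @{n = 'Thumbprint';  e = { $_.Name }},
                  Count,
                  @{n = 'Signer';      e = { $_.Group[0].Signer }},
                  @{n = 'CertExpires'; e = { $_.Group[0].CertExpires }} |
    Format-Table -AutoSize

# 3. Caveat: a signature with no countersignature timestamp stops verifying once the
#    certificate expires, so these files would later be judged as unsigned.
Write-Host "Valid but not timestamped:"
$report | Where-Object { $_.Status -eq 'Valid' -and -not $_.Timestamped } |
    Format-Table File, Signer, CertExpires -AutoSize
```

Run it from a Windows PowerShell session on the machine holding the release build; nothing is sent anywhere, it only reads the files and their embedded signatures.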

We are extremely excited to enable this feature today for our IE9 beta users. We’re investing heavily in the intelligence powering this feature, as well as improving our existing malware and phishing protection. We think this new approach is an essential companion to the existing SmartScreen features and represents our continued commitment to protecting users.

Ryan Colvin
Program Manager, SmartScreen

Comments (25)

  1. Snowknight26 says:

    You know, it's funny. I go to download a recently-released Java update and some other program from AMD's website and both times I get greeted with the '<file> is not commonly downloaded and could harm your computer' notification. Not commonly downloaded? I wonder why that could be. Either way, now having to make an extra click on Actions (hoping to open the folder containing the two downloaded files), I see that 'Open folder' is nowhere to be found, only the incorrectly recommended 'Delete' and 'Run anyway'. Now I have to manually navigate to the folder.

    *Disables SmartScreen*

  2. josheinstein says:

    As an independent ISV I hope someone will work on the wording before IE9 is released. I think it's a good idea but what is "commonly" downloaded? I mean just think of all the MSFT downloads that would display this warning (though I'm sure all Microsoft signed downloads will be exempt.)

    It'd probably be less confusing to just keep on displaying the same warning as usual but skip it or show some kind of "Known Safe" green stamp for well known apps.

  3. Kitten says:

    This just begs the question, "How does Microsoft know what people are downloading?" Is Microsoft logging user's download activity and creating some repository for analysis and comparison? This also seems to insinuate that if a large scale malware attack/distribution occurred and people were downloading (inadvertently of course) malware, the user wouldn't get a warning at all prior to downloading malicious files that seem to be common downloads.

  4. UI FAILURE says:

    It is still a total UI FAILURE to put messages that you want a user to pay any level of attention to at the bottom of the screen with no animation when displayed. a.) they should animate slightly and b.) they should be at the top. Many years of UI research have proven this.

  5. Don't let this be Vista UAC all over again! says:

    Don't want popups asking me to do something over and over & confirming my actions. SmartScreen works best when you blacklist known vulnerabilities. You should be able to work with partners such as OpenDNS to build a safe network approach. I also agree with the other posts that I follow lots of monthly releases of drivers from companies like AMD as well as updates to shareware/freeware. The last thing these organizations need is a browser potentially warning clients the software they download is risky 🙁

  6. alvatrus says:

    Vista's UAC has done more for security than any other measure in the Windows lifecycle. So, yes please… Bring it on!

  7. justuser says:

    What about IE9 beta-2?

    And what about supporting W3C Widget – dev.w3.org/…/widgets ?

  8. jayp says:

    Great to see understandable prompts / messages for the user. Looking forward to the full IE9 release.

    One thing I really miss from Chrome, though, is 'paste and go' as a right-click option when copy & pasting URLs. That would be superb in IE9.

  9. elm says:

    Please send this back to around 2002 when it was really needed.  Oh, I forgot.  No Internet Explorer team existed then because Microsoft didn't see the point in improving it at all.  Thank God for Firefox.

  10. mary branscombe says:

    lots more detail on how and where the reputations are generated, please!

    @jayp the Open and preview accelerator in IE8 works in IE9; select the URL, click on the blue blob and choose open in new tab – then you don't have to copy it; install from http://www.ieaddons.com/…/Open_URL_in_New_Tab_with_Preview

  11. RyanCol [MSFT] says:

    @SnowKnight26

    Thanks for the feedback on the open folder workflow via the notification bar, we'll take a look at that. Right now you need to go to the download manager (CTRL+J) where 'open containing folder' is in the right-click context menu.

    @Josh Einstein

    We're still working on the final wording; thanks for the feedback. Microsoft downloads will display the warning if they have not established reputation; we have no special casing for any company. Your point is valid though in that certs build rep as well as individual programs, so programs signed with a cert that has established reputation will inherit that reputation. ISVs should sign their programs to consolidate reputation to a single identity.

    @Don't let this be Vista UAC….

    One of our goals was to eliminate the recurring, un-targeted warning experience that exists today. Our data shows that the typical user should only see this prompt 2-3 times a year, and the risk of infection when clicking through this prompt is significantly higher. With respect to your other comment, monthly and even daily releases of programs that have established rep will not show this experience.

    @elm

    Malware distribution has grown substantially over the past few years; this feature is a direct response to an understood and large threat web users face today.

  12. Byron says:

    Ryan, that's good stuff to know that you have enough data so the alert isn't the norm!

  13. jayp says:

    When I mentioned paste & go I was referring to pasting into the address bar – sorry, should've clarified. In Chrome, if you have a URL on the clipboard, you can right-click on the address and select 'Paste & Go' – I find it incredibly useful.

  14. bill says:

    ie9 "Open containing folder" will not work.

    IE8 works great.

    That's it, that's the only difference, filescreen on/off doesn't help, in fact the shortcut to the file appears to have something appended to the name such as "hmb2035.partial", when smartscreen is on.

  15. Anna says:

    'Paste & Go' is an Opera feature. It has had it for many years now.

  16. Jake says:

    Which file types does this apply to?

    e.g. If I serve up report content from my Enterprise level, private web applications as downloadable "Excel" files, is this going to hit my users on every single request because the files will ALL be unknown (generated server side) and *.XLS files might contain macros, that might affect the end user's computer?

    If so, is there a way to allow the client to turn off this feature for a domain?… I'm expecting 1,000's of help desk calls if this feature is on by default for all "executable" file-types in private web app environments where files are generated.

    jake

  17. Richard Avila says:

    The Windows Logo Program is complete bullshit. We (= a mid-size ISV with 40 employees) bought the required and highly expensive Verisign certificate, signed up, printed out the required contract, faxed it, and… nothing.

    Microsoft ignored us. We tried contacting Microsoft about the status of the application to apply for a Windows Logo, and again, we were just ignored. If you are going to introduce a completely pointless filtering system, at least stop ignoring small ISVs.

  18. Dan Hite says:

    "Reputation is generated and assigned to digital certificates as well as specific files. Digital certificates allow data to be aggregated and assigned to a single certificate rather than many individual programs. "

    It's unclear to me what exactly is meant by "a single certificate". Do you mean by a specific signing authority or literally the individual certificate that one entity possesses? Will my downloads be treated the same as all other downloads signed with a Comodo certificate (that's what I use) or do you mean that all downloads signed with the ***specific certificate that Comodo issued me*** be treated the same? If so, then I, as a small independent software vendor, am in trouble since I only have a small number of applications in niche markets. Of course, LARGE software publishing houses (like Microsoft) won't be harmed by this policy. Lucky for them…

  19. Kevin I says:

    It would be good to see the IE9 work better to rid itself of the backdoor cookies and such (like Evercookie – http://samy.pl/evercookie/). Supposedly, Safari does well with it, I've tried Google Chrome in incognito and after restarting it, it seems to be secure – but IE9 in InPrivate, after restarting, the site still has its cookie there. It's great we're protecting bad downloads, but the silent tracking tools are getting very prolific and problematic for security.

  20. MikeMS says:

    Have you considered working together with the WinQual team, so that application developers can get notified via existing WinQual mechanisms about their reputation, and especially in case one of their apps is flagged as malicious? In my opinion this would increase transparency and quality, raising the value of both the WinQual and the SmartScreen ecosystems. You could even give a few extra positive points to a signed application that is already known for the sole fact that it was uploaded to WinQual.

  21. BradC says:

    You suggest that developers apply for a Windows Logo as one method of establishing a reputation. But browser plugins are ineligible for the Windows Logo program. Is there an alternative?

  22. RyanCol [MSFT] says:

    @Jake

    Great questions – application reputation is focused primarily on portable executables (such as .exe), which are the file types that most commonly spread socially engineered malware. We also check some other higher risk file types (such as .pif).

    SmartScreen application reputation checks are controlled by the same group policies as SmartScreen URL reputation (a feature in IE7, IE8, and in IE9). SmartScreen can also be customized per security zone (e.g. internet, intranet, trusted sites). To create a list of sites or domains that are not checked by SmartScreen, it is possible to disable SmartScreen for the Trusted Sites zone and then add any site or domain you do not want checked to that zone. Also, these settings and zone lists can be controlled by an administrator via Group Policy for all users. Intranet sites are not checked by SmartScreen with the default settings.

    @Dan Hite

    Reputation is assigned to the specific certificate that a developer or ISV uses to sign their code, not the certificate issuer. It allows our intelligence system to aggregate all reputation for your applications to a single object rather than several distinct ones. If your certificate has established reputation, all existing applications (and any new ones signed with the same cert) will share that established reputation.

    As to how this feature generates reputation and would affect smaller ISVs, please keep in mind our intelligence is not based entirely on download traffic. Download traffic, download history, URL reputation, AV results, etc. are all criteria that our intelligence systems use to generate reputation. Far less than 1% of certs with established reputation are for publishers with very high download traffic. The other 99%+ are for smaller ISVs and developers around the world.

  23. Dan Hite says:

    "Reputation is assigned to the specific certificate that a developer or ISV uses to sign their code, not the certificate issuer. It allows our intelligence system to aggregate all reputation for your applications to a single object rather than several distinct ones. If your certificate has established reputation, all existing applications (and any new ones signed with the same cert) will share that established reputation."

    And when I renew my certificate, am I back to square-one or does my new certificate inherit the reputation weight of my previous expired certificate?

  24. MikeMS says:

    @RyanCol: can you explain the "certs build rep" part in a bit more detail? Are you adding reputation to the legal entity that is the recipient of the certificate, or to the certificate itself, which expires every year? In the latter case you would be, in practice, giving a reputation premium to multi-year certificates (unless your formulas also take into account time).

    See my previous comment about Winqual: the Winqual database is the place where Microsoft knows about all of the certificates of the same entity, both because whenever you change certificate you upload the new signed reference file, and because you upload all your public files there anyway. This is the only way I see where you can overcome the fact that not all entities can be uniquely identified by certificate alone, which would be desirable (to give a unique ID to each company worldwide), but probably isn't always the case (country/state/name are unique for US businesses, but even there you can close one company and then open a new one with the same name, and that should not inherit reputation).

    Mike

  25. MikeMS says:

    @BradC:

    > You suggest that developers apply for a Windows Logo as one method of establishing a reputation.

    No. You can sign up on Winqual independently of any Windows Logos you may want. There are many things you can do once you sign up on Winqual, for example getting crash dump data that helps you understand where you can improve your code. This is why we access and update our Winqual data frequently, much more frequently than getting a new logo every now and then. And this is why Microsoft has all our binaries and digital certificates from the past 10 years. What I am saying is that Microsoft could start using this same information it already has also for reputation purposes.