SmartScreen® Application Reputation – Building Reputation

With the Internet Explorer 9 (IE9) beta in September we introduced IE9's new application reputation feature, and more recently we provided a summary of how this fits into the overall layered approach to security. With the final release of IE9 now available, we want to share some additional information about application reputation, clarify how code signing affects the IE experience, and reiterate industry best practices that application developers should consider.

SmartScreen Application Reputation is a consumer-focused safety feature that helps consumers make better decisions about the programs they download. Downloads are automatically assigned a reputation rating based on multiple algorithms that consider many objective criteria, such as antivirus results, download traffic, download history, and URL reputation. If a user opts into enabling the SmartScreen Filter, application downloads without established reputation result in a notification (see below) warning that the file may be a risk to their computer.

From this notification, users can choose to delete the file or to ignore the warning and run the downloaded program. For the typical user, running a download that triggers this warning carries a 25% to 40% chance of malware infection. We have been building reputation for some time now, and approximately 90% of all application downloads already have established reputation by hash or digital certificate, so for the typical user this notification is an infrequent experience, and one associated with a higher risk of malware infection. To put the scale of this risk in perspective, approximately 7% of all executable files downloaded by Internet Explorer are later confirmed as malicious. A portion of these attacks are prevented by blocklist solutions such as SmartScreen URL reputation or antivirus products. Unfortunately, no blocklist-based solution is 100% effective at preventing these attacks. Since Application Reputation was enabled in the IE9 beta release, the feature has greatly reduced infection rates from attacks that were not otherwise detected at the time of download.

Unsigned Download – IE9 Application Reputation Notification
Screen shot of the IE9 application reputation notification with an unsigned download.

Signed Download – IE9 Application Reputation Notification
Screen shot of the IE9 application reputation notification with a signed download.

How programs are identified in IE9

A download’s Application Reputation is assigned by:

  • a hash of the downloaded file
  • the digital certificate used to sign the file (if signed)

The file hash is an exact identifier for the specific file downloaded. If any part
of the application changes, the program identity (file hash) will also change. An
unsigned application that is updated regularly (e.g. unsigned daily builds) will
appear as multiple distinct programs that will have to build reputation individually.

Reputation is also generated for digitally signed downloads based on the digital
certificate used to sign the file. Digital certificates allow reputation to be assigned
to a single identity (digital certificate) across multiple files. If you are not
signing your programs, reputation will be built independently for each file you
distribute. In contrast, signed programs may inherit the reputation of your digital

Why Sign Your Code?

For developers distributing applications online, signing your code is not required to establish reputation, but it is highly recommended. Code signing is an industry best practice that allows consumers to authenticate that files signed by a publisher are actually from that publisher. Signing also ensures that any tampering with a file while it is stored on a server or during the download process is detected, because the signature will no longer verify. Without a digital signature, there is no way for a user to validate who actually created the file, and this gap is commonly exploited by malware authors in their social engineering attacks.

Of course, the presence of a digital signature alone does not ensure a download
is non-malicious. Digitally signing your application is not a guarantee that your
download will have established reputation immediately, but can play an important
part in ensuring that your applications receive the reputation they deserve.

Note that even if SmartScreen® Filter is disabled, users will be warned before unsigned
applications are run:

Internet Explorer 9 – Unsigned File Notification
Screen shot of the IE9 notification of an unsigned download when SmartScreen filtering is disabled.

Best Practices for Application Developers

There are several industry best practices an application developer can follow to help establish and maintain reputation for their applications:

  • Digitally sign your programs with an Authenticode signature.
    • Obtain a valid Authenticode code signing certificate from one of the many certificate
      authorities (CAs) supported by Windows.
    • Use your development tools to sign your applications prior to distribution.
    • For more detailed information and a step-by-step description of the code signing process, see Eric Lawrence's excellent post Everything you need to know about Authenticode Code Signing.
  • Ensure downloads are not detected as malware. Downloaded programs that are detected and confirmed as malware
    will affect both the download's reputation and the reputation of the digital certificate
    used to sign that file.
  • Apply for a Windows Logo. To learn more about the Windows Logo visit the
    Windows 7 Logo Program
    page on MSDN.
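The following PowerShell script is an added example, not code from the IEBlog post or from the SmartScreen team. It illustrates the two identities described under "How programs are identified in IE9" (the per-file hash and the per-publisher signing certificate) and the first best practice above (signing with an Authenticode signature before distribution). It assumes the files exist locally, that signtool.exe from the Windows SDK is on the PATH, and that the certificate subject name and timestamp URL are placeholders you replace with your own. SHA-256 is used here for illustration only; the post does not say which hash algorithm SmartScreen uses internally.

```powershell
# Added example (not from the IEBlog post): show the two identities that
# SmartScreen Application Reputation keys on, the file hash and the signing
# certificate, and sign a build with signtool.exe from the Windows SDK.
# Assumptions: files exist locally, signtool.exe is on PATH, and the
# certificate subject name and timestamp URL below are placeholders.

function Get-DownloadIdentity {
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($file in $Path) {
        # Per-file identity: any byte change in the build yields a new hash,
        # which is why unsigned daily builds each start with no reputation.
        # SHA-256 is an illustrative choice; the post does not name the algorithm.
        $hash = (Get-FileHash -Path $file -Algorithm SHA256).Hash

        # Per-publisher identity: the Authenticode signer certificate, which
        # stays the same across releases and so can carry reputation forward.
        $sig = Get-AuthenticodeSignature -FilePath $file

        [pscustomobject]@{
            File        = Split-Path $file -Leaf
            Sha256      = $hash
            Status      = $sig.Status                       # Valid, NotSigned, HashMismatch, ...
            Signer      = $sig.SignerCertificate.Subject    # $null when unsigned
            Thumbprint  = $sig.SignerCertificate.Thumbprint
            TimeStamped = [bool]$sig.TimeStamperCertificate # $false if no countersignature
        }
    }
}

function Invoke-AuthenticodeSign {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$SubjectName,          # CN of your code-signing cert
        [string]$TimestampUrl = 'http://timestamp.example/'  # placeholder: your CA's RFC 3161 service
    )
    # /fd  file digest algorithm
    # /n   select the certificate in the user store by subject name
    # /tr  RFC 3161 timestamp server, /td its digest algorithm. The timestamp
    #      keeps the signature verifiable after the certificate itself expires;
    #      omitting it is the classic mistake that breaks old releases later.
    & signtool.exe sign /fd SHA256 /n $SubjectName /tr $TimestampUrl /td SHA256 $Path
    if ($LASTEXITCODE -ne 0) { throw "signtool failed for $Path (exit $LASTEXITCODE)" }
}

# Usage (paths are placeholders):
#   Two builds of the same unsigned program show two different Sha256 values
#   and Status = NotSigned, i.e. two separate reputations.
# Get-DownloadIdentity -Path .\build-0301\setup.exe, .\build-0302\setup.exe
#
#   After signing, Status = Valid and both builds share one Thumbprint, the
#   identity that accumulates reputation across releases.
# Invoke-AuthenticodeSign -Path .\build-0302\setup.exe -SubjectName 'Contoso Ltd'
# Get-DownloadIdentity -Path .\build-0302\setup.exe | Format-List
```

Two checks worth running before shipping: Status must be Valid (HashMismatch means the file was modified after signing, which is exactly the tampering case the post describes), and TimeStamped should be true, otherwise the signature, and with it the certificate-based reputation, stops verifying on the day the certificate expires.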


Thanks for your help in ensuring a safer, more streamlined download experience for consumers.

—Ryan Colvin, Program Manager, SmartScreen

Comments (25)

  1. Björn says:

    Just wondering, if the message box text is the same for signed and unsigned downloads can screen-reader users differentiate what is what?

  2. tuxplorer says:

    IE7 which debuted with the Phishing Filter was very slow at checking web pages and often caused delays in page loading. IE8 improved so much upon the speed with the SmartScreen filter that all website checking was instantaneous. With IE9, my downloads are taking several seconds (10-15) after they complete while "running security scan". I cannot disable the Application Reputation feature without disabling SmartScreen? Why is it so slow in checking downloaded files?

  3. Xepol says:

    What a HUGE pile of BS.   Are you people even vaguely thinking?  If not being downloaded frequently is enough to get a red flag, you are going to be quashing a LOT of new applications from small and amateur developers without cause.  Sooner than later someone is going to complain, lawyers are going to get involved and phrases like anti-trust are going to start flying around.

    This feature should not even exist – it only creates FUD where none should be.

  4. Amper says:

    We have brand new application, signed, not marked as malware and we can't apply for logo because it is IE extension.

    With this "nice" feature there is no way to make it more commonly downloaded because IE is forbidding them to be commonly downloaded.

    And I am sure that lot of malware apps can be downloaded without problems now.

    So this looks more like a market share keeper 😀 Firefox 4 ? Not commonly downloaded. Brand new browser app ? Not commonly downloaded. Different toolbar than Bing ? Not commonly downloaded.

    I suppose that accountants in Microsoft really like this feature

  5. ZippyV says:

    Firefox doesn't allow applications to be run immediately after downloading either but when IE does the same thing it's suddenly a problem. In fact, I just tried downloading Firefox 4: I clicked the link to download, clicked Execute and when the download finished the setup started automatically. In IE8 I would have gotten another warning and in Firefox I would have had to manually locate the application and execute it.

    It looks like IE9 made this process simpler for trusted files and on par with other browsers for untrusted files.

  6. KS says:

    "not commonly downloaded" is indeed a misnomer. I and many others download *mostly* freeware or open source programs. None of these are signed or will be signed in the future. Most of them get updated frequently. There is no way for them to gain "reputation". Did it ever occur to Microsoft that developers that do not make money from their program (or only to a certain degree) will not be able to sign their programs? AFAIK there's not yet a Microsoft sanctioned CA included in Windows that provides code-signing certs for free. If you want to spread code-signing then provide a means for freeware and open-source developers to sign their code for free.

  7. ZippyV says:

    @KS, code signing is not required to be able to download an application. It's just to verify that the application wasn't tampered with by anyone else.

  8. johnnyq3 says:

    In the IE9 final, it seems that it opens up zip folders automatically instead of prompting me to save them if I click them instead of right clicking and save target as.

  9. Walter says:

    So if I distribute android and blackberry and whatever other apps and iso's that users can download from their browser to side load on devices etc. They will all be flagged as malicious downloads because they are not apps signed for windows!?!?!?!?

    What a total Epic Design Failure!

    The Web is not Windows!!!!

  10. Parrotlover77 says:

    Since Windows warns you about an app being unsigned with a big angry red "X" why does IE need to do this as well?  I suppose the MS answer will be defense in depth, and I can't say I necessarily disagree with the argument, but it does run me the wrong way that hobby developers are yet again being pinched.  Authenticode signatures are not cheap.  If you develop free software, you have no revenue with which to apply for one.  Windows Logo testing is cost prohibitively expensive, even for shops that DO make a profit unless they are top tier.

    This sort of feels like a bunch of big companies pinching the small developers.

    And, I must admit, I don't actually have a better solution, and there definitely is a problem.  I'm just concerned that this solution may cause more harm than good.

    @Walter – In my experience thus far, only *.MSIs and *.EXEs are flagged this way, so unless you use those extensions for your Android and Blackberry apps, you have no reason to worry.

  11. clocky says:

    So far I've had this block my downloading Firefox, Opera AND IE9.  Makes me long for the days when Microsoft just flat out didn't care about security.

  12. Si55y says:

    love the new notifications i feel much safer

  13. alex_sunny says:

    We are an independent software vendor. Our tax software has been Canada Revenue Agency (CRA) certified for the last 8 years and our software/website is listed at the Canada government website. Our website includes a digital website seal issued by Thawte.  (We can change it to the website seal of VeriSign if necessary.)

    In IE9, when customers download the software from our website, SmartScreen Filter of IE9 shows warning message recommending users not using our software. As we try to bring in new customers, the warning message becomes a big headache.

    As per an IEBlog below and this blog, apply for a Windows Logo could be helpful.…/stranger-danger-introducing-smartscreen-application-reputation.aspx

    We have got Windows 7 Logo on March 22, 2011. Also, the software is now signed with a VeriSign certificate (used to be a Thawte certificate). But the warning message still shows when downloading. So how long it takes for the warning to go away after we've got the Windows 7 Logo?

    Just in case, if Windows 7 Logo does not help, is there a way to add our website/software to the reputation list of SmartScreen Filter?

    We can pay for the service as long as it works.

    Any help is highly appreciated.

  14. alex_sunny says:

    My fault.

    When I tried the download at a later time, there was no more warning message in IE.

    So applying for the Windows 7 Logo does help.

  15. frank-e says:

    If you want me to "sign" about a dozen ZIP-archive to simplify your reputation magic offer free developer certificates for this purpose and a simple tool to add some kind of signature to a ZIP. Otherwise I'll assume that your download hashes are good enough – I won't test "smartscreen" on my box for privacy reasons.

  16. SkipSailors says:

    My thoughts are that it is good that IE9 offers better protection against malware, but that it is unfortunate that vendors feel out of control of the process.  Application Reputation is to vendors who offer downloads as a credit report is to a consumer trying to get a loan for a car.  If my credit report has inaccurate information, I am allowed, encouraged, even, to review the information and prompt the credit agency to make corrections.

    I have not yet discovered similar remedies for my applications' reputations.

  17. Andrew Constant says:

    I had a call today from an existing customer. He had downloaded an update and called to ask if I 'knew it had become infected' as Windows was warning him that it contained a virus.

    This is precisely the impression that I thought users would get, please Microsoft, sort this out.

    Because of the message that reads 'Performing security scan…' he believed that Windows was scanning the installer and was reporting an actual virus within it.

    He also thought that the 'actions' button would lead to options to report or heal the infection. When I asked him to click actions and select run anyway, it took several prompts for him to see the drop-down section.

    We have a serious problem in that our downloads are regularly updated and we can't apply for a Windows 7 logo because part of our application is a browser add-on.

    Microsoft need to employ another method to verify downloads other than a hash of the downloaded file. A verified download folder would be an answer.

    I have serious and grave concerns that this move will damage my business and my program's reputation. Which I have already emailed to CS at MS.

    Andrew Constant

    AiMCo Software

  18. Andrew Constant says:


    What do you mean by 'sign' a dozen ZIP-archives?

    What will that do?

  19. Andrew Constant says:

    I have a workaround for the regular updates, by creating a stub installer that downloads the main installer.

    This isn't ideal as that is then subject to firewalls that may or may not allow it to download the main installer.

    Andrew Constant

    AiMCo Software

  20. Andrew Constant says:

    "SmartScreen Application Reputation is a consumer focused safety feature that helps consumers make better decisions about the programs they download"

    No it doesn't. The user is made to feel they will be installing a damaging program if they ignore the suggested actions.

    The more I read about what application reputation is supposed to do, the more I think it should have been named 'APPLICATION REPUTATION DESTROYER'.

    Andrew Constant

    AiMCo Software

  21. atu says:

    Yes SmartScreen sucks. Like UAC did in Vista and 7.

    Signing should be free. Why I have to pay a fee in order for my desktop application to be pimped up by IE9?

    Screw this. People will be better off downloading it using Firefox or Chrome.

  22. tuxplorer says:

    The download manager is officially an abomination for me. Microsoft can't create a decent download manager now? Downloads get stuck at 99% or 100% forever "running security scan…". There's no way to opt out of the reputation-based downloading without also disabling the SmartScreen filter. Even after disabling SmartScreen, the downloads get stalled at 99%. PDF files get stalled? And when I ask in the forums, they blame it on addons? I don't have any addons installed. Very disappointing.

  23. jjmp says:

    Downloads on my Win7 Ultimate X-64 SP1 PC with IE9 RTM hang at 99% downloaded and 1 second left. If I cancel the download and rename the .partial file the download is usable. Pls fix.

  24. Andrew Constant says:

    I'm still not getting any feedback from MS about the issue I have raised here and through Customer Services. Is it your intention to destroy small businesses too?

  25. Brad C says:

    I don't understand the encouragement to apply for the Windows 7 logo to help establish and maintain an application's reputation.  The Windows 7 logo is not available to browser plug-ins.  So how is this applicable?