SmartScreen® Application Reputation in IE9


Social-engineering attacks, like tricking a user into running a malicious program,
are far more common than attacks on security vulnerabilities. Application Reputation
in IE9 helps protect users from these socially engineered malware attacks. This post
offers details about real-world attacks and how these protections work.

For context, recent studies (like
this one
) show that despite the headlines that exploits of software vulnerabilities
get, people browsing the Web are more likely to face a socially engineered attack.
Recent articles (like
this one
) have compared different approaches to protecting people. Application
Reputation is a natural extension of the current protections
introduced in IE7 & IE8
that block phishing sites and sites that
distribute malicious programs
.

The Technology of Socially-Engineered Attack and Defense

User-downloaded malware is a huge problem and getting bigger.

Through the SmartScreen Filter, IE has been
effective
at blocking socially engineered malware attacks and malicious
downloads – IE blocks between 2 and 5 million attacks a day for IE8 and IE9 customers.
Since the release of IE8, SmartScreen has blocked more than 1.5 billion attempted
malware attacks. IE is still the
only major production browser to offer this kind of protection
from socially
engineered malware. From our experience operating these services at scale, we have
found that 1 out of every 14 programs downloaded is later confirmed as malware.

Originally, SmartScreen protection was URL-based. IE7 introduced protection from
phishing attacks by integrating a cloud-based URL-reputation service. IE8 added
another layer of protection, also based on URLs (or Web addresses), to protect users
from sites that offered malicious downloads and used social engineering techniques
(“Run this to watch movies for free, download this security software to clean your
machine, or get great emoticons!”) to get users to download and run them. URL-based
protection from socially engineered malware attacks is an important layer of defense
for consumers today on the Web.

That said, IE9 adds another layer of defense against socially engineered attacks
that now looks at the application being downloaded – this is in addition to the
URL-based protection described above. This new layer of protection is called SmartScreen
Application Reputation. When it comes to program downloads, other browsers today
either warn on every file or don’t warn at all. Neither of these approaches helps
the user make a better decision. Application Reputation also addresses a limitation present
in all block-based approaches that happens at the beginning of new attacks,
before a Web site or program has been identified as malicious.

Using reputation helps protect users from newly released malware programs – pretending
to be legitimate software programs – that are not yet detected by existing defense
mechanisms. Reputation also enables IE9 to remove unnecessary warnings for downloads
with an established positive reputation. Both publishers and individual applications
build reputation. For example, a digitally signed application from a well-known
publisher that has been widely downloaded has a better reputation than an unsigned
application that has not yet been downloaded widely and has just been posted on
a newly created Web site.

Diagram showing the Application Reputation and URL Reputation services working with IE9.

Anatomy of a Real World Attack

Let’s look at how the feature protected actual IE9 users from one particular attack.
The figure shows the download traffic of a very large-scale malware attack (hundreds
of thousands of downloads). Application Reputation warned IE9 users about this malicious
program from the very moment it hit the Web at Hour 0:

Chart of a real malware attack showing malware downloads over time.
Real Malware Attack Traffic & Timeline

Traditional block-based protection (URL-blocking as well as anti-virus) came in
after Hour 11, well after the attack had passed its active period. The download
warning within IE about the lack of an application reputation was the only defense
that users had. 99% of IE9 users who clicked to download this malicious program
chose to delete or not run the program
from the Application Reputation unknown
program warning.

Screen shot of SmartScreen Application Reputation Unknown Program warning notification. src="http://ie.microsoft.com/testdrive/ieblog/2011/May/17_SmartScreenApplicationReputationinIE9_3.png" />
SmartScreen Application Reputation Unknown Program Warning

In this attack, IE9 Application Reputation interrupted the deception of the attack
(which was otherwise very convincing) and most users were able to make a great decision
on their own. This outcome is exactly why we built SmartScreen Application Reputation
into IE9. 99% of users were able to avoid the infection.

This is just one real-world example. Below, we discuss how this trend holds strong
in aggregate. Application Reputation is a game changer for protection against socially-engineered
malware attacks, which is the largest risk on the Web today.

Early Results: Reputation Informs Better Consumer Decisions

From looking at IE9 usage data, starting from the IE9 beta, we see two main patterns:

Dramatic reduction in malware infections for IE9 users

  • Users are choosing to delete or not run malware 95% of the time from the new Application
    Reputation warnings
  • We estimate that Application Reputation will prevent more than 20 Million additional
    infections per month (on top of existing SmartScreen URL reputation blocks)

Streamlined experience that warns only when the risk is high

  • Because programs and publishers can now establish a reputation, 90% of program downloads
    no longer show browser security warnings when users have SmartScreen enabled
  • From our data, the typical user will only see 2 warnings per year
  • On any given day, clicking through the “unknown warning” carries a risk between
    25% and 70% of malware infection

The reputation that applications and publishers build from actual customers is at
the core of how this protection works. Most people would be cautious about buying
something online from a complete stranger. Sites like
Ebay
, Etsy,
Angie’s List
, and Amazon.com show
how people use reputation features to make better trust decisions online.

IE9 applies the concept of community reputation to programs that users download.
From the data we’ve collected about user downloads from the browser, 1 out of every
14 programs downloaded is later confirmed as malware. Consumers need information
to make better decisions.

IE9 uses an application’s reputation to warn customers about downloads that carry
a higher risk because they have not yet established a reputation. More than 50%
of programs lacking a reputation are new to the Web on a given day. On a daily basis,
25% to 70% of programs that trigger an Application Reputation warning in IE9 are
later confirmed as malware. Programs and publishers that have already built reputation
do not show a warning.

Many users rarely or never download programs that don’t already have an established
application reputation. When they do, this warning is critical. Users are more likely
to pay attention to this warning because it appears infrequently. Users can still
choose to download the file. Our data shows that customers are making more informed
choices – taking the time to check the source, or confirm it is something they meant
to download. With SmartScreen Application Reputation, users are doing a much better
job distinguishing between malware and legitimate downloads.

Better Consumer Protection through Data

Our goal is to establish a reputation for the publisher of every program on the
Web so that consumers can have a safer and easier experience downloading them. Leading
up to the IE9 beta, we analyzed billions of downloads and built a continuous model
of application reputation and trust across the Web.

To sustain these coverage rates, we’ve built large-scale, objective intelligence
systems that process billions of pieces of information on a daily basis. These systems
are constantly building out reputation for new and existing applications and publishers.
As of today, there are tens of thousands of publishers and millions of individual
applications with an organically established reputation and we’re adding more all
day, every day.

Sometimes, some users will see warnings for legitimate software that happens to
be new and has not yet established a reputation. From the reports we received from the community, this is a rare exception. A new program from an existing publisher
with an established reputation inherits the publisher’s reputation from that publisher’s
code signing certificate. New publishers can build their code-signing reputation
quickly with every download. Unsigned programs were the cause of 96% of the warnings
that consumers have seen to date. The remaining 4% of warnings came from certificates
previously associated with malware or certificates that were new and are still building
a reputation. Customers can and do make informed choices to click through the warning
when they trust the person they are transacting with and expect a download.

How Developers and Publishers Establish Reputation

By following industry best practices, developers can accelerate the process of building
a good reputation. For example, signed programs typically build reputation twice
as fast as unsigned programs. We recommend
digitally signing programs
with an Authenticode signature. Making
sure that programs are not detected as malware is clearly important as well. The
Windows Logo
process also helps establish a software publisher’s reputation.

Safer Is Beautiful

SmartScreen Application Reputation is protecting consumers every day.

There are many reasons to recommend your friends and family upgrade to Internet
Explorer 9. We think staying safer online is a big one.

—Jeb Haber, Program Manager Lead, SmartScreen


Comments (36)

  1. Asbjørn says:

    If you are so keen on digital signing (which by the way is a good idea), then provide certificates for free. I will NOT waste 400+ dollars a year simply to get prettier warning dialogs. The current system is punishing small developers who cannot afford these absurd amounts. If you want to really reduce false positives, provide ALL developers with free certificates. That way, everyone will be more secure.

  2. Roman says:

    Asbjorn, do ALL malware developers also get free certificates?

  3. Jerry says:

    If you guys are going to show malware blocked in that chart…

    then maybe you should also chart "Legitimate Harmless Software Blocked"

    You don't because there is way more legitimate software blocked than malware.

    making the user jump through hoops to run legitimate free software will destroy what makes Windows great.

    if you are not going to offer a free certification process to sign code then at least make the option of 'Run Anyway' more visible.

  4. AndyC says:

    The statistic that 1 in 14 downloads turns out to be malware is truly shocking. I had assumed it would be quite high but never imagined quite that high. Good to see better preventive measures in the browser, let's hope other browser follow in your footsteps and make mass malware infection a thing of the past.

    @Jerry: I've seen far less warnings since going to IE9 so, if anything, legitimate software seems to be easier to download and install than ever. So far I've only seen 1 'potentialy harmful' message on an executable I trusted and that was in circumstances that I would fully expect to have not earnt reputation. I'm not convinced that masses of legitimate software is being blocked, because that certainly isn't my experience.

  5. 8675309 says:

    1st time i after i upgradeded to ie9 it said xpadder was a high risk app. when its not so i took about 5 mins. to figure out how to continue the download because the option to ignore the warning was buried

    there was a post about year ago about an approved ms cirtifacte publisher worth a look

  6. snarkmaiden says:

    @jerry stats for your false positives or it didn't happen

  7. Some1 says:

    @Jerry

    Yup..fully agree with you. During the rc I tried to download the netbeans ide and was promptly informed that it was potentially dangerous.

    Still if Microsoft can correct those false positives then I'm sure this is a great step towards protecting people from this kind of malware.

  8. Lawrence says:

    Any comment on the latest update for Flash screwing up rendering on IE9?

  9. yellowstone says:

    .jxr, .hdp  – Filename extension(JPEG XR) support.

  10. Revoka says:

    Instead of supporting web-of-trust models you continue to rely on the traditional hierarchical PKI models that as could be seen with Comodo (again) not that long ago.

  11. Parrotlover77 says:

    I agree with Asbjørn.  And to Roman's comment, simple verification of the applicant will avoid as many false positives as any other code signing certificate.  Nothing at all is stopping a malware author from spending $400 and signing a worm with it.  That's a weakness of code signing.  However, once a malware author is discovered, it's a lot harder for another certificate to be issued to him/her.

    As a developer of freeware, I have to say it's frustrating to see my application get the big red X despite hundreds of thousands of downloads and no complaints.

    All that said, the software downloading experience (including the security aspects) is a vast improvement over IE8.  If there were more free "trust" models supported, that would be good for everybody.

    As frustrating as it is to see the big red X for my software, it's more frustrating to know that after the user sees that warning several dozen times on software they know is legitimate, the more likely it will be that they will completely ignore it when real malware comes along.

  12. zdb says:

    I am also finding a high number of false positives which is frustrating due to the way IE9 makes it so much more difficult to download and run these legitimate files.

  13. CAROLYN says:

    WELL I GOT SOME TYPE OF WORM OR SOMETHING I CAN ACTIVATE MY SPYBOT OR NOTHING COULD SOMEONE HELP ME —  IT ERASED ALL MY FAVORITES AND ALOT OF OTHER STUFF IM DIABLED AND CANT AFFORD TO TAKE MY LAPTOP TO THE SHOP $150  WOW  

  14. Aethec says:

    @Revoka: Web of Trust is already abused sometimes, flagging legitimate sites as bad because someone decided "hey, let's flag this site, their owner did something we didn't like!" on /b/.

    If it was implemented in IE, the rankings would become completely useless.

    PS : Guys, the "Run anyway" button only takes two clicks…the first time might be difficult, but if you still have got problems to do it afterwards, I don't think it's IE's problem.

  15. JimTN says:

    The Web of Trust (WOT) plugin for Firefox and Chrome does something similar, so IE is not the only game in town.

    And, Microsoft, please explain why it is safe to run a browser that is part of the OS, as opposed to a separate program running with no system privileges? If IE gets hacked, so goes Windows.

  16. Tony says:

    Do you plan to have an API or library of sorts for use of the technology on applications other than IE9?

  17. Parrotlover77, "simple verification"… Like an automated email verification?

  18. Bart says:

    @JimTN – Internet Explorer comes *with* the OS but is *just another* user mode application, with no "system privileges" whatsoever. In fact, it's even more locked down than most apps (UAC, MIC, DEP, UIPI, Protected Mode). I'd suggest to read up on Windows security mechanisms, including those introduced in Windows Vista and beyond.

  19. snarkmaiden says:

    @parrotlover – whatever browser your unsigned app is downloaded in, your users will always see Windows warning them that the code is not signed when they go to install and showing a yellow flag.

    malware that's signed with a cert? that is even easier to detect and block because new malware with the same cert shows up right away ;-)

    perhaps what Smartscreen needs is a route for authors to submit false positive notices? OTOH there are several unsigned apps I often download that do not trigger the red warning because they have built reputation on Smartscreen, so it's far from a universal problem.

  20. Roman says:

    @snarkmaiden, that's the whole point. Free certs will just give option to malware developers to change them every day. This is why certification is not free. The money goes towards maintaining the cert centers, verifying identity and simply serves as a measure against abuse.

  21. clearmythroat says:

    @Bart – It's all well and good that IE is being locked down (primarily because it has the greatest install base and the highest attack rate and MS want to stop us from seeking other browsers). But let's not overlook the lack of security in the Windows OS in the form of ActiveX. The implementation of ActiveX leaves all the doors open and MS has to go around looking for the doors to close. Other OSes chose the opposite design. Unfortunately until MS remove (or replace) ActiveX then Windows users will continually be subjected to this abuse.

  22. tuxplorer says:

    Just give us a damn way to turn it off without turning off SmartScreen filter. Microsoft, we don't want application reputation to be forced on advanced users who know what they are downloading. "Commonly downloaded" is not a right criteria to decide whether a file is malicious or not and it just makes no sense for unsigned but popular downloads. Unless Microsoft gets it right in IE10 or never, just give a way to turn off application reputation-based downloading completely. This is one of the annoying IE9 features that is stalling my downloads at 99% while it is "Running security scan".

  23. Ooh says:

    @clearmythroat: There are several countermeasures to the ActiveX problem.

    1. That's what ActiveX Filtering was built for [1]. It isn't enabled by default, but maybe we'll see this in the future.

    2. An ActiveX control needs to be installed first, it can't do anything until you approved the installation. So the user has to explicitly confirm the installation of malicious code. UAC prevents simple click attacks/frauds, so it is really the user who has to accept it.

    3. No 2 in turn means that there needs to be a way to get the ActiveX on the computer, most likely a download. That's where SmartScreen Application Reputation kicks in.

    This is one of the many instances where things were really insecure in the WinXP era: everyone ran as admin and malicious code was just one click away. Thankfully these times are over. When you run Vista/7 with IE9 (both in the default configuration) the whole ActiveX problem vanishes. It just isn't a problem any more.

    [1] blogs.msdn.com/…/activex-filtering-for-consumers.aspx

  24. PhistucK says:

    @Ooh -

    Not exactly… if I recall correctly, Windows Update has been installing "ActiveX Kill Bits" updates on Windows Vista as well (I do not have Windows 7 to confirm these updates concerns it), which suggests that ActiveX is still a problem.

  25. Bart says:

    @clearmythroat, @PhilstucK – ActiveX controls run as part of a process which is subject to all security measures at the level of the security stack in Windows. In fact, using the words "Windows OS" and "ActiveX" in the same sentence is just like using "Windows OS" and "Paint" in the same sentence. They share the same relationship. You make it sound like ActiveX gets special treatment at the OS level, which is doesn't. All in all, it's a matter of defense in depth. Things like UAC help, but there have been a lot of enhancements to the OS security stack, especially since Vista, that contribute to an overall better security. Ooh's points illustrate the current state of affairs with ActiveX very well.

  26. Aethec says:

    @everyone thinking ActiveX is a magical evil being: Please document yourself on what NPAPI is.

    …hint: the same thing, minus OOB execution.

  27. Tuxplorer says:

    App reputation just does not work. It's a horrible decision to determine whether a downloaded app is dangerous based on popularity. Take the case of the newest version of Classic Shell. It had nearly 19000 downloads in May 2011 (sourceforge.net/project/stats/detail.php?group_id=290975&ugn=classicshell&type=prdownload&mode=alltime&file_id=0) but is still being warned as dangerous. (img39.imageshack.us/img39/3284/appreputationfail.png). So in a way IE9 is preventing this app from becoming more popular. And what happens to the established reputation if the URL changes because a new version is out?

  28. alvatrus says:

    @tuxplorer:

    App reputation is as much about educating the average internet user as it is as blocking malicious downloads. If someone deliberately downloads and installs ClassicShell, then that person must fiat that one install one more time that it is intentional. It doesn't compare by the literal millions of malware downloads that are trying to get their foot in through a social engineering attack.

    These messages (hopefully) make the masses more aware not to download every "fluffybunny.exe" file they come across. And if a person can't make the distinction between a legitimate, intentional, but not commonly downloaded file and a piece of malware then yes, perhaps it is a good idea to block it by default.

    This is not about vendors, developers, etc. being able to push software to their customers. This is about protection of end-users having no clue at all what they are downloading and installing on their computers.

  29. yellowstone says:

    .jxr, .hdp  – Filename extension(JPEG XR) support.

  30. Aethec says:

    @tuxplorer: There are lots of malware that have been downloaded more than 19k times. (btw, you shouldn't use a leaked build to make bug reports…maybe it's a bug in the Win8 IE9)

    @yellowstone: I think they heard you…

  31. rmavro says:

    How does one get my SIGNED program listed as one that does not produce the "..has not been downloaded…could be bad" warning?

  32. Ruchit says:

    I bought a code sign cert from comodo (http://www.comodo.com/…/code-signing-certificate.php) for a plugin i have developed for powerpoint.

    But my users still see smart screen…

    How do i solve this? this is bad user experience for a genuine exe.

  33. Vadim says:

    Hey Guys,

    I know you usually don't reply to the blog comments, but I figure you read them. So you may want to clarify in your post another type of file reputation warning IE9 displays.

    Unlike the one shown in your blog post, this message doesn't have the red frame, and says something like "this file is downloaded in an unusual way" I've got the Russian version of it tools.oszone.net/…/smartscreen-message.jpg

    Yet, it won't let running the file. What files trigger such a message?

    I'd appreciate your clarification; otherwise, I'll be seeking for it via MVP channels :)

  34. RyanCol [MSFT] says:

    @Vadim

    The Application Reputation warning in the notification bar only shows the red shield and border if the file is not digitally signed.  The different warning experiences for signed and unsigned files were shown in a previous blog post:  blogs.msdn.com/…/smartscreen-174-application-reputation-building-reputation.aspx

    You should be able to run the download by clicking the Actions button, expanding "More Options", and then choosing "Run Anyway".

  35. Vadim says:

    RyanCol [MSFT]

    Thanks for your quick response! I understand the color coding system now. For some reason I thought the messages in these dialogs were not the same. I guess I was just looking at them in different OSs with different languages :)

    And yes, I know how to run files with app rep warning. I meant you can't run them with one click.