SmartScreen® Application Reputation in IE9

Social-engineering attacks, like tricking a user into running a malicious program,
are far more common than attacks on security vulnerabilities. Application Reputation
in IE9 helps protect users from these socially engineered malware attacks. This post
offers details about real-world attacks and how these protections work.

For context, recent studies (like
this one) show that despite the headlines that exploits of software vulnerabilities
get, people browsing the Web are more likely to face a socially engineered attack.
Recent articles (like
this one) have compared different approaches to protecting people. Application
Reputation is a natural extension of the current protections
introduced in IE7 & IE8 that block phishing sites and sites that
distribute malicious programs.


The Technology of Socially-Engineered Attack and Defense

User-downloaded malware is a huge problem and getting bigger.

Through the SmartScreen Filter, IE has been
effective at blocking socially engineered malware attacks and malicious
downloads – IE blocks between 2 and 5 million attacks a day for IE8 and IE9 customers.
Since the release of IE8, SmartScreen has blocked more than 1.5 billion attempted
malware attacks. IE is still the
only major production browser to offer this kind of protection from socially
engineered malware. From our experience operating these services at scale, we have
found that 1 out of every 14 programs downloaded is later confirmed as malware.

Originally, SmartScreen protection was URL-based. IE7 introduced protection from
phishing attacks by integrating a cloud-based URL-reputation service. IE8 added
another layer of protection, also based on URLs (or Web addresses), to protect users
from sites that offered malicious downloads and used social engineering techniques
(“Run this to watch movies for free, download this security software to clean your
machine, or get great emoticons!”) to get users to download and run them. URL-based
protection from socially engineered malware attacks is an important layer of defense
for consumers today on the Web.

That said, IE9 adds another layer of defense against socially engineered attacks
that now looks at the application being downloaded - this is in addition to the
URL-based protection described above. This new layer of protection is called SmartScreen
Application Reputation. When it comes to program downloads, other browsers today
either warn on every file or don’t warn at all. Neither of these approaches helps
the user make a better decision. Application Reputation also addresses a limitation present
in all block-based approaches that happens at the beginning of new attacks,
before a Web site or program has been identified as malicious.

Using reputation helps protect users from newly released malware programs - pretending
to be legitimate software programs - that are not yet detected by existing defense
mechanisms. Reputation also enables IE9 to remove unnecessary warnings for downloads
with an established positive reputation. Both publishers and individual applications
build reputation. For example, a digitally signed application from a well-known
publisher that has been widely downloaded has a better reputation than an unsigned
application that has not yet been downloaded widely and has just been posted on
a newly created Web site.

Diagram showing the Application Reputation and URL Reputation services working with IE9.


Anatomy of a Real World Attack

Let’s look at how the feature protected actual IE9 users from one particular attack.
The figure shows the download traffic of a very large-scale malware attack (hundreds
of thousands of downloads). Application Reputation warned IE9 users about this malicious
program from the very moment it hit the Web at Hour 0:

Chart of a real malware attack showing malware downloads over time.

Real Malware Attack Traffic & Timeline

Traditional block-based protection (URL-blocking as well as anti-virus) came in
after Hour 11, well after the attack had passed its active period. The download
warning within IE about the lack of an application reputation was the only defense
that users had. 99% of IE9 users who clicked to download this malicious program
chose to delete or not run the program from the Application Reputation unknown
program warning.

Screen shot of SmartScreen Application Reputation Unknown Program warning notification.

SmartScreen Application Reputation Unknown Program Warning

In this attack, IE9 Application Reputation interrupted the deception of the attack
(which was otherwise very convincing) and most users were able to make a great decision
on their own. This outcome is exactly why we built SmartScreen Application Reputation
into IE9. 99% of users were able to avoid the infection.

This is just one real-world example. Below, we discuss how this trend holds strong
in aggregate. Application Reputation is a game changer for protection against socially-engineered
malware attacks, which is the largest risk on the Web today.


Early Results: Reputation Informs Better Consumer Decisions

From looking at IE9 usage data, starting from the IE9 beta, we see two main patterns:


Dramatic reduction in malware infections for IE9 users

  • Users are choosing to delete or not run malware 95% of the time from the new Application
    Reputation warnings
  • We estimate that Application Reputation will prevent more than 20 Million additional
    infections per month (on top of existing SmartScreen URL reputation blocks)


Streamlined experience that warns only when the risk is high

  • Because programs and publishers can now establish a reputation, 90% of program downloads
    no longer show browser security warnings when users have SmartScreen enabled
  • From our data, the typical user will only see 2 warnings per year
  • On any given day, clicking through the “unknown warning” carries a risk between
    25% and 70% of malware infection

The reputation that applications and publishers build from actual customers is at
the core of how this protection works. Most people would be cautious about buying
something online from a complete stranger. Sites like
Ebay, Etsy,
Angie’s List, and Amazon.com show
how people use reputation features to make better trust decisions online.

IE9 applies the concept of community reputation to programs that users download.
From the data we’ve collected about user downloads from the browser, 1 out of every
14 programs downloaded is later confirmed as malware. Consumers need information
to make better decisions.

IE9 uses an application’s reputation to warn customers about downloads that carry
a higher risk because they have not yet established a reputation. More than 50%
of programs lacking a reputation are new to the Web on a given day. On a daily basis,
25% to 70% of programs that trigger an Application Reputation warning in IE9 are
later confirmed as malware. Programs and publishers that have already built reputation
do not show a warning.

Many users rarely or never download programs that don’t already have an established
application reputation. When they do, this warning is critical. Users are more likely
to pay attention to this warning because it appears infrequently. Users can still
choose to download the file. Our data shows that customers are making more informed
choices – taking the time to check the source, or confirm it is something they meant
to download. With SmartScreen Application Reputation, users are doing a much better
job distinguishing between malware and legitimate downloads.


Better Consumer Protection through Data

Our goal is to establish a reputation for the publisher of every program on the
Web so that consumers can have a safer and easier experience downloading them. Leading
up to the IE9 beta, we analyzed billions of downloads and built a continuous model
of application reputation and trust across the Web.

To sustain these coverage rates, we’ve built large-scale, objective intelligence
systems that process billions of pieces of information on a daily basis. These systems
are constantly building out reputation for new and existing applications and publishers.
As of today, there are tens of thousands of publishers and millions of individual
applications with an organically established reputation and we’re adding more all
day, every day.

Sometimes, some users will see warnings for legitimate software that happens to
be new and has not yet established a reputation. From the reports we received from the community, this is a rare exception. A new program from an existing publisher
with an established reputation inherits the publisher’s reputation from that publisher’s
code signing certificate. New publishers can build their code-signing reputation
quickly with every download. Unsigned programs were the cause of 96% of the warnings
that consumers have seen to date. The remaining 4% of warnings came from certificates
previously associated with malware or certificates that were new and are still building
a reputation. Customers can and do make informed choices to click through the warning
when they trust the person they are transacting with and expect a download.


How Developers and Publishers Establish Reputation

By following industry best practices, developers can accelerate the process of building
a good reputation. For example, signed programs typically build reputation twice
as fast as unsigned programs. We recommend
digitally signing programs with an Authenticode signature. Making
sure that programs are not detected as malware is clearly important as well. The
Windows Logo
process also helps establish a software publisher’s reputation.


Safer Is Beautiful

SmartScreen Application Reputation is protecting consumers every day.

There are many reasons to recommend your friends and family upgrade to Internet
Explorer 9. We think staying safer online is a big one.

—Jeb Haber, Program Manager Lead, SmartScreen