A friend recently wrote to me, alarmed that the SmartScreen Filter feature was constantly turning off on his laptop with IE8. Despite manually re-enabling the feature using the Safety menu multiple times per hour, it was mysteriously and repeatedly turned off without any action on his part.
He was worried for two reasons: first, because he wanted to benefit from the great protection provided by SmartScreen’s anti-malware feature, and second, because he feared that perhaps he was already infected by malware and that it was turning off SmartScreen. I suggested that it wasn’t likely that a malware infection was disabling SmartScreen—if his machine was already infected by malware, the attacker need not bother trying to socially-engineer him into installing additional malicious code.
Fortunately, he was willing to let me have a quick look at his laptop to figure out what was going on. Process Monitor is a great tool for hunting down more than performance bottlenecks— it’s also easily used to watch for unexpected changes in Internet Explorer’s registry settings.
As it turns out, I happened to know that SmartScreen’s state is controlled by a registry key named EnabledV8, but using ProcMon’s filters to watch registry keys containing the word “phishing” would have worked just as well. After re-enabling SmartScreen and restarting the browser, ProcMon reported the following reads and writes to the EnabledV8 key:
As you can plainly see, IE initially reads the SmartScreen state as enabled (“1”) but shortly afterwards, a different process comes along and writes the value “0” to the key, disabling SmartScreen. But what is ccSvcHst.exe?
Double-clicking on the first RegSetValue operation opens the Event Properties dialog, where we can see details about the event. By clicking on the Process tab, we easily can learn more about the ccSvcHst.exe process:
It turns out that this version of Norton 360 intentionally disables IE8’s SmartScreen Filter. Looking around the Norton control panel, I wasn’t able to find anywhere to turn off this behavior. I did notice that the control panel offered an “Anti-Phishing” checkbox. Experimentation revealed that when you use this checkbox to disable Norton’s phishing filter, Norton does not automatically re-enable SmartScreen Filter. However, with Norton’s filter disabled, the Norton 360 service stops repeatedly disabling SmartScreen. If you uncheck the checkbox in the Norton control panel, and manually re-enable SmartScreen, your protection from phishing and malware sites resumes without further interruption.
(Update: Symantec has changed the SmartScreen-disabling behavior in updated versions of the Norton 360 product.)
While this wasn’t one of the harder cases I’ve been asked solve, the moral of the story is clear: using the right tools takes most of the work out of detective work.
Until next time,