IE9 performing better than Google Chrome at catching malware

Over at ZDNet, contributor Ed Bott writes about an experiment he conducted comparing Internet Explorer 9 and Google Chrome, and how good each was at catching malware:

Social engineering has become the dominant method of distribution for fake antivirus software. And most modern browsers, with one exception, do a terrible job of dealing with this type of threat. Current builds of Chrome display a terrible flaw that puts you at greater risk than its competitors. In my testing, a malware author was able to exploit Chrome in four easy clicks. In stark contrast, Internet Explorer 9 used some new technology to flag the exact same sites and files as suspicious, providing unmistakable warnings that have been shown to stop 95% of these attacks in their tracks.

… the Trojan executables are mutating very rapidly, perhaps even hourly. Antivirus signatures are not able to detect the mutated strains until they’ve been in the wild for a day, by which time they’ve already been replaced. Bad guys have figured that out, devising a playbook that is rendering most antivirus software useless.

So, what’s a browser maker to do? The malware is so fresh that your up-to-date antivirus software doesn’t detect it yet. Here’s where Chrome and IE9 take very different approaches.

Every download request gets passed through Microsoft’s SmartScreen filters. Google does something similar. But the IE9 version of SmartScreen includes a new set of algorithms designed to test the reputation of this executable file. Has it been seen before? Is there anything about the file name or the domain that looks suspicious?

In fact, one of the most important questions to ask is this one: Is the executable file digitally signed? Microsoft’s researchers found that roughly 96% of all those red warnings are attached to unsigned, previously unseen files. The algorithm assumes that a file—signed or unsigned—is untrustworthy until it establishes a reputation. No domain or file gets a free pass—not even a new signed release from Microsoft or Google. Every file has to build a reputation.

This approach turns conventional thinking on its head, but from a security perspective it’s the right thing to do. It deals with the problem of “dialog box fatigue” by reserving the most dire warnings for files that are new and unknown. Microsoft says that its data show the risk of being infected with malware from clicking through one of these “unknown file” warnings is at least 25% and possibly as high as 70% on any given day. Legitimate files quickly establish a reputation and no longer produce a warning. Actual malware quickly gets identified within a day or two and is fully blocked around the same time the hosting site gets shut down.

According to data that Microsoft gathered during beta testing of IE9, this approach has had a profound impact on user behavior. Fully 95% of previously undetected malware is now either deleted or not run by the user. The impact on actual infections is equally profound, with Microsoft data showing infection rates have dropped to 1/20th compared to similar rates for IE8.

This kind of improvement isn’t just a matter of clever code. It takes a tremendous investment in back-end services and a huge commitment of resources—people and money—to do the necessary analysis. This is one feature that other browser makers—especially Google—desperately need to copy.

In other words, Microsoft has a two-pronged approach built into SmartScreen when it comes to assessing the integrity of files that you download online:

  1. Do an anti-malware scan.

  2. Do a reputation scan of the file. If it is signed and has a good reputation, it allows you to download the file. If it does not have a good reputation – even if it is signed – it prompts the user that the file could be potentially harmful.

This addresses the issue of pop-up fatigue – when users get lots of false positives they become dismissive of warnings and plow full steam ahead even though the file could be malicious. However, if the warning only occurs every once in a while, then there’s less chance that they will ignore it (that’s why Homer’s “Everything is OK alarm” failed – that and it broke easily).
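As an added illustration (not code from this post, from Ed Bott, or from Microsoft), here is a simplified Python model of the two-pronged download check described above: an anti-malware lookup first, then a per-file reputation check in which a file is treated as unknown until it earns a reputation, whether or not it is signed. The reputation table, the sighting threshold and the file-name heuristics are constructed assumptions, not SmartScreen’s actual algorithm.

```python
import hashlib
from dataclasses import dataclass
from enum import Enum

class Verdict(Enum):
    BLOCK = "block"   # anti-malware scan matched
    ALLOW = "allow"   # file has an established reputation
    WARN = "warn"     # new, unknown file: show the rare high-signal warning

@dataclass
class Download:
    content: bytes
    filename: str
    signed: bool

# Constructed stand-ins for the back-end services the post describes.
MIN_SIGHTINGS = 1_000  # assumed threshold for an "established reputation"
KNOWN_MALWARE = {hashlib.sha256(b"constructed fake-AV installer").hexdigest()}
FILE_REPUTATION = {hashlib.sha256(b"constructed well-known installer").hexdigest(): 250_000}
SUSPICIOUS_NAME_PARTS = ("antivirus", "scan", ".exe.")  # hypothetical name heuristics

def record_sightings(content: bytes, count: int = 1) -> int:
    """Legitimate files build reputation as they are downloaded without incident."""
    digest = hashlib.sha256(content).hexdigest()
    FILE_REPUTATION[digest] = FILE_REPUTATION.get(digest, 0) + count
    return FILE_REPUTATION[digest]

def suspicious_signals(dl: Download) -> list[str]:
    """The questions the reputation check asks about a file with no history."""
    signals = []
    if not dl.signed:
        signals.append("unsigned")
    if hashlib.sha256(dl.content).hexdigest() not in FILE_REPUTATION:
        signals.append("previously unseen")
    name = dl.filename.lower()
    if any(part in name for part in SUSPICIOUS_NAME_PARTS):
        signals.append(f"suspicious file name: {dl.filename}")
    return signals

def assess(dl: Download) -> Verdict:
    digest = hashlib.sha256(dl.content).hexdigest()
    if digest in KNOWN_MALWARE:                          # prong 1: anti-malware scan
        return Verdict.BLOCK
    if FILE_REPUTATION.get(digest, 0) >= MIN_SIGHTINGS:  # prong 2: reputation
        return Verdict.ALLOW                             # earned, signed or not
    return Verdict.WARN                                  # no free pass for a signed but unknown file
```

Because only new, unknown files reach the WARN branch, the warning stays rare and therefore meaningful, which is the point about dialog-box fatigue made above.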

I agree with Ed that this is a feature that other browser makers should copy. Competition between Chrome, Firefox and Internet Explorer pushes each to build a better browser, and they borrow innovative features from one another. Microsoft deserves kudos here in their attempts to keep users safe while browsing.

Now if only we could get everyone to update from Internet Explorer 6.