Jaa


“Stranger Danger” - Introducing SmartScreen® Application Reputation

When we released the IE9 beta about a month ago we talked about the importance of trust and confidence when working with downloads. Today, we are enabling the SmartScreen application reputation service to improve download protection for IE9 beta users.  This feature works together with the SmartScreen anti-malware service that protects IE8 and IE9 beta users every day.

You can experience the protection of the SmartScreen application reputation service yourself by ensuring SmartScreen is enabled. Just click the Tools Button | Safety | Turn on SmartScreen Filter menu item, then choose Turn on SmartScreen Filter in the following dialog.

What is SmartScreen application reputation?

In the course of daily browsing, many consumers see warnings that say "This type of file may harm your computer" when downloading files. This warning may be accurate in some sense, but it is not helpful or relevant for the vast majority of internet downloads. Most consumers are accustomed to just ignoring this warning since it is shown when downloading almost any file from the web.

With IE9 we looked at ways to improve our malware protection overall and the experience consumers have with downloads. We had two primary goals in mind to help consumers make better trust decisions when downloading programs from the web:

  • Show more useful warnings when a program is a higher risk
  • Reduce the number of generic, unhelpful warnings consumers see when downloading programs

In analyzing software downloads actively in use on the internet today, we found that most have an established download footprint and no history of malware. This was the genesis of SmartScreen application reputation. By removing unnecessary warnings, the remaining warnings become relevant.

What does this mean for consumers?

With SmartScreen Application Reputation, IE9 warns you before you run or save a higher risk program that may be an attempt to infect your computer with socially engineered malware.  IE9 also stays out of the way for downloads with an established reputation. Based on real-world data we estimate that this new warning will be seen only 2-3 times a year for most consumers compared to today where there is a warning for every software download.

Why is this approach necessary?

The key challenge with malware on the internet is that attacks are fast moving and quick to change. The importance of application reputation is as an early warning system. There is latency between the outbreak of an attack and when it is detected and blocked. Consumers today are unprotected during that time.   Think of this new warning as “stranger danger” – it’s an early warning system for undetected malware. No antivirus or protection technology is perfect; it takes time to identify and block malicious sites and applications.  Blocking after detection is still an important strategy, but there remains a gap between the start of an attack and when it is detected and blocked.  IE9 SmartScreen application reputation fills that gap. 

How does this work?

When you download a program in IE9 a file identifier and the publisher of the application (if digitally signed) are sent to a new application reputation service in the cloud. If the program has an established reputation there is no warning. If the file is downloaded from a reported malicious site, IE9 blocks the download, just like IE8 does. However, if the file does not have an established reputation, IE lets you know in the notification bar and download manager, enabling you to make an informed trust decision.

SmartScreen application reputation warning in the notification bar

SmartScreen application reputation warning in the Actions dialog

Application reputation warning in the notification bar (top) and the Actions dialog (bottom)

See how it works

You can try it out for yourself. Linked below are two identically named files, one with established reputation and one that is unknown to our service. Without application reputation, it is difficult to tell which download has established reputation and which is uncommon and a higher risk to your computer and information. Download each with IE9 to see the SmartScreen application reputation experience in action.

Are all ‘uncommon’ programs malicious?

Not all uncommon programs are malicious, but the risk in the unknown category is significantly higher for the typical user. Application reputation is intended to provide context and guidance for those who need it, especially if the warning is unexpected. Like SmartScreen in IE8, this is an opt-in service and can be easily disabled in the Tools menu, but this is not recommended.

Note to application developers:

Downloads are assigned a reputation rating based on many criteria, such as download traffic, download history, past antivirus results and URL reputation.  Reputation is generated and assigned to digital certificates as well as specific files.

As an application developer, there are industry best practices that will affect your download's reputation. To help establish your application's reputation, consider doing the following:

Digitally sign your programs with an Authenticode signature

Reputation is generated and assigned to digital certificates as well as specific files. Digital certificates allow data to be aggregated and assigned to a single certificate rather than many individual programs.

Ensure downloads are not detected as malware

Downloaded programs that are detected and confirmed as malware will affect both the download’s reputation and the reputation of the digital certificate.

Apply for a Windows Logo

To learn more about the Windows Logo visit the Windows 7 Logo Program page on MSDN. This is a free process for signed programs that can help establish reputation for your download.

We are extremely excited to enable this feature today for our IE9 beta users. We’re investing heavily in the intelligence powering this feature, as well as improving our existing malware and phishing protection. We think this new approach is an essential companion to the existing SmartScreen features and represents our continued commitment to protecting users.

Ryan Colvin
Program Manager, SmartScreen

Comments

  • Anonymous
    October 13, 2010
    You know, its funny. I go to download a recently-released Java update and some other program from AMD's website and both times I get greeted with the '<file> is not commonly downloaded and could harm your computer' notification. Not commonly downloaded? I wonder why that could be. Either way, now having to make an extra click on Actions (hoping to open the folder containing the two downloaded files), I see that 'Open folder' is nowhere to be found, only the incorrectly recommended 'Delete' and 'Run anyway'. Now I have to manually nagivate to the folder. Disables SmartScreen

  • Anonymous
    October 13, 2010
    As an independent ISV I hope someone will work on the wording before IE9 is released. I think it's a good idea but what is "commonly" downloaded? I mean just think of all the MSFT downloads that would display this warning (though I'm sure all Microsoft signed downloads will be exempt.) It'd probably be less confusing to just keep on displaying the same warning as usual but skip it or show some kind of "Known Safe" green stamp for well known apps.

  • Anonymous
    October 13, 2010
    This just begs the question, "How does Microsoft know what people are downloading?" Is Microsoft logging user's download activity and creating some repository for analysis and comparison? This also seems to insinuate that if a large scale malware attack/distribution occurred and people were downloading (inadvertently of course) malware, the user wouldn't get a warning at all prior to downloading malicious files that seem to be common downloads.

  • Anonymous
    October 13, 2010
    It is still a total UI FAILURE to put messages that you want a user to pay any level of attention to at the bottom of the screen with no animation when displayed. a.) they should animate slightly and b.) they should be at the top.  Many years of UI  Research have proven this.

  • Anonymous
    October 13, 2010
    The comment has been removed

  • Anonymous
    October 13, 2010
    Vista's UAC has done more for security than any other measure in the Windows lifecycle. So, yes please... Bring it on!

  • Anonymous
    October 13, 2010
    What about IE9 beta-2? And what about supporting W3C Widget - dev.w3.org/.../widgets ?

  • Anonymous
    October 14, 2010
    Great to see understandable prompts /  messages for the user. Looking forward to the ful lE9 release. One thing I really miss from Chrome, though, is 'paste and go' as a right-click option when copy & pasting URLs. That would be superb in IE9.

  • Anonymous
    October 14, 2010
    The comment has been removed

  • Anonymous
    October 14, 2010
    lots more detail on how and where the reputations are generated, please! @jayp the Open and preview accelerator in IE8 works in IE9; select the URL, click on the blue blob and choose open in new tab - then you don't have to copy it; install from www.ieaddons.com/.../Open_URL_in_New_Tab_with_Preview

  • Anonymous
    October 14, 2010
    The comment has been removed

  • Anonymous
    October 14, 2010
    Ryan, thats good stuff to know that you have enough data so the alert isn't the norm!

  • Anonymous
    October 14, 2010
    When I mentioned paste & go I was referring to pasting into the address bar - sorry, should've clarified. In Chrome, if you have a URL on the clipboard, you can right-click on the address and select 'Paste & Go' - I find it incredibly useful.

  • Anonymous
    October 15, 2010
    ie9 "Open containing folder" will not work. IE8 works great. That's it, that's the only difference, filescreen on/off doesn't help, in fact the shortcut to the file appears to have something appended to the name such as "hmb2035.partial", when smartscreen is on.

  • Anonymous
    October 17, 2010
    'Paste & Go'  is an Opera feature. It has had it for many years now.

  • Anonymous
    October 18, 2010
    Which file types does this apply to? e.g. If I serve up report content from my Enterprise level, private web applications as download-able "Excel" files, is this going to hit my users on every single request because the files will ALL be unknown (generated server side) and *.XLS files might contain macros, that might affect the end users computer? If so, is there a way to allow the client to turn off this feature for a domain?... I'm expecting 1,000's of help desk calls if this feature is on by default for all "executable" file-types in private web app environments where files are generated. jake

  • Anonymous
    October 18, 2010
    The comment has been removed

  • Anonymous
    October 19, 2010
    "Reputation is generated and assigned to digital certificates as well as specific files. Digital certificates allow data to be aggregated and assigned to a single certificate rather than many individual programs. " It's unclear to me what exactly is meant by "a single certificate".  Do you mean by a specific signing authority or literally the individual certificate that one entity possesses?  Will my downloads be treated the same as all other downloads signed with a Comodo certificate (that's what I use) or do you mean that all downloads signed with the specific certificate that Comodo issued me be treated the same?  If so, then I, as a small independent software vender am in trouble since I only have a small number of applications in niche markets.  Of course, LARGE software publishing houses (like Microsoft) won't be harmed by this policy.  Luck for them...

  • Anonymous
    October 19, 2010
    It would be good to see the IE9 work better to rid itself of the backdoor cookies and such (like Evercookie - http://samy.pl/evercookie/)  Supposedly, Safari does well with it, I've tried Google Chrome in incognito and after restarting it, it seems to be secure - but IE9 in in private, after restarting, the site still has its cookie there.   It's great we're protecting bad downloads, but the silent tracking tools are getting very prolific and problematic for security.

  • Anonymous
    October 20, 2010
    Have you considered working together with the WinQual team, so that application developers can get notified via existing WinQual mechanisms about their reputation, and especially in case one of their apps is flagged as malicious? In my opinion this would increase transparency and quality, raising the value of both the WinQual and the SmartScreen ecosystems. You could even give a few points extra spositive core to a signed application that is already known for the sole fact that it iwas uploaded to WinQual.

  • Anonymous
    October 22, 2010
    You suggest that developers apply for a Windows Logo as one method of establishing a reputation.  But browser plugins are ineligible for the Windows Logo program.  Is there an alternative?

  • Anonymous
    October 22, 2010
    The comment has been removed

  • Anonymous
    October 25, 2010
    "Reputation is assigned to the specific certificate that a developer or ISV uses to sign their code, not the certificate issuer.  It allows our intelligence system to aggregate all reputation for your applications to a single object rather than several distinct ones.  If your certificate has established reputation, all existing applications (and any new ones signed with the same cert) will share that established reputation." And when I renew my certificate, am I back to square-one or does my new certificate inherit the reputation weight of my previous expired certificate?

  • Anonymous
    October 25, 2010
    The comment has been removed

  • Anonymous
    October 27, 2010
    @BradC: > You suggest that developers apply for a Windows Logo as one method of establishing a reputation. No. You can sign up on Winqual independently of any Windows Logos you may want. There's many things you can do once you sign up on Winqual, for example getting crash dump data that helps you understand where you can improve your code. This is why we access and update our Winqual data frequently, much more frequently than getting a  newlogo every now and then. And this is why Microsoft has all our binaries and digital certificates from the past 10 years. What I am saying is that Microsoft could start using this same information it already has also for reputation purposes.