SmartScreen® Application Reputation – Building Reputation
With the Internet Explorer 9 (IE9) beta in September we introduced
IE9's new application reputation feature and more recently we provided a
summary of how this fits into the overall
layered approach to security. With the final release of IE9 now available,
we want to share some additional information about application reputation, clarify
how code signing impacts the IE experience, and reiterate industry best practices
that application developers should consider.
SmartScreen Application Reputation is a consumer-focused safety feature that helps
consumers make better decisions about the programs they download. Downloads are
automatically assigned a reputation rating based on multiple algorithms that consider
many objective criteria, such as antivirus results, download traffic, download history,
and URL reputation. If a user opts into enabling the SmartScreen Filter, application
downloads without established reputation result in a notification (see below) warning
them that the file may be a risk to their computer.
From this notification, users can choose to delete the file or ignore the warning and run the downloaded
program. For the typical user, the risk of running the download is a 25% to 40% chance
of malware infection. We've been building reputation for some time now and approximately
90% of all application downloads have established reputation by hash or digital
certificate. For the typical user, this notification is an infrequent experience
associated with higher risk of malware infection. To put the scale of this risk
in perspective, approximately 7% of all executable files downloaded by Internet
Explorer are later confirmed as malicious. A portion of these attacks are prevented
by blocklist solutions such as SmartScreen URL reputation or antivirus products.
Unfortunately, no blocklist-based solution is 100% effective at preventing these
attacks. Since Application Reputation was enabled in the IE9 beta release, the feature
has greatly reduced infection rates from attacks that were not otherwise detected
at the time of download.
Unsigned Download – IE9 Application Reputation Notification
Signed Download – IE9 Application Reputation Notification
How programs are identified in IE9
A download’s Application Reputation is assigned by:
- a hash of the downloaded file
- the digital certificate used to sign the file (if signed)
The file hash is an exact identifier for the specific file downloaded. If any part
of the application changes, the program identity (file hash) will also change. An
unsigned application that is updated regularly (e.g. unsigned daily builds) will
appear as multiple distinct programs that will have to build reputation individually.
Reputation is also generated for digitally signed downloads based on the digital
certificate used to sign the file. Digital certificates allow reputation to be assigned
to a single identity (digital certificate) across multiple files. If you are not
signing your programs, reputation will be built independently for each file you
distribute. In contrast, signed programs may inherit the reputation of your digital
certificate.
Why Sign Your Code?
For developers distributing applications online, signing your code is not required to establish reputation, but it is highly recommended.
Code signing is an industry best practice that allows consumers to authenticate
that files signed by a publisher are actually from that publisher. Signing also
helps ensure that files cannot be secretly tampered with while stored on a server
or during the download process. Without a digital signature, there is no way for
a user to validate who actually created the file. This threat is commonly exploited
by malware authors in their social engineering attacks.
Of course, the presence of a digital signature alone does not ensure a download
is non-malicious. Digitally signing your application is not a guarantee that your
download will have established reputation immediately, but can play an important
part in ensuring that your applications receive the reputation they deserve.
Note that even if SmartScreen® Filter is disabled, users will be warned before unsigned
applications are run:
Internet Explorer 9 – Unsigned File Notification
Best Practices for Application Developers
There are several industry best practices an application developer can follow to
help establish and maintain reputation for their applications:
Digitally sign your programs with an Authenticode signature.
- Obtain a valid Authenticode code signing certificate from one of the many certificate authorities (CAs) supported by Windows.
- Use development tools (such as signtool.exe) to sign your applications prior to distribution.
- For more detailed information and a step-by-step description of the code signing process, see Eric Lawrence's excellent post Everything you need to know about Authenticode Code Signing.
Ensure downloads are not detected as malware.
- Downloaded programs that are detected and confirmed as malware will affect both the download's reputation and the reputation of the digital certificate used to sign that file.
Apply for a Windows Logo.
- To learn more about the Windows Logo, visit the Windows 7 Logo Program page on MSDN.
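As an added example (not code from the original post or from the SmartScreen team), the following PowerShell script inventories the two identifiers the post says reputation is keyed on, the SHA-256 hash of each file and the Authenticode signing certificate, across a release directory, and fails the publish step if any executable is unsigned or its signature does not verify. The C:\release path is a placeholder.

```powershell
# Added example: check release binaries for the identifiers SmartScreen uses.
# C:\release is a placeholder; point it at the folder you are about to publish.
$releaseDir = 'C:\release'

$report = Get-ChildItem -Path $releaseDir -Include *.exe, *.msi -Recurse | ForEach-Object {
    # The file hash is an exact identifier: any change to the build changes it,
    # so an unsigned build starts with no reputation every time it is rebuilt.
    $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash

    # The signing certificate is the identity that can carry reputation across builds.
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName

    [pscustomobject]@{
        File        = $_.Name
        Sha256      = $hash
        SigStatus   = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        Thumbprint  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }
        # A timestamp countersignature keeps the signature valid after the certificate expires.
        Timestamped = [bool]$sig.TimeStamperCertificate
    }
}

$report | Format-Table -AutoSize

# Signed builds of one product share a Thumbprint even though their Sha256 differs;
# anything not 'Valid' would be presented to users as a file with no established identity.
$unsigned = @($report | Where-Object { $_.SigStatus -ne 'Valid' })
if ($unsigned.Count -gt 0) {
    $names = $unsigned.File -join ', '
    Write-Warning "$($unsigned.Count) file(s) unsigned or with an invalid signature: $names"
    exit 1
}
```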
More information about digital signatures and code signing:
- Authenticode Overview
- Ensuring Integrity and Authenticity
- Code Signing Best Practices
- What are Digital Certificates?
Thanks for your help in ensuring a safer, more streamlined download experience for consumers.
—Ryan Colvin, Program Manager, SmartScreen
Comments
Anonymous
March 22, 2011
IE7, which debuted with the Phishing Filter, was very slow at checking web pages and often caused delays in page loading. IE8 improved so much upon the speed with the SmartScreen filter that all website checking was instantaneous. With IE9, my downloads are taking several seconds (10-15) after they complete while "running security scan". I cannot disable the Application Reputation feature without disabling SmartScreen? Why is it so slow in checking downloaded files?
Anonymous
March 22, 2011
We have a brand new application, signed, not marked as malware, and we can't apply for a logo because it is an IE extension. With this "nice" feature there is no way to make it more commonly downloaded because IE is forbidding it from being commonly downloaded. And I am sure that a lot of malware apps can be downloaded without problems now. So this looks more like a market share keeper :-D Firefox 4? Not commonly downloaded. Brand new browser app? Not commonly downloaded. Different toolbar than Bing? Not commonly downloaded. I suppose that accountants in Microsoft really like this feature.
Anonymous
March 22, 2011
"not commonly downloaded" is indeed a misnomer. I and many others download mostly freeware or open source programs. None of these are signed or will be signed in the future. Most of them get updated frequently. There is no way for them to gain "reputation". Did it ever occur to Microsoft that developers that do not make money from their program (or only to a certain degree) will not be able to sign their programs? AFAIK there's not yet a Microsoft sanctioned CA included in Windows that provides code-signing certs for free. If you want to spread code-signing then provide a means for freeware and open-source developers to sign their code for free.
Anonymous
March 22, 2011
@KS, code signing is not required to be able to download an application. It's just to verify that the application wasn't tampered with by anyone else.
Anonymous
March 22, 2011
In the IE9 final, it seems that it opens up zip folders automatically instead of prompting me to save them if I click them instead of right clicking and save target as.
Anonymous
March 22, 2011
So if I distribute Android and BlackBerry and whatever other apps and ISOs that users can download from their browser to side load on devices etc., they will all be flagged as malicious downloads because they are not apps signed for Windows!?!?!?!? What a total Epic Design Failure! The Web is not Windows!!!!
Anonymous
March 22, 2011
Since Windows warns you about an app being unsigned with a big angry red "X" why does IE need to do this as well? I suppose the MS answer will be defense in depth, and I can't say I necessarily disagree with the argument, but it does run me the wrong way that hobby developers are yet again being pinched. Authenticode signatures are not cheap. If you develop free software, you have no revenue with which to apply for one. Windows Logo testing is cost prohibitively expensive, even for shops that DO make a profit unless they are top tier. This sort of feels like a bunch of big companies pinching the small developers. And, I must admit, I don't actually have a better solution, and there definitely is a problem. I'm just concerned that this solution may cause more harm than good. @Walter - In my experience thus far, only *.MSIs and *.EXEs are flagged this way, so unless you use those extensions for your Android and Blackberry apps, you have no reason to worry.
Anonymous
March 23, 2011
So far I've had this block my downloading Firefox, Opera AND IE9. Makes me long for the days when Microsoft just flat out didn't care about security.
Anonymous
March 23, 2011
Love the new notifications, I feel much safer.
Anonymous
March 23, 2011
We are an independent software vendor. Our tax software has been Canada Revenue Agency (CRA) certified for the last 8 years and our software/website is listed at the Canada government website. Our website includes a digital website seal issued by Thawte. (We can change it to a website seal of VeriSign if necessary.) In IE9, when customers download the software from our website, the SmartScreen Filter of IE9 shows a warning message recommending users not use our software. As we try to bring in new customers, the warning message becomes a big headache. As per the IEBlog post below and this blog, applying for a Windows Logo could be helpful. blogs.msdn.com/.../stranger-danger-introducing-smartscreen-application-reputation.aspx We got the Windows 7 Logo on March 22, 2011. Also, the software is now signed with a VeriSign certificate (it used to be a Thawte certificate). But the warning message still shows when downloading. So how long does it take for the warning to go away after we've got the Windows 7 Logo? Just in case the Windows 7 Logo does not help, is there a way to add our website/software to the reputation list of SmartScreen Filter? We can pay for the service as long as it works. Any help is highly appreciated.
Anonymous
March 23, 2011
My fault. When I try the download at a later time, there is no more warning message in IE. So applying for the Windows 7 Logo does help.
Anonymous
March 24, 2011
My thoughts are that it is good that IE9 offers better protection against malware, but that it is unfortunate that vendors feel out of control of the process. Application Reputation is to vendors who offer downloads as a credit report is to a consumer trying to get a loan for a car. If my credit report has inaccurate information, I am allowed, encouraged even, to review the information and prompt the credit agency to make corrections. I have not yet discovered similar remedies for my applications' reputations.
Anonymous
March 24, 2011
Frank-e, what do you mean by 'sign' a dozen ZIP archives? What will that do?
Anonymous
March 26, 2011
The download manager is officially an abomination for me. Microsoft can't create a decent download manager now? Downloads get stuck at 99% or 100% forever "running security scan...". There's no way to opt out of the reputation-based downloading without also disabling the SmartScreen filter. Even after disabling SmartScreen, the downloads get stalled at 99%. PDF files get stalled? And when I ask in the forums, they blame it on addons? I don't have any addons installed. Very disappointing.
Anonymous
March 26, 2011
Downloads on my Win7 Ultimate x64 SP1 PC with IE9 RTM hang at 99% downloaded and 1 second left. If I cancel the download and rename the .partial file the download is usable. Pls fix.
Anonymous
March 27, 2011
I'm still not getting any feedback from MS about the issue I have raised here and through Customer Services. Is it your intention to destroy small businesses too?
Anonymous
April 04, 2011
I don't understand the encouragement to apply for the Windows 7 logo to help establish and maintain an application's reputation. The Windows 7 logo is not available to browser plug-ins. So how is this applicable?