Windows Smartscreen Gets Smarter

Category: Security

Microsoft rolled out a new version of its Smartscreen web content filtering software in the December 2015, “Patch Tuesday” update. Just like Gandalf on the bridge in Lord of the Rings, the new and improved Smartscreen aims to protect you from dangers that lurk in dark places. Read on to learn about Smartscreen, what it can do, and why it may not help you, unless...

What's in the New Smartscreen?

The new Smartscreen purportedly protects users against drive-by downloads, zero-day exploits, and malware-infected ads (malvertisements), as well as blocking phishing sites and rogue websites that infect visitors with malware.

It sounds like Microsoft has all of your security bases covered, doesn’t it? Well, only if you are running Windows 10. The new features aren’t available with Smartscreen in Windows 7 or 8.1, and Smartscreen is not available at all in earlier versions of Windows.

And what about this report from Tom’s Guide? “SmartScreen on a fully updated version of Edge running in Windows 10 failed to stop an Adobe Shockwave Flash-based Trojan found on a second-tier p**n site… The Trojan was immediately detected in Edge's cache by a trial version of McAfee LiveSafe installed on the PC...”

Windows Smartscreen Filtering

So the new, improved Smartscreen is not 100% effective at blocking malware. What does it block, and in what way(s) is it better than filtering protections in other browsers, such as Chrome or Firefox? To answer these questions, we’ll have to delve into the details of how Smartscreen works, and what Microsoft has added to the Windows 10 version of Smartscreen.

How Smartscreen Works

Unlike typical anti-malware software, Smartscreen does not look at the content retrieved from websites. Instead, it looks at the web address (URL) that Edge or Internet Explorer is trying to fetch. Smartscreen sorts all URLs into one of three categories:

  • Known “bad” URLs that Microsoft knows are sources of danger, either malware or phishing attacks
  • Known “good” URLs that Microsoft trusts, such as major retailers’ sites or financial institutions
  • Unknown URLs about which Microsoft has no information
Don’t rely on Smartscreen URL filtering alone to protect you from malware. It’s just one layer of what should be a multilayer approach to securing your system. A firewall and a good anti-malware program are two other essential ingredients. See my articles Do I Really Need a Firewall? and Protect Your Computer With Free Anti-Virus Software to learn more about securing your computer.

Smartscreen blocks all but the “good” URLs that Microsoft is very sure pose no danger. It blocks “bad” URLs and displays a red warning screen that says, in part, “This site has been reported as unsafe…” Unknown URLs are blocked and a warning screen says, “This site may be unsafe…”

Smartscreen also checks the files that you attempt to download against two lists. If a file is on the “bad” list of known malware, it is blocked and you see a “malicious file blocked” alert. If the same file is not on the “bad” list and is also not on a list of “good” files that are commonly downloaded, it is blocked and you’ll see a “suspicious file” alert.

In short, Smartscreen allows only Web content that it is absolutely sure isn’t malicious to be retrieved without triggering an alert and temporary block. I say, “temporary” because Smartscreen will allow a user to proceed at his own risk, if the user can find that option buried under the “more information” link on the red warning screen. (insert smartscreen-red-warning.png)

Where Does Smartscreen Get Its Lists?

unsafe website warning

The lists of “good” and “bad” items are compiled from many sources, including malware detected by Microsoft Windows Defender; Microsoft’s Bing search engine, which crawls Web sites constantly and reports what they try to download; and reports from users of Edge and Internet Explorer browsers. (Maybe Microsoft should also ask Santa for a copy of his Naughty and Nice websites.)

The Windows operating system itself can report to Microsoft what software is being run on it and any suspicious behavior that may indicate a program is up to no good. This data enriches Microsoft’s lists of “good” and “bad” programs, as well as making users uneasy about Microsoft “spying” on them.

Vulnerabilities in Smartscreen?

Now that we know how Smartscreen works, perhaps we can guess why even the newest version allowed a Trojan to go unblocked.

The “second-tier” p**n site on which the Trojan found by Tom’s Guide resided probably wasn’t on Smartscreen’s “bad” list because a) “second-tier” means it’s relatively obscure, and b) visitors to that site may well have reported it “safe” in order to get past Smartscreen’s blocker.

The Trojan program itself may not be on Smartscreen’s “bad” list because a) it’s a new Trojan that no one’s reported yet, or b) it’s an old Trojan whose signature characteristics have been modified so that it doesn’t match anything on Smartscreen’s “bad” list.

I note that Tom’s Guide does not say whether Smartscreen was activated in Windows 10 itself, which might have detected and reported suspicious behavior when the Trojan was executed. It doesn’t seem that the Trojan actually ran on the test machine, since it was detected by McAfee LiveSafe while it was still in Edge’s browser cache. So… it's possible (and I think likely) that the malware would have been caught and blocked by the security defenses in Windows 10, if the LiveSafe had not "intervened."

What’s Really New In Smartscreen

Smartscreen has been protecting against phishing and malware sites since 2009, when it debuted in Windows 8. The December update for Windows 10 adds two new features.

First, Smartscreen now blocks covert redirections of Edge and IE 11 browsers to servers that host exploit kits. These blocks defeat many drive-by downloads of malware, which come from the exploit kits’ sites and not from the legitimate site that a user sees in his browser.

Second, Smartscreen now includes frame-specific blocking. (insert smartscreen-frame-blocking.png) A Web page often fetches an ad from a third-party ad server and displays it in a frame. That ad may be malicious while the rest of the page is perfectly safe. In the past, Smartscreen would block the entire page, including the frame. Now, it blocks only the frame’s content. Frame-blocking helps users know that their favorite news site isn’t infected with malware, just one of the ads that it gets from a third party.

How Does Smartscreen Compare to Other “Safe Surfing” Systems?

Google Safe Browsing (GSB) is the search giant’s counterpart to Smartscreen. GSB is used by Google Chrome (Windows, Mac, Android), Mozilla Firefox (Windows, Mac) and Apple Safari (Windows, Mac) browsers. And it's not limited to people running a Microsoft browser on Windows 10...

GSB warns users only when they try to access a “bad” site that has been identified as a source of phishing or malware. Smartscreen errs on the side of caution by warning of unknown - and therefore potentially dangerous - territory. Since December 2014, GSB has also warned users of potentially harmful downloads, so-called "piggyback downloads," and newly-installed programs that mess with your browser settings or "phone home" with your private information.

It’s impossible to say whether GSB or Smartscreen has a better intelligence-gathering network. Both of them screen billions of URLs and discover thousands of new “bad” URLs each day. But they'll only work if you allow them to do their job. Don’t let mistrust of Google or Microsoft deprive you of the protection that these tools offer, however imperfect they may be.

Your thoughts on this topic are welcome. Post your comment or question below...

Ask Your Computer or Internet Question

  (Enter your question in the box above.)

It's Guaranteed to Make You Smarter...

AskBob Updates: Boost your Internet IQ & solve computer problems.
Get your FREE Subscription!


Check out other articles in this category:

Link to this article from your site or blog. Just copy and paste from this box:

This article was posted by on 29 Dec 2015

For Fun: Buy Bob a Snickers.

Prev Article:
Are Landlines Doomed to Extinction?

The Top Twenty
Next Article:
AskBob's Best of 2015 - Part One

Most recent comments on "Windows Smartscreen Gets Smarter"

Posted by:

Robb Thurston
29 Dec 2015

Thank you Bob Rankin. I appreciate your advice concerning the MS Smart Screen Filter. I run Windows 7, and for defense against viruses etc., I use MSSE, and I arrange that IE is cranked up very high in security and privacy. Thus I have some part of Smart Screen, the part offered with Win 7 and also IE. There is a tendency amongst security and privacy analysts to take MS security and privacy applications, and the facets of Windows dedicated to security and privacy, on a piece by piece basis. For example, I might find someone testing IE security alone, etc. Without offending anyone, I believe this misses the point by a very wide margin.
In that example, the IE by itself might not do very well. My experience is that the entire ecosystem of Windows is designed to be used as a unit. My experience is that taken as a unit, my Win 7 is very strongly defended. I do supplement it with regular scans by Malware Bytes, as well as Emsisoft Emergency Kit and a few other third party scanners like Zemana. But the foundation of Windows 7 firewall, IE with security and privacy strongly emphasized and implemented, and MSSE, all used together as a unit. results in a system that seldom gets attacked by viruses etc. I hope that computer commenters like you and Leo Notenboom start arranging to test Windows as a unified whole, because I believe that to do otherwise is misleading. Thanks Bob!

Posted by:

Don F.
30 Dec 2015

"protect you from dangers that lurk in dark places" What I really need is something to protect me from Microsoft!!!

Posted by:

Rhonda Lea Kirk Fries
30 Dec 2015

What Don F. said.

I don't use Edge or IE unless forced--this is rare, but happens sometimes--and I certainly have their Smart Screen Filter turned off. My other protections are adequate to the task without slowing my browsing to a crawl.

I'm very angry at Microsoft today. Windows 10 is a debacle.

Posted by:

Doris D.
11 Jan 2016

I am no IT, but I have been a windows user since 3.1. That being said, I see no harm in Microsoft, or the US government watching what I do on the internet. If they are watching me, they are also watching EVERYONE. In the present climate of terrorism, I think, personally, that is a GOOD thing.
The only way to find out who is doing wrong is to watch those of us who aren't as well.
Sorry folks, but what is it you need to keep so secret??
I want a virus-free, malware-free, spyware-free, etc. environment on MY computer. So watch, filter and pick off all of them, thank you very much!

Post your Comments, Questions or Suggestions

*     *     (* = Required field)

    (Your email address will not be published)
(you may use HTML tags for style)

YES... spelling, punctuation, grammar and proper use of UPPER/lower case are important! Comments of a political nature are discouraged. Please limit your remarks to 3-4 paragraphs. If you want to see your comment posted, pay attention to these items.

All comments are reviewed, and may be edited or removed at the discretion of the moderator.

NOTE: Please, post comments on this article ONLY.
If you want to ask a question click here.

Free Tech Support -- Ask Bob Rankin
Subscribe to AskBobRankin Updates: Free Newsletter

Copyright © 2005 - Bob Rankin - All Rights Reserved
About Us     Privacy Policy     RSS/XML

Article information: AskBobRankin -- Windows Smartscreen Gets Smarter (Posted: 29 Dec 2015)
Copyright © 2005 - Bob Rankin - All Rights Reserved