Windows Smartscreen Gets Smarter
Microsoft rolled out a new version of its Smartscreen web content filtering software in the December 2015 “Patch Tuesday” update. Just like Gandalf on the bridge in Lord of the Rings, the new and improved Smartscreen aims to protect you from dangers that lurk in dark places. Read on to learn about Smartscreen, what it can do, and why it may not help you, unless...
What's in the New Smartscreen?
The new Smartscreen purportedly protects users against drive-by downloads, zero-day exploits, and malware-infected ads (malvertisements), as well as blocking phishing sites and rogue websites that infect visitors with malware.
It sounds like Microsoft has all of your security bases covered, doesn’t it? Well, only if you are running Windows 10. The new features aren’t available with Smartscreen in Windows 7 or 8.1, and Smartscreen is not available at all in earlier versions of Windows.
And what about this report from Tom’s Guide? “SmartScreen on a fully updated version of Edge running in Windows 10 failed to stop an Adobe Shockwave Flash-based Trojan found on a second-tier p**n site… The Trojan was immediately detected in Edge's cache by a trial version of McAfee LiveSafe installed on the PC...”
So the new, improved Smartscreen is not 100% effective at blocking malware. What does it block, and in what way(s) is it better than filtering protections in other browsers, such as Chrome or Firefox? To answer these questions, we’ll have to delve into the details of how Smartscreen works, and what Microsoft has added to the Windows 10 version of Smartscreen.
How Smartscreen Works
Unlike typical anti-malware software, Smartscreen does not look at the content retrieved from websites. Instead, it looks at the web address (URL) that Edge or Internet Explorer is trying to fetch. Smartscreen sorts all URLs into one of three categories:
- Known “bad” URLs that Microsoft knows are sources of danger, either malware or phishing attacks
- Known “good” URLs that Microsoft trusts, such as major retailers’ sites or financial institutions
- Unknown URLs about which Microsoft has no information
Smartscreen blocks all but the “good” URLs that Microsoft is very sure pose no danger. It blocks “bad” URLs and displays a red warning screen that says, in part, “This site has been reported as unsafe…” Unknown URLs are blocked and a warning screen says, “This site may be unsafe…”
Smartscreen also checks the files that you attempt to download against two lists. If a file is on the “bad” list of known malware, it is blocked and you see a “malicious file blocked” alert. If the same file is not on the “bad” list and is also not on a list of “good” files that are commonly downloaded, it is blocked and you’ll see a “suspicious file” alert.
In short, Smartscreen allows only Web content that it is absolutely sure isn’t malicious to be retrieved without triggering an alert and temporary block. I say “temporary” because Smartscreen will allow a user to proceed at his own risk, if the user can find that option buried under the “more information” link on the red warning screen.
Where Does Smartscreen Get Its Lists?
The lists of “good” and “bad” items are compiled from many sources, including malware detected by Microsoft Windows Defender; Microsoft’s Bing search engine, which crawls Web sites constantly and reports what they try to download; and reports from users of Edge and Internet Explorer browsers. (Maybe Microsoft should also ask Santa for a copy of his Naughty and Nice websites.)
The Windows operating system itself can report to Microsoft what software is being run on it and any suspicious behavior that may indicate a program is up to no good. This data enriches Microsoft’s lists of “good” and “bad” programs, as well as making users uneasy about Microsoft “spying” on them. (See http://askbobrankin.com/new_microsoft_spyware_on_windows_7_and_8.html)
Vulnerabilities in Smartscreen?
Now that we know how Smartscreen works, perhaps we can guess why even the newest version allowed a Trojan to go unblocked.
The “second-tier” p**n site on which the Trojan found by Tom’s Guide resided probably wasn’t on Smartscreen’s “bad” list because a) “second-tier” means it’s relatively obscure, and b) visitors to that site may well have reported it “safe” in order to get past Smartscreen’s blocker.
The Trojan program itself may not be on Smartscreen’s “bad” list because a) it’s a new Trojan that no one’s reported yet, or b) it’s an old Trojan whose signature characteristics have been modified so that it doesn’t match anything on Smartscreen’s “bad” list.
I note that Tom’s Guide does not say whether Smartscreen was activated in Windows 10 itself, which might have detected and reported suspicious behavior when the Trojan was executed. It doesn’t seem that the Trojan actually ran on the test machine, since it was detected by McAfee LiveSafe while it was still in Edge’s browser cache. So… it's possible (and I think likely) that the malware would have been caught and blocked by the security defenses in Windows 10, if LiveSafe had not "intervened."
What’s Really New In Smartscreen
Smartscreen has been protecting against phishing and malware sites since 2009, when it debuted in Windows 8. The December update for Windows 10 adds two new features.
First, Smartscreen now blocks covert redirections of Edge and IE 11 browsers to servers that host exploit kits. These blocks defeat many drive-by downloads of malware, which come from the exploit kits’ sites and not from the legitimate site that a user sees in his browser.
Second, Smartscreen now includes frame-specific blocking. A Web page often fetches an ad from a third-party ad server and displays it in a frame. That ad may be malicious while the rest of the page is perfectly safe. In the past, Smartscreen would block the entire page, including the frame. Now, it blocks only the frame’s content. Frame-blocking helps users know that their favorite news site isn’t infected with malware, just one of the ads that it gets from a third party.
How Does Smartscreen Compare to Other “Safe Surfing” Systems?
Google Safe Browsing (GSB) is the search giant’s counterpart to Smartscreen. GSB is used by Google Chrome (Windows, Mac, Android), Mozilla Firefox (Windows, Mac) and Apple Safari (Windows, Mac) browsers. And it's not limited to people running a Microsoft browser on Windows 10...
GSB warns users only when they try to access a “bad” site that has been identified as a source of phishing or malware. Smartscreen errs on the side of caution by warning of unknown - and therefore potentially dangerous - territory. Since December 2014, GSB has also warned users of potentially harmful downloads, so-called "piggyback downloads," and newly-installed programs that mess with your browser settings or "phone home" with your private information.
It’s impossible to say whether GSB or Smartscreen has a better intelligence-gathering network. Both of them screen billions of URLs and discover thousands of new “bad” URLs each day. But they'll only work if you allow them to do their job. Don’t let mistrust of Google or Microsoft deprive you of the protection that these tools offer, however imperfect they may be.
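The list-based decisions described in "How Smartscreen Works", the frame-specific blocking change, and the comparison with GSB can be modelled in a few functions. This is an added example, not Microsoft's or Google's code: the hostnames, the exact-hostname matching, and all function names are assumptions made for illustration.

```javascript
// Constructed reputation lists; hostnames are placeholders, not real data.
const BAD = new Set(["exploit-kit.example", "bad-ads.example"]);
const GOOD = new Set(["news.example", "bank.example"]);

// Three-way classification by hostname (exact match is an assumption).
function classify(url) {
  const host = new URL(url).hostname;
  if (BAD.has(host)) return "bad";
  if (GOOD.has(host)) return "good";
  return "unknown";
}

// Smartscreen as the article describes it: only "good" passes silently.
function smartscreenVerdict(url) {
  const c = classify(url);
  if (c === "bad") return "block: reported unsafe";
  if (c === "unknown") return "warn: may be unsafe";
  return "allow";
}

// GSB as the article describes it: warn only on known-bad, unknown passes.
function blocklistOnlyVerdict(url) {
  return classify(url) === "bad" ? "block: reported unsafe" : "allow";
}

// Frame-specific blocking: the top page and each frame get their own verdict.
// perFrame=false models the older behaviour, where one bad frame blocks the page.
function evaluatePage(page, perFrame) {
  const frames = page.frames.map((f) => ({ url: f, verdict: smartscreenVerdict(f) }));
  const badFrame = frames.some((f) => f.verdict.startsWith("block"));
  if (!perFrame && badFrame) return { page: "block: reported unsafe", frames: [] };
  return { page: smartscreenVerdict(page.url), frames };
}

// Constructed page: a trusted news site that embeds one malicious ad frame.
const samplePage = {
  url: "https://news.example/story",
  frames: ["https://news.example/comments", "https://bad-ads.example/banner"],
};

// A host on neither list: the two models disagree about it.
const unlisted = "https://brand-new-site.example/download";
console.log(smartscreenVerdict(unlisted), "|", blocklistOnlyVerdict(unlisted));
console.log(JSON.stringify(evaluatePage(samplePage, true)));
console.log(JSON.stringify(evaluatePage(samplePage, false)));
```

The unlisted host is the case that separates the two models: the allow-list approach warns on it, while the block-list-only approach lets it through until someone reports it.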
Your thoughts on this topic are welcome. Post your comment or question below...
This article was posted by Bob Rankin on 29 Dec 2015
Copyright © 2005 - Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- Windows Smartscreen Gets Smarter (Posted: 29 Dec 2015)