why is smartscreen.exe unsigned?

Anonymous
2023-01-21T19:42:26+00:00

My Netstalker software is asking if I trust smartscreen.exe, which it indicates is unsigned. This is the first time this has happened. Is the legitimate smartscreen.exe unsigned or is this an imposter? The request to run the process is coming from 104.18.20.226 which has been labeled Malicious Spider by ip-tracker.

Windows for home | Windows 11 | Security and privacy

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question.


8 answers

  1. Rob Koch 25,885 Reputation points Volunteer Moderator
    2023-01-23T22:30:56+00:00

    I only provided that forum link about the same IP address as a possible reason your device might attempt to connect to that address, even though it was only confirmed by the original poster.

    Why are you opening all of those ports to the Internet? Do you truly have FTP, SMTP, HTTP[S], IMAP, and whatever other services are implied by those available from your PC via the Internet?

    I spent about 20 years as a network administrator and later as a security professional and even I wouldn't want to manage an Internet-facing server in this day and age, let alone a client PC trying to fake being one; the risks are just too high with little to gain. Let the professionals do it for you.

    If you're just 'playing' here or I'm misunderstanding and all of these ports are open in an outbound direction, then again, why bother?

    Every device I own has had inbound ports fully blocked (e.g., stealth in old slang terminology) even on my internal networks for over 25 years now, as far back as the first Windows XP firewall. As I said above, the risks simply aren't worth the trouble and while moving between customer networks the last dozen years of my career or so, risking malware attacks wasn't something I could afford.

    I've seen many people trying to learn computers on their own post in forums like this one over the decades and most are simply playing with fire. If you have a purpose behind this great, but many times in the past all I've typically seen in such cases are people running around trying to figure out basic questions like why SmartScreen.exe is unsigned when most others would simply never even notice.

    If your purpose is actually to learn, try to find a university course in computers where you can ask such questions and learn something more important and deeper than what most people will tell you, since few in forums have backgrounds like mine.

    I spent my first few years after building my own true microcomputer (with floppy disks) soldered from a kit of pc boards, chips, and other components, working for the store where I bought it and helping customers maintain theirs while writing assembly language software as well. I then went to a technical college where I soon became a student employee and later returned for another decade as the computer technician and later their first true academic network manager and campuswide administrator. I never had more fun learning, since I got to work with all of the same people I initially took courses with. It'd be difficult to find a similar situation today, but the point is direct interaction with such people teaches much faster than trying to learn on your own, even for someone as motivated as I was at building their own machine.

    Rob

    3 people found this answer helpful.
  2. Rob Koch 25,885 Reputation points Volunteer Moderator
    2023-01-22T11:39:51+00:00

    Quite a few Windows executables are unsigned, since many like Smartscreen.exe aren't intended to be run manually by users and instead only executed by other components of Windows itself.

    On my own Windows 10 in S Mode (vs. legacy mode Windows that's more easily attacked by malware), the smartscreen.exe file is also not signed and dated 12/13/2022 8:23pm.

    As for IP address 104.18.20.226, the online IP lookup utilities I tried all show this as a Cloudflare assigned address, though the information varies as to where this is located (usually San Francisco) and other details collected about this particular host IP.

    The problem with these online IP utilities is they're only as good as their information sources, so placing any real faith in them is dangerous. Unless multiple such lookup sites all converge on precisely the same results, I'd always take them with a grain of salt and even then, it's possible they're simply copying information they've gleaned from each other in a common internet tendency to apply circular logic.

    One of the hits I got to my search for IP address 104.18.20.226 was the following thread at the Cloudflare Community, which though from Dec. 2018 may provide a clue as to a possible reason for its association with your PC.

    IP Adress 104.18.20.226 showing in my kaspersky network scvhost connection - Website, Application, Performance / Security - Cloudflare Community

    You didn't state how you determined that "the request to run the process is coming from" that IP address, so are you certain that's true and it's not simply being invoked internally to verify some process related to that particular address?

    Rob

    1 person found this answer helpful.
  3. Anonymous
    2023-01-21T20:47:38+00:00

    Thanks Elise. The software Netstalker asks if I trust a few other Windows processes, but they are always labeled as Signed processes. This smartscreen.exe is labeled unsigned. So my hesitancy comes from the "unsigned" aspect rather than Netstalker asking if I trust it. I tried to kill the process but received the message from Netstalker that it cannot be killed. The second part of my concern is the originating IP 104.18.20.226 is labeled Malicious Spider by ip-tracker.

    As for scanning it, I don't know where to find it since it is not running. If I scan the process in system32, of course it would be legitimate (I guess?) but C:\windows\system32\smartscreen.exe "can not be found." I was wondering if the unsigned smartscreen.exe trying to execute is NOT the one from system32 - or rather the one that should be in system32. You can tell I'm in over my head.

    1 person found this answer helpful.
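
One way to check the two open points in this thread (where the running smartscreen.exe actually lives, and whether Windows considers it signed), as an added example that is not part of any post here. `SignatureType` separates an embedded Authenticode signature from a Windows catalog signature; a tool that only looks for an embedded signature can report a catalog-signed file as unsigned.

```powershell
# Added example: locate smartscreen.exe and report how (or whether) it is signed.
# Run from 64-bit PowerShell: a 32-bit process sees System32 redirected to SysWOW64.
$expected = Join-Path $env:SystemRoot 'System32\smartscreen.exe'

# Image paths of any running instances. Path can be empty without elevation,
# so those entries are filtered out rather than guessed at.
$running = Get-Process -Name smartscreen -ErrorAction SilentlyContinue |
    Where-Object Path |
    Select-Object -ExpandProperty Path

# Check the expected location plus every distinct path a live process runs from.
$candidates = @($expected) + @($running) | Sort-Object -Unique

foreach ($path in $candidates) {
    if (-not (Test-Path -LiteralPath $path)) {
        [pscustomobject]@{ Path = $path; Exists = $false }
        continue
    }

    $sig = Get-AuthenticodeSignature -LiteralPath $path

    [pscustomobject]@{
        Path          = $path
        Exists        = $true
        InSystem32    = ($path -ieq $expected)   # any other location needs explaining
        Status        = $sig.Status              # Valid, NotSigned, HashMismatch, ...
        SignatureType = $sig.SignatureType       # Authenticode (embedded), Catalog, or None
        IsOSBinary    = $sig.IsOSBinary
        Signer        = $sig.SignerCertificate.Subject
        SHA256        = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    }
}
```

A result of `Status = Valid` with `SignatureType = Catalog` and `InSystem32 = True` means the file verifies against a Windows catalog even though it carries no embedded signature; a running instance whose path is outside System32, or whose status is not `Valid`, is the case worth scanning.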
  4. Anonymous
    2023-01-21T20:51:15+00:00

    I’m not familiar with Netstalker, but it could simply be that SmartScreen is intercepting the connection from the IP and that is why it is being flagged.

    It should be legitimate if it’s in system32 as you would expect.

    It might also work running the SFC tool in case it is corrupted from something as well.

    For steps on how to use this tool, please see here:

    https://support.microsoft.com/topic/79aa86cb-ca...

    Please let me know if you need any further assistance.

    Kind Regards,

    Elise

  5. Anonymous
    2023-01-21T20:14:13+00:00

    Hi, I'm Elise, and I'd be happy to help with your issue.

    It doesn’t sound legitimate as you shouldn’t be asked if you trust smartscreen, it’s already part of Windows and should be implicitly trusted.

    I would suggest running a scan using Windows Security or something like Malwarebytes.

    Please let me know if you need any further assistance.

    Kind Regards,

    Elise
