IE8 Security Part IX - Anti-Malware protection with IE8’s SmartScreen Filter

Over the last year, we’ve published two posts about how the IE8 SmartScreen® filter helps to prevent phishing and malware attacks.  In this post, I’d like to share some real-world data on the protection provided to IE8 pre-release users by the anti-malware feature.  We’ve invested heavily in this feature, and we’ve seen significant results.

Here are some key statistics:

  • We have delivered over 10 million malware blocks in the past six months
  • That’s a block for one out of 40 users, every week
  • We’ve seen (and blocked) one in every 200 downloads as malicious

These are BIG numbers – each malicious download blocked helps prevent compromise of that user’s computer.

Here’s how it works: SmartScreen’s malware protection focuses on identifying and blocking sites on the web that are distributing malicious software.  As a reputation-based feature, SmartScreen can block new threats from existing malicious sites, even if those threats are not yet blocked by traditional anti-virus or anti-malware signatures.  In this way, the SmartScreen filter complements traditional anti-virus products by providing additional dimensions for both identification and protection.  For comprehensive protection from malware, we highly recommend that users also install traditional anti-virus products and keep them up to date.

SmartScreen delivers blocks both in the navigation experience and in the file download experience, depending on the situation.  This level of control allows us to block entirely malicious sites, portions of sites, or just a single malicious download on an otherwise clean site (for instance, a social networking or file-sharing site).  Similar to our anti-phishing efforts, we source the malware data from a combination of Microsoft internal and third-party data to deliver the most relevant, comprehensive protection.  We’re committed to making the browsing experience safer and have a team of people constantly researching and improving protection.
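The three block scopes described above (whole site, portion of a site, single download) can be modeled as a lookup over canonicalized URLs. This is an added example, not code from the original post or from Microsoft, and it is not how the SmartScreen service is implemented; the function names, the data layout and every hostname are assumptions made for illustration.

```javascript
// Added example: a simplified local model of reputation lookups at three
// scopes. Every hostname and entry below is constructed sample data.
const SAMPLE_REPUTATION = {
  sites: ['malware-host.example'],                               // whole site
  paths: [{ host: 'files.example', prefix: '/users/badguy/' }],  // part of a site
  urls: ['https://social.example/dl/free-codec.exe'],            // one download
};

// True when host is the listed domain or one of its subdomains. The leading
// dot stops "notmalware-host.example" from matching "malware-host.example".
function hostMatches(host, listed) {
  return host === listed || host.endsWith('.' + listed);
}

// Parse and canonicalize. The URL parser lowercases the host, drops default
// ports and resolves "../" segments; the fragment and a trailing dot on the
// host are also stripped so trivial variants hit the same entry.
function canonicalize(rawUrl) {
  let u;
  try { u = new URL(rawUrl); } catch (e) { return null; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  const host = u.hostname.replace(/\.$/, '');
  const port = u.port ? ':' + u.port : '';
  return {
    host,
    path: u.pathname,
    key: `${u.protocol}//${host}${port}${u.pathname}${u.search}`,
  };
}

// Returns { action, scope }. The broadest scope is checked first.
function checkUrl(rawUrl, rep = SAMPLE_REPUTATION) {
  const c = canonicalize(rawUrl);
  if (c === null) return { action: 'skip', scope: 'not-http' };
  if (rep.sites.some((s) => hostMatches(c.host, s))) {
    return { action: 'block', scope: 'site' };
  }
  if (rep.paths.some((p) => hostMatches(c.host, p.host) && c.path.startsWith(p.prefix))) {
    return { action: 'block', scope: 'path' };
  }
  if (rep.urls.includes(c.key)) return { action: 'block', scope: 'url' };
  return { action: 'allow', scope: 'none' };
}
```

Canonicalizing before the lookup is what keeps a single-download entry from being sidestepped by case changes, fragments or dot segments in the link.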

Not all malware protection is created equal: just because a browser has anti-malware features doesn’t mean it protects users from the most relevant threats.  A study comparing leading browsers on their ability to block malware attack sites that attempt to fool the user with social engineering was recently released by NSS Labs.  As you can see from the chart below, IE8 is detecting two to four times more attacks than the other browsers.  Note that IE7 does not have anti-malware URL filtering; the IE7 blocks below are due to malware sites that are also phishing sites blocked by IE7’s Phishing Filter.

Chart of Malware block rates from various browsers.

We’re committed to continuing to deliver the most relevant protection to our users.  With the investments we’ve made in hardening the IE platform, the user is usually the weakest link. Prevalent malware is packaged and delivered in such misleading ways that users understandably have a hard time recognizing when they are at risk.  That’s where SmartScreen steps in.

Here are some common examples of what users think they are downloading:
  • Anti-Virus/Anti-Spyware products
  • Free videos, codecs & images
  • Utilities or other software
  • Online greeting cards
  • Games

Here are the types of files users are actually trying to download:

  • Viruses
  • Spyware
  • Adware
  • Trojans
  • Backdoors
  • Dialers
  • Worms
  • Downloaders
  • Password stealers
  • Monitoring software

There are screenshots of several malicious sites in the safer online experience paper we recently published.

How you can help

Please report sites that you think may be malicious by using the built-in reporting mechanism in IE8. Click on the new Safety menu | SmartScreen Filter | Report Unsafe Website.  Reports of malicious sites will be verified by Microsoft and added to the SmartScreen filter database.

Comprehensive Protection

With the demonstrated efficacy of IE8’s SmartScreen filter, we know that internet crime will evolve.  That’s why it’s so important for us to invest in comprehensive protection to address emerging threats.  Key on our list are attacks against web applications, which represent increasingly valuable targets as users’ information is moved online.

  • IE8 is the only browser to block XSS attacks “out-of-the-box.”
  • IE8 introduced the first “out-of-the-box” mechanism to allow sites to prevent ClickJacking attacks.
  • IE8 introduces new functions which allow sites to build more-secure mashups (toStaticHTML(), XDomainRequest) and supports new standards-based mechanisms (Native JSON support, postMessage()).
  • Safer default settings (DEP/NX, per-site AX) mean that users are better protected than ever before.  Group Policy controls (for ActiveX management, enforced SmartScreen blocking, etc.) allow IT administrators to reduce the number of trust decisions users face when using IE8.
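How the mashup features named above fit together on the receiving side of a cross-frame message: check the sender's origin, parse with native JSON rather than eval, and sanitize markup with toStaticHTML() before it reaches the DOM. This is an added example, not code from the original post; the partner origin, the message schema and the function names are hypothetical.

```javascript
// Added example. The allow-listed origin and the { type, html } message
// schema are assumptions made for illustration.
const TRUSTED_ORIGINS = ['https://widgets.partner.example'];

// Fallback for hosts without toStaticHTML(): escape everything, so the
// fragment renders as inert text instead of markup.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Use IE8's toStaticHTML() when the host provides it (it strips script and
// other active content); otherwise fall back to full escaping.
function sanitizeFragment(html) {
  if (typeof toStaticHTML === 'function') return toStaticHTML(html);
  return escapeHtml(html);
}

// Handler for a postMessage() event. Returns a result object instead of
// touching the DOM so the decision logic can be exercised on its own.
function handleMashupMessage(event) {
  // 1. The browser sets event.origin; the sending page cannot forge it.
  if (!TRUSTED_ORIGINS.includes(event.origin)) {
    return { accepted: false, reason: 'untrusted-origin' };
  }
  // 2. Parse with native JSON. Unlike eval(), it cannot execute code.
  if (typeof event.data !== 'string') {
    return { accepted: false, reason: 'not-a-string' };
  }
  let msg;
  try { msg = JSON.parse(event.data); } catch (e) {
    return { accepted: false, reason: 'bad-json' };
  }
  // 3. Validate the shape before using any field.
  if (msg === null || typeof msg !== 'object' ||
      msg.type !== 'headline' || typeof msg.html !== 'string') {
    return { accepted: false, reason: 'bad-schema' };
  }
  // 4. Sanitize before the caller assigns the result to innerHTML.
  return { accepted: true, safeHtml: sanitizeFragment(msg.html) };
}
```

In a page, the handler would be registered for the `message` event and only `safeHtml` from an accepted result would be written into the document.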

We’re committed to protecting our users from the attacks of today and the attacks of the future.  Please stay tuned to the IEBlog for further posts on IE8 Security improvements and results.

Thanks!

Eric Lawrence
Program Manager

Comments

  • Anonymous
    March 25, 2009
    Eric Lawrence, MS IE Program Manager blog today how the IE8 SmartScreen filter helps to prevent phishing

  • Anonymous
    March 25, 2009
    although this is not related i have an issue with ie8; if you close a tab (clicking on the "X"), then switch to another open tab immediately (clicking on another tab) [i "think" this must be the tab to the left], the tab you just tried to close generates some kind of error/crash. ie8 itself does not crash (very impressed here) but the tab i just tried to close attempts to report the error to microsoft... my system meets the minimum requirements and the only addon enabled is wl toolbar. it might be that i click very fast (im one of the best clickers even if i say so myself) or there is an error on the page... i also know i have Visual Studio installed; it gives me the option to debug (im smart enough to know not to debug such a program) apart from the annoying 10seconds... ish of waiting for the error to be reported, everything else seems fine and my browsing happily continues. the point is that i thought it was only firefox or some other that suffered from crashes? ps: keep up the good work

  • Anonymous
    March 25, 2009
    oh, i need to second Disk4mat; why would a "sane" person under normal circumstances go back to the site that led them to the malicious site - even if it is just to report that the site is bad? an offline tool is a no brainer indeed!

  • Anonymous
    March 25, 2009
    Don't believe the hype from the flawed NSS study. http://blogs.zdnet.com/security/?p=2981
    "The study’s methodology is however, greatly flawed at several key points, making its conclusions open to interpretation which should be the case when making such comparative tests."
    "For starters, NSS Labs undertook a rather minimalistic approach towards the definition of web malware. In this study, the malware URLs they’re using are basically “links that directly lead to a download that delivers a malicious payload“, a decision that directly undermines the statement of “block rate” in times when client-side vulnerabilities are massively abused courtesy of web malware exploitation kits. And since no live exploit URLs were taken into consideration, the DEP/NX Memory Protection feature within IE8 was naturally not benchmarked against known exploits-serving sites, or at least wasn’t mentioned in the report."
    "Moreover, the competing browsers’ use of SafeBrowsing’s API, a combination of automatic (honey clients) and community-driven efforts to analyze a web site in a much broader “malicious” sense has a higher potential to maintain a more comprehensive database of known badware sites. It also comes as a surprise that Firefox, Safari and Chrome have such a varying block rates given that the browsers take advantage of the SafeBrowsing project’s database. Basically, having a set of ten malicious URLs and running it against the browsers is supposed to return identical results due to the centralized database of known badware sites."
    "Interestingly, the study used Apple Safari v3 in order to come up with the 24% block rate, which excludes the built-in anti-phishing and anti-malware features introduced in Safari v4. The report is released prior to IE8’s debut, but even if NSS’s study is in fact relevant in a real-life attack scenario, does it really matter that IE8’s outperforms the rest of the browsers in times when IE8 users are downgrading to IE7? That very same IE7 which according to the study is offering “practically no protection against malware”?"

  • Anonymous
    March 25, 2009
    I found this suggestion for filtering annoying ads (which of course is missing in smartscreen filtering) http://www.dslreports.com/forum/r22124619-IE8-InPrivate-filter-from-adblock-plus-list Will this kind of ad filtering affect IE8 performance?

  • Anonymous
    March 26, 2009
    @Fango: If the user opts-in, Windows Defender feeds malware and origin data into the "SpyNet" webservice. The URL Reputation Service for SmartScreen anti-malware works with the data from that webservice to block malware distribution points caught by Defender.
    @RichB: Framebusting JavaScript has known weaknesses in every browser, which is why the anti-ClickJacking feature was added. As noted here: http://blogs.msdn.com/ie/archive/2009/02/02/birth-of-a-security-feature-clickjacking-defense.aspx, "fundamentally frame breakers were never meant to be ClickJacking mitigations. If you don’t design something to prevent a security vulnerability, odds are that it doesn’t do a very good job of doing it accidentally."
    @Hype: The editorial is missing the point: SmartScreen is about blocking socially-engineered malware. IE8 includes myriad defenses against attempted drive-by exploits, including Per-Site AX, AX Opt-in, DEP/NX, and general code-quality improvements. As noted in this post, the user's willingness to install malicious code is the weakest link in the system, and this is what SmartScreen aims to address.
    @hAl: Yes, SmartScreen is intended to block phishing and malware, not advertising. Generally, the InPrivate feature was designed to scale to large block sets. Clearly, there's a tradeoff in that the filtering code will incur a cost, but if any network request is avoided due to the filtering, it's likely that overall performance of the page will improve.

  • Anonymous
    March 26, 2009
    Just out of curiosity, I wonder what a study would show about the number of false positives the software vendors show and if these numbers directly correlate to the number of detected malware files. Certainly these features were long overdue and warmly welcomed since literally every PC user I seem to encounter is plagued knowingly or unknowingly by malware. I guess this is due to the abysmal 4% catch rate on IE7, the lowest of the low. Question though, are these new methods derived from ECMA or W3 standards or emerging standards or are they proprietary implementations of the JScript engine? This is in no way a baited question, just simple curiosity.

  • Anonymous
    March 26, 2009
    EricLaw [MSFT]: Yes, SmartScreen is intended to block phishing and malware, not advertising. Generally, the InPrivate feature was designed to scale to large block sets. Clearly, there's a tradeoff in that the filtering code will incur a cost, but if any network request is avoided due to the filtering, it's likely that overall performance of the page will improve.
    @EricLaw: That's presuming there would be malware on the page to begin with, otherwise it would only be at cost, though I can't imagine that anyone with a clue would want to trade a safe computer free of pesky software for a malware infested one at the cost of a few cycles.

  • Anonymous
    March 26, 2009
    If the ads on a website are distributing malicious software, will the whole website be blocked or is it just the ads that will be blocked? What happens if malware turns off the IE8 SmartScreen Filter? It doesn't exactly have UAC prompts; will Windows Defender alert on the changes? The indicator was removed, so how does the user find out if the IE8 SmartScreen Filter is working properly? What are the chances of the SmartScreen Filter failing without the user knowing it?

  • Anonymous
    March 26, 2009
    @totally fixed now, You can also use ZonedOut by http://www.funkytoad.com to remove ALL (thousands or hundreds) restricted site entries without the need to use Registry Editor in Windows.

  • Anonymous
    March 26, 2009
    Hi, I have a problem in Windows Vista Ultimate. I have found out that the function "mixing" in the right corner in the sound icon does not show the name of the web page in ie8. So you can mute the sound individually for each website or tabs. This could be done in ie7. Can you fix that in ie8?

  • Anonymous
    March 26, 2009
    @Jeffrey: I'm not sure what you're trying to say vis-a-vis advertising. SmartScreen is not an adblocker, nor is it intended to be. Similarly, InPrivate Filtering is not an adblocker, although hAl points out that it could be configured to behave like one. As noted in the blog, IE7 didn't attempt to block malware; Windows Defender (on Vista) was not a part of that weighting. postMessage is a standards-based HTML5 feature. Native JSON support is an ECMAScript 3.1 feature. ToStaticHTML was a Microsoft-innovation that others are free to implement. XDomainRequest was proposed for standardization to the W3C.
    @Vega: If a page is delivering malware, that page will be blocked. We do not block only the subdownload because that could allow a bad site to detect the blocking and flip to another attack. Malware cannot turn off SmartScreen Filter unless it's already running on your computer with full user permissions; once it's already installed and running with full user permissions, it need not bother with SmartScreen, since it's already installed!
    @totally fixed now: IE8 includes significant measures to combat drive-by sites, including DEP/NX, Per-Site AX, AX-OptIn, and Protected Mode.
    @All: On March 31st, NSS is doing a live webinar about how they did the malware test. It will be live (March 31) and archived. The archive will be available on the URL that is advertising the webinar http://nsslabs.com/events/webinar-web-browser-protection-against-web-malware.html.

  • Anonymous
    March 26, 2009
    The smart filter thing never stays on for me. Please fix it; I always have to turn it on every time.

  • Anonymous
    March 26, 2009
    @Tony: Please be specific about how exactly you are turning on the SmartScreen filter?   Are you really asking about InPrivate Filtering (which is the lock down in the status bar, unrelated to SmartScreen)? thx!

  • Anonymous
    March 26, 2009
    Just have a look at how IE fares on geek sites like OSnews. http://www.osnews.com/story/21172/A_Look_at_Browser_and_OS_Stats_for_OSNews If you really support a very broad spectrum of W3C recommendations and draft standards as well in IE9, IE may get back the lost marketshare. It's a continuous downward trend otherwise from here.

  • Anonymous
    March 26, 2009
    If you argue that most visitors to such sites are Linux geeks, just see how dominant and successful Windows is there, especially Windows XP.

  • Anonymous
    March 26, 2009
    Hey Eric, I applaud Microsoft's efforts in combating malware using SmartScreen filter in IE8 but I do hope we don't stop there. I love IE8 and I even think it's faster than Firefox. Great job guys, more power and I do hope I see more safety features in IE9.

  • Anonymous
    March 26, 2009
    @hAl: one of the best ways to block ads is before the browser: with a proxy. Try Squid :) If you only want to block domain names, you can probably do like Spybot: adding the domain names to the hosts file.

  • Anonymous
    March 27, 2009
    IE is the worst browser in the world... firefox and opera are better and faster...

  • Anonymous
    March 27, 2009
    IE I do not find good. Mozilla Firefox is better and safer.

  • Anonymous
    March 27, 2009
    Jack, if you want to be troll here, you've got to do better than that!

  • Anonymous
    March 28, 2009
    "Jack, if you want to be troll here, you've got to do better than that!"...LOL yeah Jack you gotta hit 'em harder, it's not difficult, just point out all the areas of fail surrounding IE8

  • Anonymous
    March 28, 2009
    Beautifully done! Please start bugfixing so we see these bugs fixed in the next few weeks, before you start working on IE9.

  • Anonymous
    March 29, 2009
    @zzz That interview shows mostly that Charlie Miller was not aware that for the IE8 final the exploit method by Dowd and Sotirov has been fixed.

  • Anonymous
    March 29, 2009
    @zzz: "For all the browsers on operating systems, the hardest target is Firefox on Windows": you understand this means that Firefox is a security breach, do you?

  • Anonymous
    March 30, 2009
    ok I have Vista and downloaded vista version and i guess it. I don't work! Here is the message: This installation does not support your system architecture (32/64bits). So what now??????

  • Anonymous
    March 30, 2009
    @Vanoie Ball: do you have Vista 32 or 64 bits? Which version of IE8 have you downloaded: 32 or 64 bits? You have to download the correct version for your OS.

  • Anonymous
    March 31, 2009
    @Vanoie: If you are running the 64bit version of Windows Vista, you must download the 64bit package of IE8.  (Note that this will also install the 32bit version as well). You can determine if you're running the 64bit version by visiting this page in IE: www.enhanceie.com/ua.aspx.  If your user-agent string (in red) contains tokens like "Win64" or "WOW64", you need the 64-bit version.

  • Anonymous
    March 31, 2009
    @jjb2009: SmartScreen blocks navigation to (and downloads from) known-malicious sites. Note that McAfee's feature works differently than ours.  A key goal for SmartScreen is that false positives must be as low as possible.

  • Anonymous
    April 01, 2009
    I wondered. I found a half dozen of their most dangerous sites (known to download malware, McAfee said). Entered in IE8 and . . . SmartFilter does nothing! Of course, I wasn't infected with malware either so perhaps McAfee has a LOT of false positives?? An explanation of the difference or a FAQ might help because I know lots of people who use McAfee SiteAdvisor on IE and FF and you can't persuade them SmartFilter takes care of the job -- and I'm still fuzzy on the difference. McAfee claims it does an actual crawl of sites?? Pat on the back: I read Paul Thurrott's review of IE8 -- it made him switch from FF to IE8, something I have done since you went official. It's like a new Microsoft! Perhaps I won't have to spend all my time having to search for "things MS can't do" -- there is less and less these days. (Total digression: No idea why Apple or MS don't have something like Clipmagic clipboard extender?).

  • Anonymous
    April 01, 2009
    @jjb2009: Please feel free to email me any examples; I'm happy to investigate.

  • Anonymous
    May 01, 2009
    The sixth edition of the Security Intelligence Report (SIR), Microsoft’s semi-annual report on the state