“Stranger Danger” - Introducing SmartScreen® Application Reputation

When we released the IE9 beta about a month ago we talked about the importance of trust and confidence when working with downloads. Today, we are enabling the SmartScreen application reputation service to improve download protection for IE9 beta users.  This feature works together with the SmartScreen anti-malware service that protects IE8 and IE9 beta users every day.

You can experience the protection of the SmartScreen application reputation service yourself by ensuring SmartScreen is enabled. Just click the Tools Button | Safety | Turn on SmartScreen Filter menu item, then choose Turn on SmartScreen Filter in the following dialog.

What is SmartScreen application reputation?

In the course of daily browsing, many consumers see warnings that say "This type of file may harm your computer" when downloading files. This warning may be accurate in some sense, but it is not helpful or relevant for the vast majority of internet downloads. Most consumers are accustomed to just ignoring this warning since it is shown when downloading almost any file from the web.

With IE9 we looked at ways to improve our malware protection overall and the experience consumers have with downloads. We had two primary goals in mind to help consumers make better trust decisions when downloading programs from the web:

  • Show more useful warnings when a program is a higher risk
  • Reduce the number of generic, unhelpful warnings consumers see when downloading programs

In analyzing software downloads actively in use on the internet today, we found that most have an established download footprint and no history of malware. This was the genesis of SmartScreen application reputation. By removing unnecessary warnings, the remaining warnings become relevant.

What does this mean for consumers?

With SmartScreen Application Reputation, IE9 warns you before you run or save a higher risk program that may be an attempt to infect your computer with socially engineered malware.  IE9 also stays out of the way for downloads with an established reputation. Based on real-world data we estimate that this new warning will be seen only 2-3 times a year for most consumers compared to today where there is a warning for every software download.

Why is this approach necessary?

The key challenge with malware on the internet is that attacks are fast moving and quick to change. The importance of application reputation is as an early warning system. There is latency between the outbreak of an attack and when it is detected and blocked. Consumers today are unprotected during that time.   Think of this new warning as “stranger danger” – it’s an early warning system for undetected malware. No antivirus or protection technology is perfect; it takes time to identify and block malicious sites and applications.  Blocking after detection is still an important strategy, but there remains a gap between the start of an attack and when it is detected and blocked.  IE9 SmartScreen application reputation fills that gap. 

How does this work?

When you download a program in IE9 a file identifier and the publisher of the application (if digitally signed) are sent to a new application reputation service in the cloud. If the program has an established reputation there is no warning. If the file is downloaded from a reported malicious site, IE9 blocks the download, just like IE8 does. However, if the file does not have an established reputation, IE lets you know in the notification bar and download manager, enabling you to make an informed trust decision.

SmartScreen application reputation warning in the notification bar

SmartScreen application reputation warning in the Actions dialog

Application reputation warning in the notification bar (top) and the Actions dialog (bottom)

See how it works

You can try it out for yourself. Linked below are two identically named files, one with established reputation and one that is unknown to our service. Without application reputation, it is difficult to tell which download has established reputation and which is uncommon and a higher risk to your computer and information. Download each with IE9 to see the SmartScreen application reputation experience in action.

Are all ‘uncommon’ programs malicious?

Not all uncommon programs are malicious, but the risk in the unknown category is significantly higher for the typical user. Application reputation is intended to provide context and guidance for those who need it, especially if the warning is unexpected. Like SmartScreen in IE8, this is an opt-in service and can be easily disabled in the Tools menu, but this is not recommended.

Note to application developers:

Downloads are assigned a reputation rating based on many criteria, such as download traffic, download history, past antivirus results and URL reputation.  Reputation is generated and assigned to digital certificates as well as specific files.

As an application developer, there are industry best practices that will affect your download's reputation. To help establish your application's reputation, consider doing the following:

Digitally sign your programs with an Authenticode signature

Reputation is generated and assigned to digital certificates as well as specific files. Digital certificates allow data to be aggregated and assigned to a single certificate rather than many individual programs.

Ensure downloads are not detected as malware

Downloaded programs that are detected and confirmed as malware will affect both the download’s reputation and the reputation of the digital certificate.

Apply for a Windows Logo

To learn more about the Windows Logo visit the Windows 7 Logo Program page on MSDN. This is a free process for signed programs that can help establish reputation for your download.

We are extremely excited to enable this feature today for our IE9 beta users. We’re investing heavily in the intelligence powering this feature, as well as improving our existing malware and phishing protection. We think this new approach is an essential companion to the existing SmartScreen features and represents our continued commitment to protecting users.

Ryan Colvin
Program Manager, SmartScreen