SmartScreen® Application Reputation in IE9

Social-engineering attacks, like tricking a user into running a malicious program,
are far more common than attacks on security vulnerabilities. Application Reputation
in IE9 helps protect users from these socially engineered malware attacks. This post
offers details about real-world attacks and how these protections work.

For context, recent studies (like
this one) show that despite the headlines that exploits of software vulnerabilities
get, people browsing the Web are more likely to face a socially engineered attack.
Recent articles (like
this one) have compared different approaches to protecting people. Application
Reputation is a natural extension of the current protections
introduced in IE7 & IE8 that block phishing sites and sites that
distribute malicious programs.

The Technology of Socially-Engineered Attack and Defense

User-downloaded malware is a huge problem and getting bigger.

Through the SmartScreen Filter, IE has been
effective at blocking socially engineered malware attacks and malicious
downloads – IE blocks between 2 and 5 million attacks a day for IE8 and IE9 customers.
Since the release of IE8, SmartScreen has blocked more than 1.5 billion attempted
malware attacks. IE is still the
only major production browser to offer this kind of protection from socially
engineered malware. From our experience operating these services at scale, we have
found that 1 out of every 14 programs downloaded is later confirmed as malware.

Originally, SmartScreen protection was URL-based. IE7 introduced protection from
phishing attacks by integrating a cloud-based URL-reputation service. IE8 added
another layer of protection, also based on URLs (or Web addresses), to protect users
from sites that offered malicious downloads and used social engineering techniques
(“Run this to watch movies for free, download this security software to clean your
machine, or get great emoticons!”) to get users to download and run them. URL-based
protection from socially engineered malware attacks is an important layer of defense
for consumers today on the Web.

That said, IE9 adds another layer of defense against socially engineered attacks
that now looks at the application being downloaded - this is in addition to the
URL-based protection described above. This new layer of protection is called SmartScreen
Application Reputation. When it comes to program downloads, other browsers today
either warn on every file or don’t warn at all. Neither of these approaches helps
the user make a better decision. Application Reputation also addresses a limitation present
in all block-based approaches that happens at the beginning of new attacks,
before a Web site or program has been identified as malicious.

Using reputation helps protect users from newly released malware programs - pretending
to be legitimate software programs - that are not yet detected by existing defense
mechanisms. Reputation also enables IE9 to remove unnecessary warnings for downloads
with an established positive reputation. Both publishers and individual applications
build reputation. For example, a digitally signed application from a well-known
publisher that has been widely downloaded has a better reputation than an unsigned
application that has not yet been downloaded widely and has just been posted on
a newly created Web site.

Anatomy of a Real World Attack

Let’s look at how the feature protected actual IE9 users from one particular attack.
The figure shows the download traffic of a very large-scale malware attack (hundreds
of thousands of downloads). Application Reputation warned IE9 users about this malicious
program from the very moment it hit the Web at Hour 0:

Real Malware Attack Traffic & Timeline

Traditional block-based protection (URL-blocking as well as anti-virus) came in
after Hour 11, well after the attack had passed its active period. The download
warning within IE about the lack of an application reputation was the only defense
that users had. 99% of IE9 users who clicked to download this malicious program
chose to delete or not run the program from the Application Reputation unknown
program warning.

SmartScreen Application Reputation Unknown Program Warning

In this attack, IE9 Application Reputation interrupted the deception of the attack
(which was otherwise very convincing) and most users were able to make a great decision
on their own. This outcome is exactly why we built SmartScreen Application Reputation
into IE9. 99% of users were able to avoid the infection.

This is just one real-world example. Below, we discuss how this trend holds strong
in aggregate. Application Reputation is a game changer for protection against socially-engineered
malware attacks, which is the largest risk on the Web today.

Early Results: Reputation Informs Better Consumer Decisions

From looking at IE9 usage data, starting from the IE9 beta, we see two main patterns:

Dramatic reduction in malware infections for IE9 users

• Users are choosing to delete or not run malware 95% of the time from the new Application
  Reputation warnings
• We estimate that Application Reputation will prevent more than 20 Million additional
  infections per month (on top of existing SmartScreen URL reputation blocks)

Streamlined experience that warns only when the risk is high

• Because programs and publishers can now establish a reputation, 90% of program downloads
  no longer show browser security warnings when users have SmartScreen enabled
• From our data, the typical user will only see 2 warnings per year
• On any given day, clicking through the “unknown warning” carries a risk between
  25% and 70% of malware infection

The reputation that applications and publishers build from actual customers is at
the core of how this protection works. Most people would be cautious about buying
something online from a complete stranger. Sites like
Ebay, Etsy,
Angie’s List, and Amazon.com show
how people use reputation features to make better trust decisions online.

IE9 applies the concept of community reputation to programs that users download.
From the data we’ve collected about user downloads from the browser, 1 out of every
14 programs downloaded is later confirmed as malware. Consumers need information
to make better decisions.

IE9 uses an application’s reputation to warn customers about downloads that carry
a higher risk because they have not yet established a reputation. More than 50%
of programs lacking a reputation are new to the Web on a given day. On a daily basis,
25% to 70% of programs that trigger an Application Reputation warning in IE9 are
later confirmed as malware. Programs and publishers that have already built reputation
do not show a warning.

Many users rarely or never download programs that don’t already have an established
application reputation. When they do, this warning is critical. Users are more likely
to pay attention to this warning because it appears infrequently. Users can still
choose to download the file. Our data shows that customers are making more informed
choices – taking the time to check the source, or confirm it is something they meant
to download. With SmartScreen Application Reputation, users are doing a much better
job distinguishing between malware and legitimate downloads.

Better Consumer Protection through Data

Our goal is to establish a reputation for the publisher of every program on the
Web so that consumers can have a safer and easier experience downloading them. Leading
up to the IE9 beta, we analyzed billions of downloads and built a continuous model
of application reputation and trust across the Web.

To sustain these coverage rates, we’ve built large-scale, objective intelligence
systems that process billions of pieces of information on a daily basis. These systems
are constantly building out reputation for new and existing applications and publishers.
As of today, there are tens of thousands of publishers and millions of individual
applications with an organically established reputation and we’re adding more all
day, every day.

Sometimes, some users will see warnings for legitimate software that happens to
be new and has not yet established a reputation. From the reports we received from the community, this is a rare exception. A new program from an existing publisher
with an established reputation inherits the publisher’s reputation from that publisher’s
code signing certificate. New publishers can build their code-signing reputation
quickly with every download. Unsigned programs were the cause of 96% of the warnings
that consumers have seen to date. The remaining 4% of warnings came from certificates
previously associated with malware or certificates that were new and are still building
a reputation. Customers can and do make informed choices to click through the warning
when they trust the person they are transacting with and expect a download.

How Developers and Publishers Establish Reputation

By following industry best practices, developers can accelerate the process of building
a good reputation. For example, signed programs typically build reputation twice
as fast as unsigned programs. We recommend
digitally signing programs with an Authenticode signature. Making
sure that programs are not detected as malware is clearly important as well. The
Windows Logo
process also helps establish a software publisher’s reputation.

Safer Is Beautiful

SmartScreen Application Reputation is protecting consumers every day.

There are many reasons to recommend your friends and family upgrade to Internet
Explorer 9. We think staying safer online is a big one.

—Jeb Haber, Program Manager Lead, SmartScreen

Comments

• Anonymous
  May 17, 2011
  If you are so keen on digital signing (which by the way is a good idea), then provide certificates for free. I will NOT waste 400+ dollars a year simply to get prettier warning dialogs. The current system is punishing small developers who cannot afford these absurd amounts. If you want to really reduce false positives, provide ALL developers with free certificates. That way, everyone will be more secure.

• Anonymous
  May 17, 2011
  Asbjorn, do ALL malware developers also get free certificates?

• Anonymous
  May 17, 2011
  If you guys are going to show malware blocked in that chart... then maybe you should also chart "Legitimate Harmless Software Blocked" You don't because there is way more legitimate software blocked than malware. making the user jump through hoops to run legitimate free software will destroy what makes Windows great. if you are not going to offer a free certification process to sign code then at least make the option of 'Run Anyway' more visible.

• Anonymous
  May 17, 2011
  The comment has been removed

• Anonymous
  May 17, 2011
  The comment has been removed

• Anonymous
  May 17, 2011
  The comment has been removed

• Anonymous
  May 17, 2011
  The comment has been removed

• Anonymous
  May 17, 2011
  The comment has been removed

• Anonymous
  May 17, 2011
  .jxr, .hdp  - Filename extension(JPEG XR) support.

• Anonymous
  May 17, 2011
  Instead of supporting web-of-trust models you continue to rely on the traditional hierarchical PKI models that as could be seen with Comodo (again) not that long ago.

• Anonymous
  May 17, 2011
  I agree with Asbjørn.  And to Roman's comment, simple verification of the applicant will avoid as many false positives as any other code signing certificate.  Nothing at all is stopping a malware author from spending $400 and signing a worm with it.  That's a weakness of code signing.  However, once a malware author is discovered, it's a lot harder for another certificate to be issued to him/her. As a developer of freeware, I have to say it's frustrating to see my application get the big red X despite hundreds of thousands of downloads and no complaints. All that said, the software downloading experience (including the security aspects) is a vast improvement over IE8.  If there were more free "trust" models supported, that would be good for everybody. As frustrating as it is to see the big red X for my software, it's more frustrating to know that after the user sees that warning several dozen times on software they know is legitimate, the more likely it will be that they will completely ignore it when real malware comes along.

• Anonymous
  May 17, 2011
  The comment has been removed

• Anonymous
  May 18, 2011
  The comment has been removed

• Anonymous
  May 18, 2011
  @Revoka: Web of Trust is already abused sometimes, flagging legitimate sites as bad because someone decided "hey, let's flag this site, their owner did something we didn't like!" on /b/. If it was implemented in IE, the rankings would become completely useless. PS : Guys, the "Run anyway" button only takes two clicks...the first time might be difficult, but if you still have got problems to do it afterwards, I don't think it's IE's problem.

• Anonymous
  May 18, 2011
  The Web of Trust (WOT) plugin for Firefox and Chrome does something similar, so IE is not the only game in town. And, Microsoft, please explain why it is safe to run a browser that is part of the OS, as opposed to a separate program running with no system privileges? If IE gets hacked, so goes Windows.

• Anonymous
  May 18, 2011
  Do you plan to have an API or library of sorts for use of the technology on applications other than IE9?

• Anonymous
  May 18, 2011
  Parrotlover77, "simple verification"... Like an automated email verification?

• Anonymous
  May 18, 2011
  @JimTN - Internet Explorer comes with the OS but is just another user mode application, with no "system privileges" whatsoever. In fact, it's even more locked down than most apps (UAC, MIC, DEP, UIPI, Protected Mode). I'd suggest to read up on Windows security mechanisms, including those introduced in Windows Vista and beyond.

• Anonymous
  May 19, 2011
  @parrotlover - whatever browser your unsigned app is downloaded in, your users will always see Windows warning them that the code is not signed when they go to install and showing a yellow flag. malware that's signed with a cert? that is even easier to detect and block because new malware with the same cert shows up right away ;-) perhaps what Smartscreen needs is a route for authors to submit false positive notices? OTOH there are several unsigned apps I often download that do not trigger the red warning because they have built reputation on Smartscreen, so it's far from a universal problem.

• Anonymous
  May 19, 2011
  The comment has been removed

• Anonymous
  May 19, 2011
  The comment has been removed

• Anonymous
  May 19, 2011
  The comment has been removed

• Anonymous
  May 19, 2011
  @clearmythroat: There are several countermeasures to the ActiveX problem.

1. That's what ActiveX Filtering was built for [1]. It isn't enabled by default, but maybe we'll see this in the future.
2. An ActiveX control needs to be installed first, it can't do anything until you approved the installation. So the user has to explicitly confirm the installation of malicious code. UAC prevents simple click attacks/frauds, so it is really the user who has to accept it.
3. No 2 in turn means that there needs to be a way to get the ActiveX on the computer, most likely a download. That's where SmartScreen Application Reputation kicks in. This is one of the many instances where things were really insecure in the WinXP era: everyone ran as admin and malicious code was just one click away. Thankfully these times are over. When you run Vista/7 with IE9 (both in the default configuration) the whole ActiveX problem vanishes. It just isn't a problem any more. [1] blogs.msdn.com/.../activex-filtering-for-consumers.aspx

• Anonymous
  May 19, 2011
  The comment has been removed

• Anonymous
  May 20, 2011
  @clearmythroat, @PhilstucK - ActiveX controls run as part of a process which is subject to all security measures at the level of the security stack in Windows. In fact, using the words "Windows OS" and "ActiveX" in the same sentence is just like using "Windows OS" and "Paint" in the same sentence. They share the same relationship. You make it sound like ActiveX gets special treatment at the OS level, which is doesn't. All in all, it's a matter of defense in depth. Things like UAC help, but there have been a lot of enhancements to the OS security stack, especially since Vista, that contribute to an overall better security. Ooh's points illustrate the current state of affairs with ActiveX very well.

• Anonymous
  May 20, 2011
  @PhistucK support.microsoft.com/.../240797

• Anonymous
  May 20, 2011
  The comment has been removed

• Anonymous
  May 21, 2011
  App reputation just does not work. It's a horrible decision to determine whether a downloaded app is dangerous based on popularity. Take the case of the newest version of Classic Shell. It had nearly 19000 downloads in May 2011 (sourceforge.net/project/stats/detail.php?group_id=290975&ugn=classicshell&type=prdownload&mode=alltime&file_id=0) but is still being warned as dangerous. (img39.imageshack.us/img39/3284/appreputationfail.png). So in a way IE9 is preventing this app from becoming more popular. And what happens to the established reputation if the URL changes because a new version is out?

• Anonymous
  May 22, 2011
  @tuxplorer: App reputation is as much about educating the average internet user as it is as blocking malicious downloads. If someone deliberately downloads and installs ClassicShell, then that person must fiat that one install one more time that it is intentional. It doesn't compare by the literal millions of malware downloads that are trying to get their foot in through a social engineering attack. These messages (hopefully) make the masses more aware not to download every "fluffybunny.exe" file they come across. And if a person can't make the distinction between a legitimate, intentional, but not commonly downloaded file and a piece of malware then yes, perhaps it is a good idea to block it by default. This is not about vendors, developers, etc. being able to push software to their customers. This is about protection of end-users having no clue at all what they are downloading and installing on their computers.

• Anonymous
  May 22, 2011
  .jxr, .hdp  - Filename extension(JPEG XR) support.

• Anonymous
  May 22, 2011
  @tuxplorer: There are lots of malware that have been downloaded more than 19k times. (btw, you shouldn't use a leaked build to make bug reports...maybe it's a bug in the Win8 IE9) @yellowstone: I think they heard you...

• Anonymous
  May 23, 2011
  How does one get my SIGNED program listed as one that does not produce the "..has not been downloaded...could be bad" warning?

• Anonymous
  May 23, 2011
  I bought a code sign cert from comodo (www.comodo.com/.../code-signing-certificate.php) for a plugin i have developed for powerpoint. But my users still see smart screen... How do i solve this? this is bad user experience for a genuine exe.

• Anonymous
  May 24, 2011
  Hey Guys, I know you usually don't reply to the blog comments, but I figure you read them. So you may want to clarify in your post another type of file reputation warning IE9 displays. Unlike the one shown in your blog post, this message doesn't have the red frame, and says something like "this file is downloaded in an unusual way" I've got the Russian version of it tools.oszone.net/.../smartscreen-message.jpg Yet, it won't let running the file. What files trigger such a message? I'd appreciate your clarification; otherwise, I'll be seeking for it via MVP channels :)

• Anonymous
  May 24, 2011
  @Vadim The Application Reputation warning in the notification bar only shows the red shield and border if the file is not digitally signed.  The different warning experiences for signed and unsigned files were shown in a previous blog post:  blogs.msdn.com/.../smartscreen-174-application-reputation-building-reputation.aspx You should be able to run the download by clicking the Actions button, expanding "More Options", and then choosing "Run Anyway".

• Anonymous
  May 25, 2011
  RyanCol [MSFT] Thanks for your quick response! I understand the color coding system now. For some reason I thought the messages in these dialogs were not the same. I guess I was just looking at them in different OSs with different languages :) And yes, I know how to run files with app rep warning. I meant you can't run them with one click.