IE8 SmartScreen Filter - Protecting Users at Internet Scale

The RSA 2010 Security Conference is just finishing up here in San Francisco, and I’m struck by how many of the conference sessions and keynotes have warned about the threat that socially engineered malware poses to the security of the Internet. Malware has become the scourge of the Internet, and it’s not just the security experts who are worried—the top story in my morning paper yesterday described how a typical malware attack compromised a financial firm’s network. Our data shows that one out of every 250 downloads is the result of a user being tricked into downloading malware to their PC.

We’re proud of the protection SmartScreen® Filter gives IE8 users against such attacks, and I’d like to share some of the latest numbers on our level of protection.

Since we launched IE8 in March 2009, SmartScreen has blocked over 560 million attempts to download malware, recently averaging over 3 million blocks per day! Hosted in datacenters around the world, SmartScreen’s URL Reputation Service (URS) has evaluated over 250 billion URLs to help keep IE8 users safe from malware. Even more impressively, since IE7’s Phishing Filter was introduced in 2005, the URS has processed over 5.7 trillion reputation requests in order to block malicious web sites. Every day, Microsoft receives around 300 million telemetry reports from IE8 users and processes 4.1 billion URLs looking for malicious websites and files. On the back end, our systems and analysts evaluate over 1 terabyte of binaries every day to help identify sites delivering malware.

The Q1 2010 NSS Labs test shows that Microsoft’s continued investment in SmartScreen is paying off. Since launch, IE8’s SmartScreen Filter has continued to improve its protection against Socially Engineered Malware threats.

[Figure: line graph of browsers' malware block rates]

IE6 and 7 don’t provide protection against socially-engineered malware. If your family and friends aren’t up-to-date, please encourage them to upgrade to IE 8 for a safer Internet experience.

While IE8 offers the best built-in protection any browser offers against socially engineered malware, you still should follow best practices to stay safe online. For instance:

  • Enable SmartScreen Filter using IE8’s Safety menu.
  • Install antivirus and antispyware software from trusted sources and keep it up-to-date. Microsoft Security Essentials is available for free.
  • Turn on your firewall.
  • Enable Automatic Updates for Windows and other Microsoft software using Microsoft Update.
  • Keep your computer's other software, including browser add-ons, up-to-date.
  • Before downloading software, consider the risks and be aware of the fine print. For example, make sure the license agreement does not conceal a warning that you are about to install software with unwanted behavior.

You can read more tips and learn about common Internet attacks over on the Security Tips blog.

Stay safe out there!

Eric Lawrence
Program Manager

Comments

  • Anonymous
    January 01, 2003
    And in addition to that, ONE SITE could contain UP TO 10% OF THE URLs! So maybe as little as 50 SITES were included!

  • Anonymous
    January 01, 2003
    When I go to a site that pushes a download on me e.g. download.cnet.com in Firefox a dialog pops up asking me where I want to SAVE the file. This is the safe, responsible thing to do with the downloaded file.

  • Anonymous
    January 01, 2003
    next bit... However in IE, I get a dialog that offers an insecure option... (Open). This button is the first button on the dialog and is just asking for a horrible outcome. If MSFT really cares about IE users, IE9 will REMOVE this button completely. In an age where 560 MILLION malware attempts were blocked in IE, one can only imagine how many more files are out there. Since real-time blocking of files across the entire Internet simply does not scale it is important for IE to take a pro-active step and remove the Run button from user temptation.

  • Anonymous
    January 01, 2003
    third bit... Combine this with a file download manager and there will be no issues for end users.  Files are never executed automatically, yet they are easily found in the download manager and further still A/V software will instantly scan the file once it is added to the local file system (if not before).

  • Anonymous
    January 01, 2003
    Apparently "Jack" works for NSS Labs too:

    > People quote HAAVARD as the official Opera dispute of the test, even though according to his website "Even though I work for Opera Software, the opinions stated herein do not necessarily represent those of my employer".

    That's not the point. The point is that the post exposes the pseudoscientific nonsense that is these NSS Labs reports.

    > Opera, Chrome, Firefox, nor Safari have come out disputing the NSS test results or methodology. Don't you think if they truly disagreed with the results they would have made an official statement?

    Why would they? It's futile. The Microsoft propaganda machine is running full steam ahead. Better ignore it and just move on to something else. Else, the Barbara Streisand effect.

    > This is the third-time MS has released the study, and all we hear from them is silence.

    Again, because they know it's futile.

    > Has there been another test from a different independent test org that contradicts the NSS test?

    Irrelevant. First NSS Labs will have to provide something other than pseudoscience and manipulated statistics.

    > If not NSS, what test org is qualified to do an in-the-wild phishing and malware test?

    Irrelevant to the question of whether NSS Labs' "research" is valid or not.

    > When I search the web looking for NSS's reputation, I see a lot of positive stuff from people who do not have any skin in the browser game

    They evidently haven't looked deeply into NSS Labs' history, then. Also, funny how your links are all companies crowing over how NSS Labs' pseudoscience crowned them the victor in some nonsensical test at some point.

  • Anonymous
    January 01, 2003
    Joe, we know that you work for NSS Labs. We also know that NSS Labs will lie. Your employer was caught lying repeatedly, even insisting that a version of Opera with no support for automatic updates updated itself. You didn't share the URL list. If you did, people wouldn't be pointing out that you didn't. Stop being a paid shill. Admit that your company engages in pseudoscientific nonsense. Of course you would LOVE other browsers to pay you lots of money to manipulate the pseudoscience to their advantage. Is that what this is about? "Pay us, and we'll manipulate the results so you look better!" LOL.

  • Anonymous
    March 05, 2010
    These stats are impressive....

  • Anonymous
    March 05, 2010
    I will be re-posting this on Facebook, it's important for people to know what IE8 has to offer, in comparison with other browsers.

  • Anonymous
    March 05, 2010
    It amazes me that homes are still using IE6 or 7. Even if they use a different browser, they should still upgrade.

  • Anonymous
    March 05, 2010
    Why are you still using NSS Lab as your data source, when it was discovered last time that their methodology was nonsense and their data was completely unreliable?

  • Anonymous
    March 05, 2010
    @Jesper, can you please link to a clear explanation of this "discovery" about NSS Labs that you mention.  I read the NSS Labs report and it sounds as good a methodology as any to me.

  • Anonymous
    March 05, 2010
    @Frederico NSS Labs tests are paid for by Microsoft... no wonder IE8 looks awesome in their reports lol

  • Anonymous
    March 06, 2010
    @Jesper, as Frederico said, I also would like to know about that discovery, I want to believe :) Anyway, I use IE8 in my machines, in Windows 7 and Windows Vista, and so far I've had a great experience, it's fast, secure... but if we talk about web standards, other browsers are better in that area. I look forward to hearing more from IE9! :) Best regards from Peru!

  • Anonymous
    March 06, 2010
    @Frederico: Jesper didn't bother to read the methodology. It's easier to parrot the talking points of the non-IE fanboys than to actually read the report and decide what he thinks of the methodology himself.

  • Anonymous
    March 06, 2010
    The methodology is sound. It has been endorsed by Trend Micro http://trendmicro.mediaroom.com/index.php?s=43&item=749, Gartner, and others. None of these are friends of MS. Google fans need to start asking Google why they continue to score poorly and refuse to offer their customers equal levels of protection from drive-by attacks as they do socially engineered attacks (malware & phishing).

  • Anonymous
    March 06, 2010
    What do the IE guys think of Google's Native Client proposal?

  • Anonymous
    March 06, 2010
    I find all this to be very interesting

  • Anonymous
    March 06, 2010
    Activex, you have your stats reversed. 80% of malware attacks are from social engineered attacks that all browsers don't have any protection against since the attack is against the user, not the pc or browser. http://blog.brickhousesecurity.com/2010/02/19/pdfs-make-up-80-of-all-internet-exploits/. The only protection is to have a feature like Smartscreen and keep Adobe products up to date. If you don't agree with the above article, take a look at blog by Trendmicro from about a year ago, where they determined only 20% of malware is installed through exploits. They said the vast majority of malware installations can be traced back to a socially engineered attack. Please don't throw out SWAG percentages as fact. It does nothing but harm your argument. Also don't get me wrong, I am not an IE zealot, I just believe in an honest factual discussion.

  • Anonymous
    March 06, 2010
    @George Wurst They do, but Firefox's filter technology works much more consistently than Chrome.

  • Anonymous
    March 06, 2010
    http://arstechnica.com/microsoft/news/2009/08/microsoft-sponsors-two-nss-reports-ie8-is-the-most-secure.ars

  • Anonymous
    March 06, 2010
    Another article, singing the same tune: http://my.opera.com/haavard/blog/2009/03/26/malware-report-from-nss-labs-manipulates-statistics

  • Anonymous
    March 06, 2010
    I just read the post. Haavard only raised FUD about the test. He did not have proof why Opera should have scored better, especially since Opera does not have any data sources for malware anymore.

  • Anonymous
    March 07, 2010
    I don't really use phishing filter since usually it's easy to tell if a website is fake or filled with spyware. Still, it's impressive to see that IE has the best protection rates. Well done and keep up the good work.

  • Anonymous
    March 07, 2010
    Believe me. When Google or Firefox or a non-IE browser scores better than IE, then all the people that are against this report now will embrace it, praise the standard/methodology in this malware test as unbiased, and bash IE for being less secure. This is life. All the Microsoft haters are sitting out there, waiting for any chance to spread the FUD. Linus Torvalds: Microsoft hatred is a disease. So, to all Microsoft haters, please quarantine/isolate yourself, stop spreading the disease.

  • Anonymous
    March 07, 2010
    If you plan to publish the full results of the next security tests that are done that are not sponsored by Microsoft then great! Otherwise do not post the results of a sponsored test. It does nothing for your credibility other than undermine it.

  • Anonymous
    March 07, 2010
    Tina, if you plan to post a comment that adds to the conversation in a meaningful way, then great! Otherwise, please do not post your comment, as it does nothing for the reader other than waste their time.

  • Anonymous
    March 07, 2010
    I find these tests more useful than JavaScript speed tests that were made by some browser builders themselves to show one aspect of browser speed in one-sided, non-realistic, repetitive tests

  • Anonymous
    March 07, 2010
    A PCMag tester last year has shown similar results in his Anti Phishing tests even dropping FF and Chrome from the tests because they were not effective. http://www.pcmag.com/article2/0,2817,2350317,00.asp

  • Anonymous
    March 07, 2010
    And another link that confirms much better results for IE8 smartscreen filtering than for instance Firefox or even some third party browser addons http://www.brighthub.com/computing/smb-security/articles/56996.aspx

  • Anonymous
    March 07, 2010
    @Joe "I just read the post.  Haavard only raised FUD about the test. He did not have proof why Opera should have scored better, especially since opera does not have any data sources for malware anymore." You work for NSS Labs, don't you, Joe? Did you actually read the blog post? NSS Labs employees have been actively spreading FUD after being caught red-handed spreading misinformation in various blogs. This is from the first report, but it's equally valid, and NSS Labs has failed to provide others with a full list of URLs or any way to reproduce the results:

      • NSS Labs claims that Opera automatically updated itself even though it did not support automatic updates at the time.
      • The report contradicts itself ("The report says that 7% of the threats were blocked by all browsers, but Opera is claimed to have blocked only 5%").
      • The test started with more than 100K URLs, but the final list was less than 500(!) URLs.
      • Worst case, NSS Labs only tested 10 sites. Yes, 10 sites! According to them, the same site could have up to 10% of the total URLs.
      • "According to the "Malware URL Response" table on page 3, Opera catches 15% on hour 0, and 33% after 5 days. And yet the final rate was set to only 5%"
      • "According to the same table, Chrome consistently catches 25% or more, but the final score is only 16%"
      • "The same table shows that IE8 never reaches 69% even once in the table, and yet its final score is raised to 69%"

  • Anonymous
    March 07, 2010
    @Joe Another nice contradiction: "Also, the test included Phishing, Clickjacking, and so-called “drive-by downloads” (where the web page contains an exploit against a browser and the payload of that exploit is malware that is automatically installed)." Then "It did NOT cover Phishing, so-called “drive-by” exploits/downloads, or Clickjacking." Wow.

  • Anonymous
    March 07, 2010
    You speak of what you do not know. Have you called NSS and asked for the data? I know people at Google and Safari were offered the data. According to Opera's website, the last time I looked, their one published source from Malware is defunct as a data source (Haught Secure). Safari, Google, Firefox and OPERA, have never officially disputed the test results or the methodology. Haavard goes out of his way to say his blog is personal opinion and not an official Opera blog. As for funding, according to what I read, all the browsers were offered to split the cost of the test, but they declined and have never done a competitive test to counter the test. Now don't get me wrong. My browser of choice is FF. I like its speed, customization, ad blocker, no script, and plug-in model a lot better than any other browser. But I do wish MS allowed other products to use their protection from socially engineered attacks like Google does. I

  • Anonymous
    March 08, 2010
    Folks, just a quick reminder about the blog comment policy: While disagreements and criticism are welcome, personal attacks targeted at other commentators are not. See the full policy here: http://blogs.msdn.com/ie/archive/2004/07/22/191629.aspx

  • Anonymous
    March 08, 2010
    @Huri: James correctly notes that NSS removes URLs that don't deliver socially-engineered malware. I'm sure most folks would agree that it doesn't make sense to try to test a malware filter by testing it against URLs that don't deliver malware.

  • Anonymous
    March 08, 2010
    I don't understand the logic of a lot of these posts. People quote HAAVARD as the official Opera dispute of the test, even though according to his website "Even though I work for Opera Software, the opinions stated herein do not necessarily represent those of my employer". Opera, Chrome, Firefox, nor Safari have come out disputing the NSS test results or methodology. Don't you think if they truly disagreed with the results they would have made an official statement? This is the third-time MS has released the study, and all we hear from them is silence. Has there been another test from a different independent test org that contradicts the NSS test? If not NSS, what test org is qualified to do an in-the-wild phishing and malware test? When I search the web looking for NSS's reputation, I see a lot of positive stuff from people who do not have any skin in the browser game http://www.forbes.com/2009/11/03/security-nss-labs-technology-cio-network-wildlist.html http://www-935.ibm.com/services/us/index.wss/detail/iss/a1028930 http://www.mcafee.com/us/about/press/corporate/2009/20090121_060000_x.html

  • Anonymous
    March 08, 2010
    hello>> I don't know what doc you're reading, but both of the Q1 2010 PDFs from NSS clearly state that they don't include "clickjacking" attacks. (The term "clickjacking" is misused here anyway: NSS means "drive-by attacks" where they say clickjacking.) The difference between a driveby and a socially-engineered malware attack is covered in an old post on this blog: http://blogs.msdn.com/ie/archive/2009/02/09/ie8-security-part-viii-smartscreen-filter-release-candidate-update.aspx

  • Anonymous
    March 08, 2010
    (I'm breaking this into segments as this blog is refusing to accept the entire message without filtering it) (con't) ...I'm just curious - as the latter (b) URLs should only be held up to testing against the browsers that have said holes/behavior. e.g. if Chrome/Firefox do not block page 'X' because they do not contain a flaw that would allow the download of malware file 'Y' - then that should not count as a strike against Chrome/Firefox as they are already safe from this malware by design. Are there any statistics on the URLs to indicate how the malware would get downloaded? I think this is a very important piece of the security puzzle that should not be overlooked.

  • Anonymous
    March 08, 2010
    If you really want to protect your users, then quit developing operating systems. If you want to be safe, just install Linux (for example Ubuntu) on your system or buy a Mac.

  • Anonymous
    March 08, 2010
    @Ubuntu >>>If you really want to protect your users, then quit developing operating systems. If you want to be safe, just install Linux (for example Ubuntu) on your system or buy a Mac.>>> Snore.

  • Anonymous
    March 08, 2010
    When I go to a site that pushes a download on me e.g. download.cnet.com in Firefox a dialog pops up asking me where I want to SAVE the file. This is the safe, responsible thing to do with the downloaded file. However in IE, I get a dialog that offers an insecure option... (Open). This button is the first button on the dialog and is just asking for a horrible outcome. If MSFT really cares about IE users, IE9 will REMOVE this button completely. In an age where 560 M-I-L-L-I-O-N malware attempts were blocked in IE, one can only imagine how many more files are out there. Since real-time blocking of files across the entire Internet simply does not scale it is important for IE to take a pro-active step and remove the Run button from user temptation. Combine this with a file download manager and there will be no issues for end users. Files are never executed automatically, yet they are easily found in the download manager and further still A/V software will instantly scan the file once it is added to the local file system (if not before). thank you

  • Anonymous
    March 08, 2010
    Just an FYI - the IE blog attempts to load a theme file? but gets a 403 forbidden error instead.

  • Anonymous
    March 10, 2010
    So, I've been very impressed with IE8's security. If they maintain this good security (or improve it even better!) with IE9, and also give it good web standards support and overall browsing/page-loading performance, then I may actually use it as my main browser.

  • Anonymous
    March 12, 2010
    @active x, Actually, MOST attacks these days are NOT exploiting browser vulnerabilities, only the most elite attackers have the intelligence and resources to conceive such attacks. The average attackers will just make a page and put a download link that says "download this and run it and your credit card will have 100 more dollars", things like that. And for those common attacks, what kind of browser you use doesn't matter, since every browser provides the functionality for people to download and run things from the internet. As for your second point, it is valid, non-IE users are usually more techie than IE users, I myself use Opera most of the time, and non-IE users are usually more security-aware, I met many IE users who don't install any AV on their system, while non-IE users all have some kind of AV installed or use Linux/FreeBSD, or both ;)

  • Anonymous
    March 12, 2010
    @active x, (cont.) But then they are testing the browsers, not the browser users, so it's kinda irrelevant to talk about how techie the users of a certain browser are. And for your last part, I highly doubt installing non-IE browsers on your family computers can magically make your family members more techie unless you educated them about computer security at the same time. After all, it doesn't matter whether they are using IE or Opera or Firefox or Chrome or Safari to download an executable file that says "click me and you'll see a nice firework show", so just changing the browser itself doesn't really stop them from being vulnerable to the vast majority of malware attacks out there. The only thing that can protect someone from malware attacks is to educate him/her about internet security, not just changing the browser he/she uses. Opera surely has much better web standards support than IE, that's for sure, but Opera does NOT have any better protection against malware downloads, and I don't think people can truly rely on browsers to protect them from malware anyway, what they need is some real AV software and a brain better suited to this internet age.

  • Anonymous
    March 16, 2010
    @Joshbw and wechrome: Today most exploits that people should worry about are BOTH social and drive-by. Exploit packs are freely sold, so infesting a user is merely a question of making him click a link. And no easy solution exists.