IE8 Security Part III: SmartScreen® Filter

As someone whose email address is posted in thousands of forum posts, newsgroup discussions, and blogs, I get a lot of spam. Of the spam I receive, a significant number of messages represent phishing attacks. Most of these lures aren’t very clever or convincing, but phishing has become a simple numbers game—hosting phishing sites is cheap, and even if only a few users fall for any given phishing attack, attackers will profit by increasing the volume of phishing campaigns.

In Internet Explorer 7, we introduced the Phishing Filter, a dynamic security feature designed to warn users when they attempt to visit known-phishing sites, and worked with partners to introduce Extended Validation certificates that light up the address bar when users visit sites with verified identity information. Beyond the Phishing Filter, Microsoft has also published educational materials on identifying phishing scams, and developed a strategy to attack phishing at multiple levels.

For Internet Explorer 8, we’ve built upon the success of the Phishing Filter feature (which blocks over a million phishing attacks weekly) to develop the SmartScreen® Filter, a replacement that improves upon the Phishing Filter in a number of important ways:

• Improved user interface
• Faster performance
• New heuristics & enhanced telemetry
• Anti-Malware support
• Improved Group Policy support

I’ll describe each of these in the sections that follow.

Improved User Interface
First, we’ve simplified the opt-in experience for the SmartScreen Filter, integrating the option into the IE first-run experience. After first-run, you can later change your preferences easily by using the option on the classic Tools menu.

Next, the bold new SmartScreen blocking page offers clear language and guidance to help you avoid known-unsafe websites. Here’s a screenshot from a recent phishing site I encountered:

The “Go to my homepage” link enables you easily to navigate away from the unsafe website to start browsing from a trusted location. If you instead choose to ignore the SmartScreen warning by clicking the “Disregard and continue” link, the address bar remains red as a persistent warning as long as you are on the unsafe site.

If you uncover a new phishing site, you can submit it for analysis using the “Report Unsafe Website” option on the Tools menu. In the unlikely event of a false-positive, you can provide feedback using the “Report that this is not an unsafe website” link on the blocking page or by clicking the “Unsafe Website” flyout in the address bar.

Improved Performance
As a part of our overall investment in improving performance across Internet Explorer, we’ve made several performance tweaks to the SmartScreen Filter to improve its speed and lower its impact on browser performance. Detection of unsafe sites happens in parallel with navigation, so you can confidently surf the web without being forced to make a tradeoff between speed and safety.

New heuristics & telemetry
As attackers have evolved their phishing sites in an attempt to avoid being recognized and blocked, the SmartScreen Filter has also evolved to catch more phish than ever before. New heuristics, developed with help from security research teams across Microsoft, are able to evaluate more aspects of web pages to detect suspicious behavior. These new heuristics, combined with enhanced telemetry, allow the URL Reputation Service to identify and block phishing sites faster than ever.

In rare cases, SmartScreen will request feedback on sites of unknown reputation, as shown in this screenshot:

User feedback about unknown sites is collected by the SmartScreen web service and quickly evaluated to block new phish as they are discovered in the wild.

Anti-Malware Support
The SmartScreen Filter goes beyond anti-phishing to help block sites that are known to distribute malware, malicious software that attempts to attack your computer or steal your personal information. There are many types of malware, but most types can impact your privacy and security. The SmartScreen anti-malware feature is URL-reputation-based, which means that it evaluates the servers hosting downloads to determine if those servers are known to distribute unsafe content. SmartScreen’s reputation-based analysis works in concert with other signature-based anti-malware technologies like the Malicious Software Removal Tool, Windows Defender, and Windows Live OneCare, in order to provide comprehensive protection against malicious software.

If you are lured to a site known to distribute malware, the SmartScreen blocking page is displayed and indicates that the server is known to distribute unsafe software:

On the other hand, if you click on a direct link to a download (from an instant message, for instance) hosted by a known-malicious site, the Internet Explorer download dialog will interrupt the download to warn you of the threat:

SmartScreen’s anti-malware feature complemented by the IE8 features that combat malicious repurposing or exploit of browser add-ons, helps to protect you from a full range of malicious websites.

Group Policy Support
Group Policy can be used to enable or disable the SmartScreen Filter for Internet Explorer users across an entire Windows domain. A new Group Policy option is available that allows domain administrators to block users from overriding SmartScreen Filter warnings. When Group Policy restrictions are enabled, the option to override the SmartScreen warning screen is removed from the blocking pages and download dialog.

Privacy
As outlined in Dean’s post last week, Privacy is a core component of trustworthy browsing. As with IE7, Microsoft remains committed to helping ensure users’ privacy while providing protection from unsafe websites. URL data submitted to the SmartScreen web service for evaluation is transmitted in encrypted format over HTTPS. The data is not stored with a user's IP address or other personally identifiable information. Because user privacy is important in all Microsoft's products and technologies, Microsoft has taken steps to help ensure that no personally identifiable information is retained or used for purposes other than improving online safety; data will not be used to identify, contact, or provide advertising to users. You can read more in our privacy statement.

Conclusion
Web criminals are increasingly relying on social engineering attacks to engage in their criminal enterprises, but we’re working hard to deliver the tools to help keep you safe on the web. The IE8 SmartScreen Filter is designed to combat both phishing and malware sites while protecting your privacy and enabling high-performance browsing. I strongly recommend you enable the SmartScreen Filter and give it a spin in IE8 Beta 2, due in August.

Please stay tuned to the IEBlog for further posts on IE8 Security improvements!

Eric Lawrence
Program Manager
Internet Explorer Security

Comments

• Anonymous
  July 02, 2008
  PingBack from http://blog.a-foton.ru/2008/07/ie8-security-part-iii-smartscreen%c2%ae-filter/

• Anonymous
  July 02, 2008
  I just posted an article about Internet Explorer 8 security features . This is based on a recent briefing

• Anonymous
  July 02, 2008
  What stops the phisers from using a botnet (lots of different IPs) to report their pishing sites as safe and getting around the filter? Is there some kind of protection against this?

• Anonymous
  July 02, 2008
  My only question would be is it annoying? Take for example the Phising Filter in IE 7 not only is it the first thing I shut off, I am instantly reminded to shut it off when I visit the very first site in a new computer setup. Because this balloon keeps popping up and complaining. I am all for better security on the browser, however the Phishing filter was such an annoyance it got shut off, we even rolled shutting it off out globally in our organization because our helpdesk calls spike with users calling asking how to turn it off.

• Anonymous
  July 02, 2008
  @Kwispel: We have human graders who examine reports of phishing/not phishing. A large number of reports doesn't automatically change the rating without a person actually looking at the page in question and deciding whether it truly is phishing. @Jeff Parker: Yes, already in Beta 1, we've removed the annoyance factors you mention. This is part of what Eric describes as having "simplified the opt-in experience".

• Anonymous
  July 02, 2008
  I take it that the parallel checking will prevent the Phishing Filter problems that have been seen when using an authenticating proxy server? Phishing Filter can make the browser unusable in these sorts of setups.

• Anonymous
  July 02, 2008
  The comment has been removed

• Anonymous
  July 02, 2008
  All VERY good; keep it up. However, (I know its a bit too late in the development process) but i would love a feature, where cookies, authentication sessions, etc expire and are deleted after a number of days automatically! Like history, the user chooses how long info is kept. Anyone know of an addon?

• Anonymous
  July 02, 2008
  So from the screenshot in the “New heuristics & telemetry” section I gather that the filter will give a warning if you directly access an IP address. Will this warning also pop up when accessing a LAN address? E.g. 10.0.0.1 or 192.168.1.1 or 127.0.0.1? It shouldn’t, IMO, as these addresses don’t pose a phishing threat and are frequently used by developers for development purposes. ~Grauw

• Anonymous
  July 02, 2008
  Do you use mixed-script domain names as a heuristic? It seems like a warning should be triggered whenever users visit a domain name that does includes characters beyond simple ASCII and their own character set. You might also want to add an option to prohibit browsing of non-ASCII domains. (Non-ASCII domains are bound to lead to a big increase in phishing due to the similarity of different glyphs.)

• Anonymous
  July 02, 2008
  The comment has been removed

• Anonymous
  July 02, 2008
  I highly appreciate the functionality and aesthetics if how this is implemented in to IE. I also applaud emphasizing the domain name (or IP address) of the potential attack site. Eric, I'm surprised though that you simply don't just use an email form to protect your email address from spammers. Unless you spend time with the Hotmail folks working on spam filters? PS - I see rounded corners, any chance we could at least get "-ie-border-radius" support in IE8? :D

• Anonymous
  July 02, 2008
  Internet Explorer 8 - Security

• Anonymous
  July 02, 2008
  So the SmartScreen Filter has two buttons, Yes and No, where both will report the address to Microsoft, either as safe or unsafe. I'm glad I'm not using the IE anymore at all.

• Anonymous
  July 03, 2008
  "We have human graders who examine reports of phishing/not phishing." Worldwide? Or are these Phising-lists only updated between 9h and 17h Microsoft-time?

• Anonymous
  July 03, 2008
  I work for a bank and we get phished once every six weeks.  When I report the phish in IE, it takes too long to be included in the phishing filter.  I would expect it to take 5 minutes or less to verify and add to the filter.  Most times, I am able to shut down the site at the ISP level quicker than getting it added to the phishing filter.  The phishing filter submission is typically faster for Firefox/Google.  Is there a way you can add trusted sources/priority submissions for banks/financial institutions?

• Anonymous
  July 03, 2008
  The comment has been removed

• Anonymous
  July 03, 2008
  Really nice and clear. One suggestion: If the possibility to continue and disregard the warning is disabled by administrators the smartscreen filter should state this clearly and not just tell that you only can go to homepage. Users will blame the browser or windows for this and not their own administrators. To Andre: Where did you come up with the thing that both buttons (red and green) will send report to MS? Actually neither of them will. You must click the link: "Report this site ..." to send a report.

• Anonymous
  July 04, 2008
  IE8 Security Part III: SmartScreen® Filter

• Anonymous
  July 06, 2008
  Dear Eric: Is the anti-malware or anti-phising provider is open or only can supplied by Microsoft? Like in firefox, people can use both firefox's own database or Google's database. I think if the provider is open, maybe many professional security company could supply their solution for anti-phising and anti-malware, maybe it's a good thing for the end-users :)

• Anonymous
  July 06, 2008
  The comment has been removed

• Anonymous
  July 09, 2008
  [Note: Techblogger Claus Valca wrote an excellent guest post on June 29 about issues surrounding the popular AVG Free antivirus program. Since then, AVG has taken steps to fix problems with its new LinkScanner feature, and Claus has been kind...

• Anonymous
  July 09, 2008
  The comment has been removed

• Anonymous
  July 10, 2008
  @Nektar: Actually, a significant majority of IE7 users do turn on the Phishing Filter.  Remember, there are a number of prompts during initial use, and if the user configured the "Use recommended settings" during Vista setup, the filter is on by default for them. Integrating these choices into setup rather than first run wouldn't really work because  only one user on a computer runs IE setup, but other users of the same computer may have different preferences.  Because First-Run is per-user, the current design provides the opportunity to set their defaults as desired.  As you'll see in Beta-2, we've significantly streamlined the first run experience.  

• Anonymous
  July 10, 2008
  please do not develop the solutions "made for geeks, made by geeks". Look at the simple approach of phishing-shied from everyday user's point of view, and develop something simple as presented by http://ww.parentapproval.com/

• Anonymous
  July 10, 2008
  Most of the phishing solutions are not transparent at user-level, and seems like "made for geeks, made by geeks". Look at the simple approach of phishing-shied from everyday user's point of view, and develop something simple as presented by http://www.parentapproval.com/

• Anonymous
  July 11, 2008
  @@phish-shield: Hmm... IE8 shows a big red blocking page that says "This is a phishing site.  STOP!"  That doesn't really seem like it lacks "transparency", vs the "parent-approval" toolbar, which involves multiple configuration UI, allow lists, dozens of checkboxes, and the requirement that every website be entered manually for "allow" or "deny."   Couple that with the ludicrous "patent pending" claimed by the "parent approval" company, and you can bet that Microsoft isn't going to implement something like that.   Methinks maybe you work for those patent trolls and are hoping microsoft will do something that gets them sued?

• Anonymous
  July 30, 2008
  a {color : #0033CC;} a:link {color: #0033CC;} a:visited.local {color: #0033CC;} a:visited {color : #800080;}

• Anonymous
  August 12, 2008
  Si sta avvicinando a grandi passi il rilascio della Beta 2 della versione 8 di Internet Explorer . Come

• Anonymous
  August 28, 2008
  The next beta for Internet Explorer has been released for broad distribution to the public, according

• Anonymous
  September 18, 2008
  Hello, My name is Sébastien Zimmermann. I’m the developer owner for the Visual Search Feature , which

• Anonymous
  October 23, 2008
  Привет, меня зовут Себастьян Циммерман (Sébastien Zimmermann) и я являюсь основным разработчиком функции

• Anonymous
  October 23, 2008
  Привет, меня зовут Себастьян Циммерман (Sébastien Zimmermann) и я являюсь основным разработчиком функции

• Anonymous
  December 01, 2008
  Back in June, Dean Hachamovitch kicked off a series of blog posts explaining how the IE team approached

• Anonymous
  February 09, 2009
  Hello, I'm Alex Glover and I'm the test owner of the SmartScreen Filter in Internet Explorer 8. The SmartScreen

• Anonymous
  February 17, 2009
  Изменения в фильтре SmartScreen в IE8 RC1 Привет, меня зовут Алекс Гловер (Alex Glover) и я являюсь главным

• Anonymous
  March 16, 2009
      이메일 주소를 포함한 글이 포럼이나, 뉴스그룹, 블로그 등에 올라가게 되면 엄청나게 많은 양의 스팸을 받게 됩니다. 그렇게 받는 스팸 중에는 피싱 메일이 상당수를

• Anonymous
  March 22, 2009
  A study by NSS Labs of 6 major web browsers shows a large difference in their ability to block "socially

• Anonymous
  March 22, 2009
  After my post about IE8 last week I got an email from someone asking me to explain more about other security

• Anonymous
  March 22, 2009
  After my post about IE8 last week I got an email from someone asking me to explain more about other security

• Anonymous
  March 22, 2009
  After my post about IE8 last week I got an email from someone asking me to explain more about other security

• Anonymous
  March 22, 2009
  After my post about IE8 last week I got an email from someone asking me to explain more about other security

• Anonymous
  March 22, 2009
  After my post about IE8 last week I got an email from someone asking me to explain more about other security

• Anonymous
  March 22, 2009
  After my post about IE8 last week I got an email from someone asking me to explain more about other security

• Anonymous
  March 22, 2009
  After my post about IE8 last week I got an email from someone asking me to explain more about other security

• Anonymous
  March 24, 2009
  My colleague in New York, Peter Laudati , just alerted me to this report in which IE8 was found to be

• Anonymous
  March 25, 2009
  Over the last year, we’ve published two posts about how the IE8 SmartScreen ® filter helps to prevent

• Anonymous
  March 30, 2009
  Безопасность IE8: защита от вредоносного ПО с помощью фильтра SmartScreen В прошлом году мы опубликовали

• Anonymous
  April 21, 2009
  I attended Scott Charney’s keynote this morning at RSA – Moving Towards End to End Trust: A Collaborative

• Anonymous
  June 03, 2009
  Aus aktuellem Anlass möchte ich doch einmal darauf eingehen, in wieweit aktuelle Browser den Nutzer vor potentiell gefährlichen Seiten schützt. Wichtig ist in diesem Zusammenhang, dass ich mich bei diesem Beitrag jeweils auf die aktuellste Generation

• Anonymous
  June 11, 2009
      안녕하세요. 이번에는 Jon DeVaan 이 최근에 UAC 에 대해 받은 피드백에 대해 이야기하겠습니다.  Windows 7 을 완성하기 위한 작업의

• Anonymous
  April 21, 2015
  The comment has been removed