Understanding SmartScreen Blocking

I’ve received a few emails recently, asking “Why is SmartScreen blocking my newspaper’s website?” Usually, the person asking assumes that, because they trust and regularly visit the website in question, this must be a false positive in SmartScreen.

The reality is a bit more complicated, and a bit more interesting.

Many websites rely upon advertising for revenue, and those advertisements are typically delivered within subframes (IFRAMEs) inside the top-level page. The problem is that advertising networks, from time to time, unknowingly deliver malicious advertising. Typically, such “malvertising” works by navigating the ad's frame to a malicious website. That website, in turn, shows prompts, pop-ups, or other messages (fake “your computer is infected” scans are the classic case) to trick the user into installing malicious software, often called scareware.

SmartScreen is designed to perform reputation checks against every navigation, subframes included, and when it detects that a browser subframe has been navigated to a malicious site, it replaces the entire top-level page with the block experience. The blocking page shows the address of the top-level page that was hosting the malicious content, allowing the user to more easily spot typos or other misleading URLs.

[Screenshot: SmartScreen blocking page on a victim site with a malicious subframe]

In many cases, this design makes sense: if a given top-level page is hosting an IFRAME containing a phishing or malware attack, then there’s a good chance that the top-level page itself is malicious. It might, for instance, contain code that detects whether the attack’s subframe was blocked and then navigates the subframe to a fresh, not-yet-flagged page on a different server, in an attempt to bypass SmartScreen. If SmartScreen blocked only the known-malicious subframe and left the top-level page running, the user could still be put at risk.

When we designed the error page, we worried that technical subtleties like “inline frames” would be confusing to normal users, who might wonder why “https://good.example.com” appears in the address bar but “https://evil” appears within the blocking page. The user might (not unreasonably) assume that SmartScreen had simply made a mistake. Unsuspecting users might “click through” the blocking page and subject themselves to the attack.

Unfortunately, this user experience leads to confusion in the cases where the top-level page isn’t intentionally hosting malicious subframes. The user sees a legitimate address in the blocking page and thinks “My friendly neighborhood newspaper can’t be evil… could it?” What’s worse, most advertising scripts randomly select an advertisement to show, so if the user (or the site owner) revisits the legitimate site in a new window, they likely will not receive the malicious advertisement again and thus will not encounter the SmartScreen blocking page. The block then looks unreproducible and is easily dismissed as a false positive.

If you ever encounter a SmartScreen block experience on a legitimate site, chances are very good that the browser has just blocked a malicious ad. The right response is to leave the page rather than click through, and to let the site owner know, so that the offending advertisement can be traced and removed.

-Eric

PS: FiddlerCap is a tool I’ve released to help users and site owners capture malicious advertisements. FiddlerCap collects all of the web traffic from your browser and saves it in a single file, which can later be analyzed to determine which advertisements should be removed from the network. Because of the random ad rotation described above, you may need to reload the page several times with capture running before the malicious ad reappears.
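The analysis step that a site owner performs on such a capture, as an added example (this is not code from the original post and not FiddlerCap's own code): starting from any request whose host is on a blocklist, walk the Referer headers back to the top-level page and report the first third-party hop, which is the ad network that served the creative. The capture format here is a deliberate simplification (a list of records with URL, Referer and a frame id; FiddlerCap's real archive format is not modelled), and the blocklist, hostnames and capture records are all constructed sample data. It also handles the case the post warns about, a capture in which the malicious ad did not rotate in.

```python
"""Trace a malicious ad back to the ad network that served it.

Added example, not the post's or FiddlerCap's code. Assumes a simplified
capture: one dict per request with the URL, its Referer header and the id
of the frame it loaded in. All hosts and records below are constructed.
"""
from urllib.parse import urlparse

# Constructed blocklist standing in for SmartScreen's reputation data.
BLOCKED_HOSTS = {"evil.example", "scareware.example"}

# Constructed capture of one page load with a malvertising chain in frame "ad1".
SAMPLE_CAPTURE = [
    {"url": "https://news.example/front-page", "referer": "", "frame": "top"},
    {"url": "https://ads.example/serve?slot=leaderboard",
     "referer": "https://news.example/front-page", "frame": "ad1"},
    {"url": "https://cdn.adnet.example/creative/7731.html",
     "referer": "https://ads.example/serve?slot=leaderboard", "frame": "ad1"},
    {"url": "https://evil.example/scan.html",
     "referer": "https://cdn.adnet.example/creative/7731.html", "frame": "ad1"},
    {"url": "https://static.news.example/site.css",
     "referer": "https://news.example/front-page", "frame": "top"},
]


def host_of(url):
    """Hostname of a URL, or "" for an empty/invalid one."""
    return urlparse(url).hostname or ""


def find_blocked_requests(capture, blocked_hosts=BLOCKED_HOSTS):
    """Every request in the capture whose host is on the blocklist."""
    return [req for req in capture if host_of(req["url"]) in blocked_hosts]


def trace_chain(capture, target):
    """Follow Referer headers from `target` back to the request that has no
    referer (the top-level page). Returns URLs ordered top-level first."""
    by_url = {req["url"]: req for req in capture}
    chain = [target["url"]]
    seen = {target["url"]}
    current = target
    while current["referer"] and current["referer"] in by_url:
        current = by_url[current["referer"]]
        if current["url"] in seen:      # guard against a Referer loop
            break
        seen.add(current["url"])
        chain.append(current["url"])
    chain.reverse()
    return chain


def analyze(capture, blocked_hosts=BLOCKED_HOSTS):
    """One report per blocked request: the top-level page, the frame the
    malicious content loaded in, the ad network hop to complain to, and the
    full navigation chain. Empty list if nothing in the capture is blocked."""
    reports = []
    for req in find_blocked_requests(capture, blocked_hosts):
        chain = trace_chain(capture, req)
        top_host = host_of(chain[0])
        # First hop off the page's own host is the ad network that served
        # the creative; that is the party who can pull the ad.
        ad_hop = next((u for u in chain[1:] if host_of(u) != top_host), None)
        reports.append({
            "top_level": chain[0],
            "frame": req["frame"],
            "malicious": req["url"],
            "ad_network": host_of(ad_hop) if ad_hop else None,
            "chain": chain,
        })
    return reports


if __name__ == "__main__":
    found = analyze(SAMPLE_CAPTURE)
    if not found:
        # The ad rotation may simply not have served the bad creative this time.
        print("No known-malicious request in this capture; reload and capture again.")
    for r in found:
        print(f"Top-level page : {r['top_level']}")
        print(f"Frame          : {r['frame']}")
        print(f"Malicious URL  : {r['malicious']}")
        print(f"Ad network hop : {r['ad_network']}")
        print("Chain          : " + " -> ".join(r["chain"]))
```

On the sample capture this reports `news.example/front-page` as the victim page, `ads.example` as the network to contact, and the chain front-page -> ads.example -> cdn.adnet.example -> evil.example. A capture without the rotated-in ad yields no report rather than a false "clean" verdict, which is the cue to capture again.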

Comments

  • Anonymous
    March 28, 2010
Interesting. I have another question. Often I find a page not loading due to an ad holding up the download (at the bottom it shows something like "Waiting for ad.doubleclick.com/..." or "Downloading ..."). At such moments I find that the "Stop" button is not working either. This is very annoying because I cannot see the page and I am not interested in waiting for a timeout on some ad script. If it does not time out, I often resort to killing the IE window through Task Manager. This is just stupid. I should always be in control of stopping the page. Why is the "Stop" button unavailable at such times?

  • Anonymous
    June 02, 2010
Let me try again. I have run into this issue of severe lock-ups with IE 8 on a regular basis. Typically the sites I see it having a severe issue with are forum sites. It doesn't seem to be strictly related to ads, IMO. It seems to me that any time IE 8 gets part of a web page and has to wait on more information, whether it be an ad, info from a database, or a dropped packet, IE 8 hangs and the Stop/Refresh and red X close buttons do not work until IE 8 either gets that information or it times out. This doesn't seem to happen in IE 7. If there are any network problems, e.g. over-congested routers at an ISP, IE 8 will hang on web page loading with a partial load bar at the bottom and none of the buttons work. Only opening Task Manager and closing the process removes IE 8. In cases of a bad path to a website and dropped packets, I used to be able to hit Stop then Refresh, and that usually managed to bring the page up. With IE 8, that's not possible. I've tried resetting IE 8 and disabling every add-on to no avail. This is on a Windows 7 64-bit Home Premium machine. If you have any suggestions on how to get the red X close, Refresh and Stop button functionality back in IE 8 during these moments, I'd be happy to hear about it. If not, then how I could switch this IE 8 to IE 7 on a preinstalled Windows 7 machine could be another alternative. Hopefully this information can prove helpful and add to hAI's post/comment.

  • Anonymous
    June 03, 2010
Found out what causes IE8 to lock up frequently. As soon as I turned off "Protected Mode", everything was lightning fast all the time. No major delays, no hang-ups. Does "Protected Mode" send everything through some sort of server to be filtered/checked? I wonder what kind of balancing needs to be done for speed and efficiency.

  • Anonymous
    June 03, 2010
Oh wait, does running "disabled" not equal running via the "IE - No Add-ons" shortcut that I've read about (which seems to be missing from my laptop)?

  • Anonymous
    June 04, 2010
Please delete my comments. I didn't know about all the add-ons. I found add-ons under the "Run Without Permission" and "Downloaded Controls" sections. Once I disabled the Norton/Symantec ones for a security suite that came with the laptop, which I never activated and am not using, the conflicts seem to have vanished. It is exactly as you said: add-ons conflicting with Protected Mode. The problem was I didn't know where all the add-ons were to truly disable them all. So I thought I had disabled all add-ons, only to leave a ton still running. I've left the Microsoft ones under "Run Without Permission" but have disabled the redundant ones that I do not use from third parties. Thank you for your time and information.