Run by Smartscreen utility

[oldschool]

Hi Andy.

Against what data base, is RunBySmartscreen checking the files?

An unidentified "dynamic list of reported phishing sites and malicious software sites." It doesn't rely solely on lists but also analyzes for suspicious behavior and checks reputation against a list of commonly downloaded software.

Microsoft Defender SmartScreen overview - Windows Security

Learn how Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files.

learn.microsoft.com

 

[Andy Ful]

Hi Andy.

Against what data base, is RunBySmartscreen checking the files?

Did you read the OP?
https://malwaretips.com/threads/run-by-smartscreen-utility.65145/post-561234

Should I add something to make it more understandable?

Technically, RunBySmartscreen does not check files against any database. It only makes SmartScreen for Explorer (Windows built-in) more thorough, so that SmartScreen can also check files not originating from the Internet. Additionally, it shows an alert that the file type can include active content (script, scriplet, document, etc.).

 

[pxxb1]

Did you read the OP?
https://malwaretips.com/threads/run-by-smartscreen-utility.65145/post-561234

Should I add something to make it more understandable?

It does not say anything about any data base. With VirusTotal one knows what is checking the file, but with this??

 

[Andy Ful]

It does not say anything about any data base.

Quite the contrary, it explicitly mentions that the check is done via SmartScreen.

 

[pxxb1]

Quite the contrary, it explicitly mentions that the check is done via SmartScreen.

Well, i mentioned VirusTotal because that is where i am basing my mental picture about a data base. And as you know it is a lot of antivirus programs that is checking a file. So, again, what is checking this? When you answered - Smartscreen, you know what that is, but i do not. But i uppose it is Ms data base that it has for Ms Defender, or?

 

[pxxb1]

Well, i mentioned VirusTotal because that is where i am basing my mental picture about a data base. And as you know it is a lot of antivirus programs that is checking a file. So, again, what is checking this? When you answered - Smartscreen, you know what that is, but i do not. But i uppose it is Ms data base that it has for Ms Defender, or?

I suppose the "Thumbs up" menas that it is Ms Defenders data base.

Then, why has not Ms implemented that feature that RBS has into its protection do you think?

 

[Andy Ful]

Well, i mentioned VirusTotal because that is where i am basing my mental picture about a data base. And as you know it is a lot of antivirus programs that is checking a file. So, again, what is checking this? When you answered - Smartscreen, you know what that is, but i do not. But i uppose it is Ms data base that it has for Ms Defender, or?

SmartScreen is a well-known Microsoft’s cloud-based reputation service. It is used in Edge and it is integrated with Explorer (in Windows 8+).
You can easily find the details via Google.
https://www.certauri.com/how-to-gain-smart-screen-reputation-and-avoid-smart-screen-filter-warnings/
https://signmycode.com/blog/what-is-windows-defender-smartscreen

 

[Andy Ful]

Then, why has not Ms implemented that feature that RBS has into its protection do you think?

Microsoft implemented SmartScreen in Edge and integrated with Explorer (only for files originating from the Internet). RunBySmartscreen extends SmartScreen check for files not originating from the Internet and shows some info about files with active content.

 

[pxxb1]

SmartScreen is a well-known Microsoft’s cloud-based reputation service. It is used in Edge and it is integrated with Explorer (in Windows 8+).
You can easily find the details via Google.
https://www.certauri.com/how-to-gain-smart-screen-reputation-and-avoid-smart-screen-filter-warnings/

Add that to the OP.
(I wanted to hear it from you as source of the program)

 

[pxxb1]

Microsoft implemented SmartScreen in Edge and integrated with Explorer (only for files originating from the Internet). RunBySmartscreen extends SmartScreen check for files not originating from the Internet and shows some info about files with active content.

This is not really an answer.
What i am trying to see is, what the point is to use RBS when Ms Defender takes care of the file in step 2, when opening, anyway.

 

[Andy Ful]

This is not really an answer.
What i am trying to see is, what the point is to use RBS when Ms Defender takes care of the file in step 2, when opening, anyway.

MS Defender (free) and many AVs, normally do not use the reputation checks. You are probably misguided by the naming. Microsoft Defender SmartScreen is not a part of Microsoft Defender antivirus. Just like Edge (with SmartScreen) is not a part of Microsoft Defender antivirus.
SmartScreen for Explorer and Edge (with SmartScreen) work even if you use another AV.

 

[pxxb1]

MS Defender (free) and many AVs, normally do not use the reputation checks. You are probably misguided by the naming. Microsoft Defender SmartScreen is not a part of Microsoft Defender antivirus. Just like Edge (with SmartScreen) is not a part of Microsoft Defender antivirus.
SmartScreen for Explorer and Edge (with SmartScreen) work even if you use another AV.

Ok. But it uses Ms Defenders database to tell good from bad?

 

[Andy Ful]

Ok. But it uses Ms Defenders database to tell good from bad?

The database includes the telemetry from the Windows system, not only from the Microsoft Defender application. But in the end, Microsoft Defender machine learning, Microsoft Defender ASR rules, and others can access that database. So one can call that database (not precisely) MS Defender's database.

 

[oldschool]

SmartScreen is a well-known Microsoft’s cloud-based reputation service. It is used in Edge and it is integrated with Explorer (in Windows 8+).
You can easily find the details via Google.
https://www.certauri.com/how-to-gain-smart-screen-reputation-and-avoid-smart-screen-filter-warnings/
https://signmycode.com/blog/what-is-windows-defender-smartscreen

Yes. I was mistakenly responding to a the subject of SS generally, and not RBS.

MS Defender (free) and many AVs, normally do not use the reputation checks. You are probably misguided by the naming. Microsoft Defender SmartScreen is not a part of Microsoft Defender antivirus. Just like Edge (with SmartScreen) is not a part of Microsoft Defender antivirus.

Indeed, I think many people confuse these two. I see members on other forums make this mistake and/or misunderstand the SS feature on Windows. Especially those who disable it.

 

[Andy Ful]

Indeed, I think many people confuse these two. I see members on other forums make this mistake and/or misunderstand the SS feature on Windows. Especially those who disable it.

It is strange, but many people on security-related forums have a very rudimentary knowledge of Windows-built-in security features that are activated by default.
Even a few years after I created ConfigureDefender, many posters insisted that Defender on Windows Home did not have behavior-blocking capabilities, post-launch detection, ASR rules, etc. Still, many people do not know what is the 'Mark of the Web' and how it is related to Windows security.
Anyway, after many discussions, it seems that the level of knowledge about Windows-built-in security is higher, especially on the MT forum.

 

[Gandalf_The_Grey]

It is strange, but many people on security-related forums have a very rudimentary knowledge of Windows-built-in security features that are activated by default.
Even a few years after I created ConfigureDefender, many posters insisted that Defender on Windows Home did not have behavior-blocking capabilities, post-launch detection, ASR rules, etc. Still, many people do not know what is the 'Mark of the Web' and how it is related to Windows security.
Anyway, after many discussions, it seems that the level of knowledge about Windows-built-in security is higher, especially on the MT forum.

And thanks to you...

 

[LennyFox]

But to be honest, Microsoft does not make it easy to understand.

SAC, WDAC-ISG, SmartScreen, Microsoft Defender cloud level zero tolerance, ASR "Block executable files from running unless they meet a prevalence, age, or trusted list criterion" and "Block at first sight" option have related and overlapping protections because they share the Microsoft back end data bases., reputation services. Because all of the telemetry data collected by Microsoft from so many end points, they have a competitive big data collection advantage over all other (third-party) security.

As @Gandalf_The_Grey posted thanks to Andy Full most of these advanced build-in features are accessible and usable for home users with less security knowledge

 

[pxxb1]

The database includes the telemetry from the Windows system, not only from the Microsoft Defender application. But in the end, Microsoft Defender machine learning, Microsoft Defender ASR rules, and others can access that database. So one can call that database (not precisely) MS Defender's database.

Thank you for the clarification, now i know.

 

[Andy Ful]

But to be honest, Microsoft does not make it easy to understand.

Yes, that is true. In fact, we have one big "Microsoft Endpoint Protection" implemented in Windows. It contains: Defender Antivirus (with ASR rules, Network Protection, Controlled folder access, etc.), Edge, SmartScreen, WDAC, etc. Any other AV vendor would announce all of them as parts of one product. Microsoft decided to split that product into different security layers (probably due to antimonopoly law), that can work almost independently from the viewpoint of the user. Of course, those security layers are integrated in the Microsoft cloud.

 

[Dave Russo]

Forgive my ignorance( not intentional) but when or how does the smart screen activate ? And does it only work if your running Microsoft Defender as your primary Av? The article seems to say it checks downloads and also related to web browser protection?