Serious Discussion What is Smartscreen? (Win8/10)

  • Thread starter Deleted member 178
  • Start date

Do you use it ?

  • Yes

    Votes: 58 87.9%
  • No because...

    Votes: 8 12.1%

  • Total voters
    66

Deleted member 178

Thread author
ok small update, if the file was ever run with internet connected and allowed, this specific executable will be allowed forever from now on, even if you disconnect internet later and re-execute this file.

so i guess, smartscreen checks on the first execution attempt after the download and if it is in the whitelist the file will be flagged as safe if you re-execute it later (with or without internet)
 
Last edited by a moderator:

HarborFront

Level 72
Verified
Top Poster
Content Creator
Oct 9, 2016
6,158
sorry i misspelled, i meant if the software isn't whitelisted (hash different from legit one) or doesn't have a valid certificate or the publisher is unknown; Smartscreen should alert it.

i just did the test with the latest foobar 2000 version, i downloaded it from the site, saved on desktop, disconnected internet; then executed it, smartscreen did alert me.

then i reconnected internet, smartscreen went silent
Hi

OK it works. Just tested foobar 2000 with internet disconnected and smartscreen pops up saying it cannot be reached.

Thanks
 

Jake Miguel

Level 3
Verified
Well-known
Nov 14, 2016
134
There was a time, a long time back, when I bought my new i5 and installed Windows 8 on it. I did not like it and switched back to Windows 7.

And, now I am hearing all good things about 8 and all new Windows like 8.1 & 10. Haven't used IE since Windows me. :p
 

reboot

Level 3
Verified
Well-known
Jan 27, 2017
139
so i guess, smartscreen checks on the first execution attempt after the download and if it is in the whitelist the file will be flagged as safe if you re-execute it later (with or without internet)

For what it is worth your answer reads like a pretty accurate guess and more than solid assumption to me. :)
 

Ink

Administrator
Verified
Jan 8, 2011
22,490
@Umbra Does that mean Windows SmartScreen is 100% cloud-based?

 

reboot

Level 3
Verified
Well-known
Jan 27, 2017
139
Hi

OK it works. Just tested foobar 2000 with internet disconnected and smartscreen pops up saying it cannot be reached.

Thanks

HarborFront, I have to tell you that I find it really impressive that you were willing to test and validate first hand the knowledge that was being shared in this thread. You didn't automatically follow in blind faith nor did you simply choose to turn a blind eye to the information and assume that it must be wrong because you hadn't seen it happen before. Thanks for the share. :)
 
  • Like
Reactions: HarborFront

Deleted member 178

Thread author
@Umbra Does that mean Windows SmartScreen is 100% cloud-based?

100% i can't tell, i think there is some local mechanism that checks the certificates (for example the UAC prompt's color depends on the certificate), but it is safe to assume a big part is cloud-based.

I will try to get some more accurate info about it.
 
Last edited by a moderator:

Deleted member 178

Thread author
For what it is worth your answer reads like a pretty accurate guess and more than solid assumption to me. :)
yes, you don't have much info about its real life usage; if we had, this thread wouldn't exist :p

And you know info is "malleable" but real life experience is more accurate (if done properly). i could research the internet for hours and get more detailed info but it won't add much to what i described ;)
 
  • Like
Reactions: reboot and Dirk41

Deleted member 178

Thread author
@Spawn

there are some clues.

Internet Explorer 8: SmartScreen Filter
With the release of Internet Explorer 8, the Phishing Filter was renamed to SmartScreen and extended to include protection from socially engineered malware. Every website and download is checked against a local list of popular legitimate websites; if the site is not listed, the entire address is sent to Microsoft for further checks.[2] If it has been labeled as an impostor or harmful, Internet Explorer 8 will show a screen prompting that the site is reported harmful and shouldn't be visited. From there the user can either visit their homepage, visit the previous site, or continue to the unsafe page.[3] If a user attempts to download a file from a location reported harmful, then the download is cancelled. The effectiveness of SmartScreen filtering has been reported to be superior to socially engineered malware protection in other browsers.[4]

According to Microsoft, the SmartScreen technology used by Internet Explorer 8 was successful against phishing or other malicious sites and in blocking of socially engineered malware.[5]

Beginning with Internet Explorer 8, SmartScreen can be enforced using Group Policy.

SmartScreen in Windows
SmartScreen filtering at the desktop level, performing reputation checks by default on any file or application downloaded from the Internet, was introduced in Windows 8.[8][9] Similar to the way SmartScreen works in Internet Explorer 9, if the program has a bad reputation, the user is alerted that running the program may harm their computer.

Microsoft SmartScreen - Wikipedia


SmartScreen
Microsoft SmartScreen helps protect you while you’re using Microsoft Edge from phishing sites that may attempt to steal your identity and personal information. Microsoft SmartScreen performs reputation checks for each site you visit, and will block the malicious ones. It will also defend you against socially-engineered downloads of malicious software using a cloud based app reputation service that is continuously evaluating the billions of new apps that are published to the internet every year for malicious behavior.

Security in Windows 10 - Windows Experience Blog
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,591
Hi

I just tried. Downloaded AppCheck, switched off my internet, installed AppCheck and no action from smartscreen except alerts from CFW.

I suppose AppCheck for now may not even be in MS cloud server as it's a Korean software.

That is not how SmartScreen works. When you download files using the Internet Browser, the Alternate Stream named Zone.Identifier is attached to the file.
If the file is OK, then it looks like:
[ZoneTransfer]
AppZoneId=4

If the file is not OK then it looks like:
[ZoneTransfer]
ZoneId=3

If the file is an executable: BAT, CMD, COM, CPL, DLL, EXE, JSE, MSI, OCX, SCR and VBE, then in the second case (ZoneId=3) you can see SmartScreen alert in the IE or Edge - if it is ignored, the file is downloaded.

Alternate Stream can be attached to file only on NTFS drives. If you copy the file to the non NTFS source (FAT pendrive, FAT USB Disk, DVD) the Alternate Stream is lost.
If you download a file by program downloader or torrent, then usually the Alternate Stream is not attached to the file.
If you download files in ZIP or another (compression format), the ZIP file has got Alternate Stream attached, but not the files in the ZIP archive. If you decompress the file by Explorer context menu option (Windows inbuilt), it can add to decompressed files the Alternate Stream transferred from the ZIP file. If you decompress archive (ZIP, ARJ, 7Z, etc.) by another method, usually Alternate Stream is skipped, but it depends on the program.
Files without Alternate Stream (Zone.Identifier) will be ignored by SmartScreen on the run.

If you run a downloaded file, it is checked again by SmartScreen, but only in the second case (ZoneId=3), with the SmartScreen Cloud. If the file is now OK, then the Alternate Stream (ZoneId=3) is changed to AppZoneId=4 (no SmartScreen alert). If it is not OK, the SmartScreen alert shows up.

Everybody can check this using NirSoft Alternatestreamview utility.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,591
That is not how SmartScreen works. When you download files using the Internet Browser, the Alternate Stream named Zone.Identifier is attached to the file.
If the file is OK, then it looks like:
[ZoneTransfer]
AppZoneId=4

If the file is not OK then it looks like:
[ZoneTransfer]
ZoneId=3

If the file is an executable: BAT, CMD, COM, CPL, DLL, EXE, JSE, MSI, OCX, SCR and VBE, then in the second case (ZoneId=3) you can see SmartScreen alert in the IE or Edge - if it is ignored, the file is downloaded.

Alternate Stream can be attached to file only on NTFS drives. If you copy the file to the non NTFS source (FAT pendrive, FAT USB Disk, DVD) the Alternate Stream is lost.
If you download a file by program downloader or torrent, then usually the Alternate Stream is not attached to the file.
If you download files in ZIP or another (compression format), the ZIP file has got Alternate Stream attached, but not the files in the ZIP archive. If you decompress the file by Explorer context menu option (Windows inbuilt) it can add Alternate Stream transferred from the ZIP file. If you decompress archive (ZIP, ARJ, 7Z, etc.) by another method, usually Alternate Stream is skipped, but it depends on the program.
Files without Alternate Stream (Zone.Identifier) will be ignored by SmartScreen on the run.

If you run a downloaded file, it is checked again by SmartScreen, but only in the second case (ZoneId=3), with the SmartScreen Cloud. If the file is now OK, then the Alternate Stream (ZoneId=3) is changed to AppZoneId=4 (no SmartScreen alert). If it is not OK, the SmartScreen alert shows up.

Everybody can check this using NirSoft Alternatestreamview utility.

In the newly updated version of Windows 10 there is one important change that is visible in the case of the AppCheck installer. After download, it has ZoneId=3 but there's no SmartScreen alert in the Edge browser! It seems that the file is checked somewhere else and accepted for download. When the file is run from the Download folder the flag is changed to: AppZoneId=4.
On my system, when I close the Internet connection and run AppCheck, the SmartScreen alert shows up.
My SmartScreen tests were from the previous Windows 10 version, so maybe there are some other changes. I have to repeat the tests to be sure.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,591
It seems that in the new Windows 10 version, SmartScreen works in a simpler way.

When you download files using the popular Internet Browser, the Alternate Stream named: Zone.Identifier, is attached to the file:
[ZoneTransfer]
ZoneId=3

If the file is an executable: BAT, CMD, COM, CPL, DLL, EXE, JSE, MSI, OCX, SCR and VBE, then in IE or Edge you can see SmartScreen alert for files that are not recognized as safe - if it is ignored, the file is downloaded. If the file is recognized as malicious, then the download is blocked.
I tried this in Google Chrome, and SmartScreen alert did not show up there. So, it seems that SmartScreen in the Browser, checks files and urls only in IE and Edge.

Alternate Stream can be attached to file only on NTFS drives. If you copy the file to the non NTFS source (FAT pendrive, FAT USB Disk, DVD, Memory Card, etc.) the Alternate Stream is lost.
If you download a file by program downloader or torrent, then usually the Alternate Stream is not attached to the file.
If you download files in ZIP or another (compression format), the ZIP file has got Alternate Stream attached, but not the files in the ZIP archive. If you decompress the file by Explorer context menu option (Windows inbuilt), it can add to decompressed files the Alternate Stream transferred from the downloaded ZIP file. If you decompress archive (ZIP, ARJ, 7Z, etc.) by another method, usually Alternate Stream is skipped, but it depends on the program.
Files without Alternate Stream (Zone.Identifier) will be ignored by SmartScreen on the run.

If you run any file, then SmartScreen checks Zone.Identifier and if it has: ZoneId=3 then the file is checked in the SmartScreen Reputation Cloud. If the file is recognized as safe, then ZoneId=3 is changed to AppZoneId=4 in Zone.Identifier (no SmartScreen alert). If it is not recognized as safe, then the SmartScreen alert shows up.

see also:
SmartScreen Demo Pages: SmartScreen Demo
Windows 8 Smartscreen
Run by Smartscreen utility
 
Last edited:
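
As an added example (not code from any poster in this thread), the following Python parses the Zone.Identifier stream contents shown in the post above and maps a file to the run-time behaviour that post describes. The meaning of AppZoneId=4 is taken from that description; the sample streams, including the HostUrl line, and all function names are constructed for illustration.

```python
import configparser
import os

# Executable types listed in the post above.
CHECKED_EXTS = {".bat", ".cmd", ".com", ".cpl", ".dll", ".exe", ".jse",
                ".msi", ".ocx", ".scr", ".vbe"}

# Constructed sample streams (not captured from a real system).
SAMPLE_DOWNLOADED = "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.test/setup.exe\r\n"
SAMPLE_ACCEPTED = "[ZoneTransfer]\r\nAppZoneId=4\r\n"

def parse_zone_identifier(text):
    """Return the [ZoneTransfer] keys of a Zone.Identifier stream as a dict."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.optionxform = str  # keep key case (ZoneId, AppZoneId)
    try:
        cp.read_string(text.lstrip("\ufeff"))
    except configparser.Error:
        return {}  # malformed stream: no usable keys
    if not cp.has_section("ZoneTransfer"):
        return {}
    return dict(cp["ZoneTransfer"])

def read_stream(path):
    """Read path:Zone.Identifier (NTFS only); None when the stream is absent."""
    try:
        with open(path + ":Zone.Identifier", "r",
                  encoding="utf-8-sig", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None

def classify(filename, stream_text):
    """Map a file to the behaviour on run, as described in the post above."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in CHECKED_EXTS:
        return "not-an-executable-type"
    if stream_text is None:
        return "no-stream: ignored by SmartScreen on run"
    keys = parse_zone_identifier(stream_text)
    if keys.get("AppZoneId") == "4":
        return "accepted: no alert expected"
    if keys.get("ZoneId") == "3":
        return "internet-zone: reputation check on run"
    return "other-or-malformed stream"

def audit(folder):
    """Classify every file directly inside folder (meaningful on Windows/NTFS)."""
    return {e.name: classify(e.name, read_stream(e.path))
            for e in os.scandir(folder) if e.is_file()}

if __name__ == "__main__":
    print(classify("setup.exe", SAMPLE_DOWNLOADED))
    print(classify("setup.exe", SAMPLE_ACCEPTED))
    print(classify("setup.exe", None))
```

Running `audit()` over a Downloads folder lists the executables that carry no stream at all, which per the post are the ones SmartScreen does not check when they are run.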

HarborFront

Level 72
Verified
Top Poster
Content Creator
Oct 9, 2016
6,158
It seems that in the new Windows 10 version, SmartScreen works in a simpler way.

When you download files using the popular Internet Browser, the Alternate Stream named: Zone.Identifier, is attached to the file:
[ZoneTransfer]
ZoneId=3

If the file is an executable: BAT, CMD, COM, CPL, DLL, EXE, JSE, MSI, OCX, SCR and VBE, then in IE or Edge you can see SmartScreen alert for files that are not recognized as safe - if it is ignored, the file is downloaded. If the file is recognized as malicious, then the download is blocked.
I tried this in Google Chrome, and SmartScreen alert did not show up there. So, it seems that SmartScreen in the Browser, checks files and urls only in IE and Edge.

Alternate Stream can be attached to file only on NTFS drives. If you copy the file to the non NTFS source (FAT pendrive, FAT USB Disk, DVD, Memory Card, etc.) the Alternate Stream is lost.
If you download a file by program downloader or torrent, then usually the Alternate Stream is not attached to the file.
If you download files in ZIP or another (compression format), the ZIP file has got Alternate Stream attached, but not the files in the ZIP archive. If you decompress the file by Explorer context menu option (Windows inbuilt), it can add to decompressed files the Alternate Stream transferred from the downloaded ZIP file. If you decompress archive (ZIP, ARJ, 7Z, etc.) by another method, usually Alternate Stream is skipped, but it depends on the program.
Files without Alternate Stream (Zone.Identifier) will be ignored by SmartScreen on the run.

If you run any file, then SmartScreen checks Zone.Identifier and if it has: ZoneId=3 then the file is checked in the SmartScreen Reputation Cloud. If the file is recognized as safe, then ZoneId=3 is changed to AppZoneId=4 in Zone.Identifier (no SmartScreen alert). If it is not recognized as safe, then the SmartScreen alert shows up.

see also:
SmartScreen Demo Pages: SmartScreen Demo
Windows 8 Smartscreen
Run by Smartscreen utility
So, in short, Smartscreen is only useful for downloads using IE & Edge and not suitable for other browsers, right?
 
  • Like
Reactions: Andy Ful

Deleted member 178

Thread author
So, in short, Smartscreen is only useful for downloads using IE & Edge and not suitable for other browsers, right?

no it is system wide and works with all browsers, just did the test by downloading foobar 2000 with Chrome, cut internet, and executed the exe; it is flagged.

if the file was already on the system and executed once and marked as safe, it won't trigger smartscreen for ulterior executions
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,591
So, in short, Smartscreen is only useful for downloads using IE & Edge and not suitable for other browsers, right?
Using IE or Edge you have 2 types of alerts. The first is in the browser, when downloading the file. And, if malicious the download will be blocked. The second type is from 'SmartScreen App Reputation on the Run' (only in Windows 8+) when you run the file - it is system wide.
Using other browsers you have only the second type alert, when you run the file.
The first 6 examples in 'SmartScreen Demo' can be seen only using IE or Edge when downloading the file or browsing (first type of alerts).
The last 2 examples in 'SmartScreen Demo' are system wide in Windows 8+ (second type of alerts).
 
Last edited:
  • Like
Reactions: reboot

HarborFront

Level 72
Verified
Top Poster
Content Creator
Oct 9, 2016
6,158
Using IE or Edge you have 2 types of alerts. The first is in the browser, when downloading the file. And, if malicious the download will be blocked. The second type is from 'SmartScreen App Reputation on the Run' (only in Windows 8+) when you run the file - it is system wide.
Using other browsers you have only the second type alert, when you run the file.
The first 6 examples in 'SmartScreen Demo' can be seen only using IE or Edge when downloading the file or browsing (first type of alerts).
The last 2 examples in 'SmartScreen Demo' are system wide in Windows 8+ (second type of alerts).
I got no alert from Smartscreen in my Windows 10 Pro for the last 2 demo tests with internet disconnected like what @Umbra said
 
Last edited:

HarborFront

Level 72
Verified
Top Poster
Content Creator
Oct 9, 2016
6,158
no it is system wide and works with all browsers, just did the test by downloading foobar 2000 with Chrome, cut internet, and executed the exe; it is flagged.

if the file was already on the system and executed once and marked as safe, it won't trigger smartscreen for ulterior executions
I tested it. Actually, Smartscreen shows an alert saying it cannot be reached since there's no internet. So not sure the foobar 2000 is malicious or not. I'm using Win 10 Pro
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,591
I tested it. Actually, Smartscreen shows an alert saying it cannot be reached since there's no internet. So not sure the foobar 2000 is malicious or not. I'm using Windows 10 Pro
It is normal. SmartScreen cannot connect to Reputation Cloud, and just gives you the message.
 
  • Like
Reactions: reboot

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,591
100% i can't tell, i think there is some local mechanism that checks the certificates (for example the UAC prompt's color depends on the certificate), but it is safe to assume a big part is cloud-based.

I will try to get some more accurate info about it.

If the file has an EV digital certificate, SmartScreen assumes that the file is safe. But I do not know if that means not connecting to the Reputation Cloud. I do not have such files.
 
