Q&A What is Smartscreen? (Win8/10)

Discussion in 'Microsoft' started by Umbra, Apr 1, 2016.

Do you use it?

  1. Yes

    45 vote(s)
    86.5%
  2. No because...

    7 vote(s)
    13.5%
  1. Umbra

    Umbra From Emsisoft
    Developer

    May 16, 2011
    17,163
    29,646
    Community manager
    Vietnam & France
    Windows 10
    Emsisoft
    #21 Umbra, Feb 3, 2017
    Last edited: Feb 3, 2017
    OK, small update: if the file was ever run with internet connected and allowed, this specific executable will be allowed forever from now on, even if you disconnect the internet later and re-execute this file.

    So I guess SmartScreen checks on the first execution attempt after the download, and if it is in the whitelist the file will be flagged as safe if you re-execute it later (with or without internet).
     
  2. HarborFront

    HarborFront Level 33
    Content Creator

    Oct 9, 2016
    2,299
    5,757
    Far East
    Hi

    OK, it works. Just tested foobar 2000 with internet disconnected and SmartScreen pops up saying it cannot be reached.

    Thanks
     
    reboot and Umbra like this.
  3. Jake Miguel

    Jake Miguel Level 2

    Nov 14, 2016
    98
    566
    Singapore
    There was a time, a long time back, when I bought my new i5 and installed Windows 8 on it. I did not like it and switched back to Windows 7.

    And now I am hearing all good things about 8 and all the new Windows like 8.1 & 10. Haven't used IE since Windows Me. :p
     
  4. reboot

    reboot Level 3

    Jan 27, 2017
    143
    402
    Marketing consultant
    Australia
    Windows 10
    Default-Deny
    For what it is worth your answer reads like a pretty accurate guess and more than solid assumption to me. :)
     
  5. Spawn

    Spawn Administrator
    Staff Member Content Creator

    Jan 8, 2011
    16,260
    24,189
    @Umbra Does that mean Windows SmartScreen is 100% cloud-based?

     
    Dirk41 and Jake Miguel like this.
  6. reboot

    HarborFront, I have to tell you that I find it really impressive that you were willing to test and validate first hand the knowledge that was being shared in this thread. You didn't automatically follow in blind faith nor did you simply choose to turn a blind eye to the information and assume that it must be wrong because you hadn't seen it happen before. Thanks for the share. :)
     
    HarborFront likes this.
  7. Umbra

    #27 Umbra, Feb 3, 2017
    Last edited: Feb 3, 2017
    100% I can't tell; I think there is some local mechanism that checks the certificates (for example, the UAC prompt's color depends on the certificate), but it is safe to assume a big part is cloud-based.

    I will try to get some more accurate info about it.
     
    reboot, Andy Ful, harlan4096 and 2 others like this.
  8. Umbra

    Yes, you don't have much info about its real-life usage; if we had, this thread wouldn't exist :p

    And you know info is "malleable", but real-life experience is more accurate (if done properly). I could research the internet for hours and get more detailed info, but it won't add much to what I described ;)
     
    reboot and Dirk41 like this.
  9. Umbra

    @Spawn

    There are some clues.

    Microsoft SmartScreen - Wikipedia


    Security in Windows 10 - Windows Experience Blog
     
    Spawn, reboot, silversurfer and 3 others like this.
  10. Andy Ful

    Andy Ful Level 21

    Dec 23, 2014
    1,099
    4,700
    business
    Poland
    Windows 10
    Microsoft
    #30 Andy Ful, Feb 3, 2017
    Last edited: Feb 3, 2017
    That is not how SmartScreen works. When you download files using the Internet Browser, the Alternate Stream named Zone.Identifier is attached to the file.
    If the file is OK, then it looks like:
    [ZoneTransfer]
    AppZoneId=4

    If the file is not OK then it looks like:
    [ZoneTransfer]
    ZoneId=3

    If the file is an executable: BAT, CMD, COM, CPL, DLL, EXE, JSE, MSI, OCX, SCR and VBE, then in the second case (ZoneId=3) you can see SmartScreen alert in the IE or Edge - if it is ignored, the file is downloaded.

    Alternate Stream can be attached to file only on NTFS drives. If you copy the file to the non NTFS source (FAT pendrive, FAT USB Disk, DVD) the Alternate Stream is lost.
    If you download a file by program downloader or torrent, then usually the Alternate Stream is not attached to the file.
    If you download files in ZIP or another (compression format), the ZIP file has got Alternate Stream attached, but not the files in the ZIP archive. If you decompress the file by Explorer context menu option (Windows inbuilt), it can add to decompressed files the Alternate Stream transferred from the ZIP file. If you decompress archive (ZIP, ARJ, 7Z, etc.) by another method, usually Alternate Stream is skipped, but it depends on the program.
    Files without Alternate Stream (Zone.Identifier) will be ignored by SmartScreen on the run.

    If you run the downloaded file, it is again checked by SmartScreen, but only in the second case (ZoneId=3), with the SmartScreen Cloud. If the file is now OK, then the Alternate Stream (ZoneId=3) is changed to AppZoneId=4 (no SmartScreen alert). If it is not OK, the SmartScreen alert shows up.

    Everybody can check this using the NirSoft AlternateStreamView utility.
     
  11. Andy Ful

    #31 Andy Ful, Feb 3, 2017
    Last edited: Feb 3, 2017
    In the new updated version of Windows 10 there is one important change that is visible in the case of the AppCheck installer. After download, it has ZoneId=3, but there's no SmartScreen alert in the Edge browser! It seems that the file is checked somewhere else and accepted for download. When the file is run from the Download folder, the flag is changed to: AppZoneId=4.
    On my system, when I close the Internet connection and run AppCheck, the SmartScreen alert shows up.
    My SmartScreen tests were from the previous Windows 10 version, so maybe there are some other changes. I have to repeat the tests to be sure.
     
    Spawn, HarborFront, reboot and 2 others like this.
  12. Andy Ful

    #32 Andy Ful, Feb 3, 2017
    Last edited: Feb 3, 2017
    It seems that in the new Windows 10 version, SmartScreen works in a simpler way.

    When you download files using the popular Internet Browser, the Alternate Stream named: Zone.Identifier, is attached to the file:
    [ZoneTransfer]
    ZoneId=3

    If the file is an executable: BAT, CMD, COM, CPL, DLL, EXE, JSE, MSI, OCX, SCR and VBE, then in IE or Edge you can see SmartScreen alert for files that are not recognized as safe - if it is ignored, the file is downloaded. If the file is recognized as malicious, then the download is blocked.
    I tried this in Google Chrome, and the SmartScreen alert did not show up there. So, it seems that SmartScreen in the browser checks files and URLs only in IE and Edge.

    Alternate Stream can be attached to file only on NTFS drives. If you copy the file to the non NTFS source (FAT pendrive, FAT USB Disk, DVD, Memory Card, etc.) the Alternate Stream is lost.
    If you download a file by program downloader or torrent, then usually the Alternate Stream is not attached to the file.
    If you download files in ZIP or another (compression format), the ZIP file has got Alternate Stream attached, but not the files in the ZIP archive. If you decompress the file by Explorer context menu option (Windows inbuilt), it can add to decompressed files the Alternate Stream transferred from the downloaded ZIP file. If you decompress archive (ZIP, ARJ, 7Z, etc.) by another method, usually Alternate Stream is skipped, but it depends on the program.
    Files without Alternate Stream (Zone.Identifier) will be ignored by SmartScreen on the run.

    If you run any file, then SmartScreen checks Zone.Identifier, and if it has ZoneId=3, then the file is checked in the SmartScreen Reputation Cloud. If the file is recognized as safe, then ZoneId=3 is changed to AppZoneId=4 in Zone.Identifier (no SmartScreen alert). If it is not recognized as safe, then the SmartScreen alert shows up.

    see also:
    SmartScreen Demo Pages: SmartScreen Demo
    Windows 8 Smartscreen
    Run by Smartscreen utility
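
An added example, not part of Andy Ful's post and not Microsoft code: a Python sketch that parses the text of a Zone.Identifier stream and maps it to the on-run behaviour described in post #32. The function names and outcome labels are hypothetical, and the sample stream contents are constructed.

```python
import sys

def parse_zone_identifier(text):
    """Return the [ZoneTransfer] keys of a Zone.Identifier stream, lower-cased."""
    fields, in_section = {}, False
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[zonetransfer]"
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip()
    return fields

def on_run_outcome(stream_text):
    """Map stream contents to the on-run behaviour described in the thread.

    The outcome labels are hypothetical names chosen for this example.
    """
    if stream_text is None:
        return "ignored"        # no Zone.Identifier: SmartScreen skips the file
    fields = parse_zone_identifier(stream_text)
    if fields.get("appzoneid") == "4":
        return "trusted"        # already recognized as safe, no alert
    if fields.get("zoneid") == "3":
        return "cloud-check"    # reputation lookup when the file is run
    return "not-described"      # any other value: the thread does not cover it

def read_zone_identifier(path):
    """Read the stream from an NTFS file on Windows; None if it is absent."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None

# Constructed sample stream contents (not captured from a real system).
SAMPLES = {
    "fresh download": "[ZoneTransfer]\r\nZoneId=3\r\n",
    "run once, recognized as safe": "[ZoneTransfer]\r\nAppZoneId=4\r\n",
    "copied via FAT drive, stream lost": None,
}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(f"{label}: {on_run_outcome(text)}")
    for path in sys.argv[1:]:   # optionally inspect real files on Windows
        print(f"{path}: {on_run_outcome(read_zone_identifier(path))}")
```

Passing file paths as arguments on a Windows NTFS volume reads each file's real stream; files that lost or never had the stream report "ignored", which is the gap the post describes for torrent clients, download managers and third-party archive tools.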
     
  13. HarborFront

    So, in short, SmartScreen is only useful for downloads using IE & Edge and not suitable for other browsers, right?
     
    Andy Ful likes this.
  14. Umbra

    No, it is system-wide and works with all browsers; I just did the test by downloading foobar 2000 with Chrome, cut the internet, and executed the exe; it is flagged.

    If the file was already on the system and executed once and marked as safe, it won't trigger SmartScreen for ulterior executions.
     
    harlan4096, reboot and Azure Phoenix like this.
  15. Andy Ful

    #35 Andy Ful, Feb 4, 2017
    Last edited: Feb 4, 2017
    Using IE or Edge you have 2 types of alerts. The first is in the browser, when downloading the file. And, if malicious the download will be blocked. The second type is from 'SmartScreen App Reputation on the Run' (only in Windows 8+) when you run the file - it is system wide.
    Using other browsers you have only the second type alert, when you run the file.
    The first 6 examples in 'SmartScreen Demo' can be seen only using IE or Edge when downloading the file or browsing (first type of alerts).
    The last 2 examples in: 'SmartScreen Demo' are system wide in Windows 8+ (second type of alerts).
     
    reboot likes this.
  16. HarborFront

    #36 HarborFront, Feb 4, 2017
    Last edited: Feb 4, 2017
    I got no alert from Smartscreen in my Windows 10 Pro for the last 2 demo tests with internet disconnected like what @Umbra said
     
  17. HarborFront

    I tested it. Actually, Smartscreen shows an alert saying it cannot be reached since there's no internet. So not sure the foobar 2000 is malicious or not. I'm using Win 10 Pro
     
  18. Andy Ful

    It is normal. SmartScreen cannot connect to Reputation Cloud, and just gives you the message.
     
    reboot likes this.
  19. HarborFront

    What's the point of a message if it does not tell the user whether the application is malicious or not?
     
  20. Andy Ful

    If the file has got an EV digital certificate, SmartScreen assumes that the file is safe. But I do not know if it means not connecting to the Reputation Cloud. I do not have such files.
     