Serious Discussion What is Smartscreen? (Win8/10)

[shmu26]

It does not matter what popular browser is used to download ZIP file. It always gets :
[ZoneTransfer]
ZoneId=3

The problem arises, when the file is uzipped. Windows builtin unzip function, can transfer

[ZoneTransfer]
ZoneId=3

to unzipped files.

got it, so let's put zip files on the side.

My second question is really more like this: let's say I download what I think is a plain old pdf file.
In truth, it is javascript.
I am stupid, and I click on it.
Does smartscreen save my skin?

 

[Andy Ful]

got it, so let's put zip files on the side.

My second question is really more like this: let's say I download what I think is a plain old pdf file.
In truth, it is javascript.
I am stupid, and I click on it.
Does smartscreen save my skin?

Edit.
Read my next post first, please.

1. Not directly. It does not stop the PDF file to be opened. In Windows 10, the Edge Browser will be opened, too. The script can run or sometimes cannot run in Edge. If the script can run in Edge, then SmartScreen can block the phishing page or malicious download.
2. If Edge Browser is not set to open PDF files, then the file will be opened by default PDF viewer. If one uses Microsoft Reader (AppContainer) with disabled JavaScript option then nothing happens. If JavaScript option is enabled, then the script is locked in Appcontainer or you will be redirected to malware webpage (see ponit 1).
3. There are many possibilities.

 

[Andy Ful]

got it, so let's put zip files on the side.

My second question is really more like this: let's say I download what I think is a plain old pdf file.
In truth, it is javascript.
I am stupid, and I click on it.
Does smartscreen save my skin?

If it is double extension file malware.pdf.JS, then the script will be run, and SmartScreen can only help when the Edge or IE will be opened.

 

[shmu26]

many thanks to @Andy Ful for this amazingly detailed information!

 

[Andy Ful]

You are welcome.

 

[reboot]

No impact on SmartScreen, I think. SmartScreen App Reputation on Run works even with disabled WD. But, the excluded files should open quicker.

Okay so that short circuits some thoughts and ideas I was having around why…

1. one should really test native security as a 'whole' rather than just individual components like SmartScreen
2. excluding folders full of samples of malware and ransomware (so real time protection doesn't kick in) and then including the folders may actually skew the results.

I know that none of that probably makes sense in the context of my original question, but that's where my thoughts were headed.

Anyway I am a bit intimidated to ask further questions in case Umbra slaps me for being lazy and not testing things for myself. LOL

On a serious note thank you to for providing such detailed explanations. I have read your post several times and each time it feels like I pick up another gem.

 

[DC47561]

I leave SmartScreen switched on myself. It doesn't really do any harm. If you really need to run something, there is always the run anyway option.

 

[Andy Ful]

...
I have read your post several times and each time it feels like I pick up another gem.

That is because, sometimes they are hard to understand (even for me).

 

[Deleted member 178]

Okay so that short circuits some thoughts and ideas I was having around why…
1. one should really test native security as a 'whole' rather than just individual components like SmartScreen

Finally ! someone that use its brain ! i keep saying that since ages on various forums , even tests labs/youtesters, and some so called "security experts'" don't get it.

Anyway I am a bit intimidated to ask further questions in case Umbra slaps me for being lazy and not testing things for myself. LOL

Don't be shy , ask , anyway slaps makes your skin pinker and firmer with time

 

[Rolo]

no it is system wide and work with all browser, just did the test by downloading foobar 2000 with Chrome, cut internet , and executed the exe; it is flagged.

This is a bit inaccurate and creates confusion. SS works at the file system level and additionally works with IE & Edge; it does not work with all browsers.

IE/Edge will give notification upon download; with any other browser, SS won't kick in until the file is opened.

 

[Deleted member 178]

@Rolo exactly what i said lol

That is the meaning of system-wide, means work with all downloaded files. I didn't point detection at download but at execution, which is what is important , block when executed. Of course , using IE/Edge his better but few use them.