Windows 8 Smartscreen

Status
Not open for further replies.

Nikos751

Level 20
Thread author
Verified
Malware Tester
Feb 1, 2013
970
Hello!
I would like to know if SmartScreen in Windows 8 (not Explorer SmartScreen) blocks only .exe files. Does it check other executable files, like jar for example? If so, is there any list showing those extensions?
Thanks..
 

Petrovic

Level 64
Verified
Honorary Member
Top Poster
Well-known
Apr 25, 2013
5,356
Windows 8 introduced SmartScreen filtering at the desktop level, performing reputation checks by default on any file or application downloaded from the Internet. Microsoft faced concerns surrounding the privacy, legality and effectiveness of the new system; suggesting that the automatic analysis of files (which involves sending a cryptographic hash of the file and the user's IP address to a server) could be used to build a database of users' downloads online, and that the use of the outdated SSL 2.0 protocol for communication could allow an attacker to eavesdrop on the data. In response, Microsoft later issued a statement noting that IP addresses were only being collected as part of the normal operation of the service and would be periodically deleted, that SmartScreen on Windows 8 would only use SSL 3.0 for security reasons, and that information gathered via SmartScreen would not be used for advertising purposes or sold to third parties.
http://en.wikipedia.org/wiki/Microsoft_SmartScreen
 

Nikos751

So no other file types other than exe's, correct?
 

Littlebits

Retired Staff
May 3, 2011
3,893
So no other file types other than exe's, correct?
I believe it checks all binary files for digital certificates, locations of download source and Microsoft's own whitelists.
Binary files are any file type extensions capable of making changes to your system including scripts.

There really is no info that I can find that lists all of the extensions supported by SmartScreen.

Test it for yourself, try to download other file type extensions and see if SmartScreen displays warnings.

Full list of binary files type extensions located here- http://www.wotsit.org/list.asp?page=1&fc=5&search=&al=

Enjoy!! :D
 

Petrovic

Windows 8 includes a SmartScreen filter that prevents unknown and malicious programs from running. SmartScreen is part of Internet Explorer 8 and 9 – with Windows 8, it’s now integrated into the operating system.

SmartScreen is a useful security feature that will help prevent bad applications from running, but it may occasionally prevent a legitimate application from running. SmartScreen reports some information to Microsoft, so it may have some privacy implications.


How SmartScreen Works
By default, Windows 8 sends information about every application you download and install to Microsoft’s servers. Microsoft’s servers respond with an assessment of the application – if the application you’ve downloaded is something legitimate and fairly popular, such as Mozilla Firefox or iTunes, Windows 8 will run the application.

If SmartScreen doesn’t know about an application – whether it’s a new form of malware or just a niche program that few people use – Windows 8 will prevent the application from running on your computer. It will also prevent known-bad programs from running.

This is similar to the way SmartScreen works in Internet Explorer 8 and 9. When you download an application, Internet Explorer’s SmartScreen filter contacts Microsoft’s servers to determine whether the download should be allowed or not. However, with Windows 8, this is now integrated into Windows itself – if you download an application with another browser, such as Firefox or Chrome, SmartScreen will check the application.


Running An Unrecognized Application
When you try to launch an application SmartScreen doesn’t recognize, it will display a message saying it “protected your PC” by preventing the application from running. It’s good to be cautious if you encounter this message – however, some legitimate applications may be considered unrecognized.

If you’re sure that an application you want to use is safe, click the More info link.


Click the Run anyway button and Windows will allow the application to run, bypassing the SmartScreen filter.


Privacy Concerns
Because SmartScreen reports information about each application you run to Microsoft to check whether the application should be run or not, it’s been singled out in the media as a potential privacy problem.

SmartScreen sends several pieces of data to Microsoft when you run a program. The information includes the file name of the application you attempt to run, along with a hash of the application’s contents — this hash is compared to Microsoft’s database. If it matches a known-good application, such as iTunes, it’s allowed to run. (For more information about the exact data sent to Microsoft, read this post on the Within Windows blog.)

When you attempt to run an application on Windows 8, Microsoft will know the file name of the application you’re attempting to run, along with your IP address.


However, Microsoft has responded to these concerns, saying they’re not building a database of programs linked to specific users:

“We can confirm that we are not building a historical database of program and user IP data. Like all online services, IP addresses are necessary to connect to our service, but we periodically delete them from our logs. As our privacy statements indicate, we take steps to protect our users’ privacy on the backend. We don’t use this data to identify, contact or target advertising to our users and we don’t share it with third parties.”

SmartScreen is a useful security feature that can help prevent less-experienced users from running applications they shouldn’t run.
http://www.howtogeek.com/123938/htg-explains-how-the-smartscreen-filter-works-in-windows-8/
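
Added example, not part of the thread or the quoted article: Windows records "downloaded from the Internet" as a Zone.Identifier alternate data stream (ZoneId=3) on the file, and the desktop SmartScreen check applies to files carrying that mark. When testing which extensions trigger a warning, this PowerShell sketch (assumes NTFS, PowerShell 3.0 or later, and the default Downloads folder as the test location) lists each file's extension next to the zone it was tagged with.

```powershell
# Added example: inventory the Zone.Identifier mark on files in a folder,
# so test results can be compared per extension.
param(
    [string]$Folder = "$env:USERPROFILE\Downloads"   # assumed test folder
)

# URL security zone numbers as used in the ZoneId field.
$zoneNames = @{
    0 = 'Local machine'
    1 = 'Local intranet'
    2 = 'Trusted sites'
    3 = 'Internet'
    4 = 'Restricted sites'
}

Get-ChildItem -LiteralPath $Folder -File | ForEach-Object {
    $zoneId = $null

    # Files without the stream raise a non-terminating error; suppress it
    # and treat them as carrying no mark.
    $stream = Get-Content -LiteralPath $_.FullName -Stream Zone.Identifier `
                          -ErrorAction SilentlyContinue

    # The stream is INI-style text, e.g. "[ZoneTransfer]" then "ZoneId=3".
    foreach ($line in $stream) {
        if ($line -match '^\s*ZoneId\s*=\s*(\d+)') {
            $zoneId = [int]$Matches[1]
        }
    }

    [pscustomobject]@{
        Name      = $_.Name
        Extension = $_.Extension.ToLower()
        ZoneId    = $zoneId
        Zone      = if ($null -ne $zoneId) { $zoneNames[$zoneId] } else { 'No mark' }
    }
} | Sort-Object Extension, Name | Format-Table -AutoSize
```

A file that shows "No mark" (for example, one copied from a FAT-formatted drive) was not tagged as an Internet download, so a missing warning for it says nothing about whether its extension is covered.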
 

Nikos751

Good question, is this the right kind of example?
http://blog.malwarebytes.org/security-threat/2014/03/malicious-messages-foray-facebook/
- Can it block this, if flagged by Windows SmartScreen?
Malware like this made me ask this question!
Also, I assume SmartScreen cannot block payloads that try to run only files executed by the user.


I did some testing in a VM yesterday and saw SmartScreen blocking a malware sample with an extension like CPI (control panel item, I think).
 