A little known feature making a big difference

As part of National Cyber Security Awareness Week, we wanted to highlight one of the lesser known features in your browser that is making a big difference to the safety of Australian consumers online.  It’s called SmartScreen Application Reputation and it’s a free feature switched on by default in Internet Explorer 9.

Social-engineering attacks, like tricking a user into running a malicious program, are far more common than attacks on security vulnerabilities. Despite the headlines, recent studies show people browsing the Web are much more likely to face a socially engineered attack. User-downloaded malware is a huge problem and getting bigger, Application Reputation in Internet Explorer 9 (IE9) steps in to help protect users from these socially engineered malware attacks.

In worldwide tests, SmartScreen blocks between 2 and 5 million attacks a day for IE8 and IE9 users, proving to block between 90% and 99% of all socially engineered malware. From our experience operating these services at scale, we have found that 1 out of every 14 programs downloaded is later confirmed as malware.

                       From NSS Labs: Web Browser Group Test Socially-Engineered Malware Q3 2010

SmartScreen was first introduced to protect users from sites that tricked users with instructions like “Run this to watch movies for free, download this security software to clean your machine, or get great emoticons!” to get users to download and run malicious software. But SmartScreen Application Reputation added another layer of defense against socially engineered attacks by looking at the actual application being downloaded, not just its web address (URL). When it comes to program downloads, other browsers today either warn on every file or don’t warn at all. Neither of these approaches helps the user make a better decision.

Using reputation helps protect users from newly released malware programs - pretending to be legitimate software programs – even those that are not yet detected by existing defense mechanisms like antivirus software. Reputation also removes unnecessary warnings for downloads with an established positive reputation. Both publishers and individual applications build reputation. For example, a digitally signed application from a well-known publisher that has been widely downloaded has a better reputation than an unsigned application that has not yet been downloaded widely and has just been posted on a newly created Web site.

Looking at a Real World Attack

Let’s look at how the feature protected actual Internet Explorer 9 users from one particular attack. The figure shows the download traffic of a very large-scale malware attack (hundreds of thousands of downloads). Application Reputation warned IE9 users about this malicious program from the very moment it hit the Web at Hour 0:

Real Malware Attack Traffic & Timeline

Traditional block-based protection (URL-blocking as well as anti-virus) came in after Hour 11, well after the attack had passed its active period. The download warning within Internet Explorer 9 about the lack of an application reputation was the only defense that users had. 99% of IE9 users who clicked to download this malicious program chose to delete or not run the program from the Application Reputation unknown program warning.


SmartScreen Application Reputation Unknown Program Warning

In this attack, IE9 Application Reputation interrupted the deception of the attack (which was otherwise very convincing) and most users were able to make a great decision on their own. This outcome is exactly why we built SmartScreen Application Reputation into IE9. 99% of users were able to avoid the infection.

A Game Changer

This is just one real-world example, but it’s a pattern we see time and time again. Application Reputation is a game changer for protection against socially-engineered malware attacks, the largest risk on the Web today, and it’s effectiveness is proven in the data.

We’re seeing a dramatic reduction in malware infections for IE9 users.  Users are choosing to delete or not run malware 95% of the time from the new Application Reputation warnings.

And the streamlined user experience warns only when the risk is high.  Because programs and publishers can now establish a reputation, 90% of program downloads no longer show browser security warnings when users have SmartScreen enabled.  From our data, the typical user will only see 2 warnings per year, while on any given day, clicking through the “unknown warning” carries a risk between 25% and 70% of malware infection.

The reputation that applications and publishers build from actual customers is at the core of how this protection works. Most people would be cautious about buying something online from a complete stranger, but are more confident buying online from a brand they trust that has a good reputation in the community.  IE9 applies a similar concept of community reputation to programs that users download. From the data we’ve collected about user downloads from the browser, 1 out of every 14 programs downloaded is later confirmed as malware. Consumers need information to make better decisions.

IE9 uses an application’s reputation to warn customers about downloads that carry a higher risk because they have not yet established a reputation. More than 50% of programs lacking a reputation are new to the Web on a given day. On a daily basis, 25% to 70% of programs that trigger an Application Reputation warning in IE9 are later confirmed as malware. Programs and publishers that have already built reputation do not show a warning.

Many users rarely or never download programs that don’t already have an established application reputation. When they do, this warning is critical. Users are more likely to pay attention to this warning because it appears infrequently. Users can still choose to download the file. Our data shows that customers are making more informed choices – taking the time to check the source, or confirm it is something they meant to download. With SmartScreen Application Reputation, users are doing a much better job distinguishing between malware and legitimate downloads.

Beyond the Browser

SmartScreen Application Reputation is protecting consumers every day.  It’s on by default in Internet Explorer 9 and can be switched on as a setting in Internet Explorer 8.  As we move forward, SmartScreen is moving beyond the browser to become part of the Windows 8 operating system where it can provide even greater levels of protection.

There are many reasons to take advantage of Internet Explorer 9. We think staying safer online is a big one.