IE8 Security Part IX - Anti-Malware protection with IE8’s SmartScreen Filter

Over the last year, we’ve published two posts about how the IE8 SmartScreen® filter helps to prevent phishing and malware attacks.  In this post, I’d like to share some real-world data on the protection provided to IE8 pre-release users by the anti-malware feature.  We’ve invested heavily in this feature, and we’ve seen significant results.

Here are some key statistics:

  • We have delivered over 10 million malware blocks in the past six months
  • That’s a block for one out of 40 users, every week
  • We’ve seen (and blocked) one in every 200 downloads as malicious

These are BIG numbers – each malicious download blocked helps prevent compromise of that user’s computer.

Here’s how it works: SmartScreen’s malware protection focuses on identifying and blocking sites on the web that are distributing malicious software.  As a reputation-based feature, SmartScreen can block new threats from existing malicious sites, even if those threats are not yet blocked by traditional anti-virus or anti-malware signatures.  In this way, the SmartScreen filter complements traditional anti-virus products by providing additional dimensions for both identification and protection.  For comprehensive protection from malware, we highly recommend that users also install traditional anti-virus products and keep them up to date.

SmartScreen delivers blocks both in the navigation experience and in the file download experience depending on the situation.  This level of control allows us to block entirely malicious sites, portions of sites or just a single malicious download on an otherwise clean site (for instance, a social networking or file-sharing site).  Similar to our anti-phishing efforts, we source the malware data based on a combination of Microsoft internal and 3rd party data to deliver the most relevant, comprehensive protection.  We’re committed to making the browsing experience safer and have a team of people constantly researching and improving protection.
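The three block granularities described above (an entire site, a portion of a site, or a single download on an otherwise clean site) can be sketched as a reputation lookup. This is an added example, not SmartScreen's actual implementation; the list format, the function names and the `.example` hosts are assumptions constructed for illustration.

```javascript
// Added illustration, not SmartScreen's implementation: a reputation lookup
// that can block a whole site, a portion of a site, or a single download.
// Every entry is constructed sample data on reserved .example domains.
const REPUTATION = [
  { scope: "site", host: "malware-host.example" },
  { scope: "portion", host: "mixed-site.example", prefix: "/freecodecs/" },
  { scope: "download", host: "fileshare.example", path: "/dl/greeting-card.exe" },
];

// Normalize before matching so trivial URL variations do not evade a block.
function normalize(rawUrl) {
  let u;
  try {
    u = new URL(rawUrl); // lowercases the host, resolves "." and ".." segments
  } catch (e) {
    return null;
  }
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;
  let path = u.pathname;
  try {
    path = decodeURIComponent(path); // "%66reecodecs" becomes "freecodecs"
  } catch (e) {
    // Malformed escape sequence: keep the raw path.
  }
  return { host: u.hostname.replace(/\.$/, ""), path };
}

function checkUrl(rawUrl) {
  const n = normalize(rawUrl);
  // Assumption: unparseable input is simply not matched by this sketch.
  if (!n) return { blocked: false, scope: null };
  for (const e of REPUTATION) {
    const exact = n.host === e.host;
    const sub = n.host.endsWith("." + e.host); // subdomains of a listed site
    if (e.scope === "site" && (exact || sub)) return { blocked: true, scope: "site" };
    if (e.scope === "portion" && exact && n.path.startsWith(e.prefix)) {
      return { blocked: true, scope: "portion" };
    }
    if (e.scope === "download" && exact && n.path === e.path) {
      return { blocked: true, scope: "download" };
    }
  }
  return { blocked: false, scope: null };
}
```

The rest of a partially listed site stays reachable: only the listed path prefix or the single listed file is matched.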

Not all malware protection is created equal: just because a browser has anti-malware features doesn’t mean it protects users from the most relevant threats.  NSS Labs recently released a study comparing leading browsers on their ability to block malware attack sites that attempt to fool the user with social engineering.  As you can see from the chart below, IE8 is detecting two to four times more attacks than the other browsers.  Note that IE7 does not have anti-malware URL filtering; the IE7 blocks below are due to malware sites that are also phishing sites blocked by IE7’s Phishing Filter.

Chart of Malware block rates from various browsers.

We’re committed to continuing to deliver the most relevant protection to our users.  With the investments we’ve made in hardening the IE platform, the user is usually the weakest link. Prevalent malware is packaged and delivered in such misleading ways that users understandably have a hard time recognizing when they are at risk.  That’s where SmartScreen steps in.

Here are some common examples of what users think they are downloading:
  • Anti-Virus/Anti-Spyware products
  • Free videos, codecs & images
  • Utilities or other software
  • Online greeting cards
  • Games

Here are the types of files users are actually trying to download:

  • Viruses
  • Spyware
  • Adware
  • Trojans
  • Backdoors
  • Dialers
  • Worms
  • Downloaders
  • Password stealers
  • Monitoring software

There are screenshots of several malicious sites in the safer online experience paper we recently published.

How you can help

Please report sites that you think may be malicious by using the built-in reporting mechanism in IE8. Click on the new Safety menu | SmartScreen Filter | Report Unsafe Website.  Reports of malicious sites will be verified by Microsoft and added to the SmartScreen filter database.

Comprehensive Protection

With the demonstrated efficacy of IE8’s SmartScreen filter, we know that internet crime will evolve.  That’s why it’s so important for us to invest in comprehensive protection to address emerging threats.  Key on our list are attacks against web applications, which represent increasingly valuable targets as users’ information is moved online.

  • IE8 is the only browser to block XSS attacks “out-of-the-box.”
  • IE8 introduced the first “out-of-the-box” mechanism to allow sites to prevent ClickJacking attacks.
  • IE8 introduces new functions which allow sites to build more-secure mashups (toStaticHTML(), XDomainRequest) and supports new standards-based mechanisms (Native JSON support, postMessage()).
  • Safer default settings (DEP/NX, per-site AX) mean that users are better-protected than ever before.  Group Policy controls (for ActiveX management, enforced SmartScreen blocking, etc.) allow IT administrators to reduce the number of trust decisions users face when using IE8.

We’re committed to protecting our users from the attacks of today and the attacks of the future.  Please stay tuned to the IEBlog for further posts on IE8 Security improvements and results.

Thanks!

Eric Lawrence
Program Manager