SmartScreen Filter discussion


Tripredacus

I'm taking a look around at all the hullabaloo about the SmartScreen Filter sending info about what apps you download and install. The Windows 8 EULA makes a mention of it specifically, but says that it is disabled by default. I do not have a key to activate my Windows 8 deployment (I'm in Audit Mode), so I cannot determine whether it gets enabled during OOBE or what.

Anyways, it looks to me that SmartScreen is only a function of Internet Explorer, and may not have anything to do with installing software off a disc, or if you downloaded something using another browser.

Also, my IE9 on my Win7 PC has the same thing, SmartScreen Filter installed AND enabled... Is the SmartScreen Filter in IE9 really any different than the one in IE10 that comes with Windows 8?


Smartscreen is extended when run in Win8 to verify the authenticity of apps or programs you install or sideload, which is where it differs from IE9 on Win7 (only reports on downloaded files via IE if there's an attempt to install it).

Yeah, it's extended telemetry scope from IE into the whole of Windows.

As its scope enlarges, it can now be used to observe users' installing behaviour.

It can easily be employed to get a general idea of which apps were popular in specific IP regions.

I get the feeling this is some kind of Google envy, Google being capable of observing (and profiling) its users' search behaviour.

Smartscreen is extended when run in Win8 to verify the authenticity of apps or programs you install or sideload, which is where it differs from IE9 on Win7 (only reports on downloaded files via IE if there's an attempt to install it).

cluberti, can you expand on this? The reporting about this is all over the map. Just off the top of my head I can think of lots of ways to install. But what constitutes an "install"? Is it when an UNINSTALL entry is created, allowing add/remove of the program?

Do we know enough yet to make a comprehensive yes/no list? Maybe something like this:

Metro Apps installed through official store ..................... yes (presumably)

Metro Apps installed bypassing official store (theoretical) .....

Win Applications installed by local signed installer ............

Win Applications installed by local unsigned installer ..........

Win Applications pushed by local setup, no UNINSTALL registry ...

Win Applications downloaded and "Run" in MSIE ...................

Win Applications downloaded and "Run" in Firefox ................

Win Applications downloaded and "Run" in Chrome .................

Win Applications downloaded and "Run" in Opera ..................

Win Applications downloaded but NOT installed by MSIE ...........

Win Applications downloaded but NOT installed by Firefox ........

Win Applications downloaded but NOT installed by Chrome .........

Win Applications downloaded but NOT installed by Opera ..........

Would variations using a local network differ from purely local setup files? If anyone can think of another "install" vector please mention it!

The guy that most probably started it all, Nadim Kobeissi:

http://log.nadim.cc/?p=78

is talking of "download from internet and open the install", so it is likely (but of course needs to be checked/confirmed) that there is a connection with the "Zone.Identifier" alternate data stream, as has been the case till now; examples:

http://www.hanselman.com/blog/RemovingSecurityFromDownloadedPowerShellScriptsWithAlternativeDataStreams.aspx

http://thewayeye.net/2012/march/2/bulk-removing-zoneidentifier-alternate-data-streams-downloaded-windows-files

http://www.nirsoft.net/utils/alternate_data_streams.html

or some similar mechanism.

jaclaz

P.S.: EDIT:

Confirmed:

http://arstechnica.com/information-technology/2012/08/windows-8-privacy-complaint-misses-the-forest-for-the-trees/

and Chrome seemingly does the same.

P.P.S.: An old post, but seemingly Opera doesn't use this approach (and the author Cristian Adam seemingly submitted it to Opera as a bug :w00t:)

http://cristianadam.blogspot.it/2009/09/hidden-stream.html

Mozilla/Firefox should be "user selectable":

https://bugzilla.mozilla.org/show_bug.cgi?id=499448

I presume that SRWare Iron is also immune from this, but it is not mentioned:

http://www.srware.net/en/software_srware_iron_chrome_vs_iron.php

I take it back, Iron also sets the Alternate Data Stream :( <- someone should post this as a bug!

Also, since Alternate Data Streams are NTFS only, if you store the downloaded programs on a FAT12 :w00t: /16/32/64 (ex_FAT) there should be no triggering of SmartScreen :unsure: .

Edited by jaclaz
Yes, it's better to just disable it by running smartscreensettings.exe and then turn off the Action Center nags as well. Maybe IE SmartScreen was useful for general browsing protection, but its addition to IE's download reputation building, which scares users by classifying genuine downloads as potentially malicious, or directly in Windows, which sends file names in encoded form to MS, is overly intrusive of privacy.

Edited by xpclient
(... lots of good info ...)

Also, since Alternate Data Streams are NTFS only, if you store the downloaded programs on a FAT12 :w00t: /16/32/64 (ex_FAT) there should be no triggering of SmartScreen :unsure: .

Yes, I believe this is a very good way to go. There is still life in them FAT bones after all. A FAT partition or maybe a FAT flashdrive stuck in USB for \Downloads as a security buffer.

The person must remember to download to, and execute the SETUP.EXE file from, the FAT partition. Either that, or copy the \Downloads folder to a FAT disk, or run an ADS stripper.

Downloading from a browser (but no "RUN") to an NTFS partition and later executing the file means an ADS is probably still attached. This is because Firefox, Opera, MSIE (not sure about Chrome) download it to one of their temp/history/wip folders (assuredly on the NTFS system partition) and copy it when done, ADS would naturally also be copied.

My previous thinking was *.Microsoft.com in outbound firewall blacklist, with 'allow this time' prompt à la carte.

Downloading from a browser (but no "RUN") to an NTFS partition and later executing the file means an ADS is probably still attached. This is because Firefox, Opera, MSIE (not sure about Chrome) download it to one of their temp/history/wip folders (assuredly on the NTFS system partition) and copy it when done, ADS would naturally also be copied.

No. :no:

At least up to version 10.*something* Opera is "kosher".

And as said in Firefox it can be turned off by the user.

@Joseph_sw

That would be really mean :ph34r: , but yes, I don't see why it wouldn't be possible....

jaclaz

The link that Jaclaz posted above does seem to have a good summary of what is known. Here it is again ...

Windows 8 privacy complaint misses the forest for the trees (Ars Technica, 2012-08-25)

If it is all correct, the linchpin really is browser based downloads. Some key paragraphs about the mechanics of the filter:

"Windows 8 extends the SmartScreen system to cover not just the URLs visited in the browser, but also files downloaded by the browser. Whenever Internet Explorer saves a file to disk, it adds information called a Zone Identifier to the file that indicates whether the file came from the Internet, the local intranet, a trusted site, or elsewhere. HTML files are additionally given the Mark of the Web to denote their origin. Third-party browsers such as Chrome do the same.

In Windows 7, running an executable that has a Zone Identifier, but which lacks a trusted digital signature, yields a generic warning message to say that the program's safety can't be vouched for. Removing the Zone Identifier prevents the warning from recurring.

In Windows 8, instead of merely showing a generic warning, the operating system does a SmartScreen check on the downloaded file. Because this is a file on a hard disk rather than a URL, Windows doesn't have a URL to send. Instead, as described by Rafael Rivera, it sends the file's name and a hash (a kind of cryptographic "fingerprint") of the file's contents."

There is much more, including speculation about what happens in Redmond to the uploaded hash and how it may be cross-referenced to your IP address or Windows Live ID.

Some people, specifically the Microsoft knee-jerk defenders, are 'missing the forest for the trees' in yet another way, by scoffing at Kobeissi's findings and speculation because it was not perfect (SSLv2 being used or not), thereby supposedly nullifying all his points!?! :no: Sorry, that is just not logical IMHO. The man was starting from a point of zero information by design, since Microsoft naturally isn't blogging about the mechanics of SmartScreen. He is trying to 'cleanroom' his way to the answer and cannot be expected to nail it down immediately. His critics are pathetic IMHO, because if left to them, Microsoft could implement anything no matter how draconian. Guess what, without details from Microsoft all we have is this kind of research, speculation and educated guesses based upon previous history.
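The two mechanics the thread keeps coming back to, the Zone.Identifier alternate data stream that jaclaz points to and the "file name plus content hash" check quoted from Ars Technica above, can be inspected locally. The script below is an added example written for this thread; it is not code from any poster, from Microsoft or from the Ars article. It assumes the documented INI-style layout of the stream (`[ZoneTransfer]` section, `ZoneId=` key, on newer builds also `ReferrerUrl=`/`HostUrl=`) and the standard URL security zone numbering (0 local machine, 1 intranet, 2 trusted, 3 Internet, 4 restricted). The sample streams are constructed, not captured from a real machine, and the SHA-256 stands in for the unspecified "hash" in the quote; the thread does not say which algorithm SmartScreen uses. Reading the stream itself only works on Windows/NTFS, which is exactly why a FAT-backed Downloads folder, as discussed above, carries no marker at all.

```python
"""Inspect the Zone.Identifier marker that browsers attach to downloads.

Added example for this thread, not code from any poster. On NTFS the marker
lives in an alternate data stream named "<file>:Zone.Identifier" whose body
looks like:

    [ZoneTransfer]
    ZoneId=3
    ReferrerUrl=https://...   (newer Windows builds / browsers)
    HostUrl=https://...
"""
import hashlib
import sys

# Standard URL security zone numbering used by the ZoneId key.
URL_ZONES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}

# Constructed sample streams (not captured from a real machine).
SAMPLE_IE_STREAM = b"[ZoneTransfer]\r\nZoneId=3\r\n"
SAMPLE_CHROME_STREAM = (
    b"[ZoneTransfer]\r\nZoneId=3\r\n"
    b"ReferrerUrl=https://example.invalid/downloads/\r\n"
    b"HostUrl=https://example.invalid/files/setup.exe\r\n"
)
SAMPLE_INTRANET_STREAM = b"[ZoneTransfer]\r\nZoneId=1\r\n"


def parse_zone_identifier(data: bytes) -> dict:
    """Parse the stream body into a dict; ZoneId is converted to int.
    Only keys inside the [ZoneTransfer] section are kept."""
    text = data.decode("utf-8", errors="replace")
    result = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "zonetransfer"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key.lower() == "zoneid":
            try:
                result["ZoneId"] = int(value)
            except ValueError:
                pass  # malformed ZoneId: treat the marker as having none
        else:
            result[key] = value
    return result


def zone_name(zone_id) -> str:
    return URL_ZONES.get(zone_id, f"Unknown zone {zone_id!r}")


def triggers_origin_check(marker: dict) -> bool:
    """Only Internet (3) and Restricted (4) origins are treated as untrusted
    downloads; intranet/trusted/local markers do not trip the check."""
    return marker.get("ZoneId") in (3, 4)


def read_zone_identifier(path: str):
    """Read and parse the ADS of a file on Windows/NTFS. Returns None when
    there is no marker, on FAT/exFAT (no streams), or on a non-Windows host."""
    if not sys.platform.startswith("win"):
        return None
    try:
        with open(path + ":Zone.Identifier", "rb") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None


def content_fingerprint(data: bytes) -> str:
    """Illustrative content hash; the actual SmartScreen algorithm is not
    stated in the thread."""
    return hashlib.sha256(data).hexdigest()


def describe(name: str, stream_bytes: bytes, file_bytes: bytes) -> dict:
    """Summarise what a defender would want to know about one download."""
    marker = parse_zone_identifier(stream_bytes)
    return {
        "name": name,
        "zone": zone_name(marker.get("ZoneId")),
        "checked": triggers_origin_check(marker),
        "host": marker.get("HostUrl"),
        "sha256": content_fingerprint(file_bytes),
    }


if __name__ == "__main__":
    payload = b"constructed placeholder bytes, not a real executable"
    for label, stream in (("ie", SAMPLE_IE_STREAM),
                          ("chrome", SAMPLE_CHROME_STREAM),
                          ("intranet", SAMPLE_INTRANET_STREAM)):
        print(describe(label + "-setup.exe", stream, payload))
```

On a Windows box, `read_zone_identifier(r"C:\Users\me\Downloads\setup.exe")` returns the parsed marker (or None once an ADS stripper has removed it); everywhere else the constructed samples exercise the same parsing and zone classification.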
