Tripredacus Posted August 29, 2012

I'm taking a look around at all the hullabaloo about the SmartScreen Filter sending info about what apps you download and install. The Windows 8 EULA makes a mention of it specifically, but that it is disabled by default. I do not have a key to activate my Windows 8 deployment (I'm in Audit Mode) so I cannot determine if it gets enabled during OOBE or what.

Anyways, it looks to me that SmartScreen is only a function of Internet Explorer, and may not have anything to do with installing software off a disc, or if you downloaded something using another browser. Also, my IE9 on my Win7 PC has the same thing, SmartScreen Filter installed AND enabled...

Is the SmartScreen Filter in IE9 really any different than the one in IE10 that comes with Windows 8?

cluberti Posted August 29, 2012

Smartscreen is extended when run in Win8 to verify the authenticity of apps or programs you install or sideload, which is where it differs from IE9 on Win7 (only reports on downloaded files via IE if there's an attempt to install it).

Joseph_sw Posted August 29, 2012

Yeah, it has extended its telemetry scope from IE into the whole of Windows.
As its scope enlarges, it can now be used to observe users' installing behaviour.
It can easily be employed to get a general idea of which apps were popular in specific IP regions.
I've got this feeling this is some kind of envy of Google, who is capable of observing (& profiling) its users' search behaviour.

CharlotteTheHarlot Posted August 30, 2012

> Smartscreen is extended when run in Win8 to verify the authenticity of apps or programs you install or sideload, which is where it differs from IE9 on Win7 (only reports on downloaded files via IE if there's an attempt to install it).

cluberti, can you expand on this? The reporting about this is all over the map. Just off the top of my head I can think of lots of ways to install. But what constitutes an "install"? Is it when an UNINSTALL entry is created allowing add/remove of the program?

Do we know enough yet to make a comprehensive yes/no list? Maybe something like this:

Metro Apps installed through official store ..................... yes (presumably)
Metro Apps installed bypassing official store (theoretical) .....
Win Applications installed by local signed installer ............
Win Applications installed by local unsigned installer ..........
Win Applications pushed by local setup, no UNINSTALL registry ...
Win Applications downloaded and "Run" in MSIE ...................
Win Applications downloaded and "Run" in Firefox ................
Win Applications downloaded and "Run" in Chrome .................
Win Applications downloaded and "Run" in Opera ..................
Win Applications downloaded but NOT installed by MSIE ...........
Win Applications downloaded but NOT installed by Firefox ........
Win Applications downloaded but NOT installed by Chrome .........
Win Applications downloaded but NOT installed by Opera ..........

Would variations using a local network differ from purely local setup files? If anyone can think of another "install" vector please mention it!

jaclaz Posted August 30, 2012

The guy that most probably started it all, Nadim Kobeissi:
http://log.nadim.cc/?p=78
is talking of "download from internet and open the install", so it is likely (but of course needs to be checked/confirmed) that there is a connection with the "Zone.Identifier" alternate data stream, like it was till now, examples:
http://www.hanselman.com/blog/RemovingSecurityFromDownloadedPowerShellScriptsWithAlternativeDataStreams.aspx
http://thewayeye.net/2012/march/2/bulk-removing-zoneidentifier-alternate-data-streams-downloaded-windows-files
http://www.nirsoft.net/utils/alternate_data_streams.html
or some similar mechanism.

jaclaz

P.S.: EDIT: Confirmed:
http://arstechnica.com/information-technology/2012/08/windows-8-privacy-complaint-misses-the-forest-for-the-trees/
and Chrome seemingly does the same.

P.P.S.: An old post, but seemingly Opera doesn't use this approach (and the author Cristian Adam seemingly submitted it to Opera as a bug):
http://cristianadam.blogspot.it/2009/09/hidden-stream.html
Mozilla/Firefox should be "user selectable":
https://bugzilla.mozilla.org/show_bug.cgi?id=499448
I presume that also SRware Iron is immune from this, but it is not mentioned:
http://www.srware.net/en/software_srware_iron_chrome_vs_iron.php
I take it back, also Iron sets the Alternate Data Stream <- someone should post this as a bug!

Also, since Alternate Data Streams are NTFS only, if you store the downloaded programs on a FAT12 /16/32/64 (ex_FAT) there should be no triggering of SmartScreen.

Edited August 30, 2012 by jaclaz

MagicAndre1981 Posted August 30, 2012

I always disable Smartscreen in the first step.

xpclient Posted August 30, 2012

Yes, it's better to just disable it by running smartscreensettings.exe and then turn off the Action Center nags as well. Maybe IE smartscreen was useful for general browsing protection, but its addition to IE's download reputation building, which scares users by classifying genuine downloads as potentially malicious, or directly in Windows, which sends file names in encoded form to MS, is overly intrusive of privacy.

Edited August 30, 2012 by xpclient

Joseph_sw Posted August 31, 2012

So, in theory, it's possible to create annoyance for SmartScreen believers, by running a script/app that may add an ADS to any files on an NTFS volume?

CharlotteTheHarlot Posted August 31, 2012

> (... lots of good info ...)
> Also, since Alternate Data Streams are NTFS only, if you store the downloaded programs on a FAT12 /16/32/64 (ex_FAT) there should be no triggering of SmartScreen.

Yes, I believe this is a very good way to go. There is still life in them FAT bones after all. A FAT partition or maybe a FAT flashdrive stuck in USB for \Downloads as a security buffer.

The person must remember to download to and execute the SETUP.EXE file from the FAT partition. Either that or copy the \Downloads folder to a FAT disk, or run an ADS stripper.

Downloading from a browser (but no "RUN") to an NTFS partition and later executing the file means an ADS is probably still attached. This is because Firefox, Opera, MSIE (not sure about Chrome) download it to one of their temp/history/wip folders (assuredly on the NTFS system partition) and copy it when done; the ADS would naturally also be copied.

My previous thinking was *.Microsoft.com in outbound firewall blacklist, with 'allow this time' prompt à la carte.

jaclaz Posted August 31, 2012

> Downloading from a browser (but no "RUN") to an NTFS partition and later executing the file means an ADS is probably still attached. This is because Firefox, Opera, MSIE (not sure about Chrome) download it to one of their temp/history/wip folders (assuredly on the NTFS system partition) and copy it when done, ADS would naturally also be copied.

No. At least up to version 10.*something* Opera is "kosher".
And as said, in Firefox it can be turned off by the user.

@Joseph_sw
That would be really mean, but yes, I don't see why it wouldn't be possible....

jaclaz

CharlotteTheHarlot Posted September 1, 2012

The link that Jaclaz posted above does seem to have a good summary of what is known. Here it is again ...

Windows 8 privacy complaint misses the forest for the trees ( Ars Technica 2012-08-25 )

If it is all correct, the linchpin really is browser based downloads. Some key paragraphs about the mechanics of the filter:

"Windows 8 extends the SmartScreen system to cover not just the URLs visited in the browser, but also files downloaded by the browser. Whenever Internet Explorer saves a file to disk, it adds information called a Zone Identifier to the file that indicates whether the file came from the Internet, the local intranet, a trusted site, or elsewhere. HTML files are additionally given the Mark of the Web to denote their origin. Third-party browsers such as Chrome do the same.

In Windows 7, running an executable that has a Zone Identifier, but which lacks a trusted digital signature, yields a generic warning message to say that the program's safety can't be vouched for. Removing the Zone Identifier prevents the warning from recurring.

In Windows 8, instead of merely showing a generic warning, the operating system does a SmartScreen check on the downloaded file. Because this is a file on a hard disk rather than a URL, Windows doesn't have a URL to send. Instead, as described by Rafael Rivera, it sends the file's name and a hash (a kind of cryptographic "fingerprint") of the file's contents."

There is much more, including speculation about what happens in Redmond to the uploaded hash and how it may be cross-referenced to your IP address or Windows Live ID.

Some people, specifically the Microsoft knee-jerk defenders, are 'missing the forest for the trees' in yet another way, by scoffing at Kobeissi's findings and speculation because it was not perfect ( SSLv2 being used or not ), thereby supposedly nullifying all his points!?! Sorry, that is just not logical IMHO. The man was starting from a point of zero information by design since Microsoft naturally isn't blogging about the mechanics of SmartScreen. He is trying to 'cleanroom' his way to the answer and cannot be expected to nail it down immediately. His critics are pathetic IMHO, because if left to them, Microsoft could implement anything no matter how draconian. Guess what, without details from Microsoft all we have is this kind of research, speculation and educated guesses based upon previous history.
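
Added example, not part of the thread or any poster's code: the "Zone.Identifier" alternate data stream that jaclaz's post and the quoted Ars Technica paragraphs describe is a small INI-style text stream, and this Python sketch reads it so a download folder can be audited for files that still carry the mark. The function names and the sample stream content are constructed for illustration; the ZoneId numbers are the standard Windows URL security zone numbers.

```python
import configparser
import os

# Standard Windows URL security zone numbers stored in ZoneId.
ZONES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}

# Constructed sample: what a browser writes for a file saved from the Internet.
SAMPLE = "[ZoneTransfer]\r\nZoneId=3\r\n"


def parse_zone_identifier(text):
    """Return the ZoneId (int) from stream content, or None if malformed."""
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(text.lstrip("\ufeff"))  # tolerate a leading BOM
        return int(parser["ZoneTransfer"]["ZoneId"])
    except (configparser.Error, KeyError, ValueError):
        return None


def read_zone(path):
    """Read path's Zone.Identifier stream (Windows/NTFS only).

    Returns None when no stream exists: the file was never marked, the
    stream was stripped, or the volume (FAT, non-Windows) cannot hold one.
    """
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8",
                  errors="replace") as stream:
            return parse_zone_identifier(stream.read())
    except OSError:
        return None


def audit(folder, reader=read_zone):
    """Return {file name: zone name} for files in folder that carry a mark."""
    marked = {}
    for entry in sorted(os.listdir(folder)):
        full = os.path.join(folder, entry)
        if os.path.isfile(full):
            zone = reader(full)
            if zone is not None:
                marked[entry] = ZONES.get(zone, "Unknown zone %d" % zone)
    return marked


if __name__ == "__main__":
    print(ZONES[parse_zone_identifier(SAMPLE)])
```

Run against a folder on a FAT volume, `audit` returns an empty dict, which matches the point made in the thread that alternate data streams exist only on NTFS.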