IEInternals

A look at Internet Explorer from the inside out. @EricLaw left Microsoft in 2012, but was named an IE MVP in '13 & an IE userAgent (http://useragents.ie) in '14

Understanding SmartScreen Blocking


I’ve received a few emails recently, asking “Why is SmartScreen blocking my newspaper’s website?” Usually, the person asking assumes that, because they trust and regularly visit the website in question, this must be a false positive in SmartScreen.

The reality is a bit more complicated, and a bit more interesting.

Many websites rely upon advertising for revenue, and those advertisements are typically delivered within subframes inside the top-level page. The problem is that advertising networks, from time to time, unknowingly deliver malicious advertising. Typically, such “malvertising” relies upon navigating the frame to a malicious website. That website, in turn, then shows prompts, pop-ups, or other messages to trick the user into installing malicious software, often called scareware.

SmartScreen is designed to perform reputation checks against frames, and when it detects that a browser subframe has been navigated to a malicious site, it replaces the top-level page with the block experience. The blocking page shows the address of the top-level page that was hosting malicious content, allowing the user to more easily detect typos or other misleading URLs.

SmartScreen blocking page on victim site with malicious subframe

In many cases, this design makes sense: if a given top-level page is hosting an IFRAME containing a phishing or malware attack, then there’s a good chance that the top-level page itself is malicious. It might, for instance, contain code to determine whether the attack’s subframe was blocked and then navigate the subframe to a different or new page on a different server, in an attempt to bypass SmartScreen. If SmartScreen blocked only the known-malicious subframe, the user could be put at risk.

When we designed the error page, we worried that technical subtleties like “inline frames” would be confusing to normal users, who might wonder why “http://good.example.com” appears in the address bar, but “http://evil” appears within the blocking page. The user might (not unreasonably) assume that SmartScreen had simply made a mistake. Unsuspecting users might “click through” the blocking page and subject themselves to attack.

Unfortunately, this user experience leads to confusion in the cases where the top-level page isn’t intentionally hosting malicious subframes. The user sees a legitimate address in the blocking page, and thinks “My friendly neighborhood newspaper can’t be evil… could it?” What’s worse, most advertising scripts randomly select an advertisement to show, so if the user (or the site owner) revisits the legitimate site in a new window, they likely will not receive the malicious advertisement again and thus will not encounter the SmartScreen blocking page.

If you ever encounter a SmartScreen block experience on a legitimate site, chances are very good that the browser has just blocked a malicious ad.

-Eric

PS: FiddlerCap is a tool I’ve released to help users and site owners capture malicious advertisements. FiddlerCap easily collects all of the web traffic from your browser and saves it in a single file which can later be analyzed to determine which advertisements should be removed from the network.
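The subframe chain described above (top-level page, ad network request, subframe navigated to the blocked site) is exactly what a site owner has to pull out of a traffic capture like the one FiddlerCap saves. The following is an added example, not code from the original post or from Fiddler: it walks Referer headers backwards from the request to the blocked host, using a constructed capture with hypothetical hostnames, so the ad request that delivered the malicious subframe can be reported to the network.

```python
from urllib.parse import urlsplit

# Constructed sample capture (not real traffic): one record per HTTP session,
# modelled on the URL/Referer pairs a proxy capture would record while loading
# a newspaper front page that serves an ad whose subframe ends up at a blocked host.
CAPTURE = [
    {"url": "http://news.example/front-page", "referer": None},
    {"url": "http://static.news.example/site.css", "referer": "http://news.example/front-page"},
    {"url": "http://ads.adnet.example/serve?slot=leaderboard", "referer": "http://news.example/front-page"},
    {"url": "http://cdn.adnet.example/creative/4711.js", "referer": "http://ads.adnet.example/serve?slot=leaderboard"},
    {"url": "http://evil.example/your-pc-is-infected", "referer": "http://ads.adnet.example/serve?slot=leaderboard"},
]


def host_of(url):
    """Hostname part of a URL, or '' if it cannot be parsed."""
    return urlsplit(url).hostname or ""


def referer_chain(capture, blocked_host):
    """Return the URLs from the top-level page down to the first request sent to
    blocked_host, reconstructed by following Referer headers backwards.
    Returns [] if no request to blocked_host is in the capture. The walk stops
    at a referer that is missing from the capture or that would form a loop."""
    by_url = {s["url"]: s for s in capture}
    start = next((s for s in capture if host_of(s["url"]) == blocked_host), None)
    if start is None:
        return []
    chain, seen = [], set()
    current = start
    while current is not None and current["url"] not in seen:
        seen.add(current["url"])
        chain.append(current["url"])
        ref = current.get("referer")
        current = by_url.get(ref) if ref else None
    chain.reverse()  # top-level page first, blocked request last
    return chain


def offending_ad_request(chain):
    """The hop right after the top-level page, i.e. the ad request whose frame was
    navigated to the blocked host. None when the top-level page itself references
    the blocked host (no intermediate ad network in the chain)."""
    return chain[1] if len(chain) >= 3 else None


if __name__ == "__main__":
    chain = referer_chain(CAPTURE, "evil.example")
    print(" -> ".join(host_of(u) for u in chain))
    print("report to ad network:", offending_ad_request(chain))
```

A chain of length two means the top-level page itself referenced the blocked host, which is the case the blocking page was designed for; a longer chain points at the ad request that should be reported.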

  • Interesting.

    I have another question.

    Often I find a page not loading due to an ad holding up the download (at the bottom it shows something like Waiting for ad.doubleclick.com/... or downloading ...). At such moments I find that the "stop" button is not working either.

    This is very annoying because I cannot see the page and I am not interested in waiting for a timeout on some ad script. If it is not timing out I often resort to killing the IE windows through the task manager. This is just stupid. I should always be in control of stopping the page.

    Why is the "stop" button unavailable at such times?

  • @hAl: I haven't encountered a case where the STOP button doesn't work, although such cases do exist (e.g. I don't believe Flash networking respects the button, for instance). But I certainly have no idea why you'd want to terminate the process... Are you saying you cannot navigate the current page to a different one?

    >because I cannot see the page

    Only a very very poorly designed page would inject ads in such a way that the page isn't rendered while waiting for the ad. What site(s) do you see this on?

  • Let me try again. I have run into this issue of severe lock ups with IE 8 on a regular basis. Typically the sites I see it having a severe issue with are forum sites. It doesn't seem to be strictly related to ads imo.

    It seems to me, anytime IE8 gets part of a web page and has to wait on more information, whether it be an ad, info from a database, or a dropped packet, IE 8 hangs and the stop/refresh and red X close buttons do not work until IE 8 either gets that information or it times out. This doesn't seem to happen in IE 7.

    If there are any network problems, i.e. over-congested routers on an ISP, IE 8 will hang on webpage loading with a partial load bar at the bottom and none of the buttons work. Only opening Task Manager and closing the process removes IE 8. In cases of a bad path to a website and dropped packets, I used to be able to hit stop then refresh and that usually managed to bring the page up. With IE 8, that's not possible.

    I've tried resetting IE 8 and disabled every addon to no avail. This is on a Windows 7 64bit Home Premium machine. If you have any suggestions on how to get the red X close, refresh and stop button functionality back in IE 8 during these moments, I'd be happy to hear about it.

    If not, then how I could switch this IE 8 to IE 7 on a preinstalled Windows 7 machine could be another alternative.

    Hopefully this information can prove helpful and help add to hAl's post/comment.

  • Found out what causes IE8 to lock up frequently.

    As soon as I turned off "Protected Mode" everything was lightning fast all the time. No major delays no hang ups.

    Does "Protected Mode" send everything through some sort of server to be filtered/checked?

    Wonder what kind of balancing needs to be done for speed and efficiency.

  • @TomCat39: As mentioned here very very frequently, the vast majority of IE8 reliability and performance problems are caused by buggy browser addons. For instance, if you see a problem with Protected Mode on, the chances are very high that you have installed some ancient or low-quality add-on which isn't compatible with Protected Mode (which itself is 4 years old now).

    No, Protected Mode doesn't send anything to any sort of server, and disabling it is strongly discouraged because it puts your security at risk. You'd be far better off disabling unwanted and buggy browser add-ons.

    IE7 cannot be installed on Windows7, you can, however, run it in a virtual PC environment.

  • Fair enough. However, I'd like to reiterate, these lock ups are with all addons disabled. The only thing that seems to affect the pauses that I'm noticing was turning off Protected Mode. I didn't leave it disabled. Just making one change, testing, make another, test etc. etc. until I find a noticeable difference. That difference happened to be the Protected Mode.

    The biggest change I'm noting between IE7 and IE8 is that when IE7 is waiting on something before rendering, the stop, refresh and red X close buttons still overrode everything and worked instantly. In IE8, more often than not, when the browser is waiting on something before rendering the page, none of those buttons work until whatever it's waiting on finishes.

    In this case it looks to me like it's waiting on the protected mode processing to finish before it gives control back to the user via stop, refresh and red X close buttons. Even the scroll bar on the right (if a previous page was loaded and navigating away from the page pauses on loading) fails to work.

    Once again, this behavior of IE8 is with ALL addons disabled. Java, Flash and all MS addons to boot.

    I have done quite a bit of reading about IE8 "lock ups" and most everything has pointed at addons. Thus I've done lots of testing with zero addons only to be plagued with the same constant stalls. That was the first area I looked at but it made no difference.

    Doing a bunch of Google searching brought me to this post due to hAl's post. It's the only thing that hits on the exact issues I've been trying to decipher with the stop and refresh buttons while IE8 says connecting or having a partial loading bar and having to wait 10 to almost 30 seconds for the page to finally come through and all buttons to work again.

    Should I try and run through an uninstall and reinstall of IE8? The browser came preinstalled with Google Toolbar addons (all disabled), some Norton addons (all disabled) and some Microsoft addons (like search, also disabled), and I added Java and Macromedia/Adobe Flash, which also have been disabled for now.

    I'm not really sure how I can stop these near constant stalls while keeping Protected Mode enabled.

    Any direction you can provide me would be greatly appreciated, including upgrading to IE9 if that's possible in a non beta form.

  • Oh wait, does running "disabled" not equal running via the IE - No Add-ons shortcut that I've read about (which seems to be missing from my laptop)?

  • Please delete my comments. I didn't know about all the add-ons. I found add-ons under the Run Without Permission and Downloaded Controls sections. Once I disabled the Norton/Symantec ones for a security suite that came with the laptop, that I never activated, and am not using.... The conflicts seem to have vanished.

    It is exactly as you said, add-ons conflicting with the protected mode. The problem was I didn't know where all the add-ons were to truly disable them all. So I thought I had disabled all add-ons only to leave a ton still running. I've left the Microsoft ones under Run Without Permission but have disabled the redundant ones that I do not use from third parties.

    Thank you for your time and information.
