IE8 Security Part III: SmartScreen® Filter

a-foton » IE8 Security Part III: SmartScreen?? Filter

a-foton » IE8 Security Part III: SmartScreen?? Filter — Wed, 02 Jul 2008 19:12:04 GMT

PingBack from http://blog.a-foton.ru/2008/07/ie8-security-part-iii-smartscreen%c2%ae-filter/

Internet Explorer 8 security features

SuperSite Blog — Wed, 02 Jul 2008 19:30:23 GMT

I just posted an article about Internet Explorer 8 security features . This is based on a recent briefing

re: IE8 Security Part III: SmartScreen® Filter

Kwispel — Wed, 02 Jul 2008 20:53:01 GMT

What stops the phisers from using a botnet (lots of different IPs) to report their pishing sites as safe and getting around the filter?

Is there some kind of protection against this?

re: IE8 Security Part III: SmartScreen® Filter

Jeff Parker — Thu, 03 Jul 2008 00:02:02 GMT

My only question would be is it annoying? Take for example the Phising Filter in IE 7 not only is it the first thing I shut off, I am instantly reminded to shut it off when I visit the very first site in a new computer setup. Because this balloon keeps popping up and complaining.

I am all for better security on the browser, however the Phishing filter was such an annoyance it got shut off, we even rolled shutting it off out globally in our organization because our helpdesk calls spike with users calling asking how to turn it off.

re: IE8 Security Part III: SmartScreen® Filter

AlexGl [MSFT] — Thu, 03 Jul 2008 00:32:50 GMT

@Kwispel:

We have human graders who examine reports of phishing/not phishing. A large number of reports doesn't automatically change the rating without a person actually looking at the page in question and deciding whether it truly is phishing.

@Jeff Parker:

Yes, already in Beta 1, we've removed the annoyance factors you mention. This is part of what Eric describes as having "simplified the opt-in experience".

re: IE8 Security Part III: SmartScreen® Filter

Jamie — Thu, 03 Jul 2008 01:20:46 GMT

I take it that the parallel checking will prevent the Phishing Filter problems that have been seen when using an authenticating proxy server? Phishing Filter can make the browser unusable in these sorts of setups.

re: IE8 Security Part III: SmartScreen® Filter

Techritic — Thu, 03 Jul 2008 01:42:21 GMT

Can you please get your damn standards right already? I'm tired of putting half of my time trying to get my site working in Internet Explorer.

re: IE8 Security Part III: SmartScreen® Filter

Privacy Concerns — Thu, 03 Jul 2008 03:06:26 GMT

All VERY good; keep it up.

However, (I know its a bit too late in the development process) but i would love a feature, where cookies, authentication sessions, etc expire and are deleted after a number of days automatically! Like history, the user chooses how long info is kept.

Anyone know of an addon?

re: IE8 Security Part III: SmartScreen® Filter

Laurens Holst — Thu, 03 Jul 2008 03:28:28 GMT

So from the screenshot in the “New heuristics & telemetry” section I gather that the filter will give a warning if you directly access an IP address.

Will this warning also pop up when accessing a LAN address? E.g. 10.0.0.1 or 192.168.1.1 or 127.0.0.1? It shouldn’t, IMO, as these addresses don’t pose a phishing threat and are frequently used by developers for development purposes.

~Grauw

re: IE8 Security Part III: SmartScreen® Filter

Faramond — Thu, 03 Jul 2008 07:22:33 GMT

Do you use mixed-script domain names as a heuristic? It seems like a warning should be triggered whenever users visit a domain name that does includes characters beyond simple ASCII and their own character set.

You might also want to add an option to prohibit browsing of non-ASCII domains. (Non-ASCII domains are bound to lead to a big increase in phishing due to the similarity of different glyphs.)

re: IE8 Security Part III: SmartScreen® Filter

someone — Thu, 03 Jul 2008 11:29:40 GMT

"catch more phish"? LOL

Btw you mention the anti-malware works in concert with Live OneCare....does this mean Live OneCare users are better protected with IE8's SmartScreen (TM) tech? Any plans to integrate the anti-malware feature with popular anti-virus software such as Norton, Kaspersky, NOD32?

re: IE8 Security Part III: SmartScreen® Filter

John A. Bilicki III — Thu, 03 Jul 2008 11:57:11 GMT

I highly appreciate the functionality and aesthetics if how *this* is implemented in to IE. I also applaud emphasizing the domain name (or IP address) of the potential attack site.

Eric, I'm surprised though that you simply don't just use an email form to protect your email address from spammers. Unless you spend time with the Hotmail folks working on spam filters?

PS - I see rounded corners, any chance we could at *least* get "-ie-border-radius" support in IE8? :D

Internet Explorer 8 - Security

Timeless Journeys — Thu, 03 Jul 2008 13:07:25 GMT

Internet Explorer 8 - Security

re: IE8 Security Part III: SmartScreen® Filter

Andre — Thu, 03 Jul 2008 14:43:33 GMT

So the SmartScreen Filter has two buttons, Yes and No, where both will report the address to Microsoft, either as safe or unsafe.

I'm glad I'm not using the IE anymore at all.

re: IE8 Security Part III: SmartScreen® Filter

Kwispel — Thu, 03 Jul 2008 17:05:26 GMT

"We have human graders who examine reports of phishing/not phishing."

Worldwide? Or are these Phising-lists only updated between 9h and 17h Microsoft-time?

re: IE8 Security Part III: SmartScreen® Filter

Jay — Thu, 03 Jul 2008 17:40:28 GMT

I work for a bank and we get phished once every six weeks. When I report the phish in IE, it takes too long to be included in the phishing filter. I would expect it to take 5 minutes or less to verify and add to the filter. Most times, I am able to shut down the site at the ISP level quicker than getting it added to the phishing filter. The phishing filter submission is typically faster for Firefox/Google. Is there a way you can add trusted sources/priority submissions for banks/financial institutions?

re: IE8 Security Part III: SmartScreen® Filter

EricLaw [MSFT] — Thu, 03 Jul 2008 19:01:51 GMT

@Kwispel: There are grading teams evaluating reports all day, every day, worldwide.

@Jay: Beyond user-reports, we collect phishing reports from over a dozen data providers that work with the major brand protection companies. I'm interested in troubleshooting why you're seeing such a long time to block; please feel free to send me a note (ericlaw at microsoft) next time you encounter a problem. Note, however, that there's a local cache (for performance reasons) so if you report from one machine, you should later check to see whether a block was issued from another machine.

@John: My email address was public long before spam was a significant problem. I made posts to newsgroups with my actual address many years ago, and I'm not inclined to switch now. And yes, this is somewhat nice, because I get to evaluate spam and phishing filters against "real world" data. :-)

@someone: Think of SmartScreen's anti-malware feature as a "first line of defense" against malware; it blocks sites known to deliver malware, which is nice because it can block even new/unknown malware distributed from sites that are known to distribute malicious software. In contrast, OneCare AV and third-party AV tend to be signature-based-- one the plus side, this means that known-malware are blocked even when distributed from unknown/new sites, but on the downside, there's a lag between the discovery of a new piece of malware and when a signature is generated and rolled out to block that malware. Hence, these two types of technologies work best together.

@Faramond: Please see http://blogs.msdn.com/ie/archive/2005/12/19/505564.aspx for more information about IE's handling of IDN names. In that post, we describe the mitigations in place against malicious non-ASCII names. The SmartScreen Filter will block known-malicious IDN sites, and users have the option of turning off Unicode display of IDN to completely prevent spoofing possibilities (Tools / Internet Options / Advanced / Always show encoded address).

@Laurens Holst: When evaluating a site, the fact that an IP-address was used rather than a hostname is only one factor used in the evaluation, for the reason you describe-- in many cases, navigation to IP-only sites is an innocuous daily task for IT-professionals and developers.

@Jamie: I'd be very interested to learn more about the problems you've encountered with authenticating proxies. Please send me a note (ericlaw at microsoft) with more info.

Thanks, all!

re: IE8 Security Part III: SmartScreen® Filter

Mirronelli — Thu, 03 Jul 2008 22:59:33 GMT

Really nice and clear.

One suggestion: If the possibility to continue and disregard the warning is disabled by administrators the smartscreen filter should state this clearly and not just tell that you only can go to homepage. Users will blame the browser or windows for this and not their own administrators.

To Andre: Where did you come up with the thing that both buttons (red and green) will send report to MS? Actually neither of them will. You must click the link: "Report this site ..." to send a report.

re: IE8 Security Part III: SmartScreen® Filter

IE8 Security Part III: SmartScreen® Filter — Sat, 05 Jul 2008 12:07:18 GMT

IE8 Security Part III: SmartScreen® Filter

re: IE8 Security Part III: SmartScreen® Filter

Rocky — Sun, 06 Jul 2008 16:42:36 GMT

Dear Eric:

Is the anti-malware or anti-phising provider is open or only can supplied by Microsoft? Like in firefox, people can use both firefox's own database or Google's database. I think if the provider is open, maybe many professional security company could supply their solution for anti-phising and anti-malware, maybe it's a good thing for the end-users :)

re: IE8 Security Part III: SmartScreen® Filter

CableGuy — Mon, 07 Jul 2008 10:54:57 GMT

Why not use blacklists as Firefox does?

Guest post: AVG Free 8 followup - Mischief-managed

TechBlog — Wed, 09 Jul 2008 20:30:52 GMT

[Note: Techblogger Claus Valca wrote an excellent guest post on June 29 about issues surrounding the popular AVG Free antivirus program. Since then, AVG has taken steps to fix problems with its new LinkScanner feature, and Claus has been kind...

re: IE8 Security Part III: SmartScreen® Filter

Nektar — Thu, 10 Jul 2008 12:09:36 GMT

The problem with IE7's Phishing Filter is that it is off by default and most users never care or even know to turn it on. "Phishing Filter!" they say, "What is that? Let's turn it off."

Users do not bather to change the defaults. Even educated users that I know of, do not care to check that the Filter is on or even care for its presence. Users are busy. They have more important things to do than have to configure IE options. They want it to work as best as possible out of the box. The same with the default search provider. Most users, almost all users, do not care to click "Change my default provider" and then to navigate and scroll through a page-full of providers. Please improve this experience (A) by integrating the Phishing Filter and search provider preferences into the Set-up process instead of the first-run experience so that users will give it more attention, (B) by simplifying the search provider choice dialog, putting a list-box of search provider choices in front of users during IE8 set-up instead of presenting a "confusing" full Web-page of search engines with descriptions at first-run and (C) by turning the Phishing Filter on by default. What do you think?

re: IE8 Security Part III: SmartScreen® Filter

EricLaw [MSFT] — Thu, 10 Jul 2008 18:07:38 GMT

@Nektar: Actually, a *significant majority* of IE7 users do turn on the Phishing Filter. Remember, there are a number of prompts during initial use, and if the user configured the "Use recommended settings" during Vista setup, the filter is on by default for them.

Integrating these choices into setup rather than first run wouldn't really work because only one user on a computer runs IE setup, but other users of the same computer may have different preferences. Because First-Run is per-user, the current design provides the opportunity to set their defaults as desired. As you'll see in Beta-2, we've significantly streamlined the first run experience.

re: IE8 Security Part III: SmartScreen® Filter

phish-shield — Fri, 11 Jul 2008 07:56:15 GMT

please do not develop the solutions "made for geeks, made by geeks". Look at the simple approach of phishing-shied from everyday user's point of view, and develop something simple as presented by http://ww.parentapproval.com/

re: IE8 Security Part III: SmartScreen® Filter

phish-shield — Fri, 11 Jul 2008 08:01:19 GMT

Most of the phishing solutions are not transparent at user-level, and seems like "made for geeks, made by geeks".

Look at the simple approach of phishing-shied from everyday user's point of view, and develop something simple as presented by http://www.parentapproval.com/

re: IE8 Security Part III: SmartScreen® Filter

Ted — Fri, 11 Jul 2008 23:48:20 GMT

@@phish-shield:

Hmm... IE8 shows a big red blocking page that says "This is a phishing site. STOP!" That doesn't really seem like it lacks "transparency", vs the "parent-approval" toolbar, which involves multiple configuration UI, allow lists, dozens of checkboxes, and the requirement that every website be entered manually for "allow" or "deny."

Couple that with the ludicrous "patent pending" claimed by the "parent approval" company, and you can bet that Microsoft isn't going to implement something like that.

Methinks maybe you work for those patent trolls and are hoping microsoft will do something that gets them sued?

MSDN FLASH IRELAND - INTERNATIONAL RESOURCES - 14 July 2008

Microsoft Ireland Blog — Thu, 31 Jul 2008 05:54:38 GMT

a {color : #0033CC;} a:link {color: #0033CC;} a:visited.local {color: #0033CC;} a:visited {color : #800080;}

IE 8 Beta2

Igor Macori — Wed, 13 Aug 2008 12:10:37 GMT

Si sta avvicinando a grandi passi il rilascio della Beta 2 della versione 8 di Internet Explorer . Come

Consumers Begin Using Internet Explorer 8 Beta 2

US ISV Developer Evangelism Team — Thu, 28 Aug 2008 20:15:45 GMT

The next beta for Internet Explorer has been released for broad distribution to the public, according

Hello, World: Getting Started with IE8 Visual Search

IEBlog — Fri, 19 Sep 2008 02:10:54 GMT

Hello, My name is Sébastien Zimmermann. I’m the developer owner for the Visual Search Feature , which

Hello, World или начинаем работать с IE8 Visual Search

Блог команды разработчиков Internet Explorer 8 — Thu, 23 Oct 2008 17:41:35 GMT

Привет, меня зовут Себастьян Циммерман (Sébastien Zimmermann) и я являюсь основным разработчиком функции

Hello, World или начинаем работать с IE8 Visual Search

Блог команды разработчиков Internet Explorer 8 — Thu, 23 Oct 2008 17:50:14 GMT

Привет, меня зовут Себастьян Циммерман (Sébastien Zimmermann) и я являюсь основным разработчиком функции

Trustworthy Browsing with IE8: Summary

IEBlog — Tue, 02 Dec 2008 02:36:03 GMT

Back in June, Dean Hachamovitch kicked off a series of blog posts explaining how the IE team approached

IE8 Security Part VIII: SmartScreen Filter Release Candidate Update

IEBlog — Mon, 09 Feb 2009 23:09:35 GMT

Hello, I'm Alex Glover and I'm the test owner of the SmartScreen Filter in Internet Explorer 8. The SmartScreen

IE8 Security Part VIII: SmartScreen Filter Release Candidate Update

Блог команды разработчиков Internet Explorer 8 — Wed, 18 Feb 2009 14:26:57 GMT

Изменения в фильтре SmartScreen в IE8 RC1 Привет, меня зовут Алекс Гловер (Alex Glover) и я являюсь главным

IE8 보안 3부 : 스마트스크린 필터

IE8 팀 블로그 — Tue, 17 Mar 2009 11:50:40 GMT

    이메일 주소를 포함한 글이 포럼이나, 뉴스그룹, 블로그 등에 올라가게 되면 엄청나게 많은 양의 스팸을 받게 됩니다. 그렇게 받는 스팸 중에는 피싱 메일이 상당수를

Microsoft IE8 is one of the best Malware Catcher

Microsoft Windows Azure Cloud Talk — Sun, 22 Mar 2009 20:03:41 GMT

A study by NSS Labs of 6 major web browsers shows a large difference in their ability to block "socially

More IE8 facts

Maria's blog in Bangladesh — Mon, 23 Mar 2009 05:06:25 GMT