Security Protection – Harry Waldron MVP

Internet Explorer – SmartScreen has blocked 1.5 Billion malware downloads

Below are some interesting statistics related to Internet Explorer’s SmartScreen protection:

SmartScreen Application Reputation in IE9 http://blogs.msdn.com/b/ie/archive/2011/05/17/smartscreen-174-application-reputation-in-ie9.aspx

QUOTE: Through the SmartScreen Filter, IE has been effective at blocking socially engineered malware attacks and malicious downloads – IE blocks between 2 and 5 million attacks a day for IE8 and IE9 customers. Since the release of IE8, SmartScreen has blocked more than 1.5 billion attempted malware attacks. IE is still the only major production browser to offer this kind of protection from socially engineered malware. From our experience operating these services at scale, we have found that 1 out of every 14 programs downloaded is later confirmed as malware.

Originally, SmartScreen protection was URL-based. IE7 introduced protection from phishing attacks by integrating a cloud-based URL-reputation service. IE8 added another layer of protection, also based on URLs (or Web addresses), to protect users from sites that offered malicious downloads and used social engineering techniques (“Run this to watch movies for free, download this security software to clean your machine, or get great emoticons!”) to get users to download and run them. URL-based protection from socially engineered malware attacks is an important layer of defense for consumers today on the Web.

That said, IE9 adds another layer of defense against socially engineered attacks that now looks at the application being downloaded – this is in addition to the URL-based protection described above. This new layer of protection is called SmartScreen Application Reputation. When it comes to program downloads, other browsers today either warn on every file or don’t warn at all. Neither of these approaches helps the user make a better decision. Application Reputation also addresses a limitation present in all block-based approaches that happens at the beginning of new attacks, before a Web site or program has been identified as malicious.
