How IE9 uses app reputation to axe malware

Summary:Microsoft security specialist Jeb Haber explains how Internet Explorer 9 is banking on application reputation to cut malware attacks

The first release candidate of Internet Explorer 9, the next version of Microsoft's web browser, is due in days, incorporating a number of new security features. ZDNet UK spoke to Microsoft Internet Explorer security specialist Jeb Haber about the browser's application-reputation approach to malware.

According to the latest PandaLabs annual security report, a third of all viruses ever written were created in 2010. That volume of new malware is almost impossible for antivirus software or online malware-blocking services to keep up with, so Microsoft's Internet Explorer (IE) 9 browser will take another approach — and do away with most warning dialogs you see when you download files today.

With the release candidate of IE9 expected next week, we asked Microsoft's Jeb Haber, principal program manager lead for the SmartScreen service in IE, how the application-reputation feature works, what it protects you from — and whether looking at all the files downloaded in IE has privacy implications.

Q: What's the biggest security issue for users that your team is addressing?
A: We think executable downloads are the biggest threat they face. The basic intent of our team is to focus on helping users stay safe online. If you think about the threat landscape, you think about attacks on the computer, vulnerabilities and so on; and attacks on websites, cross-site scripting and that sort of stuff. And then there are attacks on the users, social engineering — that's what we focus on.

We already deal with two types of threats, phishing and malware, with this thing we call the URS — the URL Recognition Service. We picked a specific type of threat, socially-engineered malware and we blocked 1.2 billion in 16 months. Malware is really the biggest problem. We see anywhere from one in 50 to one in a 100 [fewer] phishing blocks compared with malware blocks.

But you're not blocking it all, so you decided to take a different approach?
What we found with all the block-based solutions, with antivirus and our own stuff, there's this latency between detection and protection. We wanted to take that problem of identifying and blocking and turn it on its head. Instead of identifying what's bad, identify what's good — and what's left over, treat that differently.

How do you identify the known good files?
We looked at the concentration of code [on the web] by file hash and code-signing certificates to see if there was a consolidation big enough we could basically build an established reputation list and [say] the stuff that's unknown is risky.

Reputation is either for a specific program — for the hash of the file you download — or the certificate. If you sign code and use that certificate over time, you will develop a reputation.

If a certificate has established a good reputation over time, anything it produces — as long as you do not start signing malware — will have a good reputation. Part of this approach is encouraging good code-signing practices, because it is impossible for us to establish reputation on every program.

We wanted to take that problem of identifying and blocking and turn it on its head. Instead of identifying what's bad, identify what's good — what's left over, treat that differently.

We've seen some malware authors signing code to avoid warnings about unsigned code…
That's great. Now I get to kill everything with one stroke instead of playing whack-a-mole all over the place. I get to take them all out.

If a download has a good reputation, IE9 won't warn you before you download it — and you believe that's safer than warning people all the time?
There's a bunch of warnings we show that are irrelevant. We wanted to get rid of that "everything is scary on the internet" warning. We didn't want that for when you download [something like] iTunes.

Because people ignore it?
It's horrible habituation. People get used to seeing it and they just look for the button to click on. We looked at the data. We know what click-through rates are. It's a meaningless warning for that particular file for that particular user.

In some large sense, yes, things from the internet might be dangerous. But how does that help me when you tell me that about everything? Don't warn people when they don't need to be warned and warn them when they're...

Topics: Security


Mary Branscombe is a freelance tech journalist. Mary has been a technology writer for nearly two decades, covering everything from early versions of Windows and Office to the first smartphones, the arrival of the web and most things inbetween.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.