How IE9 uses app reputation to axe malware

Summary: Microsoft security specialist Jeb Haber explains how Internet Explorer 9 is banking on application reputation to cut malware attacks

...actually at greater risk. It seems simple but it's not how any other browser works — actually a lot of software doesn't work that way today.

And you think they won't ignore warnings they don't see as often?
The typical user — probably not advanced technical users or enthusiasts but the typical user — will see this warning two or three times a year. I'm being conservative. Lots of users won't see it at all.

[In the beta] we have four different UIs in play so we can see which people are engaging with, which they are clicking through more, which end up with more malware running. We're looking at that data to refine the user experience for the release candidate and RTM. There will be changes.

Yes, things from the internet might be dangerous. How does that help me when you tell me that about everything?

How good is the warning? How many downloads can you give a good reputation to and how risky are the unknown files?
About 90 percent have established reputation by hash or cert — this is after [we've done] a bunch of modelling, a bunch of data mining, a bunch of work on the algorithm.

The scary thing is that with today's URL rep, about four percent of program and executable downloads are blocked already by SmartScreen. That's a scary number. The remainder, I call 'stranger danger' — things you probably don't want your non-technology friends and family to be downloading.

What we're seeing in this bucket varies over time but we're seeing 25 to 40 percent of things that show this stranger-danger warning later ending up being confirmed malware. We're saying, based on our data, the risk of clicking that button is a 25 to 40 percent risk of infection.

The unknown space is also volatile. About 50 percent [of executables] every day we've never seen before — and we've been tracking these for a long time. So it's either polymorphic malware, where you're getting a new package for every download, or very weird coding practices, unsigned code that's generating itself uniquely every day and so on. The fact that about half the programs behind those unknown prompts every day are new is super-concerning.
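The decision path Haber describes (URL reputation blocks first, then established reputation by hash or signing certificate, otherwise the stranger-danger prompt, plus the daily share of prompted files never seen before) sketched as an added Python example; this is not SmartScreen's code, and the store, signer names and sample downloads are all constructed.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class ReputationStore:
    """Constructed stand-in for a reputation back end."""
    known_good_hashes: set = field(default_factory=set)  # hash reputation
    trusted_signers: set = field(default_factory=set)    # cert reputation
    blocked_urls: set = field(default_factory=set)       # URL reputation
    seen_hashes: set = field(default_factory=set)        # everything observed

    def evaluate(self, url, content, signer=None):
        """Return (verdict, first_seen): verdict is 'block', 'allow' or 'warn'."""
        digest = hashlib.sha256(content).hexdigest()
        first_seen = digest not in self.seen_hashes
        self.seen_hashes.add(digest)
        if url in self.blocked_urls:            # URL rep: hard block
            return "block", first_seen
        if digest in self.known_good_hashes or signer in self.trusted_signers:
            return "allow", first_seen          # established reputation
        return "warn", first_seen               # 'stranger danger' prompt


def unknown_churn(store, downloads):
    """Fraction of prompted ('warn') downloads whose hash was never seen before."""
    warned = never_seen = 0
    for url, content, signer in downloads:
        verdict, first_seen = store.evaluate(url, content, signer)
        if verdict == "warn":
            warned += 1
            never_seen += first_seen
    return never_seen / warned if warned else 0.0


def demo():
    """Two constructed 'days' of downloads; returns each day's unknown churn."""
    store = ReputationStore(
        known_good_hashes={hashlib.sha256(b"installer-v1").hexdigest()},
        trusted_signers={"CN=Contoso Signing"},       # constructed signer
        blocked_urls={"http://bad.example/x.exe"},    # constructed URL
    )
    day1 = [("http://ok.example/a.exe", b"installer-v1", None),
            ("http://ok.example/b.exe", b"new-tool", "CN=Contoso Signing"),
            ("http://bad.example/x.exe", b"dropper", None),
            ("http://rnd.example/c.exe", b"unknown-1", None),
            ("http://rnd.example/d.exe", b"unknown-2", None)]
    day2 = [("http://rnd.example/c.exe", b"unknown-1", None),   # repeat
            ("http://rnd.example/e.exe", b"unknown-3", None)]   # brand new
    return unknown_churn(store, day1), unknown_churn(store, day2)
```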

If you're looking at all the executables online, is IE tracking what everyone downloads? Is there a privacy issue?
We have a great privacy team here at Microsoft responsible for ensuring our privacy statements are upheld.

Yes, we're collecting data — that's how intelligence works. We are processing massive amounts of data so we're looking at things in aggregate data models. There's nothing in those environments that's specific to any user.

In terms of URL rep, there is an anonymising algorithm that runs on the dataset, a Microsoft standard personally-identifying-information scrubbing algorithm on the inbound data. The data is in an access-controlled environment. There are no third parties accessing the data. It's not being shared outside the company.

This data is not used to target advertising to you. There is no mechanism in our back-end that has anything to do with ads. I don't have anybody on my team that thinks about revenue. Our intent and use of the data is our primary focus of protecting the Windows user.

How effective do you think application reputation is going to be?
I think this is a big one. I feel if users get it, I think it's going to have a huge impact on the number of socially engineered malware attacks.

Mary Branscombe is a freelance tech journalist. Mary has been a technology writer for nearly two decades, covering everything from early versions of Windows and Office to the first smartphones, the arrival of the web and most things in between.