How IE9 uses app reputation to axe malware

How IE9 uses app reputation to axe malware

Summary: Microsoft security specialist Jeb Haber explains how Internet Explorer 9 is banking on application reputation to cut malware attacks

TOPICS: Security

The first release candidate of Internet Explorer 9, the next version of Microsoft's web browser, is due in days, incorporating a number of new security features. ZDNet UK spoke to Microsoft Internet Explorer security specialist Jeb Haber about the browser's application-reputation approach to malware.

According to the latest PandaLabs annual security report, a third of all viruses ever written were created in 2010. That volume of new malware is almost impossible for antivirus software or online malware-blocking services to keep up with, so Microsoft's Internet Explorer (IE) 9 browser will take another approach — and do away with most warning dialogs you see when you download files today.

With the release candidate of IE9 expected next week, we asked Microsoft's Jeb Haber, principal program manager lead for the SmartScreen service in IE, how the application-reputation feature works, what it protects you from — and whether looking at all the files downloaded in IE has privacy implications.

Q: What's the biggest security issue for users that your team is addressing?
A: We think executable downloads are the biggest threat they face. The basic intent of our team is to focus on helping users stay safe online. If you think about the threat landscape, you think about attacks on the computer, vulnerabilities and so on; and attacks on websites, cross-site scripting and that sort of stuff. And then there are attacks on the users, social engineering — that's what we focus on.

We already deal with two types of threats, phishing and malware, with this thing we call the URS — the URL Recognition Service. We picked a specific type of threat, socially-engineered malware and we blocked 1.2 billion in 16 months. Malware is really the biggest problem. We see anywhere from one in 50 to one in a 100 [fewer] phishing blocks compared with malware blocks.

But you're not blocking it all, so you decided to take a different approach?
What we found with all the block-based solutions, with antivirus and our own stuff, there's this latency between detection and protection. We wanted to take that problem of identifying and blocking and turn it on its head. Instead of identifying what's bad, identify what's good — and what's left over, treat that differently.

How do you identify the known good files?
We looked at the concentration of code [on the web] by file hash and code-signing certificates to see if there was a consolidation big enough we could basically build an established reputation list and [say] the stuff that's unknown is risky.

Reputation is either for a specific program — for the hash of the file you download — or the certificate. If you sign code and use that certificate over time, you will develop a reputation.

If a certificate has established a good reputation over time, anything it produces — as long as you do not start signing malware — will have a good reputation. Part of this approach is encouraging good code-signing practices, because it is impossible for us to establish reputation on every program.

We wanted to take that problem of identifying and blocking and turn it on its head. Instead of identifying what's bad, identify what's good — what's left over, treat that differently.

We've seen some malware authors signing code to avoid warnings about unsigned code…
That's great. Now I get to kill everything with one stroke instead of playing whack-a-mole all over the place. I get to take them all out.

If a download has a good reputation, IE9 won't warn you before you download it — and you believe that's safer than warning people all the time?
There's a bunch of warnings we show that are irrelevant. We wanted to get rid of that "everything is scary on the internet" warning. We didn't want that for when you download [something like] iTunes.

Because people ignore it?
It's horrible habituation. People get used to seeing it and they just look for the button to click on. We looked at the data. We know what click-through rates are. It's a meaningless warning for that particular file for that particular user.

In some large sense, yes, things from the internet might be dangerous. But how does that help me when you tell me that about everything? Don't warn people when they don't need to be warned and warn them when they're...

Topic: Security

Mary Branscombe

About Mary Branscombe

Mary Branscombe is a freelance tech journalist. Mary has been a technology writer for nearly two decades, covering everything from early versions of Windows and Office to the first smartphones, the arrival of the web and most things inbetween.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • I've heard about a toolbar that spies on it's users, grabbing the edit fields, their URLs, tracks their clicks and sends that info off to Malware central in Redmond, where they use that info to create a fake search engine.

    Will this malware detector detect this and remove it?
  • Assuming you're dumb enough to listen to the rhetoric out of Google.
    Mr Nom Mom's
  • it surprises me to find out how many google fanboys out there. They follow them even when they dont make any sense! I wonder if they are on the payroll.
  • @keriminal, I would choose Google over MS any day of the week, and twice on Sunday.
  • Not enough talk about giving the axe to safe software

    Microsoft has never, in the few years since smartscreen was implemented, dealt with or comment on the problem of legitimate safe software being labeled as a security threat by the smartscreen filter and therefore not installed by the user. There is no way to get reputation for a pierce of software because it starts out being called a risk.

    So no more malware and no more independent developers distributing free software for Windows.