
SmartScreen Filter discussion


10 replies to this topic

#1
Tripredacus

I'm taking a look around at all the hullabaloo about the SmartScreen Filter sending info about what apps you download and install. The Windows 8 EULA makes a mention of it specifically, but that it is disabled by default. I do not have a key to activate my Windows 8 deployment (I'm in Audit Mode) so I cannot determine if it gets enabled during OOBE or what.

Anyways, it looks to me that SmartScreen is only a function of Internet Explorer, and may not have anything to do with installing software off a disc, or if you downloaded something using another browser.

Also, my IE9 on my Win7 PC has the same thing, SmartScreen Filter installed AND enabled... Is the SmartScreen Filter in IE9 really any different than the one in IE10 that comes with Windows 8?

#2
cluberti

Smartscreen is extended when run in Win8 to verify the authenticity of apps or programs you install or sideload, which is where it differs from IE9 on Win7 (only reports on downloaded files via IE if there's an attempt to install it).

#3
Joseph_sw

Yeah, it's an extended telemetry scope, from IE into the whole of Windows.
As its scope enlarges, it can now be used to observe users' installing behaviour.
It can easily be employed to get a general idea of which apps were popular in specific IP regions.

I got this feeling that this is some kind of Google-envy, of one who is capable of observing (& profiling) its users' search behaviour.

#4
CharlotteTheHarlot


> Smartscreen is extended when run in Win8 to verify the authenticity of apps or programs you install or sideload, which is where it differs from IE9 on Win7 (only reports on downloaded files via IE if there's an attempt to install it).


cluberti, can you expand on this? The reporting about this is all over the map. Just off the top of my head I can think of lots of ways to install. But what constitutes an "install"? Is it when an UNINSTALL entry is created allowing add/remove of the program?

Do we know enough yet to make a comprehensive yes/no list? Maybe something like this:

Metro Apps installed through official store ..................... yes (presumably)
Metro Apps installed bypassing official store (theoretical) .....

Win Applications installed by local signed installer ............
Win Applications installed by local unsigned installer ..........
Win Applications pushed by local setup, no UNINSTALL registry ...

Win Applications downloaded and "Run" in MSIE ...................
Win Applications downloaded and "Run" in Firefox ................
Win Applications downloaded and "Run" in Chrome .................
Win Applications downloaded and "Run" in Opera ..................

Win Applications downloaded but NOT installed by MSIE ...........
Win Applications downloaded but NOT installed by Firefox ........
Win Applications downloaded but NOT installed by Chrome .........
Win Applications downloaded but NOT installed by Opera ..........


Would variations using a local network differ from purely local setup files? If anyone can think of another "install" vector please mention it!

... Let him who hath understanding reckon the Number Of The Beast ...


#5
jaclaz

The guy that most probably started it all, Nadim Kobeissi:
http://log.nadim.cc/?p=78

Is talking of "download from internet and open the install", so it is likely (but of course needs to be checked/confirmed) that there is a connection with the "Zone.Identifier" alternate data stream, like it was till now, examples:
http://www.hanselman...ataStreams.aspx
http://thewayeye.net...d-windows-files
http://www.nirsoft.n...ta_streams.html
or some similar mechanism.

jaclaz

P.S.: EDIT:
Confirmed:
http://arstechnica.c...-for-the-trees/
and Chrome seemingly does the same.
P.P.S: An old post but seemingly Opera doesn't use this approach (and the Author Cristian Adam seemingly submitted it to Opera as a bug :w00t:)
http://cristianadam....den-stream.html


Mozilla/Firefox should be "user selectable":
https://bugzilla.moz...g.cgi?id=499448

I presume that also SRware Iron is immune from this, but it is not mentioned:
http://www.srware.ne...ome_vs_iron.php
I take it back, also Iron sets the Alternate Data Stream :( <- someone should post this as a bug!

Also, since Alternate Data Streams are NTFS only, if you store the downloaded programs on a FAT12 :w00t: /16/32/64 (ex_FAT) there should be no triggering of SmartScreen :unsure: .

Edited by jaclaz, 30 August 2012 - 05:51 AM.
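
As an added illustration (not part of any post in this thread, and not code from any of the linked pages): the "Zone.Identifier" alternate data stream discussed above is a small INI-style text stream with a `[ZoneTransfer]` section. This Python sketch reads it from an NTFS file and names the zone; the function names and the sample stream contents are this example's own, constructed for illustration.

```python
import configparser

# Windows URL security zone numbers.
ZONES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}

# Constructed sample of what a browser writes for an Internet download.
SAMPLE_INTERNET = "[ZoneTransfer]\r\nZoneId=3\r\n"

def parse_zone_identifier(text):
    """Parse stream text; return (zone_id, fields), zone_id None if malformed."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str              # keep key case, e.g. "ZoneId"
    try:
        parser.read_string(text.lstrip("\ufeff"))
    except configparser.Error:            # e.g. no section header at all
        return None, {}
    if not parser.has_section("ZoneTransfer"):
        return None, {}
    fields = dict(parser["ZoneTransfer"])
    try:
        return int(fields.get("ZoneId", "")), fields
    except ValueError:                    # ZoneId missing or not a number
        return None, fields

def read_zone_identifier(path):
    """Return the stream text for a file on NTFS (Windows), or None if absent."""
    try:
        with open(path + ":Zone.Identifier", "r",
                  encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:                       # no stream, non-NTFS volume, non-Windows
        return None

def describe(text):
    """Summarise stream text as returned by read_zone_identifier()."""
    if text is None:
        return "no Zone.Identifier stream"
    zone_id, _ = parse_zone_identifier(text)
    if zone_id is None:
        return "Zone.Identifier present but malformed"
    return f"ZoneId={zone_id} ({ZONES.get(zone_id, 'unknown zone')})"

if __name__ == "__main__":
    print(describe(SAMPLE_INTERNET))
```

On Windows, `describe(read_zone_identifier(path))` reports the zone recorded for a downloaded file; a file stored on a FAT volume has no stream to read, so it reports that none is present.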


#6
MagicAndre1981

I always disable Smartscreen in the first step.

#7
xpclient

Yes, it's better to just disable it by running smartscreensettings.exe and then turn off the Action Center nags as well. Maybe IE smartscreen was useful for general browsing protection, but its addition to IE's download reputation building which scares users by classifying genuine downloads as potentially malicious or directly in Windows which sends file names in encoded form to MS is overly intrusive of privacy.

Edited by xpclient, 30 August 2012 - 11:15 AM.

Impossible to run NT6 without third party fixes.


#8
Joseph_sw

So, in theory,
it's possible to create annoyance for SmartScreen believers,
by running a script/app that may add an ADS to any files on an NTFS volume?

#9
CharlotteTheHarlot


> (... lots of good info ...)
>
> Also, since Alternate Data Streams are NTFS only, if you store the downloaded programs on a FAT12 :w00t: /16/32/64 (ex_FAT) there should be no triggering of SmartScreen :unsure: .

Yes, I believe this is a very good way to go. There is still life in them FAT bones after all. A FAT partition or maybe a FAT flashdrive stuck in USB for \Downloads as a security buffer.

The person must remember to download to and execute the SETUP.EXE file from the FAT partition. Either that or copy the \Downloads folder to a FAT disk, or run an ADS stripper.

Downloading from a browser (but no "RUN") to an NTFS partition and later executing the file means an ADS is probably still attached. This is because Firefox, Opera, MSIE (not sure about Chrome) download it to one of their temp/history/wip folders (assuredly on the NTFS system partition) and copy it when done, ADS would naturally also be copied.

My previous thinking was *.Microsoft.com in outbound firewall blacklist, with 'allow this time' prompt à la carte.

... Let him who hath understanding reckon the Number Of The Beast ...


#10
jaclaz


> Downloading from a browser (but no "RUN") to an NTFS partition and later executing the file means an ADS is probably still attached. This is because Firefox, Opera, MSIE (not sure about Chrome) download it to one of their temp/history/wip folders (assuredly on the NTFS system partition) and copy it when done, ADS would naturally also be copied.

No. :no:
At least up to version 10.*something* Opera is "kosher".
And as said in Firefox it can be turned off by the user.

@Joseph_sw
That would be really mean :ph34r: , but yes, I don't see why it wouldn't be possible....


jaclaz

#11
CharlotteTheHarlot

The link that Jaclaz posted above does seem to have a good summary of what is known. Here it is again ...

Windows 8 privacy complaint misses the forest for the trees ( Ars Technica 2012-08-25 )

If it is all correct, the linchpin really is browser based downloads. Some key paragraphs about the mechanics of the filter:

"Windows 8 extends the SmartScreen system to cover not just the URLs visited in the browser, but also files downloaded by the browser. Whenever Internet Explorer saves a file to disk, it adds information called a Zone Identifier to the file that indicates whether the file came from the Internet, the local intranet, a trusted site, or elsewhere. HTML files are additionally given the Mark of the Web to denote their origin. Third-party browsers such as Chrome do the same.

In Windows 7, running an executable that has a Zone Identifier, but which lacks a trusted digital signature, yields a generic warning message to say that the program's safety can't be vouched for. Removing the Zone Identifier prevents the warning from recurring.

In Windows 8, instead of merely showing a generic warning, the operating system does a SmartScreen check on the downloaded file. Because this is a file on a hard disk rather than a URL, Windows doesn't have a URL to send. Instead, as described by Rafael Rivera, it sends the file's name and a hash (a kind of cryptographic "fingerprint") of the file's contents."


There is much more, including speculation about what happens in Redmond to the uploaded hash and how it may be cross-referenced to your IP address or Windows Live ID.

Some people, specifically the Microsoft knee-jerk defenders are 'missing the forest for the trees' in yet another way, by scoffing at Kobeissi's findings and speculation because it was not perfect ( SSLv2 being used or not ), thereby supposedly nullifying all his points!?! :no: Sorry, that is just not logical IMHO. The man was starting from a point of zero information by design since Microsoft naturally isn't blogging about the mechanics of SmartScreen. He is trying to 'cleanroom' his way to the answer and cannot be expected to nail it down immediately. His critics are pathetic IMHO, because if left to them, Microsoft could implement anything no matter how draconian. Guess what, without details from Microsoft all we have is this kind of research, speculation and educated guesses based upon previous history.

... Let him who hath understanding reckon the Number Of The Beast ...




