MS SmartScreen and Application Reputation

What is “Application Reputation”?

As one dog says to the other in Peter Steiner’s classic New Yorker cartoon: “On the Internet, nobody knows you’re a dog.” Software downloaded from the Internet is similar to people on the Internet—it’s hard to tell which ones are dogs, at least without help. That’s where “application reputation” technology comes in. Application reputation is a method employed by Microsoft’s SmartScreen® filter to distinguish good software from bad software as it is downloaded from the Internet. Reputation works similar to the way that we develop trust in other people—we study them over the course of multiple encounters or, if we don’t have prior experience with them, then we rely on others for information about their reputation.

One way to tell if an application has a bad reputation is to check whether its fingerprint is on a blacklist. Just like the FBI, most anti-virus (AV) systems maintain databases of fingerprints belonging to malicious software. Whenever a new bad actor appears, its fingerprint is added to the AV database. This works in most cases. However, just like in the movies, some bad actors change their faces and fingerprints to escape detection. How do they do this? They make a slight change or variation in code in order to hide it from AV programs. Some of these are referred to as “polymorphic,” meaning that they can change their appearance in multiple ways. Just like a mutating virus, each time they run, they can potentially spawn into up to a million different varieties. Thus, blacklisting bad code quickly becomes a losing battle when you’re fighting against polymorphic malware.

A whitelist is another technique for determining application reputation. Well-known code that has proven itself harmless over the years can be whitelisted. When known software with a good reputation tries to install or run on a machine where it has been whitelisted, the system can allow it. But what about new software? How does SmartScreen® identify new software as good or bad?

How Does SmartScreen® Work for Newly Published Software?

SmartScreen’s Application Reputation engine looks at whether software has been blacklisted or whitelisted. It evaluates whether the software has been previously encountered by checking a large database of code that has been encountered and collected from telemetry capabilities that users have enabled on Windows machines. New code that has not been digitally signed using an Extended Validation (EV) Code Signing Certificate will alert the end user that the software has not established a reputation (i.e. not commonly downloaded from the Internet). (In Windows 8 with SmartScreen® code that is signed with an EV Code Signing Certificate receives a higher initial reputation score. See http://blogs.msdn.com/b/ie/archive/2012/08/14/microsoft-smartscreen-amp-extended-validation-ev-code-signing-certificates.aspx).

However, a warning appears if the software has been signed with a regular code signing certificate where the author or publisher has not yet established a reputation of trust. (Only Authenticode Certificates issued by a CA that is a member of the Windows Root Certificate Program can establish reputation.) As the software or its publisher gains a better reputation, the likelihood of a warning diminishes. Reputation for unsigned software is based on fingerprints while reputation based on signed software is based on the associated code signing certificate and the reputation of the CA that issued the code signing certificate.

How Does a Code Signing Certificate Enable Application Reputation?

Without getting into too much detail, the “subject name” in a code signing certificate identifies the Trusted Publisher of software that has been digitally signed. For an illustration of this, if a code signing certificate happens to be saved on your computer by Internet Explorer, then you can examine it by looking in Tools > Internet Options > Content and then clicking on Certificates > Publishers. Under the Details tab you can examine the name of the Trusted Publisher under Subject. Microsoft’s SmartScreen® and the CAs that issue EV Code Signing Certificates use this certificate information to track the reputation of trusted publishers. Previously unknown publishers have zero reputation, while consistently good publishers can have a good reputation based on prior history.

Some Final Thoughts

In the short format of this blog post I haven’t had the time or space to address all aspects of application reputation, such as screening against websites known to be sources of malware. To learn more, you can go here: http://windows.microsoft.com/en-us/windows7/smartscreen-filter-frequently-asked-questions-ie9

While no single technology or strategy can provide 100% security, EV Code Signing Certificates in conjunction with SmartScreen add increased identity verification of software publishers, have more stringent private key storage requirements, and added reputation in SmartScreen to help significantly improve the trustworthiness of software that users download on the Internet. Even with these improvements, though, it’s always advised that the end user use common sense when encountering software of unknown origin and to check the signature publisher’s name carefully to help further determine trustworthiness. Providing application reputation for signed code is just one way that Microsoft and DigiCert are improving Internet security.