March 23rd, 2011
With the Internet Explorer 9 (IE9) beta in September we introduced IE9’s new application reputation feature and more recently we provided a summary of how this fits into the overall layered approach to security. With the final release of IE9 now available, we want to share some additional information about application reputation, clarify how code signing impacts the IE experience, and reiterate industry best practices that application developers should consider.
SmartScreen Application Reputation is a consumer focused safety feature that helps consumers make better decisions about the programs they download. Downloads are automatically assigned a reputation rating based on multiple algorithms that consider many objective criteria, such as antivirus results, download traffic, download history, and URL reputation. If a user opts into enabling the SmartScreen Filter, application downloads without established reputation result in a notification (see below) warning them that the file may be a risk to their computer.
From this notification, users can choose to delete the file or ignore the warning and run the downloaded program. For the typical user, the risk of running the download is a 25% to 40% chance of malware infection. We’ve been building reputation for some time now and approximately 90% of all application downloads have established reputation by hash or digital certificate. For the typical user, this notification is an infrequent experience associated with higher risk of malware infection. To put the scale of this risk in perspective, approximately 7% of all executable files downloaded by Internet Explorer are later confirmed as malicious. A portion of these attacks are prevented by blocklist solutions such as SmartScreen URL reputation or antivirus products. Unfortunately, no blocklist-based solution is 100% effective at preventing these attacks. Since Application Reputation was enabled in the IE9 beta release, the feature has greatly reduced infection rates from attacks that were not otherwise detected at the time of download.
How programs are identified in IE9
A download’s Application Reputation is assigned by:
- a hash of the downloaded file
- the digital certificate used to sign the file (if signed)
The file hash is an exact identifier for the specific file downloaded. If any part of the application changes, the program identity (file hash) will also change. An unsigned application that is updated regularly (e.g. unsigned daily builds) will appear as multiple distinct programs that will have to build reputation individually.
Reputation is also generated for digitally signed downloads based on the digital certificate used to sign the file. Digital certificates allow reputation to be assigned to a single identity (digital certificate) across multiple files. If you are not signing your programs, reputation will be built independently for each file you distribute. In contrast, signed programs may inherit the reputation of your digital certificate.
Why Sign Your Code?
For developers distributing applications online, signing your code is not required to establish reputation, but it is highly recommended. Code signing is an industry best practice that allows consumers to authenticate that files signed by a publisher are actually from that publisher. Signing also helps ensure that files cannot be secretly tampered with while stored on a server or during the download process. Without a digital signature, there is no way for a user to validate who actually created the file. This threat is commonly exploited by malware authors in their social engineering attacks.
Of course, the presence of a digital signature alone does not ensure a download is non-malicious. Digitally signing your application is not a guarantee that your download will have established reputation immediately, but can play an important part in ensuring that your applications receive the reputation they deserve.
Note that even if SmartScreen® Filter is disabled, users will be warned before unsigned applications are run:
Best Practices for Application Developers
There are several industry best practices an application developer can follow to help establish and maintain reputation for your applications:
- Digitally sign your programs with an Authenticode signature.
- Obtain a valid Authenticode code signing certificate from one of the many certificate authorities (CAs) supported by Windows.
- Use development tools (such as signtool.exe) to sign your applications prior to distribution.
- For more detailed information and a step-by-step description of the code signing process, see Eric Lawrence’s excellent post Everything you need to know about Authenticode Code Signing.
- Ensure downloads are not detected as malware. Downloaded programs that are detected and confirmed as malware will affect both the download’s reputation and the reputation of the digital certificate used to sign that file.
- Apply for a Windows Logo. To learn more about the Windows Logo visit the Windows 7 Logo Program page on MSDN.
More information about digital signatures and code signing:
- Authenticode Overview
- Ensuring Integrity and Authenticity
- Code Signing Best Practices
- What are Digital Certificates?
Thanks for your help in ensuring a safer, more streamlined download experience for consumers.
—Ryan Colvin, Program Manager, SmartScreen