
SmartScreen Filter and Resulting Internet Communication in Windows 8 and Windows Server 2012

Published: August 15, 2012

Updated: August 15, 2012

Applies To: Windows 8, Windows Server 2012

In this section

Benefits and purposes of SmartScreen Filter in Internet Explorer 10

Overview: Using SmartScreen Filter in a managed environment

How SmartScreen Filter communicates with a site on the Internet

Controlling SmartScreen Filter to limit the flow of information to and from the Internet

This section explains how SmartScreen Filter in Internet Explorer 10 communicates across the Internet, and it explains steps to take to limit, control, or prevent that communication in an organization with many users.

For more information about Internet Explorer 10, see Internet Explorer 10 and Resulting Internet Communication in Windows 8 and Windows Server 2012 in this document.

Benefits and purposes of SmartScreen Filter in Internet Explorer 10

Internet Explorer 10 includes SmartScreen Filter, which operates in the background when the browser is running. It provides an early warning system to notify users of suspicious websites that could be engaging in phishing attacks or distributing malware through a socially engineered attack.

Note
SmartScreen Filter is one of the multiple layers of defense in the antiphishing and malware protection strategies developed by Microsoft. For more information, see What is SmartScreen Filter? on the Microsoft website.

The following list describes the enhancements that SmartScreen Filter provides:

  • Anti-phishing and anti-malware support. The SmartScreen Filter helps block sites that are reported to host phishing attacks or distribute malicious software through socially engineered attacks. This protection is URL reputation-based, which means that it evaluates the URLs to determine whether they are known to distribute or host unsafe content. SmartScreen Filter also provides application reputation checks, which check the reputation of a downloaded program itself, or the digital signature that is used to sign a file. If the file or certificate has an established reputation, no warnings are shown. If the file does not have an established reputation, the user is at higher risk of malware infection and is shown a more severe warning. The reputation-based analysis in SmartScreen Filter is an additional layer of protection, in addition to signature-based anti-malware technologies, such as the Malicious Software Removal Tool, Microsoft Security Essentials, and Windows Defender, to protect against malicious software.

  • Heuristics and enhanced telemetry. New heuristics combined with enhanced telemetry allow SmartScreen to identify and block malicious sites more quickly.

  • Group Policy support. Group Policy can be used to enable or disable the SmartScreen Filter for Internet Explorer users across an entire Windows domain. One Group Policy option allows domain administrators to prevent users from overriding SmartScreen Filter warning screens. When these Group Policy restrictions are enabled, the option to override the SmartScreen warnings is removed. For more information, see To Control SmartScreen Filter by using Group Policy later in this document.

Overview: Using SmartScreen Filter in a managed environment

In a managed environment, you can use Group Policy to control SmartScreen Filter in a variety of ways, including the following:

  • Turn on SmartScreen Filter so that it runs automatically on all computers that are running Internet Explorer 10.

  • Prevent users from overriding or clicking through SmartScreen Filter warnings.

  • Turn off SmartScreen Filter.

For details about the preceding options, see Controlling SmartScreen Filter to limit the flow of information to and from the Internet later in this section.

How SmartScreen Filter communicates with a site on the Internet

This subsection describes how SmartScreen Filter might communicate with a site on the Internet as it evaluates a website URL that a user is trying to reach.

  • Default settings: SmartScreen Filter is disabled unless the feature is enabled by the user or through a Group Policy setting. Users can manually check the reputation for an individual site by using the Safety menu.

  • Triggers: When the user visits an Internet site, the URL of the site is compared against a list of high traffic websites that is built into SmartScreen Filter. If the URL matches a site on the list, no further checks occur for that URL. If the URL does not match a site on the list and SmartScreen Filter is enabled, SmartScreen Filter sends a query to the Microsoft URL Reputation Service (URS). If the URS detects that a URL is a known malicious site, a warning is shown to help prevent the user from entering personal information or downloading malware.

  • Specific information sent: The following information is sent over an encrypted (HTTPS) connection to the URL Reputation Web Service:

    • URL: The full request URL is included. However, if the Internet URL is listed as legitimate on the “allowed sites” list, SmartScreen Filter takes no action and nothing is sent.

    • Detailed software version information: The browser version, the SmartScreen Filter version, and the version of the “high traffic site” list.

    • Operating system version: The version of Windows that the browser is installed on.

    • Language and locale setting for the browser: The language and locale for the browser display, for example, English (United States).

    • Anonymous statistics about how often SmartScreen Filter is triggered: SmartScreen Filter tracks basic statistics, such as how often a warning is generated and how often a query is made to the URL Reputation Service. This statistical information is sent to Microsoft periodically, and it is used to analyze the performance and improve the quality of the SmartScreen Filter.

      For more information, see the Internet Explorer 10 Privacy Statement on the Microsoft website.

  • User notification: If SmartScreen Filter is enabled, the user is not notified when SmartScreen Filter performs a check, but is notified if SmartScreen Filter detects a URL that is reported as unsafe.

  • Logging: By default, SmartScreen Filter does not log events. However, if you use the Application Compatibility Toolkit to enable logging for application compatibility events, SmartScreen Filter logs an event when a website is blocked or has suspicious characteristics.

    For information, see Application Compatibility.

  • Encryption: All information that is sent to the URL Reputation Service is encrypted by using the HTTPS protocol.

  • Access: The teams that maintain SmartScreen Filter and the URL Reputation Service have access to the data that is sent to the URL Reputation Service (including the anonymous statistics described earlier in this list).

  • Privacy: URLs that are collected may unintentionally contain personal information (depending on the design of the website that is visited). Like the other information that is sent to Microsoft, this information is not used to identify, contact, or target advertising to users. In addition, Microsoft filters address strings to remove personal information where possible. For more information, see the Internet Explorer 10 Privacy Statement on the Microsoft website.

  • Transmission protocol and port: The transmission protocol for any information that is transmitted to the URL Reputation Service is HTTPS, and the port is 443.

  • Ability to disable: SmartScreen Filter can be disabled through the Windows 8 or the Windows Server 2012 interface or through Group Policy. For more information, see Additional references later in this section.

Controlling SmartScreen Filter to limit the flow of information to and from the Internet

This subsection provides information about how to control settings for SmartScreen Filter on a computer running Windows 8 or Windows Server 2012.

  1. Open Internet Explorer on the computer on which you want to control SmartScreen Filter, click Safety, point to SmartScreen Filter, and then click Turn on SmartScreen Filter or Turn off SmartScreen Filter. A dialog box appears that restates these options with additional text that explains the value of using SmartScreen Filter and the risks of not using SmartScreen Filter.

  2. Accept the selected option or a different option, and then click OK.

  1. Open Internet Explorer on the computer on which you want to control SmartScreen Filter, click Tools, click Internet Options, and click the Security tab, and then click Trusted sites.

  2. Under Security level for this zone, click Custom Level, and then scroll down to Use SmartScreen Filter.

  3. Choose the setting that you want to use for Trusted sites (Enable or Disable).

    Note
    Internet Explorer Enhanced Security Configuration is a feature in Windows Server 2012. If Internet Explorer Enhanced Security Configuration is enabled, SmartScreen Filter is turned on for Trusted Sites. If you want to change this setting, you must first turn off Internet Explorer Enhanced Security Configuration in the Security Information section of Server Manager. For more information, see Internet Explorer 10 and Resulting Internet Communication in Windows 8 and Windows Server 2012.

To control SmartScreen Filter by using Group Policy

  1. Using an account with domain administrator credentials, sign in to a computer running Windows Server 2012 or Windows 8. Then open the Group Policy Management Console (GPMC) by running gpmc.msc, and edit an appropriate Group Policy Object (GPO).

    Note
    You must perform this procedure by using GPMC on a computer running Windows 8 or Windows Server 2012.

  2. If you want the Group Policy setting to apply to all users of a computer and to come into effect when the computer starts or when Group Policy is refreshed, expand Computer Configuration. If you want the Group Policy setting to apply to users and to come into effect when users sign in or when Group Policy is refreshed, expand User Configuration.

  3. Expand Policies (if present), expand Administrative Templates, expand Windows Components, and then click Internet Explorer.

  4. In the details pane, double-click Turn off Managing SmartScreen filter, click Enabled (which means that users cannot control SmartScreen Filter settings), and then choose one of the following settings for Select SmartScreen filter mode:

    • On: Automatic SmartScreen Filter is always turned on in Security Zones for which the feature is Enabled.

    • Off: SmartScreen Filter does not automatically perform reputation checks. Users can manually trigger a check by using the Safety menu.

      Note
      Disabling the Turn off Managing SmartScreen filter Group Policy setting does not disable SmartScreen Filter. Users can control SmartScreen Filter settings on a local computer that is running Windows 8 or Windows Server 2012.
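
To confirm on a client that the Group Policy settings from the preceding procedure have taken effect, the values that the policy writes to the registry can be read back. The following PowerShell is an added example and is not part of the original Microsoft text; the registry key and the value names EnabledV9 and PreventOverride are assumptions based on the Internet Explorer administrative template and should be checked against the template in use.

```powershell
# Added example: read back the SmartScreen Filter policy state on this computer.
# Assumption (not stated on the page): the policy is stored under the
# PhishingFilter policy key as the DWORD values EnabledV9 (the choice made in
# "Select SmartScreen filter mode") and PreventOverride (warning click-through).
$SubKey = 'Software\Policies\Microsoft\Internet Explorer\PhishingFilter'

function Get-PolicyDword {
    param([string]$Hive, [string]$Name)
    $item = Get-ItemProperty -Path "${Hive}:\$SubKey" -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # key or value absent: not configured
    return [int]$item.$Name
}

function Get-SmartScreenPolicy {
    param([ValidateSet('HKLM', 'HKCU')][string]$Hive)
    $mode   = Get-PolicyDword -Hive $Hive -Name 'EnabledV9'
    $bypass = Get-PolicyDword -Hive $Hive -Name 'PreventOverride'

    # Not configured or Disabled leaves no value: users control the filter.
    if     ($null -eq $mode) { $modeText = 'Not configured: users control the filter' }
    elseif ($mode -eq 1)     { $modeText = 'Enabled, mode On: automatic checks enforced' }
    elseif ($mode -eq 0)     { $modeText = 'Enabled, mode Off: manual checks only' }
    else                     { $modeText = "Unexpected value $mode" }

    if ($bypass -eq 1) { $bypassText = 'Blocked by policy' }
    else               { $bypassText = 'Allowed: users can click through warnings' }

    [pscustomobject]@{
        Scope         = if ($Hive -eq 'HKLM') { 'Computer Configuration' } else { 'User Configuration' }
        FilterMode    = $modeText
        WarningBypass = $bypassText
    }
}

# One row per policy scope described in step 2 of the procedure.
'HKLM', 'HKCU' | ForEach-Object { Get-SmartScreenPolicy -Hive $_ } |
    Format-Table -AutoSize -Wrap
```

Run it in the user's session after Group Policy has been refreshed; the User Configuration row reflects only the account that is signed in.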

© 2013 Microsoft. All rights reserved.