Manage Privacy: SmartScreen Filter and Resulting Internet Communication

 

Applies To: Windows 8.1, Windows Server 2012 R2, Windows Server 2012, Windows 8

In this section

Benefits and purposes of SmartScreen Filter

Overview: Using SmartScreen Filter in a managed environment

How SmartScreen Filter communicates with a web service on the Internet

Controlling SmartScreen Filter to limit the flow of information to and from the Internet

This section explains how SmartScreen Filter communicates across the Internet, and it explains steps to take to limit, control, or prevent that communication in an organization with many users.

Benefits and purposes of SmartScreen

The SmartScreen Filter provides an early warning system to notify users of suspicious websites that could be engaging in phishing attacks or distributing malware through a socially engineered attack.

Note

SmartScreen Filter is one of the multiple layers of defense in the anti-phishing and malware protection strategies developed by Microsoft. For more information, see What is SmartScreen Filter? on the Microsoft website. To connect to the Microsoft SmartScreen URL Reputation Service (URS), an IPv4 connection is required.

The following list describes the enhancements that SmartScreen Filter provides:

  • Anti-phishing and anti-malware support. The SmartScreen Filter helps protect users from sites that are reported to host phishing attacks or distribute malicious software through socially engineered attacks. This protection is URL reputation-based, which means that it evaluates the URLs to determine whether they are known to distribute or host unsafe content. SmartScreen Filter also provides application reputation checks, which check the reputation of a downloaded program itself, or the digital signature that is used to sign a file. If the file or certificate has an established reputation, no warnings are shown. If the file does not have an established reputation, the user is at higher risk of malware infection and is shown a more severe warning. The reputation-based analysis in SmartScreen Filter is an additional layer of protection to help protect against malicious software.

  • Heuristics and enhanced telemetry. New heuristics combined with enhanced telemetry allow SmartScreen to identify and warn users about malicious sites more quickly.

  • Group Policy support. A Group Policy setting can be used to keep the user from managing SmartScreen Filter. If you enable this policy setting, the user is not prompted to turn on SmartScreen Filter. All website addresses that are not on the filter's allow list are sent automatically to Microsoft without prompting the user. If you disable or do not configure this policy setting, the user is prompted to decide whether to turn on SmartScreen Filter during the first-run experience. For more information, see To Control SmartScreen Filter by using Group Policy later in this document.

Overview: Using SmartScreen Filter in a managed environment

In a managed environment, you can use Group Policy to control SmartScreen Filter in a variety of ways, including the following:

  • Prevent users from overriding or clicking through SmartScreen Filter warnings.

  • Turn on SmartScreen Filter so that it runs automatically.

  • Turn off SmartScreen Filter.

For details, see Controlling SmartScreen Filter to limit the flow of information to and from the Internet later in this section.

How SmartScreen Filter communicates with a web service on the Internet

This subsection describes how SmartScreen Filter might communicate with a site on the Internet as it evaluates a website URL that a user is trying to reach.

  • Default settings: SmartScreen Filter is disabled unless the feature is enabled by the user or through a Group Policy setting.

  • Triggers: When the user visits an Internet site, the URL of the site is compared against a list of high traffic websites that is built into SmartScreen Filter. If the URL matches a site on the list, no further checks occur for that URL. If the URL does not match a site on the list and SmartScreen Filter is enabled, SmartScreen Filter sends a query to the Microsoft SmartScreen URL Reputation Service (URS). If the URS indicates that a URL is reported to be unsafe, a message is shown to warn the user about entering personal information or downloading malware. Occasionally, a telemetry report containing additional information about the site may be sent to help improve the quality of the SmartScreen services. When a program is downloaded, an application reputation check may be made which requires information about the downloaded file to be sent to the SmartScreen Application Reputation service.

  • Specific information sent: The following information is sent over an encrypted (HTTPS) connection to the SmartScreen services:

    • URL: The full request URL is included only when the site is required to be checked by the URS.

    • Detailed software version information: The browser version, the SmartScreen Filter version, and the version of the “high traffic site” list.

    • Detailed information about the URL: IP hosting the site, frame URLs, heuristics results, basic network details.

    • Downloaded file information: When an application reputation check is made, the download URL, a hash of the full file, information about the digital signature, and some additional data about the downloaded file, such as file size and the hosting IP, are sent.

    • Operating system version: The version of Windows that the browser is installed on.

    • Language and locale setting for the browser: The language and locale for the browser display, for example, English (United States).

    • Anonymous statistics about how often SmartScreen Filter is triggered: SmartScreen Filter tracks basic statistics, such as how often a warning is generated and how often a query is made to the URL Reputation Service. This statistical information is sent to Microsoft periodically, and it is used to analyze the performance and improve the quality of the SmartScreen Filter.

  • User notification: If SmartScreen Filter is enabled, the user is not notified when SmartScreen Filter performs a check. The user is notified only if SmartScreen Filter detects a URL that is reported as unsafe.

  • Logging: By default, SmartScreen Filter does not log events. However, if you use the Application Compatibility Toolkit to enable logging for application compatibility events, SmartScreen Filter logs an event when a warning is shown for a website.

    For information, see Application Compatibility.

  • Encryption: All information that is sent to SmartScreen services is encrypted by using the HTTPS protocol.

  • Access: The teams that maintain SmartScreen Filter and the URL Reputation Service have access to the data that is sent to the SmartScreen services (including the anonymous statistics described earlier in this list).

  • Privacy: URLs that are collected may unintentionally contain personal information (depending on the design of the website that is visited). Like the other information that is sent to Microsoft, this information is not used to identify, contact, or target advertising to users. In addition, Microsoft filters address strings to remove personal information where possible.

  • Transmission protocol and port: Any information that is transmitted to the URL Reputation Service is sent over HTTPS using port 443.

  • Ability to disable: SmartScreen Filter can be disabled through the user interface or through Group Policy.

Controlling SmartScreen Filter to limit the flow of information to and from the Internet

This subsection provides information about how to control settings for SmartScreen Filter.

To Control SmartScreen Filter by using Group Policy

  1. Using an account with domain administrator credentials, open the Group Policy Management Console (GPMC) by running gpmc.msc, and edit an appropriate Group Policy Object (GPO).

  2. If you want the Group Policy setting to apply to all users of a computer and to come into effect when the computer starts or when Group Policy is refreshed, expand Computer Configuration. If you want the Group Policy setting to apply to users and to come into effect when users sign in or when Group Policy is refreshed, expand User Configuration.

  3. Expand Policies (if present), expand Administrative Templates, expand Windows Components, and then click Internet Explorer.

  4. In the details pane, double-click Prevent managing SmartScreen Filter, click Enabled (which means that users cannot control SmartScreen Filter settings), and then choose one of the following settings for Select SmartScreen filter mode:

    • On: Automatic SmartScreen Filter is always turned on in Security Zones for which the feature is Enabled.

    • Off: SmartScreen Filter does not automatically perform reputation checks. Users can manually trigger a check by using the Safety menu.

      Note

      Disabling the Turn off Managing SmartScreen filter Group Policy setting does not disable SmartScreen Filter. Users can control SmartScreen Filter settings on a local computer.
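
To confirm which GPOs in the domain actually carry the setting configured in the procedure above, the following added example (not part of the original Microsoft documentation) reads each GPO's XML report and lists the state and filter mode of Prevent managing SmartScreen Filter under both Computer Configuration and User Configuration. The function name Get-SmartScreenPolicyState is hypothetical, and the report element names it searches for (Policy, Name, State, DropDownList, Value) are assumptions about the layout of the Get-GPOReport XML output.

```powershell
# Added example: audit where "Prevent managing SmartScreen Filter" is configured.
# Requires the GroupPolicy module (installed with GPMC) and read access to the GPOs.
Import-Module GroupPolicy

# Policy display name as given in step 4 of the procedure.
$policyName = 'Prevent managing SmartScreen Filter'

function Get-SmartScreenPolicyState {
    param(
        # Parsed output of Get-GPOReport -ReportType Xml for one GPO.
        [Parameter(Mandatory)] [xml] $Report
    )
    foreach ($side in 'Computer', 'User') {
        # local-name() avoids depending on the namespace prefixes in the report.
        # Element names are an assumption about the report layout.
        $xpath = "/*[local-name()='GPO']/*[local-name()='$side']" +
                 "//*[local-name()='Policy'][*[local-name()='Name']='$policyName']"

        foreach ($node in $Report.SelectNodes($xpath)) {
            $state = $node.SelectSingleNode("*[local-name()='State']")
            # The drop-down holds the "Select SmartScreen filter mode" choice (On/Off).
            $mode  = $node.SelectSingleNode(
                "*[local-name()='DropDownList']/*[local-name()='Value']/*[local-name()='Name']")

            [pscustomobject]@{
                Gpo           = $Report.GPO.Name
                Configuration = $side
                State         = if ($state) { $state.InnerText } else { $null }
                FilterMode    = if ($mode)  { $mode.InnerText }  else { $null }
            }
        }
    }
}

# Walk every GPO in the current domain; GPOs without the policy produce no rows.
Get-GPO -All | ForEach-Object {
    $report = [xml](Get-GPOReport -Guid $_.Id -ReportType Xml)
    Get-SmartScreenPolicyState -Report $report
} | Format-Table -AutoSize
```

A GPO that does not appear in the output leaves the setting not configured, in which case users are prompted during the first-run experience as described earlier in this section.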

Additional references