SmartScreen Filter and Resulting Internet Communication in Windows 7 and Windows Server 2008 R2

Updated: December 16, 2009

Applies To: Windows 7, Windows Server 2008 R2

In this section

Benefits and purposes of SmartScreen Filter in Internet Explorer 8

Overview: Using SmartScreen Filter in a managed environment

How SmartScreen Filter communicates with a Web service on the Internet

Controlling SmartScreen Filter to limit the flow of information to and from the Internet

This section explains how SmartScreen® Filter in Internet Explorer® 8 communicates across the Internet, and it explains steps to take to limit, control, or prevent that communication in an organization with many users.

For more information about Internet Explorer 8, see Internet Explorer 8 and Resulting Internet Communication in Windows 7 and Windows Server 2008 R2 in this document.

Internet Explorer 8 includes Microsoft® SmartScreen Filter to help protect against malicious Web sites that host phishing attacks and malware. SmartScreen Filter operates in the background when the browser is running, and it provides an early warning system to notify users of suspicious Web sites that could be engaging in phishing attacks or distributing malware through a socially engineered attack.

SmartScreen Filter is one of the multiple layers of defense in the antiphishing and malware protection strategies developed by Microsoft. For more information, see What is SmartScreen Filter? on the Microsoft Web site.

SmartScreen Filter expands on the defenses that were provided by Phishing Filter (introduced in Internet Explorer 7). It includes the following features, which are described in this document: anti-malware support, prevention of cross-site scripting, new heuristics and enhanced telemetry, an improved user interface, and improved support for Group Policy settings.

The following list describes the enhancements that SmartScreen Filter provides compared to Phishing Filter:

  • Anti-malware support. The SmartScreen Filter helps block sites that are known to distribute malicious software through socially engineered attacks. The anti-malware feature in SmartScreen Filter is URL-reputation-based, which means that it evaluates the servers that are hosting downloads to determine whether those servers are known to distribute host unsafe content. The reputation-based analysis in SmartScreen Filter works with signature-based anti-malware technologies, such as the Malicious Software Removal Tool, Microsoft Security Essentials, and Windows® Defender to protect against malicious software.

  • New heuristics and enhanced telemetry. New heuristics combined with enhanced telemetry allow SmartScreen to identify and block malicious sites more quickly.

  • Improved Group Policy support. Group Policy can be used to enable or disable the SmartScreen Filter for Internet Explorer users across an entire Windows domain. A new Group Policy option is available that allows domain administrators to prevent users from overriding SmartScreen Filter block screens. When these Group Policy restrictions are enabled, the option to ignore the SmartScreen warning is removed from the blocking pages and the dialog box that appears for downloads. For more information, see To Control SmartScreen Filter by using Group Policy later in this document.

  • Improved user interface. SmartScreen Filter is included as one of the options that users can enable the first time they run Internet Explorer 8. After users begin to use Internet Explorer 8, they can enable or disable SmartScreen Filter by selecting the SmartScreen Filter option on the Safety drop-down menu on the default Command Bar. This menu includes many of the security and privacy-related features that users can configure in Internet Explorer 8. Selecting SmartScreen Filter also offers the following options: Check This Website and Report Unsafe Website. When SmartScreen is enabled, if users navigate to a Web site that is known or suspected to be unsafe, the blocking page provides a link to their home page so that they can immediately return to a trusted Web site.

In a managed environment, you can use Group Policy to control SmartScreen Filter in a variety of ways, including the following:

  • Turn on SmartScreen Filter so that it runs automatically on all computers that are running Internet Explorer 8.

  • Block users from overriding or clicking through SmartScreen Filter warnings.

  • Turn off SmartScreen Filter.

For details about the preceding options, see Controlling SmartScreen Filter to limit the flow of information to and from the Internet later in this section.

This subsection describes how SmartScreen Filter might communicate with a site on the Internet as it evaluates a Web site URL that you are trying to reach.

  • Default settings: By default, SmartScreen Filter is disabled unless the feature is enabled by the user or through a Group Policy setting. Users can manually check the reputation for an individual site using the Safety menu.

  • Triggers: When the user visits an Internet Web site, the URL of the site is compared to an “allowed sites” list that is built into SmartScreen Filter. If the URL matches a site on the list, no further reputation checks occur.

    If the URL does not match a site on the list, and SmartScreen Filter is enabled, SmartScreen Filter sends an inquiry to the Microsoft URL Reputation Service. If the URL Reputation Service detects that a URL is a known malicious site, the site is blocked, which helps prevent the user from entering personal information or downloading malware.

  • Specific information sent: The following information is sent over an encrypted (HTTPS) connection to the URL Reputation Web Service:

    • URL: The full request URL is included. However, if the Internet URL is listed as legitimate on the “allowed sites” list, SmartScreen Filter takes no action and nothing is sent.

    • Detailed software version information: The browser version, the SmartScreen Filter version, and the version of the “allowed sites” list.

    • Operating system version: The version of Windows that the browser is installed on.

    • Language and locale setting for the browser: The language and locale for the browser display, for example, English (United States).

    • Anonymous statistics about how often SmartScreen Filter is triggered: SmartScreen Filter tracks basic statistics, such as how often a warning is generated and how often a query is made to the URL Reputation Service. This statistical information is sent to Microsoft and used to analyze the performance and improve the quality of the SmartScreen Filter.

      For more information, see the Internet Explorer 8 Privacy Statement on the Microsoft Web site.

  • User notification: If SmartScreen Filter is enabled, you are not notified when SmartScreen Filter performs a check, but you are notified if SmartScreen Filter detects a known or suspicious phishing site.

  • Logging: By default, SmartScreen Filter does not log events. However, if you use the Application Compatibility Toolkit to enable logging for application compatibility events, SmartScreen Filter logs an event when a Web site is blocked or has suspicious characteristics.

    For information, see Microsoft Application Compatibility Toolkit 5.0.

  • Encryption: All information sent to the URL Reputation Service is encrypted using the HTTPS protocol.

  • Access: The teams that maintain SmartScreen Filter and the URL Reputation Service have access to the data that is sent to the URL Reputation Service (including the anonymous statistics described earlier in this list).

  • Privacy: URLs that are collected may unintentionally contain personal information (depending on the design of the Web site being visited). Like the other information that is sent to Microsoft, this information is not used to identify, contact, or target advertising to users. In addition, Microsoft filters address strings to remove personal information where possible. For more information, see the Internet Explorer 8 Privacy Statement on the Microsoft Web site.

  • Transmission protocol and port: The transmission protocol for any information that is transmitted to the URL Reputation Service is HTTPS, and the port is 443.

  • Ability to disable: SmartScreen Filter can be disabled through the Windows 7 or Windows Server® 2008 R2 interface or through Group Policy. For more information, see Additional references later in this section.

This subsection provides information about how to control settings for SmartScreen Filter.

  1. On the computer on which you want to control SmartScreen Filter, in Internet Explorer, click Safety, point to SmartScreen Filter, and then click Turn on SmartScreen Filter or Turn off SmartScreen Filter. A dialog box appears that restates these options with additional text that explains the value of using Smart Screen Filter and the risks of not using SmartScreen Filter.

  2. Accept the selected option or a different option, and then click OK.

  1. On the computer on which you want to control SmartScreen Filter, in Internet Explorer, click Tools, click Internet Options, and then click the Security tab.

  2. Select Trusted sites.

  3. Under Security level for this zone, click Custom Level, and then scroll down to Use SmartScreen Filter (more than halfway down the list).

  4. Choose the setting that you want to use for Trusted sites (Enable or Disable).

    Internet Explorer Enhanced Security Configuration is a feature in Windows Server 2008 R2. If Internet Explorer Enhanced Security Configuration is enabled on a server running Windows Server 2008 R2, SmartScreen Filter is turned on for Trusted Sites. If you want to change this setting, you must first turn off Internet Explorer Enhanced Security Configuration in the Security Information section of Server Manager. For more information, see Internet Explorer 8 and Resulting Internet Communication in Windows 7 and Windows Server 2008 R2.

  1. Using an account with domain administrative credentials, log on to a computer running Windows Server 2008 R2 (with the Group Policy Management feature installed) or Windows 7. Then open the Group Policy Management Console (GPMC) by running gpmc.msc, and edit an appropriate Group Policy object (GPO).

    You must perform this procedure by using GPMC on a computer running Windows Server 2008 R2 or Windows 7. For information about using Group Policy, see Appendix B: Resources for Learning About Group Policy for Windows 7 and Windows Server 2008 R2.

  2. If you want the Group Policy setting to apply to all users of a computer and to come into effect when the computer starts or when Group Policy is refreshed, expand Computer Configuration. If you want the Group Policy setting to apply to users and to come into effect when users log on or when Group Policy is refreshed, expand User Configuration.

  3. Expand Policies (if present), expand Administrative Templates, expand Windows Components, and then click Internet Explorer.

  4. In the details pane, double-click Turn off Managing SmartScreen filter. Click Enabled, which means that users cannot control SmartScreen Filter settings, and then choose a setting for Select SmartScreen filter mode:

    • On: Automatic SmartScreen Filter is always turned on in Security Zones for which the feature is Enabled.

    • Off: SmartScreen Filter does not automatically perform reputation checks. Users can manually trigger a check by using the Safety menu.

      Disabling this Group Policy setting (Turn off Managing SmartScreen filter) does not disable SmartScreen Filter. Users can control SmartScreen Filter settings on a local computer that is running Windows Server 2008 R2.

Community Additions