Verizon’s 2021 Data Breach Investigation Report data shows that malicious software is involved in more than 70% of system intrusions (including computer hacks). Windows Defender SmartScreen is one of the tools that helps to protect your device against these software-based threats — let’s explore what it is and how it works to protect your PC.
When you’re online, you have the ability to download files from virtually anywhere. You can choose to purchase and download games, music, movies, and other types of files from trusted sources, or you can download files from shareware and third-party websites. Depending on which route you choose to take, there may be risks involved, and your device will try to protect itself — and you — against cyber threats. This is where Windows Defender SmartScreen comes to the rescue.
If you’ve ever seen any of these warning messages on your computer, you’ve benefitted from Windows Defender SmartScreen:
But what is Windows Defender SmartScreen? What does it do and how does it help keep you safe online?
What Is Windows Defender SmartScreen?
Windows Defender SmartScreen is your computer’s version of a superhero — it fights evil by working both in your browser and on your computer to identify and protect you from bad websites and software programs. This reputation-based protection tool is part of Windows Defender, your operating system’s built-in antivirus program, and serves as an alert system. Its purpose is to protect your PC by preventing you from visiting dangerous websites and downloading and/or installing malicious software programs.
Most types of malicious software (malware) require you to install them before they can cause harm to your device. But Windows SmartScreen attempts to protect you both during and before starting the installation process in three key ways:
- Checks software applications and files that you attempt to install. This includes checking software-based threats (such as malware and potentially unwanted applications, or PUAs) that you have on your computer or download from third-party stores.
- Analyzes websites you visit and files you download in Microsoft Edge. This browser-based tool looks for malware and PUAs in the files you download using Microsoft web browsers (like Internet Explorer and Edge). It also warns you of suspicious and dangerous websites.
- Checks the software and other files you download from the Microsoft Store. Windows Defender SmartScreen also looks at items you download from the Microsoft Store to try to prevent you from downloading and installing anything malicious.
What Windows Defender SmartScreen Does
Microsoft describes the browser protection aspect of their tool nicely:
“SmartScreen checks files that you download from the web against a list of reported malicious software sites and programs known to be unsafe. If it finds a match, SmartScreen will warn you that the download has been blocked for your safety. SmartScreen also checks the files that you download against a list of files that are well known and downloaded by many people who use Internet Explorer [or Microsoft Edge]. If the file that you’re downloading isn’t on that list, SmartScreen will warn you.”
But what does all of this really mean? Let’s break it down some more.
SmartScreen Tool Offers In-Browser Protection Against Malicious Sites & Software
When you visit a suspicious or malicious page using the Microsoft Edge browser, one of the following warning messages will likely pop up in your browser:
When you try to download software from an unknown publisher using the Microsoft Edge browser, one of the two following warning messages will pop up in your browser:
Of course, you’d only see these warnings in the Edge browser. If you use other browsers such as Google Chrome or Mozilla Firefox, you won’t see that same pop-up display. Rather, you’ll receive different messages when you download software and attempt to install it on your device.
SmartScreen Triggers the “Windows Protected Your PC” Messages For Software Installations
Ever see that vibrant blue window pop up that says “Windows protected your PC”? What about the alarming red sister message that warns about a malicious file? These messages aim to warn you that you’re in danger and need to take a moment to evaluate the situation. They look like this:
Screenshots of the “Windows Protected Your PC” message and malicious file warning that display due to Microsoft Defender SmartScreen.
The first warning on the left displays when you try to install software from a small or otherwise unknown publisher (i.e., someone who doesn’t have an established reputation with Microsoft). Basically, you might see this warning when you try to install software from an unknown publisher who doesn’t sign their software with an EV code signing certificate, or who doesn’t sign their software at all.
The second warning displays when you try to install software that matches one or all of the following:
- Comes from an unverified publisher,
- Is known to be malicious, or
- Isn’t included on Microsoft’s list of “well known and downloaded” programs they talked about earlier.
How Microsoft Windows Defender SmartScreen Works
Windows SmartScreen is a tool for Windows-based systems that aims to protect your device against phishing and malicious software applications and websites. In particular, it helps to protect your device against threats posed by applications that come from unknown publishers.
This tool may run all the time in the background, or it may only activate when you try to download and install suspicious software applications. Either way, when you try to run the .exe to install the software, the process causes the SmartScreen filter to perform a special reputation check of the software and its publisher to ensure they’re both legitimate.
- Checks the software’s reputation on its list of commonly downloaded applications. It checks to see whether the software is commonly downloaded and has an established reputation.
- Looks for a digital signature that verifies the signer’s identity. A digital signature helps your browser or OS know whether a known publisher signed the software. These signatures are applied through the use of code signing certificates, which we’ll talk about a little later.
- Performs a checksum to ensure the hash value matches. Every piece of signed code has a hash value that helps prove its authenticity (i.e., that the software is the “real deal” and isn’t malicious software in disguise).
How SmartScreen Checks the Integrity of Signed Software
The hashing verification process can be a bit complex. Let’s break down how it all works into simpler terms.
- Windows Defender SmartScreen computes a cryptographic hash value for the file. This hash — basically, a long string of numbers that identify that unique file — is a way for the tool to determine whether the software was signed by a known and trusted developer or publisher.
- Windows SmartScreen sends the hash information to Microsoft’s servers. This process involves checking the resulting hash value with information Microsoft keeps on file. (If the number they generate matches the one for the software, it means that it hasn’t been messed with. If the hash doesn’t match, it means that it’s been altered.)
- Microsoft’s server responds to let SmartScreen know whether the file is safe. If the file is deemed safe, Windows proceeds with allowing the download or installation to occur. If not, then it blocks the application from installing or opening.
We won’t get any more technical than this — basically, it’s about checking to ensure that the software was signed by a real, known person or organization, and that the software hasn’t been messed with since they signed it.
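To see the local inputs to this kind of check for yourself, the PowerShell below (an added example, not Microsoft's SmartScreen code and not from the original article) computes a file's SHA-256 hash and reads its digital signature status with the built-in Get-FileHash and Get-AuthenticodeSignature cmdlets. The function name and the sample path are hypothetical, and the EV flag is a heuristic based on the CA/Browser Forum EV code signing policy OID.

```powershell
# Added example. Get-InstallerTrustSummary is a hypothetical helper name.
function Get-InstallerTrustSummary {
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop

    # The value that identifies this exact file; changing any byte changes it.
    $hash = Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256

    # Authenticode result: Valid, NotSigned, HashMismatch, NotTrusted, ...
    $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName
    $cert = $sig.SignerCertificate

    # Heuristic: EV code signing certificates carry policy OID 2.23.140.1.3
    # in the Certificate Policies extension (2.5.29.32).
    $isEv = $false
    if ($cert) {
        $policies = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.32' }
        if ($policies) {
            $isEv = $policies.Format($false) -match '2\.23\.140\.1\.3(\D|$)'
        }
    }

    # Translate the signature status into plain language.
    $meaning = switch ($sig.Status) {
        'Valid'        { 'Signed; file unchanged since signing' }
        'NotSigned'    { 'No signature; publisher cannot be identified' }
        'HashMismatch' { 'File changed after it was signed' }
        'NotTrusted'   { 'Signed, but the certificate is not trusted on this PC' }
        default        { "Signature could not be verified ($($sig.Status))" }
    }

    [pscustomobject]@{
        File      = $file.Name
        SHA256    = $hash.Hash
        Status    = $sig.Status
        Meaning   = $meaning
        Publisher = if ($cert) { $cert.Subject } else { $null }
        EVPolicy  = $isEv
    }
}

# Usage (the path is a placeholder):
# Get-InstallerTrustSummary -Path "$env:USERPROFILE\Downloads\setup.exe" | Format-List
```

A Valid status only says the file is intact and the signer's certificate chains to a trusted root; whether SmartScreen shows a warning still depends on the reputation lookup described above.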
The Role of Trust and Identity in Software Security
Trust and identity are both critical elements at the center of internet security. Without verifiable identity, trust can’t exist, and without trust, secure communications aren’t possible. After all, if you don’t know with 100% certainty that the person you’re talking to online is who they say they are, how can you trust them?
This is also important for software security. Why would you want to install software that results in displaying scary warnings? Thankfully, there is something that a software publisher can do to prevent the Windows Defender SmartScreen messages we talked about earlier from popping up: they can sign their software applications using an EV code signing certificate. Signing software with one of these certificates makes those scary warnings go away for good.
EV Code Signing Certificates Get Rid of SmartScreen Warnings
When users try to download and install software from new or little-known software publishers (i.e., software creators who haven’t yet established reputations with Microsoft), their actions are virtually guaranteed to trigger Windows SmartScreen warnings. Even if the publishers sign their software using standard code signing certificates, the SmartScreen warnings will still trigger. This is because their applications don’t have established reputations with Microsoft.
This is troubling for users because legitimate software from new or small publishers typically has a hard time gaining reputation on its own. (After all, it takes a lot of time to get tons of users to download your applications when they’ve never heard of you!) This means that every time you try to download or install software from these publishers, it’ll trigger these scary warning messages.
The only way a software publisher can ensure their software is trusted automatically is to sign their code using an EV code signing certificate. An extended validation (EV) code signing certificate takes the verification process of standard certificates to the next level. And in addition to having to have a certificate installed on the device they use to sign the software, the signer also must have physical possession of a separate security token to apply their digital signature.
So, what’s the result of signing code using an EV code signing certificate? No more SmartScreen application reputation filter warnings on users’ screens because they have instant trust with Microsoft. This is true even for brand new applications that you’re releasing for the first time — they’re trusted immediately! Pretty cool, huh?
Final Takeaways on Windows Defender SmartScreen
It’s no wonder that the internet is such a dangerous place — phishing websites and malicious (or at least suspicious) software programs seem to be everywhere. AV-TEST Institute reports more than 450,000 new malware and PUA programs are created on average every day. With so many nasty and ill-intended programs out there, it’s good to know that you’ve got something on your side that is fighting to keep you safe from these threats.
For software publishers, this just means they need to have the right tools at their disposal to allow their applications to gain immediate trust with Microsoft. Signing applications with an EV certificate is a win-win situation for users and software developers alike.