Verizon’s 2021 Data Breach Investigation Report data shows that malicious software is involved in more than 70% of system intrusions (including computer hacks). Windows Defender SmartScreen is one of the tools that helps to protect your device against these software-based threats — let’s explore what it is and how it works to protect your PC
When you’re online, you have the ability to download files from virtually anywhere. You can choose to purchase and download games, music, movies, and other types of files from trusted sources, or you can download files from shareware and third-party websites. Depending on which route you choose to take, there may be risks involved, and your device will try to protect itself — and you — against cyber threats. This is where Windows Defender SmartScreen comes to the rescue.
If you’ve ever seen any of these warning messages on your computer, you’ve benefitted from Windows Defender SmartScreen:
But what is Windows Defender SmartScreen? What does it do and how does it help keep you safe online?
What Is Windows Defender SmartScreen?
Windows Defender SmartScreen is your computer’s version of a superhero — it fights evil by working both in your browser and on your computer to identify and protect you from bad websites and software programs. This reputation-based protection tool is part of Windows Defender, your operating system’s built-in antivirus program, and serves as an alert system. Its purpose is to protect your PC by preventing you from visiting dangerous websites and downloading and/or installing malicious software programs.
Most types of malicious software (malware) require you to install them before they can cause harm to your device. But Windows SmartScreen attempts to protect you both during and before starting the installation process in three key ways:
Checks software applications and files that you attempt to install. This includes checking software-based threats (such as malware and potentially unwanted applications, or PUAs) that you have on your computer or download from third-party stores.
Analyzes websites you visit and files you download in Microsoft Edge. This browser-based tool looks for malware and PUAs in the files you download using Microsoft web browsers (like Internet Explorer and Edge). It also warns you of suspicious and dangerous websites.
Checks the software and other files you download from the Microsoft Store. Windows Defender SmartScreen also looks at items you download from the Microsoft Store to try to prevent you from downloading and installing anything malicious.
“SmartScreen checks files that you download from the web against a list of reported malicious software sites and programs known to be unsafe. If it finds a match, SmartScreen will warn you that the download has been blocked for your safety. SmartScreen also checks the files that you download against a list of files that are well known and downloaded by many people who use Internet Explorer [or Microsoft Edge]. If the file that you’re downloading isn’t on that list, SmartScreen will warn you.”
But what does all of this really mean? Let’s break it down some more.
SmartScreen Tool Offers In-Browser Protection Against Malicious Sites & Software
When you visit a suspicious or malicious page using the Microsoft Edge browser, one of the following warning messages will likely pop up in your browser:
When you try to download software from an unknown publisher using the Microsoft Edge browser, one of the two following warning messages will pop up in your browser:
Of course, you’d only see these warnings in the Edge browser. If you use other browsers such as Google Chrome or Mozilla Firefox, you won’t see that same pop-up display. Rather, you’ll receive different messages when you download software and attempt to install it on your device.
SmartScreen Triggers the “Windows Protected Your PC” Messages For Software Installations
Ever see that vibrant blue window pop up that says “Windows protected your PC”? What about the alarming red sister message that warns about a malicious file? These messages aim to warn you that you’re in danger and need to take a moment to evaluate the situation. They look like this:
Screenshots of the “Windows Protected Your PC” message and malicious file warning that display due to Microsoft Defender SmartScreen.
The first warning on the left displays when you try to install software from a small or otherwise unknown publisher (i.e., someone who doesn’t have an established reputation with Microsoft). Basically, you might see this warning when you try to install software from an unknown publisher who doesn’t sign their software with an EV code signing certificate, or they don’t sign their software at all.
The second warning displays when try to install software that matches one or all of the following:
Comes from an unverified publisher,
Is known to be malicious, or
Isn’t included on Microsoft’s list of “well known and downloaded” programs they talked about earlier.
How Microsoft Windows Defender SmartScreen Works
Windows SmartScreen is a tool for Windows-based systems that aim to protect your device against phishing and malicious software applications and websites. In particular, it helps to protect your device against threats posed by applications that come from unknown publishers.
This tool may run all the time in the background, or it may only activate when you to download and install suspicious software applications. Either way, when you try to run the .exe to install the software, the process causes the SmartScreen filter to perform a special reputation check of the software and its publisher to ensure they’re both legitimate.
Checks the software’s reputation on its list of commonly downloaded applications. It checks to see whether the software is commonly downloaded and has an established reputation.
Looks for a digital signature that verifies the signer’s identity. A digital signature helps your browser or OS know whether a known publisher signed the software. These signatures are applied through the use of code signing certificates, which we’ll talk about a little later.
Performs a checksum to ensure the hash value matches. Every piece of signed code has a hash value that helps prove its authenticity (i.e., that the software is the “real deal” and isn’t malicious software in disguise).
How SmartScreen Checks the Integrity of a Signed Software
The hashing verification process can be a bit complex. Let’s break down how it all works into a little more simple terms.
Windows Defender SmartScreen computes a cryptographic hash value for the file. This hash — basically, a long string of numbers that identify that unique file — is a way for the tool to determine whether the software was signed by a known and trusted developer or publisher.
Windows SmartScreen sends the hash information to Microsoft’s servers. This process involves checking the resulting hash value with information Microsoft keeps on file. (If the number they generate matches the one for the software, it means that it hasn’t been messed with. If the hash doesn’t match, it means that it’s been altered.)
Microsoft’s server responds to let SmartScreen know whether the file is safe. If the file is deemed safe, Windows proceeds with allowing the download or installation to occur. If not, then it blocks the application from installing or opening.
We won’t get any more technical than this — basically, it’s about checking to ensure that the software was signed by a real, known person or organization, and that the software hasn’t been messed with since they signed it.
The Role of Trust and Identity in Software Security
Trust and identity are both critical elements at the center of internet security. Without verifiable identity, trust can’t exist, and without trust, secure communications aren’t possible. After all, if you don’t know with 100% certainly that the person you’re talking to online is who they say they are, how can you trust them?
This is also important for software security. Why would you want to install software that results in displaying scary warnings? Thankfully, there is something that a software publisher can do to prevent the Windows Defender SmartScreen messages we talked about earlier from popping up: they can sign their software applications using an EV code signing certificate. Signing software with one of these certificates makes those scary warnings go away for good.
EV Code Signing Certificates Get Rid of SmartScreen Warnings
When users try to download and install software from new or little-known software publishers (i.e., software creators who haven’t yet established reputations with Microsoft), their actions are virtually guaranteed to trigger Windows SmartScreen warnings. Even if the publishers sign their software using standard code signing certificates, the SmartScreen warnings will still trigger. This is because their applications don’t have established reputations with Microsoft.
This is troubling for users because legitimate software from new or small publishers typically have a hard time gaining reputation on their own. (After all, it takes a lot of time to get tons of users to download your applications when they’ve never heard of you!) This means that every time you try to download or install software from these publishers, it’ll trigger these scary warning messages.
The only way a software publisher can ensure their software is trusted automatically is to sign their code using an EV code signing certificate. An extended validation (EV) code signing certificate takes the verification process of standard certificates to the next level. And in addition to having to have a certificate installed on the device they use to sign the software, the signer also must have physical possession of a separate security token to apply their digital signature.
So, what’s the result of signing code using an EV code signing certificate? No more SmartScreen application reputation filter warnings on users’ screens because they have instant trust with Microsoft. This is true even for brand new applications that you’re releasing for the first time — they’re trusted immediately! Pretty cool, huh?
Final Takeaways on Windows Defender SmartScreen
It’s no wonder that the internet is such a dangerous place — phishing websites and malicious (or at least suspicious) software programs seem to be everywhere. AV-TEST Institute reports more than 450,000 new malware and PUA programs are created on average every day. With so many nasty and ill-intended programs out there, it’s good to know that you’ve got something on your side that is fighting to keep you safe from these threats.
For software publishers, this just means they need to have the right tools at their disposal to allow their applications to gain immediate trust with Microsoft. Signing applications with an EV certificate is a win-win situation for users and software developers alike.
Code Signing Best Practices
Download thisCode Signing Best Practices guideto improve your software and supply chain security.
Help keep your end users safe from supply chain attacks.
Prove your software's authenticity using digital identity.
Protect your software's integrity by preventing alterations.
New users – if this is your first time purchasing a cloud signing product from us, check the email address entered during enrollment for a message from DigiCert. Create your password and follow this guide.
Existing users – if you’ve purchased a cloud signing certificate in this account before, you already have an account. We’ve update your DigiCert CertCentral account to allow another Code Signing Certificate request. Login to your account here.
Code Signing Certificate Delivery Options
Industry standards set by the CA/B Forum now require that all code signing certificate keys be stored on a FIPS-compliant hardware security module (HSM) or hardware token. This is an industry-wide countermeasure against the rise in breaches associated with stolen signing keys. Only certificates that follow these requirements will be trusted by Microsoft Windows and other platforms.
We offer several options to deliver your code signing certificate in compliance with these new requirements:
Easiest Option: Token + Shipping
This is the simplest option and what we recommend for most customers. DigiCert will ship a USB eToken to you, then you’ll use DigiCert’s provided software to download and install the certificate onto your USB Token.
You’ll be able to plug the USB token into your computer or server then sign files using your preferred tool (eg. SignTool.exe, JarSigner, etc.)
Use an Existing Token
If you already own a compatible USB eToken (SafeNet 5110 CC, SafeNet 5110 FIPS, or SafeNet 5110+ FIPS), you can use DigiCert’s provided software to download and install the certificate onto your USB token.
Advanced Option: Install on a Hardware Security Module (HSM)
If you use a cloud or on-prem hardware security module (HSM), you can choose this option to download and install your certificate onto your HSM. DigiCert will send you an email asking you to confirm that your HSM meets the security standards, then they’ll deliver the certificate to you digitally for installation.
Any FIPS 140 Level 2, Common Criteria EAL 4+, or equivalent HSM is compatible for this option. You can use an HSM you manage directly or you may use a key storage/vault solution that uses a compliant HSM (for example, Azure Key Vault or AWS KMS).
Code Signing Certificate Delivery Options
Industry standards set by the CA/B Forum now require that all code signing certificate keys be stored on a FIPS-compliant hardware security module (HSM) or hardware token. This is an industry-wide countermeasure against the rise in breaches associated with stolen signing keys. Only certificates that follow these requirements will be trusted by Microsoft Windows and other platforms.
We offer several options to deliver your code signing certificate in compliance with these new requirements:
Easiest Option: Get your certificate shipped from Sectigo on a USB token
This is the simplest option and what we recommend for most customers. Just choose one of these options to have your code signing certificate and key shipped to you on a FIPS-compliant eToken (USB token):
Delivery Option
Shipping Details
USB Token + Shipping (US)
Ground shipping to addresses within the United States.
USB Token + Expedited Shipping (US)
Air express shipping to addresses within the United States.
USB Token + International Shipping (non-US)
Choose this option if your shipping address is not in the United States.
You’ll be able to plug the USB token into your computer or server then sign files using your preferred tool (eg. SignTool.exe, JarSigner, etc.)
Advanced Option: Install on your own HSM or hardware token
If you already own a compliant token or HSM, you can choose this option to download and install the certificate onto your supported device:
Luna Network Attached HSM V7.x
YubiKey 5 FIPS Series
Only the listed models are compatible. For compatibility with other HSM models, please choose a DigiCert or GoGetSSL code signing certificate.
Code Signing Certificate Delivery Options
Industry standards set by the CA/B Forum now require that all code signing certificate keys be stored on a FIPS-compliant hardware security module (HSM) or hardware token. This is an industry-wide countermeasure against the rise in breaches associated with stolen signing keys. Only certificates that follow these requirements will be trusted by Microsoft Windows and other platforms.
We offer several options to deliver your code signing certificate in compliance with these new requirements:
Easiest Option: Get your certificate shipped from Comodo CA on a USB token
This is the simplest option and what we recommend for most customers. Just choose one of these options to have your code signing certificate and key shipped to you on a FIPS-compliant eToken (USB token):
Delivery Option
Shipping Details
USB Token + Shipping (US)
Ground shipping to addresses within the United States.
USB Token + Expedited Shipping (US)
Air express shipping to addresses within the United States.
USB Token + International Shipping (non-US)
Choose this option if your shipping address is not in the United States.
You’ll be able to plug the USB token into your computer or server then sign files using your preferred tool (eg. SignTool.exe, JarSigner, etc.)
Advanced Option: Install on your own HSM or hardware token
If you already own a compliant token or HSM, you can choose “Install on Existing HSM” to download and install the certificate onto your supported device:
Luna Network Attached HSM V7.x
YubiKey 5 FIPS Series
Only the listed models are compatible. For compatibility with other HSM models, please choose a DigiCert or GoGetSSL code signing certificate.
Email Us
+1 (727) 291-0611
Chat Now
