Anatomy of a Real World Attack with Application Reputation

http://blogs.msdn.com/b/ie/archive/2011/05/17/smartscreen-174-application-reputation-in-ie9.aspx

 

From time to time I run IE9 to download apps and see what it says about them, and sometimes it literally eats them.

No option to keep downloading or anything like that. It starts downloading and all of a sudden, it gives that red warning and eliminates the file, which has not been fully downloaded, to start with.

This feature should had been worked out a little more, IMHO.

 

A red warning suddenly appearing halfway through your download is a sure sign of 3rd party software conflicts I'm afraid. The file hasn't been fully downloaded due to xyz reasons on your system and IE is hashing the half downloaded file which won't have a valid signature and will definitely not be commonly downloaded. A.K.A. not an IE issue.

 

So, did Microsoft not properly test their IE9 feature with Microsoft Security Essentials?

A.K.A a problem with Microsoft.

Sorry, but IE9 isn't all that perfect, and yes, it eats some downloads. A lot more people have reported it as well.

 

As you already know I use MSE and IE9, I've never experienced this issue and this is the first time I've heard anyone mention it. I guess other users are just lucky?

How would you suggest Microsoft go about this? If 3rd party conflicting software is terminating the download, how would IE9 detect that the download is unfinished? How would the user know the download is unfinished?

 

I just mentioned that the only "third-party" security app is MSE.

Just because it hasn't happened with you, so far, it doesn't mean it isn't happening to others, and that it won't happen.

The answer isn't always a third-party conflict; sometimes it's a first-party conflict.

 

I took a quick look over connect and couldn't find anyone having the issue. All I'm saying is you're very quick to lay blame on a technology that's doing an amazing everyday job at protecting users where the issue is infact incompatibilities with your machine/software. Then you follow that up with no input on how Microsoft could solve this.

Logically thinking about it, it's working fine. IE9 thinks the download is finished because of whatever situation on your PC is causing it. It has never seen the file before, because it's half of one, and will also not have any form of valid signature, because it's half a file. From what I can see, it's working perfectly fine?

I don't see what Microsoft could change to solve your situation other than try help you work out where the issue is?

 

I never said I saw it mentioned at Microsoft's forums. I've seen other people mentioning it.

You don't know where the problem lies either. So, it's all speculation.

Whether or not it was just a fluke, I didn't verify at any later moment, whether or not downloading the same app. would be OK. I honestly don't have traffic to waste on such testing. But, I know that it happened, and I know that other people have reported issues with it as well.

I just related what I experienced. It obviously is no reflection of what may be the general experience. I also won't be contacting Microsoft, because I do not wish to use IE, at all. I just decided to give it a little sping. That was all.

If any IE9 user experiences such situations, then they should help solve it. The same way I help Chromium by reporting bugs that I find. Something of my interest. Not so with IE9, so...

 

Once again, marketing. There are effective alternative for SmartScreen tsuch as LinkScanner and TrafficLight.
If it wants to boast about Application Reputation, let's see how it compares to a HIPS that checks for digital signatures.
Also, the Anti-Virus Signatures Shipped isn't applicable to all of them. Some update frequently (like every hour). Cloud AVs update in real-time.

 

Instead of praising a technology that time and time again has been succesful at protecting end users you try to find excuses?

Both of which are 3rd party downloads and both of which come with their own set of problems. Unlike SmartScreen which is built directly into the browser. Feel free to google "issue with linkscanner"

You should read the article, part of SmartScreen file reputation is checking for digital signatures. It also has 0 system impact unlike HIPS programs.

You seem to completely ignore the fact that cloud or not, signatures need to be made. This requires humans to find malware, test it in a virtual environment, create a "cure", extensively test the "cure", then deploy it. Even if it is a cloud application, these rules still apply. No AV has ever been 100% at 0 day protection and never will be.

 

Excuses? Please, they're clearly reasons.

SmartScreen Filter isn't perfect either.

How do you prove that claim?

The rules still apply for Microsoft as well.

 

Trying to degrade peoples hard work at protecting users by calling it marketing, right. They are clearly boasting, but why wouldn't they?

Nothing made by humans ever will be.

That it checks signatures? Read the article... it's a well known fact.

No, this has nothing to do with AV. This is about blocking downloads when no data of the file is available, look at the graph.

 

By that logic, you shouldn't be degrading my reasons as excuses either.

What do you mean by that? The article has no mentions of HIPS or resource usage.

I'm not talking about the AV. Application reputation needs updates as well, but at a slower pace. Malware can steal legitimate signatures.

 

Do you both a favour and stop throwing nonsense around. What logic in specific is flawed that I shouldn't be "degrading" your "reasons" (which are nothing other than excuses for diminishing this article).

I didn't realize you needed an article to tell you that HIPS programs are infact, programs, that install on your machine, and consume resources.
This article has nothing to do with HIPS, it was you that brought it up in a futile attempt at diminishing these results. How EXACTLY do you compare a program that does nothing other than throw up a dry yes or no warning (which gives the user no reassurance about file legitimacy) against a reputation system that has known identified malware that is blocked, and known good files that are allowed to run without warnings?

Again I can tell you've not even bothered to read the article, you've just gone ahead and spewed nonsense for the sake of degrading MS's work. God forbid we can't let people know that "M$" is doing good things instead of hunting for money right?

If you actually took a moment to read the article, you'd realize how silly (and I use the term lightly) the statement "application reputation needs updates" is.

Also, malware files have only ever had a legitimate signature once (stuxnet) and the signatures were invalidated within hours, not to mention it took the power of a government to do it, I bet malware authors have it real easy! I'm curious why you bring that up as an argument after stating "let's see how it compares to a HIPS that checks for digital signatures".

 

Nonsense is exactly what your derogatory comments are.

Do you need an article to tell you that browsers are in fact installed programs that consume resources? HIPS may be a bad comparison, but they do use application reputation.

I've read it and criticized it. Simple as that, degrading is just a side-effect.

It has happened, and needs to be updated afterwards. Invalidation is an update. Stuxnet isn't the only case by the way.

 

Again, point out which comment in specific is nonsense, all I've done is try to teach you something you clearly don't seem to understand.

Lol what? Are you seriously telling me that browsers consume resources, thanks for the information sherlock. This is an article on how a browser can protect you before an AV even has the ability to do so. Where exactly are you going with this?

You've yet to bring up any form of valuable criticism other than useless dribble like "HIPS CAN DO IT TOO!!11ONE", which has completely nothing to do with this article, and completely not the point of this article.

Again I must ask where are you going with this? If you're suggesting a valid signature would bypass SmartScreen, it doesn't. It only adds to the reputation, and even then, only known trusted issuers add to the reputation.

Though feel free to elaborate on what other malware has had a digital signature and how long they remained valid. Oh also, wouldn't that fool HIPS, unlike SmartScreen?

Smells to me like you're desperately trying to come up with any excuse.

 

Other than flaming me, you've taught nothing more than what the article already provided.

You said HIPS consume resources, same can be said with browsers and of course SmartScreen Filter.

You must be blind to think I've only talked about HIPS. The only one saying nonsense is you.

If you're suggesting a malware with trusted signature in SmartScreen Filter cannot bypass it, then prove that.

Google signed malware, and you'll see plenty of results. It would fool a HIPS as well.

Smells to me you're desperately trying to mock others.

 

Smartscreen filter has been a success and is easy to use....its effective for what is is. Anything can be bypassed, if you use IE there are no resource hogging issues or inconveniences caused by the Smartscreen filter, hence no reason not to use it.

 

While I do agree it's good at its job, SmartScreen Filter does use resources (didn't say hog) and can cause inconveniences.
For something to scan websites/downloads and not use resources cannot make sense. False positives do cause inconvenience.

 

Really, because the impression you broadcast is you simply haven't read it, at all.

Oh wow, are you honestly suggesting that a cloud based reputation system that uses next to 0 resources short of downloading a list is comparable to installing a full blown HIPS application that hooks in every part of your system and runs on bootup?

I ask for the 3rd time where you're going with this. If HIPS is such magic sauce, why isn't it mainstream and killed AV? Oh that's right, because no one wants to be nagged about every single file.

But I'm sure you'd rather use HIPS AND a browser both consuming resources right? The article has made it quite clear that application reputation is very effective and is beating traditional AV. Yet traditional AV is hands down more popular than HIPS.

That IS all you've talked about.

"If it wants to boast about Application Reputation, let's see how it compares to a HIPS that checks for digital signatures."

That is the ONLY thing you've said to try and "counter" MS claim for whatever reason you have that you feel the need to do so. How exactly am I the blind one here?

Stop making stuff up. I said it would be significantly more difficult to bypass than HIPS. Basic logic at it's best. File reputation > random popup.

Source please?

Smells like you've responded with absolutely nothing and once again are trying to diminish the work of Microsoft with no excuse other than "HIPS DOES IT TOO!!11ONE", when infact, SmartScreen is clearly doing it better.

 

Your opinion only.

Nope, I'm just suggesting it uses resources.

Never said HIPS is a magic sauce, stop putting words in my mouth.

Sure, pretty much anything beats traditional AV.

Hell no, it isn't. I've talked about update frequency, resource usage, your nonsense finger pointing, worthless babble, degradation, signed malware, etc. Yet you only remember HIPS. Why is that so?

I didn't make stuff up, look at your own posts. Specifically:

and

Don't be so lazy. Google it.

Once again, gibberish by the funky-looking guy.

 

What precisely is my opinion only?

What kind of resources? Look at the resource usage with IE loaded. I'd take that over hooking my entire system and causing possible instability and future issues with Windows patches.

You're trying to say it's an equivalent or superior to SmartScreen which it clearly isn't, SS doesn't spam you with warnings, it gives you meaningful information and blocks known threats.

How does "update frequency" invalidate SmartScreen and this article?

How does "resource usage" invalidate SmartScreen and this article?

It's the only thing you've mentioned as a viable match to SmartScreen's ability to block malware, is that unclear or what?

You come to this thread, trash talk SmartScreen and the brilliant work these Microsoft engineers are doing as "marketing" with nothing other than HIPS as an alternative then your argument to me is "Google it"? Thanks for the laughs.

 

Your impression of me.

Still is resource usage. Plain and simple.

Once again, putting words into my mouth. HIPS can give meaningful information as well, and allows you to permit it, which is useful for FPs

They don't necessary make it invalid, but those do exist.

I've also mentioned LinkScanner, TrafficLight, and Cloud AVs. Is that unclear or what?

You come putting words in my mouth, mocking me, continuously referring to the original article even for nonexistent information, and forgetting parts of previous conversations. LOL

FYI, here's one article out of many ~ Snipped as per TOS ~.

 

~ Snipped as per TOS ~

I can see you're obviously becoming agitated and starting to break open the rude personal remarks so this debate is obviously over. I'll leave you with some facts and feelings.

Facts:
SmartScreen is a safety mechanism meant to add an additional layer in protecting users, not a replacement for security software.
It is built directly into IE, a browser, the most commonly used application on computers and therefor, a prime place to add additional protection mechanisms such as SmartScreen to protect users.
A tiny fraction of Windows users even know what HIPS, Linkscanner, or TrafficLight is, nevermind using them.

Feelings:
I can't for the life of me understand how Microsoft protecting users upsets you to the point you claim it as marketing.
I can't understand how you would prefer 3rd party programs such as HIPS and toolbars, all with a past history of causing issues, over Microsoft's SmartScreen witch keeps getting better and better and has yet to cause any form of issues with browsing websites or updating system components.

 

Not much ruder than this:

Finally some agreeable facts.

As for the feelings, they don't upset me. The original thread title, and obvious IE boasting in the article just got on my nerves a little.

Don't use SmartScreen, cause I don't use IE. HIPS and toolbars cover much more area, including my preferred browser.