I am one of the creators of SmartScreen application reputation. SmartScreen is a reputation-based safety feature that allows 'known' downloaded software to run friction-free but interrupts the execution of 'unknown' downloaded software with a 'stranger-danger' warning. SmartScreen application reputation was first launched in IE9 (2010/2011) and then was integrated into Windows (starting with Windows 8 in 2012). It has been a few years since I worked on SmartScreen, but I thought providing some context may be interesting. Windows 7 made great strides in addressing software vulnerabilities. And bad guys quickly moved from software vuln exploits to socially engineered attacks. They tricked users into downloading and running spurious programs (using a variety of techniques - ranging from SEO to scare-ware websites that tricked people into thinking that their machines were compromised to running sophisticated ad campaigns). The problem with the traditional anti-virus (AV) approach was that by the time the AV analysts could get their hands on a new binary, analyze it, classify it as malicious, write a signature, and distribute it - it was generally too late. The bad guys monetized the latency between when they published a new binary on the internet and when the AV vendors were able to effectively detect it as malware. SmartScreen tried to flip that dynamic - by using reputation. By volume, the majority of downloads were benign; there was no point in warning users when the likelihood of future infections from such downloads was nearly zero. However, for software that had never been seen before - there was a significant risk associated with it - all the yet-undetected malware resided in that set (depending on the situation and context - the risk of future malware infection could range from 25% to 75%).
So, for 'known' software, SmartScreen eliminated the mostly-useless warning (that everyone had grown used to clicking through); for 'unknown' software (which the AV companies still hadn't deemed as malicious; yet-undetected-malware would be 'unknown'), SmartScreen showed a 'stranger-danger' warning. This was incredibly effective in stemming the socially engineered malware attacks. In the overwhelming majority of the cases - users did the right thing; they chose not to run the downloaded programs that were later detected as malicious. When SmartScreen was launched, nearly 7% of all downloads were later detected as malware by AV. In a couple of years, the incidence of socially engineered malware had dropped significantly (By a ton! By many orders of magnitude. Most bad actors changed their business model to bundleware - bundling unwanted, non-malicious, software with popular downloads). An important factor was that SmartScreen had expansive coverage on (knew about) all executable binaries downloaded from the Internet - in order to mitigate the risk of users getting used to ignoring the warnings if they saw those too often. Most users saw one or two SmartScreen warnings in a year. And, when they saw the warnings, the risk was significant - and users did the right thing in those cases (not run the downloaded program). SmartScreen provided highly effective 0-hour protection against socially engineered malware by helping users make the right trust-decisions. There was some friction - for developers and advanced users (who downloaded esoteric, non-very-commonly-downloaded software more frequently). For developers, reputation came in two forms - either each individual binary that they published could 'acquire' reputation - or if they had a code signing certificate - then that certificate could 'acquire' reputation (and any binary that was signed with the certificate would inherit it; which was a better option). 
In either case, if the developer went rogue or published a program that was malicious - it was straightforward to deal with that problem. SmartScreen could instantaneously revoke the reputation for the certificate or the binary. There is a meaningful cost (time, behavior) that the developer incurred in order to get reputation - and it is hard, expensive, and not scalable for bad actors to 'acquire' reputation - and if they did end up behaving badly after acquiring reputation (e.g. signing malware with code signing certs that have acquired reputation), that reputation would be lost very quickly - really hurting their ROI. So yes - there was some friction. In many / most cases, new executables and publishers 'acquired' reputation after a short period (typically a few days) and many advanced users understood why they would occasionally see the SmartScreen warning and would make the right action choice. But the benefits to the larger ecosystem were incredibly significant and impactful.
It remains difficult if not impossible for a brand new developer to coordinate a new launch or for an open source project to release unsigned binaries without triggering SmartScreen's rather opaque and user-hostile reputation block. At first glance, the dialog does not give the user any information that it is even possible to execute the program. Of course it stops malware. It brings the average Windows user to a dead stop!
Based on the number of regular people I help on a daily basis who download completely legitimate, "esoteric, non-very-commonly-downloaded software" I must say that I do not find your arguments very compelling. This tool could have easily remained in your browser where it belongs.