Help me understand Windows 10's "SmartScreen"...?

VirtualLarry

No Lifer
Aug 25, 2001
56,340
10,044
126
Windows 10, under Settings, Update and Security, Windows Security, click on "Windows Security", it opens up another window, then click on "App and Browser Settings".

There are three SmartScreen related settings:
"Check Apps and Files"
"SmartScreen for Microsoft Edge"
"SmartScreen for Store Apps"

All of them, by default, are set to "Warn".

Where does it get the information to inform if they are "clean" files and apps, though?

Does it get them from the "Security Intelligence Updates", delivered by MS Update?

I'm really tired of how SmartScreen pops up on certain (new-ish) files, and says "Unknown", and requires me to click "More" and "Run anyways" (at own risk).

Even after I manually update "Security Intelligence Update".

How does SmartScreen determine that an application is "clean" and OK to run on a PC?

I can scan it with Windows Defender, it comes up as "0 threats found", but SmartScreen refuses to just open it.

I'm trying to avoid getting nasties on my system, so I don't want to manually bypass SmartScreen, if I can help it.
 

JackMDS

Elite Member
Super Moderator
Oct 25, 1999
29,471
387
126
The first thing that needs to be understood is that with Windows 10 and almost all MS software, and whatever else one uses, the computer/OS/3rd-party apps connect hundreds of times in 24 hours to online sources. Many upgrades of any software these days are more about enriching the vendors' databases through these connections than about fixing, or providing real new features to, the software.

I have a few computers that are set to sense and record every network connection that interacts with non-local IPs, and I can see all of these attempts (I did it only for research purposes since it slows down the system).

Second thing: the way we work today, we get junk that is already old; it will usually be detected by firewall/antivirus/SmartScreen etc.

There is contemporary junk that one or all of our filters are already updated to detect and be aware of.

If totally new junk follows some previous routines it might provoke the defense system, but if it is totally new it might take hours or a few days until it gets into the junk database.

It is like walking in the center streets of New York*. One can be careful and reduce the chances of getting hit by moving objects (cars, bikes, cranes, debris falling from buildings, muggers, etc.). But no matter what one does, there is no zero chance that nothing would happen.

As for Smart Screen – https://www.howtogeek.com/123938/htg-explains-how-the-smartscreen-filter-works-in-windows-8/

“Quote from above”

“At the operating system level, Smart Screen functions by sending information about every application you download and run to Microsoft’s servers. If the application is something legitimate and fairly popular, like Google Chrome or Apple iTunes, Windows will allow it to run. If it’s something Microsoft knows is harmful, Windows will prevent it from running”

--------------------
*The Internet is the Center Street of the World.


:cool:
 

VirtualLarry

> Second thing: the way we work today, we get junk that is already old; it will usually be detected by firewall/antivirus/SmartScreen etc.
>
> There is contemporary junk that one or all of our filters are already updated to detect and be aware of.
>
> If totally new junk follows some previous routines it might provoke the defense system, but if it is totally new it might take hours or a few days until it gets into the junk database.

That's what I don't get. How many days do I have to wait for this new mining app that was released a few days ago to get into the SmartScreen database? Older versions of the mining program, when they were released, were recognized right away. It seems like it's some setting with my client machines. I've had this problem with Windows 7's SmartScreen feature as well, as some of my existing utilities weren't recognized either. Like there's something blocking SmartScreen updates. I do have Shutup10 installed, but I left SmartScreen itself enabled. And I left Windows Update enabled as well. So there shouldn't, to my knowledge, be anything blocking it.
 

VirtualLarry

From that link, Jack:

> My program was probably not flagged as malicious, but rather it doesn’t have what Microsoft calls an “application reputation.” SmartScreen looks at the history and number of downloads of executable files. A very unusual download is assumed to be riskier than a frequently downloaded file. When a file has been downloaded enough times, it will be added to SmartScreen as a safe download.

So I guess I just wait for the download to show up as "Safe" when I try to run it?
 

VirtualLarry

Ok, so it appears that the .exe in question, is NOT signed. This burns my britches to no end, because it's trivially-easy for someone to MITM a download link, and inject a trojan into an .EXE file IN REAL-TIME. Code signatures should be one of your first lines of defense.

Or, alternatively, the .exe in question was/is Code-signed, but I've already been MITM'ed, and my downloads are already trojaned, thus triggering SmartScreen. This is also a definite possibility.
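
An added example, not part of the posts in this thread: a PowerShell function that reports a downloaded file's Authenticode status, its Mark of the Web zone and its SHA-256, which are the local checks behind the "unsigned or tampered in transit" question raised above. The function name, the expected-hash parameter and the sample file name are illustrative assumptions.

```powershell
# Added example: inspect a downloaded executable before deciding to run it.
# Test-DownloadedExe and its parameters are hypothetical names, not a built-in cmdlet.
function Test-DownloadedExe {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # SHA-256 published by the vendor (ideally on an HTTPS page), if one exists
        [string] $ExpectedSha256
    )

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop

    # 1. Authenticode signature. Status is e.g. Valid, NotSigned or HashMismatch;
    #    HashMismatch means the file changed after it was signed.
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName

    # 2. Mark of the Web: the Zone.Identifier alternate data stream (NTFS only).
    #    ZoneId=3 means the file was saved from the Internet zone.
    $zone = $null
    $motw = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
    foreach ($line in $motw) {
        if ($line -match '^ZoneId=(\d+)') { $zone = [int]$Matches[1] }
    }

    # 3. File hash, for comparison with the vendor's published value.
    $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
    $hashOk = $null                      # $null = nothing to compare against
    if ($ExpectedSha256) {
        $hashOk = ($hash -eq $ExpectedSha256.Trim())   # -eq ignores case for strings
    }

    [pscustomobject]@{
        File            = $file.Name
        SignatureStatus = $sig.Status
        Signer          = $sig.SignerCertificate.Subject   # empty when unsigned
        StatusMessage   = $sig.StatusMessage
        MotwZoneId      = $zone
        Sha256          = $hash
        HashMatches     = $hashOk
    }
}

# Usage (constructed file name):
# Test-DownloadedExe -Path "$env:USERPROFILE\Downloads\example-setup.exe" | Format-List
```

A `NotSigned` result only says there is no publisher signature to check; it does not by itself show that the file was modified, which is why the hash comparison is reported separately.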
 

StokesMSFT

Member
Aug 4, 2012
27
0
76
illuminati.services
Code signing is part of it yeah, but it also has a reputation service that examines the exe and tries to protect the user from themselves.

This gets really fun when you are trying to download, say, a cryptominer for actual intended use, as the exe's are used for hacking/mining all the time.

I think also, that the Windows Defender Chrome extension helps with this screening of downloads, but could be wrong.
 

VirtualLarry

> This gets really fun when you are trying to download, say, a cryptominer for actual intended use, as the exe's are used for hacking/mining all the time.

That's what I was doing. I was more interested in whether the file was actually trojaned, you know, with some sort of RAT code, rather than just being a mining program (which do have some legitimate uses, though for most "normies", they might consider them malware, as they would never think to install one themselves).