Guide to SmartScreen, the Windows system protection feature that uses cloud-based intelligence to block potentially harmful applications, files, and sites. Over the years, Microsoft engineers have evolved the security tools built into Windows. One of them, certainly one of the best known, is called SmartScreen and made its debut in Internet Explorer 7 in 2006.
Initially, it was an anti phishing tool whose primary objective was to prevent visits to fraudulent sites. However, the initial implementation was relatively immature: malicious URLs were automatically blocked only based on a blocklist hosted on Microsoft servers. Since then, the tool that is now called Microsoft Defender SmartScreen has grown a lot to offer integrated multi-level protection both at the web browser (Edge) and operating system level (Windows 10 and 11).
SmartScreen: The Main Features
As mentioned, the most recent generation SmartScreen integrates many features: Protection against malicious sites. SmartScreen checks the sites you visit against a dynamic list of phishing and malicious sites. Furthermore, unlike what happened in the past, SmartScreen analyzes the content of the web pages visited in search of suspicious behavior.
Try visiting the Microsoft Defender SmartScreen URL Reputation Demos page (search for it on Google and click on the first link returned): this is a test prepared by Microsoft that shows how SmartScreen reports appear when you visit a malicious website.
The message: Suspicious site. This might be different from the place you want when a fraudster sets up a domain name that mimics (except for a few characters) that of a famous bank or company. The phenomenon is also known as typosquatting.
When opening pages known to contain malicious or potentially malicious content, SmartScreen displays a page with a completely red background with the message ” This site has been reported as unsafe” .Protection against malicious applications.
SmartScreen no longer limits its scope to just websites (and therefore Edge usage). The protection feature also checks the files downloaded to the local system and whether they are present in the ever-changing lists stored in the Microsoft cloud. These lists collect reports from the entire audience of Windows users and are composed using behavioral analysis, artificial intelligence, and then feedback from Microsoft Defender.
When an application is unknown (Microsoft keeps hashes of files that are certainly malicious and unquestionably legitimate), for example, SmartScreen pops up the Windows Protected PC warning. In the case of unknown applications, the user can take responsibility for running the program by clicking on More information and then on Run anyway.
By clicking on the Windows 10 and Windows 11 search box and then typing App and browser control, you access the main window that allows you to control the functioning of SmartScreen. In Windows 10 and 11, you can click Reputation-based security settings to adjust SmartScreen’s behavior: as you can see, the grounds are divided into various areas.
Check Apps And Files
Check whether or not the applications come from remote systems. Items downloaded from the Internet contain a “label” called Mark-of-the-Web (MotW). The presence of the MotW causes the Microsoft Office suite, Office or Microsoft 365, to activate Protected View. By clicking the right mouse button on a file downloaded from the Internet and then choosing Properties at the bottom of the General tab, the message ” The file comes from another computer.
To help protect your computer, it may be blocked ” appears. However, it should be kept in mind that some files can pass the protection mechanism and not expose the MotW, even if they come from remote systems. This is the case, for example, of many files stored in 7Zip archives that do not use Mark-of-the-Web.
A researcher has discovered a vulnerability in SmartScreen that has to do with Mark-of-the-Web verification: double-clicking on a file downloaded from the Internet can cause arbitrary code execution with the Check app option and file activated. The security bug is quite dangerous because ransomware authors have already exploited it: it is good to keep your guard up and avoid double-clicking on files of uncertain origin.
SmartScreen For Microsoft Edge
As we noted earlier, SmartScreen helps protect your system from potentially harmful or certainly harmful web pages and downloads. The protection integrates tightly with the Edge browser.
The anti phishing protection we have already discussed notifies the user of web pages developed to steal login credentials and personal data. Windows 11 also added the Warn on password reuse and Warned on insecure password storage checkboxes.
If checked, they allow you to warn the user when he pastes the password where it shouldn’t and when he reuses the same password on multiple online services. At the moment, the implementation is quite essential because the verification refers only to the password used to protect the Windows account and does not work if Windows Hello is used as an authentication mechanism.
Potentially Unwanted App Blocker
This function allows you to block the download of potentially harmful files from the Edge browser and to avoid installing applications that host unwanted content (so-called PUPs, Potentially Unwanted Programs ).
SmartScreen For Microsoft Store Apps
Now that the Microsoft Store welcomes a wide range of applications, including Win32 programs, SmartScreen verifies the reputation and content of applications distributed through this tool. The edges of SmartScreen are blurred because much of its behavior goes hand in hand with Microsoft Defender, which continues to remain free on individual Windows installations.
In Windows 11, Microsoft introduced Smart App Control ( Smart App Control ), which only works on systems installed from scratch. This function checks the programs running on the PC and uses machine learning to unmask any applications that may exhibit suspicious behavior.
Our advice is to optimize Microsoft Defender in Windows 10 and 11 using a free program like DefenderUI: it is reasonable to opt for the Recommended profile to activate even those Defender protection features that are generally not enabled.
As explained in the Microsoft Defender Secret Settings article, choosing DefenderUI’s Recommended Profile prevents Office applications and Adobe Reader from creating child processes, prevents Office from creating executable code and other methods, execution of obfuscated scripts can be blocked, Win32 API calls from Office macros are blocked.
Loading of untrusted and unsigned processes executed from USB media, executables from Webmail email clients, protection is enabled advanced against ransomware and more. This advanced Microsoft Defender setting protects against attacks that steal users’ authentication credentials.
It is not only present in Microsoft Defender for Endpoint but also in the version of Defender present in all Windows 10 and 11 systems. Bearing in mind the possible contraindications (malfunctioning of some legacy programs or poorly developed applications…) from the ASR Rules tab of DefenderUI, you can also activate the option Block credential theft from the Windows LSASS subsystem.
Turn On The SmartScreen Event Log
In Windows 10 and 11, it is possible to activate the event log, which keeps track of all the times in which, on the system in use, SmartScreen has entered into execution and of the response that the user has possibly provided. The SmartScreen log is not active by default: to enable it, press Windows+X, choose Windows PowerShell (Admin) or Terminal (Admin), then paste the
following:wevtutil sl Microsoft-Windows-SmartScreen/Debug /e: true
By pressing Windows+R, type event.MSC, then clicking on Applications and services registers, Microsoft, Windows, SmartScreen, and Debug, you will find information on all SmartScreen activations. The advice is to click on the Details tab and then on XML to check carefully what happened on the system at the date and time indicated in the log.
Read Also: How To Install Chrome OS Flex On A PC