
How the SmartScreen Filter Works

Phishing and other malicious activities thrive on a lack of communication and limited sharing of information. To provide effective anti-phishing warnings and protection, the new SmartScreen filter in Internet Explorer 8 consolidates the latest industry information about the ever-growing number of fraudulent Web sites spawned every day into an online service that is updated several times an hour. SmartScreen feeds this information back to warn and help protect Internet Explorer 8 customers proactively.

SmartScreen is designed around the principle that an effective early-warning system must ensure that information is derived dynamically and updated frequently. This system combines client-side scanning for suspicious Web site characteristics with an opt-in Phishing Filter that uses three checks to help protect users from phishing:

  • Compares addresses of Web sites a user attempts to visit with a list of reported legitimate sites stored on the user's computer
  • Analyzes sites that users want to visit by checking those sites for characteristics common to phishing sites
  • Sends Web site addresses to a Microsoft online service for comparison to a frequently updated list of reported phishing sites

The service checks a requested URL against a list of known, trusted Web sites. If a Web site is a suspected phishing site, Internet Explorer 8 displays a yellow button labeled Suspicious Website in the address bar. The user can then click the button to view a more detailed warning.

If a Web site is a known phishing site, Internet Explorer 8 displays a warning with a red status bar. If the user chooses to ignore the warnings and continue to the Web site, the status bar remains red and prominently displays the Phishing Website message in the address bar.

Internet Explorer first checks a Web site against a legitimate list (also known as an allow list) of sites stored on your local computer. This legitimate list is generated by Microsoft based on Web sites that have been reported as legitimate. If the Web site is on the legitimate list, the Web site is considered safe, and no further checking is done. If the site is not on the legitimate list or if the site appears suspicious based on heuristics, Internet Explorer can use two techniques to determine whether a Web site might be a phishing Web site:

  • Local analysis: Internet Explorer examines the Web page for patterns and phrases that indicate it might be a malicious site. Local analysis provides some level of protection against new phishing sites that are not yet listed in the online list. Additionally, local analysis can help protect users who have disabled online lookup.
  • Online lookup: Internet Explorer sends the URL to Microsoft, where it is checked against a list of known phishing sites. This list is updated regularly.

When you use SmartScreen to check Web sites automatically or manually (by selecting SmartScreen Filter from the Tools menu and then clicking Check This Website), the address of the Web site you are visiting is sent to Microsoft (specifically, to https://urs.microsoft.com, using TCP port 443), together with some standard information from your computer such as IP address, browser type, and SmartScreen version number. To help protect your privacy, the information sent to Microsoft is encrypted using SSL and is limited to the domain and path of the Web site. Other information that might be associated with the address, such as search terms, data you enter in forms, or cookies, will not be sent.

Note: Looking up a Web site in the online Phishing Filter can require transferring 8 KB of data or more. Most of the 8 KB is required to set up the encrypted HTTPS connection. The Phishing Filter will send a request only once for each domain you visit within a specific period of time. However, a single Web page can have objects stored on multiple servers, resulting in multiple requests. Requests for different Web pages require separate HTTPS sessions.

For example, if you visit the Bing search Web site at http://www.bing.com and enter MySecret as the search term, instead of sending the full address http://www.bing.com/search?q=MySecret&FORM=QBLH, SmartScreen removes the search term and sends only http://www.bing.com/search. Address strings might unintentionally contain personal information, but this information is not used to identify you or contact you. If users are concerned that an address string might contain personal or confidential information, they should not report the site. For more information, read the Internet Explorer 8 privacy statement at http://www.microsoft.com/windows/internet-explorer/privacy.aspx.
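As an added illustration (not Microsoft's code and not the actual SmartScreen implementation), the following Python sketch models the three checks described above together with the address reduction from the Bing example: the local allow list is consulted first, then local heuristics, then an offline stand-in for the online lookup, which receives only the scheme, domain and path of the address. All lists, host names, page phrases and heuristic patterns are constructed for the example.

```python
"""Added example: a simplified model of the SmartScreen decision pipeline.

Not Microsoft's code. Every list and sample value here is constructed for
illustration; the real service is reached over HTTPS at urs.microsoft.com,
while this model stays entirely offline.
"""
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed "legitimate list" (allow list) kept on the local computer.
LOCAL_ALLOW_LIST = {"www.bing.com", "www.microsoft.com"}

# Constructed stand-in for the online list of reported phishing sites.
# Keyed by host name for brevity in this example (an assumption, not a
# statement about how the real list is organized).
ONLINE_PHISHING_LIST = {"login-verify.example.net"}

# Constructed heuristics: phrases common on phishing pages and host name
# shapes that warrant a closer look (raw IP address, credential-themed labels).
SUSPICIOUS_PAGE_PHRASES = [
    r"verify your account",
    r"confirm your password",
    r"account (?:has been )?suspended",
]
SUSPICIOUS_HOST_PATTERNS = [
    r"^\d{1,3}(?:\.\d{1,3}){3}$",                      # bare IPv4 address as host
    r"(?:^|[.-])(?:login|verify|secure|account)(?:[.-]|$)",  # credential-themed label
]


def reduce_url_for_lookup(url: str) -> str:
    """Keep only scheme, domain and path before any address leaves the machine.

    Query string (search terms, form data), fragment, embedded credentials and
    port are all dropped, mirroring the Bing example in the text.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""          # .hostname strips user:pass@, port, and lowercases
    return urlunsplit((parts.scheme, host, parts.path, "", ""))


def classify(url: str, page_text: str = "", online_lookup_enabled: bool = True) -> tuple:
    """Return (verdict, reason) following the order of checks in the text."""
    host = urlsplit(url).hostname or ""

    # 1. Local allow list: a listed site is considered safe, no further checking.
    if host in LOCAL_ALLOW_LIST:
        return ("safe", "local allow list")

    # 2. Local analysis: catches new sites not yet on the online list and still
    #    works when the user has disabled online lookup.
    suspicious = any(re.search(p, host) for p in SUSPICIOUS_HOST_PATTERNS) or any(
        re.search(p, page_text, re.IGNORECASE) for p in SUSPICIOUS_PAGE_PHRASES
    )

    # 3. Online lookup of the reduced address against the known-phishing list.
    if online_lookup_enabled:
        reduced = reduce_url_for_lookup(url)
        if (urlsplit(reduced).hostname or "") in ONLINE_PHISHING_LIST:
            return ("phishing", "online list (red warning)")

    if suspicious:
        return ("suspicious", "local heuristics (yellow warning)")
    return ("unknown", "no match")


if __name__ == "__main__":
    samples = [
        ("http://www.bing.com/search?q=MySecret&FORM=QBLH", ""),
        ("http://login-verify.example.net/update", ""),
        ("http://192.0.2.10/login", "Please verify your account now"),
        ("http://example.org/about", "Company history"),
    ]
    for sample_url, text in samples:
        print(reduce_url_for_lookup(sample_url), "->", classify(sample_url, text))
```

The reduction step is the part worth copying: anything resembling the query string is removed before the address is handed to any reputation service, so search terms and form data never leave the client even when a lookup is performed.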

Anonymous statistics about your usage will also be sent to Microsoft, such as the time and total number of Web sites browsed since an address was sent to Microsoft for analysis. This information, along with the information described earlier, will be used to analyze the performance and improve the quality of the SmartScreen service. Microsoft will not use the information it receives to personally identify you. Some URLs that are sent may be saved to be included in the legitimate list and then provided as client updates. When saving this information, additional information, including the SmartScreen and operating system version and your browser language, will be saved.

Although the online list of phishing sites is regularly updated, users might find a phishing site that is not yet on the list. Users can help Microsoft identify a potentially malicious site by reporting it. Within Internet Explorer 8, select SmartScreen Filter from the Tools menu and then click Report Unsafe Website. Users are then taken to a simple form they can submit to inform Microsoft of the site.
