Most Software Handling Files Overlooks SmartScreen in Windows

Innovation and Laboratory Area in ElevenPaths, 22 June 2020

SmartScreen is a component of Windows Defender aimed at protecting users against potentially harmful attacks, whether in the form of links or files. When a user is browsing the Internet, the SmartScreen filter analyses the sites visited and, if the user accesses a website considered suspicious, it displays a warning message so that the user can decide whether to continue or not. It also warns about downloaded files.

We have conducted a study on how SmartScreen works in this particular area and have tried to understand what triggers this protection component developed by Microsoft, in order to better understand its effectiveness.

How Does SmartScreen Know Which File to Analyse?

Alternate Data Streams (ADS) are a feature of the NT file system (NTFS) that allows metadata to be stored alongside a file, either as a stream written directly or as another file attached to it.

Today ADSs are also used by various products to tag files in the “:Zone.Identifier” stream, so that it is known when a file is external (i.e. not created on the computer itself) and therefore needs to be examined by SmartScreen. Microsoft began tagging all files downloaded through Internet Explorer (the browser at the time), and other browser developers did the same to take advantage of SmartScreen’s protection.

The value written to the stream, the ZoneId, can be whatever you wish. However, SmartScreen’s behaviour depends on the values listed in the table below:

Setting the value on any file is easy from the command line:

[Image: image-64.png]

Do Browsers Use This Feature to Tag Files?

We analysed the 10 most used desktop browsers. For each one we downloaded a file from a web page and checked whether the ZoneId was added to the downloaded file. In most cases it was.

[Image: image-52.png]

What about FTP, Code Versioning, Cloud Sync or File Transfer Clients?

We now examine other programs capable of downloading files. Most email clients, for example, do not add the ZoneId, so their attachments are not scanned by SmartScreen.

[Image: image-50.png]

However, many desktop instant messaging clients do.

[Image: image-51.png]

No FTP, code versioning, or cloud sync client adds the appropriate ZoneId, so files obtained by these means will not be analysed by SmartScreen.

[Images: image-53.png, image-54.png]

Cloud sync clients do not bother tagging files either.

[Image: image-55.png]

The same goes for the integrated file transfer mechanisms in Windows.

[Image: image-58.png]

WinZip and the native Windows decompressor, at least, do respect the tag when an archive is decompressed after download.

[Image: image-60.png]
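The following PowerShell script is an added example (not from the original post or from ElevenPaths) that puts the two preceding points into practice: it reads and writes the Zone.Identifier stream from the command line, and it audits a folder of files that arrived through one of the clients above (FTP, a version control checkout, a cloud sync folder) which never tags its downloads, so that an administrator can see what SmartScreen would skip and tag it. The folder, file names and extension list are assumptions chosen for illustration; ZoneId 3 is the Internet zone, the value browsers write.

```powershell
# Added example, not part of the original post. Folder and file names are
# constructed for illustration; only built-in FileSystem provider cmdlets are used.

function Get-ZoneId {
    # Returns the ZoneId stored in a file's Zone.Identifier stream,
    # or $null when the file carries no such stream.
    param([Parameter(Mandatory)][string]$Path)
    try {
        $lines = Get-Content -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction Stop
    } catch {
        return $null
    }
    foreach ($line in $lines) {
        if ($line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    }
    return $null
}

function Set-ZoneId {
    # Writes the same INI-style content a browser writes. ZoneId 3 is the
    # Internet zone; SmartScreen examines files tagged this way.
    param([Parameter(Mandatory)][string]$Path, [int]$ZoneId = 3)
    Set-Content -LiteralPath $Path -Stream 'Zone.Identifier' -Value "[ZoneTransfer]`r`nZoneId=$ZoneId"
}

function Get-UntaggedFiles {
    # Lists files under a folder that carry no ZoneId, e.g. an FTP download
    # directory, a repository checkout or a cloud sync folder. The extension
    # list is an assumption: types SmartScreen would otherwise inspect.
    param([Parameter(Mandatory)][string]$Folder,
          [string[]]$Extensions = @('.exe', '.msi', '.js', '.vbs', '.hta', '.ps1', '.bat', '.cmd', '.zip'))
    Get-ChildItem -LiteralPath $Folder -File -Recurse |
        Where-Object { $Extensions -contains $_.Extension.ToLowerInvariant() } |
        ForEach-Object {
            [pscustomobject]@{
                File   = $_.FullName
                ZoneId = Get-ZoneId -Path $_.FullName
            }
        } |
        Where-Object { $null -eq $_.ZoneId }
}

# --- Demonstration on a constructed scratch folder ---------------------------
$scratch  = Join-Path $env:TEMP 'zoneid-demo'
New-Item -ItemType Directory -Path $scratch -Force | Out-Null
$tagged   = Join-Path $scratch 'from-browser.exe'
$untagged = Join-Path $scratch 'from-ftp.exe'
Set-Content -LiteralPath $tagged   -Value 'placeholder content, not a real executable'
Set-Content -LiteralPath $untagged -Value 'placeholder content, not a real executable'

Set-ZoneId -Path $tagged             # reproduce what a browser download receives
Get-ZoneId -Path $tagged             # read the tag back
Get-ZoneId -Path $untagged           # this file has no stream at all

# The stream is also visible without PowerShell:  more < from-browser.exe:Zone.Identifier
Get-Item -LiteralPath $tagged -Stream * | Select-Object Stream, Length

# Audit: which files in the folder would SmartScreen not analyse?
Get-UntaggedFiles -Folder $scratch | Format-Table -AutoSize

# Compensating control: tag them so SmartScreen treats them as Internet content.
Get-UntaggedFiles -Folder $scratch | ForEach-Object { Set-ZoneId -Path $_.File }
Get-UntaggedFiles -Folder $scratch   # re-run the audit after tagging

# Unblock-File removes the stream again; the "Unblock" checkbox in the file's
# Properties dialog does the same, which is why users can switch the check off.
Unblock-File -LiteralPath $tagged
Get-ZoneId -Path $tagged
```

Get-Content with -Stream reports a non-terminating error for a file that has no Zone.Identifier stream, so the try/catch with -ErrorAction Stop is what turns "no stream" into $null rather than an error on the console. The audit can be run against any sync or download folder in place of the scratch directory.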

Potential Evasions

Having understood how and when a file is tagged, the research led us to consider which process is responsible for invoking SmartScreen and whether there are ways to bypass it. For the test, we mainly tagged files in interpreted languages that SmartScreen already identifies as malicious, to find out whether a file executed in a given way bypassed SmartScreen. We took a series of files in different interpreted languages and set the ZoneId, as described above.

[Image: image-65.png]

The result can be seen in the following table:

[Image: image-59.png]

Perhaps the most interesting point is the difference when launching them with the start command:

[Image: image-66.png]

SmartScreen intervenes when they are launched from PowerShell, but not when they are launched from CMD.

[Image: image-67.png]

Conclusions

The following table shows the percentage of programs that do NOT set the ZoneId on downloaded files so that SmartScreen can analyse them:

[Image: image-68.png]

In general, we can conclude that a potential attacker would have several ways to get a malicious file onto a computer with a greater chance of going undetected by SmartScreen, by relying on the user downloading executables through certain programs.

We believe that both developers and users need to be aware of how SmartScreen works, in order to take advantage of its detection capabilities and better protect the user.

The full report is available here:
