SmartScreen is a component of Windows Defender aimed at protecting users against potentially harmful content, whether in the form of links or files. When a user browses the Internet, the SmartScreen filter analyses the sites visited and, if the user accesses a website considered suspicious, it displays a warning so that the user can decide whether or not to continue. It also warns about downloaded files.
We have studied how SmartScreen works in this area in particular, and have tried to understand what triggers this Microsoft protection component, in order to better assess its effectiveness.

How Does SmartScreen Know Which File to Analyse?
Alternate Data Streams (ADS) are a feature of the NT file system (NTFS) that allows additional data, such as metadata, to be stored in a file as named streams separate from the file's main data stream.
Currently ADSs are also used by various products to tag files through the “:Zone.Identifier” stream, so that it is known when a file is external (i.e. not created on the local computer) and therefore needs to be examined by SmartScreen. Microsoft began tagging all files downloaded through Internet Explorer (at the time), and other browser developers followed suit to take advantage of SmartScreen’s protection.
The value written to the stream, i.e. the ZoneId, can be any value you wish. However, SmartScreen’s behaviour is based on the values shown in the table below:

Activating the value in any file is easy by command line:
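As an added example (not code from the original article), the following PowerShell reads the Zone.Identifier stream of a file to report which zone it carries, audits a folder for untagged files, and lets an administrator write the mark onto a file obtained through a client that does not tag downloads. The zone names assume the standard Internet Explorer security zone numbering (3 = Internet is the value that makes SmartScreen inspect a file); the folder path and URLs in the usage lines are placeholders.

```powershell
# Added example, not from the original article. Requires an NTFS volume;
# works in Windows PowerShell 5.1 and PowerShell 7 (Get-Content/Set-Content -Stream).
# Assumption: standard Internet Explorer security zone numbering.
$ZoneNames = @{ 0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites';
                3 = 'Internet';      4 = 'Restricted sites' }

function Get-ZoneId {
    param([Parameter(Mandatory)][string]$Path)
    # -Stream reads the named alternate data stream; if it is absent the
    # cmdlet errors, which we silence and report as "no mark".
    $ads = Get-Content -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    if (-not $ads) { return $null }
    foreach ($line in $ads) {
        if ($line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    }
    return $null   # stream exists but carries no ZoneId line
}

function Set-ZoneId {
    param([Parameter(Mandatory)][string]$Path, [int]$ZoneId = 3,
          [string]$ReferrerUrl, [string]$HostUrl)
    # Same INI-style layout browsers write; ReferrerUrl/HostUrl are optional.
    $lines = @('[ZoneTransfer]', "ZoneId=$ZoneId")
    if ($ReferrerUrl) { $lines += "ReferrerUrl=$ReferrerUrl" }
    if ($HostUrl)     { $lines += "HostUrl=$HostUrl" }
    Set-Content -LiteralPath $Path -Stream 'Zone.Identifier' -Value $lines
}

function Test-DownloadFolder {
    # Lists every file in a folder with its zone, flagging files SmartScreen
    # will never look at because no client tagged them.
    param([string]$Folder = "$env:USERPROFILE\Downloads")
    Get-ChildItem -LiteralPath $Folder -File | ForEach-Object {
        $id = Get-ZoneId -Path $_.FullName
        if ($null -eq $id)            { $zone = 'untagged (SmartScreen will not check)' }
        elseif ($ZoneNames.ContainsKey($id)) { $zone = $ZoneNames[$id] }
        else                          { $zone = "unknown zone $id" }
        [pscustomobject]@{ File = $_.Name; ZoneId = $id; Zone = $zone }
    }
}

# Usage (placeholder paths/URLs): audit the Downloads folder, then mark a file
# that arrived via an FTP or sync client as Internet-sourced so SmartScreen checks it.
Test-DownloadFolder | Format-Table -AutoSize
# Set-ZoneId -Path 'C:\Users\me\Downloads\tool.exe' -ZoneId 3 -HostUrl 'https://example.invalid/tool.exe'
```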

Do Browsers Use This Feature to Tag Files?
We analysed the 10 most used desktop browsers. For each one, we downloaded a file from a web page and checked whether the ZoneId was added to the downloaded file. In most cases it is.

What about FTP, Code Versioning, Cloud Sync or File Transfer Clients?
We now examine other programs capable of downloading files. For example, most email clients do not add the ZoneId, so their downloads are not scanned by SmartScreen.

However, many desktop instant messaging clients do.

No FTP, code versioning, or cloud sync client adds the appropriate ZoneId, so files obtained by these means will not be analysed by SmartScreen.
Nor do cloud sync clients worry about tagging files.

The same goes for the integrated file transfer mechanisms in Windows.

At least WinZip and the native Windows decompressor do respect this mark, propagating it to the extracted files if the archive is decompressed after the download.

Potential Evasions
After understanding how and when the file is tagged, the research led us to consider which process is responsible for running SmartScreen and whether there are ways to bypass that process. To conduct the test, we tagged files that were already known to SmartScreen as malicious, most of them written in interpreted languages, to find out whether a file run in this way bypassed SmartScreen. We took a series of files in different interpreted languages and set the ZoneId mark, as described above.

The result can be seen in the following table:

Perhaps the most interesting point is the difference when launching them using the start command:

SmartScreen intervenes when they are launched from PowerShell, but not when they are launched from CMD.

Conclusions
In the following table, we can observe the percentage of programs that do NOT set the ZoneId on downloaded files, so that the files are never analysed by SmartScreen:

In general, we can conclude that a potential attacker has several ways to get a malicious file onto a computer with a greater chance of it not being caught by SmartScreen: by relying on the user to download executables through certain programs that do not tag the file.
We believe that both developers and users need to be aware of how SmartScreen works in order to take advantage of its detection capabilities and better protect the user.
The full report is available here: