Microsoft implemented content-agnostic malware protection (CAMP) for Windows 8.1 as part of its SmartScreen Application Reputation (App Rep) technology to thwart socially engineered malware (SEM) in Internet Explorer. How does the technology work, and how effective is it?
Ask the Expert!
Michael Cobb is ready to answer your application security questions. Submit them now via email!
Microsoft first introduced SmartScreen technology in IE8 as an extension of IE7's phishing filter. Its SmartScreen servers block access to any requested URL recognized as being malicious. To provide the same protection throughout the entire operating system, Microsoft integrated the technology into Windows 8 as Windows SmartScreen. The first time any downloaded executable is run, SmartScreen sends its name and a hash of its contents to be checked against a database of known malicious code. Windows will then display a warning if the file is deemed malicious; otherwise, it is allowed to run normally.
Tests have shown that SmartScreen is very effective at thwarting social engineering attacks that try to deceive users into downloading and installing socially engineered malware. Because blacklist detection systems are constantly playing catch-up with the dynamic characteristics of today's malware, Microsoft added content-agnostic malware protection (CAMP) technology, a reputation-based method of detecting potentially malicious code, to SmartScreen.
It's a fact of life that newly released malware has a window of opportunity to infect machines before antimalware software is updated and knows how to detect it. CAMP technology was designed to help protect users during this vulnerable period. It also helps reduce the number of unnecessary warnings involving files that already have an established positive reputation, a great improvement on previous annoying and ineffective dialog boxes (anyone remember Vista?).
Starting with Windows 8.1, SmartScreen App Rep incorporates CAMP technology and blocks attempts to download any application that is not explicitly trusted, regardless of whether it is malicious in nature. Because it now protects not just IE but the operating system as a whole, SmartScreen can perform an application reputation check the first time users launch an application downloaded from the Internet, regardless of the browser used -- currently neither Firefox nor Safari use CAMP technology. SmartScreen uses a marker that is placed on files at download time to trigger a reputation check. All major Web browsers, along with many mail clients and IM services, already add this marker, known as the "mark of the Web," to downloaded files.
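The "mark of the Web" mentioned above is stored on NTFS as an alternate data stream named `Zone.Identifier`, containing a small INI-style `[ZoneTransfer]` section whose `ZoneId` records the URL security zone the file came from (3 = Internet, 4 = Restricted Sites); newer browsers also record `ReferrerUrl` and `HostUrl`. The script below is an added example, not code from the article or from Microsoft: it parses that stream, reads it from a file when run on Windows, and audits a folder so an administrator can confirm which downloads still carry the marker that triggers a SmartScreen check. The sample stream content is constructed, the `example.invalid` URLs are placeholders, and treating zones 3 and 4 as "needs a reputation check" is this example's own assumption about how the marker is interpreted.

```python
import os
from typing import Optional

# URL security zone ids as written into the Zone.Identifier stream.
ZONE_NAMES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}

# Constructed sample of what a browser writes into file.exe:Zone.Identifier
# after a download (ReferrerUrl/HostUrl are optional and browser-dependent).
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/downloads/\r\n"
    "HostUrl=https://cdn.example.invalid/setup.exe\r\n"
)


def parse_zone_identifier(text: str) -> dict:
    """Parse the [ZoneTransfer] section of a Zone.Identifier stream.

    Returns a dict with an integer ZoneId plus any other key=value fields,
    or {} when the stream is missing the section or has no usable ZoneId.
    """
    fields = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            # Only the ZoneTransfer section is meaningful; ignore anything else.
            in_section = line[1:-1].strip().lower() == "zonetransfer"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    zone = fields.get("ZoneId", "")
    if not zone.isdigit():
        return {}
    fields["ZoneId"] = int(zone)
    return fields


def requires_reputation_check(fields: dict) -> bool:
    """Assumption for this example: files marked Internet (3) or Restricted
    Sites (4) are the ones that trigger an App Rep lookup on first run."""
    return fields.get("ZoneId") in (3, 4)


def read_mark_of_the_web(path: str) -> Optional[dict]:
    """Read and parse <path>:Zone.Identifier on an NTFS volume.

    Returns None when the file has no mark, the volume is not NTFS, or the
    platform does not expose alternate data streams (e.g. Linux).
    """
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as stream:
            return parse_zone_identifier(stream.read())
    except OSError:
        return None


def audit_directory(folder: str) -> list:
    """Return (path, zone name or 'no mark') for every regular file in folder,
    so unmarked executables copied in from USB or a share stand out."""
    results = []
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if not os.path.isfile(path):
            continue
        mark = read_mark_of_the_web(path)
        if not mark:
            results.append((path, "no mark"))
        else:
            results.append((path, ZONE_NAMES.get(mark["ZoneId"], f"zone {mark['ZoneId']}")))
    return results


if __name__ == "__main__":
    parsed = parse_zone_identifier(SAMPLE_STREAM)
    print("sample stream:", parsed, "-> check needed:", requires_reputation_check(parsed))
    for path, zone in audit_directory(os.path.expanduser("~")):
        print(f"{zone:16} {path}")
```

On Windows the same stream can be inspected from PowerShell with `Get-Content -Path .\setup.exe -Stream Zone.Identifier` and removed with `Unblock-File`; the audit function above simply reports "no mark" for such files, which is exactly the population that App Rep will not check on first launch.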
The downside of CAMP technology is the potential for false positives. An unsigned application that has just been posted on a new website will score badly until it has been downloaded many times. For this reason, enterprises hosting custom applications on a Web portal should digitally sign them to ensure employees can download them without warnings. As extended validation code-signing certificates require more rigorous vetting and authentication, applications signed using an EV certificate can immediately establish a good reputation with SmartScreen services even if no prior reputation exists for that file or publisher. Additionally, enterprises and employees concerned about privacy should be aware that App Rep sends Microsoft the file name of every application that is downloaded along with the IP address that downloaded it. This information could potentially be used to identify which computer and user downloaded the application.
Although there has been limited testing of App Rep in Windows 8.1, the technology has an impressive track record in the Web browser environment. Microsoft's data shows that when an application reputation warning is shown, the risk of getting infected by socially engineered malware in the application is between 25% and 70%. In 2011, Google added CAMP to its Chrome browser and has seen similar improvements in socially engineered malware protection.
However, enterprises should note that even with the protection provided by App Rep, layered enterprise security is still vital to provide protection against other attack vectors. Many exploits today use execution methods that are out of scope for App Rep -- for example, any application that is copied from a USB or network drive. Implementing sandboxing and behavior detection technologies is critical to prevent system compromise if malware enters the network via other routes.
This was first published in February 2014