Dear IT pros,
Today we look at the Windows Defender SmartScreen features, follow its activity in defending our systems from web-link and web-download attacks, and then address the problem of false-positive blocks by SmartScreen.
Windows Defender SmartScreen Features
SmartScreen has become part of the Windows 10 OS, where it is named Windows Defender SmartScreen. It protects not just the Edge and Internet Explorer browsers but also other applications, such as third-party browsers, email clients and apps, from malicious web links and malicious web downloads. Let us have a quick look at SmartScreen's functionality:
The tests used below contain no harmful files, only files that simulate malware, so they are harmless.
A test device configured with SmartScreen should prevent users from accessing phishing pages, malware pages, malvertising pages and pages that exploit browser vulnerabilities, and should block the download of malicious apps, potentially unwanted apps (PUA) and known malware files.
SmartScreen should also warn about unknown (unrecognized) apps and suspected phishing pages.
An example of a suspected phishing site flagged by SmartScreen:
Examples of downloads blocked by SmartScreen:
A website on the SmartScreen block list is blocked, as shown in the following example:
Malicious apps are blocked by Defender SmartScreen, as shown in this example:
To follow SmartScreen's activity on the device itself, enable its debug event log:
wevtutil sl Microsoft-Windows-SmartScreen/Debug /e:true
The events then appear in Event Viewer under:
Applications and Services Logs\Microsoft\Windows\SmartScreen\Debug
By default, the Windows Sense (Microsoft Defender for Endpoint) service and the telemetry service also collect these SmartScreen events and send them to the Microsoft Defender for Endpoint cloud service, where they can be queried with Advanced Hunting.
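The same steps, enabling the debug log and then pulling recent entries that mention a URL of interest, as an added PowerShell example (not code from the original post). It assumes an elevated session, the log name the post enables with wevtutil, and a placeholder URL pattern that you replace with your own; it relies only on the rendered event Message and makes no assumption about the field layout inside the event XML.

```powershell
# Added example, not from the original post.
# Assumptions: elevated PowerShell; log name as enabled by wevtutil above;
# $Match is a placeholder pattern to replace with the URL or file name you are tracing.
param(
    [string]$LogName = 'Microsoft-Windows-SmartScreen/Debug',
    [int]$Hours = 24,
    [string]$Match = 'demo.smartscreen.msft.net'
)

# Enable the debug channel if it is not already on. This is the same effect as
# "wevtutil sl <log> /e:true", done through the .NET EventLogConfiguration API.
$cfg = New-Object System.Diagnostics.Eventing.Reader.EventLogConfiguration $LogName
if (-not $cfg.IsEnabled) {
    $cfg.IsEnabled = $true
    $cfg.SaveChanges()
    Write-Host "Enabled $LogName"
}

# Debug/analytic channels can only be read oldest-first, so -Oldest is required.
# Get-WinEvent throws when the log is empty; treat that as "no events".
$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -LogName $LogName -Oldest -ErrorAction SilentlyContinue |
    Where-Object { $_.TimeCreated -ge $since }

# Keep only entries whose rendered message mentions the pattern.
$hits = $events | Where-Object { "$($_.Message)" -like "*$Match*" }

# Compact view: collapse whitespace and truncate long messages for the console.
$hits | Select-Object TimeCreated, Id, ProviderName,
    @{ n = 'Message'; e = {
        $m = "$($_.Message)" -replace '\s+', ' '
        if ($m.Length -gt 200) { $m.Substring(0, 200) + '...' } else { $m }
    } } |
    Format-Table -AutoSize

# Keep the full matches for the incident record.
$hits | Export-Csv -Path "$env:TEMP\smartscreen-debug-hits.csv" -NoTypeInformation
Write-Host ("{0} matching event(s) in the last {1} hour(s)" -f @($hits).Count, $Hours)
```

Run it once to enable the channel, reproduce the test download, then run it again with the URL or file name you expect to see; the CSV in %TEMP% is what you would attach to a ticket alongside the Advanced Hunting results below.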
Advanced Hunting query for files downloaded from the SmartScreen demo site, and its result:
DeviceFileEvents
| where Timestamp > ago(7d)
// files whose download origin was the SmartScreen demo site
| where FileOriginUrl contains "https://demo.smartscreen.msft.net"
| project Timestamp, DeviceName, InitiatingProcessAccountSid, FileName, FolderPath, FileOriginUrl, SHA1, FileOriginIP, FileSize, InitiatingProcessFileName
The result shows another download attack, with a file named "freevideo.exe"; it appears to be the sixth download of the same file on the device named fc-cl01:
Narrowing the search to the attack window, 2021-01-17 from 05:00 to 10:00, translates into Kusto query language as "Timestamp between (datetime(2021-01-17T05:00:00.01) .. datetime(2021-01-17T10:00:00.01))".
We then search the file events and device events for that period:
DeviceFileEvents
| where DeviceName contains "fc-cl01"
| where Timestamp between (datetime(2021-01-17T05:00:00.01) .. datetime(2021-01-17T10:00:00.01))
// exclude Edge's own files (cache, updates) so that only user downloads remain
| where FileName !contains "MicrosoftEdge"
The result shows another unwanted app, "PotentiallyUnwanted(2).exe", downloaded at 1/17/2021 9:47:30, possibly for the second time on the same device:
DeviceEvents
| where DeviceName contains "fc-cl01"
| where Timestamp between (datetime(2021-01-17T05:00:00.01) .. datetime(2021-01-17T06:00:00.01))
// executables and shortcut files only
| where FileName contains ".exe" or FileName contains ".lnk"
| where FileName !contains "MicrosoftEdge"
| project Timestamp, DeviceName, FileName, FolderPath, FileOriginUrl, AdditionalFields, InitiatingProcessCreationTime
The result shows that a download link named "com.amtso.mobiletestfilepua.apk.lnk" was presented and downloaded at 1/17/2021 5:34:09; it is probably unrelated to "PotentiallyUnwanted(2).exe", which was downloaded at the different time of 9:47:30:
Defender for Endpoint Advanced Hunting, working in tandem with the SmartScreen events, gives us a complete view of the web-link and web-download attack landscape.
Submit File for Whitelisting to Microsoft Security Intelligence
In rare cases you may see a false-positive block or warning from Defender SmartScreen when accessing an in-house web app at its proper URL, or when browsing to a useful public website at its legitimate URL, and you may decide those URLs need to be whitelisted.
Generally, the product's notification window contains a direct link for reporting the error to Microsoft security support. For Defender SmartScreen, the link in the notification is shown in the following screenshot:
If your site receives a false-positive block, or a false-positive "unknown website" warning, provide the requested information to the Defender SmartScreen support team; the following screenshot shows the content of the report:
To report a legitimate download that was blocked or warned about, you can manually submit the sample files on the WDSI (Windows Defender Security Intelligence) website, choosing to submit as an enterprise user or as a developer. (You can also submit files as a home user.)
Microsoft's goal is to minimize false warnings and blocks. In the rare case of a false warning, Microsoft offers a web-based feedback system so that users and website owners can report errors as quickly as possible. These reports are verified by the support team and mistakes are corrected. Enterprise Premier customers get the highest priority in response time.
Flash Player should be removed from the Sites after December 2020
Flash will be completely removed from all browsers by December 31, 2020, via Windows Update. Companies reliant on Flash for development and playback of content are encouraged to remove the dependency on Adobe Flash prior to December 2020.
We cannot overstate the importance of Windows Defender SmartScreen at the forefront of defending our systems from web-link and web-download attacks. We should periodically check whether any device in the corporate network is running apps or browsers without Windows Defender SmartScreen enabled. This can be done with a registry check on the devices, either through an Endpoint Configuration Manager configuration item baseline or through an Endpoint Manager Endpoint Analytics script.
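A discovery script for that registry check, as an added PowerShell example (not code from the original post). It reads the standard Windows shell SmartScreen policy and local-setting values and the Microsoft Edge SmartScreen policy value; which values count as compliant (policy-enforced Block or Warn, Edge policy set to 1) is this example's own baseline, so adjust it to yours. It returns "Compliant" or "NonCompliant: ..." as the string a Configuration Manager configuration item compares against, and uses exit code 1 for non-compliance so the same script works as an Endpoint Analytics detection script.

```powershell
# Added example, not from the original post.
# Assumptions: the registry paths below are the standard Windows and Edge policy keys;
# the set of values treated as compliant is this example's baseline, not a Microsoft rule.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value missing
}

function Test-SmartScreenCompliance {
    $findings = @()

    # 1. Windows shell / Explorer SmartScreen (apps and files).
    #    The policy key wins over the per-machine user-configurable key.
    $sysPolicy     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $policyEnabled = Get-RegValue $sysPolicy 'EnableSmartScreen'        # DWORD 1/0
    $policyLevel   = Get-RegValue $sysPolicy 'ShellSmartScreenLevel'    # 'Block' or 'Warn'
    $localSetting  = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer' 'SmartScreenEnabled'

    if ($policyEnabled -eq 1) {
        if ($policyLevel -notin @('Block', 'Warn')) {
            $findings += "Shell SmartScreen policy level is '$policyLevel' (expected Block or Warn)"
        }
    }
    elseif ($policyEnabled -eq 0) {
        $findings += 'Shell SmartScreen is disabled by policy'
    }
    elseif ($localSetting -notin @('Block', 'Warn', 'RequireAdmin', 'Prompt')) {
        # Not policy-managed: only the local setting applies, and it is Off or missing.
        # 'RequireAdmin'/'Prompt' are the older Windows 10 names for Block/Warn.
        $findings += "Shell SmartScreen is not policy-managed and the local setting is '$localSetting'"
    }

    # 2. Microsoft Edge (Chromium) SmartScreen policy.
    $edgeEnabled = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Edge' 'SmartScreenEnabled'   # DWORD 1
    if ($edgeEnabled -ne 1) {
        $findings += "Edge SmartScreenEnabled policy is '$edgeEnabled' (expected 1)"
    }

    return $findings
}

$result = @(Test-SmartScreenCompliance)
if ($result.Count -eq 0) {
    Write-Output 'Compliant'       # string a ConfigMgr CI rule can match on
    exit 0
}
else {
    Write-Output ('NonCompliant: ' + ($result -join '; '))
    exit 1                         # non-zero exit drives Endpoint Analytics remediation
}
```

For a Configuration Manager configuration item, set the compliance rule to "value returned equals Compliant"; for Endpoint Analytics, pair this detection script with a remediation script that writes the policy values your baseline requires. Note that this checks configuration only; it does not prove the SmartScreen service can reach Microsoft, so keep the event-log and Advanced Hunting checks described earlier as the runtime evidence.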
I hope the information is useful.
Until next time, then.
Disclaimer
The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.