Windows Defender SmartScreen - File and Flash Player Blockage Problem
Published Jan 16 2021 02:09 AM 7,193 Views
Microsoft


 

Dear IT pros, 

Today we discuss the Windows Defender SmartScreen features and follow its activities in defending our systems from web-link and web-download attacks. We then address the problem of false-positive blocks by SmartScreen.

 

Windows Defender SmartScreen Features 

SmartScreen has become part of the Windows 10 OS, where it is named Windows Defender SmartScreen. It protects not just the Edge and Internet Explorer browsers but also other applications, such as third-party browsers, email clients and apps, from malicious web-link attacks and malicious web-download threats. Let us have a quick look at the SmartScreen functionalities: 

  • Anti-phishing and anti-malware support. Microsoft Defender SmartScreen helps to protect users from sites that are reported to host phishing attacks or attempt to distribute malicious software.  
  • Prevent drive-by attacks. Drive-by attacks are web-based attacks that tend to start on a trusted site, targeting security vulnerabilities in commonly used software. Because drive-by attacks can happen even if the user does not click or download anything on the page, the danger often goes unnoticed.  
  • Reputation-based URL and app protection. Microsoft Defender SmartScreen evaluates a website's URLs to determine if they're known to distribute or host unsafe content. It also provides reputation checks for apps, checking downloaded programs and the digital signature used to sign a file. If a URL, a file, an app, or a certificate has an established reputation, users won't see any warnings. If, however, there's no reputation, the item is marked as a higher risk and presents a warning to the user. 
  • Improved heuristics and diagnostic data. Microsoft Defender SmartScreen is constantly learning and endeavoring to stay up to date, so it can help to protect you against potentially malicious sites and files. 
  • Blocking URLs associated with potentially unwanted applications (PUA): software that can cause your machine to run slowly, display unexpected ads, or at worst, install other software.
  • Configure SmartScreen by GPO. You could enable SmartScreen for all devices by group policy. There are separate policies for Internet Explorer, Edge and Windows Explorer (apps and files).
  • Configure SmartScreen by the Windows Security app. You could enable SmartScreen to act on files, apps and the Edge browser of a device through the Windows Security Center, as shown here: 

ss1.jpg

The test pages used here (the SmartScreen demo site, https://demo.smartscreen.msft.net) do not contain any harmful file, only virus simulation files, and are harmless.

Your testing device configured with SmartScreen should be able to prevent users from accessing phishing web pages, malware web pages, adware web pages and browser-exploit web pages, and to block the download of malicious apps, potentially unwanted apps (PUA) and known malware files.

ss4.jpg

SmartScreen should also be able to warn about unknown apps and suspicious phishing web pages.

An example of a suspicious phishing site flagged with a SmartScreen warning:

ss6.jpg

Examples of downloads blocked by SmartScreen:

ss5.jpg


Websites on the security blacklist are blocked by SmartScreen, as shown in the following example:

TanTran_0-1610791137995.png

 

Malicious apps will be blocked by Defender SmartScreen as shown in this example: 

TanTran_0-1610792348644.png

 

  • To record SmartScreen actions in the Windows Event Log, enable the SmartScreen debug channel by running the following command in an elevated prompt:

    wevtutil sl Microsoft-Windows-SmartScreen/Debug /e:true

TanTran_0-1610870916502.png

The following events then appear in Event Viewer under:

Windows Logs\Applications and Services Logs\Microsoft\Windows\SmartScreen\Debug

TanTran_1-1610870916551.png

Also, by default, the Windows Sense (Defender for Endpoint) and telemetry services collect the SmartScreen events and forward them to the Microsoft Defender for Endpoint cloud service.
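As an added example (not part of the original post), the following PowerShell wraps the step above: it checks whether the SmartScreen debug channel is enabled, enables it with the same wevtutil command if not, and then reads the recent events back as objects so they can be summarized before the hunt moves to Defender for Endpoint. It assumes an elevated session; the log name is the one given on the page, and the 24-hour lookback is an arbitrary default.

```powershell
# Added example, not from the original post: enable the SmartScreen debug
# channel if needed, then collect recent events from it as objects.
# Assumptions: elevated PowerShell session; log name as used on the page.

$LogName = 'Microsoft-Windows-SmartScreen/Debug'

function Enable-SmartScreenDebugLog {
    param([string]$Name = $LogName)
    $log = Get-WinEvent -ListLog $Name -ErrorAction Stop
    if (-not $log.IsEnabled) {
        # Same command as in the post; debug/analytic channels are switched
        # on with wevtutil rather than the classic event log cmdlets.
        & wevtutil.exe sl $Name /e:true
        Write-Host "Enabled $Name"
    } else {
        Write-Host "$Name is already enabled"
    }
}

function Get-SmartScreenDebugEvents {
    param(
        [string]$Name = $LogName,
        [int]$Hours = 24          # assumed lookback window
    )
    $since = (Get-Date).AddHours(-$Hours)
    # -Oldest is required by Get-WinEvent when reading debug/analytic channels.
    Get-WinEvent -LogName $Name -Oldest -ErrorAction SilentlyContinue |
        Where-Object { $_.TimeCreated -ge $since } |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

Enable-SmartScreenDebugLog
$events = Get-SmartScreenDebugEvents -Hours 24

# Count per event ID: shows which SmartScreen checks fired most often.
$events | Group-Object Id | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize

# Full event list, oldest first, for triage.
$events | Format-Table -AutoSize -Wrap
```

Run it once on a test device after visiting the demo pages; the per-ID summary is a quick way to confirm the channel is actually recording before relying on Advanced Hunting for the cloud-side view.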

  • Use Defender Advanced Hunting to search. The SmartScreen event is an informational event, so we can go hunting for the related details: the names of devices infected by the malware file, the original web address that propagated the file, the file size, the file hash, and so on.

Result of the malicious-file query:

ss7.jpg

  • From the result we get the source of the malicious distribution; in our test case it is https://demo.smartscreen.msft.net. The result also gives the external IP address of the involved site, "23.99.0.12", as shown here:

TanTran_1-1611009046110.png

 

  • We need to search for all file-download attacks originating from this website:

DeviceFileEvents
| where Timestamp > ago(7d)
| where FileOriginUrl contains "https://demo.smartscreen.msft.net"
| project Timestamp, DeviceName, InitiatingProcessAccountSid, FileName, FolderPath, FileOriginUrl, SHA1, FileOriginIP, FileSize, InitiatingProcessFileName

The query result shows another download attack with a file named "freevideo.exe"; it appears to be the sixth download of the same file on the device named fc-cl01:

TanTran_1-1610994978955.png

 

  • Now we need to find any suspicious events detected on the fc-cl01 device during the attack period on 1/17/2021, around 5:33 AM. We assume an attack duration of about 5 hours and set the search window accordingly.

Translated to Kusto Query Language, that window is "Timestamp between (datetime(2021-01-17T05:00:00.01) .. datetime(2021-01-17T10:00:00.01))".

We search the file events and device events during the attack period:

DeviceFileEvents
| where DeviceName contains "fc-cl01"
| where Timestamp between (datetime(2021-01-17T05:00:00.01) .. datetime(2021-01-17T10:00:00.01))
| where FileName !contains "MicrosoftEdge"

The query result shows that another unauthorized app named "PotentiallyUnwanted(2).exe" was downloaded at 1/17/2021 9:47:30, possibly for the second time on the same device:

TanTran_2-1610994978979.png

  • We want more information about the device events related to the downloaded shortcut (.lnk) and executable (.exe) files. We would search:

DeviceEvents
| where DeviceName contains "fc-cl01"
| where Timestamp between (datetime(2021-01-17T05:00:00.01) .. datetime(2021-01-17T06:00:00.01))
| where FileName contains ".exe" or FileName contains ".lnk"
| where FileName !contains "MicrosoftEdge"
| project Timestamp, DeviceName, FileName, FolderPath, FileOriginUrl, AdditionalFields, InitiatingProcessCreationTime

The query result shows that the download link named "com.amtso.mobiletestfilepua.apk.lnk" was advertised and downloaded at 1/17/2021 5:34:09; it may not be related to "PotentiallyUnwanted(2).exe", which was downloaded at a different time, 9:47:30:

TanTran_3-1610994978984.png

We get a complete view of the web-link and web-download attack landscape thanks to Defender for Endpoint Advanced Hunting, which works in tandem with the SmartScreen events.
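The hunt above is done as a series of manual pivots in the portal: files by origin site, then the events on one device inside a time window. As an added example (not part of the original post), the PowerShell below turns those two pivots into parameterized KQL queries run through the Defender for Endpoint "run advanced query" API, so the same investigation can be repeated for any origin host or device. It assumes `$Token` holds a bearer token for an Azure AD app registration granted the AdvancedQuery.Read.All permission (obtained elsewhere, here read from an environment variable); the default host, device name and time window are the ones used in the post. The first query generalizes the page's FileOriginUrl filter by summarizing per device and file, and the second unions DeviceFileEvents and DeviceEvents, which the post queries separately.

```powershell
# Added example, not from the original post: the hunting pivots above as two
# parameterised KQL queries run via the Defender for Endpoint API.
# Assumptions: $Token is a bearer token with AdvancedQuery.Read.All (obtained
# elsewhere); defaults for host, device and window come from the post.

$Token = $env:MDE_TOKEN   # assumption: token supplied through an environment variable

function Invoke-AdvancedHuntingQuery {
    param(
        [Parameter(Mandatory)][string]$Token,
        [Parameter(Mandatory)][string]$Query
    )
    $uri  = 'https://api.securitycenter.microsoft.com/api/advancedqueries/run'
    $body = @{ Query = $Query } | ConvertTo-Json
    $resp = Invoke-RestMethod -Method Post -Uri $uri -Body $body `
        -ContentType 'application/json' `
        -Headers @{ Authorization = "Bearer $Token" }
    return $resp.Results   # rows; property names follow the query's columns
}

function New-DownloadsByOriginQuery {
    # Every file whose origin URL is on the given host, counted per device and
    # file name, with first/last seen, hashes and origin IPs collected.
    param([string]$OriginHost = 'demo.smartscreen.msft.net', [int]$Days = 7)
    @'
DeviceFileEvents
| where Timestamp > ago({0}d)
| where FileOriginUrl has "{1}"
| summarize Downloads = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            Hashes = make_set(SHA1), Folders = make_set(FolderPath), OriginIPs = make_set(FileOriginIP)
    by DeviceName, FileName, FileOriginUrl
| order by Downloads desc
'@ -f $Days, $OriginHost
}

function New-DeviceWindowQuery {
    # File and device events on one device inside the attack window, across both
    # tables the post searches separately; Edge's own files excluded as in the post.
    param(
        [string]$DeviceName = 'fc-cl01',
        [datetime]$Start = '2021-01-17T05:00:00',
        [datetime]$End   = '2021-01-17T10:00:00'
    )
    @'
union withsource=SourceTable DeviceFileEvents, DeviceEvents
| where DeviceName =~ "{0}"
| where Timestamp between (datetime({1}) .. datetime({2}))
| where FileName endswith ".exe" or FileName endswith ".lnk"
| where FileName !contains "MicrosoftEdge"
| project Timestamp, SourceTable, ActionType, FileName, FolderPath, FileOriginUrl, SHA1, InitiatingProcessFileName
| order by Timestamp asc
'@ -f $DeviceName, $Start.ToString('o'), $End.ToString('o')
}

# Step 1: which devices pulled which files from the origin site, and how often.
$byOrigin = Invoke-AdvancedHuntingQuery -Token $Token -Query (New-DownloadsByOriginQuery)
$byOrigin | Format-Table DeviceName, FileName, Downloads, FirstSeen, LastSeen -AutoSize

# Step 2: timeline of the most affected device during the assumed attack window.
$top = $byOrigin | Select-Object -First 1
if ($top) {
    $timeline = Invoke-AdvancedHuntingQuery -Token $Token `
        -Query (New-DeviceWindowQuery -DeviceName $top.DeviceName)
    $timeline | Format-Table Timestamp, SourceTable, ActionType, FileName, FileOriginUrl -AutoSize
}
```

The `Downloads` count in the first result answers directly the "downloaded for the sixth time" observation the post reads off the raw rows, and the `SourceTable` column in the second result keeps track of whether a row came from the file table or the device-event table once they are unioned.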

 

Submit File for Whitelisting to Microsoft Security Intelligence 

In rare cases you may experience a false-positive block or warning by Defender SmartScreen when accessing in-house web apps through their proper URL, or when browsing to a useful public website with a legitimate URL, and you may think those URLs need to be whitelisted. 

Generally, there should be a direct link in the product's notification window for reporting errors to Microsoft security support. In the case of Defender SmartScreen, the link in the notification is shown in the following screenshot: 

TanTran_2-1610791270287.png

 

If your site gets a false-positive block, or a false-positive warning as an unknown website, you should provide the information to the Defender SmartScreen support team. The following screenshot shows the report's content:

TanTran_3-1610791334918.png  

To report a legitimate download that has been blocked or warned about, you can manually submit the sample files through the WDSI (Windows Defender Security Intelligence) website, choosing to submit as an enterprise user or as a developer. (You can also submit a file as a home user.) 

TanTran_4-1610791395160.png 

TanTran_5-1610791458548.png

 

  • To upload a sample file larger than 500 MB, you could compress it into a Zip or RAR archive. 
  • You could report a bad file to be included in the blacklist to prevent access, or report a legitimate file for whitelist access. 

TanTran_6-1610791505824.png

 

 

  • You can submit a request for almost any Microsoft software or service from the form's drop-down list: 

 

TanTran_7-1610791547915.png

TanTran_8-1610791602278.png

TanTran_9-1610791639136.png

 

Microsoft's goal is to minimize false warnings and blocks. In the rare case of a false warning, Microsoft offers a web-based feedback system to help users and website owners report any errors as quickly as possible. These reports are verified by the support team and mistakes are corrected. Enterprise Premier customers get the highest priority in response time. 

 

Flash Player should be removed from sites after December 2020 

  • Flash will be disabled in Microsoft Edge classic (Edge Legacy) and Internet Explorer 11 by December 2020.  
  • Group policies are available for enterprise admins and IT pros to change the Flash behavior: 

TanTran_0-1610848296923.png

 

Flash will be completely removed from all browsers by December 31, 2020, via Windows Update. Companies reliant on Flash for development and playback of content are encouraged to remove the dependency on Adobe Flash prior to December 2020. 

We cannot overstate the importance of Windows Defender SmartScreen as the front line of defense for our systems against web-link and download attacks. We should periodically check whether any device in our corporate network is running apps and browsers without Windows Defender SmartScreen. We could do a registry check on the devices with an Endpoint Configuration Manager Configuration Item baseline or with Endpoint Manager Endpoint Analytics scripting. 
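As an added example (not part of the original post), here is a discovery script of the kind the paragraph above describes, usable as a Configuration Manager Configuration Item discovery script or as an Endpoint Analytics / Proactive Remediation detection script. The page does not list the registry locations; the ones below are assumptions based on where Windows stores the Explorer SmartScreen setting (`SmartScreenEnabled`) and its Group Policy override (`EnableSmartScreen` and `ShellSmartScreenLevel`), and the policy value is treated as authoritative when present, because a policy-managed device can carry a stale local value.

```powershell
# Added example, not from the original post: report whether SmartScreen for
# apps and files is enforced on this device. Assumptions (not on the page):
# the registry locations below; adjust if your Windows build differs.

$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$ExplorerKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent
}

function Get-SmartScreenState {
    # Group Policy values win over the per-device setting when they exist.
    $policyEnabled = Get-RegValue $PolicyKey   'EnableSmartScreen'      # DWORD 1 or 0
    $policyLevel   = Get-RegValue $PolicyKey   'ShellSmartScreenLevel'  # 'Block' or 'Warn'
    $localSetting  = Get-RegValue $ExplorerKey 'SmartScreenEnabled'     # 'Block','Warn','RequireAdmin','Off'

    if ($null -ne $policyEnabled) {
        $enabled = ($policyEnabled -eq 1)
        $source  = 'GroupPolicy'
        $level   = if ($enabled) { $policyLevel } else { 'Off' }
    } else {
        # No policy: fall back to the local setting; absent or 'Off' means not protected.
        $enabled = [bool]($localSetting -and $localSetting -ne 'Off')
        $source  = 'LocalSetting'
        $level   = if ($localSetting) { $localSetting } else { 'NotConfigured' }
    }
    [pscustomobject]@{ Enabled = $enabled; Level = $level; Source = $source }
}

$state = Get-SmartScreenState
# ConfigMgr compares the string output against the compliance rule;
# Endpoint Analytics / Proactive Remediation keys off the exit code.
if ($state.Enabled) {
    Write-Output 'Compliant'
    exit 0
} else {
    Write-Output "NonCompliant ($($state.Source): $($state.Level))"
    exit 1
}
```

In Configuration Manager, pair this with a compliance rule of "value equals Compliant" and add the CI to a baseline deployed to all workstations; devices that report NonCompliant are the ones running apps and browsers without SmartScreen that the paragraph above recommends finding.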

I hope the information is useful.

Until next time, then.

 


Disclaimer
The sample scripts are not supported under any Microsoft standard support program or service. 
The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims
all implied warranties including, without limitation, any implied warranties of merchantability or
of fitness for a particular purpose. The entire risk arising out of the use or performance of the
sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or
anyone else involved in the creation, production, or delivery of the scripts be liable for any
damages whatsoever (including, without limitation, damages for loss of business profits, business
interruption, loss of business information, or other pecuniary loss) arising out of the use of or
inability to use the sample scripts or documentation, even if Microsoft has been advised of the
possibility of such damages.

 

Last updated: Jan 19 2021 05:53 AM