Inconvenient truth about SmartScreen

January 2, 2018

My story starts just like any other developer’s story would. My passion is creating software and sharing my humble creations with the world. Recently I noticed that my creations (downloads) on Rizonesoft were being blocked by Windows SmartScreen. To be fair, they are not being blocked; it is more like a warning that the download can harm the intended user’s computer.

Obviously, because of this “Warning” the user will think twice about installing the file. This affects my and Rizonesoft’s reputation directly, and this is important, but I think anyone would feel the same. Do not even get me started about the potential users lost. Recently, our new Firemin release went from potentially harmful to being malicious according to SmartScreen. How many people believe we distribute malware with our files? Hopefully this article will convince some of you that this is not the case.

SmartScreen Malicious file warning

A simple warning is not a bad thing, is it?

The Internet is a volatile place, and with the recent outbreak of ransomware, people are scared. Scared to run files labelled potentially harmful. This makes me sad and frustrated. Sad for all the suffering developers, and frustrated because this article is the only thing I can do to retaliate.

The truth about SmartScreen

After researching SmartScreen to understand what exactly in my applications could be harmful, I came to the conclusion that it is not our programs it does not like; it is the way SmartScreen was engineered. It uses a reputation-based detection engine. That is a fancy way of saying that if a program is not popular, it is detected as potentially being harmful. But there is a catch; read Microsoft’s take on the subject below:

SmartScreen checks files that you download from the web against a list of reported malicious software sites and programs known to be unsafe. If it finds a match, SmartScreen will warn you that the download has been blocked for your safety. SmartScreen also checks the files that you download against a list of files that are well known and downloaded by many people who use Internet Explorer. If the file that you’re downloading isn’t on that list, SmartScreen will warn you.

Without going into too much detail, the unfair part here is that prior to Windows 8, only Internet Explorer users could add popularity points to a file. This means that downloads of a program like Firemin, which has a majority of Firefox users, will not be counted towards the “downloaded by many people” rating.

Firemin Browser Usage

67 Anti-Virus Engines can’t be wrong!

Yes, SmartScreen protects us against many malicious files. But no, it uses an unfair method to detect potentially malicious files; other security products chose not to use this method because false positives are a certainty. It is unfair because, to take one example, ImgBurn, a popular CD/DVD burning application, is bundled with OpenCandy (malware). The SetupImgBurn_2.5.8.0.exe file has 22 detections on VirusTotal, but SmartScreen does not warn the intended user. On the other hand, for the Firemin_4839_Setup.exe file there are no detections, but SmartScreen spits out a warning nonetheless.

ImgBurn vs Firemin VirusTotal scan

The Solution

There is no proper solution to stop software from being detected as malware by SmartScreen or Windows Defender. However, there is a place you can report a false positive to Microsoft, but I’m not sure how effective it is. The only other option is to wait it out. If the file you download gets enough brownie points, the warning and/or false detection should disappear.

2 thoughts on “Inconvenient truth about SmartScreen”

  1. ericlaw

    You misunderstand how SmartScreen works. Firefox (and Chrome, Edge, and IE) all tag web-originating responses with a MarkOfTheWeb, and SmartScreen (in Win8+) evaluates them.
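
The Mark of the Web mentioned in the comment above is stored in an NTFS alternate data stream named Zone.Identifier, which developers can inspect on their own downloaded installers. The following is an added example, not part of the original post or its comments: a small parser for that stream's text. The sample content, the example.test URLs and the function names are constructed for illustration, and treating zones 3 and 4 as web-originating is an assumption.

```python
import configparser

# URL security zone ids as written into the ZoneId field.
ZONES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}

# Constructed sample of a Zone.Identifier stream (URLs are placeholders).
SAMPLE = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://downloads.example.test/firemin/\r\n"
    "HostUrl=https://downloads.example.test/files/setup.exe?id=1\r\n"
)

def parse_motw(stream_text):
    """Return the parsed mark as a dict, or None if the text holds no usable mark."""
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       delimiters=("=",))
    try:
        parser.read_string(stream_text.lstrip("\ufeff"))  # tolerate a BOM
        zone_id = int(parser.get("ZoneTransfer", "ZoneId"))
    except (configparser.Error, ValueError):
        return None  # no section, no ZoneId, or a non-numeric value
    return {
        "zone_id": zone_id,
        "zone": ZONES.get(zone_id, "Unknown"),
        # Assumption: zones 3 and 4 are the ones treated as web-originating.
        "web_originating": zone_id in (3, 4),
        "referrer_url": parser.get("ZoneTransfer", "ReferrerUrl", fallback=None),
        "host_url": parser.get("ZoneTransfer", "HostUrl", fallback=None),
    }

def read_motw(path):
    """On NTFS, read the mark from <path>:Zone.Identifier; None if the file has none."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8",
                  errors="replace") as fh:
            return parse_motw(fh.read())
    except OSError:
        return None

if __name__ == "__main__":
    print(parse_motw(SAMPLE))
```

A file for which `read_motw` returns None carries no mark at all, which is the case for files that did not arrive through a browser or another tool that tags its downloads.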