A blog about generally interesting infosec stuff by employees of SecQuest Information Security https://www.secquest.co.uk

Friday, 9 December 2011

SmartScreen Filter Going Too Far?

I was chatting to a friend earlier who had noticed requests for files on his server coming from unknown IP addresses. Nothing weird about that, it happens all the time...

BUT the files being requested had UNIQUE filenames known only to person-X and person-Y!

Looking into this, the issue is caused by IE9's SmartScreen protection: files you download with IE are subsequently downloaded again by a third party, presumably for analysis. This could cause a serious breach of privacy, and it is DEFAULT behaviour.

User uses IE9 to request topsecretfile.exe from a server, downloads the file, job done. The server logs a couple of minutes later look like this (lines formatted for legibility):

   - - [09/Dec/2011:10:14:48 +0000] "GET /topsecretfile.exe HTTP/1.1"
   200 270336 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"

   - - [09/Dec/2011:10:15:27 +0000] "GET /topsecretfile.exe HTTP/1.1"
   200 270336 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64;
   Trident/4.0; SIMBAR={DB2824C4-1E6B-11E0-BC3B-1C6F658133BA}; GTB6.6; SLCC2;
   .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0;
   .NET4.0C; InfoPath.1; Windows Live Messenger 14.0.8117.0416)"

Weird huh! The top secret file you were sharing with a friend/customer/agency has been downloaded by someone else!

Zips don't escape attention either:

   - - [09/Dec/2011:10:43:56 +0000] "GET /topsecret.zip HTTP/1.1"
   200 345816 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"

   - - [09/Dec/2011:10:45:21 +0000] "GET /topsecret.zip HTTP/1.1"
   200 345816 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Mozilla/4.0
   (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; Foxy/1; KKMAN3.2; .NET CLR
   2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729;
   .NET4.0C; .NET4.0E) Sleipnir/2.6.0"
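One way to spot this pattern in your own logs, added here as an example rather than anything from the original post: a Python script that parses Apache combined-format lines and flags a file that was fetched by one client and then fetched again from a different address within a few minutes. The log lines below are constructed (the post's own lines have the client addresses stripped), and the addresses in them are placeholders from the documentation ranges.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log line: client ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample log (placeholder addresses from the documentation ranges; times and
# paths mirror the post). The last line is a legitimate re-download by the original client.
SAMPLE_LOG = """\
192.0.2.10 - - [09/Dec/2011:10:14:48 +0000] "GET /topsecretfile.exe HTTP/1.1" 200 270336 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
198.51.100.7 - - [09/Dec/2011:10:15:27 +0000] "GET /topsecretfile.exe HTTP/1.1" 200 270336 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0)"
192.0.2.10 - - [09/Dec/2011:10:20:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
192.0.2.11 - - [09/Dec/2011:10:43:56 +0000] "GET /topsecret.zip HTTP/1.1" 200 345816 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
198.51.100.9 - - [09/Dec/2011:10:45:21 +0000] "GET /topsecret.zip HTTP/1.1" 200 345816 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Sleipnir/2.6.0"
192.0.2.11 - - [09/Dec/2011:11:30:00 +0000] "GET /topsecret.zip HTTP/1.1" 200 345816 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
"""

def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_refetches(log_text, window_seconds=600):
    """Return (path, first_ip, second_ip, seconds_between, second_ua) for each
    successful GET that is repeated by a *different* client address within
    window_seconds of an earlier successful GET of the same path."""
    by_path = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "GET" and rec["status"] == "200":
            by_path[rec["path"]].append(rec)
    hits = []
    for path, recs in by_path.items():
        recs.sort(key=lambda r: r["time"])
        for i, later in enumerate(recs):
            for earlier in recs[:i]:
                gap = int((later["time"] - earlier["time"]).total_seconds())
                if earlier["ip"] != later["ip"] and gap <= window_seconds:
                    hits.append((path, earlier["ip"], later["ip"], gap, later["ua"]))
                    break  # report each re-fetch once
    return hits
```

Calling find_refetches(SAMPLE_LOG) reports the .exe and the .zip re-fetched from a second address 39 and 85 seconds after the original download, while the same client's own later re-download of the zip is ignored.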

You can set up .htaccess or similar on the server to block the following ranges if black helicopters are circling, but this doesn't resolve the fact that possibly confidential files are being fetched without you knowing. Blocking whole subnets is probably overkill, but something like:

Deny from
Deny from
Deny from
Deny from
Deny from

It also seems odd that random user agents are being used; why not just send "Mozilla/4.0 (Microsoft is checking your files for badness)"?

IE9's advanced options allow you to disable the filter, but this raises the question of whether companies are unintentionally leaking data to Microsoft via their customers.

If you're concerned, it's probably best to encrypt or password-protect any files you're sending and communicate the password out of band!
