Trend Micro Joins Sophos in Criticizing Microsoft SmartScreen Stats

May 26th, 2011 11:22 GMT

Trend Micro researchers are backing up anti-malware experts from Sophos in claiming that Microsoft's recently published SmartScreen numbers are of little relevance and might actually lead to a false sense of security.

Starting with Internet Explorer 9, Microsoft has added an application reputation component to the browser's existing SmartScreen filter.

The SmartScreen technology was originally introduced in Internet Explorer 7 as a malicious URL blocking feature and, according to the browser vendor, it has blocked 160 million phishing pages and 1.5 billion malware distribution sites so far.

Microsoft claims that IE's new app reputation filter kicks in immediately when a new attack is launched, unlike traditional antivirus signatures that start appearing after the eleventh hour.

The company says that SmartScreen warnings only appear for one in ten downloads and that one in fourteen downloaded files is ultimately confirmed as malware.

Last week, Chester Wisniewski, a senior security advisor at Sophos, expressed several concerns about the numbers released by Microsoft to outline the success of IE9's app reputation feature.

As the security expert points out, there's a big problem with these statistics. They lack comparison with other, more prevalent, web infection vectors like drive-by downloads.

Drive-by download attacks occur when websites exploit vulnerabilities in plug-ins like Java, Flash or Adobe Reader to install malware on computers. In these cases, the browser has no control over the downloads.

"While we cannot comment on the exact methodology used in Microsoft’s own tests, we have to agree with Sophos’ questioning of the rather surprising results Microsoft published," said Martin Roesler, director for threat research at Trend Micro.

Mr. Roesler published a chart from the company's own internal benchmark testing which shows IE9 blocking a little over 5% of malicious URLs thrown at it. In comparison, Sophos blocked over 30%, Kaspersky Lab around 50% and Trend Micro close to 70%.

The main problem here is not that IE9's reputation filter isn't a useful layer of security, because every bit helps, but that flaunting it as great web malware blocking technology, when it is not, might give IE9 users a false sense of protection.
