The power behind MRS and SmartScreen

Hi folks!

I must confess that when Firefox 2.0 was made publicly available I had to move away from Internet Explorer 6, since its features were very outdated and it had no tabbed browsing. Since then, the Internet Explorer team got a "wake-up call" and started to add new features, improve functionality and adopt web standards.

I don't want to go through all of Internet Explorer's history here. I do want to highlight a particularly great security feature introduced by the IE team: SmartScreen Filter (formerly Phishing Filter in Internet Explorer 7).

SmartScreen Filter was first introduced in Internet Explorer 7, under the name Phishing Filter. Microsoft then released IE 8 and greatly improved the SmartScreen technology. This improvement was compared to other solutions on the market. The results can be seen in the graphic below:


Figure 1 – Internet Explorer 8 vs. Other browsers

Almost two years later Microsoft released to web a new version of Internet Explorer, version 9.0. This version came with many other security features and even better SmartScreen rates, according to NSS Labs research.


Figure 2 – Internet Explorer 9 vs. Other browsers

The whole reason I'm talking about this is that the other day a member of the message boards came up with a question on how to block a certain malicious URL. He was worried that some user could be tricked into accessing it and get infected.

The way he wanted to block it was not supported by the ISA firewall syntax for blocking domains and URLs.

Now what!? The war is over and the bad guys won this round? I say, no way!!!

Even though his first recommendation was not to try to access the malicious URL, I started a test machine using the latest Microsoft operating system and browser software, fully updated. As soon as I tried to access the malicious URL, Internet Explorer 9 returned the following screen to me:


Figure 3 – Internet Explorer 9 SmartScreen in action

How cool is that!!?? :)

As a matter of fact, I also submitted the URL to the VirusTotal website for analysis by a variety of web filters:


Figure 4 – Screenshot from VirusTotal website

As you can see, only 3 of 16 web filters identified the URL as malicious. How accurate do you think the NSS Labs tests are now?

The Internet Explorer SmartScreen filter has done its job. How about Microsoft's firewall technology? Can it block the malicious URL? What's the problem with that?

The truth is that none of the ISA firewall versions has built-in URL filtering functionality (it can be installed as an add-on, though). On the other hand, the most recent version of the Microsoft firewall, Forefront Threat Management Gateway (TMG) 2010, has URL Filtering out of the box!

Forefront TMG 2010 leverages Microsoft Reputation Services (MRS) to query URL categories.

Since I'm evaluating TMG 2010 at the company where I work, I decided to test it. In the TMG 2010 GUI you can query a URL to check which category it belongs to.


Figure 5 – TMG 2010 GUI query

You can see this URL is categorized as Malicious and Spam URLs. We can assume from now on that TMG will successfully block the URL when a user tries to access it, if a deny rule is blocking these categories, right?

That's right! However, since I'm testing TMG 2010 I do not assume anything; I want to be certain! This is the result when I try to access this URL from a machine behind TMG 2010:


Figure 6 – TMG 2010 block page

As expected, TMG 2010 successfully blocked the page!

Oh! To make it clear, I returned to Internet Explorer when version 8 was launched and have been using IE ever since! :)

The bottom line is that Microsoft has been investing heavily in security in the past years. No matter if you are a home user or a corporate user, your back is covered.


Paulo Oliveira.


2 Responses to The power behind MRS and SmartScreen

  1. uilson76 says:

    Very nice Paulo!!!!
