Application Reputation

Bruce Morton

Social-engineering attacks are more common than attacks on security vulnerabilities. Traditional defense against malware is a URL-based filter to screen out known malware websites. Microsoft introduced a new defense called Application Reputation that is available in Internet Explorer 9 (IE9) through the SmartScreen Filter.

Application Reputation allows publishers and their applications to build a reputation over time through these principles:

  • Well known “good” applications have a better reputation than new applications
  • Well known “good” publishers have a better reputation than unknown publishers
  • New applications signed by known “good” publishers can have a relatively high reputation from first release

Reputation can be built for unsigned and signed applications. Signed applications can build reputation at twice the rate of those that are unsigned. Reputation based on signing relies on the identification of the publisher by a trusted certification authority and the issuance of a code-signing certificate. Reputation is built by signing ‘good’ applications, but can be easily lost if the certificate is used to sign malware.

Traditionally browsers have presented a trust dialogue box for each application download. IE9 with SmartScreen® Filter does not present a trust dialogue, if the application has built a good reputation. The benefit is that applications with good reputations will be installed without the user making a trust decision — they simply choose “Save” or “Run.” This means when IE9 does detect an application with an unknown reputation, the user is not de-sensitized to trust dialogues and will most likely make the right decision.

For more information on Application Reputation, see the following MSDN blog posts:

Bruce Morton
Bruce Morton
Director, Certificate Technology & Standards

Bruce Morton has worked in the public key infrastructure and digital certificate industry for more than 15 years and has focused on SSL and other publicly trusted certificates since 2005. He has been an active member of the CA/Browser Forum that released guidelines for extended validation (EV) certificates and Baseline Requirements for SSL certificates. Bruce oversees the governance and compliance of Entrust’s publicly trusted PKI.


Add to the Conversation