Phishing and malware site filters and how they workThe latest versions of all the most common browsers have the ability to recognize potentially dangerous web sites. They do this by referring to databases of known bad sites and comparing addresses requested by the user with this list. If the web address is recognized as malicious, a warning message is displayed instead of the requested page. Some figures with example warnings are shown in sections below. These databases have to be updated constantly to deal with the ever-shifting phishers and malware distributors. Different browsers use different lists. Internet Explorer 8 uses a Microsoft method called SmartScreen Filter, while Firefox and Chrome use the Google Safe Browsing API. Opera relies on malware data assembled by Netcraft. They may also employ some heuristics or rules that try to identify dubious sites from their characteristics in order to provide some real-time protection. Details of how the two most common browsers provide protection against bad sites are given next. |
Internet Explorer 8 "SmartScreen" Filter
Internet Explorer 8 uses several methods to guard against phishing and malware, Microsoft calls the approach SmartScreen Filter. Two different lists are used, a local whitelist of popular sites that is kept updated by Windows Update. and a very frequently updated online blacklist at Microsoft. Every requested web site (and download) is first checked against the local list . If the site is not found, the address is sent to the Microsoft URL Reputation Service for a check against a list of web sites and downloads that have been reported to Microsoft as unsafe or suspicious. If you attempt to go to an URL that is on the blacklist, a warning like the example shown below in Figure 1 will appear:
| Figure 1. Warning in Internet Explorer 8 about malicious site |
|---|
 |
If the SmartScreen Filter detects a site that isn't on the blacklist, it will apply further heuristic tests. If these trigger any suspicions, IE8 will display a pop-down alert as illustrated in Figure 2 below. Note that downloads are also guarded and Figure 3 shows a warning about a possibly unsafe download.
| Figure 2. Alert from IE8 about possible suspicious behavior | Figure 3. Alert from IE8 about unsafe download |
|---|---|
 |
 |
Settings for Internet Explorer 8 Filters
Some PC users find that the time that it takes for SmartScreen to check an URL slows up browsing and they prefer to disable the filtering. Others feel that the online Microsoft URL Reputation Service is not current enough and prefer to use other link checkers, such as those provided by a variety of security suites. If you have a valid reason to disable the feature, the procedure is:
- Open the "Tool" menu from the Menu Bar (not the Command Bar) or click the "Safety" button in the Command Bar.
- In the drop-down menu, select "SmartScreen Filter" (Figure 4 below).
- Click "Turn Off SmartScreen Filter..."
- In dialog box that opens, click "Turn off SmartScreen Filter". (Figure 5 below).
| Figure 4. Menu to turn off IE8 SmartScreen |
|---|
 |
| Figure 5. Dialog box to enable or disable IE8 SmartScreen |
|---|
 |
The procedure to turn SmartScreen on is the same. If SmartScreen has been disabled, the menus will reflect that setting and "turn off" will be replaced with "turn on".
Site Filtering in Firefox
Firefox uses a blacklist provided by Google that is stored locally in the urlclassifier3.sqlite file in your Firefox profile. These lists are automatically downloaded and updated approximately every half-hour when the "Phishing and Malware Protection" features are enabled. These procedures can affect performance and those who are experienced can disable the feature. Go to the "Tools" menu and select "Options". Click the "Security" tab and the dialog shown in Figure 6 will open. The appropriate area for changing settings is marked in yellow.
| Figure 6. Settings for Firefox web site filtering |
|---|
 |
Warnings in Firefox
If you try to access a site on the Firefox blacklist, a warning similar to that in Figure 7 will appear. This is actually from a test site provided by Mozilla.
| Figure 7. Firefox warning of phishing site |
|---|
 |
A different warning is shown when there are doubts about a site but it isn't confirmed as a dangerous site. Figure 8 is an example.
| Figure 8. Warning of untrusted site by Firefox |
|---|
 |
| |
|
|