Web page archived as of 2018-05-22. Some links & features might not work.

How smart is SmartScreen?

Recently, when I had a closer look at our web access logs, I happened to see a GET request coming from an unknown IP address trying to download a file which had a random file name that we hadn't published anywhere, at least not purposely. The file name had been created randomly a few hours earlier by a download/file sharing script which generates a temporary random link for every single download. These links are removed shortly after the download, so the second attempt was futile since the link was already removed.

After a bit of testing, creating more downloads, using different browsers etc., we concluded that the illegitimate requests were probably made on behalf of Microsoft's SmartScreen feature. Every time we accessed a file using Internet Explorer with SmartScreen turned on (and not using Private Browsing), a few hours later we saw (attempted) downloads using GET requests coming from,, and

All 3 of these IP addresses have in common that they lack rDNS, and their WHOIS data shows only major US providers (Level 3 and InterNap). All requests used faked1) User-Agent strings, for instance "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts; InfoPath.1; .NET CLR 2.0.50727; Dealio Toolbar 3.4; OfficeLiveConnector.1.3; OfficeLivePatch.0.0; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; Windows Live Messenger 14.0.8117.0416)".
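One way to spot this pattern in an access log, as an added example that is not code from the original post: it flags any one-time link that is requested again from an IP other than its first requester and reports the delay, status and User-Agent. The `/dl/` prefix, the log lines, the link names and the addresses are constructed assumptions.

```python
import re
from datetime import datetime

# Combined Log Format: ip - - [time] "METHOD path proto" status size "referer" "user-agent"
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
TEMP_LINK_PREFIX = "/dl/"  # assumption: where the sharing script puts its one-time links

def find_replays(lines, prefix=TEMP_LINK_PREFIX):
    """Return requests for a one-time link made by an IP other than its first requester."""
    first_seen = {}  # path -> (ip, timestamp) of the first request for that link
    replays = []
    for line in lines:
        m = LINE.match(line)
        if not m or not m["path"].startswith(prefix):
            continue  # unparsable line or not a temporary download link
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        owner_ip, owner_ts = first_seen.setdefault(m["path"], (m["ip"], ts))
        if m["ip"] != owner_ip:
            replays.append({
                "path": m["path"],
                "first_ip": owner_ip,
                "replay_ip": m["ip"],
                "delay_hours": round((ts - owner_ts).total_seconds() / 3600, 2),
                "status": int(m["status"]),  # 404 means the link was already removed
                "user_agent": m["ua"],
            })
    return replays

# Constructed sample log: documentation IP ranges and made-up link names
SAMPLE_LOG = [
    '198.51.100.7 - - [19/Oct/2014:09:12:03 +0200] "GET /dl/k3x9q7tz HTTP/1.1" 200 48211 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"',
    '198.51.100.7 - - [19/Oct/2014:09:12:40 +0200] "GET /index.html HTTP/1.1" 200 1020 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"',
    '203.0.113.50 - - [19/Oct/2014:13:42:03 +0200] "GET /dl/k3x9q7tz HTTP/1.1" 404 210 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
    '198.51.100.7 - - [19/Oct/2014:14:00:00 +0200] "GET /dl/p0m2w8ra HTTP/1.1" 200 999 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"',
]

if __name__ == "__main__":
    for hit in find_replays(SAMPLE_LOG):
        print(hit)
```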

A web search for these IP addresses and SmartScreen didn't provide much information either. However, the IP addresses are known and SmartScreen's approach has been questioned before:

1) HTTP request headers didn't match the known behavior of the browsers they pretended to be.
blog/141019_how_smart_is_smartscreen.txt · Last modified: 2016-10-03 20:37 by andreas