SmartScreen: Don’t disable it; Do this instead!

So, you’re annoyed with those SmartScreen popups every time you download a file from the Internet and try to run it.

Microsoft Defender SmartScreen helps protect against phishing and malware websites and applications, and against the download of potentially malicious files, so don’t disable it or try to work around it.

What is happening is that when you download a file from the Internet, the browser attaches an alternate file stream to it, and Windows SmartScreen uses that alternate file stream to determine the relative safety of the file. Malicious websites might trick you into downloading files without your knowledge, files that might then kick off various ransomware or other malware processes.

If you really, Really, REALLY trust the source file, you can remove this alternate file stream (and thus, the SmartScreen popups) by doing this:

  • Download the file with your browser
  • Go to the file in Windows Explorer
  • Right-click on the specific, trusted file, and select “Properties”
  • Check the “Unblock” box, and close.

It will look something like this:

After you unblock the file, you will no longer get any SmartScreen popups regarding this file.

For the technically curious, let’s pull the curtain back a little…

I mentioned an “alternate file stream” earlier. What’s that?

An alternate file stream is a bit of “stuff” attached to a file; the “main” file. A file can have multiple alternate file streams. The alternate file stream name typically attached to a downloaded file is “Zone.Identifier”.

This “Zone.Identifier” file stream is what SmartScreen is triggering on, and “Unblock”ing will remove this file stream from the file.

The PowerShell way to remove the “Zone.Identifier” stream is:

Remove-Item .\filename.exe -Stream Zone.Identifier

Sooo… what’s in that “Zone.Identifier” file stream? Let’s look:

And there you have it.

The actual file content, what you typically think of as the file, is the $DATA stream. If you try to look at it, you’ll just get a dump of binary data. Not typically recommended for a binary file. But, for a plain text file, Get-Content’ing the $DATA stream would just give you the text content of the file.
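
One way to look before you unblock, as an added example that is not from the original post: it lists a file’s streams, parses the “Zone.Identifier” text, and removes the stream only when the file’s SHA-256 matches a value you supply. The function name Test-DownloadedFile, the demo file and its HostUrl are constructed for illustration, and the demo needs an NTFS volume.

```powershell
# Added example; Test-DownloadedFile, the demo file and its HostUrl are constructed.
function Test-DownloadedFile {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $ExpectedSha256   # assumption: a hash published by the file's vendor
    )
    $zoneNames = @{ 0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                    3 = 'Internet'; 4 = 'Restricted sites' }

    # Every file has the unnamed :$DATA stream; downloads usually add Zone.Identifier.
    $streams = @(Get-Item -LiteralPath $Path -Stream * | Select-Object -ExpandProperty Stream)

    $mark = @{}
    if ($streams -contains 'Zone.Identifier') {
        # The stream is INI-style text: [ZoneTransfer], ZoneId=, optionally ReferrerUrl=/HostUrl=
        foreach ($line in Get-Content -LiteralPath $Path -Stream Zone.Identifier) {
            if ($line -match '^\s*(\w+)\s*=\s*(.*)$') { $mark[$Matches[1]] = $Matches[2] }
        }
    }
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    [pscustomobject]@{
        Path        = $Path
        Streams     = $streams -join ', '
        Zone        = if ($mark.ContainsKey('ZoneId')) { $zoneNames[[int]$mark['ZoneId']] } else { 'not marked' }
        HostUrl     = $mark['HostUrl']
        Signature   = (Get-AuthenticodeSignature -FilePath $Path).Status
        Sha256      = $hash
        HashMatches = [bool]$ExpectedSha256 -and ($hash -eq $ExpectedSha256)
    }
}

# Constructed demo: a text file with a hand-written Zone.Identifier stream.
$demo = Join-Path $env:TEMP 'motw-demo.txt'
Set-Content -LiteralPath $demo -Value 'hello'
Set-Content -LiteralPath $demo -Stream Zone.Identifier -Value '[ZoneTransfer]', 'ZoneId=3',
    'HostUrl=https://downloads.example/motw-demo.txt'

# In real use the expected hash comes from the publisher, not from the file itself.
$report = Test-DownloadedFile -Path $demo -ExpectedSha256 (Get-FileHash -LiteralPath $demo).Hash
$report | Format-List
if ($report.HashMatches) { Unblock-File -LiteralPath $demo }   # removes Zone.Identifier
Get-Item -LiteralPath $demo -Stream * | Select-Object Stream, Length
```

The final listing should show only the :$DATA stream, since Unblock-File has removed the “Zone.Identifier” stream just as the “Unblock” checkbox does.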