Microsoft has quietly upgraded its experimental Scareware Blocker in Edge Canary to not only interrupt tech-support scams but to block entire scam websites and optionally send detected URLs to Defender SmartScreen—and both new toggles are enabled by default. The change, spotted by Windows Report and echoed in Windows enthusiast forums, transforms a local, on-device defense into a network-augmented shield, raising both security prospects and privacy questions.

From Popup Interrupter to Proactive Scam Site Blocker

Scareware Blocker first appeared as a focused tool to combat the full-screen browser hijacks that frighten users with alarming audio, fake virus warnings, and urgent calls to call bogus support lines. It relied entirely on a local machine learning model that analyzed visual and behavioral cues—forced full-screen mode, overlay elements, keyboard and mouse lockouts, aggressive audio playback—to flag a page as a scam. When triggered, Edge would exit full-screen, mute the audio, and present a warning with a thumbnail of the offending page. Users could then close the tab, ignore the warning, or report the site to Microsoft.

That original model kept all processing on the device and only shared data if the user explicitly reported the page. It was a careful balance: rapid, automated intervention with minimal privacy impact. But it had limitations. A dismissed popup didn’t prevent the same scam domain from loading again, and the broader Edge user base remained unprotected unless someone took the extra step to report the site—something a panicked user might not do.

Two New Toggles Arrive in Edge Canary

Recent Canary builds now expose two distinct controls under an expanded Scareware Blocker settings area:

  • Block sites detected as scams – Instead of just breaking out of a scareware popup, Edge can now block the entire site it identifies as a scam, preventing future visits to that domain.
  • Share detected scam sites with Microsoft Defender SmartScreen – When enabled, Edge sends the website link and a scam classification to Defender SmartScreen to accelerate global blocking.

Both toggles appear enabled by default in the Canary UI. The “share” toggle includes inline help text stating that consent is given to share the link and classification so Microsoft can identify and block similar threats. For the first time, Edge will actively block the scam site and feed its own local detections into the cloud-powered reputation system.

Why Splitting Blocking and Reporting Matters

Separating the blocking control from the reporting control is a deliberate design choice. It allows users to accept a higher level of local protection without automatically agreeing to telemetry sharing. A privacy-conscious individual, for instance, can keep the “block” toggle on to automatically stop known scam domains while keeping the “share” toggle off, so no URLs leave the device. Conversely, those who want maximum network-wide protection can enable both. IT administrators get the granularity to enforce policies that match corporate compliance and privacy rules.

This split also signals that Microsoft is thinking about user choice even as it moves toward a default-on posture. The fact that both toggles are on by default in Canary, however, has already prompted discussion on Windows forums about whether that default will survive into stable releases.

The Defensive Logic: Speed, Scale, and User Friction

Scareware campaigns are fast-moving. Attackers use malvertising, domain flipping, and cloaking to serve malicious full-screen pages that vanish within hours. A purely local detector provides immediate relief for the victim, but without cloud integration, the same scam can strike thousands more before a human reports it. By automatically sending the URL and a scam classification to Defender SmartScreen, Microsoft can block the site across its entire user base in minutes.

Defender SmartScreen’s reputation database already processes billions of URL checks daily. Adding a real-time feed of locally classified scam sites—even if only a fraction are true positives—shortens the time from outbreak to global block. Microsoft also reduces user friction: a frightened user no longer has to decide whether to report the attack; the system handles it automatically. Moreover, automatic reporting feeds back into the local model’s training pipeline, helping to reduce both false negatives and false positives over time.

Technical and Administrative Details IT Teams Need

Scareware Blocker’s new capabilities are currently limited to the Canary and Dev channels, with policy templates expected to appear in Edge’s mid-130s series releases. Administrators who manage enterprise environments can already control the feature via a Group Policy / ADMX setting named ScarewareBlockerProtectionEnabled. It can be enforced through Group Policy or directly in the registry under SOFTWARE\Policies\Microsoft\Edge.

A REG_DWORD value of 1 enables the feature. When set as mandatory policy, user overrides are disallowed; when set as recommended, users can adjust the local toggle. Enterprises should test behavior carefully, as the new site-blocking and reporting toggles may have separate policy settings in future builds. Microsoft has not yet documented dedicated policies for the block and share sub-features, but they are likely to follow.

Privacy, Telemetry, and the Data Being Shared

The data shared when the reporting toggle is on is minimal: the website URL and the model’s classification (e.g., “scareware”). Defender SmartScreen already transmits URL and file metadata for reputation checks over TLS, and Microsoft asserts that such data is used exclusively for security services, not for profiling or advertising. Still, even a bare URL can reveal sensitive browsing context—a fact not lost on journalists, lawyers, activists, and others who handle confidential information.

Classification metadata may be stored alongside the URL in Microsoft’s security telemetry systems. While the company states that data retention and access are governed by the same policies that apply to SmartScreen, the default-on nature of the Canary toggles has raised eyebrows. Default-on telemetry has historically attracted scrutiny from privacy advocates and regulators, and it is unclear whether the stable Edge channel will ship with these defaults.

Mitigations for Privacy-Conscious Users and Organizations

Users who want local protection without cloud reporting can simply leave the “block” toggle on and turn off the “share” toggle. Both are independently configurable. Enterprises should lock down the feature through Group Policy to match their data-handling requirements. For example, an organization may choose to enable blocking but disable URL sharing for all managed devices, avoiding any external transmission of browsing data.

Microsoft provides a separate Edge setting for Defender SmartScreen itself, which remains recommended for blocking known malicious sites and downloads. Disabling the scam-site sharing toggle does not affect SmartScreen’s core protection; it only stops sending the locally detected URLs.

False Positives, Abuse, and the Limits of Local AI

No machine learning model is perfect. Legitimate full-screen web applications—kiosk interfaces, web-based dashboards, or video conferencing services—could trigger a false positive. While Microsoft lets users report false positives and operates the Digital Crimes Unit to investigate, an incorrect block can still disrupt workflow and erode trust.

Attackers, meanwhile, might try to poison the system. They could craft pages designed solely to trigger the blocker and generate false reports, creating noise that buries real threats or, worse, causing legitimate sites to be mistakenly blocked en masse. Reputation systems that rely on crowd-sourced reports are inherently vulnerable to such abuse, and Microsoft will need robust backend filters to separate signal from noise.

The local model also has a blind spot: because it never uploads screenshots (in the name of privacy), it must rely on its offline training set and heuristics. Rapidly evolving scam pages that use new visual patterns or avoid full-screen tricks may still evade detection until the model receives an update or SmartScreen accumulates enough corroborating reports to block the domain.

What Users Should Do Right Now

If you’re running an Edge build that includes the Scareware Blocker preview (Canary, Dev, or a recent stable release), you can find the controls under Settings > Privacy, search, and services > Security. Look for the Scareware Blocker section.

  • To maximize safety, enable the “Block sites detected as scams” toggle. This automatically stops known scam domains in their tracks.
  • If you trust Microsoft’s telemetry and want the fastest network-wide blocking, enable the “Share detected scam sites with Microsoft Defender SmartScreen” toggle.
  • If you prefer to keep browsing data local, keep the share toggle off but allow site blocking.
  • Enterprise administrators should deploy the ScarewareBlockerProtectionEnabled policy and consider setting the sharing toggle off until clear privacy guidelines are established.

Leave Defender SmartScreen enabled for comprehensive protection against phishing and malicious downloads—it complements Scareware Blocker rather than replacing it.

Beyond Scareware: Passkey Roaming and GPT-5 Rolling Into Edge

Edge Canary is also experimenting with passkey roaming, positioning the browser as a passkey provider that syncs saved credentials across devices. Dedicated “Passwords and passkeys” sync controls are appearing, reflecting the industry shift toward syncable passkeys that resist phishing yet remain user-friendly. Microsoft has already integrated GPT-5 into Copilot, and Edge’s tight coupling with AI services means the browser is becoming a central access point for generative AI tools—both for productivity and, potentially, for more sophisticated content-based attacks. These parallel developments underscore a broader trend: browsers are absorbing more security, identity, and AI responsibilities, making the configuration of features like Scareware Blocker all the more critical.

Critical Analysis: A Strong Step Forward, but Watch the Defaults

Scareware Blocker’s evolution is a net positive. The ability to block entire scam sites and feed that intelligence into SmartScreen creates a layered defense that marries fast local intervention with cloud-scale blocking. Separating blocking from reporting gives users and admins genuine choice—a rare commodity in browser security features.

Yet the default-on telemetry in Canary deserves close scrutiny. Defaults shape behavior powerfully, and if the sharing toggle remains enabled in stable builds without a transparent setup dialog, many unsuspecting users will unknowingly transmit URLs. For an experimental build, that’s understandable; for a production release, it would need a clear, privacy-conscious rollout. Microsoft must also demonstrate robust false-positive handling and a transparent appeals process for sites that are mistakenly blocked.

The broader migration toward on-device AI and cloud-reputation hybrids is here to stay. Browsers will increasingly detect scams, deceptive designs, and even AI-generated phishing pages locally, then optionally share signatures with central services. This model offers tremendous security upside but demands rigorous safeguards around data minimization, consent, and user control. For now, Edge’s Scareware Blocker upgrade is a well-engineered step forward—but its ultimate success will hinge on how Microsoft manages the inevitable tension between protection and privacy.