Distributing Windows Application - browser and antivirus problems - installation

We have Windows application (MSI install package), downloadable from our site. The problem is, that browsers and 3rd party antiviruses prevent some users from download an APP. Is there a way to make our MSI package more trustable for browsers and antivirus? Maybe it can be checked and uploaded in some other resource, and downloadable for users from here?
P.S. We use code signing certificate, and Windows store is not a variant for us now.

Reputable anti-virus vendors have a way you can send your installation packages to be "whitelisted". Browsers have their own heuristics and using an EV certificate (more expensive) is supposed to help. Edge also supposedly respects the Defender whitelist.
Ultimately, the more downloads you get, the better your URL's reputation, the better you pass the heuristics.

We've been building and releasing the same application for almost 20 years and AV false positives can still create problems. This is how we do it today:
After each release, we scan our new setup on https://www.virustotal.com/gui/home/upload and if we notice any AV vendors flagging it we reach out to each of them and submit a request for false positive removal. They all have some form or email address where you can contact them.
They usually process these requests in a few days, so no real big problem for our users and doesn't take a lot of time.
Now, with SmartScreen, there is another story. Even if our package was digitally signed for over a decade, 2 years ago when we renewed our certificate Windows flagged our installer for about 2-3 months.
This was an installer with hundreds of thousands if not millions of users in the last decade. In the end, its reputation system got back to normal and stopped flagging it but it was really annoying for our customers.
The solution to this is to buy an EV certificate (confirmed by some of our customers) and then you will get an instant reputation with SmartScreen. This Spring our normal certificate expires and we will go the EV route too.
You can read more about digital signing and EV certs in the following articles:
Why EV Code Signing? EV Code Signing vs. Regular Code Signing
How to avoid the "Windows Defender SmartScreen prevented an unrecognized app from starting" warning

Related

Code signing EV certificate only helps with SmartScreen, does nothing for Windows Defender

Our organization recently obtained an EV code signing certificate. It did give us instant SmartScreen trust, but 2 things still happen:
A minor annoyance was Chrome that issued a warning file.exe is not commonly downloaded and may be dangerous to first few downloaders but it went away within a day without us doing anything.
A much greater problem is Windows Defender. Here is what it does:
When our users install the program, it flags and locks crucial components that are required. This happens to most users.
We scanned the program components locally before uploading them and found no issues. Our Virus & threat protection is up to date. We also do not trigger antivirus protection when we download the same file from the website and install it as a normal user would. Why does it act so inconsistent that it doesn’t flag files when we download it from internet on our internal PC’s but it happens to most external users?
So far, we have been collecting these generic threat names and file names from our users and submitting them to Microsoft for analysis: https://www.microsoft.com/en-us/wdsi/filesubmission
It is very admirable that MS analysts review those files within a day, but what is not good is that they seem to update their antivirus definitions only for the threat name that was detected and not mark whole file as harmless. This problem gets even more frustrating because we update our installer often since program is in active development.
I am also worried that these updates with MS threat definitions are not properly disseminated to Windows users across the world fast enough. What happens if users do not update their definitions or have them turned off?
Is there anything that we are not doing yet, but could do to reduce issues with these false positives?
EV code signing certificate was issued by DigiCert and it was very expensive. Will these issues go away after MS scans signed files several times and increases trust score of our certificate? By that I mean, will it reduce the false positives on future builds that were not yet submitted for analysis?

Is there a way to SmartScreen-whitelist a .exe by Microsoft? (without an EV certificate)

Microsoft SmartScreen, well-known for its message:
Windows Defender SmartScreen prevented an unrecognized app from starting
is useful for end users to avoid malware, but can also harm indie developers because when they distribute binaries: the end users see frightening messages, and that is a problem for the developer's reputation (see someone's comment "My customers often think that I am purveying a virus, malware or something illegitimate and they tell their friends and I lose sales"):
Smart-Screen filter still complains, despite I signed the executable, why?
Even with a paid certificate, if software-release1.0.1.exe is finally whitelisted, when you release software-release1.0.2.exe update, the messages will come again:
Transferring Microsoft SmartScreen reputation to renewed certificate
The only solution seems to be Extended "EV code signing" which can be 300-500$ per year (this fixed fee makes the tax % higher for small indie developers).
Question: is there a way to get a .exe whitelisted immediately (or a few days) for all users - and not only on my own computer - by submitting it to Microsoft for analysis?
I have seen this link: https://www.microsoft.com/en-us/wdsi/filesubmission, has someone been able to use it successfully to avoid further SmartScreen alerts? (it seems that no).
Are there other methods? Such as automatically deploying 100 VMs via an automated script, and let each VM download and install the .exe automatically? But this would probably be from the same IP, then Microsoft will probably increase the reputation counter by +1 instead of +100?
As you said in your question, the first solution for having trusted software is code signing with EV certificate But, another tricky solution is increasing reputation of your software. As Microsoft said here :
Reputation-based URL and app protection
If a URL, a file, an app, or a certificate has an established
reputation, users won't see any warnings. If, however, there's no
reputation, the item is marked as a higher risk and presents a warning
to the user.
So in the last paragraph of your question, you mentioned about creating mass docker containers or virtual machines for increasing trust and reputation. I complete it with a solution for same IP address in each VM or container.
The solution is using TOR as a proxy in all of your VM's or containers.
With using tor you can create proxy which is connected inside TOR network and hide your real IP address in your virtual machines or containers. Tor is free for use and you can connect your nodes to it's network as many as you want and change your IP address frequently. Also it is better to have different version of windows in some of your VM's. Remember before that you must submit your software for malware analysis,

How to avoid the "Windows Defender SmartScreen prevented an unrecognized app from starting warning"

My company distributes an installer to customers via our website. Recently when I download via the website and try to run the installer I get the warning message:
Windows protected your PC
Windows Defender SmartScreen prevented an
unrecognized app from starting. Running this app might put your PC at
risk.
If I right-click on the installer and choose Properties I note the following:
Our installer is signed.
How do I find the reason for the Windows Defender SmartScreen warning?
I have not managed to find any log file for Windows Defender nor found anything in the Event Viewer.
TL;DR
This warning is shown if your app doesn't have enough reputation with Microsoft SmartScreen yet. In order to gain reputation, you can either
submit your app for malware analysis to Microsoft,
buy an "Extended Validation" code signing certificate,
buy a standard code signing certificate, or
just wait for a long time.
Read on for the details about these different options.
Option 1: Submit your app for malware analysis to Microsoft
Microsoft allows software developers to submit a file for malware analysis. According to Microsoft, this will help developers to "validate detection of their products". If the review was successful, the Microsoft SmartScreen warnings will go away faster, or sometimes even instantly (it worked instantly for one of my own apps). You need to have a Microsoft account to submit your app for review.
However, note that if you release an updated version of your app, then you'll also have to request a new review again. To overcome this problem, you'll either have to use an "Extended Validation" or a standard code signing certificate (see below).
Option 2: Buy an "Extended Validation" code signing certificate
A guaranteed way to immediately and permanently get rid of the Microsoft SmartScreen warnings is to buy an "Extended Validation" (EV) code signing certificate from one of the Microsoft-approved certificate authorities (CA's), and to sign your app with that EV certificate.
Such an EV certificate will cost you somewhere between 250 and 700 USD per year, and will only be issued to registered businesses. If you're a single developer, you must be a sole proprietor and have an active business license. You can read more about the formal requirements for EV code signing certificates in the EV Code Signing Certificate Guidelines.
An EV certificate will typically be shipped to you by physical delivery on a hardware token.
Option 3: Buy a standard code signing certificate
You can also buy a cheaper "standard" (i.e. non-EV) code signing certificate, and sign your app with that certificate. This will also permanently, but not instantly, make the Microsoft SmartScreen warnings disappear. Standard code signing certificates will cost you between 100 and 500 USD per year, and can also be issued to private developers without an active business license. Some CA's also offer discounts for open source projects.
No instant solution
The problem with standard code signing certificates is that they do not instantly silence Microsoft SmartScreen. Instead, some time will be needed for your certificate to build reputation before the warning will go away. However, once your certificate has built enough reputation, all applications signed with that certificate will be permanently trusted by Microsoft SmartScreen and won't trigger the warning anymore.
How long will it take?
So, how long will it take until the Microsoft SmartScreen warning will disappear when using a standard code signing certificate? Unfortunately, this is difficult to answer, since Microsoft itself refuses to publish any details about this. According to inofficial numbers reported by various sources (see below), it usually takes between 2 and 8 weeks until the warning will permanently go away. It seems that the exact duration also depends on the reputation of the website from which your app is downloaded.
The inofficial numbers are:
18 days and about 430 app installs. Source: one of my own certificates (Dec 2022)
42 days and about 1.400 app installs. Source: one of my own certificates (Feb 2021)
16 days and about 2.000 app installs. Source: one of my own certificates (May 2020)
One month and more than 10.000 downloads. Source: here (Jan 2020)
Between a few weeks and a month. Source: here (Dec 2019)
About 2-3 weeks. Source: here (Dec 2019)
About 3.000 downloads. Source: here (Dec 2013)
The problem of certificate rollover
Certificate rollover occurs when your old certificate expires and you begin signing your code with a renewed certificate.
It's a good idea to buy your standard code signing certificate with the longest possible validity period because when you renew your certificate, the reputation will unfortunately not automatically carry over to the renewed certificate (not even if it's signed against the same private key as the old certificate).
However, you can mitigate the rollover problem by getting your renewed code signing certificate before your old certificate expires, and then using both the old (but not yet expired!) and the renewed certificate to sign your code, resulting in two signatures. The signature from your old certificate will continue to bypass SmartScreen and, at the same time, the new signature will help the new certificate to build up trust. So, the idea is that your new certificate becomes trusted before your old certificate expires.
If your old certificate should already have expired, then you can (and should!) still add the signature from your renewed certificate to an already released version of your app, in order to gain reputation for the renewed certificate.
To correctly dual-sign your app, first sign your code with the old certificate, and then sign it again with the renewed certificate, using the /as command line option of Microsoft's SignTool to append an additional signature to the first one (instead of replacing it).
Option 4: Just wait for a long time
If you don't take any measures at all, the Microsoft SmartScreen warning will also go away eventually. This might however take a ridiculous amount of time (months) and / or downloads (tens of thousands). Another big problem is that each time you'll release an updated version of your app, the waiting period will start all over again. So, this probably isn't the solution you're looking for.
After clicking on Properties of any installer(.exe) which block your application to install (Windows Defender SmartScreen prevented an unrecognized app ) for that issue i found one solution
Right click on installer(.exe)
Select properties option.
Click on checkbox to check Unblock at the bottom of Properties.
This solution work for Heroku CLI (heroku-x64) installer(.exe)
If you have a standard code signing certificate, some time will be needed for your application to build trust. Microsoft affirms that an Extended Validation (EV) Code Signing Certificate allows us to skip this period of trust-building. According to Microsoft, extended validation certificates will enable the developer to immediately establish a reputation with SmartScreen. Otherwise, the users will see a warning like "Windows Defender SmartScreen prevented an unrecognized app from starting. Running this app might put your PC at risk.", with the two buttons: "Run anyway" and "Don't run".
Another Microsoft resource states the following (quote): "Although not required, programs signed by an EV code signing certificate can immediately establish a reputation with SmartScreen reputation services even if no prior reputation exists for that file or publisher. EV code signing certificates also have a unique identifier which makes it easier to maintain reputation across certificate renewals."
My experience is as follows. Since 2005, we have been using regular (non-EV) code signing certificates to sign .MSI, .EXE and .DLL files with timestamps, and there has never been a problem with SmartScreen until 2018, when there was just one case when it took 3 days for a beta version of our application to build trust since we have released it to beta testers. It was in the middle of the certificate validity period. I don't know what SmartScreen might not like in that specific version of our application, but there have been no SmartScreen complaints since then. Therefore, if your certificate is a non-EV, it is a signed application (such as an .MSI file) that will build trust over time, not a certificate. For example, a certificate can be issued a few months ago and used to sign many files, but for each signed file you publish, it may take a few days for SmartScreen to stop complaining about the file after publishing, as was in our case in 2018.
We didn't submit our software to Microsoft malware analysis. Microsoft started to provide this service in 2017. It may be a viable alternative to an Extended Validation (EV) certificate.
In conclusion, to avoid the warning altogether, i.e., prevent it from happening even suddenly, you need an Extended Validation (EV) code signing certificate, and/or, you can submit your software to Microsoft malware analysis.
UPDATE: Another writeup here:
How to add publisher in Installshield 2018
(might be better).
I am not too well informed about this issue, but please see if this answer to another question tells you anything useful (and let us know so I can evolve a better answer here): How to pass the Windows Defender SmartScreen Protection? That question relates to BitRock - a non-MSI installer technology, but the overall issue seems to be the same.
Extract from one of the links pointed to in my answer above: "...a certificate just isn't enough anymore to gain trust... SmartScreen is reputation based, not unlike the way StackOverflow works... SmartScreen trusts installers that don't cause problems. Windows machines send telemetry back to Redmond about installed programs and how much trouble they cause. If you get enough thumbs-up then SmartScreen stops blocking your installer automatically. This takes time and lots of installs to get sufficient thumbs. There is no way to find out how far along you got."
Honestly this is all news to me at this point, so do get back to us with any information you dig up yourself.
The actual dialog text you have marked above definitely relates to the Zone.Identifier alternate data stream with a value of 3 that is added to any file that is downloaded from the Internet (see linked answer above for more details).
I was not able to mark this question as a duplicate of the previous one, since it doesn't have an accepted answer. Let's leave both question open for now? (one question is for MSI, one is for non-MSI).

How to avoid Windows Defender SmartScreen from installer when user download?

I understand the code signing.
But when I try to download some application, it doesn't even have code signing.
And it can still open without the Windows Defender blue screen.
Example: http://www.eainstall.com/download
How do I do that?
The Windows SmartScreen alert will go away after enough people download it.
If your software is not that popular then the warning will never go away and there is not much you can do about it.
SmartScreen checks files that you download from the web against a list of reported malicious software sites and programs known to be unsafe. If it finds a match, SmartScreen will warn you that the download has been blocked for your safety. SmartScreen also checks the files that you download against a list of files that are well known and downloaded by many people who use Internet Explorer. If the file that you're downloading isn't on that list, SmartScreen will warn you.
Microsoft SmartScreen & Extended Validation (EV) Code Signing Certificates:
Code signing is important
to our reputation intelligence because this higher level identity allows us to build
reputation across multiple programs signed by a publisher. It is also important
for publishers because signed programs inherit the reputation of the certificate
with which they are signed; this means every program a publisher distributes doesn’t
need to build reputation individually.
...
Programs signed by an EV code signing certificate can immediately establish reputation
with SmartScreen reputation services even if no prior reputation exists for that
file or publisher.

IE9 SmartScreen Warning, Despite Following All Recommendations

We offer a Windows program downloadable as an InstallShield EXE from our website.
When someone running IE9 attempts to download and run our software, they see the following message at the bottom of their screen:
PROGRAMNAME.exe is not commonly downloaded and could harm your computer.
[DELETE] [ACTIONS] [VIEW DOWNLOADS]
I've read http://blogs.msdn.com/b/ie/archive/2011/03/22/smartscreen-174-application-reputation-building-reputation.aspx
It suggests:
Digitally sign your programs with an
Authenticode signature.
Ensure downloads are not detected as
malware.
Apply for a Windows Logo.
We've done all three things. Our EXE is digitally signed with an authenticode signature (and the bar above the warning message is orange, not red, indicating that IE9 recognized and verified the signature). Our download is not detected as malware by any antivirus program we've tried. And we have applied for and received a Windows Logo.
As yet, most of our customers are not using IE 9. But this is very troublesome to those who do. Is there anything else we can do about this, or do we just have to wait until a critical mass of customers have downloaded this software before this message will go away?
(Does that mean when we release a new version, all IE 9 users will get this message again until enough of them have downloaded it?)
UPDATE 2011-06-14:
Thanks, #EricLaw-MSFT. URL is http://dakim.dakiminc.netdna-cdn.com/DakimBrainFitness.exe . (It's found on the "Download Free Trial" button on http://www.dakim.com .)
We've only been offering downloadable trials for a short while. Our primary distribution method is installation DVDs.
Extended Validation Code Signing Certificates don't suffer from the need to build reputation slowly according to this post:
Reputation is generated and assigned to digital certificates as well as specific files. Digital
certificates allow data to be aggregated and assigned to a single certificate rather than many
individual programs. Although not required, programs signed by an EV code signing certificate can immediately establish reputation with SmartScreen reputation services even if no prior reputation exists for that file or publisher. EV code signing certificates also have a unique identifier
which makes it easier to maintain reputation across certificate renewals. Only Authenticode
Certificates issued by a CA that is a member of the Windows Root Certificate Program can establish
reputation.
At this time, Symantec and DigiCert are offering EV code signing certificates.
In an effort to improve my answer, I've added a link to a similar question I asked and eventually answered myself.

Resources