Authenticode certificate to avoid virus flagging - code-signing

Will an authenticode certificate stop anti-virus software from flagging my application? I've done some research and am aware that it will come up as a verified company during install, but I'm really looking for it so that A/V will stop giving false positives on my application.

A certificate won't stop the majority of AV products from flagging your application. But... for SmartScreen it worked for us at least.
I guess the best approach is to ask the vendors to put it in their whitelist, for example:
Kaspersky: http://whitelist.kaspersky.com/trusted
Avast: https://www.avast.com/pt-br/faq.php?article=AVKB229
Symantec: https://submit.symantec.com/false_positive/

Related

Distributing Windows Application - browser and antivirus problems

We have a Windows application (MSI install package), downloadable from our site. The problem is that browsers and third-party antivirus products prevent some users from downloading the app. Is there a way to make our MSI package more trustworthy for browsers and antivirus? Maybe it can be checked and uploaded to some other resource, and downloadable for users from there?
P.S. We use a code signing certificate, and the Windows Store is not an option for us now.
Reputable anti-virus vendors have a way you can send your installation packages to be "whitelisted". Browsers have their own heuristics and using an EV certificate (more expensive) is supposed to help. Edge also supposedly respects the Defender whitelist.
Ultimately, the more downloads you get, the better your URL's reputation, the better you pass the heuristics.
We've been building and releasing the same application for almost 20 years and AV false positives can still create problems. This is how we do it today:
After each release, we scan our new setup on https://www.virustotal.com/gui/home/upload and if we notice any AV vendors flagging it we reach out to each of them and submit a request for false positive removal. They all have some form or email address where you can contact them.
They usually process these requests in a few days, so no real big problem for our users and doesn't take a lot of time.
Now, with SmartScreen, there is another story. Even though our package had been digitally signed for over a decade, 2 years ago when we renewed our certificate Windows flagged our installer for about 2-3 months.
This was an installer with hundreds of thousands if not millions of users in the last decade. In the end, its reputation system got back to normal and stopped flagging it but it was really annoying for our customers.
The solution to this is to buy an EV certificate (confirmed by some of our customers) and then you will get an instant reputation with SmartScreen. This Spring our normal certificate expires and we will go the EV route too.
You can read more about digital signing and EV certs in the following articles:
Why EV Code Signing? EV Code Signing vs. Regular Code Signing
How to avoid the "Windows Defender SmartScreen prevented an unrecognized app from starting" warning
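Added example (not code from any of the posts above): a PowerShell pre-release check that verifies the Authenticode signature of a build, warns about a missing timestamp countersignature or an approaching certificate expiry (the renewal situation the post describes), reports whether the certificate carries the EV code-signing policy OID, and prints the SHA-256 to paste into the VirusTotal search and the vendor false-positive forms. The installer path, the 90-day warning threshold and the policy-OID lookup via the Certificate Policies extension are assumptions.

```powershell
# Added example, not code from any post on this page. Pre-release check for a
# signed installer; run on Windows PowerShell 5.1 or PowerShell 7 on Windows.
# Assumptions: $InstallerPath is your own build output; the EV code-signing
# policy OID 2.23.140.1.3 (CA/Browser Forum) is encoded in Certificate Policies
# and CryptoAPI's extension formatter prints it as a numeric OID.
param(
    [Parameter(Mandatory = $true)]
    [string]$InstallerPath
)

if (-not (Test-Path -LiteralPath $InstallerPath)) {
    throw "Installer not found: $InstallerPath"
}

# 1. The Authenticode signature must be intact and chain to a trusted root.
$sig = Get-AuthenticodeSignature -FilePath $InstallerPath
if ($sig.Status -ne 'Valid') {
    throw "Signature status '$($sig.Status)': $($sig.StatusMessage)"
}
$cert = $sig.SignerCertificate
Write-Host "Signer  : $($cert.Subject)"
Write-Host "Issuer  : $($cert.Issuer)"

# 2. Without a timestamp countersignature the signature stops validating
#    when the certificate expires, forcing a re-sign of old releases.
if ($null -eq $sig.TimeStamperCertificate) {
    Write-Warning "No timestamp countersignature on $InstallerPath"
}

# 3. Renewing a non-EV certificate resets SmartScreen reputation, so flag
#    an expiry that is close enough to need planning (90 days is an assumption).
$daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
if ($daysLeft -lt 90) {
    Write-Warning "Signing certificate expires in $daysLeft days ($($cert.NotAfter))"
}

# 4. Report whether the certificate carries the EV code-signing policy OID.
$policies = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.32' }
$isEV = ($null -ne $policies) -and ($policies.Format($true) -match '2\.23\.140\.1\.3')
Write-Host "EV code-signing policy present: $isEV"

# 5. SHA-256 of the exact artifact, for the VirusTotal search and the
#    vendor false-positive submission forms.
$sha256 = (Get-FileHash -LiteralPath $InstallerPath -Algorithm SHA256).Hash
Write-Host "SHA256  : $sha256"
```

Run it against each release artifact after signing and before upload; a non-terminating run with no warnings is the state you want before submitting the hash anywhere.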

Code signing EV certificate only helps with SmartScreen, does nothing for Windows Defender

Our organization recently obtained an EV code signing certificate. It did give us instant SmartScreen trust, but 2 things still happen:
A minor annoyance was Chrome, which issued the warning "file.exe is not commonly downloaded and may be dangerous" to the first few downloaders, but it went away within a day without us doing anything.
A much greater problem is Windows Defender. Here is what it does:
When our users install the program, it flags and locks crucial components that are required. This happens to most users.
We scanned the program components locally before uploading them and found no issues. Our Virus & threat protection is up to date. We also do not trigger antivirus protection when we download the same file from the website and install it as a normal user would. Why does it act so inconsistently that it doesn't flag files when we download them from the internet on our internal PCs, but it happens to most external users?
So far, we have been collecting these generic threat names and file names from our users and submitting them to Microsoft for analysis: https://www.microsoft.com/en-us/wdsi/filesubmission
It is very admirable that MS analysts review those files within a day, but what is not good is that they seem to update their antivirus definitions only for the threat name that was detected and not mark the whole file as harmless. This problem gets even more frustrating because we update our installer often, since the program is in active development.
I am also worried that these updates with MS threat definitions are not properly disseminated to Windows users across the world fast enough. What happens if users do not update their definitions or have them turned off?
Is there anything that we are not doing yet, but could do to reduce issues with these false positives?
The EV code signing certificate was issued by DigiCert and it was very expensive. Will these issues go away after MS scans signed files several times and increases the trust score of our certificate? By that I mean, will it reduce the false positives on future builds that were not yet submitted for analysis?

Is there a way to SmartScreen-whitelist a .exe by Microsoft? (without an EV certificate)

Microsoft SmartScreen, well-known for its message:
Windows Defender SmartScreen prevented an unrecognized app from starting
is useful for end users to avoid malware, but can also harm indie developers, because when they distribute binaries the end users see frightening messages, and that is a problem for the developer's reputation (see someone's comment "My customers often think that I am purveying a virus, malware or something illegitimate and they tell their friends and I lose sales"):
Smart-Screen filter still complains, despite I signed the executable, why?
Even with a paid certificate, if software-release1.0.1.exe is finally whitelisted, when you release software-release1.0.2.exe update, the messages will come again:
Transferring Microsoft SmartScreen reputation to renewed certificate
The only solution seems to be Extended Validation "EV code signing", which can be $300-500 per year (this fixed fee makes the tax % higher for small indie developers).
Question: is there a way to get a .exe whitelisted immediately (or a few days) for all users - and not only on my own computer - by submitting it to Microsoft for analysis?
I have seen this link: https://www.microsoft.com/en-us/wdsi/filesubmission. Has someone been able to use it successfully to avoid further SmartScreen alerts? (It seems not.)
Are there other methods? Such as automatically deploying 100 VMs via an automated script, and let each VM download and install the .exe automatically? But this would probably be from the same IP, then Microsoft will probably increase the reputation counter by +1 instead of +100?
As you said in your question, the first solution for having trusted software is code signing with an EV certificate. But another tricky solution is increasing the reputation of your software. As Microsoft said here:
Reputation-based URL and app protection
If a URL, a file, an app, or a certificate has an established reputation, users won't see any warnings. If, however, there's no reputation, the item is marked as a higher risk and presents a warning to the user.
So in the last paragraph of your question, you mentioned creating many docker containers or virtual machines for increasing trust and reputation. I'll complete it with a solution for the same-IP-address problem in each VM or container.
The solution is using TOR as a proxy in all of your VMs or containers.
Using Tor you can create a proxy that connects inside the TOR network and hides your real IP address in your virtual machines or containers. Tor is free to use and you can connect as many nodes to its network as you want and change your IP address frequently. Also it is better to have different versions of Windows in some of your VMs. Remember that before that you must submit your software for malware analysis,

How to avoid Windows Defender SmartScreen from installer when user download?

I understand the code signing.
But when I try to download some application, it doesn't even have code signing.
And it can still open without the Windows Defender blue screen.
Example: http://www.eainstall.com/download
How do I do that?
The Windows SmartScreen alert will go away after enough people download it.
If your software is not that popular then the warning will never go away and there is not much you can do about it.
SmartScreen checks files that you download from the web against a list of reported malicious software sites and programs known to be unsafe. If it finds a match, SmartScreen will warn you that the download has been blocked for your safety. SmartScreen also checks the files that you download against a list of files that are well known and downloaded by many people who use Internet Explorer. If the file that you're downloading isn't on that list, SmartScreen will warn you.
Microsoft SmartScreen & Extended Validation (EV) Code Signing Certificates:
Code signing is important to our reputation intelligence because this higher level identity allows us to build reputation across multiple programs signed by a publisher. It is also important for publishers because signed programs inherit the reputation of the certificate with which they are signed; this means every program a publisher distributes doesn't need to build reputation individually.
...
Programs signed by an EV code signing certificate can immediately establish reputation with SmartScreen reputation services even if no prior reputation exists for that file or publisher.

Installation of Crossrider extension fails on Windows due to Suspicious.Cloud.9

I'm not able to install the browser extension, which is based on the Crossrider API, on a computer with Windows OS. The antivirus software by Symantec warns of a trojan/virus named “Suspicious.Cloud.9” (see picture below).
I guess there is no possibility to change the generation of the Windows install wizard, except requesting a code signing certificate. Crossrider suggests three certification agencies and one of them is Symantec itself.
Has/Had anyone the same or a similar problem? Will code signing solve my problem?
Thanks in advance!
Niels
Yes... I know of this issue. Suspicious.Cloud.9 and Suspicious.Pythia, which you may also encounter, are NOT viruses or worms; they are merely a message that Symantec generates to simply say "we consider this software suspicious or suspect" and it MAY (MAY being the operative word) contain viruses. Now as to the reason why it considers it suspicious, the reasons are many; usually the software doesn't have a lot of downloads behind it and is therefore untrusted, stuff like that. You can add an exception in Norton for these things so that it does install. The other way to do it is to disable Norton during the install, and when it detects it later, allow the instance and Norton will automatically create an exception. Hope that helps
