I've created a setup.exe file and loaded it onto my web site for downloading. The .exe file has been code signed with a certificate from godaddy. When downloading the .exe file from my website using win7 it detects the certificate and displays it to be a safe download. On win10 the .exe file downloads fine but when opening the .exe the smartscreen blocks it from opening. I have many users using win10 and don't want to explain to them to turn off smartscreen. What are my options to get this .exe past win10 smarscreen?
The Windows SmartScreen alert will go away after enough people download and run it. If your software is not that popular then the warning will never go away and there is not much you can do about it. You can try to get yourself whitelisted but I would not hold my breath while waiting for that. Microsoft does not document what enough downloads is.
SmartScreen checks files that you download from the web against a list of reported malicious software sites and programs known to be unsafe. If it finds a match, SmartScreen will warn you that the download has been blocked for your safety. SmartScreen also checks the files that you download against a list of files that are well known and downloaded by many people who use Internet Explorer. If the file that you're downloading isn't on that list, SmartScreen will warn you.
Signing will help you bypass smartscreen on updates you release in the future but it will not let you bypass the initial warning:
Downloads are assigned a reputation rating based on many criteria, such as download traffic, download history, past antivirus results and URL reputation. Reputation is generated and assigned to digital certificates as well as specific files.
According to this answer, passing and uploading the results from the Windows App Certification Kit tests will build reputation faster (requires a SysDev account).
See also:
SmartScreen® Application Reputation in IE9
SmartScreen® Application Reputation – Building Reputation
Introducing SmartScreen® Application Reputation
Related
We have Windows application (MSI install package), downloadable from our site. The problem is, that browsers and 3rd party antiviruses prevent some users from download an APP. Is there a way to make our MSI package more trustable for browsers and antivirus? Maybe it can be checked and uploaded in some other resource, and downloadable for users from here?
P.S. We use code signing certificate, and Windows store is not a variant for us now.
Reputable anti-virus vendors have a way you can send your installation packages to be "whitelisted". Browsers have their own heuristics and using an EV certificate (more expensive) is supposed to help. Edge also supposedly respects the Defender whitelist.
Ultimately, the more downloads you get, the better your URL's reputation, the better you pass the heuristics.
We've been building and releasing the same application for almost 20 years and AV false positives can still create problems. This is how we do it today:
After each release, we scan our new setup on https://www.virustotal.com/gui/home/upload and if we notice any AV vendors flagging it we reach out to each of them and submit a request for false positive removal. They all have some form or email address where you can contact them.
They usually process these requests in a few days, so no real big problem for our users and doesn't take a lot of time.
Now, with SmartScreen, there is another story. Even if our package was digitally signed for over a decade, 2 years ago when we renewed our certificate Windows flagged our installer for about 2-3 months.
This was an installer with hundreds of thousands if not millions of users in the last decade. In the end, its reputation system got back to normal and stopped flagging it but it was really annoying for our customers.
The solution to this is to buy an EV certificate (confirmed by some of our customers) and then you will get an instant reputation with SmartScreen. This Spring our normal certificate expires and we will go the EV route too.
You can read more about digital signing and EV certs in the following articles:
Why EV Code Signing? EV Code Signing vs. Regular Code Signing
How to avoid the "Windows Defender SmartScreen prevented an unrecognized app from starting" warning
Our organization recently obtained an EV code signing certificate. It did give us instant SmartScreen trust, but 2 things still happen:
A minor annoyance was Chrome that issued a warning file.exe is not commonly downloaded and may be dangerous to first few downloaders but it went away within a day without us doing anything.
A much greater problem is Windows Defender. Here is what it does:
When our users install the program, it flags and locks crucial components that are required. This happens to most users.
We scanned the program components locally before uploading them and found no issues. Our Virus & threat protection is up to date. We also do not trigger antivirus protection when we download the same file from the website and install it as a normal user would. Why does it act so inconsistent that it doesn’t flag files when we download it from internet on our internal PC’s but it happens to most external users?
So far, we have been collecting these generic threat names and file names from our users and submitting them to Microsoft for analysis: https://www.microsoft.com/en-us/wdsi/filesubmission
It is very admirable that MS analysts review those files within a day, but what is not good is that they seem to update their antivirus definitions only for the threat name that was detected and not mark whole file as harmless. This problem gets even more frustrating because we update our installer often since program is in active development.
I am also worried that these updates with MS threat definitions are not properly disseminated to Windows users across the world fast enough. What happens if users do not update their definitions or have them turned off?
Is there anything that we are not doing yet, but could do to reduce issues with these false positives?
EV code signing certificate was issued by DigiCert and it was very expensive. Will these issues go away after MS scans signed files several times and increases trust score of our certificate? By that I mean, will it reduce the false positives on future builds that were not yet submitted for analysis?
I have made free software and converted it into an NSIS installer. But the issue is that when users download the setup.exe first they get chrome warning not commonly downloaded and it is dangerous file with a keep button hidden under an arrow button.
Even if they choose to keep the file, when opening the installer, the windows SmartScreen shows up warning the users again.
Is there a way can I get past these two for free? I mean I don't charge my users anything.
I only know a way to bypass the download warning. However it is not the prettiest solution, but I am currently using this while researching other possibilities.
My way to bypass the SmartScreen download filter is to bundle your setup.exe into a .zip for instance and then download the zip file instead and then the users can run the setup.exe from within. After some testing and feedback, most of our users don't notice this small extra step.
When they run the setup, you need to have signed the installer using a valid certificate for the Windows warning to go away. Here I have not found any clever ways to avoid this. So you need to pay some certificate authority to create a valid certificate for your software.
Hope this answers your question.
I am new to python. I managed to write my code for logging versions and generated executable using cx_freeze. It is working fine in my machine, but when I take it to other machines, I'm getting Windows smart screen error.
Any idea how to get rid of this?
Quick help required.
Thanks in advance.enter image description here
That is how SmartScreen works, it blocks "unpopular" executables. Depending on the system configuration the user might be able to click on "More Info" and run it anyway.
If enough people download and run your .exe then the SmartScreen block will go away. Microsoft does not specify how many downloads are required in their FAQ:
When you download a program from the Internet, SmartScreen Filter will check the program against a list of programs that are downloaded by a significant number of other Internet Explorer users and a list of programs that are known to be unsafe. If the program you're downloading isn't on either list, SmartScreen Filter will display a warning that the file isn't "commonly downloaded."
SmartScreen checks files that you download from the web against a list of reported malicious software sites and programs known to be unsafe. If it finds a match, SmartScreen will warn you that the download has been blocked for your safety. SmartScreen also checks the files that you download against a list of files that are well known and downloaded by many people who use Internet Explorer. If the file that you're downloading isn't on that list, SmartScreen will warn you.
Microsoft SmartScreen & Extended Validation (EV) Code Signing Certificates:
Code signing is important
to our reputation intelligence because this higher level identity allows us to build
reputation across multiple programs signed by a publisher. It is also important
for publishers because signed programs inherit the reputation of the certificate
with which they are signed; this means every program a publisher distributes doesn’t
need to build reputation individually.
...
Programs signed by an EV code signing certificate can immediately establish reputation
with SmartScreen reputation services even if no prior reputation exists for that
file or publisher.
Removing the "Mark of the Web" by unblocking it in the files properties should also prevent the SmartScreen message.
I understand the code signing.
But when I try to download some application, it doesn't even have code signing.
And it can still open without the Windows Defender blue screen.
Example: http://www.eainstall.com/download
How do I do that?
The Windows SmartScreen alert will go away after enough people download it.
If your software is not that popular then the warning will never go away and there is not much you can do about it.
SmartScreen checks files that you download from the web against a list of reported malicious software sites and programs known to be unsafe. If it finds a match, SmartScreen will warn you that the download has been blocked for your safety. SmartScreen also checks the files that you download against a list of files that are well known and downloaded by many people who use Internet Explorer. If the file that you're downloading isn't on that list, SmartScreen will warn you.
Microsoft SmartScreen & Extended Validation (EV) Code Signing Certificates:
Code signing is important
to our reputation intelligence because this higher level identity allows us to build
reputation across multiple programs signed by a publisher. It is also important
for publishers because signed programs inherit the reputation of the certificate
with which they are signed; this means every program a publisher distributes doesn’t
need to build reputation individually.
...
Programs signed by an EV code signing certificate can immediately establish reputation
with SmartScreen reputation services even if no prior reputation exists for that
file or publisher.