My published application is a virus? - visual-studio-2010

I have recently created a small VB application for a friend of mine. I am using the publish feature included within Visual Studio (it's the easiest way of updating it and having the updated version downloaded automatically), but when I download it, it downloads "setup.exe".
Chrome and AVs seem to think this is a virus. Why is this? I have made it a full trust application and signed it with a certificate and a key, but it still thinks it's a virus. Any ideas?

Answer 1: Copied and pasted from http://productforums.google.com/forum/#!topic/chrome/r-9JQIboUmc
I was able to get around it without a code signing certificate, just by using SSL (which uses a less expensive certificate, and I already had one to secure access to my website), but as your experience shows it seems SSL isn't the only way...
Based on my experience and what I've read of others here, my theory of how Chrome validates downloads is that it goes through a checklist like this:
Is the host site known and trusted? (i.e. large established sites are OK)
Can the identity of the host site be verified? (i.e. via SSL certificate)
Can the identity of the file's publisher be verified? (i.e. via code signing certificate)
Is the file known and trusted? (I had a file up for a while that was unsigned and accessed without SSL - Chrome was fine with it until I changed the binary after the security update... I'm assuming it takes some time to reach this status.)
If one of these criteria passes, the download is not flagged as malware, and if they all fail, it is.
Answer 2: Copied from http://blog.chromium.org/2012/01/all-about-safe-browsing.html
Malicious downloads are especially tricky to detect since they’re often posted on rapidly changing URLs and are even “re-packed” to fool anti-virus programs. Chrome helps counter this behavior by checking executable downloads against a list of known good files and publishers. If a file isn’t from a known source, Chrome sends the URL and IP of the host and other meta data, such as the file’s hash and binary size, to Google. The file is automatically classified using machine learning analysis and the reputation and trustworthiness of files previously seen from the same publisher and website. Google then sends the results back to Chrome, which warns you if you’re at risk.

Related

Is there a way to SmartScreen-whitelist a .exe by Microsoft? (without an EV certificate)

Microsoft SmartScreen, well-known for its message:
Windows Defender SmartScreen prevented an unrecognized app from starting
is useful for end users to avoid malware, but can also harm indie developers because, when they distribute binaries, the end users see frightening messages, and that is a problem for the developer's reputation (see someone's comment "My customers often think that I am purveying a virus, malware or something illegitimate and they tell their friends and I lose sales"):
Smart-Screen filter still complains, despite I signed the executable, why?
Even with a paid certificate, if software-release1.0.1.exe is finally whitelisted, when you release software-release1.0.2.exe update, the messages will come again:
Transferring Microsoft SmartScreen reputation to renewed certificate
The only solution seems to be Extended "EV code signing" which can be 300-500$ per year (this fixed fee makes the tax % higher for small indie developers).
Question: is there a way to get a .exe whitelisted immediately (or a few days) for all users - and not only on my own computer - by submitting it to Microsoft for analysis?
I have seen this link: https://www.microsoft.com/en-us/wdsi/filesubmission, has someone been able to use it successfully to avoid further SmartScreen alerts? (it seems that no).
Are there other methods? Such as automatically deploying 100 VMs via an automated script, and let each VM download and install the .exe automatically? But this would probably be from the same IP, then Microsoft will probably increase the reputation counter by +1 instead of +100?
As you said in your question, the first solution for having trusted software is code signing with an EV certificate. But another tricky solution is increasing the reputation of your software. As Microsoft said here:
Reputation-based URL and app protection
If a URL, a file, an app, or a certificate has an established reputation, users won't see any warnings. If, however, there's no reputation, the item is marked as a higher risk and presents a warning to the user.
So in the last paragraph of your question, you mentioned creating mass Docker containers or virtual machines for increasing trust and reputation. I complete it with a solution for the same IP address in each VM or container.
The solution is using Tor as a proxy in all of your VMs or containers.
By using Tor you can create a proxy which is connected inside the Tor network and hide your real IP address in your virtual machines or containers. Tor is free to use and you can connect as many of your nodes to its network as you want and change your IP address frequently. Also, it is better to have different versions of Windows in some of your VMs. Remember before that you must submit your software for malware analysis,

"This file contained a virus and was deleted" on an executable I built (and code-signed)

I have built a Windows executable (with MSVC++) requiring administrator privilege to run (it indexes files); I even code-signed it with a code-signing certificate I bought.
It works well on Win7, Win8, but on Windows 10, if I download the file from the browser, then I get this message from IE/Edge:
This file contained a virus and was deleted
and it's nearly impossible for a (non power-user) user to have access to the ZIP, extract it, and run the .exe. (It's very complicated to find the right quarantine place, and remove it from quarantine, etc.; and also it's non-ok for a commercial product)
It's clearly a false positive (I have no virus, and I checked it with many antivirus, and https://www.virustotal.com).
What solution is there? (I thought I had tried all I can do by even code-signing it with a certificate from a well-known CA)
The file was detected by Windows Defender as a file system indexer. All these files could be considered as a threat. You should report your file as safe to Microsoft.
First of all, I'd suggest you check if you've enabled "Real-Time Protection" and the other settings in the Windows Defender settings. Windows 10 is running almost every file through it before it gets executed (this feature is called SmartScreen and included in RealTime-Protection), so maybe that is what causes it.
If it happens even earlier, whilst downloading, then chances are that this is in your IE/Edge Settings. Unfortunately I am not aware where these settings are exactly (feel free to edit this answer if you know where they are), so I can't help you with that one.
If everything else fails, try switching to a different browser. I'm using Brave myself. It's a modified version of Chrome with a few additional features, but the choice is yours. Just make sure to disable the download protection in the settings as well. A quick browse through your privacy settings should usually allow you to change these settings.

Windows 10 SmartScreen with Code Signing .exe file

I've created a setup.exe file and loaded it onto my web site for downloading. The .exe file has been code signed with a certificate from GoDaddy. When downloading the .exe file from my website using Win7, it detects the certificate and displays it to be a safe download. On Win10 the .exe file downloads fine, but when opening the .exe, SmartScreen blocks it from opening. I have many users using Win10 and don't want to explain to them to turn off SmartScreen. What are my options to get this .exe past Win10 SmartScreen?
The Windows SmartScreen alert will go away after enough people download and run it. If your software is not that popular then the warning will never go away and there is not much you can do about it. You can try to get yourself whitelisted but I would not hold my breath while waiting for that. Microsoft does not document what enough downloads is.
SmartScreen checks files that you download from the web against a list of reported malicious software sites and programs known to be unsafe. If it finds a match, SmartScreen will warn you that the download has been blocked for your safety. SmartScreen also checks the files that you download against a list of files that are well known and downloaded by many people who use Internet Explorer. If the file that you're downloading isn't on that list, SmartScreen will warn you.
Signing will help you bypass SmartScreen on updates you release in the future but it will not let you bypass the initial warning:
Downloads are assigned a reputation rating based on many criteria, such as download traffic, download history, past antivirus results and URL reputation. Reputation is generated and assigned to digital certificates as well as specific files.
According to this answer, passing and uploading the results from the Windows App Certification Kit tests will build reputation faster (requires a SysDev account).
See also:
SmartScreen® Application Reputation in IE9
SmartScreen® Application Reputation – Building Reputation
Introducing SmartScreen® Application Reputation
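
The answer above says reputation is assigned to digital certificates as well as to specific files. As an added example (not part of the original posts), the following PowerShell reports both identities for each release build and checks that every build carries a valid signature from the same certificate. `Get-ReleaseSigningInfo` and `Test-SameSigner` are hypothetical helper names, and the file names in the usage comment are placeholders; `Get-AuthenticodeSignature` and `Get-FileHash` are built-in cmdlets.

```powershell
# Added example: report the two identities a release build has,
# its signing certificate and its file hash.
function Get-ReleaseSigningInfo {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$Path
    )
    process {
        foreach ($p in $Path) {
            $file = Get-Item -LiteralPath $p -ErrorAction Stop
            $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName
            $cert = $sig.SignerCertificate          # $null when the file is unsigned
            [pscustomobject]@{
                File        = $file.Name
                Status      = $sig.Status           # Valid, NotSigned, HashMismatch, NotTrusted, ...
                Signer      = if ($cert) { $cert.Subject }
                Thumbprint  = if ($cert) { $cert.Thumbprint }
                CertExpires = if ($cert) { $cert.NotAfter }
                # A countersigned timestamp keeps the signature verifiable
                # after the signing certificate itself has expired.
                Timestamped = $null -ne $sig.TimeStamperCertificate
                SHA256      = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
            }
        }
    }
}

# Returns $true only if every build is validly signed by one and the same certificate.
function Test-SameSigner {
    param([Parameter(Mandatory)][object[]]$Info)
    $bad = @($Info | Where-Object { $_.Status -ne 'Valid' })
    if ($bad.Count -gt 0) {
        Write-Warning ("Not validly signed: " + ($bad.File -join ', '))
        return $false
    }
    $thumbs = @($Info.Thumbprint | Sort-Object -Unique)
    if ($thumbs.Count -ne 1) {
        Write-Warning ("Builds are signed by different certificates: " + ($thumbs -join ', '))
        return $false
    }
    return $true
}

# Usage (placeholder file names):
#   $info = Get-ReleaseSigningInfo -Path .\setup-old.exe, .\setup-new.exe
#   $info | Format-List
#   Test-SameSigner -Info $info
```

The SHA256 value differs for every build while the thumbprint stays the same as long as the same certificate signs each release.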

How can I get a digital trust certificate for an Access executable file in Windows 10?

In previous posts, I mentioned that I split my Access database project (Access 2016) into a front-end (Access) and back-end (MS-SQL). It was recommended that I save my front-end as an executable file, which I did. However, since it has macros and VBA code, I always get a security warning.
I need a digital trust certificate, right? The problem is that, since I have Windows 10, I can't use the Office 2010/2013 tutorials about making a self-certificate for VBA. Can I buy one? I am confused, and would like to resolve this quickly because I intend to install the front-end exe file onto several computers at work.
Thank you very much for your time and help!

How to Suppress the keychain prompt when the app modified?

Hi, I'm using Mac 10.5.8. In my app I'm using my own keychain (created by me), but my actual question is: every time I modify my code in the app, a prompt appears saying that the present app is modified, do you want to allow or not. Can anyone tell me how to suppress this prompt (allow by default whenever I change the app)? I couldn't find the solution in the documentation.
The Keychain has a list of trusted applications, and this list includes a hash digest for the application. When the application changes, it becomes untrusted again. This also happens with "big" applications like Camino.
There are two special measures to reduce this: When a shared library gets updated, the system will keep track of this and accept the application even after the update. Also, when Software Update updates an app, it will fix the digests as well (which is why Apple's own apps can get away without re-confirmation).
Update: If you sign your code, Keychain will also accept updated applications (signed with the same certificate).
