Old 1st July 2014, 23:43   #1
edouardo17
Junior Member
 
Join Date: Jun 2014
Posts: 8
Question Windows SmartScreen blocking executables

Hi guys,

I've seen that the same kind of question has already been asked on the forum, but I'd like to rephrase it for in the past discussion, the problem wasn't realy resolved...

The question is simple : How do we make Windows SmartScreen trust our executables?

I've seen in many threads that one solution was to be famous enough to be safe... If you're downloaded enough times, you become safe... But this doesn't really suits me

Two things are getting in my way: First when you download my executables, Internet Explorer or Google Chrome warns you with the following message:
code:
"... is not commonly downloaded and could harm your computer"


Then once you've allowed the file to be saved on your computer, double click on it and there it goes again :


I understand that when you download the file on the internet, it can be flagged as "threatening" because SmartScreen can base its judgment on the number of download, or any kind of shitty presumption of that sort.

HOWEVER, when you run the executable on your computer, my guess is that SmartScreen runs a quick check on the file and somehow finds out that it could do harm to the bloody computer... So my question is:

What is the physical difference between a "non-threatening" software and my executables?

I've looked into a potential whitelist that probably exists, but not on earth for sure...

The question was asked on the Microsoft Community Forum, and the unique irrelevant reply was from a Microsoft bloke. I figured out the guy didn't even read the topic subject for he only "suggested" a link to SmartScreen FAQ, which by the way, doesn't mention anything about my problem ever...

I thank you in advance for your help. Last time I requested help here was to write the scripts of my installers. Now that they're perfectly working, Windows decided to annoy me a bit more than I ever could have expected!

Cheers,

Edouard Fourmaux
edouardo17 is offline   Reply With Quote
Old 2nd July 2014, 07:30   #2
Afrow UK
Moderator
 
Afrow UK's Avatar
 
Join Date: Nov 2002
Location: Surrey, England
Posts: 8,434
You should digitally sign your installer. We have never had an issue with SmartScreen because we digitally sign.

Stu
Afrow UK is offline   Reply With Quote
Old 2nd July 2014, 09:14   #3
Theresias
Junior Member
 
Join Date: Jun 2006
Posts: 48
We've seen fresh digitally signed files to be blocked as well, usually it took a few hours/days depending on the download volume for the message to go away. In essence, sign your files and it goes away much faster.
Theresias is offline   Reply With Quote
Old 2nd July 2014, 09:46   #4
edouardo17
Junior Member
 
Join Date: Jun 2014
Posts: 8
Yeah... I figured that out when I saw people complaints about being blocked by SmartScreen after purchasing a very expensive Certificate...

So yeah, I'm definitely inclined to Digitally sign my .exe, but after spending a few hours on the net, jumping from Microsoft forum to NSIS DiscussionS, I couldn't figure out how to proceed...

The only interesting thing I found was this article :

This guy explains clearly what are the purposes of signing your code...
Though it remains unclear how to digitally sign my software in practice...
I figured I had to acquire a kind of Certificate from a Software Certificate Publisher, which in every cases costs a huge amount of money... But the small developer that I am can't afford such certificate. The budget is limited to the cost of a hosted domain at OVH...

I understood that buying a certificate also meant protecting your code, and my guess is that this is what costs money... However, I do NOT need a protection for I don't really care if anyone steals my code. My executables are no software. They're only extracting files, and they're freeware, and distributed to a small community of virtual aviation enthusiasts, therefore I don't need any protection.

So is there a way to just digitally sign my executables for free so that Windows SmartScreen trusts me?
edouardo17 is offline   Reply With Quote
Old 2nd July 2014, 12:04   #5
JasonFriday13
Major Dude
 
JasonFriday13's Avatar
 
Join Date: May 2005
Location: New Zealand
Posts: 859
Quote:
Originally Posted by edouardo17 View Post
So is there a way to just digitally sign my executables for free so that Windows SmartScreen trusts me?
If there was a free service then everyone would be using it, which would negate the security that Microsoft put up in the first place to protect the user.

I have a special "Program Files XP" folder for older software that has write permissions, so it's possible to use "RequestExecutionLevel User" for some situations where I don't need admin privileges. If it does need admin, then I generally run command prompt in admin mode and run the installer from there.

I don't use windows 8, so I don't get the SmartScreen prompt when I run my installers. I still get the UAC dialog like it's supposed to.

"Only a MouseHelmet will save you from a MouseTrap" -Jason Ross (Me)
NSIS 3 POSIX Ninja
Wiki Profile
JasonFriday13 is offline   Reply With Quote
Old 2nd July 2014, 19:32   #6
Anders
Moderator
 
Anders's Avatar
 
Join Date: Jun 2002
Location: ${NSISDIR}
Posts: 4,768
Quote:
Originally Posted by edouardo17 View Post
I understand that when you download the file on the internet, it can be flagged as "threatening" because SmartScreen can base its judgment on the number of download, or any kind of shitty presumption of that sort.

HOWEVER, when you run the executable on your computer, my guess is that SmartScreen runs a quick check on the file and somehow finds out that it could do harm to the bloody computer...
This is probably because of the Zone.Identifier ADS, if you download a file in most browsers or even extract a .zip you got from the internet with explorer the file is tagged as "from the internet" and smartscreen will check it. In the file properties dialog there should be a unblock button.

Quote:
Originally Posted by edouardo17 View Post
What is the physical difference between a "non-threatening" software and my executables?
None, it should really be called SheepScreen, it just means enough people thought it was safe to execute.

IntOp $PostCount $PostCount + 1
Anders is offline   Reply With Quote
Old 19th August 2014, 15:32   #7
AintBigAintCleve
Junior Member
 
Join Date: Aug 2014
Posts: 1
I hit the same issue with BGinfo. See my comment on this MS Community page showing how to copy a file with no ADS crap in a Group Policy Object: http://answers.microsoft.com/en-us/i...8-988860bac4fa

Basically you create a new file locally and move the downloaded/network copied file over the top of it. A ridiculous fudge that shouldn't be necessary, but it works.
AintBigAintCleve is offline   Reply With Quote
Reply
Go Back   Winamp & SHOUTcast Forums > Developer Center > NSIS Discussion

Tags
blocking, smartscreen, whitelist, windows

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump