How to avoid the "Windows Defender SmartScreen prevented an unrecognized app from starting warning"

My company distributes an installer to customers via our website. Recently when I download via the website and try to run the installer I get the warning message:

Windows protected your PC

Windows Defender SmartScreen prevented an unrecognized app from starting. Running this app might put your PC at risk.

If I right-click on the installer and choose Properties I note the following:

[Screenshot of the installer's Properties dialog]

Our installer is signed.

How do I find the reason for the Windows Defender SmartScreen warning?

I have not managed to find any log file for Windows Defender nor found anything in the Event Viewer.

Harder answered 23/2, 2018 at 11:19. Comments (8):
It seems that the problem is that we are signing with a "Standard Code Signing Certificate". If we sign with an "Extended Validation (EV) Code Signing Certificate" we do not need to build trust by having our software installed by many users. Instead the certificate issuer undertakes a vetting process where they make sure we are a legit company. I suspect there has been a policy change with a recent Windows 10 upgrade. Anyway it would be really useful to be able to read logs from Windows Defender. Next time the problem might be something else, and it is a pain to find out what is wrong. (Harder)
What kind of money are we talking about for an EV Code Signing Certificate? Did you check? Without sounding too out there: who smells a racket? We are now "trust based" unless you dig deeper in your wallet? Strange with the overhead of "normal" certificates if they yield no trust? Do they hold water as "tampering proof" at least? Maybe see my comment below on VirusTotal. (Characterization)
$410 vs $289 per year. I think it is almost fair enough. Seems they do a little bit of extra work like contacting the company by phone, looking up the company in official registers etc. Yes, ordinary certificates guarantee that the installer has not been tampered with. (Harder)
Thanks for the information. Sounds like what they did 15+ years ago when getting a normal certificate? We had to provide quite a bit of information back then as well, but I guess things have de-evolved - the price seems like back then though. The more things change, the more they stay the same - only the name changes? What about a mandatory malware check before such an EV certificate can be used? I mean, if they are into "trust" and "reputation" beyond pure tamper proofing - that would be the better requirement over simply checking that the company exists? Don't you think? Signed malware - not great. (Characterization)
Adding a link to an older Q/A: How to pass the smart screen on Win8 when install a signed application?. (Characterization)
@Andy, was your original certificate issued by a CA in the Windows Root Certificate Program? Did the EV certificate help? (Skyros)
Also see https://mcmap.net/q/103518/-how-long-to-get-rid-of-smartscreen-warning-after-signing-code (Disoperation)
I had the same issue with heroku.exe... I ran the installer from the command prompt (in Administrator mode) just by typing the path where the installer is (e.g. C:\Downloads\heroku-x64.exe) and pressing Enter, and I was able to install it, which was previously being blocked... (Peggie)

If you have a standard code signing certificate, some time will be needed for your application to build trust. Microsoft affirms that an Extended Validation (EV) Code Signing Certificate allows us to skip this period of trust-building. According to Microsoft, extended validation certificates will enable the developer to immediately establish a reputation with SmartScreen. Otherwise, the users will see a warning like "Windows Defender SmartScreen prevented an unrecognized app from starting. Running this app might put your PC at risk.", with the two buttons: "Run anyway" and "Don't run".

Another Microsoft resource states the following (quote): "Although not required, programs signed by an EV code signing certificate can immediately establish a reputation with SmartScreen reputation services even if no prior reputation exists for that file or publisher. EV code signing certificates also have a unique identifier which makes it easier to maintain reputation across certificate renewals."

My experience is as follows. Since 2005, we have been using regular (non-EV) code signing certificates to sign .MSI, .EXE and .DLL files with timestamps, and there has never been a problem with SmartScreen until 2018, when there was just one case when it took 3 days for a beta version of our application to build trust since we have released it to beta testers. It was in the middle of the certificate validity period. I don't know what SmartScreen might not like in that specific version of our application, but there have been no SmartScreen complaints since then. Therefore, if your certificate is a non-EV, it is a signed application (such as an .MSI file) that will build trust over time, not a certificate. For example, a certificate can be issued a few months ago and used to sign many files, but for each signed file you publish, it may take a few days for SmartScreen to stop complaining about the file after publishing, as was in our case in 2018.

We didn't submit our software to Microsoft malware analysis. Microsoft started to provide this service in 2017. It may be a viable alternative to an Extended Validation (EV) certificate.

In conclusion, to avoid the warning altogether, i.e., prevent it from happening even suddenly, you need an Extended Validation (EV) code signing certificate, and/or, you can submit your software to Microsoft malware analysis.

Underlying answered 30/6, 2018 at 9:50. Comments (2):
Sharing a link to a similar answer on SmartScreen. "Buying trust"... Hmmm... (Characterization)
An EV Certificate is only available to someone with a registered company. If you are an Independent Software Vendor without a registered company, you cannot purchase an EV Certificate. (Granddaughter)

TL;DR

This warning is shown if your app doesn't have enough reputation with Microsoft SmartScreen yet. In order to gain reputation, you can either

  • submit your app for malware analysis to Microsoft,
  • buy an "Extended Validation" (EV) code signing certificate,
  • buy an "Organization Validation" (OV) code signing certificate, or
  • just wait for a long time.

Read on for the details about these different options.

Option 1: Submit your app for malware analysis to Microsoft

Microsoft allows software developers to submit a file for malware analysis. According to Microsoft, this will help developers to "validate detection of their products". If the review was successful, the Microsoft SmartScreen warnings will go away faster, or sometimes even instantly (it worked instantly for one of my own apps). You need to have a Microsoft account to submit your app for review.

However, note that if you release an updated version of your app, then you'll also have to request a new review again. To overcome this problem, you'll either have to use an "Extended Validation" or an "Organization Validation" code signing certificate (see below).

Option 2: Buy an "Extended Validation" (EV) code signing certificate

A guaranteed way to immediately and permanently get rid of the Microsoft SmartScreen warnings is to buy an "Extended Validation" (EV) code signing certificate from one of the Microsoft-approved certificate authorities (CA's), and to sign your app with that EV certificate.

Such an EV certificate will cost you somewhere between 250 and 700 USD per year (you better compare prices), and will only be issued to registered businesses. If you're a single developer, you must be a sole proprietor and have an active business license. You can read more about the formal requirements for EV code signing certificates in the EV Code Signing Certificate Guidelines.

An EV certificate must either be stored on a secure physical hardware token or on an HSM (Hardware Security Module). Your CA will handle this for you.

Option 3: Buy an "Organization Validation" (OV) code signing certificate

You can also buy a cheaper "Organization Validation" (OV) code signing certificate (also known as "standard" or "non-EV" certificates), and sign your app with that certificate. This will also permanently, but not instantly, make the Microsoft SmartScreen warnings disappear. An OV certificate will cost you between 100 and 500 USD per year (again, you better compare prices), and can also be issued to private developers without an active business license. Some CA's also offer discounts for open source projects.

Since June 2023, newly issued (or renewed) OV certificates must also be stored on either a secure physical hardware token or on an HSM (Hardware Security Module). Your CA will handle this for you. It's not possible anymore to store an OV certificate on your own computer.

No instant solution

The problem with OV code signing certificates is that they do not instantly silence Microsoft SmartScreen. Instead, some time will be needed for your certificate to build reputation before the warning will go away. However, once your certificate has built enough reputation, all applications signed with that certificate will be permanently trusted by Microsoft SmartScreen and won't trigger the warning anymore.

How long will it take?

So, how long will it take until the Microsoft SmartScreen warning will disappear when using an OV code signing certificate? Unfortunately, this is difficult to answer, since Microsoft itself refuses to publish any details about this. According to unofficial numbers reported by various sources (see below), it usually takes between 2 and 8 weeks until the warning will permanently go away. It seems that the exact duration also depends on the reputation of the website from which your app is downloaded.

The unofficial numbers are:

  • 18 days and about 430 app installs. Source: one of my own certificates (Dec 2022)
  • 42 days and about 1,400 app installs. Source: one of my own certificates (Feb 2021)
  • 16 days and about 2,000 app installs. Source: one of my own certificates (May 2020)
  • One month and more than 10,000 downloads. Source: here (Jan 2020)
  • Between a few weeks and a month. Source: here (Dec 2019)
  • About 2-3 weeks. Source: here (Dec 2019)
  • About 3,000 downloads. Source: here (Dec 2013)

The problem of certificate rollover

Certificate rollover occurs when your old certificate expires and you begin signing your code with a new certificate.

It's a good idea to buy your OV code signing certificate with the longest possible validity period because when you renew your certificate, the reputation will unfortunately not automatically carry over to the new certificate (not even if it's signed against the same private key as the old certificate).

However, you can mitigate the rollover problem by getting your new code signing certificate before your old certificate expires, and then using both the old (but not yet expired!) and the new certificate to sign your code, resulting in two signatures. The signature from your old certificate will continue to bypass SmartScreen and, at the same time, the new signature will help the new certificate to build up trust. So, the idea is that your new certificate becomes trusted before your old certificate expires.

If your old certificate should have already expired, then you can still add the signature from your new certificate to an already released version of your app, and then re-release that app version as a dual-signed app. As before, this will also help the new certificate to build up trust.

To correctly dual-sign your app, first sign your code with the old certificate, and then sign it again with the new certificate, using the /as command line option of Microsoft's SignTool to append an additional signature to the first one (instead of replacing it).

Option 4: Just wait for a long time

If you don't take any measures at all, the Microsoft SmartScreen warning will also go away eventually. This might however take a ridiculous amount of time (months) and / or downloads (tens of thousands). Another big problem is that each time you'll release an updated version of your app, the waiting period will start all over again. So, this probably isn't the solution you're looking for.

Disoperation answered 11/3, 2021 at 12:21. Comments (13):
Can confirm that option 1 got rid of the warning within 24h for. (Eliezer)
Overall a very good summary of the options, very useful indeed! However, submitting the app to the app store (option 4) will NOT do the trick. When 'reputation based protection settings' is turned on in the Windows Security console, 'app store apps check' is also turned on by default. So if you are the developer of the app, your app will still get the warning even if it is submitted to the app store and a user downloads it from the app store. The user will need to specifically turn off this check, which, as developers, we can't mandate. (Reger)
@Reger Thanks for pointing this out. You're right, SmartScreen is actually also enabled for Microsoft Store apps by default (in Windows 10, at least). I've updated my answer and have removed the Microsoft app store option. (Disoperation)
This turns into something like the old "Nobody will hire you w/o experience and you'll never get experience until somebody hires you" problem. The current message from SmartScreen is basically just "You don't want to do this and because you're too stupid to make your own choices, we won't even give you the option." So if it won't let anybody run the thing, how, exactly, is it supposed to build up trust? (Agglomerate)
@SteveRindsberg During the initial phase when your new code signing certificate isn't trusted yet, you can submit your app for malware analysis to Microsoft in order to avoid the Windows Defender warning. But still, make sure that you additionally always also code-sign your app, so that your certificate can build up trust. (Disoperation)
@Disoperation Thanks for the reply, but I've had a code signing certificate for over five years, and just renewed it in December 2021. I'd think that after even 6 months it'd no longer be considered "new". I code sign all of my MSIs and the code within them, but my client's still getting a Defender warning. Submitting the thing to MS every time there's a change (happens VERY often when the app's under development) is a non-starter. IMO, MS has just gone over the top with this. (Agglomerate)
Regarding SmartScreen exemption not carrying over to renewed certs: the trick is to go back and re-sign a previously released product already signed with an already exempted cert with your new/renewed cert (resulting in two signatures). The original signature will continue to bypass SmartScreen and the new signature will give the new cert the street credit it needs to become exempted. (Inexpedient)
@MahmoudAl-Qudsi Thank you very much for pointing this out. I've included your comment in the answer. (Disoperation)
Apparently the EV certs aren't as "immediate" as the Microsoft docs say. I bought 1 and went through all the validation for weeks. Did a new build, signed and submitted to Microsoft as a test and got this response: "The signing certificate (thumbprint : ***) is still in the process of establishing reputation." No indication of why or how it will establish reputation, but the "immediate" that their docs state is clearly not true. (Ritualize)
I can confirm that option 1 worked for me. The problem was solved within less than 24 hours. In particular, the answer from Microsoft was that the application signed with the certificate and the certificate itself need to establish reputation separately. In my case, the application established the reputation after 2-3 downloads. The certificate is still in the process of establishing the reputation, however, the warning no longer appears. (Janitor)
I waited for 7 years - it is still not valid. So, "Option 4" may not be a suitable solution. (Matson)
Great answer! Although a great idea, the /as signtool option for double signing you mention in Option 3 didn't work for my MSI file, throwing SignTool Error: Multiple signature support is not implemented for this filetype. (Cork)
@HummelingEngineeringBV First, please make sure you're using the latest SignTool version. Also, maybe dual-signing just doesn't work for msi files? I'm not sure. But I can say that dual-signing worked well for me when signing an exe file. (Disoperation)
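
The dual-signing procedure from Option 3 (old certificate first, then the new one appended with /as), written out as a PowerShell script. This is an added example, not code from the answer above or from Microsoft: it assumes signtool.exe from the Windows SDK is on PATH, that both certificates are reachable through the current user's certificate store (which is how a CA's hardware token normally exposes them), and the file path, thumbprints and timestamp URL are placeholders. The last step reads the Certificate Policies extension of the primary signer and reports whether it carries the CA/Browser Forum EV code signing policy OID 2.23.140.1.3, which is a quick way to confirm which kind of certificate you actually signed with.

```powershell
# Added example (not from the answer above): dual-sign an installer with an old,
# still-valid certificate and a newly issued one using SignTool, verify both
# signatures, and inspect the primary signer's certificate policies.
# Assumptions: signtool.exe (Windows SDK) is on PATH; both certificates are in
# the current user's certificate store; paths, thumbprints and the timestamp
# URL below are placeholders to replace with your own values.
param(
    [string]$File      = '.\MyInstaller.exe',          # placeholder path to your installer
    [string]$OldThumb  = 'OLD_CERT_THUMBPRINT',        # placeholder: SHA-1 thumbprint of the old cert
    [string]$NewThumb  = 'NEW_CERT_THUMBPRINT',        # placeholder: SHA-1 thumbprint of the new cert
    [string]$Timestamp = 'http://timestamp.example',   # placeholder: your CA's RFC 3161 timestamp server
    [string]$SignTool  = 'signtool.exe'
)

$ErrorActionPreference = 'Stop'

function Invoke-SignTool {
    param([string[]]$Arguments)
    & $SignTool @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "signtool $($Arguments[0]) failed with exit code $LASTEXITCODE"
    }
}

# 1. First signature with the old (trusted, not yet expired) certificate.
#    /fd and /td select SHA-256 digests; /tr requests an RFC 3161 timestamp so
#    the signature remains valid after the certificate itself expires.
Invoke-SignTool @('sign', '/sha1', $OldThumb, '/fd', 'SHA256', '/tr', $Timestamp, '/td', 'SHA256', $File)

# 2. Second signature with the new certificate. /as appends a signature instead
#    of replacing the existing one, which is what makes the file dual-signed.
Invoke-SignTool @('sign', '/as', '/sha1', $NewThumb, '/fd', 'SHA256', '/tr', $Timestamp, '/td', 'SHA256', $File)

# 3. Verify every signature against the default Authenticode policy (/pa).
#    Without /all, only the primary signature is checked.
Invoke-SignTool @('verify', '/pa', '/all', '/v', $File)

# 4. Inspect the primary signer. Get-AuthenticodeSignature reports only the
#    first signature, so it shows the old certificate here. The Certificate
#    Policies extension (OID 2.5.29.32) carries the CA/Browser Forum policy OID;
#    2.23.140.1.3 identifies an EV code signing certificate.
$sig  = Get-AuthenticodeSignature -FilePath $File
$cert = $sig.SignerCertificate
$policyText = ($cert.Extensions |
               Where-Object { $_.Oid.Value -eq '2.5.29.32' } |
               ForEach-Object { $_.Format($false) }) -join ' '
[pscustomobject]@{
    Status     = $sig.Status
    Subject    = $cert.Subject
    NotAfter   = $cert.NotAfter
    Thumbprint = $cert.Thumbprint
    IsEV       = [bool]($policyText -match '2\.23\.140\.1\.3')
}
```

Run it once per release artifact after the build has produced the final binary. Step 2 is the one that fails with "Multiple signature support is not implemented for this filetype" on .msi packages, as a comment above reports; for MSI you can only carry a single signature, so the rollover trick applies to .exe and .dll files.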

After clicking on Properties of any installer (.exe) which blocks your application from installing (Windows Defender SmartScreen prevented an unrecognized app), for that issue I found one solution:

  1. Right click on installer(.exe)
  2. Select properties option.
  3. Click on checkbox to check Unblock at the bottom of Properties.

This solution works for the Heroku CLI (heroku-x64) installer (.exe).

Ranita answered 8/12, 2018 at 18:40. Comments (4):
This doesn't solve it for other people downloading it! (Tubb)
Maybe you are doing something wrong or maybe your (.exe) is corrupted. @Tubb (Ranita)
This is the better solution. Windows Defender was blocking the Kaspersky AVZ anti-viral toolkit :-O (Dripstone)
You saved me. This works. Anyway I am installing SAM from AWS which is supposed to be secured. (Eryneryngo)

UPDATE: Another writeup here: How to add publisher in Installshield 2018 (might be better).

I am not too well informed about this issue, but please see if this answer to another question tells you anything useful (and let us know so I can evolve a better answer here): How to pass the Windows Defender SmartScreen Protection? That question relates to BitRock - a non-MSI installer technology, but the overall issue seems to be the same.

Extract from one of the links pointed to in my answer above: "...a certificate just isn't enough anymore to gain trust... SmartScreen is reputation based, not unlike the way StackOverflow works... SmartScreen trusts installers that don't cause problems. Windows machines send telemetry back to Redmond about installed programs and how much trouble they cause. If you get enough thumbs-up then SmartScreen stops blocking your installer automatically. This takes time and lots of installs to get sufficient thumbs. There is no way to find out how far along you got."

Honestly this is all news to me at this point, so do get back to us with any information you dig up yourself.

The actual dialog text you have marked above definitely relates to the Zone.Identifier alternate data stream with a value of 3 that is added to any file that is downloaded from the Internet (see linked answer above for more details).

I was not able to mark this question as a duplicate of the previous one, since it doesn't have an accepted answer. Let's leave both questions open for now? (One question is for MSI, one is for non-MSI.)

Mycenaean answered 23/2, 2018 at 12:31. Comments (3):
It's all a scam IMO. I've helped a few customers work through this. The real PITA is that the process requires a FIPS 140-2 Level 2 token which makes automating builds a real challenge. (Lacefield)
Maybe just running the setup through virustotal.com and then waiting a couple of days could affect the trust? Who knows? In essence it is just an "unknown binary" before it is identified by security software. Doubt it would help much, but worth a try. (Characterization)
Maybe the telemetry from Windows Defender is what is actually being used? As such, maybe run Defender on several PCs that also chat back to Microsoft as well? I don't know much about this, just that "something" is being sent back to the death star :-). I would run Defender on my MSI and also its administrative image (will be without a digital certificate) and see what happens. Great if someone could illuminate what actually happens for such telemetry data. (Characterization)
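
The Zone.Identifier stream mentioned in this answer is also what the "Unblock" checkbox in the earlier Properties-dialog answer removes. The following PowerShell script is an added example, not code from either answer: it reads that alternate data stream from a downloaded file and decodes the ZoneId (3 = Internet is the value that makes SmartScreen evaluate the file on launch) plus the download and referrer URLs that current browsers also record there. The file path is a placeholder; the zone number-to-name mapping is the standard Windows URL security zone numbering.

```powershell
# Added example (not from the answers above): read the Zone.Identifier
# alternate data stream that Windows attaches to downloaded files. A ZoneId of 3
# (Internet) is what makes SmartScreen evaluate the file on launch; the
# "Unblock" checkbox in Properties deletes this stream. The path is a placeholder.
param([string]$File = '.\MyInstaller.exe')   # placeholder path to a downloaded file

# Standard Windows URL security zone numbering.
$zoneNames = @{
    0 = 'Local machine'
    1 = 'Local intranet'
    2 = 'Trusted sites'
    3 = 'Internet'
    4 = 'Restricted sites'
}

function Get-MarkOfTheWeb {
    param([string]$Path)
    # Get-Item -Stream enumerates alternate data streams; the stream is absent
    # on files that were never marked as downloaded.
    $stream = Get-Item -Path $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }
    # The stream is an INI-style [ZoneTransfer] section with Key=Value lines.
    $text = Get-Content -Path $Path -Stream 'Zone.Identifier' -Raw
    $fields = @{}
    foreach ($line in ($text -split "`r?`n")) {
        if ($line -match '^\s*([A-Za-z]+)\s*=\s*(.*)$') {
            $fields[$matches[1]] = $matches[2].Trim()
        }
    }
    return $fields
}

$motw = Get-MarkOfTheWeb -Path $File
if ($null -eq $motw) {
    "No Zone.Identifier stream on $File (not marked as downloaded)."
} else {
    $id = [int]$motw['ZoneId']
    "ZoneId=$id ($($zoneNames[$id]))"
    # Modern browsers also record where the file came from; the download host is
    # one of the inputs SmartScreen can use for its reputation lookup.
    foreach ($key in 'HostUrl', 'ReferrerUrl') {
        if ($motw.ContainsKey($key)) { "$key=$($motw[$key])" }
    }
}
```

Unblock-File is the cmdlet equivalent of the Properties checkbox: it deletes this stream for that one local copy only, which is why the comment on the checkbox answer points out that it does nothing for other people who download the same installer. The stream is also a useful thing to check when reproducing a customer report, since a copy obtained over a file share or extracted from an archive may not carry it at all and will never show the warning.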