How to get Windows' Smart Screen to trust my Installer?

I'm trying to deploy and distribute a C++ app on Windows.

I've managed to create an MSI installer with Visual Studio (with the Microsoft Visual Studio Installer Project extension). When I run it on my computer, everything is fine. But if I run it on someone else's computer, Windows Defender displays a SmartScreen warning:

image

We are still in beta, so we don't have a lot of money or any certificates, but we want to make the beta available without this warning to allow users to test the product and give us feedback (we want to set up a build-measure-learn method).

I've seen that I can use EV certificates to remove this warning (but they are too expensive, so it's not an option).

How can I remove this warning for every user who downloads my installer from my website (without any cost, if possible)?

Lalitta answered 19/12, 2019 at 11:49 Comment(5)
Have you checked SmartScreen FAQ? - Ontologism
You need to add a digital signature (certified) to your installer (.msi) file. Unfortunately, acquiring an appropriate certificate is not without cost. - Latt
SmartScreen is "trust-based" - you gain reputation (or lose it). I suppose you could try to upload the binary to virustotal.com to check, and also download it yourself a number of times from different computers to improve "trust". That data has to get reported to the SmartScreen database, how that is done I don't know. Maybe the CompatTelRunner.exe scheduled task submits such data? Usage analysis is based on submitted IE, Edge, Windows, Anti-Virus, download volume, download logs, download URL past history, etc... Get an EV certificate. - Bourgogne
@AdrianMole How is Pandora? - Bourgogne
@SteinÅsmul Trial Separation! I kept telling her not to but she insisted on opening that wee box. - Latt

You need an official code signing certificate or an EV code signing certificate, which will cost some money, and you sign your output (dll, msi, exe) with that certificate using signtool or build events. Then your setup is from a known publisher (you / your brand).

You can use a self-signed cert, but then you need to install the cert on every machine ... that use case is useful for "internal" usage. In your case, when you offer a download from your website, you need to inform the user that you used a self-signed cert, and you can offer the CA of your cert and ask the user to install it ... or you just mention that the cert is self-signed and share the fingerprints / MD5 hashes so your customers can verify the content on their own.

Titanism answered 20/2, 2020 at 17:5 Comment(0)
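
The self-signed route from the answer above, as an added PowerShell example that is not part of the original answer: the publisher side creates the certificate, signs the MSI and returns the values to publish, and the user side checks a download against them. The function names, subject name and file paths are hypothetical; it signs with `Set-AuthenticodeSignature` rather than signtool and uses SHA-256 for the file hash in place of the MD5 the answer mentions.

```powershell
# Added example, not the answerer's code. Names and paths are hypothetical.
function Publish-SelfSignedInstaller {
    param(
        [Parameter(Mandatory)] [string] $MsiPath,
        [string] $Subject = 'CN=Example Beta Publisher'   # hypothetical publisher name
    )
    # Create a self-signed code-signing certificate in the current user's store.
    $cert = New-SelfSignedCertificate -Type CodeSigningCert -Subject $Subject `
        -CertStoreLocation Cert:\CurrentUser\My -HashAlgorithm SHA256

    # Sign the installer. On a machine that does not trust the cert the returned
    # status is not 'Valid', but the signature is still embedded in the file.
    $sig = Set-AuthenticodeSignature -FilePath $MsiPath -Certificate $cert -HashAlgorithm SHA256
    if ($null -eq $sig.SignerCertificate) { throw "Signing failed: $($sig.StatusMessage)" }

    # Export the public certificate only (no private key) for users who choose to install it.
    Export-Certificate -Cert $cert -FilePath "$MsiPath.cer" | Out-Null

    # Values to publish next to the download link. Hash the file after signing.
    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Sha256     = (Get-FileHash -Path $MsiPath -Algorithm SHA256).Hash
    }
}

function Test-DownloadedInstaller {
    param(
        [Parameter(Mandatory)] [string] $MsiPath,
        [Parameter(Mandatory)] [string] $ExpectedThumbprint,
        [Parameter(Mandatory)] [string] $ExpectedSha256
    )
    $sig  = Get-AuthenticodeSignature -FilePath $MsiPath
    $hash = (Get-FileHash -Path $MsiPath -Algorithm SHA256).Hash

    # Published fingerprints are often shown with spaces or colons; strip them.
    $want = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    [pscustomobject]@{
        # The signer must be the exact certificate the publisher announced.
        SignerMatches   = [bool]($sig.SignerCertificate -and $sig.SignerCertificate.Thumbprint -eq $want)
        # The file must carry a signature and must not have changed since signing.
        SignatureIntact = $sig.Status -notin 'NotSigned', 'HashMismatch'
        HashMatches     = $hash -eq $ExpectedSha256.Trim()
        # 'Valid' only where the certificate has been installed as trusted.
        Trusted         = $sig.Status -eq 'Valid'
    }
}
```

The published thumbprint and hash only help if users obtain them over a channel they already trust, such as the HTTPS page that hosts the download.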
