Why is Windows Smart Screen suddenly 'protecting' PC since purchased new certificate

Asked 16/2, 2017 at 13:23 Answered 26/2, 2017 at 13:16

So I had a certificate from Comodo and bought via KSoftware that I use to sign my software so it does not generate a warning when users download it, this has been working fine but the 2 year certificate expired last month. I purchased a new certificate last week and applied to a new version of my application but now when I download it warns me unknown publisher, and wierdly when I click on more info it shows my full address instead of just my company name JThink.

I have looked at my old and new certificate in browser and noticed I had Jthink ltd in old certificate and JThink in new one, would this cause an issue ?

Update

Comodo tell me there is a period of time before Microsoft start accepting new certificates and it would still be a problem even if the company information was identical because the certicate no is different.

Is this true, and what length of timescale are we talking about here ?

Marje answered 16/2, 2017 at 13:23 Comment(2)

Did you check with Windows App Certification Kit (WACK) as recommended in #12311703 ? – Psoriasis 19/2, 2017 at 16:38

@Psoriasis no thanks that sounds like a plan, albeit a right pain in the ass to have to attempt it – Marje 20/2, 2017 at 13:35

You need to just wait some time. Windows collects different data for your new certificate (total downloads count, etc.) and in some near future (depends on downloads rate) it will mark it as white listed (if it's all OK). And all your downloads signed using this new certificate will not be blocked anymore.

The same mechanism applies (as I think) on downloads without certificates at all. Windows collects the file reputation and after some critical amount of "good-experience" downloads it marks the file as OK. The same logic applies to certificates. Thus you do not need to wait anymore if your certificate has a "good reputation".

Cur answered 26/2, 2017 at 13:16 Comment(2)

My app is for a extremely narrow "market," a 65 at most, so I'm guessing it will never get whitelisted with a Standard certificate. Yet, "Market" is quoted because it's free to users, so EV is out of the question. What should I do? – Yazbak 29/3, 2017 at 15:20

Sorry, I do not know... I've not a popular software also (as my hobby). Its installer is not signed at all. It has about 400 downloads per month. I've updated it recently - on Feb 5, 2017. Just checked - Edge, Chrome, Firefox browsers gives me no warning when I download and run the installer. – Cur 30/3, 2017 at 5:30

You need to use Extended Validation Code signing certificate which provides more trusted security certificate for your Windows binary. Regular code signing certificates are not validated by Windows smart screen protection.

I had the similar issue when Windows 10 was released with Windows smart screen protection with more advanced security features.

https://www.digicert.com/code-signing/ev-code-signing.htm

Whidah answered 26/2, 2017 at 7:44 Comment(4)

Gurdev Really I cant afford those, will a standard certificate eventually work ? – Marje 26/2, 2017 at 13:21

Paul Taylor, yes, it will. :) – Cur 26/2, 2017 at 13:23

@AlexanderDyagilev windows smart screen protection works on the data collection based on the users who trust a software publisher. Standard certificate will work but unless Microsoft collects enough data from user selecting "Trusted". For quick confirmation of you as trusted publisher EV certificate would be required. Please check this link blogs.msdn.microsoft.com/ie/2012/08/14/… – Whidah 26/2, 2017 at 14:31

Yes, you're right. But, it would be better to say that not "trusted" but allowed to run. Thus more downloads - more runs - less time to white list. – Cur 26/2, 2017 at 14:45

Recommended topics

Hot tags