Is there a way to SmartScreen-whitelist a .exe by Microsoft? (without an EV certificate)
Microsoft SmartScreen, well-known for its message:

Windows Defender SmartScreen prevented an unrecognized app from starting

is useful for end users to avoid malware, but it can also harm indie developers: when they distribute binaries, the end users see frightening messages, and that is a problem for the developer's reputation (see someone's comment: "My customers often think that I am purveying a virus, malware or something illegitimate and they tell their friends and I lose sales"):
Smart-Screen filter still complains, despite I signed the executable, why?

Even with a paid certificate, if software-release1.0.1.exe is finally whitelisted, the messages will come back when you release the software-release1.0.2.exe update:
Transferring Microsoft SmartScreen reputation to renewed certificate

The only solution seems to be Extended Validation ("EV") code signing, which can cost $300-500 per year (this fixed fee weighs proportionally more heavily on small indie developers).


Question: is there a way to get a .exe whitelisted immediately (or a few days) for all users - and not only on my own computer - by submitting it to Microsoft for analysis?

I have seen this link: https://www.microsoft.com/en-us/wdsi/filesubmission. Has anyone been able to use it successfully to avoid further SmartScreen alerts? (It seems not.)

Are there other methods? Such as automatically deploying 100 VMs via a script and letting each VM download and install the .exe automatically? But this would probably all come from the same IP, so Microsoft would probably increase the reputation counter by +1 instead of +100?


Anthropophagy answered 8/9, 2020 at 9:34
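Before chasing reputation, it is worth checking what SmartScreen actually sees on the binary. The following PowerShell script is an added example, not code from the question or the answer below: it reports the Authenticode status of a release .exe, whether the signing certificate carries the Code Signing EKU and the CA/Browser Forum EV code-signing policy OID (2.23.140.1.3, which is how an EV certificate is distinguishable from a standard OV one), whether the signature is timestamped, and whether the file carries the Mark of the Web (the Zone.Identifier alternate data stream with ZoneId=3) that SmartScreen's app-reputation check keys on. The file path is an assumption; substitute your own build output. A copy sitting in your own build directory has no Mark of the Web, which is why the warning often cannot be reproduced on the developer's machine but appears for every end user who downloads the file.

```powershell
# Added example (not from the original post): inspect a release binary the way
# a SmartScreen troubleshooting session starts. Path below is an assumption.
param([string]$Path = 'C:\release\software-release1.0.2.exe')

$EvCodeSigningPolicyOid = '2.23.140.1.3'      # CA/B Forum EV code signing policy identifier
$CodeSigningEku         = '1.3.6.1.5.5.7.3.3' # id-kp-codeSigning
$CertificatePoliciesOid = '2.5.29.32'         # X.509 Certificate Policies extension

if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }

$sig = Get-AuthenticodeSignature -FilePath $Path
Write-Host "Signature status : $($sig.Status) ($($sig.StatusMessage))"

if ($sig.Status -eq 'NotSigned') {
    Write-Host 'Unsigned: SmartScreen will report this as an unrecognized app.'
    return
}

$cert = $sig.SignerCertificate
Write-Host "Signer           : $($cert.Subject)"
Write-Host "Issuer           : $($cert.Issuer)"
Write-Host "Validity         : $($cert.NotBefore) -> $($cert.NotAfter)"
Write-Host "Thumbprint       : $($cert.Thumbprint)"

# The certificate must be usable for code signing at all; otherwise Status is NotTrusted/UnknownError.
$hasCodeSigningEku = $cert.EnhancedKeyUsageList.ObjectId -contains $CodeSigningEku
Write-Host "Code Signing EKU : $hasCodeSigningEku"

# EV certificates advertise the EV policy OID inside the Certificate Policies extension.
# Format($true) renders the extension as text, so a substring match on the OID is enough.
$policyExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq $CertificatePoliciesOid }
$isEv = $false
if ($policyExt) {
    $isEv = ($policyExt.Format($true) -match [regex]::Escape($EvCodeSigningPolicyOid))
}
Write-Host "EV policy OID    : $isEv"

# Without a timestamp countersignature the signature stops validating once the certificate expires,
# which also means the reputation tied to it does not help the still-downloadable old release.
if ($sig.TimeStamperCertificate) {
    Write-Host "Timestamped by   : $($sig.TimeStamperCertificate.Subject)"
} else {
    Write-Host 'Timestamp        : none (signature will not outlive the certificate)'
}

# SmartScreen's app reputation check is applied to files carrying the Mark of the Web.
# A build output that never left the machine has no Zone.Identifier stream.
$motw = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
if ($motw) {
    $zone = ($motw | Where-Object { $_ -match '^ZoneId=' }) -join ' '
    Write-Host "Mark of the Web  : present ($zone)"
} else {
    Write-Host 'Mark of the Web  : absent (SmartScreen will not evaluate this copy; test with a downloaded copy)'
}
```

To reproduce what a customer sees, download the published installer through a browser onto a clean VM and run the script against that copy: Mark of the Web will then be present, and a `Valid` signature with `EV policy OID : False` is exactly the "signed but still warned" situation the linked questions describe.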
As you said in your question, the first solution for having trusted software is code signing with an EV certificate. But another tricky solution is increasing the reputation of your software.
As Microsoft says here: Reputation-based URL and app protection

If a URL, a file, an app, or a certificate has an established reputation, users won't see any warnings. If, however, there's no reputation, the item is marked as a higher risk and presents a warning to the user.

So in the last paragraph of your question, you mentioned creating many Docker containers or virtual machines to increase trust and reputation. I complete it with a solution to the same-IP-address problem for each VM or container.
The solution is using Tor as a proxy in all of your VMs or containers. With Tor you can create a proxy that is connected inside the Tor network and hide your real IP address in your virtual machines or containers. Tor is free to use, you can connect as many of your nodes to its network as you want, and you can change your IP address frequently. Also, it is better to have different versions of Windows in some of your VMs.
Remember that before this you must submit your software for malware analysis.

Fuse answered 10/9, 2020 at 18:35
Thank you for your answer. If Microsoft's analysis tools see only Tor addresses/IP endpoints for a .exe, it's not really certain they will want to increase its reputation. – Anthropophagy
"Remember that before this you must submit your software for malware analysis": the problem is that Microsoft doesn't communicate about what exactly it does. There is no explicit threshold for the required number of installs, and there is no mention of anything like a fixed rule "If malware analysis is OK, then don't show the SmartScreen message after 100 successful installs". So it's not really reproducible, it's purely random and/or luck, sadly. – Anthropophagy
This is a reputation-based system for security purposes, and they do not provide information about their algorithm on purpose. You cannot find any official information about that. I recommend doing it with a sample application for a test the first time. Then you can find out whether Microsoft checks for Tor IPs and how many successful installs can change the SmartScreen status of your application. – Fuse
Speaking as an end user, I sincerely hope that it isn't possible or feasible for someone to game the system like that. If it was possible, then it'd be relatively easy for creators of malware to obtain a positive reputation by doing something like this. – Rosenbaum
@EliezerBerlin You're ignoring the fact that you have to submit the app for analysis. So, trying to get around the system by deploying VMs for a file that you've sent for malware analysis isn't what a malicious user would waste their time on. – Incubus

© 2022 - 2024 — McMap. All rights reserved.