Getting around Chrome's Malicious File Warning

Asked 1/3, 2012 at 8:32 Answered 16/7, 2018 at 18:31

google-chrome download executable signing authenticode

I created an application which comprises a number of *.exe files. I've packaged these up into an NSIS installer which I hosted on my website. When I try to download it Chrome reports it as potentially malicious. At first I thought it could be the URL/site I was hosting on not being recognized so I signed up for Amazon S3 storage and moved the file there. Same problem. I then thought that packing the executables might cause this, so I tried without.
Same issue.
After some more reading I decided to try signing the executables as well as the installer package EXE.

I created a dev cert as follows:

makecert
pvk2pfx 
signtool"http://timestamp.verisign.com/scripts/timstamp.dll" *.exe

Still malicious... I check the exe's even after download and confirmed they have a digital signature tab, granted it's not a fully verified commercial certificate but I can't believe the only way around Chromes half-baked code analysis is to spend $200 a year to have a verisign etc. code signing cert issued?

Any ideas how I can change what I'm doing to avoid this nasty message?

Kovach answered 1/3, 2012 at 8:32 Comment(2)

I have the same issue. Jotti tells me there are no viruses found, so why is Google Chrome not happy? Chrome's learn more links goes to support.google.com/chrome/bin/… but it's typically unhelpful. Any ideas? – Jato 12/3, 2012 at 10:37

Yes, the answer is to sign up to Google Webmaster Tools, because for your website to be accepted by the public, it must first be accepted by Google, our glorious leader. All hail our glorious leader. – Grooms 2/1, 2019 at 21:48

103

I had exactly this problem with an exe file that is downloadable from my web site. Whenever I tried to download the file using Chrome it gave the warning.

The solution I found was to sign up to Google Webmaster Tools and add my site. It took several days for Google to crawl my site, and fill in any information, but I went back today and finally found loads of information there.

Now I can download my file, and there is no malicious warning any more.

It seems that once Google has checked out your site and determined that you are not a bad person, the problem goes away.

Lucrece answered 15/3, 2012 at 20:50 Comment(12)

Glad it worked for you too, thus verifying it wasn't a one-off. Your site must have got crawled a lot more quickly than mine, as I had to wait several days. Thanks for the bounty. – Lucrece 16/3, 2012 at 10:40

All I need now is for the OP to give me a green tick, and my mission in life will be complete :) – Lucrece 16/3, 2012 at 21:14

Second Confirmation. Thanks. Shame I can't do anything about your life mission :( – Trot 23/4, 2012 at 13:54

Doesnt work for me. Webmaster tools says Google didn't detect any malware, but it still blocks the download. The file itself is not indexed (why would it be tho - its an EXE not a html file). – Wivestad 10/9, 2013 at 6:40

Anything to do with AVG? (A recent update has been causing a lot of grief) – Lucrece 10/9, 2013 at 10:28

The important thing here is that the URL is indexed by Google (yes, even if it's an exe), and is not blocked in robots.txt, which was the case for me. When allowing the file in robots.txt and forcing Google to index the file solved the problem, the file now downloads without warnings. The file needs to be code signed. Having the site added to Webmaster Tools, and adding the file to a sitemap might be a requirement as well. – Paragraph 19/4, 2015 at 11:42

Not worked for me, my site is clean on Webmaster Tools and still Chrome blocks all my ZIP packages. – Dolomite 28/7, 2015 at 17:38

I added my site - still not working - but somehow with the same browser and JS code to make the zip, this person's site is working: stuk.github.io/jszip/documentation/examples/… – Mew 15/9, 2015 at 0:46

Any idea why it also calls multi-part rar files malicious, even if there's not a single executable file inside? – Mahmoud 23/11, 2015 at 12:19

The bad thing is this can't work for dynamically created files (data exports in zip, xml etc.) – Volcano 23/10, 2017 at 10:11

What do you do for internally hosted web applications that Google will never see and you never want Google to see? – Grooms 20/12, 2018 at 21:7

This just seems like Google's way of forcing people to use more of their software. – Grooms 20/12, 2018 at 21:26

Well, anonymous .exe are potential threats, Chrome is preventing users about this.

You are signing the exes, but I'm not quite sure your certificate is backed by a Certification Authority, like Verisign. They sell this services. But yet, I'm not sure signing will make any difference. Chrome reads the files' names inside the zip, but I don't think it decompress the entire file to read the sign.

I can tell you one or two workarounds, I'm pretty sure you know them:

Change the file extension, and ask the user to rename the files back to .exe
Password protect your zip, rar, or whatever, so Chrome won't be able to look inside, and supply the password to users: it's not a secret password

Trypanosome answered 13/3, 2012 at 11:2 Comment(0)

I also had the same issue, and tried the options described above as well,but no luck. I guess I was just too impatient to wait for Google to crawl my site.

I ended up registering with Softonic and CNET's Upload.com, and submitted my application for review and inclusion on their sites. After their approval, I added the link to my site, the file downloaded fine.

The only bad thing is that you need to download the Softonic downloader to install your application on softonic, but CNET offers a "direct download link" that allows you to download your original installer.

Jetblack answered 8/6, 2014 at 15:49 Comment(0)

I ran into this issue. The simplest work around: use another [insert browser name here]. eg. firefox.

Incus answered 27/5, 2015 at 16:16 Comment(3)

So you tell all the people who try to download your file that they should use a different browser? – Lucrece 15/9, 2015 at 8:46

No. I use another browser to download .exe's from other people. – Incus 15/9, 2015 at 15:40

This question comes up when ppl search for how to get around it when DOWNLOADING a file, this is the correct answer for them – Duquette 26/9, 2015 at 5:26

If you have a domain with a non-standard domain suffix such as .one, Chrome will complain. So will FireFox for that matter. I don't think this was the OP's problem but if you land here because you're searching madly trying to figure out why a commom file like a .zip file is giving you a warning in Chrome or FF when downloading, it could very well be that you need to use a common domain suffix such as .com

Frum answered 16/7, 2018 at 18:31 Comment(0)

I also had this issue. I am using a certificate generated from my own CA which is installed to the Trusted root certification authorities. At first signing wasn't enough, but then I added file version with my name on it and also an icon. Now Chrome is happy to download and run it.

Canoness answered 17/4, 2015 at 23:26 Comment(1)

Was it an instant or you had to wait some time untill Chrome realized the file is ok? – Jaret 4/2, 2016 at 11:14

Recommended topics

Hot tags