5

I have a .NET application written in C# using Visual Studio 2012. I'm promoting the application through my own website and have it available for download. When downloading it in Chrome I get a message stating that my application is "not commonly downloaded and could be dangerous". Additionally, when I download my own application and execute it Avast sees it as suspicious and wants to run it in the sandbox.

Is there anyway I can prevent this from happening (without purchasing a certificate for signing)? I don't want potential users to run into this issue.

Edit: I am not doing anything malicious or using any hooks in my application. The application is just a small simple tool as you can see here.

Aaron
  • 10,386
  • 13
  • 37
  • 53
  • Look at it from Chrome's point of view : how/why should it trust your app? And Avast only knows 'downloaded from Internet'. Buy a certificate. – H H Sep 19 '12 at 19:35

2 Answers2

4

Either you code-sign the App or you wait until a few thousands of people download your App, install it, not report it as garbage and then you get good-will grant from providers.

Erre Efe
  • 15,387
  • 10
  • 45
  • 77
  • So there's no immediate way around this other than buying a certificate? – Aaron Sep 19 '12 at 19:37
  • 4
    No. There isn't and that's great! Imagine your browser trusting trash for every Little script kiddie... so sad if that was the case! – Erre Efe Sep 19 '12 at 19:38
  • While it doesn't prevent the need to purchase a certificate entirely, I've found a suitable workaround that only requires the purchase of a single certificate; you only have to pay for your reputation/identity verification one time, with no need to renew. As it does require an initial purchased certificate and a considerable amount of setup work, it's outside the scope of all the script kiddies. My [SmartScreen Filter workaround](http://stackoverflow.com/questions/15538925/how-can-i-work-around-smartscreen-filter-without-spending-a-boatload-of-money) might be useful for you. – Shannon Cook May 30 '13 at 15:31
  • 1
    Buying a certificate doesn't help. I've just signed our installer with a certificate and users still get the warning. – NickG Jan 14 '16 at 16:02
1

Even if your application is signed with a certificate issued by one of the CA's participating in Microsoft's Trusted Root Certificate Authority program, it could still face some issues unless you use an EV Authenticode code signing certificate and/or continue to renew the same certificate in perpetuity. See "IE9 SmartScreen Warning, Despite Following All Recommendations" for an example. In short, you're paying for reputation as a software publisher.

Community
  • 1
  • 1
Shannon Cook
  • 737
  • 1
  • 7
  • 16