
Microsoft's SmartScreen Filter under Windows 8 is a small developer's worst nightmare.

While I realize the benefits to end users and the effectiveness at stopping malicious programs from installing themselves on end users' computers, I and many other developers would rather not pay the fees for annual renewal of a Code Signing Certificate or, even worse, an EV Code Signing Certificate. Also, when products developed for use in-house are signed with a trusted certificate from an internal CA, stored in the Trusted Publishers store, they still fall prey to the filter's overzealous behavior.

Developers and Administrators used to be able to disable the warnings and prompts by installing a publisher's Code Signing Certificate in the Trusted Publishers store. Creative developers could install their self-signed Code Signing Certificate there when they install a pre-requisite signed and timestamped with a paid-for Authenticode Code Signing Certificate. After that, programs signed by the publisher would be trusted and would not trip the SmartScreen Filter alarms. Essentially, once trusted, a publisher was free from the recurring fees.

The recent changes to the SmartScreen Filter (and its inclusion as an OS "feature" in Windows 8) make it clear Microsoft wants you to buy a code signing certificate instead of creatively working around the problem they've created for you. Has anyone discovered a new method to trust publishers who use their self-signed Code Signing Certificates by default (i.e., not showing the prompts)? Short of turning off the filter completely, what can end users do to let the SmartScreen Filter know to always trust a Self-Signed certificate?

Please note that purchasing a Code Signing Certificate is not an answer to this question. I'm looking for a way to tell SmartScreen Filter to trust a publisher that does not purchase certificates from an outside source, but instead issues their own for use inside their organization.

UPDATE: I think I might have found a workaround! From MSDN, SmartScreen Filter can be disabled on Windows 8 and Internet Explorer 10 for sites listed as Trusted Sites. If someone could verify that this method works for setup programs downloaded and run from a Trusted Site in Windows 8, that would be greatly appreciated and would help a lot of ISVs and in-house development teams. It would also be the workaround needed to answer this question. Trusted Sites can be configured by group policy, so it would be simple from there.

Programmatically, turning off SmartScreen Filter for the Trusted Sites Zone can be achieved by setting either HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!2301 for the machine or HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!2301 for the user to 0, and adding the site to be trusted to the Trusted Sites Zone can be done as shown in this question.

Could someone please verify that my proposed workaround functions on Windows 8 for an unsigned or self-signed executable downloaded from a Trusted Site? I'm not using Windows 8 myself, having spent my OS upgrade budget on certificate fees.

Shannon Cook
  • Probably this page could give you some useful info http://msdn.microsoft.com/en-us/library/ie/jj542450(v=vs.85).aspx – Spadar Shut Mar 24 '13 at 21:47
  • After skimming through the link, it looks like it might be useful. Thanks for the lead. I'll update this post when I have more time to research your link. – Shannon Cook Mar 26 '13 at 17:34
  • Unfortunately, your link doesn't get me any closer to a solution. I'm wondering if ignoring the "Trusted Publishers" store is a bug in the latest version of SmartScreen Filter, or if it's by design, intentionally rendering the "Trusted Publishers" store worthless and forcing developers to purchase certificates from Microsoft's Trusted Root members. – Shannon Cook Apr 08 '13 at 21:47
  • posting not as an answer, you can a) minimize costs via switching to startssl ($60/ 2 years), b) publish a sufficiently trusted updater once and hand off updates to it, building in your own certificate validation logic... – wizzard0 Apr 15 '13 at 17:31
  • Wizzard0, Windows 8's system-wide use of SmartScreen Filter makes the "build your own" method fail. Self-signed/private CA issued certificates are acceptable for most uses, but not for code signing. I've tried using code signing certificates issued from custom roots installed on the end user's machine, but the filter still throws up the warnings and the certificates don't earn "reputation" at all. That means the warnings are permanent and can't be circumvented to the best of my knowledge. This seems like a "feature" designed to force certificate purchases, not protect from malware. – Shannon Cook Apr 15 '13 at 19:21
  • I mean, when you implement your own updating logic, and clear the Zone Identifier from the downloaded files, then the SmartScreen filter does not get a chance to be invoked. Or am I wrong with this one? – wizzard0 Apr 19 '13 at 08:47
  • By "your own updating logic," I'm assuming you mean a launcher/update program for a single program that's EV signed or that's already installed on the end user's system. That works only if the program is already installed, so it's not a functional solution. Imagine a company with 500+ Windows 8 systems that uses multiple applications produced by multiple publishers. Administrators used to be able to distribute the publishers' self-signed code signing certificates by group policy into the trusted store to circumvent the warnings. The Windows 8 SSF ignores the Trusted Publishers store. – Shannon Cook Apr 25 '13 at 12:20
  • As for removing the Zone identifier, I've decided to add a link to an answer on how to do just that for reference purposes. http://stackoverflow.com/questions/6374673/unblock-file-from-within-net-4-c-sharp My current "workaround" is education, telling users how to get through the maze of tiny, hidden links to actually get files to run. I like Smartscreen Filter in general, but not being able to configure it to trust a publisher stored in the Trusted Publishers certificate store has me tempted to encourage people to disable it completely, or stick to Windows 7. – Shannon Cook Apr 25 '13 at 12:53
  • Probably a stupid question, but can you turn off smart screen filter during an install? – N_A Apr 29 '13 at 15:57
  • You could tell the end user to do that, but you can't do it programmatically as far as I know. Also, that doesn't quite solve the issue of the Trusted Publishers' store being ignored. Even if you could, you wouldn't be able to turn it off with the program you're installing. If anyone knows a way to programmatically disable/enable it, that might be helpful for update programs. – Shannon Cook Apr 30 '13 at 01:43
  • Setting "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System"'s REG_DWORD value EnableSmartScreen to 0 temporarily would disable it, but that would require a pre-installed update/downloader program running with administrative rights. Changing the SmartScreen registry settings would probably also get your program flagged as malware by SmartScreen. In addition, changes to this registry entry require logging off and back on to apply. – Shannon Cook Apr 30 '13 at 01:52
  • Officially, the problem with certificates added to the trusted store is simply that they haven't had time to build reputation with the SmartScreen service. That said, there does not appear to be any data anywhere I could find about how one goes about building reputation and how long it takes to do so. See http://www.cio.com.au/article/433760/win8_smartscreen_nudges_software_sellers_buy_code_signing_certs/ – Moshe Katz May 01 '13 at 05:09
  • The "Trusted Store" is where you install certificates from publishers you (i.e., the end user or the group policy administrator) trust 100%. These certificates should be exempt from the need to build reputation. I believe this to be a severe bug/oversight/design flaw in the current incarnation of the SmartScreen Filter. Once you've decided to trust someone and gone through the effort of installing their certificate in the Trusted Publishers store, a trust relationship has been established between you and the publisher, and Microsoft should not be interfering with that relationship at all. – Shannon Cook May 01 '13 at 20:53

5 Answers


To quote from MSDN's website:

Detractors may claim that SmartScreen is “forcing” developers to spend money on certificates. It should be stressed that EV code signing certificates are not required to build or maintain reputation with SmartScreen. Files signed with standard code signing certificates and even unsigned files continue to build reputation as they have since Application Reputation was introduced in IE9 last year. However, the presence of an EV code signing certificate is a strong indicator that the file was signed by an entity that has passed a rigorous validation process and was signed with hardware which allows our systems to establish reputation for that entity more quickly than unsigned or non-EV code signed programs.

In other words, EV (paid) validation is just one factor in a large algorithm that determines whether the SmartScreen warning is displayed or not. If you have a lot of people that download your program, or if your program download link has not changed in a while, with some work you can get your program not to show the warning. Also, by digitally signing your code, you can increase your Application Reputation. This is straight from Microsoft's webpage on the topic.

William
  • That doesn't exactly answer my question. I asked for a workaround. Your answer is more political than technical. Could you please edit it to contain a workaround or delete it? Also, as an aside, code signing certificates not issued by a member of the Microsoft Trusted Root program do not gain reputation at all, so you're better off unsigned (in terms of reputation) if you don't have one. Unsigned executables, oddly enough, do earn reputation. – Shannon Cook May 02 '13 at 20:05
  • There is no workaround, I stated some tactics you could use in order to raise the reputation. I researched this for three hours when Windows 8 first came out, being an amateur developer myself. You can use said tactics to gain a higher reputation with their service, but Microsoft does not give out workarounds. This is the closest you can get. – William May 02 '13 at 20:51
  • That's still a non-answer. It's better to leave the question unanswered until a workaround is discovered. I had the "there is no workaround" answer from [this blog post](http://robindotnet.wordpress.com/2013/02/24/windows-8-and-clickonce-the-definitive-answer-2/#comment-4939) when I posted this question. Please delete your answer. It is political rather than technical, and does not even attempt to answer the question. Installing in the Trusted Publishers store is a workaround for everything short of Windows 8, and surely another workaround will be discovered for Windows 8 as well. – Shannon Cook May 02 '13 at 21:02
  • With the 150 point bounty about to expire, you'll end up getting the "default" award of half, even though you did not answer the question. If you'd be willing to verify that my own answer works using Windows 8, I'd be happy to award you the full bounty. Otherwise, please delete your answer to avoid taking advantage of the bounty expiration in this manner. – Shannon Cook May 03 '13 at 04:11
  • Technically an answer is simply something written or said in reaction to a question. This IS a question, right? :) When you ask a question, you may not always get the response for which you hoped. William's answer confirmed there is no single work around. (e.g. Do this one thing and it will fix your issue.) Now that you know this, you'll (probably) stop looking for another answer. Knowing there is no workaround is a valuable answer. – Tyler Montney Jul 16 '15 at 04:40
  • This is the right answer, just not articulated clearly. 1) Non-EV from CA is fine and today, I can see it costs about $110 per year from Comodo. 2) Apparently, even a self-signed certificate will work after the reputation builds up. 3) Run anyway - It should be noted, that users CAN bypass the nag screen [http://www.rawinfopages.com/tips/2014/10/unblock-programs-blocked-by-windows-smartscreen/]. I read through the lengthy OP, and changed the question title to reflect the author's intention. – Kind Contributor May 06 '17 at 03:40
  • Microsoft is taking the money out of our pockets with this bold tactic which clearly shows that the intention is making money rather than protecting its users. I agree with the OP, this is not an answer and William should've respected the wish of deleting it considering that there is a bounty on the question. When did you certified Microsoft developers lose the spirit of hacking.. – F.H. Dec 13 '17 at 22:52
  • I found this answer useful and am glad you didn't delete it. – Drew Noakes Jul 16 '18 at 18:06
  • Unfortunately both links are broken. If someone can point to the new location of these documents that would be useful. – Bram May 12 '20 at 17:36

Using a 90 day trial of Windows 8 from Microsoft, I've been able to verify that my workaround does indeed work. If you want to pay for a code signing certificate once and only once instead of paying annual fees, this method should work for you as well, but I can't make any guarantees. My solution is per-machine, but should be easy to convert to work per-user.

This is my solution:

  1. Set up your own certificate infrastructure.
  2. Publish copies of your root CA certificate, any intermediate CA certificates issued by your root, and any code signing certificates issued by your intermediate CA's to your website as .cer files.
  3. Install an SSL certificate on your website that was issued by your Root CA.
  4. Create an installer/downloader application that performs the following tasks:
    • Installs the root CA certificate (from your website, step 2) into the Trusted Root Certification Authorities store for the end user's machine.
    • Disables SmartScreen Filter for the Trusted Sites internet zone by setting HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!2301 to 0.
    • Adds your website to the zone map by adding the registry key(s) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\yourdomain.com\yoursubdomain.
    • Maps your domain to the Trusted Sites zone by creating a DWORD named https with a value of 2 in the key created in the previous step.
  5. Purchase a code signing certificate from a member of Microsoft's Trusted Root program, preferably an EV certificate.
    • Before your purchase, make sure the certificate and timestamping scheme used by the CA for your code signing certificate will not result in OIDs 1.3.6.1.4.1.311.10.3.13 or 1.3.6.1.4.1.311.10.3.14, as these would make the signature expire when the certificate expires, whether it's timestamped or not.
  6. Sign and timestamp your downloader/installer with the certificate purchased in step 5. Verify the absence of lifetime limitations on the signature. If everything is ok, you can put your purchased code signing certificate in a safe place and lock it away.
  7. Publish your downloader/installer program to your website. Make it a pre-requisite download for all your products.
  8. From this point on, you can use code signing certificates (and other certificates, for that matter) issued by your own internal certificate authorities without SmartScreen Filter being a nuisance.

The worst warning I’ve received using this method so far has been “This type of file could harm your computer.” That's the typical "You're downloading an executable file!" warning. It doesn’t hide the Run option and does not appear for ClickOnce deployments using the bootstrap webpage generated by clicking “Publish” in VS2010.

Thanks for all the comments and links.

Shannon Cook
  • I did not downvote, but step 4 sounds strange. a) how would you install this installer? (how to prevent it from being marked as unsafe by SmartScreen?) b) it does not sound like a good idea to tweak users' registry settings for SmartScreen Filter without their permission. – Marek Apr 07 '14 at 15:00
  • Sorry for the late reply; tax season. A) Step 5 gets the installer around the filter. B) The modifications to the registry would be made WITH the user's permission, as permission is granted by the user when they accept the EULA for the software. Essentially, you're setting things as they should have been set originally. If a user chooses to trust a publisher and their website (i.e., installs the publisher's cert in the trusted store), then SmartScreen should trust the publisher. – Shannon Cook Apr 21 '14 at 01:37
  • Step 5 also requires "spending a boatload of money". – Damian Yerrick Oct 01 '15 at 18:02
  • I would immediately uninstall any application that meddles with my system's security settings and ban any and all applications of said developer forever. – Oliver Weichhold Mar 06 '17 at 16:11

I have found a really easy way to bypass the filter even without admin privileges. What you need to do is:

  1. Open notepad
  2. Type in the following line: @%*
  3. Save the file as "SkipSmartScreen.bat" (yes, with the quotes) in the same folder as your app. You can rename the batch file later
  4. To launch your app, drag your exe on to the batch file

This will then bypass smartscreen filter.

Tested on Windows 10 Home, Pro, and Enterprise, and Windows 8 Pro.

How it works:

  • @ - This is just for looks; it hides the name of the command being executed
  • %* - This expands to all command line arguments passed (e.g. the file you dropped on the batch file)
  • The whole thing: It executes the file through the batch file as if it was a line in the batch file. For some reason, Windows does not do any check on files which are executed from a batch file.
geek1011
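The Mark-of-the-Web that both the Zone.Identifier comment on the question (and the .NET unblock answer it links) and the batch launcher above turn on, as an added example that is not code from either post. It creates a constructed stand-in for a downloaded file on NTFS, stamps it with the Zone.Identifier stream a browser writes (ZoneId 3 = Internet zone), runs it through the `@%*` launcher and shows the stream is still there afterwards, then removes it with `Unblock-File`. The launcher works because cmd.exe starts the dropped file with CreateProcess directly, while the SmartScreen prompt is raised by the shell when it launches a file carrying that stream; the stream itself is untouched, so a later double-click in Explorer prompts again.

```powershell
# Added example, not code from either post: inspect the Zone.Identifier stream,
# run a file through the "@%*" launcher, and remove the stream with Unblock-File.
# Assumptions: a constructed .cmd stands in for a real download; $env:TEMP is on NTFS.

$ErrorActionPreference = 'Stop'

function Get-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$Path)
    # Returns $null when the file carries no Zone.Identifier alternate data stream.
    $stream = Get-Item -Path $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }
    $text = Get-Content -Path $Path -Stream 'Zone.Identifier' -Raw
    $zoneId = if ($text -match 'ZoneId=(\d+)') { [int]$Matches[1] } else { $null }
    [pscustomobject]@{ Path = $Path; ZoneId = $zoneId; Raw = $text }
}

function New-SimulatedDownload {
    # Constructed sample: a harmless batch file stamped the way a browser stamps a download.
    param([Parameter(Mandatory)][string]$Path, [int]$ZoneId = 3)
    Set-Content -Path $Path -Value '@echo hello from the payload' -Encoding ASCII
    Set-Content -Path $Path -Stream 'Zone.Identifier' -Value "[ZoneTransfer]`r`nZoneId=$ZoneId" -Encoding ASCII
    $Path
}

function New-BypassLauncher {
    # The launcher from the answer above, verbatim.
    param([Parameter(Mandatory)][string]$Path)
    Set-Content -Path $Path -Value '@%*' -Encoding ASCII
    $Path
}

$dir = Join-Path $env:TEMP ('motw-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $dir | Out-Null
try {
    $payload  = New-SimulatedDownload -Path (Join-Path $dir 'payload.cmd')
    $launcher = New-BypassLauncher  -Path (Join-Path $dir 'SkipSmartScreen.bat')

    "Before launcher:    ZoneId = $((Get-MarkOfTheWeb $payload).ZoneId)"

    # Same as dropping payload.cmd onto the .bat: cmd.exe expands %* and runs it.
    # The stream is not modified, so Explorer would still prompt on the next double-click.
    & $launcher $payload | Out-Null
    "After launcher:     ZoneId = $((Get-MarkOfTheWeb $payload).ZoneId)"

    # Unblock-File deletes the Zone.Identifier stream (what the linked .NET answer does by hand).
    Unblock-File -Path $payload
    "After Unblock-File: MotW present = $($null -ne (Get-MarkOfTheWeb $payload))"
}
finally {
    Remove-Item -Path $dir -Recurse -Force
}
```

The same `Get-MarkOfTheWeb` check is what to run on a file before handing it to users: a ZoneId of 3 or 4 is what triggers the prompt, and a file with no stream at all (for example one extracted by an archiver that does not propagate the mark) will never show it regardless of signature.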

Here is a good explanation of how to turn off SmartScreen:
- Windows SmartScreen - Turn On or Off in Windows 8
- Uncheck option in Folder Options

What I used and what worked for me? It was "option one" from first link:

  1. Open the Control Panel (icons view), and click/tap on the Action Center icon.
  2. In the left pane of Action Center, click/tap on the Change Windows SmartScreen settings link.
  3. If prompted by UAC, then click/tap on Yes.
  4. Select (dot) the option for how you want Windows SmartScreen to handle unrecognized programs, then click/tap on OK.
    NOTE: The default option is to Get administrator approval before running an unrecognized app from the internet.
  5. When finished, you can close the Action Center if you like.

I hope that this is what you were looking for. :)

Monic
  • OK, I've got a minus. Can anyone explain to me why? – Monic Nov 09 '15 at 20:06
  • Your answer is about users turning off SmartScreen on their PCs. The question is about "as an app developer, how do I prevent users from even seeing the SmartScreen windows?" This is obviously not something we can do (we have to tell users to disable it, which could have security implications). – ashes999 Jun 20 '17 at 17:22

Old question but I recently had the same issue where I needed to download a small installation package down to a user's PC for them to execute. But as always SmartScreen was blocking the download...

A workaround that I discovered is to package your installer file in a .zip (or the like) and then have the user download this compressed file and execute the installer within. This is at least the "prettiest" solution that I had to use in my scenario.

This method saves you from having any kind of certificates assigned to your files. You just need your users to trust you, but this will bypass the SmartScreen Filter.

I hope this can be used as a workaround for your issue.