
I'm trying to deploy and distribute a C++ app on Windows.

I've managed to create an MSI installer with Visual Studio (with the Microsoft Visual Studio Installer Project extension). When I run it on my computer, everything is fine. But if I run it on someone else's computer, Windows Defender displays a SmartScreen warning:

[screenshot of the SmartScreen warning not included]

We are still in beta, so we don't have a lot of money or any certificates, but we want to make the beta available without this warning to allow users to test the product and give us feedback (we want to set up a build-measure-learn method).

I've seen that I can use EV certificates to remove this warning (but they are too expensive, so it's not an option).

How can I remove this warning for every user who downloads my installer from my website (without any cost, if possible)?

Remy Lebeau
Azyrod
  • Have you checked the [SmartScreen FAQ](https://feedback.smartscreen.microsoft.com/smartscreenfaq.aspx)? – user7860670 Dec 19 '19 at 11:58
  • You need to add a digital signature (certified) to your installer (.msi) file. Unfortunately, acquiring an appropriate certificate is *not* without cost. – Adrian Mole Dec 19 '19 at 11:59
  • SmartScreen is "trust-based" - you gain reputation (or lose it). I suppose you could try to upload the binary to https://virustotal.com to check, and also download it yourself a number of times from different computers to improve "trust". That data has to get reported to the `SmartScreen database`; how that is done I don't know. Maybe the `CompatTelRunner.exe` scheduled task submits such data? Usage analysis is based on submitted IE, Edge, Windows, Anti-Virus, download volume, download logs, download URL past history, etc... [Get an EV certificate](https://stackoverflow.com/a/50414337/129130). – Stein Åsmul Dec 19 '19 at 21:40
  • @AdrianMole How is Pandora? – Stein Åsmul Dec 20 '19 at 00:21
  • @SteinÅsmul Trial Separation! I kept telling her *not to* but she insisted on opening that wee box. – Adrian Mole Dec 20 '19 at 11:07

1 Answer


You need an official code signing certificate or a code signing EV certificate; it will cost some money. Then sign your output (dll, msi, exe) with that certificate using signtool or build events. Your setup is then from a known publisher (you / your brand).

You can use a self-signed cert, but then you need to install the cert on every machine ... that use case is useful for "internal" usage. In your case, when you offer a download from your website, you need to inform the user that you used a self-signed cert, and you can offer the CA of your cert and ask the user to install it ... or you just mention that the cert is self-signed and share the fingerprints / MD5 hashes so your customers can verify the content on their own.

KargWare
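A release-side script for the steps the answer describes (sign the MSI with signtool, check the signature, publish a hash beside the download), added here as an example and not code from the original post. It assumes signtool.exe from the Windows SDK is on PATH; the PFX path, password and timestamp URL are placeholders to replace with your own.

```powershell
# Added example, not from the original answer. Assumes signtool.exe (Windows SDK)
# is on PATH and .\Setup.msi is the installer built by the VS Installer Project.
param(
    [string]$Installer    = ".\Setup.msi",
    [string]$PfxPath      = ".\codesign.pfx",           # placeholder: your PFX
    [string]$PfxPassword  = "<pfx-password>",           # placeholder
    [string]$TimestampUrl = "http://timestamp.example"  # placeholder: your CA's RFC 3161 server
)

# 1. Sign the MSI. /fd and /td select SHA-256 digests; /tr adds an RFC 3161
#    timestamp so the signature stays valid after the certificate expires.
#    A CA-issued (OV/EV) certificate is what makes the installer show a known
#    publisher. A self-signed certificate is only trusted on machines where your
#    own root was installed, and it does not build SmartScreen reputation.
& signtool.exe sign /fd SHA256 /tr $TimestampUrl /td SHA256 `
    /f $PfxPath /p $PfxPassword $Installer
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed (exit code $LASTEXITCODE)" }

# 2. Check that the signature chains to a root trusted on this machine.
#    For a self-signed certificate the status is not 'Valid' until the root
#    is installed, which is exactly what your users would see.
$sig = Get-AuthenticodeSignature -FilePath $Installer
"Signature status : $($sig.Status) ($($sig.StatusMessage))"
"Signer           : $($sig.SignerCertificate.Subject)"
"Thumbprint       : $($sig.SignerCertificate.Thumbprint)"
if ($sig.Status -ne 'Valid') {
    Write-Warning "Signature does not chain to a trusted root on this machine."
}

# 3. Write a SHA-256 hash file to publish next to the download so users can
#    verify the file themselves (SHA-256 rather than MD5; MD5 is collision-prone).
$hash = Get-FileHash -Path $Installer -Algorithm SHA256
"$($hash.Hash)  $(Split-Path $Installer -Leaf)" | Set-Content -Path "${Installer}.sha256"
"SHA256           : $($hash.Hash)"
```

Users can compare the published hash with `Get-FileHash -Algorithm SHA256` on the downloaded file; the thumbprint printed in step 2 is the certificate fingerprint the answer suggests sharing.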