Getting around Chrome's Malicious File Warning

Question

I created an application which comprises a number of *.exe files. I've packaged these up into an NSIS installer which I hosted on my website. When I try to download it Chrome reports it as potentially malicious. At first I thought it could be the URL/site I was hosting on not being recognized so I signed up for Amazon S3 storage and moved the file there. Same problem. I then thought that packing the executables might cause this, so I tried without.
Same issue.
After some more reading I decided to try signing the executables as well as the installer package EXE.

I created a dev cert as follows:

makecert
pvk2pfx 
signtool"http://timestamp.verisign.com/scripts/timstamp.dll" *.exe

Still malicious... I check the exe's even after download and confirmed they have a digital signature tab, granted it's not a fully verified commercial certificate but I can't believe the only way around Chromes half-baked code analysis is to spend $200 a year to have a verisign etc. code signing cert issued?

Any ideas how I can change what I'm doing to avoid this nasty message?

I have the same issue. Jotti tells me there are no viruses found, so why is Google Chrome not happy? Chrome's learn more links goes to http://support.google.com/chrome/bin/answer.py?hl=en-GB&answer=99020 but it's typically unhelpful. Any ideas? — svandragt, Mar 12 '12 at 10:37
Yes, the answer is to sign up to Google Webmaster Tools, because for your website to be accepted by the public, it must first be accepted by Google, our glorious leader. All hail our glorious leader. — ADJenks, Jan 02 '19 at 21:48

score 103 · Answer 1 · answered Mar 15 '12 at 20:50

103

I had exactly this problem with an exe file that is downloadable from my web site. Whenever I tried to download the file using Chrome it gave the warning.

The solution I found was to sign up to Google Webmaster Tools and add my site. It took several days for Google to crawl my site, and fill in any information, but I went back today and finally found loads of information there.

Now I can download my file, and there is no malicious warning any more.

It seems that once Google has checked out your site and determined that you are not a bad person, the problem goes away.

answered Mar 15 '12 at 20:50

Jeff G

1,830
1
16
17

Glad it worked for you too, thus verifying it wasn't a one-off. Your site must have got crawled a lot more quickly than mine, as I had to wait several days. Thanks for the bounty. – Jeff G Mar 16 '12 at 10:40
22

All I need now is for the OP to give me a green tick, and my mission in life will be complete :) – Jeff G Mar 16 '12 at 21:14
2

Second Confirmation. Thanks. Shame I can't do anything about your life mission :( – Robert Whitley Apr 23 '12 at 13:54
8

Doesnt work for me. Webmaster tools says Google didn't detect any malware, but it still blocks the download. The file itself is not indexed (why would it be tho - its an EXE not a html file). – steve cook Sep 10 '13 at 06:40
Anything to do with AVG? (A recent update has been causing a lot of grief) – Jeff G Sep 10 '13 at 10:28
The important thing here is that the URL is indexed by Google (yes, even if it's an exe), and is not blocked in robots.txt, which was the case for me. When allowing the file in robots.txt and forcing Google to index the file solved the problem, the file now downloads without warnings. The file needs to be code signed. Having the site added to Webmaster Tools, and adding the file to a sitemap might be a requirement as well. – Sire Apr 19 '15 at 11:42
Not worked for me, my site is clean on Webmaster Tools and still Chrome blocks all my ZIP packages. – delphirules Jul 28 '15 at 17:38
I added my site - still not working - but somehow with the same browser and JS code to make the zip, this person's site is working: https://stuk.github.io/jszip/documentation/examples/download-zip-file.html – Dean Radcliffe Sep 15 '15 at 00:46
Any idea why it also calls multi-part rar files malicious, even if there's not a single executable file inside? – CodeManX Nov 23 '15 at 12:19
The bad thing is this can't work for dynamically created files (data exports in zip, xml etc.) – apostolov Oct 23 '17 at 10:11
What do you do for internally hosted web applications that Google will never see and you never want Google to see? – ADJenks Dec 20 '18 at 21:07
This just seems like Google's way of forcing people to use more of their software. – ADJenks Dec 20 '18 at 21:26

score 7 · Answer 2 · answered Mar 13 '12 at 11:02

Well, anonymous .exe are potential threats, Chrome is preventing users about this.

You are signing the exes, but I'm not quite sure your certificate is backed by a Certification Authority, like Verisign. They sell this services. But yet, I'm not sure signing will make any difference. Chrome reads the files' names inside the zip, but I don't think it decompress the entire file to read the sign.

I can tell you one or two workarounds, I'm pretty sure you know them:

Change the file extension, and ask the user to rename the files back to .exe
Password protect your zip, rar, or whatever, so Chrome won't be able to look inside, and supply the password to users: it's not a secret password

score 2 · Answer 3 · answered Jun 08 '14 at 15:49

I also had the same issue, and tried the options described above as well,but no luck. I guess I was just too impatient to wait for Google to crawl my site.

I ended up registering with Softonic and CNET's Upload.com, and submitted my application for review and inclusion on their sites. After their approval, I added the link to my site, the file downloaded fine.

The only bad thing is that you need to download the Softonic downloader to install your application on softonic, but CNET offers a "direct download link" that allows you to download your original installer.

score 1 · Answer 4 · answered May 27 '15 at 16:16

1

I ran into this issue. The simplest work around: use another [insert browser name here]. eg. firefox.

answered May 27 '15 at 16:16

Millar248

403
8
18

So you tell all the people who try to download your file that they should use a different browser? – Jeff G Sep 15 '15 at 08:46
1

No. I use another browser to download .exe's from other people. – Millar248 Sep 15 '15 at 15:40
4

This question comes up when ppl search for how to get around it when DOWNLOADING a file, this is the correct answer for them – Kevin Sep 26 '15 at 05:26

score 1 · Answer 5 · answered Jul 16 '18 at 18:31

If you have a domain with a non-standard domain suffix such as .one, Chrome will complain. So will FireFox for that matter. I don't think this was the OP's problem but if you land here because you're searching madly trying to figure out why a commom file like a .zip file is giving you a warning in Chrome or FF when downloading, it could very well be that you need to use a common domain suffix such as .com

score 0 · Answer 6 · answered Apr 17 '15 at 23:26

0

I also had this issue. I am using a certificate generated from my own CA which is installed to the Trusted root certification authorities. At first signing wasn't enough, but then I added file version with my name on it and also an icon. Now Chrome is happy to download and run it.

answered Apr 17 '15 at 23:26

George Valkov

1,217
12
10

Was it an instant or you had to wait some time untill Chrome realized the file is ok? – Alexander Selishchev Feb 04 '16 at 11:14

Getting around Chrome's Malicious File Warning

6 Answers6

Linked

Related