Delivering software over the Internet and being blocked by Windows Defender.


  • Delivering software over the Internet and being blocked by Windows Defender.

    How is it that running Chrome installation download is not blocked by Windows Defender?

    Is there something special about a "setup" file?

    Has anyone overcome this issue?

    I have a digital signing certificate and sign my .exe files. When I look at Chrome.exe they have two entries - see photo.

    [Attached images: Snap79.jpg, Snap78.jpg]

  • #2
    I've read the number of times a program is downloaded builds confidence with Microsoft.
    Chrome is also an exception in not showing EV certificates as green in the address bar. Example: https://www.godaddy.com or try a bank.
    Also if the user comes in with http to an https may cause it to be blocked.
    I wouldn't attempt installing anything without Innosetup or using a .ZIP file. Having setup or install in the name is supposed to help (at least at one time.)
    I always click on properties and then unblock before unzipping files that are downloaded.
    Definitely get ahold of your signing authority to see if they can help.

    https://revolution.screenstepslive.c...ith-inno-setup
    How long is an idea?
    Write it down.



    • #3
      David, probably you submit this file to Virustotal and get it scanned or rename your file to BuildSNME.exe

      don't use the words Setup or Install in the filename



      • #4
        Originally posted by Mike Doty:
        Chrome is also an exception in not showing EV certificates as green in the address bar.
        That's because Google (and Firefox) decided to stop feeding to what I call the scam that's EV: https://www.troyhunt.com/extended-va...y-really-dead/



        • #5
          David,
          Can you clarify the point at which blocking occurs? As Mike suggests, I use InnoSetup and I name my files appname_setup.exe. I've not seen any problem with downloading the file using Chrome or Edge. The installation does require that I respond to a couple of Windows questions. I use Windows Defender. I put my setup files on my server and give the URL to the users.



          • #6
            I do the same as Gary and don't have any problems with downloads from a protected https folder using InnoSetup.
            Users do have to answer questions, but that can be turned off (not suggested) somewhere in internet options so doubt it is Windows Defender.

            Knuth,
            Address bar shows green using EV with Firefox. Maybe they fixed it. Try www.powerbasic.com

            Knuth,
            Correction, after reading the article. Thank you! Sounds like EV has become a waste of money.
            Firefox is in 69 series as of 10/9/19.
            In desktop Firefox 70, we intend to remove Extended Validation (EV) indicators from the identity block (the left hand side of the URL bar which is used to display security / privacy information).
            https://www.troyhunt.com/extended-va...y-really-dead/
            How long is an idea?
            Write it down.



            • #7
              This is from https:// setup.exe is from InnoSetup, setup.exe is signed as in setup.exe inside of setup.exe...
              Still getting this but Chrome and others do not.

              [Attached image: Snap80.jpg]

              Comment
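An added example, not part of any post in this thread: a PowerShell function that reports, for a downloaded installer, its Authenticode signature status and signer together with the Mark of the Web zone that the Properties > Unblock step mentioned in #2 clears. The function name `Get-DownloadTrustInfo` and the file name are hypothetical.

```powershell
# Added example (not code from the thread). Reports the two properties discussed
# above for a downloaded installer: Authenticode signature and Mark of the Web.
function Get-DownloadTrustInfo {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path   # e.g. .\appname_setup.exe (hypothetical file name)
    )

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop
    $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName

    # The Zone.Identifier alternate data stream is the Mark of the Web.
    # Properties > Unblock (or Unblock-File) deletes this stream.
    $zoneId = $null
    $ads = Get-Item -LiteralPath $file.FullName -Stream 'Zone.Identifier' `
                    -ErrorAction SilentlyContinue
    if ($ads) {
        $text = Get-Content -LiteralPath $file.FullName -Stream 'Zone.Identifier' -Raw
        if ($text -match '(?m)^ZoneId=(\d+)') { $zoneId = [int]$Matches[1] }
    }

    [pscustomobject]@{
        File            = $file.Name
        SignatureStatus = $sig.Status                     # Valid, NotSigned, HashMismatch, ...
        Signer          = $sig.SignerCertificate.Subject  # $null when the file is unsigned
        Issuer          = $sig.SignerCertificate.Issuer
        CertExpires     = $sig.SignerCertificate.NotAfter
        Timestamped     = [bool]$sig.TimeStamperCertificate
        ZoneId          = $zoneId                         # 3 = Internet zone, $null = no mark
    }
}

# Usage: run against the installer exactly as the user received it.
Get-DownloadTrustInfo -Path .\appname_setup.exe | Format-List
```

A `Valid` status with `ZoneId` 3 is the case described in this post: the signature verifies, yet the file still carries the Internet-zone mark that leads to a SmartScreen reputation check.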


              • #8
                "Although not required, programs signed by an EV code signing certificate can immediately establish reputation with SmartScreen reputation services even if no prior reputation exists for that file or publisher. EV code signing certificates also have a unique identifier which makes it easier to maintain reputation across certificate renewals."

                https://blogs.msdn.microsoft.com/ie/...-certificates/

                "Although not required, programs signed by an EV code signing certificate can immediately establish reputation with SmartScreen reputation services even if no prior reputation exists for that file or publisher. EV code signing certificates also have a unique identifier which makes it easier to maintain reputation across certificate renewals. Only Authenticode Certificates issued by a CA that is a member of the Windows Root Certificate Program can establish reputation. Don’t sign or distribute malicious code Distributing code detected as malicious will remove the reputation from a file and also any reputation from the associated digital certificate – even if signed with an EV code signing certificate."



                • #9
                  I see both Chrome and Firefox allow downloading, just not running without the SmartScreen questions.
                  Settings are in Windows Security, App and Browser control, Exploit Protection, Program settings, Add program to customize.
                  Sounds like you are doing everything right. Hope the signing kicks in.
                  How long is an idea?
                  Write it down.



                  • #10
                    Howdy, Dave,
                    Where are you on this? I'd like to avoid the need for the user to press anything - just double click on the installation file for it to begin. Have you reached that point yet?

                    I'm told that Digital Signing is needed for that to happen but it doesn't seem to be working for you? From the trouble you're having, digital signing doesn't sound like the panacea that I've been led to believe.



                    • #11
                      I think I got to the bottom of it, Gary.

                      I had to purchase a code-signing certificate that was "extended."
                      Now when I sign an .exe it downloads and will run without any issues.
                      So basically $$$$ solves the problem.


                      https://www.digicert.com/secure-site-ssl/ev-ssl/

                      "Extended Validation (EV) Code Signing Certificates include all the standard benefits of digitally signed code plus a rigorous vetting process and hardware security requirement, so your users can have even greater confidence in the integrity of your applications."



                      • #12
                        Hi Dave

                        Did you buy the code signing certs from K Software ?
                        https://ksoftware.freshdesk.com/supp...g-certificate-



                        • #13
                          I used Digicert, they send you a hardware key. Works great!



                          • #14
                            Thanks Dave

                            Does that mean that Digicert's "hardware key" is a flash drive?
                            I would think that is a good way to prevent hackers from hijacking the certificate?




                            • #15
                              How deep did they check your ID?

                              (In other words, what keeps a hacker from buying a cert saying they are you, Microsoft, or anybody?)
                              Dale



                              • #16
                                Dale, I believe that each company that requested to have a signing certificate will have its company checked and verified by a law firm
                                as well as by a Country's company registrar before that company can acquire a signing certificate.
                                You can't simply call your company "Microsoft", it needs a thorough verification of the company status and track records before such a cert can be issued.



                                Please read
                                https://ksoftware.freshdesk.com/supp...g-certificate-



                                • #17
                                  David, how much did this cost you? How did you prove you're you?
                                  Dale



                                  • #18
                                    Dale: I think it was $600.00, not a bargain! Digicert did some checking to see if my company was registered, which it is. They also called me on the phone. I figure a determined hacker could trick them.

                                    Tim: It looks like a flash drive but it is doing something proprietary to Digicert. They give you a program to sign code and it only will sign if the USB thing is plugged in. Not a USB drive you could copy.



                                    • #19
                                      see if my company was registered,
                                      Ah, not for you as an individual; and you have a registered company. Thank you.
                                      Dale



                                      • #20
                                        Hi David

                                        I did not find much reference on Digicert website on code protection, it is mainly for SSL website protection?
                                        The closest I got was
                                        https://www.digicert.com/code-security-solutions/

                                        and that didn't say much about the procedure to apply for code signing unlike that from K-software site https://ksoftware.freshdesk.com/supp...g-certificate-

                                        which tells you the requirements and step by step procedure of getting code signing certificate.

                                        The Digicert's flash drive key is definitely more secure and advantageous than K software or Sectigo's software key

                                        Can you please tell me where we can get more info from DigiCert on code protection? Thanks
