Windows SmartScreen prevented an unrecognized app from running. Running this app might put your PC at risk


When you try to install a ClickOnce application on Windows 8 OS, it is intercepted by the SmartScreen filter. It would show the below screenshot:

Untitled

Though the application is signed with a certificate from Verisign, still the publisher name is displayed as unknown. SmartScreen dialog should be the same as for any other executable, with a “More Info” option, and “Run Anyway” button. Windows SmartScreen alerts users before running unrecognized programs downloaded from the Internet. Microsoft has extended the SmartScreen feature of Internet Explorer to Windows as well to protect users from malware. In general, SmartScreen Protection shows the above message when you try to run a newly released program or an application that has not yet established a reputation. Even though one can easily disable the SmartScreen Protection feature in Windows 8, we don’t advise you to turn off the protection.

In addition to Strong Name signing the assembly, which VS offers support for (via project property pages), you will need to Authenticode sign.  There is no direct support for Authenticode signing from Visual Studio; however, it’s easy to add as a post-build step, like so, by inserting these lines into your project file:

  <Target Name=”BeforePublish”>

    <Exec Command=”&quot;$(WindowsSdkDir)bin\signtool.exe&quot; sign
/f &quot;path_to_your_certificate&quot;
/d signed_content_description
/du signed_content_URL
/t
http://timestamp.(vendorwebsite)

/v &quot;path_to_your_exe (in the obj\$(ConfigurationName) directory)&quot;”   />

  </Target>

The /d is a string description and /du is an url that points to additional description. These two are optional parameters.

Example:

<TargetName=BeforePublish>

 <ExecCommand=&quot;C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\Bin\signtool.exe&quot; sign /f &quot;MyCert.pfx&quot; /p &quot;password&quot; /t http://timestamp.verisign.com/scripts/timstamp.dll &quot;C:\Projects\obj\Release\App.exe&quot; />

</Target>

Once this is done, the SmartScreen will continue to warn about the application until the certificate develops a reputation. But it would display a valid publisher name instead of unknown publisher.

*P.S. The goal of the Application Reputation experience is to warn users, when appropriate, that a downloaded application has not yet established a reputation.

Reputation is established by SmartScreen® service intelligence algorithms based on how an application is used by Windows and Internet Explorer users. Reputation may be based on the downloaded application or can also be assigned to the publisher based on digital certificate information.  Only Authenticode Certificates issued by a CA that is a member of the Windows Root Certificate Program can establish reputation. Digital certificates allow data to be aggregated and assigned to a single certificate rather than many individual programs. Although not required, programs signed by an EV code signing certificate* can immediately establish reputation with SmartScreen reputation services even if no prior reputation exists for that file or publisher. EV code signing certificates also have a unique identifier which makes it easier to maintain reputation across certificate renewals.

At this time, both Symantec and DigiCert are offering EV code signing certificates as described in the blog Microsoft SmartScreen & Extended Validation (EV) Code Signing Certificates

 

 


Comments (8)

  1. Thanks for this article. I followed all the steps listed above but my application still shows "Publisher Unknown" on the SmartScreen. Are there any additional steps I need to follow, or any way to check to see what exactly is causing "Publisher Unknown" to still appear?

    I had to strong name all of the assemblies used in my project, is the Authenticode sign also required for all assemblies used? (I tried adding it to all the ones I strong named in the first step, but I'm still getting "Publisher Unknown"…)  Thanks for any additional help!

  2. smondal says:

    I think the executable was NOT signed properly with your certificate after build. You can confirm the same by looking at the executable located at C:ProjectsobjReleaseApp.exe  Right Click On the Exe file (App.exe) and check if there is any tab called "Digital Signatures".

  3. "Once this is done, the SmartScreen will continue to warn about the application until the certificate develops a reputation. But it would display a valid publisher name instead of unknown publisher. "

  4. Andrew Petersen says:

    I am following these steps, but I am getting a error message when installing the application. The error is MyApp.exe, has a different computer hash than specified in manifest.

    I assume this is because this changed the .exe. How can I make the hash's the same?

  5. smondal says:

    Please resign the application and deployment manifest files.

  6. markmnl says:

    We have signed our deployment (with an Authenticode certificate) and SmartScreen still shows "Unknown Publisher", see here:

    social.msdn.microsoft.com/…/smartscreen-shows-unkown-publisher-even-though-signed-correctly-using-a-trusted-certificate

    :(

  7. Karsten says:

    How i can authenticate my software downloads, all becomes a warning , but the software is usefull since 1998

  8. smondal says:

    Please go through the P.S. Section for more details.

    The goal of the Application Reputation experience is to warn users, when appropriate, that a downloaded application has not yet established a reputation.

    Reputation is established by SmartScreen® service intelligence algorithms based on how an application is used by Windows and Internet Explorer users. Reputation may be based on the downloaded application or can also be assigned to the publisher based on digital certificate information.  Only Authenticode Certificates

    issued by a CA that is a member of the Windows Root Certificate Program can establish reputation. Digital certificates allow data to be aggregated and assigned to a single certificate rather than many individual programs. Although not required, programs signed by an EV code signing certificate* can immediately establish reputation with

    SmartScreen reputation services even if no prior reputation exists for that file or publisher. EV code signing certificates also have a unique identifier which makes it easier to maintain reputation across certificate renewals.

    At this time, both Symantec and DigiCert are offering EV code signing certificates as described in the blog Microsoft SmartScreen & Extended Validation (EV) Code Signing Certificates