How to make my app pass SmartScreen filter in IE9

    Question

  • I have an IE plugin installed using (Windows exe) installer built with Inno Setup.

    With SmartScreen filter enabled, IE9 complains that the file "is not commonly downloaded and could harm your computer".

    I've read the developer suggestions in the MSDN blog, but still need help finding the easiest approach to work around this.

    1. The plugin is still in development and about to be launched, so it has a zero download reputation.

    2. The plugin installer is signed with a certificate (purchased from instantssl.com).

    3. Applying for the MS Logo program seems like huge overkill for our project.

    4. The download link starts with http:// and uses ASP.NET redirect handler (.ashx) to get the real file.

    5. If I change the download link to https:// (uses a valid purchased certificate), SmartScreen filter still complains.

    6. Windows Defender or NOD32 don't report any issues with our plugin installer file.

     

    Questions :

    1. Will the Extended Validation (EV) certificate be of any help, comparing to (not EV) certificate we're using now?

    2. Can we somehow speak directly to Microsoft to enable our plugin download, without applying for MS Logo program? We're a startup owning a BizSpark account, if this helps.

    3. What estimated number of downloads can increase the rating of our installer high enough to suppress this warning message in IE9?

     

     

    Thursday, March 10, 2011 5:40 PM

Answers

All replies

  • 1. Will the Extended Validation (EV) certificate be of any help, comparing to (not EV) certificate we're using now?

     

    >> From what I read so far, this should not matter. The control has to have a valid, non-expired Authenticode signature.

    This MSDN doc has some sample code regarding how one might verify the signature of a file:

    http://msdn.microsoft.com/en-us/library/aa382384(VS.85).aspx

     

    We do the following checks for a download:

    1)      An AntiMalware check using AntiPhishing/SmartScreen Url Reputation Service. 

    2)      Check the SmartScreen “App Allow List” for popular downloads

    3)      An AntiVirus check

    4)      Verify the PE file integrity using certificates.

     

    2. Can we somehow speak directly to Microsoft to enable our plugin download, without applying for MS Logo program? We're a startup owning a BizSpark account, if this helps.

    >> You can try opening up a support case and we can look into this further.

     

    3. What estimated number of downloads can increase the rating of our installer high enough to suppress this warning message in IE9?

    It is not clear if there is a hard coded number without debugging into the code.  

     

    Reference:

    http://blogs.msdn.com/b/ie/archive/2010/12/14/enhanced-protection-with-ie9-s-smartscreen-filter.aspx

    http://blogs.msdn.com/b/ie/archive/2010/10/13/stranger-danger-introducing-smartscreen-application-reputation.aspx

     

    I hope this helps.


    bill boyce
    Thursday, March 17, 2011 6:28 PM
  • Bill, our company (and a thousand other companies) are also having this same problem with IE SmartScreen regarding IE plugins. Can you elevate this for the IE team to address? Obviously there must be a way to report safe IE plugin downloads (oversight by the IE team that needs to be fixed asap)!  

    Michael Price, mprice  (at)    ceoventures.  com

    • Proposed as answer by Leon79 Tuesday, December 06, 2011 7:40 PM
    Sunday, April 24, 2011 5:16 AM
  • It's exactly the same big mess with just all other downloads! The SmartScreen filter in IE destroys our business because it just blocks nearly ANY downloads - really bad!! I can't find any link to submit a false positive download! I tried to sign and timestamp our downloads with Authenticode but it didn't help. At this time, because of that SmartScreen mess we have to advise all users to disable this nonfunctional filter thing or to move to another browser... imho that cannot be the final solution. Please fix it ASAP!!!!
    • Proposed as answer by Leon79 Tuesday, December 06, 2011 7:40 PM
    Monday, May 16, 2011 8:17 AM
  • I agree it is mess. SmartScreen filter blocks everything except the big guys.

    And I think requiring small developers to pay $200 to digitally sign freeware is highway robbery.

    The user is only presented with 2 options.... Don't Run this Program and Delete this program.

    It is only if the user clicks "More Options" do they see "Run Anyway"


    • Proposed as answer by Leon79 Tuesday, December 06, 2011 7:40 PM
    Monday, May 16, 2011 8:35 AM
  • I agree. We're part of the BizSpark program and our software now gets blocked by IE9, with no way to report a false positive.

    This is appalling. I've occasionally had problems with false positives from anti-virus programs, but they always have a way to report and resolve false positives. We are fully code-signed.

    Anne Currie

    MD

    WorkingProgram Software

     

    • Proposed as answer by Leon79 Tuesday, December 06, 2011 7:41 PM
    Wednesday, July 20, 2011 8:23 AM
  • What's happening Microsoft?  Some genius has decided that even signed software is now effectively Guilty until Proven Innocent.  This is damaging our business and doing nothing to protect users.
    • Proposed as answer by Leon79 Tuesday, December 06, 2011 7:41 PM
    Thursday, August 11, 2011 12:53 AM
  • I believe that the statement "not commonly downloaded" is not a foundation to judge if a SW is malware or not; the statement does not fall under "False Positive" because it is always FALSE.

    Why do we get our software signed in the first place? So that someone will come out and say I GUESS your signed software is not safe?

    I believe that MS should find a different mechanism of verifying the safety of the download without guessing!

    • Proposed as answer by Leon79 Tuesday, December 06, 2011 7:41 PM
    Wednesday, August 24, 2011 10:44 AM
  • This is a farce.  We get one answer from a Microsoft guy; another Microsoft guy marks it as "Answered" and then they disappear.  When more difficult questions come from other users who have been, what can only be described as slandered by smart screen; total silence.

    Hello Microsoft.  Customers here.  You remember them? You screwed up.  Fix it please.

    • Proposed as answer by Leon79 Tuesday, December 06, 2011 7:42 PM
    Wednesday, August 24, 2011 10:58 PM
  • Did anyone file this on connect.microsoft.com already?

    I think voting there should be a good starting point to elevate the problem..

    Thursday, August 25, 2011 5:35 AM
  • I just got tricked into downloading SweetIM (yes, I was brain dead at the time) using IE9. Where was the helpful message warning me? Well actually, there wasn't one because SweetIM is considered commonly downloaded;-) This does make the point that the 'commonly downloaded' test is meaningless.

    I have no idea whether or not SweetIM is malware, though in the forum I read the only person who didn't think it was malware was the VP of marketing for SweetIM! However, it seems reasonable that anyone distributing malware would make sure their program attracted a lot of downloads. Therefore, is there any value in testing for 'commonly downloaded'?

    I agree with everyone above who says that Microsoft should rethink this IE9 feature. It creates a false sense of security and impedes the right of bona-fide developers to distribute their products on the internet. This might be construed as an attempt to restrict trade which is illegal in the EU. I can only hope that the possibility of Microsoft losing yet another expensive legal fight with the EU might be enough to persuade the IE product manager to remove this feature forthwith. It could be easily done, just set the bar for a common download to five.


    will stott
    • Proposed as answer by Leon79 Tuesday, December 06, 2011 7:42 PM
    Tuesday, November 22, 2011 1:50 PM
  • I agree 100%. This is a ridiculous attempt at security and the annoyance far outweighs the benefits, if there are any benefits. We post self-extracting data files up for download on a regular basis. They are always different so they will never make the "safe" list. Since IE9 was released as an automatic update I have to assist multiple people every day in getting them to the point so that they can successfully extract the files. This feature is completely moronic! Maybe you want to take the calls for me Microsoft? As the poster above said it doesn't do anything about commonly downloaded viruses. Is it just going off of the file name or the hash? Who knows...the help link takes you to "page cannot be found".

    Total failure but what more can you expect from a team of people who decide whether a site should be placed in the intranet zone based on the complex algorithm "Are there any periods in the URL?"

    Someone needs to start a class action over this. It is a major hindrance to business operations. While we're at it maybe someone should finally sue them for putting Google at the end of the search providers list and then not even adding arrows so that it looks like all of your choices are on the screen already. These business practices need to stop.

    Tuesday, December 06, 2011 7:25 PM
  • I agree that this is a serious hindrance to legitimate small-size developers like myself.  Note that Google Chrome doesn't have this "problem" - it lets me download my .exe just fine.

    It's sad - I've been a long time Windows developer.  I've been developing Windows applications for a long time and recently scoffed at web "apps" with their UI that was so much inferior to a nice, native Windows application.

    Except after dealing with many installation issues related to an Outlook plug-in I made (which seem to have nothing to do with my actual software) and issues like this "security" check, I'm coming to the conclusion that it's too much of a hassle to do Windows development.  For future projects, I will certainly be looking to see if there's any way to develop it as a web-based solution.  Any project or feature requiring the customer to do a download will probably be avoided.

    I can understand that Microsoft is sensitive about security issues after getting beaten up about it in the press, and this would have been a great feature to have in the IE6/Windows XP days.  But now it's not helping users and it's hurting the small developers.  There should at least be some way to have your application "cleared".

    Tuesday, January 24, 2012 12:13 AM
  • This question is NOT answered. 

    There are tons of posts all over the internet from software vendors as myself - I can provide links if you need them.

    Call me dumb but what I want to know is...

    How do you develop a 'reputation' - if I read this right no new software vendor (or new to SmartScreen statistics) can ever develop a 'reputation' once everyone is using this technology because 95% of our customers* will not download after they get the message. Maybe there is some high dollar list Microsoft will put you on that will give you an instant reputation??

    This is either a classic catch 22 or a bribe as far as I can tell - where do I  pay?

    Mark

    *http://blogs.msdn.com/b/ie/archive/2011/05/17/smartscreen-174-application-reputation-in-ie9.aspx

    "Users are choosing to delete or not run malware 95% of the time from the new Application Reputation warnings" - Microsoft

    PS Code signing does absolutely nothing to solve this problem.  Do we need a second signature?


    • Edited by mdsophy1 Wednesday, February 01, 2012 9:24 PM
    Wednesday, February 01, 2012 9:17 PM
  • Microsoft rethought the issue and decided to take the feature out of IE for Windows 8; they placed the feature in the OPERATING SYSTEM instead and buried the "More Info" link even further with its color nearly matching the background of the message. Microsoft, you are killing your own supporters because the small developers like us are making your OS more valuable to your customers. It seems that Apple becomes Microsoft with the Apps and Microsoft becomes Apple by closing the system to everybody but their partners.

    Thanks Microsoft You probably can keep the next Visual Studio because this crap is useless if I can't get my clients to install the software that I develop.

    Friday, February 10, 2012 6:25 AM
  • 100% correct. Question is not answered and for the Windows 8 it will be even worse. It looks like between the Norton and Microsoft I will have to give each and every one of my customers a certificate signed in blood and beg them to trust me enough to disable or bypass the DumbScreen Filter. The only job that filters do well is blocking the legitimate applications and not the viruses and malware. It looks like Microsoft has enough brains to screw the honest developers and not the hackers - I have to clean up trojans from my 11 year old's laptop almost on a monthly basis and he has IE9 and Norton. 

    Microsoft please realize that if you screw us badly enough we will leave and we might never come back.

    Friday, February 10, 2012 7:03 AM
  • Bump.  Microsoft, please stop ignoring this thread.

    Thanks.

    Friday, February 10, 2012 7:32 AM
  •  This bug just hit me today. Some software I recommended to a friend he could not download because of this filter. I would not be surprised if a class action lawsuit was not filed against MS for this ... this could kill small shops.
    Wednesday, February 15, 2012 4:09 PM
  • Guys, guys, please restrain your criticisms about SmartScreen Filter and Microsoft.  This is their only innovation in the last 20 years! Yeah SmartScreen Filter is totally useless and screwed up, yes it totally fails to protect our computers, yes it prevents legitimate developers from distributing their application via Internet and lets the viruses and Trojan apps go through, yes our clients are losing confidence in our product and in us for getting an alarming warning message like this and they need to be trained to find the hidden action to “Run Anyway”, yes… wait, what was my point again?

    Monday, February 20, 2012 7:50 AM
  • I am a small independent software developer, and my customers are also being scared off by these dire warnings. I have signed the msi file with a Comodo certificate, but that does not seem to help.

    I have investigated getting my apps approved via the Win Logo process, but that requires a WinQual account, which in turn requires a Verisign certificate. In one of the Microsoft docs, they implied that the Verisign certificate could be had for $99, but when I followed the URL to Verisign, Verisign wanted $500. And yes, $500 is a problem.

    Ironically, I have another download on my web site for a program that I wrote 10 years ago that is still popular. It is unsigned, and it generates no warning when downloaded via IE 9. I am finally planning to update this program, and sign it, but I fully expect the updated installer to generate warnings!!

    This is kind of a nightmare.

    --Elliot Leonard

    Monday, February 27, 2012 6:06 AM
  • The best workaround I've found is to zip up my installer. SmartScreen doesn't seem to complain in that case.
    Friday, March 02, 2012 10:11 PM
  • @Noah

    +10^6


    Rob^_^

    I would also add that distributing software as zipped archives is hard to monetize for ISVs (Independent Software Vendors)...

    Perhaps www.oisv.org has something in the pipeline for us.

    Friday, March 02, 2012 10:37 PM
  • I'm done with this farce. I'm not going to bother with a class action. I have the time, so I'll make them waste their time the way they make me waste mine by dragging their $500/hr lawyers into small claims court here in my little town.

    ASSHOLES!

    Wednesday, March 14, 2012 12:55 AM
  • Hey Alexey,

    Did the issue resolve ?

    I am facing the same problem, can you please help me ?

    Thanks,

    Saurabh

    Friday, March 30, 2012 12:39 PM
  • We are facing this same problem too.

    Does anybody have a fix ? 

    Thanks,

    Kevin Liang

    Thursday, May 03, 2012 3:31 PM
  • @Kevin,

    see the marked answer to this thread.


    Rob^_^

    Thursday, May 03, 2012 9:42 PM
  • I have read the following text in one of the links proposed in the marked answer

    "To learn more about the Windows Logo visit the Windows 7 Logo Program page on MSDN. This is a free process for signed programs that can help establish reputation for your download. "

    Well. I wouldn't say it's free as it will not work if you signed your app with a Comodo certificate. They only accept Verisign...which costs a lot more.

    And I'm not even sure an individual outside an organization can get a Winqual/Sysdev account anyway.

    So basically there is no way for a small individual independent developer to avoid being filtered rudely...even if the .exe is signed with a valid certificate. The message will just appear with a yellow header instead of a red one when the .exe is signed. Basically it does not make any difference.

    So basically the only solution is .zip file one...but it's really a band-aid fix.

    Wednesday, May 16, 2012 2:37 AM
  • Hi,
    I'm having the same problem. There are a lot of people that download my program but don't execute it. You may guess why....

    Currently I'm downloading it multiple times a day to get it 'commonly downloaded', the url is www.kreddit.nl if you like to help :)

    From the information above I understand that solutions like a certificate and a logo are costly and cumbersome. And above this it won't help.

    So if someone knows a way to get a file 'commonly downloaded' please let me know and post it on the forum.

    And a kind request for Microsoft, please find an ingenious solution that benefits both the naive surfer and the small entrepreneurs.

    Friday, June 01, 2012 8:57 AM
  • I'm also having the same problem. The application EXE is properly signed, we had no IE SmartScreen filter warnings for 9+ months, and now all users do get a warning and it's killing our conversion rate. Any new information from Microsoft would be greatly appreciated!!!
    Tuesday, June 05, 2012 12:44 AM
  • The problem with SmartScreen is even worse.

    We've been in the software business since 1998.

    Earlier we didn't have any problem with SmartScreen; it accepted all executable files signed with our certificate.

    But in May 2012 our old certificate expired and we renewed our certificate with Comodo again. And then we were faced with this nightmare. SmartScreen doesn't recognize our software files any more!

    It ignores that we use the same download URL, same website, same company with the same name in the certificate, just a renewed certificate.

    A week later the problem still remains.

    Even if SmartScreen accepts our new certificate, this problem will return again and again every 2 years with new certificates.

    Shame to Microsoft. You ruin small software companies.

    Wednesday, June 06, 2012 2:00 PM
  • Just recently for the first time we made one of our tools downloadable (demo version). Now this with no sensible way out and some ugly workarounds (zip it seems best). I'm always impressed by a 'solution' that causes a lot of issues to everyone, fails to provide its actual purpose, and is completely ignored and not discussed by the people who created it. What would be the % of legitimate to illegitimate downloads blocked? 1 in 100, 1 in 10,000?  It must be appalling given the horrible simplicity of the block criteria and re-occurrence of the issue anytime something is updated.  Also unfortunate is people using IE9 are the least likely general users who will assume the download is a real threat.

    Remember Steve?

    developers! developers! developers! developers! oh actually you know what?  Stuff em.


    IronPaw

    Tuesday, July 24, 2012 11:29 PM
  • When will this be fixed? Listen up MS, your power comes from your devs, don't go about screwing us now. Don't force us to use alternatives to circumvent your "SmartScreen" helps us by making it work properly... eg. Provide a warning to the user about the software and that although it is not commonly downloaded if you trust the developer it may be safe. For god sakes at least make it easier for users to find the friggin "Run" button.
    Monday, August 13, 2012 6:20 PM
  • This is NOT an answer! This is the same BS we've been hearing all along. Tell us how to fix the problem. And allow recerts to carry over rep from their previous one.
    Monday, August 13, 2012 6:26 PM
  • Interesting..

    I guess this changes the answer to my first question:

    > 1. Will the Extended Validation (EV) certificate be of any help, comparing to (not EV) certificate we're using now?

    Wednesday, August 15, 2012 10:20 AM
  • You did not even answer the questions.

    1) NO, do not buy a certificate because I did and the problem did not go away, neither on Windows 7 nor on the RTM Windows 8 version. Actually on Windows 8 the OS DELETES the file as soon as you go over the run button and finding the run button itself is not easy either. Even signed code with an Authenticode certificate does not remove the warning.

    What you wrote at 2) is FALSE. You use only and solely the amount of downloads. One application of ours that is one year old got enough downloads and is not signed, does not show any SmartScreen. Another one published 4 months ago and SIGNED, shows the smart screen sht

    THIS IS A SCAM to blackmail developers to pay part of their revenues to Microsoft in the app market since I am 100% sure that when in the app market those warnings will go away, not because the apps themselves are safer, but because Microsoft got the money from us.

    It is

    1) disgusting

    2) illegal

    3) unlikely to pass the European institution requirements for competition

    Last but not least, I gave orders to my lawyer to verify the possibilities to bring Microsoft in a Canadian court for damages and unfair competition.

    Monday, October 22, 2012 6:48 AM
  • This may offer a little bit of help to build the 'trust' that the SmartScreen is looking for...

    When deploying our App we signed it correctly with an Authenticode cert. However, when users downloaded it, the message said it was "not commonly downloaded and is not signed by its author". But it was signed by its author (us). I discovered that the way we were serving the file over http (from ASP.net code-behind) was somehow nullifying the certificate so that it wasn't recognized by SmartScreen (but it would show up later in the install process). In our case we were missing the 'attachment;' keyword and the content-length header (shown below). If you are beating your head against the smartscreen wall, make sure, at least, that your signature is correctly recognized.

                    Response.AddHeader("Content-Disposition", "attachment; filename=" & SetupExe.Name)
                    Response.AddHeader("Content-Length", SetupExe.Length.ToString())

    The difference was that in the SmartScreen warning window, it changed from “Publisher: unknown” to “Publisher: Smarter-Then-Smartscreen Business, Inc” 

    Friday, March 22, 2013 10:02 PM
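Added example (not part of the original thread and not the poster's code): a Python check, run against one captured response, for the two headers named in the post above and for whether the served bytes still carry the Authenticode certificate table that the "PE file integrity" step in the first reply relies on. The sample PE bytes, the header values and all function names are constructed for illustration; the check is structural only and does not validate the signature itself.

```python
import hashlib
import struct

SECURITY_DIR = 4            # IMAGE_DIRECTORY_ENTRY_SECURITY (certificate table)
PKCS_SIGNED_DATA = 0x0002   # WIN_CERT_TYPE_PKCS_SIGNED_DATA


def find_cert_table(pe):
    """Return (file_offset, size) of the certificate table, or None if unsigned."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("no MZ header")
    (pe_off,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    opt = pe_off + 24       # 4-byte signature + 20-byte COFF header
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic == 0x10B:      # PE32: data directories start at offset 96
        dirs = opt + 96
    elif magic == 0x20B:    # PE32+: data directories start at offset 112
        dirs = opt + 112
    else:
        raise ValueError("unknown optional header magic")
    (count,) = struct.unpack_from("<I", pe, dirs - 4)
    if count <= SECURITY_DIR:
        return None
    offset, size = struct.unpack_from("<II", pe, dirs + 8 * SECURITY_DIR)
    return (offset, size) if offset and size else None


def cert_table_intact(pe):
    """True if the certificate table lies fully inside the bytes we were given."""
    try:
        loc = find_cert_table(pe)
    except (ValueError, struct.error):
        return False
    if loc is None:
        return False
    offset, size = loc
    if size < 8 or offset + size > len(pe):
        return False        # table points past the end: body was cut short
    length, _revision, cert_type = struct.unpack_from("<IHH", pe, offset)
    return 8 <= length <= size and cert_type == PKCS_SIGNED_DATA


def check_download(headers, body, signed_file):
    """Compare one HTTP response with the signed installer kept on disk."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    problems = []
    if not h.get("content-disposition", "").lower().startswith("attachment"):
        problems.append("no-attachment")
    length = h.get("content-length")
    if length is None:
        problems.append("no-content-length")
    elif not length.isdigit() or int(length) != len(signed_file):
        problems.append("length-mismatch")
    if hashlib.sha256(body).digest() != hashlib.sha256(signed_file).digest():
        problems.append("body-mismatch")
    if not cert_table_intact(body):
        problems.append("cert-table-damaged")
    return problems


def build_sample_pe():
    """Constructed minimal PE32 header plus a placeholder WIN_CERTIFICATE."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)     # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                  # NumberOfRvaAndSizes
    blob = b"CONSTRUCTED-PKCS7-PLACEHOLDER"              # not a real signature
    cert = struct.pack("<IHH", 8 + len(blob), 0x0200, PKCS_SIGNED_DATA) + blob
    cert += b"\0" * (-len(cert) % 8)                     # 8-byte alignment
    struct.pack_into("<II", opt, 96 + 8 * SECURITY_DIR, 64 + 4 + 20 + 224, len(cert))
    return dos + b"PE\0\0" + coff + bytes(opt) + cert


if __name__ == "__main__":
    pe = build_sample_pe()
    good = {"Content-Disposition": "attachment; filename=setup.exe",
            "Content-Length": str(len(pe))}
    print(check_download(good, pe, pe))                  # correct response
    print(check_download({"Content-Disposition": "filename=setup.exe"}, pe, pe))
    print(check_download(good, pe[:-16], pe))            # body cut short
```

In practice `headers` and `body` would come from a real request to the download URL and `signed_file` from the installer as it left the signing step.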
  • This is indeed a serious problem. Our software is signed and it says our company name on "Publisher".

    However, as you have guessed, it's blocked by smart filter. Not ONLY through IE9, but SYSTEM WIDE. It doesn't matter how a user downloaded the file, it WILL be blocked by Smart Filter.

    This is seriously beyond frustrating. What was the point of the certificates then? I am sorry but I am not willing to pay $500 for a Verisign for my FREEWARE. 

    I am honestly not sure what to do from this point, I will get in the boat and wait you guys until someone can come up with a better solution.

    And no, the "Marked" answer, is not an answer.
    Wednesday, March 27, 2013 12:56 AM
  • I've developed a Windows application and that gets blocked by Smartscreen in Windows 8.

    My app is an executable that is zipped so that it gets past IE, but as others have mentioned, Windows 8 blocks the app when you try to run it after being unzipped.

    I really resent having to pay to have my application 'allowed' to run by Windows, and would like to add to the weight of comments here that Microsoft seriously needs to stop choking their own product!

    Smartscreen is killing small independent software developers - Microsoft needs to add a simple (free of charge) way for developers to register and get their apps approved by smartscreen.

    Thursday, July 11, 2013 12:53 PM
  • I have the same problem and it's really a shame that it's such a hassle.

    I'm trying to help my customers in updating their video client that we host for them. The client itself can manage to fetch an .exe file from the web and run it. The exe is re-packaged by me using IExpress just to be able to also run an ini file with some registry edits (program settings), but SmartScreen in Windows blows it all. I'm not very experienced in this whole distributing programs thing but it would be nice from time to time to do stuff like this to help people, but we don't have the time and knowledge to go through a whole certification progress just to pass the download to them.

    I just wanted to fill in in this thread to show that there are more people suffering from this. I will keep the topic under monitoring if a solution comes up!

    Thursday, July 25, 2013 7:10 AM
  • Yeah... This is really not cool. It doesn't make sense... False positives nullify any benefit the SmartScreen filter could possibly have. Basically, this is the exact same problem as UAC. The only way for apps to pass the filter is if the filter is bypassed multiple times. If that's the case, users will learn that it is BS and they have to just click "Run" in spite of the SmartScreen guidance. They will do this everytime and never benefit from it once.

    This is really unfortunate.

    Wednesday, August 28, 2013 2:36 AM
  • ah, I have the same issue.

    I realized why IE is going down the tubes...

    Sunday, October 13, 2013 8:05 PM
  • Started having the same issue last week with freeware application that I wrote and have been supporting for 2 years now.

    SmartScreen is a good idea, considering how much malware and other bad programs there are on internet.  But it is like ALPHA version right now that fixes one issue while introducing 10 more.

    What would be great is:

    1. Transparency on how it works.  How reputation is calculated and being able to view your reputation and how it was calculated.

    2. Ways to improve reputation without paying some 3rd party company a ton of money for doing nothing. Especially if I am trying to distribute freeware.  Why would I pay $100 or $500?

    This thread has been going on for 2 years, and doesn't seem like there is any response from MS.

    Makes me sad.

    Monday, November 04, 2013 2:03 PM
  • This is what we've added to our small company site. I think I may also include a link to this discussion. Feel free to copy any of it you wish to.

    See our download page at www dot mydataguard dot com 

    Microsoft False Warning:

    Newer versions of Windows IE,
    using their new 'SmartScreen', falsely assert that this file could harm your
    computer because 'it is not commonly downloaded'. We surmise that this is
    because we are a small software vendor. Other small developers report
    the same problem. Microsoft offers no remedy to correct this false report. Rest
    assured that you have nothing to fear from this installation file. No other
    browsers including Firefox, Safari, or Chrome report this to be a
    problem. 

    This is known as a 'false positive'.

    To reassure yourself you may scan the file with your virus scanner. You may also check the
    file and website using this free tool virus total, a subsidiary of Google. VirusTotal is an
    excellent tool and we recommend you use it for all files or websites that you
    have concerns about.

    Saturday, April 12, 2014 3:46 PM