"Unknown Publisher" - Windows SmartScreen Issues

  • Question

  • Greetings,

    I am the CEO of a new startup company currently making anti-virus software. Right now, during testing, we are getting pop-ups that say "Windows has protected your PC" & "Unknown Publisher." When speaking to my developer, he said I need to contact Microsoft and pay for an authenticity certificate. Where can I go to contact the correct people so I can get our product tested and approved? Thank you!

    Wednesday, March 16, 2016 10:39 PM

All replies

  • Smart screen is a peer to peer screening process so you need enough reputation from people who choose to run your app after downloading. 

    A Microsoft Authenticode signature can help the user to verify your file has not been tampered with after being released. It does not help you to pass the smart screen, unless you have used the same Microsoft Authenticode certificate to sign an old version of your program that already passed the smart screen.

    Visual C++ MVP

    Sunday, March 27, 2016 3:52 PM
  • Authenticode certificates are sold by a number of major 3rd party CAs, specifically those that are listed by default in the Windows Certificate Store (viewable via "Internet properties") under "Trusted Root Certification Authorities" with an "Advanced Option" of "Code Signing" checked by default.

    In practice, if there is any driver component in your planned antivirus solution, you will need to get the certificate from one of the (fewer) authorities for whom Microsoft has issued a "cross certificate" for signing driver files (.sys files etc.) on 64 bit versions of XP through Windows 8.1.  Plus an EV code signing certificate (about twice the price) for signing drivers submitted to Microsoft for Microsoft signing for Windows 10.  Last time I checked those were, in alphabetical order: AddTrust, Certum, DigiCert, Entrust, GlobalSign, GoDaddy (allegedly broken according to another discussion), NetLock, SecurityComm, Starfield, StartCom, Symantec (GeoTrust, TC TrustCenter, Thawte and VeriSign brands) and UTNUserFirst.

    For the EV certificate, note that it is only available with modern signing strength (SHA-256), and that the Microsoft division dealing with driver signing may or may not accept all issuers of EV code signing certificates that are accepted by the Microsoft division setting the policies for signing regular programs.  You will have to hunt down that driver signing division (may have a "hardware quality" related name) and ask them.

    For the non-EV certificate that signs all the other files, you will need both an SHA-256 based certificate for Windows 7 and later (can be the EV certificate for allegedly better treatment in SmartScreen), and an SHA-1 based certificate (cannot be issued as an EV certificate, will be harder and harder to get) for use on Vista, XP and clean Windows 7 installs (that is Windows 7 without the relevant code signing Windows Updates).  For Windows 7 (unpatched), Vista and XP, the ability to handle SHA-256 based certificates may depend on the exact file type being signed and which service pack (if any) has been installed.

    You will also need to set up a "special relationship" with a 3rd Microsoft Division in order for your antivirus to be recognized by the "Solve PC Issues"/"Security Center" taskbar icon as "the user has installed an antivirus program, stop telling them they haven't".  The requirements for doing so are unknown (to me).

    Note that in all cases, it is the Windows Version on the end user's machine, not the Windows Version you develop on that counts, and that many users will want to install your antivirus before connecting to the Internet and downloading Windows Updates (hence my information above about using a different certificate for Windows 7 machines that are freshly reinstalled without the latest Windows Updates).

    As with all things security, there are lots of additional complications, and you need to take much better than average care of protecting your signature keys, but hopefully you already have strong security expertise in house (otherwise you shouldn't try to be in the Antivirus business).

    Monday, March 28, 2016 2:01 PM
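
Added example, not part of the thread above: a PowerShell check to run over a build output folder before release. For each binary it lists whether the Authenticode signature validates, who the publisher is, and whether the signing certificate is SHA-1 or SHA-256 based, the distinction the second reply draws. The `.\release` default path and the extension list are assumptions.

```powershell
# Added example: audit Authenticode signatures in a build output folder.
# $BuildDir is a hypothetical default; point it at your own binaries.
param(
    [string]$BuildDir = '.\release'
)

# File types that normally carry an embedded Authenticode signature (assumed list).
$extensions = '*.exe', '*.dll', '*.sys', '*.msi'

$report = Get-ChildItem -Path $BuildDir -Recurse -File -Include $extensions |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate   # $null when the file is unsigned

        [pscustomobject]@{
            File        = $_.Name
            # Valid, NotSigned, HashMismatch, NotTrusted, ...
            Status      = $sig.Status
            # Subject is what Windows shows as the publisher; empty means "Unknown Publisher".
            Publisher   = if ($cert) { $cert.Subject } else { $null }
            Issuer      = if ($cert) { $cert.Issuer } else { $null }
            # Algorithm the CA used to sign the certificate, e.g. sha1RSA or sha256RSA.
            CertSigAlg  = if ($cert) { $cert.SignatureAlgorithm.FriendlyName } else { $null }
            CertExpires = if ($cert) { $cert.NotAfter } else { $null }
            # Without a timestamp the signature stops validating when the certificate expires.
            Timestamped = [bool]$sig.TimeStamperCertificate
        }
    }

$report | Format-Table -AutoSize

# Fail the release step if anything is unsigned, invalid, or not timestamped.
$bad = $report | Where-Object { $_.Status -ne 'Valid' -or -not $_.Timestamped }
if ($bad) {
    Write-Warning ("{0} file(s) need attention: {1}" -f @($bad).Count, ($bad.File -join ', '))
    exit 1
}
```

`Get-AuthenticodeSignature` reports only the primary signature, so a file that carries both an SHA-1 and an SHA-256 signature shows just one of them here. The result also reflects the trust store and updates of the machine running the check, so repeat it on the oldest Windows version you intend to support.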