14

I'm planning on signing one of my software with a code signing certificate, because when a user downloads it a tries to run it, Windows 10 will show a full screen warning that it might be dangerous.

The certificate is quite expensive, and the EV certificates promise that they get rid of the warning immediately, but not in a straightforward way, I cannot really trust them.

So my question is how long does it take for windows to stop showing the warning after I buy a standard cert and sign my code, and what do I exactly need to do to make the process faster?

Thanks.

Sevron
  • 493
  • 7
  • 18
  • 1
    Well I've gone ahead and bought a code signing cert from Digicert (not an EV version), and we still have this problem. Not sure how long will it take for it to go away – Sevron Oct 05 '16 at 09:53
  • 1
    @ajbeaven sure it took a couple of days, and couple of downloads, and it have gone away. Since then we moved to EV certs for a different reason, but standars ones are still fine. – Sevron May 18 '17 at 08:48
  • 1
    Related: [Transferring Microsoft SmartScreen reputation to renewed certificate](https://security.stackexchange.com/q/222140/43677). – Martin Prikryl Mar 05 '21 at 07:08

5 Answers5

12

I forgot about this question but got resolved since then.

It took a couple of days, and couple of downloads, but it have gone away.

Since then we moved to EV cert for a different reason, but standard ones are still fine.

Sevron
  • 493
  • 7
  • 18
  • 3
    Any chance you could be more specific regarding the estimated number of downloads? I've read somewhere that it needed 3k downloads to disappear! – ajbeaven May 18 '17 at 20:05
  • 3
    For me it must have been around ~100, but there are multiple factors involved. if an user downloads it trough IE, it matters more. Also I've uploaded the app to virustotal, it might have mattered. We have also got manually white listed by an AV company. So basically you simply have to "shed" the smartscreen warning organically by your user base. – Sevron May 19 '17 at 15:30
9

Unfortunately, this is difficult to answer, since Microsoft itself refuses to publish any details about this. According to inofficial numbers reported by various sources (see below), it usually takes between 2 and 8 weeks until the warning will permanently go away. It seems that the exact duration also depends on the reputation of the website from which your app is downloaded.

The inofficial numbers are:

  • 18 days and about 430 app installs. Source: one of my own certificates (Dec 2022)
  • 42 days and about 1.400 app installs. Source: one of my own certificates (Feb 2021)
  • 16 days and about 2.000 app installs. Source: one of my own certificates (May 2020)
  • One month and more than 10.000 downloads. Source: here (Jan 2020)
  • Between a few weeks and a month. Source: here (Dec 2019)
  • About 2-3 weeks. Source: here (Dec 2019)
  • About 3.000 downloads. Source: here (Dec 2013)

Also see my other answer here to get the whole picture about these Microsoft SmartScreen warnings and what you can do and should know about it.

emkey08
  • 5,059
  • 3
  • 33
  • 34
3

It seems to be made of 2 parts - application reputation and certificate (thumbprint) reputation.

SmartScreen builds reputation both for the program and for the code signing certificate thumbprint. Application may establish reputation after a certain time and number of downloads (worldwide) and certificate thumbprint as it seems takes a bit longer to establish a reputation.

According to Microsoft, once the certificate thumbprint has gained enough reputation, any future signed executable using that certificate will no longer issue a warning so it makes sense to purchase 3-year certificate rather than 1-year to keep the thumbprint the same for as long as possible.

Microsoft does not publish how many installations are required to gain thumbprint nor software reputation. The only way to gain instant reputation is EV certificate.

Coder12345
  • 3,431
  • 3
  • 33
  • 73
2

Last time in 2017 my OV code signing certificate gained enough reputation in about 1 month and about 300 downloads.

It was a bit scary to publish a newly signed installer that shows a blue window of the Smart Screen, but I minimized the harm of that Smart screen warning: on my website I've got a webpages in different languages, so I placed the new installer on localized pages for languages that don't give much sales, like Portuguese/Romanian/Hungarian. I guess I lost some sales, but not too many.

And after 1 month or so all future signed installers were not causing a Smart Screen warning. That time I got a certificate for 4 years and lived happily all these 4 years.

Now I need to reissue the code signing certificate. Cannot renew because of the company name modification. And I want to get the new code signing certificate for maximal number of years.

But unfortunatelly certification centers give certificates now for 39 months max. Some of them allow you to pay for 4 or 5 years: they explain that after 3 years they will make a technical re-issue of the certificate for the rest 1 or 2 years. Maybe it is a good idea, maybe not, but I decided to purchase 3 year certificate.

I found that Microsoft gave the following recommendations:

· When using a new certificate (or even renewing a cert), use the same information (Name, email contact address, etc.) that was used for an older, established certificate

· Use the new certificate to sign an already established application

· Sign a new application with an already established certificate

· Ensure that applications signed with the new certificate are accessible (rather than remaining on an intranet, for example)

· Do not create many different certificates for signing applications. Use a limited number of certificates, and ensure that applications that are signed with them are not vulnerable to compromise

· Consider renewing the certificate a little early and signing a few of your applications with it before your existing certificate expires

The last advice is very important, because it is better to have a valid certificate, till the new one gain reputation.

MaxSh
  • 31
  • 1
  • 2
0

last time in 2021-12-1 ,I bought an OV code certificate. After about 3 months,it still displayed "microsoft defender smartscreen". I summited it to https://www.microsoft.com/en-us/wdsi/filesubmission. Fill in "Detection name *" use "Windows Defender SmartScreen prevented an unrecognized app from start warn". About 2 days later microsoft defender smartscreen disappeared。

YScharf
  • 1,638
  • 15
  • 20
hertz
  • 1