This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(188.79999999999998, 52%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
I am a software developer. I write and sell a (Visual C++) software product. I have just released a new version of my software. First in years. Customers buy a licence and download the software from the Internet. I've had my share of false positives from AV programs in the past and have done everything we can to avoid that happening. Actually recently it seemed to have got much better. We always have a valid code signing certificate and we always sign both the program itself and the installation program. The following happened when we just released a new version of the software.
(1) If a customer using Microsoft Edge clicked on the download button to download the installation program from an Amazon S3 bucket, Microsoft Defender SmartScreen put up a big red screen saying "THIS SITE HAS BEEN REPORTED AS UNSAFE" (in big letters). It gives the name of the download site (our bucket) and then says "Microsoft recommends you don't continue to this site. It has been reported to Microsoft for containing harmful programs that may try to steal personal or financial information". This of course is nonsense. We have reported this several times, but it's still happening.
(2) If you downloaded the software using another browser, when you tried to run it, Windows Defender said it contained a trojan virus. We had previously submitted the file to VirusTotal and all 64 AV programs had pronounced it clean. We of course at once submitted the file to Windows Defender, and to be fair they responded quite quickly. Windows Defender (in its updated virus definitions at least) no longer is reporting any problems with the file.
(3) However, now if you download the file on a web browser (other than Microsoft Edge because they're still blocking it), when you come to run it, you get another screen (blue this time) from Microsoft Defender Smartscreen which says "WINDOWS PROTECTED YOUR PC" (in big letters). And then says "Microsoft Defender SmartScreen prevented an unrecognised app from starting. Running this app might put your PC at risk".
It has been doing this last one for ages. I have tried reporting all of these issues to Microsoft every way I can think of. I have submitted numerous files. I have given all the information I can think of about myself and my company. We have been around for over 20 years. We have been using code signed certificates for a very long time (can't remember when we started doing that).
WHAT CAN WE DO TO STOP THIS HAPPENING?
We have tried contacting Microsoft support. We just get passed from one team to another. We have tried going via our Microsoft representative that get our MSDN sub and software licences from. They say they can't help. We have looked everywhere on the Internet for help and advice. This is damaging our business. Our customers are understandably very concerned and complaining. What are we supposed to do?
HELP!!!
A high-level, general-purpose programming language, created as an extension of the C programming language, that has object-oriented, generic, and functional features in addition to facilities for low-level memory manipulation.
A programming language created by Microsoft that serves a stepping stone for beginners from block-based coding languages to more complex text-based languages.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(92.8, 12%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDL%3C/text%3E%3C/svg%3E)
I can only concur with what you're experiencing. I've seen a considerable rise in false positives from Microsoft Defender over the last few months, and the warnings that are given are terrible. It makes you suspicious they're trying to kill off downloading software for some reason.
Hi @simonx , tag small-basic-discussion is not suitable for your c++ question. Because small-basic-discussion is for Microsoft Small Basic program language. Thanks.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(60.8, 36%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EC%3C/text%3E%3C/svg%3E)
Any progress on this? Really annoying situation :\
Here's my blog post about this:
That's not very Smart of you, Microsoft
Microsoft needs to realize this is a big problem for ISVs.
Good blog post - sums up the situation well for folks in our situation. Having said that, I've not had any reports of it happening for my latest releases, so maybe MS have loosened the noose at some point?
Still a problem for me. I've dual code signed with SHA1 and SHA256. I've submitted my software several times for analysis.
Supposedly, I just need enough downloads from different IP addresses for it to become trusted. But who will download an untrusted app? Chicken and egg.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 77%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPC%3C/text%3E%3C/svg%3E)
I'm late to the game and just got the taste of this myself. Maybe going to the EV cert might be the correct answer for us since we have an established business. Still, this is utterly an annoying problem to have. This reminds me of the over-the-top DRM on games. Funnily, the only people suffering are the customers and not the people that MS is trying to supposedly guard against.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(86.4, 63%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBJ%3C/text%3E%3C/svg%3E)
@Louis Kessler Hi from the future... The question on everyone's lips... what happenned after 3 years; are you in the process of renewing your cert / did you have any joy with the new one?
https://www.beholdgenealogy.com/blog/?p=3823
In case it helps, some people recommend signing code with the old and new one for a while so the old one allows the program to be trusted whilst the new one gains reputation (it seems you have to sign old THEN new, i.e. order seems to matter).
Good luck with it!
John,
Thanks for the tip about double code signing. However, due to the high (and recently increased) cost of code signing, I usually wait until just before my current one expires before I buy a new one.
Yes. I did renew my certificate, this time with Sectigo for 3 years at a whopping $709 USD which includes the 1-time cost of the USB hardware token. But the purchase was much easier than in the past as everything was done electronically and I did not need in-person contact or a lawyer's certified stamp.
I am still finishing up the current release of my software, so I can't tell you yet if the new certificate will have the same trust issues or for how long. But when I do, I may update my old article or post a new one.
After my release, I will also see if I can get my program on the Microsoft store and see if that helps the trust issues.
Nice one, thanks for the feedback; and for sharing the blog in the first place. Good luck with your new cert / next release.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(89.60000000000001, 11%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EIK%3C/text%3E%3C/svg%3E)
Same problem here. We are software development company and have been signing our builds with Extended Validation (EV) Code Signing Certificates for years. Still, our customers get the SmartScreen warning message.
Similarly, when we attempted to publish our app on Microsoft store we faced same problem - Microsoft Store team refuses to publish apps if they have that SmarScreen window popping up.
We managed to resolve issues with the SmartScreen on all our test computers but it does not matter. What matters if your app raises that window on Microsoft Store team when they do a test installation. There is absolutely nothing you can do about it but keep posting negative reviews about SmartScreen and Microsoft in general.
For the benefit of anyone else who's had the same problem, I did buy an EV code signing certificate (I had 2 years to run on my old OV code signing certificate but I got nothing back on that) ... and hey presto all my problems went away (touch wood). Can't say I felt happy about having to pay even more for something I felt I'd already paid for, but at least it has seemed to fix the problem. I appreciate that this option is not available to everyone though. The current system seems designed to squeeze the smaller players out. In whose interest is that?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(278.4, 45%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EK%3C/text%3E%3C/svg%3E)
Thanks for taking the time to come back and share your experience.
This reminds me that this could already be a lot easier (and hence also cheaper?!), if CAs, MS and others would just wake up and use what is available.
In most countries at least in EU you can get a government issued citizen certificate on a smart card or mobile phone SIM. It is not a code signing certificate, but it identifies you just as well as a passport. So technically it would be rather easy and cheap to identify people reliably online. Hopefully the production cost reduction would be reflected on the certificate price for eID users.
The browser technologies to access the certificate are a bit lacking and governments resort to different in-house (in-country?) solutions. EU has a program to offer a service to consolidate the slightly different member state e-identities to a single identity service available to service providers.
(It would also be tremendously useful if you could add your citizen serial number to online accounts so you could recover access to your account by contacting your local authorities for new credentials if you lost your old keys.)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(275.2, 9%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAI%3C/text%3E%3C/svg%3E)
We've continued to have problems with this even though we've had an EV cert for years. Some government employees and contractors can't tell Edge the file is acceptable, so they have to do things like download the file at a library or at home (since they can't use any browser but Edge) in order to get around this. It would be awesome if Microsoft would provide a way for this to be fixed. It's not just affecting small, independent developers, but also well-established companies.
Yes I'd seen that. It looks like I will have to shell out. Can't say I feel happy about it.
I notice that there is some suggestion that things may be a little easier if you have an "EV" code signing certificate rather than an "OV" one. The former are about 3 times more expensive, and it's very unclear what you're paying for. Does anyone know anything about this? Should I pay for an "EV" certificate (even though my OV certificate has 2 more years to run and there's no upgrade option)?
Information here implies that an EV code signing cert gives you instant reputation, though it also says you can get the OV certs accepted too if you play a game. :(
EV certificates require an incorporated business. Many independent software vendors like myself have not registered their company as a business and cannot purchase an EV code signing certificate.
I know the situation well. If you're a sole developer you have a heck of a time proving to the code signing issuer who you are.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(313.6, 44%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJH%3C/text%3E%3C/svg%3E)
You mean reputation, not repudiation, right? The latter means rejection or denial.