
I know that even software signed with a new code signing certificate triggers the Microsoft Defender SmartScreen warning:

Windows Defender SmartScreen prevented an unrecognized app from starting

The warning goes away only after the certificate builds a reputation:
Smart-Screen filter still complains, despite I signed the executable, why?


But we have been signing our software (WinSCP) with a DigiCert code signing certificate for years. It is a plain certificate, no Extended Validation (EV).

As our certificate is expiring soon, we have renewed it. But now, signed with the renewed certificate, our software triggers the SmartScreen warning.

Is that expected? Is the reputation really not transferred to the renewed certificate? If not, what does it take to build the reputation again? The new (beta) version of our software (signed with the renewed certificate) has been out for a few days already, and it has tens of thousands of installations, but it still triggers the warning. Or is there a way to help the reputation transfer somehow?

We have tried to submit the files for malware analysis to Microsoft. Although the binaries passed the tests, it did not have a visible effect on the SmartScreen check.

Martin Prikryl
  • We face this situation each time we renew our Authenticode certificate. Without EV, you must build the reputation from scratch. – Jozef Izso Dec 02 '19 at 11:26
  • @JozefIzso Thanks for your comment. And how long does it take to build it? – Martin Prikryl Dec 02 '19 at 11:30
  • It takes a few weeks while we use our internal builds, and no longer than a month. – Jozef Izso Dec 02 '19 at 13:16
  • "...SmartScreen builds reputation for both individual programs and for the certificate used to sign that code. Code signing is important to our reputation intelligence because this higher level identity allows us to build reputation across multiple programs signed by a publisher. It is also important for publishers because signed programs inherit the reputation of the certificate with which they are signed; this means every program a publisher distributes doesn’t need to build reputation individually." – Petr Dec 02 '19 at 21:38
  • More here... https://blogs.msdn.microsoft.com/ie/2012/08/14/microsoft-smartscreen-extended-validation-ev-code-signing-certificates/ However, how long does it take to build reputation for a new certificate? – Petr Dec 02 '19 at 21:39
  • Yes, we must use the software internally long enough so customers do not face the SmartScreen information. Usually we don't see it after a few days when up to 10 people use it. – Jozef Izso Dec 05 '19 at 09:37
  • @JozefIzso About one month after a release, the SmartScreen message stopped showing. But now we have released a new version of the software signed with the same certificate and it shows the message again. Is that expected? I expected that the message would be gone for good. Thanks. – Martin Prikryl Jan 07 '20 at 08:14
  • We found that as long as you submit the application for certification the reputation will carry over. It won't matter that there is a new certificate: https://docs.microsoft.com/en-us/windows/win32/win_cert/windows-certification-portal – pcalkins Mar 02 '20 at 20:17
  • @JozefIzso Only ~10 people is enough such that future customers won't see it again? – Basj Sep 08 '20 at 09:30
  • @MechMK1 No, the reputation isn't transferred, even if the renewed certificate has the same public key. I've renewed my certificate in Jan 2021, using the same certificate signing request (CSR) as last time, and still SmartScreen started complaining again afterwards. Also see my answer https://stackoverflow.com/a/66582477 for details. – emkey08 Mar 28 '21 at 07:33
  • I have recently learned that it is possible to dual-sign binaries, which I think is intended to be used to sign with both SHA-1 and SHA-256. Does anyone know if it is possible to dual-sign with two different certificates? Would that possibly help to transition to a renewed certificate (before the old one expires, of course). If anyone has tried this then please let me know. Thanks! – stefansundin Jul 10 '21 at 18:44
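stefansundin's comment above asks whether a binary can be signed with two different certificates rather than just two hash algorithms. The PowerShell below is an added example and is not code from the question, from any answer, or from the WinSCP project: it uses signtool's `/as` (append signature) switch to add a second Authenticode signature from a different certificate, then enumerates every signature on the file. The file path, thumbprints, certificate store and timestamp URL are assumptions. Whether SmartScreen credits the appended signature is not something this thread establishes; the block only shows the mechanics.

```powershell
# Added example (not from the question, the answers, or WinSCP): dual-signing a
# binary with two different Authenticode certificates using signtool's /as
# switch, then listing every signature on the file.
# Assumptions: signtool.exe (Windows SDK) is on PATH; both certificates are in
# CurrentUser\My with their private keys; path and thumbprints are placeholders.

$File          = 'C:\build\myapp.exe'                 # placeholder path
$OldThumbprint = 'OLD_CERT_THUMBPRINT_PLACEHOLDER'     # established certificate
$NewThumbprint = 'NEW_CERT_THUMBPRINT_PLACEHOLDER'     # renewed certificate
$Tsa           = 'http://timestamp.digicert.com'      # RFC 3161 timestamp server

function Get-SigningCert([string]$Thumbprint) {
    # Refuse to sign with a certificate that is missing, key-less, or expired.
    $cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object Thumbprint -eq $Thumbprint
    if (-not $cert) { throw "Certificate $Thumbprint not found in CurrentUser\My" }
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key" }
    if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $Thumbprint expired on $($cert.NotAfter)" }
    return $cert
}

$old = Get-SigningCert $OldThumbprint
$new = Get-SigningCert $NewThumbprint
Write-Host "Old cert: $($old.Subject) valid until $($old.NotAfter)"
Write-Host "New cert: $($new.Subject) valid until $($new.NotAfter)"

# 1) Primary signature with the established certificate. SHA-256 file digest and
#    an RFC 3161 timestamp so the signature stays valid after the cert expires.
& signtool sign /fd SHA256 /sha1 $OldThumbprint /tr $Tsa /td SHA256 $File
if ($LASTEXITCODE -ne 0) { throw 'Primary signing failed' }

# 2) Append a second signature with the renewed certificate. Without /as,
#    signtool replaces the existing signature instead of adding one.
& signtool sign /fd SHA256 /sha1 $NewThumbprint /tr $Tsa /td SHA256 /as $File
if ($LASTEXITCODE -ne 0) { throw 'Appending the second signature failed' }

# 3) Get-AuthenticodeSignature reports the primary signature only, so use
#    signtool verify /all to walk every signature embedded in the file.
$primary = Get-AuthenticodeSignature -FilePath $File
Write-Host "Primary signer per PowerShell: $($primary.SignerCertificate.Thumbprint) status=$($primary.Status)"
& signtool verify /pa /all /v $File
```

Run it from a Developer Command Prompt (or any shell where `signtool.exe` resolves) against a copy of the binary, since each `sign` call rewrites the file in place. The `verify /all` output is where you confirm that both the primary and the appended signature chain to a trusted root; a single-signature check would only ever show the first one.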

3 Answers


To complement the comment by @JozefIzso: The binary became trusted after about one month. While the next release became trusted after only about 10 days, the third release again did not become trusted for weeks.

It does not look like a standard code signing certificate can be used nowadays. We gave up and went for an EV certificate.

Martin Prikryl
  • Thank you for this answer @MartinPrikryl. A few details: (1) *"The binary became trusted after about one month."*: just to get the order of magnitude, how many downloads / installs by end users were needed? (I think it's this count that increases the reputation, is that right?) -- (2) *"the further release become trusted after about 10 days only, third release did not become trusted for weeks again"*: does this mean that if `mysoftware-v.1.0.1.exe` is finally trusted, then you start with reputation=0 again for `mysoftware-v.1.0.2.exe`, really? – Basj Sep 08 '20 at 09:08
  • @Basj Yes, that's what our experience was like. + As my question says, the respective (beta) releases had several tens of thousands of downloads. – Martin Prikryl Sep 08 '20 at 09:24
  • Thanks for your answer. So I can't expect to see the SmartScreen messages disappear for my users if, say, only 100 users have downloaded it? Do you confirm this comment? *"Usually we don't see it after few days when up to 10 people use it. – Jozef Izso"* – Basj Sep 08 '20 at 09:29
  • PS: before going the EV certificate route, did you try https://www.microsoft.com/en-us/wdsi/filesubmission, did it help? – Basj Sep 08 '20 at 09:29
  • No, I do not confirm that comment. + Yes, we tried the file submission. It did not help. – Martin Prikryl Sep 08 '20 at 09:42
  • This is probably the answer for https://stackoverflow.com/questions/63791103/is-there-a-way-to-smartscreen-whitelist-a-exe-by-microsoft-without-an-ev-cert, that I posted, then. I think I will have to spend these $300... – Basj Sep 08 '20 at 09:49
  • Also see https://stackoverflow.com/q/39437773 – emkey08 Mar 05 '21 at 06:05

As you've figured out, you can't transfer it, and you're stuck without using EV. Because you've got a new certificate, it took some time for your software to be verified as safe. What I think is happening now is that your signing certificate is still seen as relatively new and needs to build up reputation, but because the previous software release was all OK, I would expect that the reputation build-up is quicker this time.

The only definite way to speed this up is to get EV certificates. However, by submitting new releases here: https://www.microsoft.com/en-us/wdsi/filesubmission you may be able to increase reputation. This blog has some interesting statistics and spotted some potential patterns: https://www.coretechnologies.com/blog/windows/microsoft-smartscreen-filter/

One potential way to get around this, at least relatively recently, was to have an installer that changes code very infrequently. This code then downloads the program in the background and this would often work. Unfortunately, I don't think that's going to work for WinSCP (which is very useful btw, keep up the good work!).

LTPCGO
  • Thanks for your response. I have posted the first version of WinSCP signed with the renewed certificate to Microsoft already, right after the release, after the problem appeared. Though after the message did not go away in a few days, I withdrew that release. So I cannot really tell what impact, if any, it had. – I've submitted the new version of WinSCP now too, just in case... – The blog post is rather dated. SmartScreen is now built into Windows 10 and the check is triggered no matter what browser you use to download the file. – Martin Prikryl Jan 08 '20 at 08:50
  • Yes, unfortunately, soz, which is why I doubt the second solution works now. – LTPCGO Jan 08 '20 at 10:15
  • That file submission page is quite discouraging. In particular it requires "Detection name *" if you select "Incorrectly detected as malware/malicious:". It doesn't seem appropriate to submit new software at all. – O'Rooney Jun 08 '21 at 04:09

This is an answer from Microsoft received in 2020. It seems the most important advice is to get the new code signing certificate before the previous one expires, so the new one has time to gain reputation. Last time I got the new cert to gain reputation in about 30 days.

To give you some additional background, when a certificate is renewed, or if a new certificate is used to sign files, fresh reputation needs to be established. The reputation of the previous certificate is one of the important elements in attaching reputation to the newer certificate. Typically, a renewed certificate will establish reputation more quickly than a completely new certificate such as one from a different CA or one which uses different organization details (company name, etc.). For future reference, here are some suggestions to help establish reputation for a new or renewed certificate:

  • When using a new certificate (or even renewing a cert), use the same information (Name, email contact address, etc.) that was used for an older, established certificate
  • Use the new certificate to sign an already established application
  • Sign a new application with an already established certificate
  • Ensure that applications signed with the new certificate are accessible (rather than remaining on an intranet, for example)
  • Do not create many different certificates for signing applications. Use a limited number of certificates, and ensure that applications that are signed with them are not vulnerable to compromise
  • Consider renewing the certificate a little early and signing a few of your applications with it before your existing certificate expires
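The Microsoft reply above is a checklist; the PowerShell below is an added example, not part of MaxSh's answer or of the Microsoft reply, that turns three of its items into checks a release engineer can run: confirm the renewed certificate carries the same subject details as the established one, warn when the overlap window before the old certificate expires is short, and sign an already shipped application with the renewed certificate (timestamped) and verify the result. The subject string, application path, certificate store and timestamp URL are assumptions; the 30-day threshold is taken from the "about 30 days" figure in the answer and is only a warning level, not a SmartScreen rule.

```powershell
# Added example (not from MaxSh's answer or the Microsoft reply it quotes).
# Assumptions: the established and the renewed code-signing certificates both
# live in CurrentUser\My with private keys and share the same Subject; $App is
# an existing, already shipped binary (placeholder path).

$Subject = 'CN=Example Publisher, O=Example Publisher, L=Prague, C=CZ'  # placeholder
$App     = 'C:\release\established-app.exe'                             # placeholder
$Tsa     = 'http://timestamp.digicert.com'                              # RFC 3161 server

# All code-signing certificates for this publisher, oldest expiry first.
$certs = @(Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
           Where-Object { $_.Subject -eq $Subject -and $_.HasPrivateKey } |
           Sort-Object NotAfter)

if ($certs.Count -lt 2) {
    throw "Expected an established and a renewed certificate for '$Subject', found $($certs.Count)"
}
$old = $certs[0]    # established certificate, expiring soonest
$new = $certs[-1]   # renewed certificate, expiring last

function Test-SameIdentity($a, $b) {
    # Item 1 of the advice: the renewed cert should carry the same organization
    # details. Subject must match; issuer is only reported, since CAs rotate
    # intermediates between renewals.
    $same = ($a.Subject -eq $b.Subject)
    Write-Host "Old issuer: $($a.Issuer)"
    Write-Host "New issuer: $($b.Issuer)"
    return $same
}

if (-not (Test-SameIdentity $old $new)) {
    Write-Warning "Subject differs between certificates: '$($old.Subject)' vs '$($new.Subject)'"
}

# Last item of the advice: renew early enough to sign shipped builds with the
# new cert while the old one is still valid.
$overlapDays = ($old.NotAfter - (Get-Date)).Days
if ($overlapDays -le 0) {
    Write-Warning "Established certificate already expired on $($old.NotAfter); no overlap left"
} elseif ($overlapDays -lt 30) {
    Write-Warning "Only $overlapDays days until the established certificate expires"
} else {
    Write-Host "$overlapDays days of overlap remaining"
}

# Item 2 of the advice: sign an already established application with the
# renewed certificate. The timestamp keeps the signature valid after the
# certificate itself expires.
$sig = Set-AuthenticodeSignature -FilePath $App -Certificate $new `
                                 -HashAlgorithm SHA256 -TimestampServer $Tsa
if ($sig.Status -ne 'Valid') { throw "Signing failed: $($sig.StatusMessage)" }

# Verify and report which certificate now signs the file.
$check = Get-AuthenticodeSignature -FilePath $App
Write-Host "Signed by $($check.SignerCertificate.Thumbprint) ($($check.SignerCertificate.Subject)); status: $($check.Status)"
```

Run it once per release during the overlap period, before the established certificate lapses. `Set-AuthenticodeSignature` replaces any existing signature on the file, so keep the original artifact if you need to compare the old and new signatures side by side.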

MaxSh