15

So, I have been working on my own project, for which I have been looking into certificates and such. While browsing Reddit I found a game whose exe file I launched, expecting to get a Windows 10 warning message, such as occurs for most games on itch.io and for my own unsigned applications. To my surprise, however, the game just straight up launched without any Windows 10 SmartScreen appearing. This is despite the program not appearing to have any digital signature in the file properties.

How is this possible?

I can only think that it was signed, but for some reason it is not showing that the program is signed.

The game was MidBoss (a legitimate game which is on itch.io and Steam), which I downloaded the Windows main from: https://midboss.net/classic/

I expected to get a warning like this, but no warnings whatsoever were displayed.

[Image: Windows 10 SmartScreen warning]

The properties of this application have no digital signatures tab.

[Image: Properties of application]

Unlike this application which has been signed.

[Image: Application which was signed]

vbscript

1 Answer

27

Windows Defender SmartScreen blocks or allows applications based on reputation. The reputation can be either for the application itself, or for the certificate used to sign it. Usually developers sign their code so their Authenticode certificate can build reputation and they do not have to repeat the reputation building process every time they issue an update for their application.

However, an executable (whether signed or unsigned) itself can also build reputation, which seems to be the case here. Enough people have used this particular executable safely that SmartScreen is now confident that this executable is not malicious.

nobody
  • 2
    It is surprising that an unsigned application can still build reputation (and that I haven't heard of that in any of the pages that I have read). I guess the author is just missing out on building reputation on their certificate which could be used for signing their other applications if they had chosen that path to follow. – vbscript Dec 28 '20 at 08:01
  • 9
    @vbscript Haha yes, nice way of putting it. Next time you want to get some malware out, just sign a game and distribute it, then use the same certificate to sign your malware :) – nobody Dec 28 '20 at 08:08
  • @nobody But wouldn't that immediately make you easier to find? – Vilx- Dec 28 '20 at 19:43
  • 2
    @Vilx- Only if you were stupid enough to register the certificate and/or distribute the game under your own identity. Identity theft is prolly easier than stealing a trusted code-signing certificate. – nobody Dec 28 '20 at 19:48
  • 2
    @vbscript It's kinda briefly mentioned [in the docs](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview): `Checking downloaded files against a list of files that are well known and downloaded by many Windows users`. – mgarciaisaia Dec 29 '20 at 03:52
  • What is the executable's identity for the purpose of reputation? Its hash? If it's anything that can be held constant while the behavior of the executable is changed this policy sounds disastrous. In particular it sounds really bad for anything with an embedded language interpreter with bindings for functions that affect the outside system; once the executable has good reputation with the scripts it ships with, someone can just copy it and ship it with malicious scripts to execute instead. – R.. GitHub STOP HELPING ICE Dec 29 '20 at 18:39
  • @R..GitHubSTOPHELPINGICE Yup I believe it's a hash. No antimalware solution can ever be perfect. And in your scenario, it's the scripts that are malicious and should be blocked, not the executable itself. Otherwise, all language interpreters would be blocked and people (especially developers) would resort to ignoring this warning every time. – nobody Dec 29 '20 at 18:52