
Context:

I'm designing a deployment process for a Windows 10 desktop application that will run on client machines. There are two programs: an app and an installer which downloads and installs the app. It's important that clients never see any scary security warnings. The installer is signed with an Extended Validation (EV) Certificate, so it doesn't trigger Windows SmartScreen. The app is not signed by any certificate but, in testing, Windows 10 doesn't seem to complain when the user runs the app.

Questions:

  • Does Windows SmartScreen consider the unsigned app safe because it wasn't downloaded by a web browser?
  • Can I depend on this behavior and forgo code signing the app?

Not My Question:

I'm not asking if I should sign the app for other reasons, I know I should. Only asking about Windows SmartScreen security warnings.

Supporting References:

Based on these references, it seems SmartScreen may only care about executables downloaded from a web browser? "Microsoft Defender SmartScreen determines whether a downloaded app or app installer is potentially malicious..." "Checking downloaded files..." "SmartScreen checks files that you download from the web..."

  • SmartScreen is an opaque system as most Microsoft stuff is, ask Microsoft how it works and if your binary might get flagged at some point. Or just sign it to reduce chances of it happening but just as Apple has OCSP failures that brick macOS machines, Microsoft will have issues with SmartScreen at some point or another. – Ginnungagap Jun 09 '21 at 09:23
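The "downloaded from the web" condition the quoted references describe is carried by the file itself: browsers stamp downloads with a Zone.Identifier alternate data stream (the Mark of the Web), and SmartScreen's run-time check keys on it, while a file an installer writes to disk gets no such stream unless the installer adds one. The PowerShell below is an added example, not code from the question or its comments; it reports, for each of the two binaries, whether the Mark of the Web is present and whether the file carries an Authenticode signature, and includes a helper to stamp a test copy so the app can be exercised under the same conditions a browser download would face. The file paths are placeholders.

```powershell
# Added example: inspect Mark-of-the-Web and signature state of a binary.
function Get-FileTrustState {
    param([Parameter(Mandatory)][string]$Path)

    $item = Get-Item -Path $Path -ErrorAction Stop

    # Zone.Identifier only exists if a browser/mail client/etc. wrote it.
    # A file created by an installer does not get one automatically.
    $zone = $null
    $ads  = Get-Item -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if ($ads) {
        $content  = Get-Content -Path $Path -Stream Zone.Identifier
        $zoneLine = $content | Where-Object { $_ -like 'ZoneId=*' } | Select-Object -First 1
        if ($zoneLine) { $zone = [int]($zoneLine -replace '^ZoneId=', '') }
    }

    $sig = Get-AuthenticodeSignature -FilePath $Path

    [pscustomobject]@{
        File      = $item.Name
        HasMotW   = [bool]$ads
        ZoneId    = $zone           # 3 = Internet zone; $null = no Mark of the Web
        SigStatus = $sig.Status     # Valid, NotSigned, HashMismatch, ...
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

# Added helper: stamp a test copy as if it had been downloaded from the
# Internet zone, so SmartScreen's behaviour toward the app can be observed
# rather than assumed. Use on a copy in a test environment only.
function Set-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$Path, [int]$ZoneId = 3)
    Set-Content -Path $Path -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=$ZoneId"
}

# Placeholder paths standing in for the two binaries from the question.
Get-FileTrustState -Path 'C:\Users\Public\Downloads\installer.exe'   # expected: HasMotW True, SigStatus Valid
Get-FileTrustState -Path 'C:\Program Files\MyApp\app.exe'            # expected: HasMotW False, SigStatus NotSigned
```

Comparing the two rows shows which of the two differences (missing Mark of the Web versus missing signature) is actually in play when the app launches without a warning.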
