Microsoft Defender SmartScreen is hurting independent developers

Let us say you are an independent developer and it is time to publish your app to the world. To make it easier, you build an installer and start distributing it. A courageous early adopter downloads and runs it, only to be greeted by this strongly worded warning:

Windows SmartScreen blocking an executable from running

Indeed, in today's Windows environment, Microsoft actively blocks binaries from running, thanks to "SmartScreen".

But what is SmartScreen?

SmartScreen collects installation data from all Windows users in order to establish "reputation". When a downloaded executable is run (Windows knows it was downloaded because browsers attach a "mark of the web" to the file), SmartScreen looks the file and its signing certificate up in Microsoft's cloud reputation service. If neither has an established good reputation, you get this big warning message. By this time most users have already deleted the .exe, thinking it is malware, but SmartScreen can be bypassed by clicking on "More info" then "Run anyway".

The digital signature racket

But how do you build reputation? First of all, Microsoft needs to be able to gather information on who has published the app, and this is done with a code signing certificate. The most obvious implication is that unsigned apps will trigger SmartScreen: without a signature, whatever reputation is collected is tied to the hash of that exact file, so every rebuild starts from zero. The more insidious implication is that acquiring a code signing certificate is a big expense for an individual developer. There is currently no "Let's Encrypt" equivalent for code signing certificates, so you have to purchase one from a trusted authority. The price range is wide, but a certificate valid for only a year will typically go for about $100.

SSL.com offers one of the "cheapest" code signing certs on the market, at $129 a year.

But let's say you bite the bullet, buy yourself an overpriced piece of prime numbers generated by a computer, sign your code and re-publish your application. You can now start getting users to install your app, right? Wrong.

Building reputation is a catch 22

Even with your newly signed application, SmartScreen will still trigger. After all, you are an unknown new publisher, and the "building up reputation" part of SmartScreen is a complete black box. So here's the catch-22: to build up reputation, you need people to install your software so that Microsoft collects data. To get users to install your software, they must not be greeted by a message that strongly suggests your piece of code will harm their computer.

It gets worse.

If you try to publish your software with WinGet (in a nutshell: what will probably replace the Windows Store once it gets out of beta), you will get this message from Microsoft:

Microsoft WinGet considers triggering SmartScreen an "error", and your software is classified as "malware"

In the words of Microsoft, your application is considered malware if it triggers SmartScreen. They link to a potential solution in the form of submitting your file for review through a dedicated link. If you follow the whole process, this is the response you will get:

We’ve reviewed your submission and we’ve confirmed that the submitted files are clean. Windows Defender Antivirus doesn’t report them as malware.
The message you observed is a notification from Windows Defender SmartScreen indicating that the application does not have known reputation in our system.
Application reputation warnings are meant to inform end users when applications do not have known positive reputation. This doesn’t mean that the application is malicious, only that it is “unknown”. Please note that users can still proceed to download and run the application.
In most cases, a digitally signed application will establish reputation organically, unless something has happened to denigrate existing reputation such as being used to sign malware. We will investigate this issue further and contact you if we need additional information.

In essence: your app is clean, but we won't do anything about the SmartScreen error. Our cloud bot overlords will decide when it is fine for you to be trusted.

And it still gets worse.

Let's say you finally get accepted by the algorithms that be as a trusted publisher. Your certificate is about to expire and you renew it. Simple "business as usual" in the world of the Internet. In the world of Windows software, though, that means your reputation is reset back to nothing. SmartScreen keys reputation to the signing certificate, and a renewed certificate is a new certificate (new serial number, new thumbprint, usually a new key pair), so SmartScreen considers you a new publisher again and you have to go through this painful process yet another time. (Releases signed with the old certificate keep working, provided the signature was timestamped: a timestamped Authenticode signature stays valid after the certificate expires. Only new releases need the new certificate, and the new round of reputation building.)

This can be mitigated by purchasing a certificate with a longer validity period, but at this point the cost simply becomes an insurmountable barrier for most independent developers.
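Putting the signing step and the renewal trap together, here is an added example (mine, not from the original post) of how I would sign a release with the Windows SDK's signtool and then inspect it with PowerShell's Get-AuthenticodeSignature, to see the identity SmartScreen keys reputation to and whether the file carries the mark of the web at all. It assumes signtool.exe is on PATH, that the certificate and its private key sit in the CurrentUser\My store, and it uses placeholder file and thumbprint values; the timestamp URL is an example of an RFC 3161 authority, not something the page recommends.

```powershell
# Added example, not from the original post: sign a release the way SmartScreen
# expects, then inspect the identity reputation is actually tied to.
# Assumptions (mine, not the page's): signtool.exe from the Windows SDK is on PATH,
# the code signing certificate and its private key are in CurrentUser\My, and the
# installer is .\setup.exe. Any RFC 3161 timestamp authority will do.
param(
    [string]$File      = '.\setup.exe',                        # assumption
    [string]$CertHash  = 'PASTE-YOUR-CERTIFICATE-THUMBPRINT',  # assumption
    [string]$Timestamp = 'http://timestamp.digicert.com'       # assumption: any RFC 3161 TSA
)

# 1. Sign, selecting the certificate by thumbprint so no PFX password ends up on
#    the command line. /tr and /td add a timestamp: the signature stays valid after
#    the certificate expires, so existing releases never need re-signing.
& signtool.exe sign /fd SHA256 /sha1 $CertHash /tr $Timestamp /td SHA256 $File
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed (exit $LASTEXITCODE)" }

# 2. Verify against the default Authenticode policy, i.e. what Windows checks.
& signtool.exe verify /pa /v $File
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed (exit $LASTEXITCODE)" }

# 3. Show what SmartScreen sees. The thumbprint changes with every renewal,
#    which is why reputation starts over even though the subject name is the same.
$sig = Get-AuthenticodeSignature -FilePath $File
[pscustomobject]@{
    Status      = $sig.Status                        # should be Valid
    Subject     = $sig.SignerCertificate.Subject
    Thumbprint  = $sig.SignerCertificate.Thumbprint
    NotAfter    = $sig.SignerCertificate.NotAfter
    Timestamped = [bool]$sig.TimeStamperCertificate  # False: signature stops validating at NotAfter
}

# 4. SmartScreen only evaluates files that carry the mark of the web, the
#    Zone.Identifier alternate data stream browsers attach to downloads. A file you
#    just built locally has none, which is why it runs cleanly on your own machine
#    while a user's downloaded copy gets the warning. Check a downloaded copy with:
$zone = Get-Content -Path $File -Stream Zone.Identifier -ErrorAction SilentlyContinue
if ($zone) { "Mark of the web present:`n$($zone -join "`n")" }
else       { 'No mark of the web on this copy; SmartScreen will not prompt for it.' }
```

Run it against the copy a tester downloaded rather than your build output when you want to see what they see: the build output has no Zone.Identifier stream, so step 4 will always report "no mark of the web" on the developer's machine.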

EV Code Signing Certificates

For independent developers, this is the end of the road. For publishers, there is another solution: an Extended Validation (EV) Code Signing Certificate. According to Microsoft, programs signed with one establish reputation with SmartScreen immediately, so the warning does not appear from the first release. EV certificates are only issued to registered organisations, and as the name suggests they are subject to additional background checks by the certificate authority, with the private key kept on a hardware token.

Digicert.com, a popular CA for code signing certificates, sells them for a whopping $699 a year.

As an independent developer, a solution would be to go through the trouble of registering a sole proprietorship and fork out the outrageous prices that these certificates command. Of course, that isn't a realistic endeavour for most.

“Developers, developers, developers!”

"Developers, developers, developers!" was a cry from Steve Ballmer and one of the speeches that defined him as CEO of Microsoft. These infamous words were uttered in the early 2000s, shortly after he became CEO. Two decades later, under Satya Nadella, Microsoft is being praised for becoming more open than ever. Ironically, it seems that Microsoft has made its Windows environment extremely hostile towards its beloved developers. A change in SmartScreen, or in the way certificates work, is needed to turn this dire situation around.

24 Comments

  1. Dr. Guy Gordon

    A reasonable solution would be for developers to act together to trust each others certificates.
    Such a system should be about trusting the Certificate, not some particular executable.
    Trust should require some minimum number of positive responses and few to no negatives.
    It should include a way to Revoke Trust.
    Realize that malware authors WILL attempt to game the system.
    (It is also possible that some corporate giants will try to kill it.)
    Both of the above require a system able to change in response to attack.

    As a starting point, how many people must trust a certificate to satisfy SmartScreen?
    I don’t expect MS has published this number.

  2. Max

    I want to add some info about UWP applications.
    You basically can’t distribute your application without buying a certificate or asking every user to install your self-signed one.

  3. Luke

    Windows 10 was entirely created for the single purpose of tricking open OS users into an Apple-like closed ecosystem. The "authority" to block users from developers is their most valuable asset, and everything offered in Windows 10 is a gimmick to get it. What's worse, microshit has become the bigger contributor to Linux (both in terms of money and code) so that they can push for the same "protect the user" type of abusable power. When someone says they are trying to protect you, be concerned!

  4. Alex O

    Your article is spot on except for one thing. For corporations, the system is just as broken, even if you shell out the money. EV certificates expire as well and have tons of issues because the trust is tied to the name of the company, and if your company name changes, or any kind of merger or org structure change a startup might go through happens, it automatically wipes out your reputation. SmartScreen is not the only game in town, as Google Safe Browsing and other players will automatically block you in similar fashion to Microsoft. Even expensive services like VirusTotal Monitor, which costs hundreds per month, do not help. Developing native apps is a choice between the Apple review process (you find out if you violate ahead of time) vs constant AV vendor false positives. It's a shitshow for legit companies and malware is still running rampant through... it's just broken.

  5. Ron

    Great article. It neatly summarises all the problems I had. When I renewed my three year certificate I immediately lost “reputation” so had a lot of users complaining. I would guess it took maybe 20 installs to regain reputation.
    I have also had problems with false positives, which is strange because running the installer etc through the free http://www.virustotal.com found absolutely nothing. Cleared it up by submitting it to Microsoft’s service at https://www.microsoft.com/en-us/wdsi/filesubmission.
    All part of the fun that we independent developers have to put up with.

  6. Yes. I didn’t bother submitting my software to winget because I could see this would happen.

    One other thing that I didn’t see mentioned: those of us who create and consume indie software end up disabling smartscreen because it’s so overactive for this type of software. But if it’s not enabled, our usage of indie software isn’t building reputation.

    Technically unsigned code can still build reputation, but with no stable publisher identity it means reputation is reset with every build. This might have even worked in the 1990s, but in a world of continuously updated and serviced software it’s a non-starter.

  7. Anthony Rogan

    Had all these problems when I published my software. Nightmare. Just shows what a monopoly can get away with. Why is Microsoft Windows a monopoly? Cos they got rid of the competition and it is a USA company. Think Trump "dominance"!

  8. I am currently being plagued with this as well. Renewed digital certificate, smartscreen blocked installations. I re-gained reputation after a few thousand downloads, then released a small patch/update and here we go again, untrusted (without changing the certificate!?). I have at least 5K downloads now and smartscreen still blocks the installer.

    I will try submitting to that Microsoft URL for checking, thanks for pointing it out

  9. Years ago when I began developing my indie framework, I did a lengthy evaluation of the certificate system and determined that its group-dynamics-based foundation (algorithmic determination is merely 2nd-degree group dynamics), and threw it out, realizing my software would end up on the false-positive scrapheap years later, too late to do anything about it, if I didn’t. Although it is depressing that we indie developers have to be philosopher kings just to be successful, it is invigorating to be right and not be a victim. Whew!

  10. Geronimo

    The solution is to abandon Windows as a platform and develop for iOS/Android/Linux/WebAssembly.

    There are very few things that can only be done in Windows and each passing year the list grows smaller.

  11. Peter

    Smartscreen places obstacles in the way of a potential buyer running commercial software that they have downloaded from a vendor’s website — if that vendor has not spent $100 or so for a code signing certificate for that software — not just for that software but for any new version of that software. Doesn’t that constitute “restraint of trade”, defined by Findlaw as any activity that prevents another party from conducting business as they normally would (as in providing software for sale or for evaluation with a view to sale) without such a restraint? Isn’t that illegal?

  12. RPS

    This world is moving toward a global dystopian tyranny and big tech is right in the middle of it.
    I call it a modern tower of Babel. God will make sure it fails miserably.

  13. François

    I believe the power of persuasion is in the union, in the group. Does anyone know of a developer’s association that has enough members to become a force with a voice and influence? Alone, you can’t do anything. Can we start a petition? I would sign it now. Can we get together?

  14. Matt T.

    Except you all forget how real software for public distribution actually works and blow the failed development cycle way out of proportion, which is completely left out of the article. A.) Yes, you will have some small costs, and 100 or so bucks for your code signing is not much for a developer; if you are an actual developer you have a 2-3k machine sitting on the floor and have spent that in energy drinks making your code. It's just a cost of business. OR you aren't into doing business and are trying to go freeware/open source. In that case you are in 1 of 2 boats. You are brand new and niche, and people tend to bypass the SmartScreen. Or you have hit enough popularity that your site, or donations via supporters, will fund the certification. So now the reputation piece.

    This is never a problem if you actually do proper program development. You run alpha and beta runs of your software to your target audience. These few beta testers can run your software and are aware that they will get the SmartScreen warning, because you can inform them when you are sending them the beta / link to the beta software. After about 30-50 different people, a really small beta group in terms of the population, the reputation is established and all of your headaches go away.

    If you aren't beta testing in the wild a bit before release, then really SmartScreen should catch your untested software. Cause there is no proof that, without any mal-intent, your software doesn't instantly bluescreen my computer because you didn't test it against 32-thread CPUs. And since worrying about the price point of 100 bucks here or there for your code certs seems to be 50% of the complaint with SmartScreen, chances are you're not buying a 6k development machine for testing. SmartScreen isn't always just about the malware. It also has the intent to protect against bad installs that mean no harm.

  15. Peter

    Reply to Matt T.

    > 100 or so bucks for your code signing is not much for a developer

    It is for many small independent software developers, who try to make a living from writing good and useful Windows software but whose low sales (due in part to SmartScreen’s turning off potential buyers) doesn’t support extensive promotion and advertising. And if a developer enhances their programs occasionally then Microsoft requires them to spend 100 bucks on each new version.

    > if you are an actual developer

    Who is Matt T. to say who is an “actual developer” and what is “proper” program development? Some independent software developers have 20+ years experience in software development in several programming languages (before they went independent) and already know how to develop and test software thoroughly before release. Most don’t have or need a team of beta testers (who, in any case, generally don’t work for free).

    We're talking here of Microsoft attempting (illegally?) to block the running of Windows software (other than its own, of course). Thus the software only needs to be tested under Win7 and Win10 (and maybe Win98). When software is written to run under these OSes then there is no need to test it against "32 thread CPUs" by 30-50 beta testers, only by the developer and a few colleagues on the machines on which it is intended to be used (desktops and laptops).

    If a person who had downloaded commercial software from a vendor’s website (an unlikely source of malware, since the vendor has a reputation to uphold) then they need only submit the software to VirusTotal to obtain the result of over 60 tests done by companies providing anti-malware software. This is a much better way to check the safety of downloaded software than by relying on SmartScreen’s sole criterion for ‘malware’: Has the publisher spent $100 or so for a code-signing certificate? And the presence of a code-signing certificate is no guarantee of safety anyway.

    What Microsoft is doing (via SmartScreen) amounts to libel, since it is impugning the safety of software published by software vendors while providing no evidence of it.

  16. François

    I receive this morning this advice:

    One of our members had recently proposed a solution in our ASP member forum:

    > Now I found a workaround:
    > When you download your own files using the *new* MS Edge browser it will also block them. With a mouse right-click
    > you can report these files to Microsoft and tell them they are clean. After up to 48 hours SmartScreen will no longer block
    > these files.

    Maybe this will work for you as well?

    http://www.asp-software.org

  17. Peter

    François said:

    > One of our members had recently proposed a solution in our ASP member forum:
    >> When you download your own files using the *new* MS Edge browser it will also block them.

    The SmartScreen dire warning appears when one tries to run — rather than download — a program.

    The first post in this blog thread says:

    In the words of Microsoft, your application is considered a malware if it triggers SmartScreen. They link to a potential solution in the form of submitting your file for review through a dedicated link. If you follow all this process, this is the response you will get:

    We’ve reviewed your submission and we’ve confirmed that the submitted files are clean. Windows Defender Antivirus doesn’t report them as malware. The message you observed is a notification from Windows Defender SmartScreen indicating that the application does not have known reputation in our system. Application reputation warnings are meant to inform end users when applications do not have known positive reputation [that is, they have not been downloaded hundreds of times, and because of that this app may be malware and may harm your PC, so maybe you shouldn’t run it]. …

    In essence: your app is clean but we [Microsoft] won’t do anything about the SmartScreen error.

  18. Peter

    SmartScreen’s criterion for classification of a program as “risky” appears to have nothing to do with the program itself but to be simply: “This program lacks a code-signing certificate and it has not been downloaded at least N times” (for some N chosen by Microsoft). This criterion could have unintended consequences.

    Suppose a clever malware designer writes malware which is not detected by Windows Defender SmartScreen (probably not difficult) and which contains a malware payload which is not triggered until a period has elapsed after release which is long enough (as estimated by the malware author) for the number of downloads to be sufficient for SmartScreen to mark this program as “safe”. Thereafter running the software will not trigger SmartScreen, but when run the malware will go into action, perhaps erasing all files on the PC. Can the unfortunate owner of the now-devastated PC sue Microsoft for compensation for damage due to the failure of SmartScreen to warn them that this program might “put their PC at risk”, despite Microsoft’s claim that this is what SmartScreen is intended to warn against?

    A more intelligent version of SmartScreen would issue a warning only if there was something about the program itself which is evidence that the program is risky. For example, SmartScreen might test the program using a malware-detection program (something better than Windows Defender, which is notorious for false positives) and allow the program to run only if no evidence of malware is found — whether or not a code-signing certificate has been purchased for this program.

    If Microsoft is reluctant to do this then one has to ask why. Would it be because Windows Defender is so poor at detecting malware (and absence of malware) that it is not reliable, and Microsoft does not wish to admit that a better malware detection program (not done by Microsoft?) would be needed?

  19. Cubism Invented

    Then again it is still possible to send a malicious Excel via email and the malware is installed to recipient’s computer after an obscure yes/no question. Security in the wrong places?

  20. Blade

    Arguably, the problem with SmartScreen is that it's not tied to any multi-vendor online malware detectors. So SmartScreen is not concerning itself with the right question: is this software malware, versus does this software have a valid certificate? The problem with that is malware can have valid certificates from reputable CAs. The certificates are just bleeding money from small independent software developers.

    If you do have a valid certificate, it then becomes a question of "reputation". Some X number of people need to have downloaded the software and not reported it, but the problem with that is those people might not know the software is malware, or the malware is "sleeping" and waiting a set period of time. The software might not be malware, but just buggy. Users might not be able to understand the difference. Microsoft should NOT rely on non-technical users' opinions about the validity of software. If users don't like the software because it's buggy, they should not use it or should complain to the author.

    Arguably, the way to clearly differentiate legit software from malware is actual testing of the software, by different AV vendors. This appears where Microsoft’s SmartScreen is stumbling. Microsoft Windows Defender by itself is likely not enough to establish whether software is “clean”. It’s better if software is screened by multiple vendors, like with VirusTotal, to set a base line reputation. It’s much harder for malware to get past a gauntlet of AV vendors.

    What SmartScreen should be doing is scan the software for malware and viruses. Preferably an online scan like VirusTotal (or various vendors selected by Microsoft). Then asks the user if they trust the publisher or not, showing the user detail information from the executable or installer. The choice can be Yes, No, or Undecided. Where “Undecided” gives the user the opportunity to use the information they were given to web search check on the publisher. If they don’t want to be bothered researching, they can simply say “No” to block the install and any software from that author/company.

    SmartScreen should just be a caution screen for users, to stop automatic installs, and give users the opportunity to research the publisher. Instead, Microsoft screwed it up. Creating a money drain that does nothing useful for the user or the software developer.

  21. obe

    As a user (who is also a developer), I support Microsoft’s practices on this.

    We live in a world where it is simply unsafe to run any odd executable that makes its way to our desktops.

    It’s also technically impossible (for now) to validate an executable in a way that will give 100% confidence that it’s safe.

    Requiring a developer to “register” with a certificate authority, and prove their identity in the “real” world – makes total sense. It doesn’t guarantee that their executables would not be malicious, but hopefully it can guarantee that they can be traced and held responsible, and that this fact would be enough to deter them from foul play.

    As a user, I wouldn’t want this kind of registration to be done “in bulk”, because it would lose all meaning. It is a good thing that the certificate authority has human employees examine legal proof and going through a (relatively) complex procedure. It makes sense that this manual process would cost money, and hopefully the certificate authorities themselves are scrutinized periodically and this is also an expense they need to cover.

    Many years ago I went through this exact process in order to sell an ActiveX component. I was an independent developer, living in a crappy apartment, trying to finish the product before my money runs out, but even back then I understood and accepted this requirement.

    With all due respect, if a developer cannot shell out $1,000 to get certified, then maybe they need to work as an employee for a while and save some money. Even with this kind of overhead, software development is probably still the cheapest profession to work in as an independent. How much money (both upfront, and yearly) would one need to pay if they opened any kind of “physical” business, in any country? (and especially a business that could potentially put customers at risk, such as a restaurant).

  22. Peter

    Reply to “obe”:

    > it is simply unsafe to run any odd executable that makes its way to our desktops.

    “Makes its way”? Like, just wandered in? We’re talking of users actively interested in available software from vendors (some in business for over 10 years) whose websites they can inspect.

    > if a developer cannot shell out $1,000 to get certified …

    Certificates (which don't prove anything except that a certificate has been purchased) cost about $100 for each program, including each new version of a program. You can find useful and interesting software from independent software developers that sells (when it does) for $20-$50 (barely enough to cover costs). Vendors usually offer several programs, and conscientious developers often release new versions whenever they add improvements to their programs. If they had to purchase a certificate for each program and each new version then they'd soon be bankrupt and their software would no longer be available.

    > It’s also technically impossible (for now) to validate an executable in a way that will give 100% confidence that it’s safe.

    But 99% is possible. Apparently “obe” has never heard of VirusTotal: https://www.virustotal.com/gui/home/upload You can submit an executable (or an installation program) to VT’s 47 or so malware detectors for a group judgment before you decide whether to download and install it. If 99% of them say the program is clean then it probably is.
