Windows SmartScreen warning

[dexX7]

On Windows 8.1 and Windows 10 TP a SmartScreen warning is fired for Omni Core. Some browsers furthermore appear to show download warnings.

This is the default behavior I observed on several fresh systems.

Trust needs to be gained, so this is no surprise. The process however is a bit fuzzy and reputation appears to be build over time, based by user behavior, whether applications are flagged as malicious or not, [...] Providing signed files seems to play a signitifant role.

---

It looks like a shortcut exists to gain instant reputation, to quote:

Programs signed by an EV code signing certificate can immediately establish reputation with SmartScreen reputation services even if no prior reputation exists for that file or publisher. Other factors are considered when generating reputation and determining product experiences and EV-signed programs will be closely monitored over time.

http://blogs.msdn.com/b/ie/archive/2012/08/14/microsoft-smartscreen-amp-extended-validation-ev-code-signing-certificates.aspx

Microsoft accepts standard code signing and extended validation (EV) code signing certificates from Symantec and DigiCert.

To my surprise actually, extended code signing even requires the use of a hardware token generator as second authentication factor. The certification comes at the cost of $449.00 (DigiCert) to $795.00 (Symantec) for 1 year plans:

• https://www.digicert.com/code-signing/ev-code-signing.htm
• http://www.symantec.com/theme.jsp?themeid=extended-validation-code-signing

General information:

• Microsoft SmartScreen & Extended Validation (EV) Code Signing Certificates

Also interesting and related:

• MSDN: Certification requirements for Windows desktop apps ("ready for Windows App Store")
• Webmaster Tools: If your site's downloads are identified as malware or unwanted software

[zathras-crypto]

Thanks @dexX7 - as you say I believe as more and more users download we would gain trust - probably just enough right at the point we release a new version and the whole process begins anew :p

For the time being I guess users will need to override this - I don't think our target audience is non-technical users and overriding 'assumed malicious' downloads must be fairly common knowledge by now seeing as the trend in the security space has reversed approach to "whitelist known good stuff" instead of "blacklist known bad stuff" (ie security software assumes it's bad until proven otherwise).

[zathras-crypto]

P.S. I take more of a conspiracy theorist view hehe - by automatically flagging any new (call it unknown but it's pure marketing semantics) software (not suitably signed as per above) as "potentially malicious" you effectively push the majority of developers through a grandfathering process to the Windows App Store deployment where your app will be "verified" and "you'll have none of these problems" related to warnings of malicious content.

Long story short - deploy software to your users the 'traditional way' and Microsoft gets nothing, deploy via Windows App Store and Microsoft get 30%.

EDIT: Sorry sounds like a rant hehe - I just have a chip on my shoulder about desktop computing being the last bastion of computing where freedom still reigns and what software you are able to run is not decided for you by Apple/Google/Microsoft. :)

[dexX7]

Haha, don't get me wrong, this is no attempt to push Omni Core into the MS App Store, but I mentioned it, because the criteria are well defined and where I was basically getting: what gets into the App Store has no SmartScreen warning, therefore this may be helpful to get rid of the warning. ;)

I stopped at this point, to dive into the app crash error, but it's probably worth to gather more information how "reputation" can be gained, e.g. if it's possible at this stage, whether we'd need to seperate further from the orginal Bitcoin Core, ...