Downloading a freshly signed version of the PharoLauncher installer sometimes triggers a Windows Defender SmartScreen alert.
There is no warning when using a local copy of the file, but we get a warning when the same file is downloaded from the Internet.
What does it mean when Microsoft Defender SmartScreen marks a downloaded program as ‘not commonly downloaded’?
If I am an application owner, what can I do to help minimise the chance of my program being flagged as “not commonly downloaded” by Microsoft Defender SmartScreen?
Reputation can be associated with a digital certificate, which allows reputation to be aggregated over all binaries signed with that same certificate. The certificate has to be issued by a Certificate Authority (CA) that is a member of the Windows Root Certificate Program. Membership can be checked here: https://docs.microsoft.com/fr-fr/security/trusted-root/participants-list
Here is the certificate chain we have for Pharo Launcher (leaf certificate first, each certificate ending with its Subject):

Signature Algorithm: sha384WithRSAEncryption
Issuer: C = NL, O = GEANT Vereniging, CN = GEANT Code Signing CA 4
Validity
    Not Before: May 6 00:00:00 2021 GMT
    Not After : May 5 23:59:59 2024 GMT
Subject: C = FR, L = Le Chesnay-Rocquencourt, O = INSTITUT NATIONAL DE RECHERCHE EN INFORMATIQUE ET EN AUTOMATIQUE, OU = DSI, CN = INSTITUT NATIONAL DE RECHERCHE EN INFORMATIQUE ET EN AUTOMATIQUE

Signature Algorithm: sha384WithRSAEncryption
Issuer: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
Validity
    Not Before: Feb 18 00:00:00 2020 GMT
    Not After : May 1 23:59:59 2033 GMT
Subject: C=NL, O=GEANT Vereniging, CN=GEANT Code Signing CA 4

Signature Algorithm: sha384WithRSAEncryption
Issuer: C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
Validity
    Not Before: Mar 12 00:00:00 2019 GMT
    Not After : Dec 31 23:59:59 2028 GMT
Subject: C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority

Signature Algorithm: sha1WithRSAEncryption
Issuer: C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
Validity
    Not Before: Jan 1 00:00:00 2004 GMT
    Not After : Dec 31 23:59:59 2028 GMT
Subject: C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
USERTrust RSA Certification Authority is indeed listed as a member of the Windows Root Certificate Program.
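To make that membership check repeatable, here is an added Python example (not code from the Pharo Launcher project or from Microsoft). It parses a chain in the text form quoted above, checks that each certificate's Issuer matches the next certificate's Subject, stops at the first certificate whose CN is in a trusted-root allow-list (so a cross-signing certificate after the anchor, like the AAA Certificate Services one here, is not relied upon), checks that every certificate up to the anchor is valid at a given date, and flags SHA-1 signatures below the anchor. The allow-list is constructed from the page and contains only USERTrust RSA Certification Authority; a real check must load Microsoft's published participants list.

```python
"""Sanity-check a code-signing chain given as openssl-style text.

Assumed input format (one block per certificate, leaf first): a
'Signature Algorithm:' line, then Issuer, Validity dates and Subject.
"""
import re
from datetime import datetime, timezone

# Constructed sample: the four-certificate chain quoted on the page.
CHAIN_TEXT = """\
Signature Algorithm: sha384WithRSAEncryption
Issuer: C = NL, O = GEANT Vereniging, CN = GEANT Code Signing CA 4
Validity
    Not Before: May 6 00:00:00 2021 GMT
    Not After : May 5 23:59:59 2024 GMT
Subject: C = FR, L = Le Chesnay-Rocquencourt, O = INSTITUT NATIONAL DE RECHERCHE EN INFORMATIQUE ET EN AUTOMATIQUE, OU = DSI, CN = INSTITUT NATIONAL DE RECHERCHE EN INFORMATIQUE ET EN AUTOMATIQUE
Signature Algorithm: sha384WithRSAEncryption
Issuer: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
Validity
    Not Before: Feb 18 00:00:00 2020 GMT
    Not After : May 1 23:59:59 2033 GMT
Subject: C=NL, O=GEANT Vereniging, CN=GEANT Code Signing CA 4
Signature Algorithm: sha384WithRSAEncryption
Issuer: C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
Validity
    Not Before: Mar 12 00:00:00 2019 GMT
    Not After : Dec 31 23:59:59 2028 GMT
Subject: C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
Signature Algorithm: sha1WithRSAEncryption
Issuer: C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
Validity
    Not Before: Jan 1 00:00:00 2004 GMT
    Not After : Dec 31 23:59:59 2028 GMT
Subject: C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
"""

# Constructed allow-list: only the root the page confirms as a program member.
# A real check must use Microsoft's published participants list instead.
TRUSTED_ROOT_CNS = {"USERTrust RSA Certification Authority"}


def parse_dn(dn: str) -> tuple:
    """Normalise 'C = NL, O = X' and 'C=NL,O=X' into one comparable tuple."""
    pairs = []
    for part in re.split(r"\s*,\s*", dn.strip()):
        attr, value = part.split("=", 1)
        pairs.append((attr.strip(), value.strip()))
    return tuple(pairs)


def parse_date(text: str) -> datetime:
    """Parse 'May 6 00:00:00 2021 GMT'; openssl pads single-digit days, so collapse spaces."""
    text = re.sub(r"\s+", " ", text.strip())
    if text.endswith(" GMT"):
        text = text[:-4]
    return datetime.strptime(text, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def parse_chain(text: str) -> list:
    """Split the text into one dict per certificate, leaf first."""
    certs = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Signature Algorithm:"):
            certs.append({"sig_alg": line.split(":", 1)[1].strip()})
        elif line.startswith("Issuer:"):
            certs[-1]["issuer"] = parse_dn(line.split(":", 1)[1])
        elif line.startswith("Subject:"):
            certs[-1]["subject"] = parse_dn(line.split(":", 1)[1])
        elif line.startswith("Not Before"):
            certs[-1]["not_before"] = parse_date(line.split(":", 1)[1])
        elif line.startswith("Not After"):
            certs[-1]["not_after"] = parse_date(line.split(":", 1)[1])
    return certs


def cn_of(dn: tuple) -> str:
    return dict(dn).get("CN", "")


def check_chain(text: str, trusted_root_cns, now=None) -> list:
    """Return a list of findings; an empty list means every check passed.

    `now` may be a datetime, an ISO date string such as '2022-01-01', or None (today).
    """
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now).replace(tzinfo=timezone.utc)
    certs = parse_chain(text)
    if not certs:
        return ["no certificates found"]
    findings = []
    # Path validation stops at the first certificate that is itself a trusted
    # anchor; certificates after it (cross-signers) are not relied upon.
    anchor = next((i for i, c in enumerate(certs) if cn_of(c["subject"]) in trusted_root_cns), None)
    if anchor is None:
        findings.append(f"no trusted root in chain: {[cn_of(c['subject']) for c in certs]}")
        anchor = len(certs) - 1
        if certs[-1]["issuer"] != certs[-1]["subject"]:
            findings.append("chain does not end in a self-signed root")
    for i in range(anchor):
        cert, parent = certs[i], certs[i + 1]
        if cert["issuer"] != parent["subject"]:
            findings.append(f"cert {i} issuer {cn_of(cert['issuer'])!r} != cert {i + 1} subject {cn_of(parent['subject'])!r}")
        if "sha1" in cert["sig_alg"].lower():  # the anchor's own signature is never verified
            findings.append(f"cert {i} ({cn_of(cert['subject'])}) is signed with {cert['sig_alg']}")
    for i in range(anchor + 1):
        cert = certs[i]
        if not (cert["not_before"] <= now <= cert["not_after"]):
            findings.append(f"cert {i} ({cn_of(cert['subject'])}) not valid at {now.date()}: "
                            f"{cert['not_before'].date()} .. {cert['not_after'].date()}")
    return findings


if __name__ == "__main__":
    for line in check_chain(CHAIN_TEXT, TRUSTED_ROOT_CNS) or ["chain OK"]:
        print(line)
```

Run as a script it evaluates the page's chain against today's date; since the leaf certificate quoted above expired in May 2024, the script now reports that expiry rather than "chain OK". Pass `now="2022-01-01"` to `check_chain` to see the chain as it stood when it was in use.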
Some context
A binary signed locally and the same signed binary downloaded from the Internet have the same size and the same hash. After a number of downloads, Windows Defender stops warning that the file may be malicious. According to https://support.microsoft.com/en-us/microsoft-edge/what-is-smartscreen-and-how-can-it-help-protect-me-1c9a874a-6826-be5e-45b1-67fa445a74c8, SmartScreen is a technology based on how often a file has been downloaded by Edge users. Looking on the web for information on "smartscreen signed binary", we found suggestions that the warning is related to the reputation of the binary, so the binary has to be "mass-downloaded" before the warning goes away. https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview seems to confirm that. The SmartScreen FAQ also gives some more information: https://fb.smartscreen.microsoft.com/smartscreenfaq.aspx#