Downloading a freshly signed version of PharoLauncher installer sometimes trigger a Windows Defender SmartScreen alert. Capture d’écran 2021-07-15 à 23 25 21 There is no warning when using a local file but we get a warning when downloading from Internet.

Some context

A locally signed binary and the same signed binary downloaded from internet have both the same size and the same hash. After some downloads, Windows Defender does not warn again on malicious files. According to https://support.microsoft.com/en-us/microsoft-edge/what-is-smartscreen-and-how-can-it-help-protect-me-1c9a874a-6826-be5e-45b1-67fa445a74c8, SmartScreen is a technology based on the downloads of a file by Edge users. Looking on the web for information on "smartscreen signed binary", we found assumptions that the warning is related to the reputation of the binary and so, the binary should be "mass-downloaded" to avoid the warning. https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview looks like to confirm that. SmastScreen FAQ also gives us some more information: https://fb.smartscreen.microsoft.com/smartscreenfaq.aspx#

What does it mean when Microsoft Defender SmartScreen marks a downloaded program as ‘not commonly downloaded’?

If I am an application owner, what can I do to help minimise the chance of my program being flagged as “not commonly downloaded” by Microsoft Defender SmartScreen? Reputation can be associated to a digital certificate allowing to aggregate reputation over many binaries issued by the same certificate. The certificate has to be issued by a Certificate Authority (CA) that is a member of the Windows Root Certificate Program. It can be checked here: https://docs.microsoft.com/fr-fr/security/trusted-root/participants-list Here is the certification chain we have for Pharo Launcher:

    Signature Algorithm: sha384WithRSAEncryption
    Issuer: C = NL, O = GEANT Vereniging, CN = GEANT Code Signing CA 4
    Validity
        Not Before: May  6 00:00:00 2021 GMT
        Not After : May  5 23:59:59 2024 GMT
    Subject: C = FR, L = Le Chesnay-Rocquencourt, O = INSTITUT NATIONAL DE RECHERCHE EN INFORMATIQUE ET EN AUTOMATIQUE, OU = DSI, CN = INSTITUT NATIONAL DE RECHERCHE EN INFORMATIQUE ET EN AUTOMATIQUE

Signature Algorithm: sha384WithRSAEncryption
    Issuer: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
    Validity
        Not Before: Feb 18 00:00:00 2020 GMT
        Not After : May  1 23:59:59 2033 GMT
    Subject: C=NL, O=GEANT Vereniging, CN=GEANT Code Signing CA 4

    Signature Algorithm: sha384WithRSAEncryption
    Issuer: C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
    Validity
        Not Before: Mar 12 00:00:00 2019 GMT
        Not After : Dec 31 23:59:59 2028 GMT
    Subject: C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority

    Signature Algorithm: sha1WithRSAEncryption
    Issuer: C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
    Validity
        Not Before: Jan  1 00:00:00 2004 GMT
        Not After : Dec 31 23:59:59 2028 GMT
    Subject: C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services

USERTrust RSA Certification is indeed listed as member of Windows Root Certificate Program.

If I am a website owner, how do I correct a warning on my legitimate site?

What is SmartScreen and how can it help protect me?
Learn how to use the SmartScreen in Microsoft Edge.

Microsoft Defender SmartScreen overview (Windows) - Windows security
Learn how Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files.

pharo-project / pharo-launcher

Check Windows app signing certificate is working well #528

Some context