Windows 8’s application SmartScreen: speed bump for desktop apps

After installing the Windows 8 Consumer Preview, one of the first things I tried was to install and run MetroTwit Loop. To my dismay, my screen darkened. “Windows protected your PC” it read. “Oh good” I thought, that is before I realized it stopped me from running my own application.

I knew I could click “More info” and then “Run anyway”, but most common users are probably going to see this and freak out. After all, “Running this app might put your PC at risk”.

Ironically I should have known this might happen because I first uncovered the existence of “Windows SmartScreen” almost a year ago when the first builds of Windows 8 leaked. Of course it didn’t actually work then so it was hard to say what the impact is. Having seen it in action now, this is quite worrying from the perspective of a desktop app software developer.

Microsoft has been integrating SmartScreen into various products including Windows Live Messenger, Internet Explorer 9 and now Windows 8 to protect users from malicious links, content and now apps.

It all works on “reputation”, which is about as transparent as a brick wall. Microsoft briefly explains it is assigned to unique downloaded files and your digital certificate, but how you gain reputation, how quickly you gain reputation and the current reputation of any app or certificate is unknown.

As I’ve also found, the act of signing your installer & application with a code signing certificate (which costs up to $499 a year from Microsoft’s recommended certificate authority Verisign) doesn’t automatically grant you “enough” reputation either.

In comparison, Apple recently stirred up a bit of controversy for its new “Gatekeeper” feature in OS X Mountain Lion. It too is a new security feature that limits what “non-Store” apps you can run. The difference however is that any registered Apple Developer could get a free Developer ID to sign their apps with and be granted permission. Code signing on Windows 8’s SmartScreen doesn’t seem to have such an (immediate) effect.

Although I understand one day, MetroTwit and our company’s digital certificate might/will earn “enough” reputation for it to be automatically accepted. But until then, it’s not a good feeling your application will prompt such a strong disheartening message to an unknown number of users.

This also raises a chicken-and-egg issue, would lesser known apps ever gain enough users to trust it with such an intimidating roadblock for new users? It’s hard to tell behind the smokescreen that is Windows SmartScreen.

Update: How-to Geek has an article on how to disable Windows 8’s SmartScreen, however the fact is it’s still enabled by default for the common user.

32 insightful thoughts

  1. I guess things will be even worse for developers who can’t afford code signing certificates.

    At least SmartScreen for files in Windows 8 can be disabled (for now), which is more than can be said about SmartScreen in Windows Live Messenger. The deleterious effects of the former are greater, of course.

  2. This is one of those things that sounds nice to most people. “oh, they’re keeping us safe.”

    In reality this is a dangerous path. It will likely hurt the openness of the platform and drive developers away.

    It creates risk and fear for developers and development companies.

  3. I’m wondering if putting your Desktop app “in” the Windows Store (even though that’s just a link) gets you an automatic bump up in reputation. It would be a great way for Microsoft to encourage developers to build the store quickly while helping them over the reputation hump. This of course presumes that they are going to apply any science to Desktop app submissions to the Store. For example, running not just the Microsoft Anti-Malware engine against submissions but the entire suite of tools they use when someone reports a suspicious image to the MMPC. Those tools include techniques that are too slow, or produce too many false positives (that they have to manually check), to include in the Anti-Malware engine itself.

  4. Wow, so there’s no “let me run it anyway” button? That’s an idiotic move by Microsoft.

      1. In Windows 9 after you click “More info” there will be “More advanced info” and from there you can run program. 😉

  5. >As I’ve also found, the act of signing your installer & application with a code signing certificate (which costs up to $499 a year from Microsoft’s recommended certificate authority Verisign) doesn’t automatically grant you “enough” reputation either.

    You can get a much cheaper code signing cert from tucows (from verisign, thawte, comodo etc) @ https://author.tucows.com//

    1. If we’re plugging code signing certificate resellers, I can recommend K Software (http://codesigning.ksoftware.net/) – they resell Comodo certs. I think Tucows’s advertised price is a bit cheaper, but if you contact them they’ll beat it.

      In any case, there’s no reason to buy from Comodo or Verisign directly – they charge a huge premium for exactly the same product.

  6. True. K Software is pretty good as well. In any case, I think code signing is a good practice – the easiest way to authenticate that the software comes from the publisher and hasn’t been tampered with. In this case, MetroTwit will be doing a much needed public service by signing the app – not just the initial downloader.

  7. dude – you only sign the initial installer!!! the installer then downloads metrotwit from the internet, and you don’t sign it metrotwit – the real app.

    your initial installer doesnt get smartscreen block – good for you – propably means your certs got rep. but your unsigned download gets the warning, as it should. i know you’re not a bad guy – but if you decided to download something else from your installer – say some adware ohh say you wann make more $$$$ 🙂 – hee hee – or mebbe slip a lil somethin’ somthin’ in one of yo nightly builds.. 🙂

    just sign that thang and turn that frown upside down.

  8. (fixing a typo, and a minor edit)

    You sign MetroTwitLoop – and it installs and runs without any smartscreen prompt. No problems.

    You DO NOT sign MetroTwit.exe (http://i.imgur.com/jGdR8.png) – and so the user gets the SmartScreen prompt.

    So, SIGN MetroTwit.exe – you’ve complained about MetroTwit.exe in your post – and that should address the problem.

    1. Yep. Signing EXEs for ClickOnce is not supported by default. I spent about 6 hours last night figuring out a workaround. We implemented this for MetroTwit Loop but still have a SmartScreen prompt.

  9. My bad – you did talk about metrotwitloop at the start of your blog. I do not see a SmartScreen prompt when I install MetroTwitLoop any more.

  10. Neither can SmartScreen download reputation checking be turned off in Internet Explorer. There too, it scares average users away by warning good apps as potentially malicious. I guess it’s a Microsoft decision to bring more business to its partners, VeriSign etc. In IE, SmartScreen for web browsing can be disabled but not separately for the download app reputation feature AFAIK.

  11. Stuff like this isn’t bad. Especially when I come across malware ridden computers all the time. It’s a problem many face.

  12. Can you share with us how you signed your application please. We have two installers, one is an msi (for Chrome and Firefox users) and one is ClickOnce. The warning isn’t displayed for the msi installer which is signed. But we see the warning for the ClickOne application.

    1. Spent about 6 hours working on this problem 😛

      In short, I have a custom build script that does
      – MSBuild /target:build,publish
      – Copy the EXE from /bin/ to /publishdir/ (which is signed by build)
      – Rename all files in publishdir to strip the .deploy extension
      – Use Mage.exe to rebuild the manifest with the new EXE
      – Rename all files in publishdir to add .deploy extension (except .manifest)
      – Use Mage.exe to rebuild .application manifest with the new hashes

  13. It’s mostly about monetization! Free use of another’s work product? However, IMHPO, MS has carried itself way too far down that road. Yikes, HUNDREDS OF DOLLARS!!!!!!

  14. I just downloaded MetroTwit to see if you have a good reputation. There is still a security warning but it shown in a way that I have never seen before. Your Smartscreen reputation is apparently high enough to get past the Windows 8 dire risk warning but the install still doesn’t happen immediately and some new warning box appears. It is a mild warning and does have an “install” button visible and easy to access.

    This is interesting because I am trying to gain reputation with a signed app that people can download (that I won’t shamelessly plug) and once I get past the Smartscreen filter, there are no messages displayed and my installer dialog box appears.

    I suspect that I will never get enough downloads to get a good reputation. People just don’t like those security warnings.

  15. It’s a shame that Microsoft is doing this. They are really hurting new and small devs who don’t want to either pay for a cert or the annual dev fee for the Windows store.

  16. To gain immediate reputation you can use an EV certificate from VeriSign or DigiCert. The cost is again higher but does gain you immediate reputation.

    Sadly, using an EV cert seems to be incompatible with TeamBuild and will create havoc in a scripted build environment. EV certs require that your cert is installed on a hardware Token. The only vendor for signing tokens is Safenet. Their software requires a password prompt for signing. So you can imagine when something like teambuild executing as a service tries to pull up a dialog box things do not go well. Additionally, Safenet’s drivers are design to prevent access from anything but the console. Again, problematic because you can’t even sign from a remote desktop session.

  17. The following may be a workaround for the problems faced in this thread. If the deployed clickonce software is used in house, if you have a small customer base, or can control the computers via group policy, but want to keep the clickonce deployed on an internet url for easy access outside of the company network this may be a viable solution.
    One way I found that works well for small-scale deployments is to add the clickonce url to the trusted websites security zone in Internet Explorer. Installing from the internet url does not trigger the smartscreen warnings. This has so far prevented the smartscreen from interfering with signed clickonce applications (manifest and program).
    I found this thread while looking for ways to prevent smartscreen from interfering with automatic updates on remote, unmanaged (no active directory) devices where a user is not present to allow the update all the time.
    This is tested on Windows 8.1. We use our own PKI with our own root ca installed as trustedpublisher (added to a base image), eliminating the need for third party certificates for inhouse software.
    To prevent unnecesary risk, the trusted clickonce url should be as specific as possible (not complete domains whitelisted) and should use SSL.

  18. I would highly other code signing certificate reseller, and the name is CodeSignCert.com, why this specific website recommendation from me as software developer because there are plenty of reasons that i had while buying from them a code signing certificate.

    CodeSignCert.com offers a COMODO code signing certificate for only $59/year, yes..!! It’s only 59$ for per year. Even i was surprise when i heard that price but it’s true.

    They claim they are Platinum Partner Re-seller of Comodo, and it’s true after short of research i got plenty of recommendation for this company.

    I had saved plenty of buck when i bought this certificate from them, and they had excellent and friendly support team and i would say that’s literally BONUS FOR ME.

    Here is there website;
    https://codesigncert.com/

Comments are closed.