How to avoid the “Windows Defender SmartScreen prevented an unrecognized app from starting warning”

by

TL;DR

This warning is shown if your app doesn’t have enough reputation with Microsoft SmartScreen yet. In order to gain reputation, you can either

  • submit your app for malware analysis to Microsoft,
  • buy an “Extended Validation” code signing certificate,
  • buy a standard code signing certificate, or
  • just wait for a long time.

Read on for the details about these different options.

Option 1: Submit your app for malware analysis to Microsoft

Microsoft allows software developers to submit a file for malware analysis. According to Microsoft, this will help developers to “validate detection of their products”. If the review was successful, the Microsoft SmartScreen warnings will go away faster, or sometimes even instantly (it worked instantly for one of my own apps). You need to have a Microsoft account to submit your app for review.

However, note that if you release an updated version of your app, then you’ll also have to request a new review again. To overcome this problem, you’ll either have to use an “Extended Validation” or a standard code signing certificate (see below).

Option 2: Buy an “Extended Validation” code signing certificate

A guaranteed way to immediately and permanently get rid of the Microsoft SmartScreen warnings is to buy an “Extended Validation” (EV) code signing certificate from one of the Microsoft-approved certificate authorities (CA’s), and to sign your app with that EV certificate.

Such an EV certificate will cost you somewhere between 250 and 700 USD per year, and will only be issued to registered businesses. If you’re a single developer, you must be a sole proprietor and have an active business license. You can read more about the formal requirements for EV code signing certificates in the EV Code Signing Certificate Guidelines.

An EV certificate will typically be shipped to you by physical delivery on a hardware token.

Option 3: Buy a standard code signing certificate

You can also buy a cheaper “standard” (i.e. non-EV) code signing certificate, and sign your app with that certificate. This will also permanently, but not instantly, make the Microsoft SmartScreen warnings disappear. Standard code signing certificates will cost you between 100 and 500 USD per year, and can also be issued to private developers without an active business license. Some CA’s also offer discounts for open source projects.

No instant solution

The problem with standard code signing certificates is that they do not instantly silence Microsoft SmartScreen. Instead, some time will be needed for your certificate to build reputation before the warning will go away. However, once your certificate has built enough reputation, all applications signed with that certificate will be permanently trusted by Microsoft SmartScreen and won’t trigger the warning anymore.

How long will it take?

So, how long will it take until the Microsoft SmartScreen warning will disappear when using a standard code signing certificate? Unfortunately, this is difficult to answer, since Microsoft itself refuses to publish any details about this. According to inofficial numbers reported by various sources (see below), it usually takes between 2 and 8 weeks until the warning will permanently go away. It seems that the exact duration also depends on the reputation of the website from which your app is downloaded.

The inofficial numbers are:

  • 18 days and about 430 app installs. Source: one of my own certificates (Dec 2022)
  • 42 days and about 1.400 app installs. Source: one of my own certificates (Feb 2021)
  • 16 days and about 2.000 app installs. Source: one of my own certificates (May 2020)
  • One month and more than 10.000 downloads. Source: here (Jan 2020)
  • Between a few weeks and a month. Source: here (Dec 2019)
  • About 2-3 weeks. Source: here (Dec 2019)
  • About 3.000 downloads. Source: here (Dec 2013)

The problem of certificate rollover

Certificate rollover occurs when your old certificate expires and you begin signing your code with a renewed certificate.

It’s a good idea to buy your standard code signing certificate with the longest possible validity period because when you renew your certificate, the reputation will unfortunately not automatically carry over to the renewed certificate (not even if it’s signed against the same private key as the old certificate).

However, you can mitigate the rollover problem by getting your renewed code signing certificate before your old certificate expires, and then using both the old (but not yet expired!) and the renewed certificate to sign your code, resulting in two signatures. The signature from your old certificate will continue to bypass SmartScreen and, at the same time, the new signature will help the new certificate to build up trust. So, the idea is that your new certificate becomes trusted before your old certificate expires.

If your old certificate should already have expired, then you can (and should!) still add the signature from your renewed certificate to an already released version of your app, in order to gain reputation for the renewed certificate.

To correctly dual-sign your app, first sign your code with the old certificate, and then sign it again with the renewed certificate, using the /as command line option of Microsoft’s SignTool to append an additional signature to the first one (instead of replacing it).

Option 4: Just wait for a long time

If you don’t take any measures at all, the Microsoft SmartScreen warning will also go away eventually. This might however take a ridiculous amount of time (months) and / or downloads (tens of thousands). Another big problem is that each time you’ll release an updated version of your app, the waiting period will start all over again. So, this probably isn’t the solution you’re looking for.

Leave a Comment

Hata!: SQLSTATE[HY000] [1045] Access denied for user 'divattrend_liink'@'localhost' (using password: YES)