Louis Kessler’s Behold Blog

That’s not very Smart of you, Microsoft - Fri, 7 May 2021

I’ve been an Independent Software Vendor (ISV), i.e. single developer operation, for over 15 years. I have had my products Behold and Double Match Triangulator available for download for the many versions of each of them.

I never put adware, spyware, viruses or anything bad in my programs. I pay money each year to code sign them so that users and Windows itself can be assured that the program they are installing is the one that I distribute and has not been modified by anyone else.

From time to time, one specific antivirus tool has a false positive with one of my programs and declares it bad. When a user tells me about that, it’s usually not difficult for me to go to the antivirus company’s website and fill out a form to ask them to check my program. They’ve never taken very long to whitelist my program and the problem is solved.


Microsoft Smart Screen

Not too long ago, Microsoft made enhancements to its SmartScreen component, which it uses on Windows 10 to help protect users against potentially malicious software. Up until a few months ago, the code-signing I added to my Behold and Double Match Triangulator setup programs was good enough for SmartScreen to accept them.

But over the past few months, the following has started to happen. Clicking on the downloaded setup program for either Behold or DMT now pops up the following window which is reminiscent of the dreaded blue screen of death:

image

Notice there is only one option: “Don’t run”.

You have to know enough and be willing to click on the non-obvious “More info” link to have it allow you to execute the program:

image

This will display the app information, and they know that I am the publisher because the program is code signed.

And now a “Run anyway” button is available. Yeah, right. “Run anyway” sounds reassuring – not!

Clicking on “Run anyway” now takes you to the User Account Control window, which is the standard Windows safety procedure for any installation program, and at this point everything is normal:

image

(I had to take a photo of this window, because it takes over your screen until you answer Yes or No and you can’t screen capture it.)


Smart Screen and Microsoft Edge

Even worse, if you are using Microsoft Edge, then it gives you several additional ominous warnings. First, when you click the download link:

image

“behold-setup.exe was blocked because it could harm your device” – is not a very friendly download message.

If you hover your mouse over the download box, you get this:

image

It now shows a garbage can, so that you can delete the download, and three dots. This obviously suggests that you click on the garbage can rather than the three dots.

If you do decide to click on the three dots, you get this:

image

Once again the first option is Delete. The second is Keep.

“Report this file as safe” takes you to a page where you can report the download as safe, either as a user, or as the developer (see below in this post).

“Learn more” takes you to a page about Microsoft Defender Smart Screen.

“See more” just lists your other downloads.

Clicking on “Keep” brings up yet another scary warning:

image

So how do you feel about installing a program which “might harm your device” when the only two options appear to be Delete and Cancel?

You have to know enough to click on “Show more” to proceed with the download. Doing so will give you this:

image

Notice they display my personal information. That is available in my setup program because it is code-signed. They pull out that information and don’t even display it well, showing my name twice, and giving my personal address (not nice of them) when my name, email address, company name (I use Behold Genealogy) and website address would have been much better.

You have to then realize that you must click on “Keep anyway”, and the setup file will finally appear in your Downloads with the ability to Open (i.e. run) it:

image

If you then try running it, you will get the blue “Windows protected your PC” box described earlier.

So that’s 3 additional ugly warnings that Microsoft Edge adds as obstacles to ensure that you really want to install my program. That even scares me and I know that my program is safe, so I imagine it must stop everyone else in their tracks preventing who knows how many people from wanting to try my programs.

Having my code signed used to be enough for Edge and it always had earlier allowed the download without problems. Try downloading in Google Chrome or Firefox and there are no obstacles. Installation still gives the blue “Windows protected your PC” box, but that’s a Windows thing, not a browser thing.
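The “More info” and “Show more” panels described above are just displaying fields from the installer’s Authenticode signature, and a user (or a support person helping one) can read the same fields directly before deciding whether to click “Run anyway”. The following PowerShell script is an added example, not part of the original post or of the Behold installers: it reports whether the downloaded file carries the Zone.Identifier “Mark-of-the-Web” stream (ZoneId=3 is what makes Windows and Edge run the SmartScreen check at all), whether the signature is intact, the signer’s certificate subject (the field Edge shows with the publisher’s name and address), and whether the certificate is a plain code-signing certificate or an EV one. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows; the path argument is a placeholder for whatever file was actually downloaded.

```powershell
# Added example (not from the original post): inspect a downloaded installer
# the way SmartScreen's "More info" / "Show more" panels do, read-only.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows.
# Usage: .\Inspect-Download.ps1 -Path "$env:USERPROFILE\Downloads\behold-setup.exe"
param(
    [Parameter(Mandatory = $true)]
    [string]$Path   # placeholder: point it at the file you downloaded
)

$file = Get-Item -LiteralPath $Path -ErrorAction Stop

# 1. Mark-of-the-Web: a Zone.Identifier alternate data stream with ZoneId=3
#    (Internet zone) is what tells Windows and Edge to consult SmartScreen.
$motw = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
if ($motw) {
    $zone = ($motw | Where-Object { $_ -like 'ZoneId=*' }) -replace '^ZoneId=', ''
    "Mark-of-the-Web  : present, ZoneId=$zone (3 = Internet)"
    $motw | Where-Object { $_ -like 'HostUrl=*' -or $_ -like 'ReferrerUrl=*' }
} else {
    "Mark-of-the-Web  : absent (file is not flagged as an Internet download)"
}

# 2. Authenticode: is the file signed, is the signature intact, and by whom?
$sig = Get-AuthenticodeSignature -FilePath $file.FullName
"Signature status : $($sig.Status) ($($sig.StatusMessage))"
if ($sig.Status -ne 'Valid') { return }   # NotSigned / HashMismatch / NotTrusted: stop here

$cert = $sig.SignerCertificate
$cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
"Signer (CN)      : $cn"
"Subject DN       : $($cert.Subject)"   # the DN Edge renders under "Show more", address included
"Issuer           : $($cert.Issuer)"
"Valid            : $($cert.NotBefore.ToShortDateString()) to $($cert.NotAfter.ToShortDateString())"
"Thumbprint       : $($cert.Thumbprint)"
"Timestamped      : $(if ($sig.TimeStamperCertificate) { 'yes' } else { 'no' })"

# 3. The certificate must carry the Code Signing EKU (1.3.6.1.5.5.7.3.3); an EV
#    code-signing certificate additionally carries the CA/Browser Forum EV
#    policy OID 2.23.140.1.3 in its Certificate Policies extension.
$ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$isCodeSigning = $false
if ($ekuExt) {
    $ekus = ([System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt).EnhancedKeyUsages
    $isCodeSigning = [bool]($ekus | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.3' })
}
$polExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.32' }
$isEV = [bool]($polExt -and ($polExt.Format($false) -match '2\.23\.140\.1\.3'))
"Code Signing EKU : $isCodeSigning"
"EV policy OID    : $isEV (a standard code-signing certificate reports False)"
```

The script deliberately changes nothing: it neither removes the Zone.Identifier stream nor runs the file, so it can be used to check any download against the publisher name the vendor states on their website. A `Valid` status only proves the file is unmodified since the named signer signed it; reputation, which the rest of this post is about, is a separate SmartScreen judgement that the signature fields do not reveal.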


Report this file/app as safe

Clicking on one of the “Report … as safe” links takes you to this page:

image

There are two options, to report a program safe as a user, or as the developer.

Clicking the first button results in this:

image

Clicking on the 2nd option as the owner expands that form to ask more information:

image

I have submitted this several times in the past few months for both my programs.

After submitting this form as a developer, I get this email back:

image 

And the next day, I get a similar email saying “Your file has been analyzed”. I click on the “View your submission” link in it and it takes me to this page:

image

If I read that correctly, they seem to be confirming that:

“behold-setup.exe has since established reputation and attempting to download or run the application should no longer show any warnings”.

They then say the signing certificate is still establishing reputation. That should be for other programs I sign it with. Behold and DMT should now be okay.

But they aren’t. Downloads still are going through all the above rigmarole.

I’d be okay if this procedure worked and cleared my program. Unfortunately it did not. I can keep trying, but this is more than frustrating I have to say.


Extended Validation (EV) Code Signing

There does appear to be one way to get rid of these horrendous messages. That is to upgrade my level of Standard Code Signing to Extended Validation Code Signing. For only $200 more a year, I can get an EV Code Signing certificate:

image

Supposedly from what I read, an EV Code Signing certificate will alleviate all these SmartScreen warnings as soon as I start using it.

So a week ago, I purchased a new EV Code Signing certificate for 3 years. For some reason, they were taking a long time to validate my phone number. Yesterday, I found that EV certificates are only available for businesses, and they confirm your signer information by verifying that your organization is valid and that the phone number corresponds with the organization.

I call my software development “Behold Genealogy” but it is not an incorporated business. I declare my earnings on my personal income tax every year. For me to register Behold Genealogy as an official business involves many complications and is more than I want to do.

I’ve now sent in my EV Code Signing refund request.


So What to Do?

As an Independent Software Vendor (ISV), I am somewhat screwed here. Microsoft is putting up roadblocks to my users, making them distrust my programs so that they’ll be reluctant to download and install them. And the reputation of my programs is only able to get better if there are users downloading my programs. A bit of chicken and egg here.

All I can really do is add some explanatory info at my two download links to help assure downloaders, try to get their trust, and give them instructions on how to avoid the obstacles and download my programs.

And I hope that Microsoft takes a closer look at the problems this is causing to ISVs like me, and at least mean it when they say my programs have now “established reputation”.




Update: June 3, 2021: It looks like my Code Signing Certificate must have achieved the “reputation” required by Microsoft. Downloads now happen freely in Edge and there no longer are any “Windows Protected Your PC” blue windows during install.

I am very relieved that this happened on its own in less than a month. My Code Signing Certificates should now retain their reputation at least until I have to renew them, which is 2 and a half years from now.

It would have been nice to have received notice when my “reputation” was achieved. I had been working on other ways to package my software so that Microsoft might approve it, e.g. build it as an MSIX package and submit it to the Microsoft Store, but even that wouldn’t have guaranteed anything.

Nonetheless, this still was not a nice thing for Microsoft to do, and for the past month (and I’m not sure how many before that), it caused me a lot of anxiety and unnecessary effort to attempt to find a solution. If Microsoft’s “Report a Download” page resulted in a confirmation of established reputation and no more warnings that actually was true at the time, and not a month later, I would feel much better about it.




Update: October 1, 2021: I’m wondering if 2 1/2 years from now, when my code signing certificate expires and I have to purchase a new one, whether I’ll be going through this once again.
