We’ve launched a small plugin app. Pretty basic setup, but packaged in Inno Setup, and the .exe signed with a cert obtained via a Sectigo reseller.
The exe is hosted on Amazon S3, and distributed through an expiring S3 URL.
It seems even through all of this, Windows smart defender is blocking downloads on Windows machines. Seems we’ve done everything correctly on our end – does anyone have an idea on how to assess / prevent this issue?
So when you create an expirable URL with the Amazon S3 SDK, it does indeed generate https – and our server is running on Heroku, which is using the auto managed SSL certs.
Totally scratching my head on this one… submitted it to Microsoft for review and it came back as clean, but it’s still happening.
What type of cert did you get? I believe there are multiple ‘levels’; the cheaper one is strange in that it doesn’t just ‘work’ when you start using it. Some sort of ‘number of downloads’ or something needs to happen before it starts being recognized. We went through this at work, and had to update to the more expensive one to have immediate cert recognition. Be aware, I am talking about this from a very unknowledgeable perspective, only arising from observing our process.
We recently experienced SmartScreen alerts too, even though we were already using pretty expensive code signing certificates with no troubles at all. Had an enlightening talk with a Microsoft employee after we submitted our installer to report false detection: SmartScreen and/or Defender use a notoriety score associated with every encountered code signing certificate’s thumbprint. When releasing new binaries signed with a fresh new certificate, it may take some time before it gains decent notoriety. Sometimes, with bad luck, the false-detection/yet-unknown-cert combo will trigger SmartScreen alerts. With relatively low impact, in our case, based on our estimation. As long as you submitted your file, this should be fixed quickly.
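To check what a Windows client actually sees for the downloaded installer (signature status, the signing certificate's thumbprint, whether the certificate carries the EV code-signing policy, timestamping, and the download's Mark of the Web), here is an added PowerShell example that is not from any poster in this thread. It assumes Windows PowerShell 5.1 or later; `$Path` is the installer file you pass in.

```powershell
# Added example, not from the thread. Run on a Windows machine against the
# installer exactly as a user downloads it from the expiring S3 URL.
param([Parameter(Mandatory)][string]$Path)

$sig  = Get-AuthenticodeSignature -LiteralPath $Path
$cert = $sig.SignerCertificate

# Certificate Policies extension is OID 2.5.29.32. The CA/Browser Forum
# EV code-signing policy OID is 2.23.140.1.3; if it is absent, the
# certificate is one of the non-EV "levels".
$isEv = $false
if ($cert) {
    $pol = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.32' }
    if ($pol) { $isEv = $pol.Format($false) -match '2\.23\.140\.1\.3' }
}

# Mark of the Web: browsers add a Zone.Identifier alternate data stream to
# downloaded files. A copy taken straight from the build machine has none,
# so test with a file that was really downloaded.
$zone = $null
$motw = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
foreach ($line in $motw) {
    if ($line -match '^ZoneId=(\d+)') { $zone = $Matches[1] }
}

[pscustomobject]@{
    File          = (Resolve-Path -LiteralPath $Path).Path
    Status        = $sig.Status          # anything other than Valid is a signing problem
    StatusMessage = $sig.StatusMessage
    Subject       = $cert.Subject
    Thumbprint    = $cert.Thumbprint     # the value the reply above says the score is tied to
    CertNotBefore = $cert.NotBefore      # how new the certificate is
    EvPolicyOid   = $isEv
    Timestamped   = [bool]$sig.TimeStamperCertificate
    # Hash to confirm the S3 copy is the same build that was signed and submitted.
    SHA256        = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    ZoneId        = $zone                # 3 = Internet zone
}
```

A `Valid` status with a recently issued certificate points at the reputation delay described in the replies rather than at a signing or hosting mistake.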
The most infuriating part is I keep getting messages from Microsoft – this software has passed requirements and users should no longer see this warning. Meanwhile the warning is still there.
MS is a racket with how they handle certs… never had such a sketchy experience buying something than a cert online and downloading in an old IE; it’s like I’m on the dark web or something lol