How to avoid the “Windows Defender SmartScreen prevented an unrecognized app from starting warning”

by

TL;DR

This warning is shown if your app doesn’t have enough reputation with Microsoft SmartScreen yet. In order to gain reputation, you can either

  • submit your app for malware analysis to Microsoft,
  • buy an “Extended Validation” code signing certificate,
  • buy a standard code signing certificate, or
  • just wait for a long time.

Read on for the details about these different options.

Option 1: Submit your app for malware analysis to Microsoft

Microsoft allows software developers to submit a file for malware analysis. According to Microsoft, this will help developers to “validate detection of their products”. If the review was successful, the Microsoft SmartScreen warnings will go away faster, or sometimes even instantly (it worked instantly for one of my own apps). You need to have a Microsoft account to submit your app for review.

However, note that if you release an updated version of your app, then you’ll also have to request a new review again. To overcome this problem, you’ll either have to use an “Extended Validation” or a standard code signing certificate (see below).

Option 2: Buy an “Extended Validation” code signing certificate

A guaranteed way to immediately and permanently get rid of the Microsoft SmartScreen warnings is to buy an “Extended Validation” (EV) code signing certificate from one of the Microsoft-approved certificate authorities (CA’s), and to sign your app with that EV certificate.

Such an EV certificate will cost you somewhere between 250 and 700 USD per year, and will only be issued to registered businesses. If you’re a single developer, you must be a sole proprietor and have an active business license. You can read more about the formal requirements for EV code signing certificates in the EV Code Signing Certificate Guidelines.

An EV certificate will typically be shipped to you by physical delivery on a hardware token.

Option 3: Buy a standard code signing certificate

The cheaper “standard” (i.e. non-EV) code signing certificates can also be used to permanently, but not instantly, get rid of the Microsoft SmartScreen warnings. Standard code signing certificates will cost you between 100 and 500 USD per year, and can also be issued to private developers without an active business license. Some CA’s also offer discounts for open source projects.

No instant solution

The problem with standard code signing certificates is that they do not instantly silence Microsoft SmartScreen. Instead, some time will be needed for your certificate to build reputation before the warning will go away. However, once your certificate has built enough reputation, all applications signed with that certificate will be permanently trusted by Microsoft SmartScreen and won’t trigger the warning anymore.

How long will it take?

So, how long will it take until the Microsoft SmartScreen warning will disappear when using a standard code signing certificate? Unfortunately, this is difficult to answer, since Microsoft itself refuses to publish any details about this. And since there is a whole bunch of information that Microsoft SmartScreen might use to decide upon trustworthiness, your mileage may vary greatly. According to inofficial numbers reported by various sources (see below), it usually takes between 2 and 8 weeks until the warning will permanently go away. However, keep in mind that this will also depend on how many downloads and / or installs your app has.

The inofficial numbers are:

  • 42 days and about 1.400 app installs. Source: my own certificate (Feb 2021)
  • 16 days and about 2.000 app installs. Source: my own certificate (May 2020)
  • One month and more than 10.000 downloads. Source: here (Jan 2020)
  • Between a few weeks and a month. Source: here (Dec 2019)
  • About 2-3 weeks. Source: here (Dec 2019)
  • About 3.000 downloads. Source: here (Dec 2013)

What you also need to know

Note that there is another catch with standard code signing certificates: When your old certificate has expired, the certificate reputation will not automatically carry over to the new certificate. What you can do in this case, however, is to re-sign a previously released product already signed with an already trusted certificate with your new/renewed certificate (resulting in two signatures). The original signature will continue to bypass SmartScreen and the new signature will help the new certificate to build up trust. You’d ideally even start this dual-signing phase well before your old certificate expires, so that your new certificate will become trusted before your old certificate expires.

Note that it’s still strongly recommended to buy a standard code signing certificate with a long validity term in order to avoid the hassle with transferring your existing certificate reputation for as long as possible.

As a final note, always make sure that you’re timestamping your signed apps. Timestamping is extremely important, as it will allow the signed app to remain valid after the certificate itself has expired. Make sure to use an SHA-2 digest algorithm (e.g. SHA-256) for both the file and the timestamp signatures. Also see this question for further details.

Option 4: Just wait for a long time

If you don’t take any measures at all, the Microsoft SmartScreen warning will also go away eventually. This might however take a ridiculous amount of time (months) and / or downloads (tens of thousands). Another big problem is that each time you’ll release an updated version of your app, the waiting period will start all over again. So, this probably isn’t the solution you’re looking for.

More Related Contents:

  1. WIX Installer with modern look and feel
  2. Uninstall and Install App on my Computer silently
  3. How do I add/update a property inside an MSI from the command-line?
  4. How do I install and use cURL on Windows? [closed]
  5. Application does not work when installed with Inno Setup
  6. Windows Application Startup Error Exception code: 0xe0434352
  7. Issue installing Tensorflow — not a CUDA/CuDNN issue
  8. Node.js/Windows error: ENOENT, stat ‘C:\Users\RT\AppData\Roaming\npm’
  9. How can I uninstall an application using PowerShell?
  10. How to create a simple install system for VB6 on XP/Vista and newer? [closed]
  11. Installing application for currently logged in user from Inno Setup installer running as Administrator
  12. How to install Poppler on Windows?
  13. How to install mongoDB on windows?
  14. ‘node’ is not recognized as an internal or external command
  15. WMI “installed” query different from add/remove programs list?
  16. Uninstall without an MSI file
  17. Best way to have crash dumps generated when processes crash?
  18. Combine exe and msi file in one installer
  19. How to create a robust, minimal installer for Windows? [closed]
  20. How to install Qt on Windows after building?
  21. How can I stop my installer from triggering Windows 10’s “This app has been blocked for your protection” error?
  22. How to prevent that java.exe is installed in Windows’ system32?
  23. Run batch file in Windows Installer Commit
  24. Batch file v PowerShell script
  25. How to make win32 console recognize ANSI/VT100 escape sequences?
  26. Iterate all files in a directory using a ‘for’ loop
  27. What is the difference between Cygwin and MinGW?
  28. Open Excel on Jenkins CI
  29. Difference between $? and $LastExitCode in PowerShell
  30. Do high-integrity tokens *have* to have the Administrators group enabled?

Leave a Comment