SmartScreen filter saying executable signed with new certificate "not commonly downloaded"

  • Question

  • I'm having trouble with a new version of a file that has been in our production ecosystem for years. We made a small tweak to the application and had to update the signature since our code signing certificate was expired. Now when we download it in non-production environments IE says it is "not commonly downloaded" and on Windows 8 when you go to run it there is a big ugly overlay saying that it is potentially unsafe and you have to make a couple clicks before "SmartScreen" will allow the product to install. The filename hasn't changed, nothing in the code has changed (we rebuilt with the new cert to add another type of installer and not change any of the code for the other installers).

    Is there some way to prevent this from happening? I assume after some amount of users download and use the file in question this error will go away, but how long does that take? I looked into the solutions in the FAQ for Windows SmartScreen filters but it just said to sign the application (already done) and possibly apply for a Windows logo.

    Monday, March 18, 2013 4:09 PM

All replies

  • Yes, the installer is correctly signed and timestamped etc... I'm not getting a 'red' warning indicating an issue with the cert. I'm getting a "this file is not commonly downloaded" which has to do with building reputation. Therein lies the problem, because we should have reputation. The installer I'm mentioning gets downloaded tens of thousands of times a day with the old signing certificate. However, the new cert doesn't have reputation. We would love to make the new version available, but a new cert seems to mean new reputation for SmartScreen and that means nasty messages to users who download. This issue is particularly concerning on Win8 where SmartScreen shows strong warnings on an OS level for a correctly signed and reputable download, it just doesn't have SmartScreen reputation because of a new cert.

    I was hoping someone else on here had a similar experience and perhaps found the right MS person to talk to about gaining reputation for a new cert from a known and well established company. If not, at least some kind of anecdotal data about how many downloads it takes to build enough reputation such that this message goes away for new downloads. As it is now, there is no way to tell whether this error message will go away with 100 or 100,000 downloads and thus we have no way of predicting the impact it might have. We have attempted to contact "technical support" (OAS) about this and seem to only have gotten the run-around so far.

    I find it funny that we have run this installer on a number of machines with different anti-virus software without issue, but the OS and its packaged browser are the ones complaining. If we get some significant update on this I'll try to come back and put any information I can up for other people distressed about a similar situation.

    • Edited by PHott Tuesday, March 19, 2013 4:33 PM
    Tuesday, March 19, 2013 4:16 PM
  • Sorry, but never really got a solid answer. We ended up publishing a version of the installer that gets only a few downloads a day at best to see if it was happening in production. We did a number of test downloads for it and saw the issue last night through this afternoon. Then today, once we finally got in contact with someone to help, he said it wasn't reproducing on his machine and, lo and behold, it wasn't for us either.

    Can only make guesses about why it stopped flagging. Good luck finding a solid answer, but what we did worked after the download was available for a little over a day.

    Tuesday, March 19, 2013 10:49 PM