Exploring How to avoid 'Unrecognized Application' on Windows
Recently, I started writing a small video game usying Python Arcade. In order to distribute it to my friends I started compiling it into a single .DLL using Nuitka. In fact, you can download an early version here.
If you do download the game, and try to run it on Windows (sorry Linux and Mac users), your Windows defender will produce a “Windows Protected Your PC” warning and prevent the application from running (if you click ‘More Info’, you’ll be giving the option to run the application).
This mechanism is driven by Window’s Defender’s SmartScreen.
A bit of annoying warning from a developer’s perspective, but it’s a warning I think we can all agree is needed for preventing malware execution.
But the question then comes, what are the steps that are needed to be preformed to become a ‘recognized’ app in Microsoft’s eyes?
In this blog post, I will go into the research I’ve done to preform such a task. While, I have not come to a solution now, I wanted to have a place to hold my research and have a place to share it with others.
I’ll provide as much links to documentation as I can, so you can find it on your own.
Likewise, I plan on updating this document when I return to this topic.
- TLDR
- Running an Unrecognized Application via ‘Run Anyway’
- How Window’s Defender determines if a Executable is ‘Unrecognized’ - Reputation
- Submitting your Application For Review by Microsoft
- Certificates
- Is there any easy way, like through Let’s Encrypt?
- Other things I’ve found…
TLDR
TLDR: You application gains reputation as it is downloaded and ran by people. You can increase the reputation by submitting it to Microsoft for malware evaluation, but this takes time.
Extended Validation (EV) certificates cost a crap ton of money and can only be issued to organizations, but they allow the SmartScreen warning to instantly go away.
Organization Validation (OV) and Individual Validation (IV) certificates cost less (but still a lot), but don’t automatically remove the SmartScreen. You still need to gain reputation organically; however, your certificate will gain reputation alongside your application. Thus you can use it to sign other applications, which will gain reputation from your certification.
Running an Unrecognized Application via ‘Run Anyway’
First, I wanted to make a note about allowing an application to run by clicking on the ‘Run Anyway’ button on the ‘Windows protected your PC’. Mainly, I wanted to see if there was a way to undo this action.
However, from a decent bit of searching, I have not found a way to undo this action. Google has found nothing of use, and I’ve searched through the Window’s Registry Editor and haven’t found anything related with applications that I’ve clicked ‘Run Anyway’ on.
I know I should at least have some applications that I’ve allowed, but perhaps Microsoft has hid the ability to undo to disable people from repeatedly accepting an executable to increase it’s reputation (we’ll get into reputation shortly).
If anyone does find a way to disable it, let me know. It would be nice to have a way to test locally if a Window’s Defender SmartScan accepts an application or not.
How Window’s Defender determines if a Executable is ‘Unrecognized’ - Reputation
Note: Here, I referrer to executable and application interchangeably. By executable/application I refer to a program that executes commands on a computer without the need to be compiled.
Application’s and executables are accepted based upon the executable’s reputation and the reputation of the certificate that has signed it.
From what I’ve discovered, this reputation is based on the number of times Window’s Defender/Microsoft has seen the executable and the number of times that application has been submitted and identified as malware.
Microsoft provides a way to submit an executable for malware analysis. From what I’ve seen, this site is the same for when you want to report a malware executable or you want to submit your application to be flagged as not malware. You can submit your application yo microsoft here: https://www.microsoft.com/en-us/wdsi/filesubmission/. See, here for more submission guidelines: https://learn.microsoft.com/en-us/defender-xdr/submission-guide
It appears that this site will automatically scan your application and will probably make a determination on that scan. After that scan, it is placed into a queue, and based on priority, it will be analyzed by a human at Microsoft to determine if it is malware or not. If your application is accepted here, it will gain reputation.
On top of that, the reputation of your application is based on the certificate that was used to sign it. As we will go into detail in another section, this certificate must be purchased. The certificate itself has reputation. If a signed executable is found to be malware, other executables signed with that certificate will be negatively effected.
Using an Extended Validation (EV) Certificates on your code will automatically allow your executable to pass the Smart Screen Scan. See the Certificate section for more info.
See:
Submitting your Application For Review by Microsoft
To gain reputation for your application, you can submit your application to Microsoft to gain additional reputation, but it appears this can take a long time. I believe if you are an enterprise customer (i.e. pay to play) you will go faster through the priority.
Submit your application here: https://www.microsoft.com/en-us/wdsi/filesubmission/ Additional Guidelines: https://learn.microsoft.com/en-us/defender-xdr/submission-guide
Certificates
Extended Validation (EV) Certificates
Now, onto certificates. There are a number of certificates out there for the choosing, but again, only executables signed with a Extended Validation (EV) Certificates will immediately pass the SmartScan. However, the EV Certificate comes with some caveats.
First, an EV certificate can only be issued to an Organization, so single individuals cannot get obtain an EV certificate. However, I’m guessing any individual with an LLC should be able to obtain one.
Second, your issued EV certificate private key it’s self is shipped and must only be stored on an encrypted USB hardware token (such as a Yubi Key). This is to prevent keys being stolen. (There also appears to be a way to sign from the cloud).
Lastly, EV certificates are expensive. This is because they require a higher standard for authenticating the identify of the certificate requester’s legal identity. Hence the name, Extended Validation.
EV certificates seem mostly geared towards truly enterprise organizations.
NOTE: EV certificates a required for developing a Windows 10 Driver.
List of Code Signing Authorities (There’s probably more):
EV Requirements
From what I’ve found going through a few different sites, CA’s require the following when applying for an EV certificate (It looks like there are some differences between different issuers):
- Organization Name, Trade Name, etc.
- Business Address
- Telephone numbers
- Verification of the Business owner
- Dun & Bradstreet (DUNS) number
- Attestation letter from a licensed professional
Some requirements listed above appear that they can be substituted for each other (e.g. DUNs number instead of a letter from a licensed professional).
See:
EV Expiration
Like all good Certificates EV’s expire. Any renewed certificate will require you to go through the same validation as you did with the first one.
I believe using an expired EV certificate to sign code decreases it’s reputation.
EV Cost
Here are some costs I grabbed from a list of CA’s. They all offer discounts for longer certificate duration.
- Digicert 1 Year - EV w/ DigiCert-Provided Hardware Token: $648.00
- Entrust 1 Year - EV w/ Entrust-Provided Hardware Token: $399.00
- GlobalSign 1 Year - EV w/ GlobalSign-Provided Hardware Token: $410
- SSL.com 1 Year - EV w/ SSL.com-Provided Yubikey: $628
For the SSL.com, the YubiKey’s are $279 each…
Please see each site for a further breakdown. Also, these prices are probably out of date by the time you read this.
Some Links to More Info on EV:
- SSL What is EV Code Signing?
- SSL.com’s Requirement for an EV Certificate
- Extended Validation Certificate Wikipedia Article
Organization Validation (OV) and Individual Validation (IV) certificates
OV and IV certificates are similar to EV, but are not as rigours in their validation. They are also similar to a Domain Validation (DV) certificate, but require more validation.
OV certificates are issued to organizations, while IV certificates are issued to individuals
It appears that, OV and IV certificates offer the same amount of trust to the user, but they just
When compared to EV certificates, OV and IV offer the same amount of trust, and have similar needs for validation, the only difference is varying a business vs an individual.
These certificates are cheaper since they require less validation then EV; however, they do not offer the same trust as EV certificates and thus, unfortunately, do not grant immediate Window’s Defender SmartScreen acceptance.
However, they allow the ability to use a certificate to help your applications gain some reputation, but SmartScreen reputation still has to be obtained organically, by the number of downloads.
It seems that over time, as your application becomes reputable, so to will the certificate become reputable. Thus, new applications signed with your certificate will gain some reputation just from being signed from a ‘trusted’ certificate.
As quoted from this Microsoft Article:
Reputation is also generated for digitally signed downloads based on the digital certificate used to sign the file. Digital certificates allow reputation to be assigned to a single identity (digital certificate) across multiple files. If you are not signing your programs, reputation will be built independently for each file you distribute. In contrast, signed programs may inherit the reputation of your digital certificate.
For some real good information on the difference between all three certifications see this ssl.com article.
Requirements for OV and IV Certificates Validations
Requirements for both (I’m only listing some here for brevity):
- Identifiable information
- Physical Address
- Phone Numbers
- etc.
Requirements for Individuals:
- A Scan copy of a government-issued photo ID
- Photo of yourself with your ID
Requirements for Organizations:
- DUNS number
- Other records of Organization existence
Renewing OV/IV Certificates
New OV/IV certificates will lack reputation, essentially they start over. To give new certifications reputation you can sign your applications with both the new certificate and the old one. (Taken from this stack over flow answer).
OV/IV Cost:
- Digicert 1 Year - OV w/ DigiCert-Provided Hardware Token: $648.00
- Entrust 1 Year - OV w/ Entrust-Provided Hardware Token: $299.00
- GlobalSign 1 Year - OV w/ GlobalSign-Provided Hardware Token: $289
- SSL.com 1 Year - OV w/ SSL.com-Provided Yubikey: $408
Again, this is just from a quick glance of the above website. Please see their sites for real and current pricing.
Is there any easy way, like through Let’s Encrypt?
Let’s Encrypt is a non-profit Certificate Authority that allows individuals and organization to obtain free SSL/TLS certificates. For those not familiar with Web Development, it’s the easiest way to obtain an SSL/TLS certificates to enable secure communication over HTTPS. Fun fact, this website is using a Let’s Encrypt verified SSL certificate!
However, to quickly answer the header of this section, no, Let’s Encrypt does not provide, or plans to provide, EV certificates.
Other things I’ve found…
- Creating Temporary Certificates for use during development - Apparently you can use development certifications, but I think this is mostly for testing, and for distributing your code as you develop it through an intranet. Those who use your application during development can probably add the certificate to a trust store.
- Windows Win32 Certification - There apparently used to be a Windows Certification program, but it now appears deprecated.
- Window’s Sign Tools - I have not included any information on how to
sign an application, but it should be pretty trivial if you have interest in
this page. But it appears on windows you can use the
SignTool
command line-tool to do so.