How can I make SmartScreen Filter trust a self-signed certificate

别那么骄傲 2020-11-30 01:57

Microsoft's SmartScreen Filter under Windows 8 is a small developer's worst nightmare.

While I realize the benefits to end users and the effectiveness at stopping

5 answers
  • 2020-11-30 02:13

    Old question, but I recently had the same issue where I needed to download a small installation package down to a user's PC for them to execute. But as always SmartScreen was blocking the download...

    A workaround that I discovered is to package your installer file in a .zip (or the like) and then have the user download this compressed file and execute the installer within. This is at least the "prettiest" solution that I had to use in my scenario.

    This method saves you from having any kind of certificates assigned to your files. You just need your users to trust you, but this will bypass the SmartScreen Filter.

    I hope this can be used as a workaround for your issue.

  • 2020-11-30 02:14

    Here is a good explanation of how to turn off SmartScreen:
    - Windows SmartScreen - Turn On or Off in Windows 8
    - Uncheck option in Folder Options

    What I used and what worked for me? It was "option one" from the first link:

    1. Open the Control Panel (icons view), and click/tap on the Action Center icon.
    2. In the left pane of Action Center, click/tap on the Change Windows SmartScreen settings link.
    3. If prompted by UAC, then click/tap on Yes.
    4. Select (dot) the option for how you want Windows SmartScreen to handle unrecognized programs, then click/tap on OK.
      NOTE: The default option is to Get administrator approval before running an unrecognized app from the internet.
    5. When finished, you can close the Action Center if you like.

    I hope that this is what you were looking for. :)

  • 2020-11-30 02:22

    I have found a really easy way to bypass the filter even without admin privileges. What you need to do is:

    1. Open Notepad
    2. Type in the following line: @%*
    3. Save the file as "SkipSmartScreen.bat" (yes, with the quotes) in the same folder as your app. You can rename the batch file later
    4. To launch your app, drag your exe on to the batch file

    This will then bypass the SmartScreen Filter.

    Tested on Windows 10 Home, Pro, and Enterprise, and Windows 8 Pro.

    How it works:

    • @ - This is just for looks, it hides the name of the command being executed
    • %* - This expands to all command line arguments passed (e.g. the file you dropped on the batch file)
    • The whole thing: It executes the file through the batch file as if it was a line in the batch file. For some reason, Windows does not do any check on files which are executed from a batch file.
  • 2020-11-30 02:28

    To quote from MSDN's website:

    Detractors may claim that SmartScreen is “forcing” developers to spend money on certificates. It should be stressed that EV code signing certificates are not required to build or maintain reputation with SmartScreen. Files signed with standard code signing certificates and even unsigned files continue to build reputation as they have since Application Reputation was introduced in IE9 last year. However, the presence of an EV code signing certificate is a strong indicator that the file was signed by an entity that has passed a rigorous validation process and was signed with hardware which allows our systems to establish reputation for that entity more quickly than unsigned or non-EV code signed programs.

    In other words, EV (paid) validation is just one factor in a large algorithm that determines whether the SmartScreen warning is displayed or not. If you have a lot of people that download your program, or if your program download link has not changed in a while, with some work you can get your program not to show the warning. Also, by digitally signing your code, you can increase your Application Reputation. This is straight from Microsoft's webpage on the topic.

  • 2020-11-30 02:32

    Using a 90-day trial of Windows 8 from Microsoft, I've been able to verify that my workaround does indeed work. If you want to pay for a code signing certificate once and only once instead of paying annual fees, this method should work for you as well, but I can't make any guarantees. My solution is per-machine, but should be easy to convert to work per-user.

    This is my solution:

    1. Set up your own certificate infrastructure.
    2. Publish copies of your root CA certificate, any intermediate CA certificates issued by your root, and any code signing certificates issued by your intermediate CAs to your website as .cer files.
    3. Install an SSL certificate on your website that was issued by your Root CA.
    4. Create an installer/downloader application that performs the following tasks:
      • Installs the root CA certificate (from your website, step 2) into the Trusted Root Certification Authorities store for the end user's machine.
      • Disables SmartScreen Filter for the Trusted Sites internet zone by setting HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!2301 to 0.
      • Adds your website to the zone map by adding the registry key(s) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\yourdomain.com\yoursubdomain.
      • Maps your domain to the Trusted Sites zone by creating a DWORD named https with a value of 2 in the key created in the previous step.
    5. Purchase a code signing certificate from a member of Microsoft's Trusted Root program, preferably an EV certificate.
      • Before your purchase, make sure the certificate and timestamping scheme used by the CA for your code signing certificate will not result in OIDs 1.3.6.1.4.1.311.10.3.13 or 1.3.6.1.4.1.311.10.3.14, as these would make the signature expire when the certificate expires, whether it's timestamped or not.
    6. Sign and timestamp your downloader/installer with the certificate purchased in step 5. Verify the absence of lifetime limitations on the signature. If everything is ok, you can put your purchased code signing certificate in a safe place and lock it away.
    7. Publish your downloader/installer program to your website. Make it a pre-requisite download for all your products.
    8. From this point on, you can use code signing certificates (and other certificates, for that matter) issued by your own internal certificate authorities without SmartScreen Filter being a nuisance.

    The worst warning I’ve received using this method so far has been “This type of file could harm your computer.” That's the typical "You're downloading an executable file!" warning. It doesn’t hide the Run option and does not appear for ClickOnce deployments using the bootstrap webpage generated by clicking “Publish” in VS2010.

    Thanks for all the comments and links.

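The installer in step 4 of the last answer changes machine-wide trust settings, so an administrator may want to see whether a given machine carries them. The following read-only audit is an added example, not code from the answer; it uses the registry locations the answer quotes and reports the stored values without interpreting them, and the baseline thumbprint list is an assumption (thumbprints recorded on a known-good machine).

```powershell
# Added example: read-only audit for the machine-wide changes listed in step 4.
# Registry paths and value names are the ones quoted in the answer.
function Get-SmartScreenTrustFindings {
    param(
        # Assumption: root thumbprints recorded on a known-good machine.
        [string[]]$BaselineRootThumbprints = @()
    )
    $inet = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
    $findings = @()

    # Zones\2 (Trusted Sites), value 2301: the answer's installer writes 0 here.
    $zone2 = Get-ItemProperty -Path "$inet\Zones\2" -Name '2301' -ErrorAction SilentlyContinue
    if ($null -ne $zone2) {
        $findings += [pscustomobject]@{
            Check  = 'Zones\2!2301'
            Detail = "current value $($zone2.'2301') (the answer's installer writes 0)"
        }
    }

    # ZoneMap\Domains: scheme values (for example https) mapped to zone 2.
    $domains = "$inet\ZoneMap\Domains"
    if (Test-Path -Path $domains) {
        foreach ($key in Get-ChildItem -Path $domains -Recurse -ErrorAction SilentlyContinue) {
            foreach ($name in $key.GetValueNames()) {
                if ($key.GetValueKind($name) -eq 'DWord' -and $key.GetValue($name) -eq 2) {
                    $site = $key.Name.Substring($key.Name.IndexOf('\Domains\') + 9)
                    $findings += [pscustomobject]@{
                        Check  = 'ZoneMap'
                        Detail = "$name on $site is mapped to Trusted Sites"
                    }
                }
            }
        }
    }

    # Trusted Root store: roots absent from the baseline (skipped without one).
    if ($BaselineRootThumbprints.Count -gt 0) {
        foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\Root) {
            if ($BaselineRootThumbprints -notcontains $cert.Thumbprint) {
                $findings += [pscustomobject]@{
                    Check  = 'Root store'
                    Detail = "$($cert.Subject) [$($cert.Thumbprint)]"
                }
            }
        }
    }
    $findings
}

Get-SmartScreenTrustFindings | Format-Table -AutoSize -Wrap
```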
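Step 6 of the last answer says to verify that the signature carries no lifetime limitation. One way to do that check is shown below as an added example, not part of the original answer: it reads the signer certificate's enhanced key usage list and reports whether either of the two OIDs named in step 5 is present. The function name is hypothetical, and the final line simply runs it over every .exe in the current directory.

```powershell
# Added example: look for the two EKU OIDs named in step 5 on a file's
# Authenticode signer certificate.
function Test-SignatureLifetimeOid {
    param([Parameter(Mandatory)][string]$Path)

    # OIDs taken from the answer; both are treated as disqualifying there.
    $flagged = '1.3.6.1.4.1.311.10.3.13', '1.3.6.1.4.1.311.10.3.14'
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate

    # Collect every EKU OID on the signing certificate (none if unsigned).
    $ekus = @()
    if ($null -ne $cert) {
        foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                $ekus += $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
            }
        }
    }

    [pscustomobject]@{
        Path        = $Path
        Status      = $sig.Status
        Timestamped = $null -ne $sig.TimeStamperCertificate
        Signer      = if ($null -ne $cert) { $cert.Subject } else { $null }
        NotAfter    = if ($null -ne $cert) { $cert.NotAfter } else { $null }
        FlaggedOids = @($ekus | Where-Object { $flagged -contains $_ })
    }
}

Get-ChildItem -Path . -Filter *.exe |
    ForEach-Object { Test-SignatureLifetimeOid -Path $_.FullName } |
    Format-List
```

An empty FlaggedOids list together with Timestamped set to True is the result step 6 is looking for.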