Windows SmartScreen Problem

Posts: 12
Joined: 11-Aug-2017
# Posted on: 09-Jun-2023 11:12:25   

Good day.

Our company has Microsoft 365 licenses for all employees and all management is performed in and from the cloud, using all of Microsoft's available apps. This includes Security and Compliance via Endpoint and Defender.

Part of the baseline security and compliance policies for Windows 10/11 is that Windows SmartScreen will not allow you to install applications with an "Unknown Publisher". It actually won't even complete the download when using Edge - it does in Chrome.

This means that I can no longer run the LLBLGen Installer.

Do you have any plans to sign your installer?

Otis
LLBLGen Pro Team
Posts: 39797
Joined: 17-Aug-2003
# Posted on: 10-Jun-2023 08:37:45   

No, we don't have plans to sign the installer as we think code sign certificates are a bit of a scam as they serve no purpose (e.g. malware authors sign their code with genuine certificates so Windows uses other means to determine 'this is ok'; signing the exe has no other purpose but to satisfy arbitrary rules in virus scanners. Also, you need an EV certificate, a 'standard' one still brings up SmartScreen issues, and e.g. individual developers can't get an EV certificate, which shows how silly it all is. It's still the case that with an EV certificate you can run into SmartScreen issues due to 'lack of reputation'... Hence we decided for now not to go that route).

That said, there's a solution of course: It's an NSIS installer however, so you can unzip it with 7-Zip. Once unzipped, copy over what's unpacked except the $PLUGINSDIR to a folder of your choosing and run the installer from there. What you miss with that approach is the .llblgenproj extension assignment to the project files.

If 7-Zip is also a forbidden program by your organization, let us know, so we'll see if we can solve it in a different way.

Btw, will you be able to run the designer as it's also not signed? (Well, it has a strong name and is signed but that's also not enough nowadays)

Frans Bouma | Lead developer LLBLGen Pro
Posts: 12
Joined: 11-Aug-2017
# Posted on: 14-Jul-2023 13:48:19   

Hi Otis,

Sincere apologies for not getting back to you sooner. A whole month! Time flies when you're having fun, or working hard...

I understand the feelings about signing installers. We have to go down the same route for some of our client apps.

What about publishing it via the Windows Store? I haven't had a deep dive yet but I read that it automatically signs installers for the store. I assume you would have a similar verification process as the EV certificate though.

> That said, there's a solution of course: It's an NSIS installer however, so you can unzip it with 7-Zip. Once unzipped, copy over what's unpacked except the $PLUGINSDIR to a folder of your choosing and run the installer from there. What you miss with that approach is the .llblgenproj extension assignment to the project files.

I will try this with the next update.

> If 7-Zip is also a forbidden program by your organization, let us know, so we'll see if we can solve it in a different way.

I'm not sure, I actually haven't had a good look at the Microsoft Security/Defender baseline policy defaults properly.

> Btw, will you be able to run the designer as it's also not signed? (Well, it has a strong name and is signed but that's also not enough nowadays)

It seems to run fine once installed.

Otis
LLBLGen Pro Team
Posts: 39797
Joined: 17-Aug-2003
# Posted on: 15-Jul-2023 08:40:51   

:)

Publishing in the Windows Store requires us to give Microsoft 30% of what we earn there. So we're not going to do that. It's indeed a way to work around this issue but it also feels like Microsoft artificially created this solution for a problem they're also very happy to keep alive. :(

Frans Bouma | Lead developer LLBLGen Pro