Microsoft Defender SmartScreen is hurting independent developers

Category: IT Technology · Published: 4 years ago


Let us say you are an independent developer and it is time to publish your app to the world. To make it easier, you build an installer and start distributing it. A courageous early adopter downloads and runs it, only to be greeted by this strongly worded warning:

Windows SmartScreen blocking an executable from running

Indeed, in today’s Windows environment, Microsoft actively blocks binaries from running, thanks to “SmartScreen”.

But what is SmartScreen?

SmartScreen collects installation data from all Windows users in order to establish “reputation”. If the program does not have an established good reputation, you get this big warning message. By this time most users have already deleted the .exe, thinking it is malware, although SmartScreen can be bypassed by clicking “More info” and then “Run anyway”.

The digital signature racket

But how do you build reputation? First of all, Microsoft needs to be able to gather information on who has published the app, and this is done through a code signing certificate. The most obvious implication is that unsigned apps will always trigger SmartScreen. The more insidious implication is that acquiring a code signing certificate is a big expense for an individual developer. There is currently no “Let’s Encrypt” equivalent for code signing certificates, so you have to purchase one from a trusted certificate authority. The price range is wide, but a certificate valid for only a year will typically go for about $100.

SSL.com offers one of the “cheapest” code signing certs on the market, at $129 a year.

But let’s say you bite the bullet: you buy yourself an overpriced piece of computer-generated prime numbers, sign your code and re-publish your application. You can now start getting users to install your app, right? Wrong.
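To make the signing step concrete, here is an added PowerShell example (my own code, not from the original post and not a Microsoft-provided tool). It assumes a code signing certificate is already installed in the `Cert:\CurrentUser\My` store; the installer path `.\MyApp-Setup.exe` and the timestamp server URL are placeholders you replace with your own. It signs the installer, reports what Windows will see in the signature, and reads the Zone.Identifier stream (the “Mark of the Web” that browsers attach to downloads and that causes the SmartScreen prompt to appear at all).

```powershell
# Added example (not from the original post). Assumptions: a code signing
# certificate is installed in Cert:\CurrentUser\My; the installer path and
# timestamp server below are placeholders.

function Invoke-InstallerSigning {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Placeholder: use the RFC 3161 timestamp server your CA documents.
        [string] $TimestampServer = 'http://timestamp.digicert.com'
    )
    # Pick the first unexpired code signing certificate in the user store.
    $cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.NotAfter -gt (Get-Date) } |
        Select-Object -First 1
    if (-not $cert) {
        throw 'No unexpired code signing certificate found in Cert:\CurrentUser\My'
    }

    # Timestamping keeps the signature verifiable after the certificate expires.
    # It does not carry SmartScreen reputation across a certificate renewal.
    Set-AuthenticodeSignature -FilePath $Path -Certificate $cert `
        -HashAlgorithm SHA256 -TimestampServer $TimestampServer
}

function Test-InstallerSignature {
    # Summarise the Authenticode status exactly as Windows evaluates it.
    param([Parameter(Mandatory)] [string] $Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        File        = $Path
        Status      = $sig.Status            # Valid, NotSigned, HashMismatch, ...
        Message     = $sig.StatusMessage
        Signer      = $sig.SignerCertificate.Subject
        Issuer      = $sig.SignerCertificate.Issuer
        ExpiresOn   = $sig.SignerCertificate.NotAfter
        Timestamped = [bool] $sig.TimeStamperCertificate
    }
}

function Get-MarkOfTheWeb {
    # The SmartScreen app-reputation prompt is shown for files that carry the
    # Zone.Identifier alternate data stream (ZoneId=3 means "Internet").
    param([Parameter(Mandatory)] [string] $Path)
    try {
        Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction Stop
    } catch {
        'No Zone.Identifier stream: file is not marked as downloaded from the Internet'
    }
}

# Usage (placeholder paths):
# Invoke-InstallerSigning -Path .\MyApp-Setup.exe
# Test-InstallerSignature -Path .\MyApp-Setup.exe | Format-List
# Get-MarkOfTheWeb -Path "$env:USERPROFILE\Downloads\MyApp-Setup.exe"
```

A useful pre-release check is to run `Test-InstallerSignature` on the exact file you publish and confirm `Status` is `Valid`, `Timestamped` is `True`, and `Signer` is the publisher name you expect, since that subject is what SmartScreen ties reputation to. Reading the Zone.Identifier stream on a copy you downloaded through a browser shows the condition under which your users will see the prompt; a file copied from a USB stick or built locally has no such stream and will not trigger it, which is why local testing never reproduces the problem.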

Building reputation is a catch-22

Even with your newly digitally signed application, SmartScreen will still trigger. After all, you are an unknown new publisher, and the “building up reputation” part of SmartScreen is a complete black box. So here’s the catch-22: to build up reputation, you need people to install your software so that Microsoft collects data. To get users to install your software, they must not be greeted by a message that strongly suggests your piece of code will harm their computers.

It gets worse.

If you try to publish your piece of software with WinGet (in a nutshell: what will probably replace the Windows Store once it gets out of beta), you will get this message from Microsoft:

Microsoft WinGet considers triggering SmartScreen an “error”, and your software is classified as “malware”

In the words of Microsoft, your application is considered malware if it triggers SmartScreen. They link to a potential solution in the form of submitting your file for review through a dedicated link. If you go through this whole process, this is the response you will get:

We’ve reviewed your submission and we’ve confirmed that the submitted files are clean. Windows Defender Antivirus doesn’t report them as malware. The message you observed is a notification from Windows Defender SmartScreen indicating that the application does not have known reputation in our system. Application reputation warnings are meant to inform end users when applications do not have known positive reputation. This doesn’t mean that the application is malicious, only that it is “unknown”. Please note that users can still proceed to download and run the application. In most cases, a digitally signed application will establish reputation organically, unless something has happened to denigrate existing reputation such as being used to sign malware. We will investigate this issue further and contact you if we need additional information.

In essence: your app is clean, but we won’t do anything about the SmartScreen error. Our cloud bot overlords will decide when it is fine for you to be trusted.

And it still gets worse.

Let’s say you finally get accepted by the algorithms that be as a trusted publisher. Your certificate is about to expire and you renew it. Simple “business as usual” in the world of the Internet. In the world of Windows software, though, that means your reputation is reset back to nothing. Certificate renewal is not recognized by SmartScreen: it considers you a new publisher again, and you have to go through this painful process yet another time.

This can be mitigated by purchasing a certificate with a longer validity period, but at that point the cost simply becomes an insurmountable barrier for most independent developers.

EV Code Signing Certificates

For independent developers, this is the end of the road. For publishers, there is another solution: an Extended Validation (EV) Code Signing Certificate. Signing code with one of these will automatically bypass SmartScreen. It is reserved for corporations only and, as the name suggests, it is subject to additional background checks done by the certificate authorities.

Digicert.com, a popular CA for code signing certificates, sells them for a whopping $699 a year.

As an independent developer, a solution would be to go through the trouble of incorporating a sole proprietorship and fork out the outrageous prices that these certificates command. Of course, that isn’t a realistic endeavor for most.

“Developers, developers, developers!”


“Developers, developers, developers!” was a cry from Steve Ballmer and one of the speeches that defined him as CEO of Microsoft. These infamous words were uttered back in 2006. Fourteen years later, under Satya Nadella, Microsoft is being praised for becoming more open than ever. Ironically, it seems that Microsoft has made its Windows environment extremely hostile towards its beloved developers. A change in SmartScreen, or in the way certificates work, is needed to turn around this dire situation.
