How to avoid the "Windows Defender SmartScreen prevented an unrecognized app from starting" warning
As a vendor, you may often receive user complaints about the “Windows Defender SmartScreen prevented an unrecognized app from starting" warning whenever they download your installer.
This is common to happen if you are hosting the download kit of your application on a website (as most vendors do) - causing recurring tickets where users complain about SmartScreen.
However, this warning doesn't prevent users from installing your software, but it could make them think it's not safe to do so.
In this article, we’ll show you how to prevent SmartScreen from appearing.
Can your software still be installed if the SmartScreen warning appears?
Yes! As mentioned above, SmartScreen does not fully block your installation, and it gives you the option to continue with the installation if you click on “More info”.
However, your users may stop running your installer when they see "Running this app might put your PC at risk".
Even though they got this warning message, they are still able to install your software. Here’s a quick workaround:
- Right-click the installer
- Select “Properties”
- Check “Unblock”
- Click “OK”.
With this option, the user will also be able to install the software, but it won't go as smoothly as we'd like.
However, keep in mind that if you are having issues within your infrastructure with these kinds of scenarios, if you unblock the executable on one device, it doesn't mean it will apply across the whole infrastructure, and there's not an option to whitelist the installation using Group Policies.
It is possible that with time and many “unblocks” by the users, SmartScreen gathers the data and considers the installer safe, but it’s unsure when or whether this will happen.
Even though users can continue to install the software successfully, we want to try and avoid this warning message.
How can you prevent SmartScreen?
As a user, there is no way to influence which apps will show up on SmartScreen. There are some steps you can take as a developer to prevent SmartScreen from appearing to your users.
The reason SmartScreen shows up is because your application does not have enough reputation with Microsoft SmartScreen yet.
To build trust and gain that reputation, start by:
- Submitting your application to Microsoft for malware analysis
- Purchasing an EV code signing certificate
- Purchasing a standard code signing certificate
- Waiting for SmartScreen to detect that your installer is does not represent a threat
Submit the application for malware analysis to Microsoft
Microsoft offers a submission of a file for malware analysis to all developers. If your installer and application have been validated successfully, then the SmartScreen warning will disappear either in a short time or instantly.
SmartScreen gets all of its information from the Cloud, so to submit a request for app review you need to have a Microsoft account.
For each release of a new version of your app, you need to request a new review from Microsoft.
Purchase an EV code signing certificate
If you don't want to go through the Microsoft validation, a safe and guaranteed method to immediately and permanently get verified with SmartScreen is to buy an EV (Extended Validation) certificate. Microsoft has a list of approved certificate authorities which you can check out.
An EV certificate costs between $250 and $700 per year, but this is only issued to registered businesses. If you are an independent developer, the only way to get an EV is to have an active business license. Find more information on EV Code Signing Certificate Guidelines here.
Purchase a standard code signing certificate
If you are an independent developer and don't own an active business license, then you should go for a standard code signing certificate.
Standard code signing certificates are cheaper, costing between $100 and $500/year, and they can be used permanently on your installers.
However, when it comes to avoiding SmartScreen, this option is not instant, as it is with EV certificates; it will take some time until Microsoft takes action.
After some time, your standard code signing certificate has built up a reputation, and that's when the SmartScreen will go away.
Unfortunately, Microsoft doesn't have a published, specific timeline for approval of a standard code certificate. Unofficial numbers report somewhere between two and eight weeks.
An additional issue to consider is when your current standard code signing certificate expires and you apply for a new one. In this case, the certificate reputation will NOT automatically carry over to the new certificate. The new certificate will need to build trust with SmartScreen just as the previous one did.
To "bypass" this inconvenience, you can re-sign a previously released installer already signed with a trusted certificate with the new renewed certificate.
This means your installer will have two signatures. The original signature will continue to have trust with SmartScreen and bypass it, and the new signature will help the new certificate build up trust with Microsoft.
My suggestion is to start this exercise before your old certificate expires so that your new certificate becomes trusted before your old certificate expires.
It is also important to timestamp your signed installers. This will allow the signed installer to remain valid after the certificate itself has expired.
Wait for SmartScreen to detect that your installer does not present a threat
If your installer and application are safe, you can always choose to take no further action. Eventually, your application will gain enough trust that SmartScreen will be bypassed.
However, this can take months to achieve or thousands of downloads of your application. Also, keep in mind that if you update your application, the same amount of time or number of downloads will need to take place again.
For this reason, this is probably not the best solution to take.
As you can see, there are a few options to bypass the SmartScreen warning.
It is entirely up to you which strategy you choose, as long as you don’t leave the SmartScreen issue unsolved. This decision will have a major influence on the trust of your current and prospective users.