How to Pass the Windows Defender Smartscreen Protection

How to avoid the "Windows Defender SmartScreen prevented an unrecognized app from starting" warning

If you have a standard code signing certificate, some time will be needed for your application to build trust. Microsoft affirms that an Extended Validation (EV) Code Signing Certificate allows us to skip this period of trust-building. According to Microsoft, extended validation certificates will enable the developer to immediately establish a reputation with SmartScreen. Otherwise, the users will see a warning like "Windows Defender SmartScreen prevented an unrecognized app from starting. Running this app might put your PC at risk.", with the two buttons: "Run anyway" and "Don't run".

Another Microsoft resource states the following (quote): "Although not required, programs signed by an EV code signing certificate can immediately establish a reputation with SmartScreen reputation services even if no prior reputation exists for that file or publisher. EV code signing certificates also have a unique identifier which makes it easier to maintain reputation across certificate renewals."

My experience is as follows. Since 2005, we have been using regular (non-EV) code signing certificates to sign .MSI, .EXE and .DLL files with timestamps, and there was never a problem with SmartScreen until 2018, when in just one case it took 3 days for a beta version of our application to build trust after we released it to beta testers. It was in the middle of the certificate validity period. I don't know what SmartScreen might not have liked in that specific version of our application, but there have been no SmartScreen complaints since then. Therefore, if your certificate is non-EV, it is the signed application (such as an .MSI file) that builds trust over time, not the certificate. For example, a certificate may have been issued a few months ago and used to sign many files, but for each signed file you publish, it may take a few days for SmartScreen to stop complaining about the file after publishing, as was the case for us in 2018.

We didn't submit our software to Microsoft malware analysis. Microsoft started to provide this service in 2017. It may be a viable alternative to an Extended Validation (EV) certificate.

In conclusion, to avoid the warning altogether, i.e., prevent it from happening even suddenly, you need an Extended Validation (EV) code signing certificate, and/or, you can submit your software to Microsoft malware analysis.
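The answer above relies on signing each .EXE/.MSI/.DLL with a timestamp so the signature outlives the certificate. The following PowerShell is an added example (not code from the original answer) showing how that signing step and an independent verification of the result look with the built-in Authenticode cmdlets; the artifact path, the certificate thumbprint and the timestamp server URL are placeholders you replace with your own (your CA publishes its RFC 3161 timestamp URL). signtool.exe from the Windows SDK is the usual alternative for .MSI packages.

```powershell
# Added example, not from the original post: sign a release artifact with a
# code-signing certificate from the current user's store, countersign it with an
# RFC 3161 timestamp, then re-read and verify the signature.
param(
    [string]$Path            = '.\MyApp-Setup.exe',                   # assumed artifact path
    [string]$Thumbprint      = '<YOUR-CODE-SIGNING-CERT-THUMBPRINT>',  # placeholder
    [string]$TimestampServer = 'http://<your-ca-timestamp-server>'     # placeholder: your CA's RFC 3161 URL
)

# Pick the signing certificate by thumbprint so an unrelated certificate in the
# store can never be used by accident.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) {
    throw "Code-signing certificate $Thumbprint not found in Cert:\CurrentUser\My"
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate expired on $($cert.NotAfter); renew before signing"
}

# SHA-256 file digest plus a timestamp countersignature: the timestamp is what keeps
# the signature valid after the certificate expires, which is what lets reputation
# carry over across renewals as the answer describes.
$sig = Set-AuthenticodeSignature -FilePath $Path -Certificate $cert `
    -HashAlgorithm SHA256 -TimestampServer $TimestampServer -IncludeChain All

if ($sig.Status -ne 'Valid') {
    throw "Signing failed: $($sig.Status) - $($sig.StatusMessage)"
}

# Verify from disk rather than trusting the object returned by the signing call.
$check = Get-AuthenticodeSignature -FilePath $Path
[pscustomobject]@{
    File             = Split-Path $Path -Leaf
    Status           = $check.Status
    Signer           = $check.SignerCertificate.Subject
    SignerThumbprint = $check.SignerCertificate.Thumbprint
    TimestampedBy    = $check.TimeStamperCertificate.Subject   # $null means no countersignature
    CertExpires      = $check.SignerCertificate.NotAfter
} | Format-List
```

If TimestampedBy comes back empty, the timestamp server was unreachable and the file was signed without a countersignature; re-sign rather than ship it, because that signature becomes invalid the day the certificate expires.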

How to pass the SmartScreen on Win8 when installing a signed application?

If you signed the installer with a certificate purchased from a CA, you are supposed to contact the CA for an explanation of why they failed to work with Microsoft to get rid of this warning.

If the certificate is not from a CA, but a self-signed certificate, you will have to resort to a CA.

Microsoft has already published most of the information on its Windows team blog:

https://blogs.msdn.microsoft.com/ie/2012/08/14/microsoft-smartscreen-extended-validation-ev-code-signing-certificates/

Best Practices

Developers should still follow the best practices we’ve suggested in past blog posts. We have added to that guidance the additional options of distributing apps through the Windows Store and the option of EV code signing:

  • Distribute your apps through the Windows Store

Windows 8 Applications are required to pass the Windows Store developer onboarding and application review process. Windows 8 applications are not in scope for SmartScreen application reputation checks or warnings in Windows 8.

  • Digitally sign your programs (Standard or EV code signing)

Reputation is generated and assigned to digital certificates as well as specific files. Digital certificates allow data to be aggregated and assigned to a single certificate rather than many individual programs. Although not required, programs signed by an EV code signing certificate can immediately establish reputation with SmartScreen reputation services even if no prior reputation exists for that file or publisher. EV code signing certificates also have a unique identifier which makes it easier to maintain reputation across certificate renewals. Only Authenticode Certificates issued by a CA that is a member of the Windows Root Certificate Program can establish reputation.

At this time, Symantec and DigiCert are offering EV code signing certificates.

  • Don’t sign or distribute malicious code

Distributing code detected as malicious will remove the reputation from a file and also any reputation from the associated digital certificate – even if signed with an EV code signing certificate.

  • Apply for a Windows Logo or Windows 8 Desktop App Certification

Learn more about these programs here:

  • Windows 8 Desktop App Certification (required for Windows Store submissions)
  • Windows Logo Program

Proper way of releasing software and creating an installer for it

Deployment Tool: Here is a piece on common MSI tools, and links to other, non-MSI deployment tools. The links to Stefan Kruger's site installsite.org show the full list of available tools for MSI and non-MSI. The most common tools are: WiX (open source, learning curve - hints here), Advanced Installer (great tool, lots of smarts), Installshield (market leader), and others. Have a look.

SmartScreen: Windows now features "SmartScreen" - which is a trust-based system where your binaries have to "earn reputation" through use. Essentially you need to buy an Extended Validation Certificate to "buy trust" outright (Interesting concept... Who smells a racket?):

  • How to add publisher in Installshield 2018 (About the certificate: EV code-signing certificate)
  • How to pass the Windows Defender SmartScreen Protection?

VirusTotal.com: I like to upload my binaries to VirusTotal.com. They check the binaries with a plethora of malware scanners and you can see if any scanners flag your binaries as suspicious. An important step to check both for genuine malware in your release files (happens), and also - and just as importantly - for false positives - that would otherwise cause your users problems and you a lot of support calls.

Reputation: Note that I am not sure whether uploading helps with the binaries' reputation for SmartScreen. I don't think it does - at least not in a quick way. You need an EV code-signing certificate to "buy trust" for large-scale distributions. I should add that the vetting and approval for such certificates involves verifying the company's existence (like normal certificates), but also dongles or hardware keys - I think - and hence is quite a bit of fuss to get, and hence does "prove" that the distributor must at least be well-organized.

Links:

  • Installshield Custom Dialogue Installer
  • How to avoid the "Windows Defender SmartScreen prevented an unrecognized app from starting warning"
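The answer above recommends signing every binary and checking release files for malware and false positives before publishing. As an added example (not part of the original answer), this PowerShell audits a build output folder before release: every .msi, .exe and .dll must carry a valid Authenticode signature from the expected publisher certificate plus a timestamp countersignature, and the script records each file's SHA-256 so a later VirusTotal lookup or support ticket can be matched to exactly this build. The release directory and the expected thumbprint are placeholders.

```powershell
# Added example, not from the original post: pre-release signature audit.
# Fails (exit code 1) if any release artifact is unsigned, signed by the wrong
# certificate, or signed without a timestamp countersignature.
param(
    [string]$ReleaseDir         = '.\release',                          # assumed build output folder
    [string]$ExpectedThumbprint = '<YOUR-CODE-SIGNING-CERT-THUMBPRINT>' # placeholder
)

$artifacts = Get-ChildItem -Path $ReleaseDir -Recurse -File |
    Where-Object { $_.Extension -in '.msi', '.exe', '.dll' }
if (-not $artifacts) { throw "No .msi/.exe/.dll files found under $ReleaseDir" }

$report = foreach ($f in $artifacts) {
    $sig    = Get-AuthenticodeSignature -FilePath $f.FullName
    $issues = @()

    if ($sig.Status -ne 'Valid') {
        # Covers NotSigned, HashMismatch (file modified after signing), UnknownError, ...
        $issues += "status=$($sig.Status)"
    }
    else {
        # A valid signature from some other certificate is still a release defect:
        # it may be a test cert or a leftover from a vendor-supplied DLL.
        if ($sig.SignerCertificate.Thumbprint -ne $ExpectedThumbprint) {
            $issues += "unexpected signer $($sig.SignerCertificate.Thumbprint)"
        }
        # Without a countersignature the signature dies with the certificate.
        if (-not $sig.TimeStamperCertificate) {
            $issues += 'no timestamp countersignature'
        }
    }

    [pscustomobject]@{
        File   = $f.FullName
        Sha256 = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
        Signer = $sig.SignerCertificate.Subject
        Issues = ($issues -join '; ')
    }
}

$report | Format-Table -AutoSize -Wrap

# Persist the manifest next to the release so hashes can be cross-checked later.
$report | Export-Csv -Path (Join-Path $ReleaseDir 'signature-audit.csv') -NoTypeInformation

$bad = @($report | Where-Object { $_.Issues })
if ($bad.Count -gt 0) {
    Write-Error "$($bad.Count) of $($report.Count) artifacts failed the signature audit"
    exit 1
}
Write-Host "All $($report.Count) artifacts signed, timestamped and from the expected publisher"
```

Run it as the last step of the build, before the VirusTotal upload: the CSV it writes gives you the exact hashes that were scanned and shipped, which is what you need when a scanner later flags one file as a false positive.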

How can I stop my installer from triggering Windows 10's "This app has been blocked for your protection" error?

You can improve your reputation by signing with a trusted code-signing certificate. Established businesses resolve this chicken-and-egg problem by having previously used code-signing (i.e., back when Microsoft was less draconian). The expensive way to resolve this chicken-and-egg problem is to buy an EV code-signing certificate. Assuming this blog post applies to Windows 10:

Programs signed by an EV code signing certificate can immediately establish reputation with SmartScreen reputation services even if no prior reputation exists for that file or publisher. Other factors are considered when generating reputation and determining product experiences and EV-signed programs will be closely monitored over time. We think the improvements in the vetting and security of these certificates are a great development for both users and developers.

...

The presence of an EV code signing certificate is a strong indicator that the file was signed by an entity that has passed a rigorous validation process and was signed with hardware which allows our systems to establish reputation for that entity more quickly than unsigned or non-EV code signed programs.

This is not guaranteed to work.

Running a process and getting the "Windows protected your PC" message

This feature is built to protect users. Running other "unsigned" programs can be very dangerous for users. Maybe this helps you a bit: http://blog.aha-soft.com/windows-smartscreen-prevented-an-unrecognized-app-from-running/