Yesterday, we released a new version of Pretty Good Solitaire.
Immediately after making the new version live, I tested the download as I always do. I used Edge on Windows 10, since that (along with Chrome on Windows 10) is the most common browser/OS configuration these days.
The download went normally and Edge did its security scan. Then it said the file "is not commonly downloaded and could harm your computer". When you click Run, another window comes up.
The headline in the window says "Windows protected your PC", then "Windows Defender SmartScreen prevented an unrecognized app from starting. Running this app might put your PC at risk." There is a small 'More info' link and the default "Don't run" button in the bottom right corner.
The only way to install after this is to click on the 'More Info' link, which pops up a "Run Anyway" button.
All this is very scary and very few people are probably going to install after seeing this. What is going on here?
Microsoft, in their incredible stupidity, is simply blocking the file because it hasn't been downloaded enough. Note that the security scan didn't find any viruses or malware; it is just that the file hasn't been downloaded enough times to suit Microsoft. It is a mechanism Microsoft uses to try to block malware. Except it does nothing to block malware (I doubt a single piece of malware has ever really been stopped by this); all it does is make life difficult for small developers.
I had never seen this before, so I did some searching. I found this: What is this 'FILE is not commonly downloaded', which explains it a little. Apparently SmartScreen builds a reputation for each file. Until the file has been downloaded some number of times, this message comes up. In my case, it ended up taking over a day and hundreds of downloads before the message went away.
But I wondered, why had I not seen this before? I update my files all the time.
Then there is this: Renewed Code Signing Certificate Not Trusted by SmartScreen Filter. So the system doesn't build reputation only per file; it also builds it for the digital certificate that signs the files. Each file signed by the same certificate adds to that certificate's reputation, and a new file signed by a certificate that already has reputation inherits it, which is why my regular updates never triggered the warning.
But here is the thing: certificates expire. Often in as little as a year. A renewed certificate is, as far as SmartScreen is concerned, simply a new certificate with a new key and thumbprint, so every time you renew a certificate you have to build a new reputation for it from scratch. As explained in the comments at that link, this is insanely stupid. The reputation should carry over to the renewed cert, but as also made clear in those replies, Microsoft doesn't give a damn about small developers and has no interest in changing their stupid system, even though it probably hasn't stopped a single piece of malware while damaging legitimate small developers.
So this explains why this happened to me yesterday. I had just renewed my certificate because the previous one expired, so I had to build reputation again from zero. And apparently it takes a lot of downloads (and possibly time) to do it, although Microsoft doesn't say what their criteria are, so everything is just a guess.
Fortunately, my new certificate is for 3 years, so I won't have to worry about this again until 2020. And when that happens, I have a new item on my new-certificate checklist: sign an insignificant file or two with the new cert and give them downloads until the stupid message goes away, before ever using the new cert for an important file.
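An added example, not part of the original post: a PowerShell pre-release check that reports which certificate signed an installer, how long that certificate has left (and so when SmartScreen reputation will have to be rebuilt), whether the signature is timestamped, and whether the file carries the Zone.Identifier "mark of the web" stream that makes Windows send a downloaded file through SmartScreen on launch. The path and the previous certificate's thumbprint are placeholders, not real release values.

```powershell
# Added example, not part of the original post. Pre-release check for a signed
# installer: which certificate signed it, when that certificate expires, whether
# the signature is timestamped, and whether the file carries a Zone.Identifier
# stream. $Path and $PreviousThumbprint are placeholders, not real release values.
param(
    [string]$Path = '.\setup.exe',
    [string]$PreviousThumbprint = ''   # thumbprint of the cert used for the last release, if known
)

function Test-ReleaseSignature {
    param([string]$FilePath, [string]$KnownThumbprint)

    $sig = Get-AuthenticodeSignature -FilePath $FilePath
    if ($sig.Status -ne 'Valid') {
        Write-Warning ("Signature status is '{0}': {1}" -f $sig.Status, $sig.StatusMessage)
    }

    $cert = $sig.SignerCertificate
    if (-not $cert) { return }

    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    $report = [pscustomobject]@{
        File        = $FilePath
        Subject     = $cert.Subject
        Thumbprint  = $cert.Thumbprint
        NotAfter    = $cert.NotAfter
        DaysLeft    = $daysLeft
        Timestamped = [bool]$sig.TimeStamperCertificate
    }

    # A renewed certificate is a new certificate with a new thumbprint. If it
    # differs from the one used for the last release, expect the "not commonly
    # downloaded" warning until the new certificate has earned its own reputation.
    if ($KnownThumbprint -and $cert.Thumbprint -ne $KnownThumbprint) {
        Write-Warning 'Signed with a different certificate than the previous release; SmartScreen reputation starts from zero.'
    }
    if ($daysLeft -lt 60) {
        Write-Warning "Signing certificate expires in $daysLeft days; start warming up the renewed certificate now."
    }
    # Without a timestamp the signature itself stops validating once the
    # certificate expires, on top of the reputation problem.
    if (-not $report.Timestamped) {
        Write-Warning 'Signature is not timestamped.'
    }
    $report
}

function Get-MarkOfTheWeb {
    param([string]$FilePath)
    # Browsers add a Zone.Identifier alternate data stream (ZoneId=3, Internet
    # zone) to downloads; its presence is what makes Windows run the file through
    # SmartScreen on launch. A freshly built local file has no such stream.
    Get-Content -Path $FilePath -Stream Zone.Identifier -ErrorAction SilentlyContinue
}

Test-ReleaseSignature -FilePath $Path -KnownThumbprint $PreviousThumbprint
$motw = Get-MarkOfTheWeb -FilePath $Path
if ($motw) { 'Zone.Identifier stream present:'; $motw } else { 'No Zone.Identifier stream on this file.' }
```

Run it against the installer you are about to upload, and again against a copy downloaded through the browser; the first tells you whether the release is signed with a certificate that already has reputation, the second confirms the downloaded copy is the one SmartScreen will actually evaluate.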
Anyway, happy downloading now that things are back to normal.
Unfortunately things will likely get worse with "Windows S". That will block all downloads except from the Microsoft Windows Store, further damaging the marketplace for small, independent developers that don't want to pay the "store tax".
Posted by: M McCulloch | March 08, 2018 at 03:09 PM
True. However, Windows 10 S as a standalone OS has already failed:
http://www.digitaljournal.com/tech-and-science/technology/microsoft-confirms-the-demise-of-windows-10-s/article/516704
Posted by: Gregg Seelhoff | March 10, 2018 at 04:28 AM