如何避免“Windows Defender SmartScreen 阻止无法识别的应用程序启动警告" [英] How to avoid the "Windows Defender SmartScreen prevented an unrecognized app from starting warning"
问题描述
我的公司通过我们的网站向客户分发安装程序.最近,当我通过网站下载并尝试运行安装程序时,我收到警告消息:
My company distributes an installer to customers via our website. Recently when I download via the website and try to run the installer I get the warning message:
Windows 保护您的 PC
Windows protected your PC
Windows Defender SmartScreen 阻止了无法识别的应用程序从一开始.运行此应用程序可能会使您的 PC 处于风险.
Windows Defender SmartScreen prevented an unrecognized app from starting. Running this app might put your PC at risk.
如果我右键单击安装程序并选择属性,我会注意到以下内容:
If I right-click on the installer and choose Properties I note the following:
我们的安装程序已签名.
Our installer is signed.
如何找到 Windows Defender SmartScreen 警告的原因?
我没有找到任何 Windows Defender 的日志文件,也没有在事件查看器中找到任何东西.
I have not managed to find any log file for Windows Defender nor found anything in the Event Viewer.
推荐答案
如果您拥有标准的代码签名证书,则您的应用程序需要一些时间来建立信任.Microsoft 确认扩展验证 (EV) 代码签名证书允许我们跳过这段信任建立阶段.根据对于 Microsoft,扩展验证证书将使开发人员能够立即在 SmartScreen 中建立声誉.否则,用户将看到类似Windows Defender SmartScreen 阻止了无法识别的应用程序启动"的警告.运行此应用程序可能会使您的 PC 处于危险之中.",使用两个按钮:无论如何都要运行"和不要跑".
If you have a standard code signing certificate, some time will be needed for your application to build trust. Microsoft affirms that an Extended Validation (EV) Code Signing Certificate allows us to skip this period of trust-building. According to Microsoft, extended validation certificates will enable the developer to immediately establish a reputation with SmartScreen. Otherwise, the users will see a warning like "Windows Defender SmartScreen prevented an unrecognized app from starting. Running this app might put your PC at risk.", with the two buttons: "Run anyway" and "Don't run".
另一个 Microsoft 资源 声明如下(引用):虽然不是必需的,但由 EV 代码签名证书签名的程序可以立即使用 SmartScreen 声誉服务建立声誉,即使该文件或发布者之前没有声誉.EV 代码签名证书还具有唯一标识符,可以更轻松地在证书续订期间维护声誉."
Another Microsoft resource states the following (quote): "Although not required, programs signed by an EV code signing certificate can immediately establish a reputation with SmartScreen reputation services even if no prior reputation exists for that file or publisher. EV code signing certificates also have a unique identifier which makes it easier to maintain reputation across certificate renewals."
我的经验如下.自 2005 年以来,我们一直使用常规(非 EV)代码签名证书来签署带有时间戳的 .MSI、.EXE 和 .DLL 文件,直到 2018 年 SmartScreen 才出现问题,当时只有一个案例自从我们向 Beta 测试人员发布以来,我们的应用程序的 Beta 版本花了 3 天时间来建立信任.当时正处于证书有效期的中间.我不知道 SmartScreen 在我们应用程序的特定版本中可能不喜欢什么,但从那时起就没有 SmartScreen 投诉.因此,如果您的证书是非 EV,它是一个签名的应用程序(例如 .MSI 文件),它将随着时间的推移建立信任,而不是证书.例如,一个证书可以在几个月前颁发并用于对许多文件进行签名,但是对于您发布的每个签名文件,SmartScreen 可能需要几天的时间才能在发布后停止抱怨该文件,就像我们在2018.
My experience is as follows. Since 2005, we have been using regular (non-EV) code signing certificates to sign .MSI, .EXE and .DLL files with timestamps, and there has never been a problem with SmartScreen until 2018, when there was just one case when it took 3 days for a beta version of our application to build trust since we have released it to beta testers. It was in the middle of the certificate validity period. I don't know what SmartScreen might not like in that specific version of our application, but there have been no SmartScreen complaints since then. Therefore, if your certificate is a non-EV, it is a signed application (such as an .MSI file) that will build trust over time, not a certificate. For example, a certificate can be issued a few months ago and used to sign many files, but for each signed file you publish, it may take a few days for SmartScreen to stop complaining about the file after publishing, as was in our case in 2018.
总而言之,为了完全避免警告,即防止它突然发生,您需要一个扩展验证 (EV) 代码签名证书.
In conclusion, to avoid the warning altogether, i.e., prevent it from happening even suddenly, you need an Extended Validation (EV) code signing certificate.
这篇关于如何避免“Windows Defender SmartScreen 阻止无法识别的应用程序启动警告"的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
