Will signing an executable prevent SmartScreen from warning the user?


Problem description

When users start my application for the first time they get a warning like this.


Will signing the application prevent this?

Solution

After some research using Google search using search key "windows smartscreen prevented an unrecognized app from starting", it looks like signing with a code signing certificate doesn't get rid of it immediately. Based on some of the information in the Google search results, it looks like a Microsoft database is checked (via an Internet connection) and updated with each install of your program. The reputation score for your signing certificate increases over time and eventually the SmartScreen warning goes away. Below are a few of the search results that explain this. The last one shows how to disable the SmartScreen feature although that is not recommended.

MSDN Blog
Windows SmartScreen prevented an unrecognized app from running. Running this app might put your PC at risk

Stackoverflow.com
How to pass the smart screen on Win8 when install a signed application?

How to disable
How to Disable SmartScreen Filter in Windows 8?


Signing of the application (I hope you mean signing the application to make it strong named) never modifies its behavior, at least if the application is not modified. This answers your question: it won't help you.

However, I recommend signing all your assemblies if you ever deploy them.

The purpose of signing is absolutely different. To some extent, it protects the application from modification. If some virus tries to modify the original file, the application won't be executed by the system. However, one can reverse-engineer, recompile and sign the application again, replacing the original one. The signing cannot protect from this, but it's possible to detect the trick if you store the strong name of its public key hash value separately and can compare. This signing uses public-key cryptography:
http://en.wikipedia.org/wiki/Public-key_cryptography.

Also, the strong name is used for assemblies of the Global Assembly Cache. The strong name can be considered a world-unique assembly identity. Please see:

http://en.wikipedia.org/wiki/Strong_name,
http://en.wikipedia.org/wiki/Global_Assembly_Cache,
http://msdn.microsoft.com/en-us/library/wd40t7ad.aspx,
http://msdn.microsoft.com/en-us/library/yf1d93sz.aspx.

—SA
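
The comparison described in the answer above, keeping the expected public key token separately and checking a deployed assembly against it, could look like the following PowerShell sketch (an added example, not part of the answer). `Test-StrongNamePin` and the pinned token are assumptions; the check reads the token from assembly metadata and does not itself validate the signature.

```powershell
# Added example: compare an assembly's strong-name public key token with a pinned value.
# Test-StrongNamePin is a hypothetical helper name, not a built-in cmdlet.
function Test-StrongNamePin {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][ValidatePattern('^[0-9a-fA-F]{16}$')][string]$ExpectedToken
    )
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    try {
        # Reads the identity from metadata without loading the assembly for execution.
        $name = [System.Reflection.AssemblyName]::GetAssemblyName($full)
    } catch [System.BadImageFormatException] {
        return [pscustomobject]@{ Path = $full; Token = $null; Match = $false
                                  Reason = 'Not a .NET assembly' }
    }
    $bytes = $name.GetPublicKeyToken()
    if (-not $bytes -or $bytes.Length -eq 0) {
        return [pscustomobject]@{ Path = $full; Token = $null; Match = $false
                                  Reason = 'No strong name' }
    }
    # The token is 8 bytes, conventionally written as 16 lowercase hex digits.
    $token = -join ($bytes | ForEach-Object { $_.ToString('x2') })
    $ok    = $token -eq $ExpectedToken.ToLowerInvariant()
    [pscustomobject]@{
        Path   = $full
        Token  = $token
        Match  = $ok
        Reason = if ($ok) { 'Token matches pin' } else { 'Signed with a different key' }
    }
}

# Sample run against the core library of the running PowerShell host.
# The pin is a constructed placeholder, so this call reports a mismatch;
# record the real token of your release key out of band and pass it instead.
Test-StrongNamePin -Path ([object].Assembly.Location) -ExpectedToken '0123456789abcdef'
```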


From the IE Blog archive

Desktop Apps

Desktop applications remain an important part of the Windows experience and Microsoft remains committed to the safety of the desktop experience and our users. We recognize that Internet Explorer (IE) isn’t the only way users download applications from the Internet, so Windows 8 now uses SmartScreen to perform an application reputation check the first time users launch applications that were downloaded from the Internet.

This evolution of SmartScreen from IE-only to system wide is a significant improvement for Windows users. We have seen incredible results with this feature in IE9 (more here & here). Hundreds of millions of users have avoided malware infections due to these new experiences and we’re happy to bring this protection to Windows users, regardless of browser choice. For more details on the IE9 application reputation feature and the data models read this post. For more information on security & safety features in Windows 8 (including Windows SmartScreen) read this post.

The deeper integration of SmartScreen Application Reputation also means that desktop app developers have an additional motivation to sign their code and establish reputation. We’ve talked in the past about the importance of digitally signing code for both establishing reputation and proving the authenticity of programs. I’m happy to say the development community has responded to this call to action. Since the release of SmartScreen Application Reputation in IE9 we’ve seen a 10% global increase in signed downloads, from 73% at IE9 RTM to >83% today.

As we’ve discussed in the past, SmartScreen builds reputation for both individual programs and for the certificate used to sign that code. Code signing is important to our reputation intelligence because this higher level identity allows us to build reputation across multiple programs signed by a publisher. It is also important for publishers because signed programs inherit the reputation of the certificate with which they are signed; this means every program a publisher distributes doesn’t need to build reputation individually.

EV Code Signing

Today we are announcing our support for an important advance in code signing - the availability of EV code signing Certificates. We’re also announcing that EV code signing certificates will integrate with the SmartScreen Application Reputation technology in Internet Explorer 9, Internet Explorer 10 and in Windows 8.

Microsoft has been working with the CA industry over the past year to help make EV code signing certificates available. This code signing standard has a couple of key advancements from a safety and identity perspective. First, they require a more rigorous vetting and authentication process similar to that of EV SSL certificates that are in use today. This process requires a comprehensive identity verification and authentication process for each developer. Secondly, the EV code signing certificates require the use of hardware to sign applications. This hardware requirement is an additional protection against theft or unintended use of a code signing certificate.

Programs signed by an EV code signing certificate can immediately establish reputation with SmartScreen reputation services even if no prior reputation exists for that file or publisher. Other factors are considered when generating reputation and determining product experiences and EV-signed programs will be closely monitored over time. We think the improvements in the vetting and security of these certificates are a great development for both users and developers.

Starting today, EV code signing certificates are now being issued by Symantec and DigiCert, and the integration with SmartScreen is already live (IE9, IE10 & Win8).

Detractors may claim that SmartScreen is "forcing" developers to spend money on certificates. It should be stressed that EV code signing certificates are not required to build or maintain reputation with SmartScreen. Files signed with standard code signing certificates and even unsigned files continue to build reputation as they have since Application Reputation was introduced in IE9 last year. However, the presence of an EV code signing certificate is a strong indicator that the file was signed by an entity that has passed a rigorous validation process and was signed with hardware which allows our systems to establish reputation for that entity more quickly than unsigned or non-EV code signed programs.
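
To see which of the inputs discussed above a given build carries before release, the following PowerShell sketch (an added example, not from the blog post or the answers) reports the Mark-of-the-Web zone, the Authenticode status, and whether the signer certificate asserts the CA/Browser Forum EV code signing policy OID 2.23.140.1.3. `Get-SmartScreenInputs` is an assumed helper name; the reputation verdict itself is computed by Microsoft's service and cannot be read locally.

```powershell
# Added example: collect the locally visible inputs to a SmartScreen reputation check.
# Get-SmartScreenInputs is a hypothetical helper name, not a built-in cmdlet.
function Get-SmartScreenInputs {
    param([Parameter(Mandatory)][string]$Path)

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop

    # Mark-of-the-Web: downloads get a Zone.Identifier alternate data stream.
    # ZoneId 3 is the Internet zone, i.e. "downloaded from the Internet".
    $zoneId = $null
    $motw = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier `
                        -ErrorAction SilentlyContinue
    $line = $motw | Where-Object { $_ -match '^ZoneId=\d+' } | Select-Object -First 1
    if ($line -match '^ZoneId=(\d+)') { $zoneId = [int]$Matches[1] }

    # Authenticode signature (this is not the .NET strong name).
    $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName
    $cert = $sig.SignerCertificate

    # EV code signing certificates list policy OID 2.23.140.1.3
    # in the Certificate Policies extension (2.5.29.32).
    $isEv = $false
    if ($cert) {
        $policies = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.32' }
        if ($policies) {
            $isEv = $policies.Format($false) -match '(?<![\d.])2\.23\.140\.1\.3(?![\d.])'
        }
    }

    [pscustomobject]@{
        File            = $file.Name
        ZoneId          = $zoneId       # $null means no Mark-of-the-Web
        SignatureStatus = $sig.Status   # Valid, NotSigned, HashMismatch, ...
        Signer          = if ($cert) { $cert.Subject } else { $null }
        Thumbprint      = if ($cert) { $cert.Thumbprint } else { $null }
        Timestamped     = [bool]$sig.TimeStamperCertificate
        EvPolicy        = $isEv
    }
}

# Sample run against the executable of the running PowerShell host;
# point -Path at your own installer instead.
Get-SmartScreenInputs -Path (Get-Process -Id $PID).Path | Format-List
```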

