Search Unity

  1. Welcome to the Unity Forums! Please take the time to read our Code of Conduct to familiarize yourself with the forum rules and how to post constructively.
  2. Join us on Dec 8, 2022, between 7 am & 7 pm EST, in the DOTS Dev Blitz Day 2022 - Q&A forum, Discord, and Unity3D Subreddit to learn more about DOTS directly from the Unity Developers.
    Dismiss Notice
  3. Have a look at our Games Focus blog post series which will show what Unity is doing for all game developers – now, next year, and in the future.
    Dismiss Notice

Windows 10 alert on some machines

Discussion in 'General Discussion' started by InsaneGoblin, Aug 26, 2016.

  1. InsaneGoblin

    InsaneGoblin

    Joined:
    Jun 2, 2013
    Posts:
    239
    Today I sent out the demo of my current project to several testers, and a handful returned to me with a scary image: https://s9.postimg.io/cjqo9ey1b/uhoh.png

    I know this is due to windows' overzealous defender, but is there something I can do to prevent it from happening?

    Thanks!
     
  2. APSchmidt

    APSchmidt

    Joined:
    Aug 8, 2016
    Posts:
    4,318
    No, that's Windows 10, that's it; there's nothing you can do.
     
  3. InsaneGoblin

    InsaneGoblin

    Joined:
    Jun 2, 2013
    Posts:
    239
    How is that possible? 10-15% of my users have this issue, and for some reason, using Unity's default icon lowers that number to under 3%.

    There HAS to be something I can do...
     
  4. APSchmidt

    APSchmidt

    Joined:
    Aug 8, 2016
    Posts:
    4,318
  5. InsaneGoblin

    InsaneGoblin

    Joined:
    Jun 2, 2013
    Posts:
    239
    Thanks, I'll try that
     
  6. APSchmidt

    APSchmidt

    Joined:
    Aug 8, 2016
    Posts:
    4,318
    In the meantime, tell your friends to deactivate the Smartscreen and ask them why they don't trust you and believe that you are sending them harmful code.
     
  7. InsaneGoblin

    InsaneGoblin

    Joined:
    Jun 2, 2013
    Posts:
    239
    Called microsoft. After speaking with 3 outsourced "techs", noone could tell me how to certify the app. The problem is that I cannot directly ask thousands of people to "trust" me, either they run it or not :(

    There has to be a solution...
     
  8. APSchmidt

    APSchmidt

    Joined:
    Aug 8, 2016
    Posts:
    4,318
    There is none; if people trust you, they'll dismiss what the stupid Smartscreen says; if not, well, good for them.
     
  9. ErisCaffee

    ErisCaffee

    Joined:
    Nov 26, 2014
    Posts:
    127
    I got curious about this and searched around a bit. The best info I've found so far is this StackOverflow Q&A

    http://stackoverflow.com/questions/...triggering-windows-10s-this-app-has-been-bloc

    It basically says that the only reliable way to get SmartScreen to stop blocking your installer is to have enough end users report your installer as safe - you have to build up a reputation for being safe and then you won't get blocked. Which kind of sucks for someone just starting out.

    Here's an older post (Windows 8 era) from MSDN talking about how to deal with SmartScreen.

    https://blogs.msdn.microsoft.com/vs...g-running-this-app-might-put-your-pc-at-risk/

    Essentially, it sounds like you are just going to have to convince enough users to install the app anyway in order to establish your reputation as good in the SmartScreen database.
     
    Ryiah likes this.
  10. angrypenguin

    angrypenguin

    Joined:
    Dec 29, 2011
    Posts:
    14,962
    You can't completely prevent it from happening without your program becoming widely used enough that SmartScreen learns to recognise and trust it. However, you can make that screen a heck of a lot less doom-and-gloom if you code-sign your application.

    The scariest bit of that warning screen that appears is "Unknown Publisher", and you can change that so that it says your name instead. To do this, you buy yourself a code signing certificate and sign your application before you send it to people. That encodes data into your executable that does two things:
    • Ties the application to a person. If you're willing to put your name on something saying it's safe then people are more willing to trust it.
    • Demonstrates that the data they're receiving is the same data you packaged up, ie: it hasn't been messed with somewhere in the middle.
    Code signing is a little fiddly, but it's easy enough. Certificates cost in the vicinity of $100 at the entry level, and you can look up instructions/tutorials on the commands used to perform the signing.

    This stuff is a pain, but in the long run it's a good move in terms of computer security.
     
  11. georgeq

    georgeq

    Joined:
    Mar 5, 2014
    Posts:
    632
    If you are using Unity 5.3.5f1 or previous, you can avoid this problem by simply removing the Default Icon on the Player Settings. If you have a newer version, the only workaround I know is to downgrade to 5.3.5f1.

    Unity says this is not a bug, but if this is not a bug, then why you can completely skip this problem on Unty 5.3.5 and previous?... I say and insist, this is in fact a bug, and it was introduced in version 5.3.6f1.

    Ok... You can argue whatever security reasons you like. But seriously speaking, if I had evil purposes like messing with your data or breaking your hard disk I wouldn't think in Unity as the tool for that... a Trojan horse you say?... may be, but if my main goal was to cause damage with Unity I wouldn't care for the latest features, I could do it bypassing Smart Screen completely with any Unity version prior to 5.3.6, as they are available for anyone to download.

    On the other hand, if I already have an account at the Windows Store I don't see any reason why I should be forced to buy an additional certificate, to distribute my application elsewhere... But of course that's a discussion for a Microsft's forum.

    The point here is: if Unity is intentionally forcing us to pass through Smart Screen, they also have the OBLGATION to provide a way to sign your application as safe, either by linking it to your Unity ID, or by providing your Windows Store account data, or by providing a certificate you bought. So if Unity intentional just pulled the plug without at least a warning message in the console, this an irresponsable act. If this is not intentional then it is obviously a bug. But in either case it is an error that requires Unity's attention.
     
  12. angrypenguin

    angrypenguin

    Joined:
    Dec 29, 2011
    Posts:
    14,962
    They aren't. It has nothing to do with Unity. It's a protective measure built into Windows by Microsoft which Unity has no control over.

    Which Microsoft does - see my previous post. As noted, though, it doesn't immediately remove the whole warning straight away because that would defeat the purpose of the whole system. If anyone who writes malware can just sign it and remove the warning then that's worse than not having a warning system in place.

    It's also worth noting that OS X has had this system in place for quite some time as well.

    If this is true, then my guess would be that the Unity 5.3.5 executable has been downloaded enough times without causing issues that SmartScreen recognizes it... exactly as per the explanations above.

    It is not an "error" or "bug" in Unity. Unity did not change or add anything to make this happen. Unity can not do anything to make it go away.

    • It's not about what you or I or other well intentioned people do. It's about what dodgy people do. If your code is signed then it makes it much harder for a 3rd party to inject something into it without it being noticed. That's good for you, it's good for me, it's good for our users, and it's good for security in general.
    • It's not about things being used as "tools", it's about things being used as "vectors", in the context of "infection vectors". (Not just for infections, but any kind of security breach.)
    • SmartScreen isn't about Unity, it's examines all executables downloaded to a Windows machine. If they whitelisted on the naive basis that "most" people wouldn't use something as a "tool" to do dodgy stuff then the whitelisted stuff would immediately become a really useful tool for exactly that, precisely because it's whitelisted.
     
  13. georgeq

    georgeq

    Joined:
    Mar 5, 2014
    Posts:
    632
    If Unity can not do anything to make it go away, then explain WHY if you build you game with Unity 5.3.5.f1 or previous, the problem simply goes away, and why it only occurs if you build your game with Unity 5.3.6 or latter.

    As far as I'm concerned, if you get different result from different versions then it is definitively a BUG.

    I have 2 computers, one has Windows 10 Home edition installed and the other has Window 10 pro, and I get the same result in both. download a game built with Unity 5.3.5f1: no Smart Screen, download a game built with Unity 5.3.6f1 or latter Smart Screen appears. There is definitively a change in the code that causes this different behavior, otherwise I would had been seen this Smart Screen since Unity 5.0 and I haven't until 5.3.6f1...

    Why don't you do a simple test:

    1) Build a simple project with Unity 5.3.5f1.
    2) Pack it on a ZIP file.
    3) Upload the ZIP file to a web server (itch,io or whatever)
    4) Download the ZIP file
    5) Unzip the files
    6) Run the exe file
    7) Witness Smart Screen does not appear!

    Just to make it clear, I made the version numbers bigger, underlined them and made the bold for you to notice, because nobody seems to pay attention to these "little" details.

    What I say is what I've seen in my own experience with my own eyes and on my own computer... can you say the same?... or are you just discarding my words just because an "expert" form Microsoft told you so?
     
    Last edited: Sep 6, 2016
  14. angrypenguin

    angrypenguin

    Joined:
    Dec 29, 2011
    Posts:
    14,962
    Your big text and ironic accusations don't change the fact that your questions are already answered if you only take the time to understand what's going on.

    Nobody from Microsoft told me any of what I shared above. I learned it by doing my own research and from experience of successfully releasing many applications over many platforms over the course of many years, to many PCs and devices in addition to my own. As things changed over time that necessarily meant learning about code signing and the effect it has on my users and players, which I've shared above for the benefit of whomever it may help.
     
  15. ArachnidAnimal

    ArachnidAnimal

    Joined:
    Mar 3, 2015
    Posts:
    1,721
    I agree that the wording shown is far too overzealous. I would be cautious and scared if I saw that message displayed to me.
    "Windows protected your PC". Well, you didn't protect my PC if the APP is harmless.
    "Running this app might put your computer at risk". How do they arrive at that conclusion? They know nothing about the app, so how can they suggest that it might put your computer at risk? It makes no sense.
    Microsoft needs to rework the language used on this screen to make it less alarmist.
     
    Perrydotto likes this.
  16. ErisCaffee

    ErisCaffee

    Joined:
    Nov 26, 2014
    Posts:
    127
    I think they use the alarmist language because they know that there are far too many users out there who will run anything without a second thought. As in "Oh! This pop up message says my computer is infected with a virus, but if I click the disinfect button everything will be fixed. That's peachy!" Using over the top language is the only way to get some people's attention.
     
    Perrydotto, Kiwasi and angrypenguin like this.
  17. angrypenguin

    angrypenguin

    Joined:
    Dec 29, 2011
    Posts:
    14,962
    You're thinking about it on a case-by-case basis for an individual application, though. Microsoft and Windows (and Apple and OS X and so on and so forth) can't do that - they have to think about all executables that everyone downloads.

    An individual app may indeed be harmless. Heck, most of them are. But there's no way in advance for MS to distinguish between harmless ones and harmful ones. So, unless something is known to be safe by the SmartScreen system - by being in the whitelist or coming from a trusted source - it's considered to be potentially harmful. Not because MS necessarily think that app in particular will do something nasty, but because statistically speaking some of them will and they can't tell which ones. That's why they use the words "might" and "risk". They specifically are not saying "this application is harmful". They're saying that it might be, and that they can't tell one way or the other.

    If you got it from someone you trust then you'll probably tell it to carry on. If it's some random thing you downloaded somewhere online... well, it's meant to make you think twice about it, because once the app is running there's no telling what it might do.
     
    Socrates, ErisCaffee and Kiwasi like this.
  18. neginfinity

    neginfinity

    Joined:
    Jan 27, 2013
    Posts:
    12,162
    Windows system (well, desktop part of it) is designed with an assumption that the user is most likely an incompetent idiot. Therefore every unsigned applicaiton and every application that is signed by a "non-reputable" certificate is a risk to the computer.
     
    ErisCaffee and Kiwasi like this.
  19. Ryiah

    Ryiah

    Joined:
    Oct 11, 2012
    Posts:
    18,260
    For the average consumer are they incorrect? :p
     
    Kiwasi likes this.
  20. neginfinity

    neginfinity

    Joined:
    Jan 27, 2013
    Posts:
    12,162
    I suspect that they might be using a median average, and therefore they might be correct. However, that doesn't make annoying error messages less annoying, especially when you REALLY know what you're doing.
     
    Ryiah likes this.
  21. georgeq

    georgeq

    Joined:
    Mar 5, 2014
    Posts:
    632
    You are missing my whole point!

    The subject has changed!, this is not about security anymore, this is about 2 versions of Unity behaving differently! (sorry I couldn't make that part of the text bigger)

    If I am wrong then I am wrong, and I am man enough to admit it publicly, but you haven't proof me wrong yet, and I do feel offended by the fact that you just thought "this foolish stubborn guy knows nothing about security" and started typing your answer, when I said not a single word about security and when I provided you with enough data make you own tests.

    Why don't you download my game: https://georgeq.itch.io/tanksmash and tell me if you see the Smart Screen or not, if you are not warned then there is a bug whether it is inside Unity or inside Smart Screen itself. If you get warned then it is not a bug but something in my environment. Tell me you did see the Smart Screen after you tried running my game and I will admit I am wrong.

    Proof me wrong, and I'll admit it publicly.
     
    Last edited: Sep 6, 2016
  22. ArachnidAnimal

    ArachnidAnimal

    Joined:
    Mar 3, 2015
    Posts:
    1,721
    The main issue I have is the "Windows protected your PC" portion of it. This suggests that the App is harmful and that running the app would cause your PC to be unprotected. It's unnecessary wording. There's no reason to display that on the screen. Windows didn't do some enormous feat of protecting the PC, all it's doing is asking me if I want to run the app. It's not anymore complicated than that. If someone didn't realize that it is simply a generic message, they would not run the App and then go complain to the OP that windows needed to "protect my computer" for some reason, then the OP has to explain what the message really means. Which is exactly what appears to have happened here in this situation. So I think the message does more harm than good. This is my main gripe with the message.
     
  23. Kiwasi

    Kiwasi

    Joined:
    Dec 5, 2013
    Posts:
    16,852
    You could go the enterprise route and simply say 'You are not authorised to run this app'. That would be genuinely protecting the PC. And it would make the message in tune with the action.

    :p
     
  24. Ryiah

    Ryiah

    Joined:
    Oct 11, 2012
    Posts:
    18,260
    Or you could assume your user is not a complete idiot and use something along the lines of "Please verify that the company information below matches the information on the website you downloaded this application from".
     
  25. Kiwasi

    Kiwasi

    Joined:
    Dec 5, 2013
    Posts:
    16,852
    We are talking Windows users here... :p
     
  26. neginfinity

    neginfinity

    Joined:
    Jan 27, 2013
    Posts:
    12,162
    Murphy's law says he is and murphy's law is right by default.

    I just wish Microsoft had proper separate windows edition for advanced users without this kind of nonsense.
     
    Ryiah likes this.
  27. ErisCaffee

    ErisCaffee

    Joined:
    Nov 26, 2014
    Posts:
    127
    You don't have to be an idiot to do dumb things. One of my co-workers likes to tell a story of a time when the company he worked at had just had a security training that taught people to be wary of phishing attempts and suspicious attachments in email. As a test he sent everyone in the (small) company a message with an attachment that was really a trojan horse program he'd written that just popped up a "you've been had" message. Only one person in the company thought the attachment was suspicious. Everyone else merrily clicked away because the email seemed to be coming from someone they knew. This was a tech company where you expect people to be more computer savvy, and they had all just had security training telling them not to open suspicious attachments, and they still went ahead and did it anyway.

    Even the smartest people can be fooled.
     
    angrypenguin and Perrydotto like this.
  28. ErisCaffee

    ErisCaffee

    Joined:
    Nov 26, 2014
    Posts:
    127
    If there was an "advanced Windows" edition then everyone would want it, because almost everyone thinks they are smart enough for it.

    But another approach is simply to have the security settings configurable. Have all security turned on by default and let people turn them off if they want to. Then if someone get bitten it's his own fault.
     
    Kiwasi and angrypenguin like this.
  29. ArachnidAnimal

    ArachnidAnimal

    Joined:
    Mar 3, 2015
    Posts:
    1,721
    Most phishing stuff is very obvious. But some of it is cleverly done. One that comes to mind is a Gimp download site which has bundled GIMP with adware. Surprisingly, this is not flagged by the SmartScreen. This website is still up and running for years now. I don't want to post the link, but I almost fell victim to this. The give away was the following text on the webpage: "Transform dull photos into exciting images."
    This was the red flag for me, because this statement does not really make a whole lot of sense, but I almost fell victim to this, until I started questioning the download site. Do a search for "gimp download" and you'll see the site come up as the first search result in yahoo and google.

    Edit: It only comes up on first search result for yahoo, not google, for some reason
     
    Last edited: Sep 6, 2016
  30. Kiwasi

    Kiwasi

    Joined:
    Dec 5, 2013
    Posts:
    16,852
    That site looks more professional then the actual GIMP page.

    For me it wasn't even on the first page of results, I had to add in your phrase to find it.
     
    angrypenguin likes this.
  31. angrypenguin

    angrypenguin

    Joined:
    Dec 29, 2011
    Posts:
    14,962
    Hasn't that already been explained? There's two ways to avoid it: have your app signed by an authority who's trusted, or have your app used enough that SmartScreen recognises it as safe. One or the other of those things was true with previous versions of Unity, but isn't true with 5.3.6.

    In this thread, someone from Unity explains that some versions of Unity were signed, and also why icon files make a difference. You yourself point out executables for 5.3.6 aren't signed any more. SmartScreen also doesn't recognise the executable as safe*, so it gets flagged.

    Clearly there's an issue there with the signing, since Unity can't sign it themselves and have it work with custom icons. Is the change a "bug"? I'm inclined towards "no" myself, because I don't think we should be distributing stuff they've signed anyway, but I guess that's open to debate. I understand it's a pain any which way, but much like the retirement of native web plugins it's a change I think we'll all have to get on board with in any case.

    * I am unclear on whether this is done based on just the executable or also on other things like where it was downloaded from.
     
    Perrydotto likes this.
  32. angrypenguin

    angrypenguin

    Joined:
    Dec 29, 2011
    Posts:
    14,962
    I'm pretty sure I installed a "toolbar" (read: "browser hijacker") along with a piece of common open source software from a usually trustworthy site. I understand that they need funding to be able to work on their software, so I can't find it in me to be angry at them, but it's sure made me wary of any installer these days.
     
    Kiwasi likes this.
  33. APSchmidt

    APSchmidt

    Joined:
    Aug 8, 2016
    Posts:
    4,318
    Just disable the smart screen and the UAC and you'll have your advanced edition. ;)
     
  34. Ryiah

    Ryiah

    Joined:
    Oct 11, 2012
    Posts:
    18,260
    Or better yet find a way to slipstream in those features already disabled. :D
     
  35. georgeq

    georgeq

    Joined:
    Mar 5, 2014
    Posts:
    632
    Ok: I was wrong, sorry... nothing more to say
     
    brickshot likes this.
  36. angrypenguin

    angrypenguin

    Joined:
    Dec 29, 2011
    Posts:
    14,962
    I was probably also wrong where I suggested that SmartScreen recognised the older versions. It appears that instead they had been signed by Unity.
     
  37. yashkapani

    yashkapani

    Joined:
    Aug 27, 2015
    Posts:
    4
    So is there a solution?
     
  38. InsaneGoblin

    InsaneGoblin

    Joined:
    Jun 2, 2013
    Posts:
    239
    We kept sharing builds and eventually the alerts stopped. No active solution, just patience. Cool, huh?
     
  39. yashkapani

    yashkapani

    Joined:
    Aug 27, 2015
    Posts:
    4
    Ya it worked for us
     
  40. MadboyJames

    MadboyJames

    Joined:
    Oct 28, 2017
    Posts:
    246
    Hi, I've got a similar issue, and since I am not entirely sure how the certificates work, I'll be necroing this thread.
    I used unity to create a certificate by Edit->Project Settings->Player->click windows tab->Create. I now have the certificate in my project. I am aware that certificates need to be signed, but is the default certificate signed? does it get signed when the project builds a windows build? Is the default unity certificate enough or do I need to pay for a certificate from a certificate authority?
    Basically, I have the certificate but I am still getting the windows security warning (it also is still saying "unknown publisher" rather than the name on the certificate). Is there anything more I need to do? I don't want to tell users "yeah just trust us" if I have missed a step and the error will not eventually go away.