Windows 10 alert on some machines

Today I sent out the demo of my current project to several testers, and a handful returned to me with a scary image: https://s9.postimg.io/cjqo9ey1b/uhoh.png

I know this is due to windows' overzealous defender, but is there something I can do to prevent it from happening?

Thanks!

 

No, that's Windows 10, that's it; there's nothing you can do.

 

How is that possible? 10-15% of my users have this issue, and for some reason, using Unity's default icon lowers that number to under 3%.

There HAS to be something I can do...

 

Contact Microsoft and thell them that your app is not harmful. Good luck!

https://support.microsoft.com/en-us/help/17443/windows-internet-explorer-smartscreen-filter-faq

 

Thanks, I'll try that

 

In the meantime, tell your friends to deactivate the Smartscreen and ask them why they don't trust you and believe that you are sending them harmful code.

 

Called microsoft. After speaking with 3 outsourced "techs", noone could tell me how to certify the app. The problem is that I cannot directly ask thousands of people to "trust" me, either they run it or not

There has to be a solution...

 

There is none; if people trust you, they'll dismiss what the stupid Smartscreen says; if not, well, good for them.

 

I got curious about this and searched around a bit. The best info I've found so far is this StackOverflow Q&A

http://stackoverflow.com/questions/...triggering-windows-10s-this-app-has-been-bloc

It basically says that the only reliable way to get SmartScreen to stop blocking your installer is to have enough end users report your installer as safe - you have to build up a reputation for being safe and then you won't get blocked. Which kind of sucks for someone just starting out.

Here's an older post (Windows 8 era) from MSDN talking about how to deal with SmartScreen.

https://blogs.msdn.microsoft.com/vs...g-running-this-app-might-put-your-pc-at-risk/

Essentially, it sounds like you are just going to have to convince enough users to install the app anyway in order to establish your reputation as good in the SmartScreen database.

 

You can't completely prevent it from happening without your program becoming widely used enough that SmartScreen learns to recognise and trust it. However, you can make that screen a heck of a lot less doom-and-gloom if you code-sign your application.

The scariest bit of that warning screen that appears is "Unknown Publisher", and you can change that so that it says your name instead. To do this, you buy yourself a code signing certificate and sign your application before you send it to people. That encodes data into your executable that does two things:

• Ties the application to a person. If you're willing to put your name on something saying it's safe then people are more willing to trust it.
• Demonstrates that the data they're receiving is the same data you packaged up, ie: it hasn't been messed with somewhere in the middle.

Code signing is a little fiddly, but it's easy enough. Certificates cost in the vicinity of $100 at the entry level, and you can look up instructions/tutorials on the commands used to perform the signing.

This stuff is a pain, but in the long run it's a good move in terms of computer security.

 

If you are using Unity 5.3.5f1 or previous, you can avoid this problem by simply removing the Default Icon on the Player Settings. If you have a newer version, the only workaround I know is to downgrade to 5.3.5f1.

Unity says this is not a bug, but if this is not a bug, then why you can completely skip this problem on Unty 5.3.5 and previous?... I say and insist, this is in fact a bug, and it was introduced in version 5.3.6f1.

Ok... You can argue whatever security reasons you like. But seriously speaking, if I had evil purposes like messing with your data or breaking your hard disk I wouldn't think in Unity as the tool for that... a Trojan horse you say?... may be, but if my main goal was to cause damage with Unity I wouldn't care for the latest features, I could do it bypassing Smart Screen completely with any Unity version prior to 5.3.6, as they are available for anyone to download.

On the other hand, if I already have an account at the Windows Store I don't see any reason why I should be forced to buy an additional certificate, to distribute my application elsewhere... But of course that's a discussion for a Microsft's forum.

The point here is: if Unity is intentionally forcing us to pass through Smart Screen, they also have the OBLGATION to provide a way to sign your application as safe, either by linking it to your Unity ID, or by providing your Windows Store account data, or by providing a certificate you bought. So if Unity intentional just pulled the plug without at least a warning message in the console, this an irresponsable act. If this is not intentional then it is obviously a bug. But in either case it is an error that requires Unity's attention.

 

They aren't. It has nothing to do with Unity. It's a protective measure built into Windows by Microsoft which Unity has no control over.

Which Microsoft does - see my previous post. As noted, though, it doesn't immediately remove the whole warning straight away because that would defeat the purpose of the whole system. If anyone who writes malware can just sign it and remove the warning then that's worse than not having a warning system in place.

It's also worth noting that OS X has had this system in place for quite some time as well.

If this is true, then my guess would be that the Unity 5.3.5 executable has been downloaded enough times without causing issues that SmartScreen recognizes it... exactly as per the explanations above.

It is not an "error" or "bug" in Unity. Unity did not change or add anything to make this happen. Unity can not do anything to make it go away.

• It's not about what you or I or other well intentioned people do. It's about what dodgy people do. If your code is signed then it makes it much harder for a 3rd party to inject something into it without it being noticed. That's good for you, it's good for me, it's good for our users, and it's good for security in general.
• It's not about things being used as "tools", it's about things being used as "vectors", in the context of "infection vectors". (Not just for infections, but any kind of security breach.)
• SmartScreen isn't about Unity, it's examines all executables downloaded to a Windows machine. If they whitelisted on the naive basis that "most" people wouldn't use something as a "tool" to do dodgy stuff then the whitelisted stuff would immediately become a really useful tool for exactly that, precisely because it's whitelisted.

 

If Unity can not do anything to make it go away, then explain WHY if you build you game with Unity 5.3.5.f1 or previous, the problem simply goes away, and why it only occurs if you build your game with Unity 5.3.6 or latter.

As far as I'm concerned, if you get different result from different versions then it is definitively a BUG.

I have 2 computers, one has Windows 10 Home edition installed and the other has Window 10 pro, and I get the same result in both. download a game built with Unity 5.3.5f1: no Smart Screen, download a game built with Unity 5.3.6f1 or latter Smart Screen appears. There is definitively a change in the code that causes this different behavior, otherwise I would had been seen this Smart Screen since Unity 5.0 and I haven't until 5.3.6f1...

Why don't you do a simple test:

1) Build a simple project with Unity 5.3.5f1.
2) Pack it on a ZIP file.
3) Upload the ZIP file to a web server (itch,io or whatever)
4) Download the ZIP file
5) Unzip the files
6) Run the exe file
7) Witness Smart Screen does not appear!

Just to make it clear, I made the version numbers bigger, underlined them and made the bold for you to notice, because nobody seems to pay attention to these "little" details.

What I say is what I've seen in my own experience with my own eyes and on my own computer... can you say the same?... or are you just discarding my words just because an "expert" form Microsoft told you so?

 

Your big text and ironic accusations don't change the fact that your questions are already answered if you only take the time to understand what's going on.

Nobody from Microsoft told me any of what I shared above. I learned it by doing my own research and from experience of successfully releasing many applications over many platforms over the course of many years, to many PCs and devices in addition to my own. As things changed over time that necessarily meant learning about code signing and the effect it has on my users and players, which I've shared above for the benefit of whomever it may help.

 

I agree that the wording shown is far too overzealous. I would be cautious and scared if I saw that message displayed to me.
"Windows protected your PC". Well, you didn't protect my PC if the APP is harmless.
"Running this app might put your computer at risk". How do they arrive at that conclusion? They know nothing about the app, so how can they suggest that it might put your computer at risk? It makes no sense.
Microsoft needs to rework the language used on this screen to make it less alarmist.

 

I think they use the alarmist language because they know that there are far too many users out there who will run anything without a second thought. As in "Oh! This pop up message says my computer is infected with a virus, but if I click the disinfect button everything will be fixed. That's peachy!" Using over the top language is the only way to get some people's attention.

 

You're thinking about it on a case-by-case basis for an individual application, though. Microsoft and Windows (and Apple and OS X and so on and so forth) can't do that - they have to think about all executables that everyone downloads.

An individual app may indeed be harmless. Heck, most of them are. But there's no way in advance for MS to distinguish between harmless ones and harmful ones. So, unless something is known to be safe by the SmartScreen system - by being in the whitelist or coming from a trusted source - it's considered to be potentially harmful. Not because MS necessarily think that app in particular will do something nasty, but because statistically speaking some of them will and they can't tell which ones. That's why they use the words "might" and "risk". They specifically are not saying "this application is harmful". They're saying that it might be, and that they can't tell one way or the other.

If you got it from someone you trust then you'll probably tell it to carry on. If it's some random thing you downloaded somewhere online... well, it's meant to make you think twice about it, because once the app is running there's no telling what it might do.

 

Windows system (well, desktop part of it) is designed with an assumption that the user is most likely an incompetent idiot. Therefore every unsigned applicaiton and every application that is signed by a "non-reputable" certificate is a risk to the computer.

 

For the average consumer are they incorrect?

 

I suspect that they might be using a median average, and therefore they might be correct. However, that doesn't make annoying error messages less annoying, especially when you REALLY know what you're doing.

 

You are missing my whole point!

The subject has changed!, this is not about security anymore, this is about 2 versions of Unity behaving differently! (sorry I couldn't make that part of the text bigger)

If I am wrong then I am wrong, and I am man enough to admit it publicly, but you haven't proof me wrong yet, and I do feel offended by the fact that you just thought "this foolish stubborn guy knows nothing about security" and started typing your answer, when I said not a single word about security and when I provided you with enough data make you own tests.

Why don't you download my game: https://georgeq.itch.io/tanksmash and tell me if you see the Smart Screen or not, if you are not warned then there is a bug whether it is inside Unity or inside Smart Screen itself. If you get warned then it is not a bug but something in my environment. Tell me you did see the Smart Screen after you tried running my game and I will admit I am wrong.

Proof me wrong, and I'll admit it publicly.

 

The main issue I have is the "Windows protected your PC" portion of it. This suggests that the App is harmful and that running the app would cause your PC to be unprotected. It's unnecessary wording. There's no reason to display that on the screen. Windows didn't do some enormous feat of protecting the PC, all it's doing is asking me if I want to run the app. It's not anymore complicated than that. If someone didn't realize that it is simply a generic message, they would not run the App and then go complain to the OP that windows needed to "protect my computer" for some reason, then the OP has to explain what the message really means. Which is exactly what appears to have happened here in this situation. So I think the message does more harm than good. This is my main gripe with the message.

 

You could go the enterprise route and simply say 'You are not authorised to run this app'. That would be genuinely protecting the PC. And it would make the message in tune with the action.

 

Or you could assume your user is not a complete idiot and use something along the lines of "Please verify that the company information below matches the information on the website you downloaded this application from".

 

We are talking Windows users here...

 

Murphy's law says he is and murphy's law is right by default.

I just wish Microsoft had proper separate windows edition for advanced users without this kind of nonsense.

 

You don't have to be an idiot to do dumb things. One of my co-workers likes to tell a story of a time when the company he worked at had just had a security training that taught people to be wary of phishing attempts and suspicious attachments in email. As a test he sent everyone in the (small) company a message with an attachment that was really a trojan horse program he'd written that just popped up a "you've been had" message. Only one person in the company thought the attachment was suspicious. Everyone else merrily clicked away because the email seemed to be coming from someone they knew. This was a tech company where you expect people to be more computer savvy, and they had all just had security training telling them not to open suspicious attachments, and they still went ahead and did it anyway.

Even the smartest people can be fooled.

 

If there was an "advanced Windows" edition then everyone would want it, because almost everyone thinks they are smart enough for it.

But another approach is simply to have the security settings configurable. Have all security turned on by default and let people turn them off if they want to. Then if someone get bitten it's his own fault.

 

Most phishing stuff is very obvious. But some of it is cleverly done. One that comes to mind is a Gimp download site which has bundled GIMP with adware. Surprisingly, this is not flagged by the SmartScreen. This website is still up and running for years now. I don't want to post the link, but I almost fell victim to this. The give away was the following text on the webpage: "Transform dull photos into exciting images."
This was the red flag for me, because this statement does not really make a whole lot of sense, but I almost fell victim to this, until I started questioning the download site. Do a search for "gimp download" and you'll see the site come up as the first search result in yahoo and google.

Edit: It only comes up on first search result for yahoo, not google, for some reason

 

That site looks more professional then the actual GIMP page.

For me it wasn't even on the first page of results, I had to add in your phrase to find it.

 

Hasn't that already been explained? There's two ways to avoid it: have your app signed by an authority who's trusted, or have your app used enough that SmartScreen recognises it as safe. One or the other of those things was true with previous versions of Unity, but isn't true with 5.3.6.

In this thread, someone from Unity explains that some versions of Unity were signed, and also why icon files make a difference. You yourself point out executables for 5.3.6 aren't signed any more. SmartScreen also doesn't recognise the executable as safe*, so it gets flagged.

Clearly there's an issue there with the signing, since Unity can't sign it themselves and have it work with custom icons. Is the change a "bug"? I'm inclined towards "no" myself, because I don't think we should be distributing stuff they've signed anyway, but I guess that's open to debate. I understand it's a pain any which way, but much like the retirement of native web plugins it's a change I think we'll all have to get on board with in any case.

* I am unclear on whether this is done based on just the executable or also on other things like where it was downloaded from.

 

I'm pretty sure I installed a "toolbar" (read: "browser hijacker") along with a piece of common open source software from a usually trustworthy site. I understand that they need funding to be able to work on their software, so I can't find it in me to be angry at them, but it's sure made me wary of any installer these days.

 

Just disable the smart screen and the UAC and you'll have your advanced edition.

 

Or better yet find a way to slipstream in those features already disabled.

 

Ok: I was wrong, sorry... nothing more to say

 

I was probably also wrong where I suggested that SmartScreen recognised the older versions. It appears that instead they had been signed by Unity.

 

So is there a solution?

 

We kept sharing builds and eventually the alerts stopped. No active solution, just patience. Cool, huh?

 

Ya it worked for us

 

Hi, I've got a similar issue, and since I am not entirely sure how the certificates work, I'll be necroing this thread.
I used unity to create a certificate by Edit->Project Settings->Player->click windows tab->Create. I now have the certificate in my project. I am aware that certificates need to be signed, but is the default certificate signed? does it get signed when the project builds a windows build? Is the default unity certificate enough or do I need to pay for a certificate from a certificate authority?
Basically, I have the certificate but I am still getting the windows security warning (it also is still saying "unknown publisher" rather than the name on the certificate). Is there anything more I need to do? I don't want to tell users "yeah just trust us" if I have missed a step and the error will not eventually go away.