
zim-wiki team mailing list archive

Re: Zim Desktop Wiki 0.66 for Windows is ready to download


I contacted Microsoft about this issue and the following is their answer:
Please note, Microsoft does NOT offer whitelisting for vendor’s products.

Reputation for products offered is established by how your download is used by the Internet Explorer, Edge and the SmartScreen® Service intelligence algorithms.  Downloads are assigned a reputation rating based on many criteria, such as download traffic, download history, past anti-virus results and URL reputation.  This reputation may be based on the downloaded program or can also be assigned to the publisher, based on digital certificate information.  Downloads that are digitally signed allow a publisher’s reputation to be applied to all of their signed downloads.

All certificates, renewed as well as new, need to establish reputation. However, a renewed certificate, especially one that uses the same details as the old certificate, will gain reputation more quickly than a new one. Many signing certificates are valid for long periods, so certificate renewals are not typically very frequent.

While reputation is being gained, users are able to download and install your applications despite the message that the application is unrecognized. To do so:

   - Edge browser – View downloads - access the Hub (Favorites, reading list, history and downloads), click Downloads and then right-click on the file listed and select Run anyway.

   - IE browser - View downloads and select Run under Actions for the listed downloaded file.

Once the certificate has gained reputation, any applications signed with it will have the benefit of that reputation, so no warning will be shown to users downloading or installing the application. A certificate can be used to sign multiple applications. 

Another option you may want to explore is obtaining an EV Authenticode certificate. An application signed with an EV Authenticode certificate can immediately establish reputation with SmartScreen reputation services even if no prior reputation exists for that file or Authenticode certificate. EV code signing certificates are now being issued by Symantec, DigiCert, and GlobalSign.

The feedback tool for SmartScreen is still in place to report possible false warnings about phish or malware.  Those warnings include a link to a form to submit a report.

Application Reputation warnings are meant to inform end users when applications do not have known positive reputation. This doesn’t mean that the application is definitely malicious, only that it is “unknown”. In many cases, especially if a certificate has been renewed, reputation is gained very quickly, and doesn’t require any review or intervention.

Here are some references that may provide more information:

   - https://blogs.msdn.microsoft.com/ie/2011/03/22/smartscreen-application-reputation-building-reputation/   

   - https://blog.digicert.com/ms-smartscreen-application-reputation/   

   - https://blogs.msdn.microsoft.com/ie/2011/05/17/smartscreen-application-reputation-in-ie9/   

   - https://feedback.smartscreen.microsoft.com/smartscreenfaq.aspx


Microsoft Malware Protection Center

 From: Marcio Tibirica <marcio.tibirica@xxxxxxx>
 To: zim-wiki@xxxxxxxxxxxxxxxxxxx
 Sent: Tuesday, 9 May 2017 0:15
 Subject: Re: [Zim-wiki] Zim Desktop Wiki 0.66 for Windows is ready to download

I downloaded the installer file of desktop version and tested it for 
virus infection in two different ways.

The first test was a local scan using Windows Defender that is installed 
in my machine (Win10 32-bit).  The second test was an on-line scan with 
Kaspersky VirusDesk.

In both scans no trace of infection was found, but if I try to run the 
installer it is blocked by Windows Defender which informs the following:
Application: ZimDesktopWikiPortable_0.66.paf.exe
Supplier: Unknown Supplier

Maybe it is just a case of registering the software supplier in MS 
database? Or, maybe some information that must be embedded in the 
package? I don't know how this works.

Anyway, I have sent the suspicious installer file to the Kaspersky virus 
lab and they probably will be able to find any "harmful code", if any.

I'll keep you informed in case they send me an answer.

By the way, who is going to take over Windows package creation for next 
Zim release?



On 08/05/2017 00:47, Brendan Kidwell wrote:
> VirusTotal.com reports non-zero "probably harmless" scores for many of
> the dependencies of my Windows build process, even though I'm almost
> certain the sources of those dependencies are not tainted.
> VirusTotal.com reports that (as of today) Baidu and Bkav virus scanners
> find "harmful" code in these Zim installers. Other than abandoning all of
> my tools, I do not know how to move forward with this problem.
> Starting with this release I am no longer signing the installer
> packages, and while I believe they are free of harmful code, I can't
> promise that I am correct. You must make your own determination about
> whether you should use my packages or not.
> Special thanks to Stephen Dintaman for assistance with this build cycle.
> I have posted the Desktop and Portable installer packages, such as they
> are, on http://www.glump.net/software/zim-windows .
> The packages were built on a fresh Windows 7 64-bit virtual machine, and
> they should work on any 32-bit or 64-bit version of Windows that is
> still supported by Microsoft.
> Brendan Kidwell
> _______________________________________________
> Mailing list: https://launchpad.net/~zim-wiki
> Post to    : zim-wiki@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~zim-wiki
> More help  : https://help.launchpad.net/ListHelp
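
The thread turns on whether the installer carries an embedded Authenticode signature (Brendan's message says the 0.66 packages are not signed), since that is what lets a publisher's reputation apply to a download. As an added example that is not part of the original thread, this Python sketch checks a PE file for an embedded signature by reading the certificate table entry in its header; it reports presence only and validates nothing, and the sample bytes are constructed for the demonstration.

```python
import struct

WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # Authenticode stores a PKCS#7 SignedData blob
CERT_DIR_INDEX = 4                       # IMAGE_DIRECTORY_ENTRY_SECURITY

def authenticode_slot(pe: bytes):
    """Return None when the PE has no embedded signature, otherwise a dict
    describing its WIN_CERTIFICATE header. Presence only: nothing is verified."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a PE file (no MZ header)")
    (pe_off,) = struct.unpack_from("<I", pe, 0x3C)        # e_lfanew
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    opt = pe_off + 24                     # 4-byte signature + 20-byte COFF header
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)          # PE32 vs PE32+
    (count,) = struct.unpack_from("<I", pe, dirs - 4)     # NumberOfRvaAndSizes
    if count <= CERT_DIR_INDEX:
        return None
    # For this one directory the "address" field is a raw file offset, not an RVA.
    cert_off, cert_size = struct.unpack_from("<II", pe, dirs + 8 * CERT_DIR_INDEX)
    if cert_off == 0 or cert_size == 0:
        return None
    if cert_size < 8 or cert_off + cert_size > len(pe):
        raise ValueError("certificate table points outside the file")
    length, revision, cert_type = struct.unpack_from("<IHH", pe, cert_off)
    return {"offset": cert_off, "length": length, "revision": revision,
            "pkcs7": cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA}

def build_sample(signed: bool) -> bytes:
    """Constructed minimal PE32 headers for the demo (not a runnable program)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                                  # 96 bytes + 16 directories
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                   # NumberOfRvaAndSizes
    blob = b""
    if signed:
        # Placeholder payload, not a real PKCS#7 signature.
        blob = struct.pack("<IHH", 16, 0x0200, 0x0002) + b"\0" * 8
        struct.pack_into("<II", opt, 96 + 8 * CERT_DIR_INDEX, 312, len(blob))
    return dos + b"PE\0\0" + coff + bytes(opt) + blob

if __name__ == "__main__":
    for label in (False, True):
        print("signed sample" if label else "unsigned sample",
              "->", authenticode_slot(build_sample(label)))
```

A non-empty result means only that a signature blob is embedded; whether it is valid and chains to a trusted publisher is a separate check, which on Windows `Get-AuthenticodeSignature` or `signtool verify` performs.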


