Reputation?



NewsArchive
05-21-2019, 03:52 AM
So can someone explain to me why this non-code-signed install program
gets accepted just fine by Chrome and Windows 10? (Other than showing
that it's an unknown publisher, but it certainly doesn't look like an
objection.) The installed executables are also unsigned.

https://www.7-zip.org/

I downloaded the 64-bit Windows setup.
https://www.7-zip.org/a/7z1900-x64.exe


Thanks.

Jeff Slarve
www.jssoftware.com

Ones and Zeros are my Heroes

NewsArchive
05-21-2019, 03:53 AM
Hi Jeff,

I got this (see attached screenshots). The installer did not execute. But
to protect our machines, I have the "Only elevate executables that are
signed and validated" group policy enabled.

Friedrich

NewsArchive
05-22-2019, 08:40 AM
Thanks Friedrich - I guess that's not enabled by default.

Seems backwards to not have Chrome or IE complain about the
download, at least.

Jeff Slarve
www.jssoftware.com

Ones and Zeros are my Heroes

NewsArchive
05-22-2019, 08:42 AM
>So can someone explain to me why this non-codesigned install program
>gets accepted just fine by Chrome, and Windows 10? (other than showing
>that it's an unknown publisher, but it certainly doesn't look like an
>objection). The installed executables are also un-signed.
>
>https://www.7-zip.org/
>
>I downloaded the 64-bit Windows setup.
>https://www.7-zip.org/a/7z1900-x64.exe
>

Jeff,
maybe it needs some hundred uses for a code-signed program to earn a reputation
and some thousand for unsigned ones.

However, I gave up the idea of Logic in IT quite a while ago.

Regards,
Wolfgang Orth
www.odata.de

Please note:
From time to time it happens, that I overlook a reply to my postings.
Please don't be angry.
In case of an emergency, try to contact me via mail.

NewsArchive
05-22-2019, 08:42 AM
What do you mean by reputation? Is this a feature in Chrome when
downloading exes, or something else, like not triggering UAC warnings
when it's run?

--
Richard

NewsArchive
05-22-2019, 08:43 AM
Hi Richard,

> What do you mean by reputation? Is this a feature in Chrome when
> downloading exes, or something else, like not triggering UAC warnings when
> it's run?

behind the scenes, there is a complex "application reputation feature"
system (aka Windows SmartScreen Filter). IIRC, Microsoft introduced it nine
years ago. Google introduced a similar system a few years later.

Downloads are automatically assigned a reputation rating based on multiple
algorithms that consider many objective criteria, such as anti-virus and
anti-spyware results, download traffic, download history, and URL
reputation. Application downloads without established reputation result in
a warning that the file may be a risk to the computer.

You can build a reputation "per-file" (Application Reputation is assigned by
the hash of the downloaded file) or "per code-signing certificate".

Code-signing certificates allow reputation to be assigned to a single
identity ("per code-signing certificate") across multiple files. If you are
not code-signing your programs, reputation will be built independently for
each file you distribute. In contrast, code-signed programs may inherit the
reputation of your digital certificate.

Note: the problem with "per-file" reputation is that if you upload an update
of your application, you have to build a new reputation - you have to start
the reputation building process all over again.

For new "standard" code-signing certificates, you have to build a reputation
first:
http://www.lindersoft.com/forums/showthread.php?47837

EV Code-Signing Certificates (very expensive!) establish instant application
reputation with SmartScreen:
http://www.lindersoft.com/forums/showthread.php?47948

Friedrich
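An added example, not from this thread: a PowerShell check a practitioner can run against a downloaded installer to see the facts Friedrich's reputation explanation turns on: whether the file is Authenticode-signed (per-certificate reputation possible) or not (per-file, by hash, only), its SHA-256 (the per-file identity that changes with every rebuild), whether it still carries the Mark-of-the-Web that makes SmartScreen evaluate it, and whether the "Only elevate executables that are signed and validated" UAC policy is set. The path below is an assumption; the file name is only the one Jeff downloaded, used as a placeholder.

```powershell
# Added example (not code from the thread). Assumes the installer was saved
# to the default Downloads folder; adjust -Path as needed.
param(
    [string]$Path = "$env:USERPROFILE\Downloads\7z1900-x64.exe"
)

if (-not (Test-Path -LiteralPath $Path)) {
    throw "File not found: $Path"
}

# 1. Authenticode status. 'NotSigned' means reputation can only be built
#    per-file (by hash); 'Valid' means it can also accrue per-certificate.
$sig = Get-AuthenticodeSignature -FilePath $Path
Write-Host ("Signature status : {0}" -f $sig.Status)
if ($sig.SignerCertificate) {
    Write-Host ("Signer           : {0}" -f $sig.SignerCertificate.Subject)
    Write-Host ("Cert thumbprint  : {0}" -f $sig.SignerCertificate.Thumbprint)
    Write-Host ("Cert valid until : {0}" -f $sig.SignerCertificate.NotAfter)
}

# 2. Per-file identity: the hash that per-file reputation is keyed on.
#    Shipping an update produces a new hash, hence a fresh reputation.
$hash = Get-FileHash -LiteralPath $Path -Algorithm SHA256
Write-Host ("SHA-256          : {0}" -f $hash.Hash)

# 3. Mark-of-the-Web: the Zone.Identifier alternate data stream browsers
#    attach to downloads (ZoneId=3 = Internet). SmartScreen evaluates files
#    carrying it when they are launched.
$motw = Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
if ($motw) {
    Write-Host "Mark-of-the-Web  :"
    Get-Content -LiteralPath $Path -Stream Zone.Identifier | ForEach-Object { "    $_" }
} else {
    Write-Host "Mark-of-the-Web  : none (no SmartScreen check on launch)"
}

# 4. The UAC policy Friedrich enabled ("Only elevate executables that are
#    signed and validated"): 1 = enabled; value absent or 0 = off (default).
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $uacKey -Name ValidateAdminCodeSignatures -ErrorAction SilentlyContinue
$val = if ($uac) { $uac.ValidateAdminCodeSignatures } else { 0 }
Write-Host ("ValidateAdminCodeSignatures : {0}" -f $val)
```

Run it on a freshly downloaded setup.exe and again on the same file after the publisher ships an update: the signer stays constant for a signed build, while the SHA-256 always changes.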

NewsArchive
05-22-2019, 08:43 AM
> behind the scenes, there is a complex "application reputation feature" system
> (aka Windows SmartScreen Filter). IIRC, Microsoft introduced it nine years
> ago. Google introduced a similar system a few years later.
Ah, so this "reputation" is something Chrome has now. Do you think
Google are linking the data from www.virustotal.com, as it's part of
their portfolio, into their reputation calculation in Chrome?

> Downloads are automatically assigned a reputation rating based on multiple
> algorithms that consider many objective criteria, such as anti-virus and
> anti-spyware results, download traffic, download history, and URL reputation.
> Application downloads without established reputation result in a warning
> that the file may be a risk to the computer.

Kaspersky AV has something similar, but when I looked at it and played
around, on the surface it just showed how many people were using said
program in different parts of the world, and obviously whatever program
didn't have any known virus in it by virtue of it still being used.
It didn't seem that useful.

Obviously VirusTotal, SmartScreen or reputations calculated by AV
programs are still not reverse engineering files to decide if they are
malicious or not, because AV only searches for a pattern which matches
known viruses, so it's not perfect in that someone could still develop a
new virus or malicious code of sorts, and, like we saw with Stuxnet,
Kaspersky suggested it had been in the wild for at least 10 years.

Also WikiLeaks listed some programs which AV companies and others would,
I hope, consider to be malicious as well, when WL announced some of the
programs used by Govt depts like NSA/CIA.
e.g. https://wikileaks.org/vault7/#Angelfire
https://wikileaks.org/vault7/#Dumbo
https://wikileaks.org/vault7/#Brutal%20Kangaroo
and more...



> You can build a reputation "per-file" (Application Reputation is assigned by
> the hash of the downloaded file) or "per code-signing certificate".

> Code-signing certificates allow reputation to be assigned to a single
> identity ("per code-signing certificate") across multiple files. If you are
> not code-signing your programs, reputation will be built independently for
> each file you distribute. In contrast, code-signed programs may inherit the
> reputation of your digital certificate.

> Note: the problem with "per-file" reputation is that if you upload an update
> of your application, you have to build a new reputation - you have to start
> the reputation building process all over again.

> For new "standard" code-signing certificates, you have to build a reputation
> first:
> http://www.lindersoft.com/forums/showthread.php?47837

> EV Code-Signing Certificates (very expensive!) establish instant application
> reputation with SmartScreen:
> http://www.lindersoft.com/forums/showthread.php?47948


So an EV cert for least hassle, especially if you want to produce off
the shelf software for many people, but also for bespoke systems if you
don't want to annoy the customer if the installation doesn't go smoothly.

A Std Cert could cause some problems for some people when you least need
it, regardless of whether it's a bespoke system for one site or an off the
shelf system for many people anywhere in the world.

No Cert, good luck to anyone. You get what you pay for, so to speak, but
you could make a few quid if you charge for support calls, which could
then be used to buy an EV cert and reduce that repetitive behaviour.
<vbg>

I assume the code signing certs, be it Std or EV, I buy can also be used
for web servers and email servers as well, or would they be different
certs I would still need to buy?
Also I have to think, do I want all my eggs in one basket with a Std or
EV cert that doesn't expire for at least 12 months, i.e. one cert becomes a
high value target on my computer, even if I keep it in cold storage
like a USB stick when it's not in use.

Decisions, decisions. <g>

--
Richard

NewsArchive
05-22-2019, 08:43 AM
Hi Richard,

> Ah, so this "reputation" is something Chrome has now. Do you think Google
> are linking the data from www.virustotal.com, as it's part of their
> portfolio, into their reputation calculation in Chrome?

IMO, yes!!

> Kaspersky AV has something similar, but when I looked at it and played
> around, on the surface it just showed how many people were using said
> program in different parts of the world, and obviously whatever program
> didn't have any known virus in it by virtue of it still being used.
> It didn't seem that useful.

If you monitor your web logs, you'll notice that there will be something
going on after the first downloads. Various protection software vendors
start to download the files from your web again and again (sometimes
simultaneously) to get their hands on your files for "sandbox execution".

> So an EV cert for least hassle, especially if you want to produce off the
> shelf software for many people, but also for bespoke systems if you don't
> want to annoy the customer if the installation doesn't go smoothly.
>
> A Std Cert could cause some problems for some people when you least need it,
> regardless of whether it's a bespoke system for one site or an off the shelf
> system for many people anywhere in the world.
>
> No Cert, good luck to anyone. You get what you pay for, so to speak, but
> you could make a few quid if you charge for support calls, which could
> then be used to buy an EV cert and reduce that repetitive behaviour. <vbg>
>
> I assume the code signing certs, be it Std or EV, I buy can also be used for
> web servers and email servers as well, or would they be different certs I
> would still need to buy?
> Also I have to think, do I want all my eggs in one basket with a Std or EV
> cert that doesn't expire for at least 12 months, i.e. one cert becomes a high
> value target on my computer, even if I keep it in cold storage like a USB
> stick when it's not in use.
>
> Decisions, decisions. <g>

The main differences between Standard and EV certificates are that EV
certificates...

- ... are even more expensive ($628 instead of $200 for three years),

- ... require you to use a "dongle",

- ... give you instant application reputation with SmartScreen as soon as
you have received the EV certificate. With the Standard certificate, you
should build your reputation first (this takes 1-2 days if you do it right
<g>).

IMO, Std Certs are the way to go <g>.

Friedrich