Microsoft Defender bloks my installer and apps

Hi there.
Here my situation: I build an app with Xojo latest version on my Mac, then in a virtual machine with Windows updated to the latest version, I run innosetup to build the installer. Then I zip the installer.

So when my customers try to run the installer, a message appears “Protected pc… Windows defender stopped an unknown app. The execution can be dangerous for the pc”. And only one button is available: “Not run” (my Windows is in Italian language, so the original English message may be different).

So, I’ve searched a lot on this forum and on the web, before asking. I found old solutions that is not applicable to newer windows version. The most recent (and not very helpful) document I found is from 2017: https://scispec.ca/index.php/books/34-build-an-appx-installer-for-microsoft-store-with-xojo

That tutorial ends when I have to download and install " Windows Desktop App Converter Base Images" from this url https://www.microsoft.com/en-us/software-download/dac#! - I have a lot of errors during install, I think because of the different windows version (supported 17763 or 17134 and my installed Win is 19042).

So, anyone can help me on how to solve that problem? I think I have to create and install Microsoft certificates but how? And I’ll have to codesign the exe and the installer too, but how?

Many thanks in advance…

Is your application and installer code signed?

1 Like

Even if your app is code signed, you will run into this problem , both with Windows defender, and with a variety of so-called ‘reputation services’ built in to virus checkers.
(Essentially: we have never heard of you so we will just delete your app because we assume our customers dont know what they are doing)

For Windows Defender, there would normally be a ‘Run Anyway’ option, and sometimes you need to go through ‘More Info’ to reach it.

Some systems are so tightly tied down that even this is not available.
And you need to get the recipient to allow installs.

To fix that problem, open Windows Defender and go to App & Browser Control. Under ‘Check apps and files’, select the ‘Warn’ option instead of the ‘Block’ option.

Then you should be able to access ‘Run Anyway’

3 Likes

If this is the message your users are seeing, they can click the “More Info” link and a button will appear at the bottom allowing them to run the installer. As @kevin_g says, you should sign your app and isntaller.

image

No. How can I codesign the app and the installer? It was my question…

Ok but, I think if we want to distribuite an application, we can’t explain that to every single customer. Don’t you think?

Here’s a thread with info on that:


And another (recent)

1 Like

Ok, but I can’t explain that to every customer…

I’ve also asked that the documentation on this page be updated to include steps to codesign Windows applications:
https://documentation.xojo.com/topics/application_deployment/desktop/desktop_app_deployment.html

3 Likes

You need to purchase a MS-Windows code signing certificate and then use a tool / command line to code sign your application executable before it is added into InnoSetup and then the installer executable after it has been created by InnoSetup. I’m sure there will be various postings on the forum describing the exact steps.

NOTE. Even when code signed, your download can still be blocked until it has earned trust which I think is based on how many people have downloaded it. To avoid this problem you can purchase a more expensive EV Code Signing Certificate which normally comes with some kind of USB Dongle.

1 Like

It’s a good starting point. So I have to buy an yearly certificate, right? And then with the “signtool” I can sign my exe and installer too, right?

That’s correct.

1 Like

Heads up, EV certificates are not issued to individuals only companies.

1 Like

Sadly, you will find that you will have to.
I’ve been selling software to end users for 30 years, and it only gets harder every year.
All my stuff is code signed and notarised, and I get a question like this at least twice a week.
As soon as you sell to end users, you will find yourself having to diagnose every kind of problem they have with their machines.

1 Like

Thanks to all for now. You all make the situation a little bit more clear for me. So I’m going to buy the OV certificate (cheapest, for my projects I can’t spend 349$)…

I’ll let you know soon. I think I’ll have more doubts in the next future.

1 Like

If it’s any consolation, my Xojo tools suffer the same fate because I don’t have an EV cert. I have to explain Smart Screen at least once every month :frowning:

2 Likes

Terrible :frowning:

Time to make a company, I have an LLC now and though it’s just the two of us, it was enough to quality for an EV cert. And the EV does stop Windows from screaming too much - it just shows the name of the company and lets you continue.

1 Like

Im in the UK
I have a Limited company but its not apparently ‘good enough’ for the authorities. The paperwork they ask for is all American stuff, last time I looked.

1 Like

That sucks, maybe there’s a UK or EU-based company that might be more helpful?