I have a desktop application built by InstallJammer. The application is not a problem, but when it is installed on a user's machine, the anti-virus on that machine stops the services created by my application, and so it stops communicating with my server. I need to get it whitelisted so that it won't be treated as a risk to the machine and the anti-virus won't stop it.
What I've known so far is
My questions:
Answer after I achieved all that I wanted to for this.
tl;dr;
For the people directly reading the answer:
I had an installer for Windows (built using InstallJammer) that creates Windows services on the user's machine, which frequently got blacklisted by anti-virus programs and firewalls. Also, downloading it in your browser would show a message like the picture below.
This occurs because the anti-virus software and the firewall do not recognise your code (that is, they cannot verify that it has come from a trustworthy source). Hence they attempt to block the download or blacklist the services (services because I'm referring to my application) by stopping them or not allowing them to communicate through the network.
You'll need to get your code verified (i.e. get your code digitally signed) by a code signing certificate (from here forward referred to as CSC). These certificates are provided by Certificate Authorities (from here forward referred to as CA).
Some examples of CAs are: Symantec (the one that I used, because we had our SSL certificate for the webapp from this CA), GlobalSign, DigiCert, Comodo, etc.
This page shows a pricing list of CSC from different CAs.
This is a somewhat tedious process, as it has certain standards and rules to adhere to. The process of acquiring a certificate typically takes a few days. For instance, the validation process requires faxing a copy of a license and a few utility bills to the Certificate Authority, as reasonable proof of my identity. They also validate the phone number, and there might be a need to speak to a representative. (I'm a little unsure about this process, as it was done by my client back in the USA.)
You'll need to save the certificate as a .p12 file which will then be used to sign your code.
The Microsoft SDK includes a tool (signtool.exe) that can be used to sign your code (generally located at C:\Program Files (x86)\Windows Kits\8.0\bin\x86; depending upon the version of the SDK installed, '8.0' can be different on your machine).
If you are a newb and have either not reached a point where you need automation in your process of signing files (ambiguous to signing code), or have very few files to sign (max 3 or 4), or have a lot of files to sign and are a crazy person with plenty of time, you might want to use this excellent utility provided by DigiCert that provides a really good UI (might be sarcasm) to sign and also check if your files are actually signed. Thank you DigiCert people.
Of course, the simplest process would be to check the properties of your file to see whether it contains a tab for digital signatures. Another way is to use the tools Microsoft has for checking whether your code is digitally signed; they can be found by easy googling.
The main Windows executable application that I build has quite a few binaries and executables. So I created a batch file that does the following signing and building tasks. (I've used Microsoft's SignTool to sign the files from the command line.)
P.S.: After code signing, the success or failure of your software getting whitelisted (authenticated or verified by anti-virus software and firewalls) depends upon the reputation of your certificate. This reputation is determined heuristically, and a good reputation means lower chances of your application getting blocked.
Tip for geeky people lurking out there: Try to buy a CSC subscription with the longest time period. This will help you avoid certificate rollover.
What is certificate roll over? Certificate rollover occurs when your old certificate expires and you begin signing your code with a new replacement certificate; all of your reputation that was gained against the old certificate might be hampered, and hence there may be a time lag for your new certificate to acquire a good reputation.
So for the situation where your CSC expires and you want to avoid mishaps, you might want to sign your software with a timestamp from the start. Googling about it (signing using a timestamp) will make you 5 inches smarter.
For the people, blogs and sites that helped me throughout; more details can be found on Didier Stevens's blog.
Also, a detailed explanation of all this, and of the mighty friend of all web developers, Internet Explorer's smart filter, can be found on the MSDN blog.
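
The signing, timestamping and verification steps described in the answer above, combined in one PowerShell script. This is an added example, not the batch file from the original answer; the build folder, the `.p12` path, the `CSC_PASSWORD` environment variable and the timestamp server URL are assumptions to adapt.

```powershell
# Added example: sign every .exe/.dll in a build folder with an RFC 3161
# timestamp, then confirm each file carries a valid, timestamped signature.
# Assumed names (not from the original post): $BuildDir, $PfxPath,
# the CSC_PASSWORD environment variable, and $TimestampUrl.
param(
    [string]$BuildDir     = ".\build",
    [string]$PfxPath      = ".\codesign.p12",
    [string]$SignTool     = "C:\Program Files (x86)\Windows Kits\8.0\bin\x86\signtool.exe",
    [string]$TimestampUrl = "http://timestamp.digicert.com"
)

$ErrorActionPreference = "Stop"

# Keep the certificate password out of the script and out of source control.
if (-not $env:CSC_PASSWORD) { throw "Set the CSC_PASSWORD environment variable first." }
if (-not (Test-Path $SignTool)) { throw "signtool.exe not found at $SignTool" }
if (-not (Test-Path $PfxPath))  { throw "Certificate file not found at $PfxPath" }

$files  = Get-ChildItem -Path $BuildDir -Recurse -File -Include *.exe, *.dll
$failed = @()

foreach ($f in $files) {
    # /fd and /td select SHA-256 digests; /tr requests an RFC 3161 timestamp,
    # so the signature stays verifiable after the certificate itself expires.
    & $SignTool sign /f $PfxPath /p $env:CSC_PASSWORD `
        /fd SHA256 /tr $TimestampUrl /td SHA256 $f.FullName
    if ($LASTEXITCODE -ne 0) {
        $failed += "$($f.FullName): signtool exited with $LASTEXITCODE"
        continue
    }

    # Independent check: the same information as the file's
    # "Digital Signatures" properties tab, read programmatically.
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    if ($sig.Status -ne 'Valid') {
        $failed += "$($f.FullName): signature status is $($sig.Status)"
    } elseif (-not $sig.TimeStamperCertificate) {
        $failed += "$($f.FullName): signed but not timestamped"
    }
}

if ($failed.Count -gt 0) {
    $failed | ForEach-Object { Write-Error $_ -ErrorAction Continue }
    exit 1
}
Write-Output "Signed and verified $($files.Count) file(s)."
```

Run it as a post-build step before packaging the installer, then sign the installer itself the same way so that both the download and the installed services carry the signature.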