loading...
Cover image for VoxPop is not malware: Microsoft Authenticode, and how it’s screwing us.

VoxPop is not malware: Microsoft Authenticode, and how it’s screwing us.

voxpopgames profile image VoxPop Games ☕️🎮🖥💻🌊 ・3 min read

Orignal Posting: https://www.voxpopgames.net/post/voxpop-is-not-malware-microsoft-authenticode-and-how-it-s-screwing-us

Hey everyone, as many of you may have experienced yourself, Windows flags VoxPop as a potentially risky file. When installing, you may get a warning that VoxPop is potentially Malware.

Still, we figured the least we could do is explain the situation.

WHAT IS AUTHENTICODE?

In order for your program to be whitelisted as safe on Windows, you need something called a Code Signing certificate. A Code Signing certificate gives your company a fingerprint, and allows Microsoft to track certain data related to it.

Specifically, Microsoft wants to know how many times that your program has been downloaded and installed. If enough people download and install your program, and none of them report problems, then you’ll be authenticated and thus whitelisted.

Sounds reasonable right? So what’s the program?

Well, the problem is that all the details of the Authenticode program are kept secret!

How many downloads do we need to get verified? No idea. What other variables is Microsoft trying to consider? No idea. Are they even receiving our data right now, or is something about the cert been implemented wrong? NO IDEA.

Meanwhile, because we aren’t whitelisted, Windows flags us as potential malware and ultimately many people are dissuaded from downloading and installing. It’s a negative feedback loop.

We at VoxPop have exactly 0 insight into the whitelisting process, and believe me, it makes us every bit as frustrated as you.

CAN YOU GET AROUND AUTHENTICODE?

The short answer is, no.

We were sold a lot of solutions of course. The most prominent solution was an EV Code Signing certificate. A lot of online articles helpfully informed us that this Extended Validation certificate would give us instant whitelist status, as opposed to forcing us to.

Of course, the company we acquired that certificate from, DigiCert, helpfully informed us it was a myth.

Not only do you STILL have to build up your Authenticode reputation even with an EV Code Signing certificate, because the details of the Authenticode algorithm are a secret, nobody can even tell us HOW much an EV Code Signing certificate helps, if at all.

Worse, because getting a new cert requires getting a new ID, and thus a new hash, it would effectively wipe all of the trust we’ve built thus far. VoxPop would be starting from scratch.

The same company representative informed us as well that Microsoft once had a manual code review service, but that it has since been discontinued.

SO WHAT DOES THAT MEAN FOR VOXPOP?

For now? Nothing. And that’s the unfortunate part.

There’s nothing we can do to remove that warning, except hope that enough people install anyway that we can eventually convince Microsoft we’re okay.

However, the good news is, that also means nothing has changed about VoxPop’s mission.

We are still committed to pushing for a better future for streamers and indie devs. We are once again dedicating 100% of our time and resources into building the best platform we can, and reaching as many people as we can.

If you want to help, maybe download our latest client yourself, and spread the word. If you already have VoxPop installed (www.signup.voxpopgames.net), thank you for doing your part. With your help, we’re still going to shake this industry!

Together.

Posted on by:

voxpopgames profile

VoxPop Games ☕️🎮🖥💻🌊

@voxpopgames

VoxPop Games is a new and exciting peer-to-peer (P2P) game distribution & development platform

Discussion

markdown guide
 

Hopefully it's a short term problem going forward!

When I worked on a desktop app in the past, we needed to sign and strong name each dll before including it in an installer. I'm not sure if that is something you already investigated or might help.

We registered files to the GAC which required that to happen, but I'm not sure if it had anything to do with the validity of the app as well.

 

So it sounds like we can help by installing this on all our machines (and report it as safe)! I look forward to the announcement when windows no longer considers this malware :)

 

Thank you for the support, Robert.

Yes, Unfortunately the way people are accustomed they fear Malware, but this entire process is dictated by Microsoft.

Our application is still in Digicert and MSFT will not provide the details for what their cap is for OS certification, so the more installs on the more Win10 devices the better!