security - Whitelist my desktop application in user's machine
I have a desktop application built with InstallJammer. The application is not a problem when installed on a user's machine, but the anti-virus on the user's machine stops the services created by the application and stops it communicating with the server. I need it whitelisted so that it won't be treated as a risk to the machine and the anti-virus won't stop it.
What I've known so far is:
- Adding a 'publisher' to the application may get it treated as not risky; the process has steps for authenticating the application with a certificate. (Though I don't know if this is correct. I've referred to this link.)
- Googling, I found anti-virus sites asking me to register my application there.
My questions:
- Will adding a 'publisher' serve the purpose? If yes, how do I whitelist my application?
- If the above option doesn't work, do I need to get it whitelisted with each and every anti-virus software product?
Answering this after I achieved what I wanted.
TL;DR
For people directly reading the answer:
I had an installer for Windows (built using InstallJammer) which creates Windows services on the user's machine, and it got blacklisted by anti-virus programs and the firewall. Downloading it in a browser would show a message like the picture below.
Why did this occur:
This occurs because anti-virus software and the firewall do not recognise the code (that is, they cannot verify that it has come from a trustworthy source). Hence they attempt to block the download, or blacklist the services (services because I'm referring to my application) by stopping them or not allowing them to communicate through the network.
Solution:
You'll need to get your code verified (i.e. the code digitally signed) with a code signing certificate (from here forward referred to as CSC). These certificates are provided by certificate authorities (from here forward referred to as CA).
Some examples of CAs: Symantec (the one used, because we had our SSL certificate for the webapp from this CA), GlobalSign, DigiCert, Comodo, etc.
This page shows the pricing list of CSCs from different CAs.
The process to get the certificate:
This is a bit of a tedious process, as it has standards and rules to adhere to. The process of acquiring the certificate typically takes a few days. For instance, the validation process requires you to fax a copy of your license and a few utility bills to the certificate authority, as reasonable proof of identity. They validate your phone number, and there you might need to speak to a representative. (I'm a little unsure about this process, as it was done by a client in the USA.)
After getting the CSC:
You'll need to save the certificate as a .p12 file, which is used to sign your code.
How to sign:
The Microsoft SDK includes a tool (signtool.exe) that can be used to sign your code (generally located at C:\Program Files (x86)\Windows Kits\8.0\bin\x86; depending upon the version of the SDK installed, '8.0' can be different on our machine).
If you are a newb and have either not reached the time when you need automation in the process of signing files (ambiguous with signing code), or have only a few files to sign (max 3 or 4), or have a lot of files to sign and are a crazy person with plenty of time, you might want to use this excellent utility provided by DigiCert, which provides a UI (might be sarcasm) to sign and check if files are signed. Thank you, DigiCert people.
How to check if files are signed:
Of course, the simplest process is to check the properties of the file and see whether it contains a Digital Signatures tab. The other way is that Microsoft has tools that can check if code is digitally signed, which can be found out by easy googling.
How I did code signing (automation):
My main Windows executable application build has quite a few binaries and executables. I created a batch file for the following signing and building tasks. (I've used Microsoft's signtool to sign files from the command line.)
- Asks me which environment I want to make the build for (dev, staging or production).
- Copies the files required for the build to the main folder.
- Signs the inner binaries and executables.
- Performs the InstallJammer build from the command line itself (as mentioned earlier, my application is built using InstallJammer). This outputs the final setup.exe file.
- And then setup.exe gets signed.
P.S.: After code signing, the success or failure of the software getting whitelisted (authenticated or verified by anti-virus software and the firewall) depends upon the reputation of the certificate. Reputation is determined heuristically, and a good reputation means lesser chances of the application getting blocked.
Tip for geeky people lurking out there: try to buy a CSC subscription for the longest time period. This avoids certificate rollover.
What is certificate rollover? Certificate rollover occurs when your old certificate expires and you begin signing your code with a new replacement certificate; the reputation gained against the old certificate might be hampered, and hence there may be a time lag for the new certificate to acquire reputation.
So for conditions when your CSC expires and you want to avoid mishaps, you might want to sign your software from the start using a timestamp. Googling it (signing using a timestamp) will make you 5 inches smarter.
For people, blogs and sites that helped me throughout: more details can be found on Didier Stevens's blog.
Also, a detailed explanation of the mighty friend of web developers, Internet Explorer's smart filter, can be found on the MSDN blog.
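The sign, build, sign sequence from the answer, with a timestamp added at signing time, as an added PowerShell example that is not the author's own batch file. The build paths, the CSC_PASSWORD environment variable, the choice of DigiCert's timestamp URL and build-installer.cmd are assumptions.

```powershell
# Added example, not the author's batch file. Paths, CSC_PASSWORD and
# build-installer.cmd are hypothetical placeholders.
$ErrorActionPreference = 'Stop'

$SignTool  = 'C:\Program Files (x86)\Windows Kits\8.0\bin\x86\signtool.exe'  # SDK version may differ
$CertFile  = 'C:\build\codesign.p12'          # the .p12 holding the CSC
$CertPass  = $env:CSC_PASSWORD                # password supplied by the build environment
$Timestamp = 'http://timestamp.digicert.com'  # RFC 3161 timestamp service (assumed choice)
$Staging   = 'C:\build\staging'               # folder the build files were copied into
$SetupExe  = 'C:\build\output\setup.exe'      # installer produced by the build step

function Invoke-SignAndCheck {
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($file in $Path) {
        # /fd and /td select SHA-256 digests; /tr requests the timestamp
        & $SignTool sign /f $CertFile /p $CertPass /fd SHA256 /tr $Timestamp /td SHA256 $file
        if ($LASTEXITCODE -ne 0) { throw "signing failed: $file" }

        # Fail the build if the signature does not validate or carries no timestamp
        $sig = Get-AuthenticodeSignature -FilePath $file
        if ($sig.Status -ne 'Valid') { throw "signature not valid ($($sig.Status)): $file" }
        if (-not $sig.TimeStamperCertificate) { throw "no timestamp on: $file" }
    }
}

# 1. Sign every inner binary and executable before it is packed.
$inner = Get-ChildItem -Path $Staging -Recurse -File -Include *.exe, *.dll |
         Select-Object -ExpandProperty FullName
if (-not $inner) { throw "nothing to sign under $Staging" }
Invoke-SignAndCheck -Path $inner

# 2. Build the installer (hypothetical wrapper around the InstallJammer command-line build).
& 'C:\build\build-installer.cmd'
if ($LASTEXITCODE -ne 0) { throw 'installer build failed' }

# 3. Sign the final setup.exe and confirm its signature and timestamp.
Invoke-SignAndCheck -Path $SetupExe
```

Get-AuthenticodeSignature reports Valid only when the build machine trusts the certificate chain, so an untrusted or expired certificate stops the build before an installer is shipped.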