* The Business of Software

A former community discussing the business of software, from the smallest shareware operation to Microsoft. A part of Joel on Software.

We're closed, folks!

Links:

» Business of Software FAQ
» The Business of Software Conference (held every fall, usually in Boston)
» Forum guidelines (Please read before posting!)

Moderators:

Andy Brice
Successful Software

Doug Nebeker ("Doug")

Jonathan Matthews
Creator of DeepTrawl, CloudTrawl, and LeapDoc

Nicholas Hebb
BreezeTree Software

Bob Walsh
host, Startup Success Podcast author of The Web Startup Success Guide and Micro-ISV: From Vision To Reality

Patrick McKenzie
Bingo Card Creator

Chrome - "This file is not commonly downloaded" message

Hi,

I distribute my software as a exec installer contained within a .zip.

If I download the file using Chrome I get a message:

" xxxxx is not commonly downloaded and could be dangerous"

Is there anyway to prevent this message?

Cheers
TomTomAgain Send private email
Wednesday, November 11, 2015
 
 
Why are you putting your exe installer inside a zip file? Most people have no idea what a zip file is, and it makes no difference to those that do.

And have you signed the exe installer?
Marlee Ammon Send private email
Wednesday, November 11, 2015
 
 
Some people (me included) are analysing any new installer on virustotal.com

Maybe it helps because Google is somehow involved in this service.
xmlbuddy Send private email
Thursday, November 12, 2015
 
 
Why am I putting the exe inside a zip?

Because it's a package, including some documentation, EULA, set up instructions, test data.

That's beside the point.

If I had a self-extracting .EXE would Google still warn that the file was potentially dangerous  and recommend discarding it?
TomTomAgain Send private email
Thursday, November 12, 2015
 
 
I can't give a definitive answer but an .exe inside of something else certainly can raise red flags.

Maybe software download sites still have some use, if they help prevent this message?




AC
Reluctantlyregistered Send private email
Thursday, November 12, 2015
 
 
Regarding zip:  Can't you put all the EULA, etc., inside the installer? Isn't that the point of an installer?

Regarding the message: is that coming only from Chrome, or do other browser's generate a similar message? Or is it coming from Windows?

Can you Google about it and see if code signing your application  ($$) will prevent this?
Racky Send private email
Thursday, November 12, 2015
 
 
Some guy was selling info on how to fix this some time back, not sure if it was any good.
Bring back anon Send private email
Thursday, November 12, 2015
 
 
I'm still selling it.
Philipe Bonezi Send private email
Friday, November 13, 2015
 
 
Haha! Nice. Fucking Google.
Bring back anon Send private email
Friday, November 13, 2015
 
 
I just released a public beta and I discovered a lot of people use chrome...
They get the message and since the program is for a small niche of not-advanced users, they get scared.
More, avast and probably symantec report it as a possible malware since they never saw it before, but users don't read why and get scared...
Finally, windows 8 and probably 10 report it as coming from an untrusted source so you have to double confirm...

On mac, since the app is not signed, users need to use finder, ctrl-click to open... etc etc etc....
fp615 Send private email
Saturday, November 14, 2015
 
 
>On mac, since the app is not signed, users need to use finder, ctrl-click to open... etc etc etc....

IIRC the default on Mac OS X has been not to allow people to run software unless it is either downloaded from the App store or signed using a certificate purchased from Apple.

Code signing is a bit of a racket. But, IMHO, if you are serious about your downloadable software, then you should sign it.

I have a Comodo cert for Windows (purchased from ksoftware.net) and an Apple cert for Mac (which comes with an annual developer sub).
Andy Brice Send private email
Saturday, November 14, 2015
 
 
I'm in a small niche and I'm having difficulties to find beta testers since they are mostly "facebook" users, having them download and install the software with all those warnings is really difficult.

Just 2 friends installed, but they just installed not being potential users... they commented on the gui, asking for changes that were radically divergent!

Buying a certificate now is not a smart move, unless it is very cheap...
fp615 Send private email
Monday, November 16, 2015
 
 
So ......

          Wrapped everything into a self-extracting 7Zip file.

        Bought a code-signing certificate

        Signed the new Installer

        Uploaded it to a dummy ASP.NET site hosted on Azure

        Downloaded it into Chrome.

        Warning Gone.  Rejoice.
TomTomAgain Send private email
Thursday, November 19, 2015
 
 
It is generally recommended to sign the .exe inside the download, in addition to the download.
Andy Brice Send private email
Thursday, November 19, 2015
 
 
.... Update.

Tried to download the signed EXE today.

Guess what?  The message is back.

Thanks a flipping lot Google.

Anyone got any other ideas?
TomTomAgain Send private email
Friday, November 20, 2015
 
 
A gentlemen has order my solution two days ago, but now is requesting a refund claiming that it doesn't work. I'm currently waiting for feedback how closely were my instructions followed, but anyway I still believe that it must work.
Philipe Bonezi Send private email
Friday, November 20, 2015
 
 
@Philipe Bonezi

Well it wasn't me.
TomTomAgain Send private email
Friday, November 20, 2015
 
 
I looked into this "VirusTotal" thing.  Apparently a Google subsidiary.

Anyway the offending piece of software was given a full bill of health by the online scan.

So much for corporate joined-up thinking. 

Next to try .... signing the setup.exe contained within the signed executable zip.
TomTomAgain Send private email
Friday, November 20, 2015
 
 
TL/DR;

It now works.  I have no idea why.  But I spent £hundreds on SSL certificates and spent most of last night and today trying to resolve it.

----------------------------------------------------------
Hopefully a final update.

I took my "ZIP" file and turned it into a self-extracting EXE  and bought an SSL certificate and signed the installer.  Scanned it through "VirusTotal".  Uploaded it to my site.

Still had the same damn message.

So I checked my Google WebMaster ( and Bing WebMaster ) tools. 

Everything was OK.  Under the security section Google said words to the effect of: "Everything on your site is fine.  We can see no problems or Malware". 

Bing said"Everything on your site is great.  We can see no malware or problems"

So I bought an SSL certificate and moved the whole site onto SSL.

And still the message appeared.  At which point I nearly cried.

But instead I went back into Google Web master tools.

And this time it said "Severe error on your site.  Malware or Unwanted Software detected".  But gave no details ( in fact it said "We cannot work out where the problem is" ).

BUT there was now a "Request Review" button.  So I pressed it and filled in a form saying all the things I had done, and how the site was not misleading and that we were a ISV selling software and asking what needed to be done.

And after a few hours the request was rejected ... with no explanation at all, no hint about what was wrong.

So I re-submitted with a slightly terser message.

And when I came back the security message was no longer there AND now my software downloads without the message!

So I put back the original "zip" downloads.  And they now work fine too.

So a frustrating few days.  But I am glad it is now sorted out and also I am pleased that it pushed me into getting the installer signed and moving the site to SSL which is something I had intended to do but never could quite prioritise.
TomTomAgain Send private email
Saturday, November 21, 2015
 
 
This is a breakthrough in this field (breakthrough for MISVs trying to sell downloadable software and there is no one at google who cares to show the Request Review button when you are on http) . I will definitely use your solution if mine stops to work one day ...
Philipe Bonezi Send private email
Monday, November 23, 2015
 
 

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics
 
Powered by FogBugz