False Security Issue on Urho3DPlayer in Windows

I recently tested one of my projects in Windows 10. I don’t think this occurred with 7 but I got a security pop-up saying that it was from an unknown publisher and potentially dangerous. I don’t use Windows as my daily OS. Clicking “run anyway” was fine and it ran like normal.
This isn’t the first time Windows (or an antivirus) gave false positives or a warning for stuff like this. Gmail will delete my email if I try to send the game zip to a friend (because it has an .exe in it).
Anyway, I don’t want this security pop-up to be off-putting for users (the vast majority of which are on Windows).

Is there a way to “sign” the urho3dplayer.exe to at least put “Evol Games” as the publisher on this warning? (no idea where Windows looks for that info)
Anyone else deal with this and figure something out as far as packaging? Do I need to do something different? Or just leave as is and promise the users it’s safe? :slight_smile:

That’s not the issue or the point of this thread at all. I already said I have no problem running it. Most users will click run anyway and it’s trivial to run it. The point is that it’s not “signed” and shows up as an unknown publisher which is off-putting to users.
I don’t need a workaround for the user end. I need it not to show up in the first place.

What IDE do you use?

I suspect it could be a way to motivate developers to spread M$ spyware by compiling in VS.

I don’t compile. I write the scripts in lua and point the urho3dplayer to them via the commandline.text file. IDE is geany but I could just as easily use any text editor.

I don’t think the pre-built player is compiled in VS either.

Mac has a similar thing for downloaded executables, where third-party apps are ‘soft-locked’ and the only way to open them is with ctrl-click->‘Open’, then ‘Open anyway’ for the dialogue pop-up. It implies there is no easy way to get approval (at least on old OSes, which I use). Probably… only things distributed by the app store can be opened straight up. (not completely relevant I know)

Probably similar brand-locking logic though; they crave data.

You either need to wait for MS to have received enough data (# of users) to clear your program or sign it with an EV cert.

EV certs are going to cost you, but if you sign your program with an EV cert it’ll clear smart-screen (because they strongly identify you so if you do something heinous it comes back to you).


And again with each update? M$ FOSS FUD :fu:

Oh okay this is interesting. So what I take from this is after enough users have hit run anyway and MS has that data, it’ll stop marking it like that.

This is curious though because how would MS distinguish between my project, which is just the Urho3DPlayer.exe running lua scripts VS. someone else’s?
Or, maybe enough users running Urho programs in general I guess?
So I assume you all have similar errors?

Hm yeah, I’ll do an EV cert only if I have a serious commercial product.

I should say, you all have similar errors for your users? The vast majority of my downloads are for Windows. I have data for 14,700 downloads since 2014 and it’s probably 14k+ for Windows.

Well to each their own

Close enough. It’s referred to as “organic reputation” if you need to google around to understand it. It’s a giant confusing mess, but where they downloaded it from counts too. So if MS hypothetically gave itch.io a pass as trusted (doubt it due to no curation) most everything coming from there is probably going to pass.

You can use other certs to tie the reputation, otherwise the cert is against a “fingerprint” which could very well change between versions of your program, nixing your existing reputation - though it seems uncommon.

As long as you’re not showing up as the red “malware” message. If it’s the blue message that’s not bad and to be expected. At the least complete all the metadata and sign against a generated cert to tie the reputation.

I don’t think I’ve ever not had access to an EV to sign (if I didn’t then it was something I had to tell IT to tie into the distro-script) outside of personal project junk. Of those I’ve never had a problem with things I write a WIX installer for with the UAC prompt being the only hoop, though others seem to have tons of problems. SmartScreen is weird.

Do you get the message, or your friend only? I have a little experiment: go to the exe’s properties and see if it has a checkbox about it being “blocked”.
And research self signing if you’re looking for certs

There’s no blocked properties. It’s the exact same Urho3dplayer.exe that comes in the Urho1.8 release.
My win10 install also shows a warning (have to click more info and then run anyway).
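
Added example, not part of any post in this thread and not Urho3D code: the publisher name Windows shows comes from the Authenticode signature embedded in the executable, which sits in the PE Certificate Table. The sketch below reports whether a PE file carries such a signature blob at all; it does not validate the signature or its certificate chain, and `constructed_pe` builds a header-only sample purely for the demonstration.

```python
import struct

SECURITY_DIR = 4        # IMAGE_DIRECTORY_ENTRY_SECURITY (Certificate Table)
PKCS_SIGNED_DATA = 2    # WIN_CERT_TYPE_PKCS_SIGNED_DATA, used by Authenticode

def authenticode_blob(pe: bytes):
    """Return the embedded PKCS#7 signature bytes, or None if the PE has none."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]          # e_lfanew
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe_off + 4 + 20                                   # skip 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional-header magic")
    dirs = opt + (96 if magic == 0x10B else 112)            # PE32 vs PE32+
    if struct.unpack_from("<I", pe, dirs - 4)[0] <= SECURITY_DIR:
        return None                                         # no Certificate Table slot
    # Unlike other directories, this entry holds a file offset, not an RVA.
    off, size = struct.unpack_from("<II", pe, dirs + 8 * SECURITY_DIR)
    if off == 0 or size == 0:
        return None                                         # unsigned
    if off + size > len(pe):
        raise ValueError("certificate table runs past end of file")
    length, _revision, cert_type = struct.unpack_from("<IHH", pe, off)
    if cert_type != PKCS_SIGNED_DATA or not 8 <= length <= size:
        return None
    return pe[off + 8:off + length]

def constructed_pe(signature: bytes = b"") -> bytes:
    """Constructed header-only PE32+ sample for the demo; not a real program."""
    opt = bytearray(112 + 16 * 8)                           # optional header + 16 dirs
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)                    # NumberOfRvaAndSizes
    image = bytearray(b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
                      + b"PE\0\0" + bytes(20) + opt)
    if signature:
        cert = struct.pack("<IHH", 8 + len(signature), 0x0200, 2) + signature
        struct.pack_into("<II", image, 0x40 + 24 + 112 + 8 * SECURITY_DIR,
                         len(image), len(cert))
        image += cert
    return bytes(image)

if __name__ == "__main__":
    for name, data in (("unsigned", constructed_pe()),
                       ("signed", constructed_pe(b"constructed-pkcs7"))):
        blob = authenticode_blob(data)
        print(name, "->", "no signature" if blob is None else f"{len(blob)}-byte signature")
```

To check a real build, pass the file's bytes, for example `authenticode_blob(open(path, "rb").read())`, before and after signing.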

