
The publisher could not be verified. Are you sure you want to run this software ?

Posted on 2006-05-09
Last Modified: 2013-12-04
We run our own application through a share as follows:

     \\server\share\app.exe /cmdline

At one site we get this Windows security warning...

       'The publisher could not be verified. Are you sure you want to run this software'

Now we tried adding a version/manufacturer stamp to the exe through the C compiler - but that doesn't fix it. At the site where the warning is produced the server is in the domain, and the problem even happens when you try it from the server itself (doesn't happen when you do c:\share\app.exe but does through the share as above).

Questions.

1. How easy is it to get an EXE stamped with a digital signature
2. Any way of stopping this warning message without access to GP, and without adding the share to trusted sites on each computer ?

thanks
Paul

0
Question by:plq

12 Comments

Expert Comment

by:Dariusz Dziara
ID: 16640637
Do you mean Authenticode?

I am not sure about details but:

> 1. How easy is it to get an EXE stamped with a digital signature

There are some utility applications used in the signing procedure.
You will have to acquire a certificate from a Certification Authority like Verisign or Thawte.
In general, technically it is quite a simple procedure.

see this:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/seccrypto/security/creating_viewing_and_managing_certificates.asp

============================
http://www.mvps.org/marksxp/WindowsXP/SP2/common.php#publisher

"After downloading a program from the Internet I am shown a message saying 'The publisher could not be verified. Are you sure you want to run this software?'

This message is shown when you download an application from the Internet and the publisher of the software has not digitally signed the application. This does not necessarily mean the file is a fake or virus but files which come from large companies such as Microsoft should be signed so you can be certain of their origin. "

I found this suggestion to disable such a warning - Windows XP SP 2

http://www.teamsoftwaresolutions.com/phpBB2/viewtopic.php?p=2175&
(see below)
********
To disable this dialog set or add the following string in the Windows Registry.

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
"LowRiskFileTypes"=".exe"
********
0
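A check for the registry setting quoted in the comment above, added here as an example and not part of the original post: it reports every loaded user profile whose `LowRiskFileTypes` value includes an executable extension, the condition a later reply in this thread warns against. The list of extensions treated as executable is an assumption of this example.

```powershell
# Added example (not from the thread). Reports loaded user profiles whose
# Attachment Manager policy marks executable file types as low risk.
$subKey = 'Software\Microsoft\Windows\CurrentVersion\Policies\Associations'
# Assumption: extensions treated as executable for this audit; adjust as needed.
$risky  = '.exe', '.com', '.bat', '.cmd', '.scr', '.msi', '.vbs', '.js', '.ps1'

function Get-LowRiskExecutableTypes {
    # HKEY_USERS holds one subkey per loaded profile (named by SID).
    # Run elevated to see profiles other than your own.
    foreach ($hive in Get-ChildItem -Path Registry::HKEY_USERS -ErrorAction SilentlyContinue) {
        $sid  = $hive.PSChildName
        $path = "Registry::HKEY_USERS\$sid\$subKey"
        $value = (Get-ItemProperty -Path $path -Name LowRiskFileTypes `
                    -ErrorAction SilentlyContinue).LowRiskFileTypes
        if (-not $value) { continue }   # key or value absent: nothing to report

        # The value is a semicolon-separated list such as ".zip;.exe".
        $listed = $value -split ';' |
                  ForEach-Object { $_.Trim().ToLowerInvariant() } |
                  Where-Object { $_ }
        $hits = @($listed | Where-Object { $risky -contains $_ })

        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                Sid             = $sid
                Key             = "HKEY_USERS\$sid\$subKey"
                ExecutableTypes = $hits -join ';'
                FullValue       = $value
            }
        }
    }
}

Get-LowRiskExecutableTypes | Format-Table -AutoSize
```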
 

Author Comment

by:plq
ID: 16640717
thanks for this.

Do you think that creating a certificate on a local 2003 box and then running it through sign.exe would stop the error? I'm wondering if there's a reason for having Thawte or Verisign certs as opposed to generating your own?
0
 

Author Comment

by:plq
ID: 16640811
Also we don't want the exe to load more slowly because its code is encrypted ! It must perform 100%. I'm thinking certifying an exe would slow down its opening process ? exe is 80kb
0

Expert Comment

by:Dariusz Dziara
ID: 16640858
Certificates for Verisign or Thawte are built into the operating system. You can use your own certificates but you will have to register your Certification Authority on every machine you want to use it on.
It will then appear in Internet Explorer:
Tools->Internet Options...
tab "Content" button "Certificates" and then tab "Root Trusted Certification Authorities"
0
 

Assisted Solution

by:Dariusz Dziara
Dariusz Dziara earned 500 total points
ID: 16640918
"Also we don't want the exe to load more slowly because its code is encrypted".
I think that signing code doesn't imply encryption (I won't give my head).
It is only to show who has published the executable & that nobody tampered with it later.
0
 

Assisted Solution

by:r-k
r-k earned 500 total points
ID: 16643033
Yes, that's correct. Signing the code does not encrypt or slow it down (other than the initial overhead of checking the signature).
0
 

Author Comment

by:plq
ID: 16645650
One more question..

How can I get my systems to reproduce the problem? When I download the file from a webserver and just run it, it runs first time without warning. I have domain and non-domain test environments ????

thanks
0
 

Expert Comment

by:rbvoigt
ID: 16648373
Creating your own certificate using server 2003 and signing with sign.exe is the best option.  Make sure you do the advanced usage... certificate for code signing thing, by default you get an SMIME certificate.  The user will still be prompted once, but by checking the "always trust from YourCompany" box they'll never be asked again.  Or, you can add yourself to the Trusted Publishers list by doing a push through SMS.

The reason for the prompt is, when using a UNC path, your program is running in the Local intranet zone instead of My computer zone.  You could also adjust the settings for the Local intranet zone (in Internet Explorer).... but don't mark .exe "low-risk" or you'll be infected by every worm on the internet.
0
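The signing route discussed in the replies above (your own code-signing certificate, trust registered on each machine, and a signature that gives tamper evidence rather than encryption), as an added example that is not part of the thread. It uses the PowerShell PKI cmdlets of current Windows versions instead of the Server 2003 CA and sign.exe mentioned by the posters; the file names and the subject name are placeholders.

```powershell
# Added example (not from the thread). Paths and the subject name are placeholders.
$exe     = (Resolve-Path '.\app.exe').Path      # local build output, signed before it is copied to the share
$subject = 'CN=Example Internal Code Signing'   # hypothetical publisher name

# 1. -Type CodeSigningCert sets the Code Signing usage; a certificate
#    without that usage is refused by Set-AuthenticodeSignature.
$cert = New-SelfSignedCertificate -Type CodeSigningCert -Subject $subject `
            -CertStoreLocation Cert:\CurrentUser\My

# 2. Sign. Authenticode adds a signature block to the file; the code is not encrypted.
Set-AuthenticodeSignature -FilePath $exe -Certificate $cert -HashAlgorithm SHA256 | Out-Null

# 3. Export the public certificate only; the private key stays on the signing machine.
Export-Certificate -Cert $cert -FilePath '.\codesign.cer' | Out-Null

# 4. On each client, from an elevated prompt: trust the issuer and the publisher.
#    Whoever holds the private key can sign code these machines will trust, so guard it.
Import-Certificate -FilePath '.\codesign.cer' -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
Import-Certificate -FilePath '.\codesign.cer' -CertStoreLocation Cert:\LocalMachine\TrustedPublisher | Out-Null

# 5. Tamper evidence: compare the signed file with a copy changed after signing.
$tampered = [IO.Path]::ChangeExtension($exe, '.tampered.exe')
$bytes = [IO.File]::ReadAllBytes($exe)
$bytes[0x400] = $bytes[0x400] -bxor 0xFF        # flip one byte in the file body
[IO.File]::WriteAllBytes($tampered, $bytes)

Get-AuthenticodeSignature -FilePath $exe, $tampered |
    Select-Object Path, Status, @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } }

Remove-Item $tampered
```

Compare the `Status` column for the two files: any change to the signed bytes invalidates the signature, while the signed original still runs from the same unencrypted code.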
 

Author Comment

by:plq
ID: 16648781
Thanks for this. Any ideas why it doesn't happen on my local network ? or how to change settings to make it happen ?
0
 

Assisted Solution

by:itsmeandnobodyelse
itsmeandnobodyelse earned 500 total points
ID: 16655926
>>>> Any ideas why it doesn't happen on my local network ?

Didn't you read the last comment of rbvoigt? The local network runs in the 'My computer zone' which has different security limitations.

>>>> or how to change settings to make it happen ?

You could try to define a local mapping by

    net use x: \\server\share

or

    subst x: \\server\share

which should work if 'x' isn't used and the current user has permission (normally via domain login), and run the app from x:\ after that.

You could do it programmatically by using the system call:

   #include <process.h>
   ...

   system("net use x: \\\\server\\share");

Note, you need to duplicate \ character if used in a literal.

Regards, Alex
0
 

Author Comment

by:plq
ID: 16655956
>> Didn't you read the last comment of rbvoigt? The local network runs in the 'My computer zone'

Yes. Even when I run from domain server across to workgroup pc it works ok on our network. The site where the problem happens is running on a local network with client and server inside the same domain. What I need to get to is being able to make the problem happen on my local network so I can experiment with different settings etc.

At the site where the problem happens we added \\server\share as a trusted site and the problem did not go away
0
 

Accepted Solution

by:rbvoigt
rbvoigt earned 500 total points
ID: 16663467
It is possible to tighten settings on the Trusted Sites zone to block unsigned apps as well... use the Internet Tools dialog to configure.
0
