How can I stop Windows saying my software might be harmful?

When my clients download my application, Windows, browsers, Norton et al say my software might be harmful.  How can I stop this?

Thanks in advance.
Clive Beaton, Access Developer, asked:
Mohammed Khawaja, Manager - Infrastructure: Information Technology, commented:
One way is to sign your application with a certificate that is from a trusted root certificate provider or from a self-signed certificate where your certificate is trusted on the client's PCs.
John, Business Consultant (Owner), commented:
Have you approached Symantec Support?

There is some software I have to exclude from Symantec (Cain/Abel, Unlocker and a couple of others) but nothing major.
Brian Murphy, IT Architect, commented:
So you compiled a Windows binary or installation and every machine shows it as harmful?

On your corporate network do you have an Enterprise Management Tool for Norton to exclude that binary file?

Does it show up as harmful before or after the installation?

If the user has permissions, they can right click the install or the binary EXE and "Add to Exclusion List" for Norton but on most business networks this is disabled.

Depending on internal Group Policy settings and both Norton it may not accept a "self-signed" certificate.

You would need an internal CA like Microsoft CA to generate a software signing certificate, but depending on your Domain version you might not have the option for SHA2, only SHA-1, which is deprecated, leaving a third-party vendor certificate like Verisign.

You would need a minimum of SHA256 and prefer a private key generated prior to CSR that is RSA256 then 2048 Bit on the SSL Certificate when you submit your CSR.

On the self-signed certificate or Microsoft CA there are Group Policy settings to "allow" or set those as Trusted Root Authorities so they show up properly from the Microsoft CRYPTO API perspective.

MMC Console > Add Remove Snap-in > Certificates > Local Machine (not user) > Trusted Enterprise Root Certificate Authorities and any Intermediates go in the Trusted Intermediate Store.

On the self-signed you could try exporting to PFX from the source where you generated the original CSR and having the private key.  Depending on where you created the private key, CSR then obtained the CER or CRT you could use the DIGICERT Utility to extract the private key and CRT key file to separate files if you have the P7B or PFX file that is the certificate with Private key.
Scott McDaniel (Microsoft Access MVP - EE MVE), Infotrakker Software, commented:
If you are distributing software "in the wild", you would need to obtain a trusted code signing certificate, as suggested by Mohammed Khawaja and others. Using a self-signed won't work in many cases, and you'll have to distribute the cert and key (and install/validate them) in order for that to work. Plus, if you don't build them exactly right, they'll be flagged as invalid anyway, or may die prematurely, etc etc. All in all, if you're trying to build trust with your potential users you certainly don't want them to be exposed to the nasty underbelly of code signing!

You can buy a cert from one of the Trusted Authorities, such as Symantec, Thawte, Comodo, etc. Those typically aren't cheap, but they're virtually guaranteed to not flag your software. I use the one from Comodo, which runs around $175/yr. You can buy from resellers for less than that, but be careful of the policies and terms of that reseller. Some of them die at the end of the term, which means your software will be flagged as invalid after your subscription expires. Others require that a specific "root" certificate be installed, which can be very confusing for users.
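
Added example (not part of any answer in this thread and not any poster's own code): signing an installer with an already-installed code-signing certificate using SHA-256 and a timestamp, then reading the signature back the way Windows evaluates it. The function name, file path and timestamp URL are assumptions; substitute the timestamp service your certificate authority documents.

```powershell
# Added example: sign a build output with SHA-256 and a timestamp, then
# confirm Windows reports the signature as valid.
# Assumptions (not from the thread): the function name, file path and
# timestamp URL are placeholders; the code-signing certificate is already
# installed in the current user's Personal store.
function Invoke-ReleaseSigning {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $FilePath,      # e.g. .\dist\MyAppSetup.exe (hypothetical)
        [Parameter(Mandatory)] [string] $TimestampUrl   # your CA's timestamp service URL
    )

    # Pick the longest-lived unexpired code-signing certificate with a private key.
    $cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
    if (-not $cert) { throw 'No usable code-signing certificate found.' }

    # A self-signed certificate only validates on machines that trust it explicitly.
    if ($cert.Subject -eq $cert.Issuer) {
        Write-Warning 'Certificate is self-signed; other PCs will not trust it by default.'
    }
    # Verify() builds the chain against this machine's trust stores.
    if (-not $cert.Verify()) {
        Write-Warning 'Certificate chain does not validate on this machine.'
    }

    # Sign with SHA-256 and timestamp it so the signature can outlive the certificate.
    $null = Set-AuthenticodeSignature -FilePath $FilePath -Certificate $cert `
        -HashAlgorithm SHA256 -TimestampServer $TimestampUrl

    # Re-read the signature as a client machine would evaluate it.
    $sig = Get-AuthenticodeSignature -FilePath $FilePath
    [pscustomobject]@{
        File        = $FilePath
        Status      = $sig.Status                     # 'Valid' is the goal
        Signer      = $sig.SignerCertificate.Subject
        Timestamped = [bool] $sig.TimeStamperCertificate
        CertExpires = $cert.NotAfter
    }
}

# Constructed usage; both values are placeholders.
# Invoke-ReleaseSigning -FilePath .\dist\MyAppSetup.exe -TimestampUrl 'http://timestamp.example.invalid'
```

A `Status` other than `Valid`, or `Timestamped` being false, is worth resolving before the file is published.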

Clive Beaton, Access Developer (author), commented:
Thank you, Scott, and all others who have contributed.