How can I stop Windows saying my software might be harmful? (Part2)

Follows on from the original question of the same name which was: When my clients download my application, Windows, browsers, Norton et al say my software might be harmful.  How can I stop this?  The application isMS Access deployed as an exe packaged as an exe by SageKey.

I want to buy a certificate from Comodo, as recommended by Scott McDaniel.  
1. I need advice which one to buy?
2. Is a certificate relatively easy to install/implement?
3. Can the certificate be used for multiple products within my organisation or for only one product?

Thanks in advance.
Clive BeatonAccess DeveloperAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

David Johnson, CD, MVPOwnerCommented:
1. I need advice which one to buy?
 Code Signing (Comodo)
2. Is a certificate relatively easy to install/implement?
yes can be integrated into Visual studio

3. Can the certificate be used for multiple products within my organization or for only one product?
Any product  for your company name
Scott McDaniel (Microsoft Access MVP - EE MVE )Infotrakker SoftwareCommented:
If you're doing this entirely in Access, see the MSFT article below:

The section titled "Package, sign, and distribute an Access 2010 database" is the one that's most relevant. Basically, you package the file, and you sign that package.

You also mention using SageKey, so you might contact them to determine if there's a way to integrate your certificate into their process.
Jim Dettman (Microsoft MVP/ EE MVE)President / OwnerCommented:
Just to add to what Scott said a bit; it's not only the package that needs to be signed, but your VBA code as well and that's covered in the first part of the article.

Note however that you cannot use a self-signed certificate.   Self signed certs are only for use within your own organization.   Other people can't use them because they can't verify the certificate, so they would still get messages.

The 7 Worst Nightmares of a Sysadmin

Fear not! To defend your business’ IT systems we’re going to shine a light on the seven most sinister terrors that haunt sysadmins. That way you can be sure there’s nothing in your stack waiting to go bump in the night.

We need a little more context.  

1. Are you distributing an Access FE?  You included Access in your topic list but this is only relevant if your application is written in Access.  Using "Access" (which is actually Jet/ACE) to store data doesn't constitute an Access application.
2. Is this an internal distribution or are you distributing to the public?
3. If you use a product such as SageKey to create your distribution package, it will automatically install the correct registry keys to satisfy the Office security prompts.
Scott McDaniel (Microsoft Access MVP - EE MVE )Infotrakker SoftwareCommented:

I believe this is the prompt you get when you download an executable from the internet, and Windows doesn't know who the author is (no security certificate). It's not the Office security prompts.
That was quite an important sentence I missed when I read the question.
Clive BeatonAccess DeveloperAuthor Commented:
Some clarification:
1.  My software comprises a frontend and backend database both created in Access 2010.

2. I package and deploy both databases using SageKey.  I have emailed SageKey for their advice.

3.  I deploy the frontend and backend databases separately so there is only 1 database per install package.

4.  I have clients all over Australia so I need a commercial certificate.

5.  One potential problem is that I have changed the extensions on the databases to .app and .dat.  I suspect that I may have to rename these to .accde and .accdb.  I would appreciate comments on this.

Thanks for all your responses.
Jim Dettman (Microsoft MVP/ EE MVE)President / OwnerCommented:
On point #5,  Access doesn't really care what the extension is, except for accdr, which puts it in runtime mode.

Of course you need to account for that (i.e. table re-linking) in your app.

Clive BeatonAccess DeveloperAuthor Commented:

Thanks.  That's a relief and very good to know.  Linking is fine.  

".dat" is considered by Access to be "dangerous".  That change got made around 2003 and caused chaos with an installed product of mine.  It was inputting files created by a scanner and the scanner named it's files xxx.dat.

Try changing the .dat to something else.
Jim Dettman (Microsoft MVP/ EE MVE)President / OwnerCommented:
Worked fine here with A2010 other than getting a "enable" warning on the DB.  Added in the location as a trusted location and no warnings at all.

JET/ACE has never cared about the extension up until the .accdr was recognized as forcing run-time mode.  It always reads the database header page to figure out if it's a JET/ACE database or not.

But to Pat's point, Windows and other programs might think differently about a .dat extension, which is the old "data file" extension.

In fact on my system here, the registered program to handle that is media player.

Scott McDaniel (Microsoft Access MVP - EE MVE )Infotrakker SoftwareCommented:
FWIW, the article I tagged in my earlier comments seems to indicate that you do NOT sign the VBA code, even though the option appears to exist. It would seem you'd use the method where you sign the entire package, and not the database. See this section from that earlier link:

You can use the Package and Sign tool only with databases saved in a newer file format (.accdb, .accde,...). Access 2010 also provides tools to sign and distribute databases that have an earlier file format. You must use the digital signature tool that is appropriate for the database file format that you are using.
The emphasis is mine. If you're distributing a 2010 (or later) format application, then you sign the package, not the VBA code.

I haven't distributed any signed apps other than 2010, and that's what I did - sign the package. When I was delivering signed apps in 2003, I would use the option in the VBA Editor to sign those packages.
Jim Dettman (Microsoft MVP/ EE MVE)President / OwnerCommented:
Huh...I wonder if that's because of the addition of trusted locations or just changes in the package wizard.

You've got me curious now.....when I have a chance, I'll look in VBA 7 to see if you still have the option to digitally sign or not.

Scott McDaniel (Microsoft Access MVP - EE MVE )Infotrakker SoftwareCommented:
In 2013 the option is still there, but if you try to use that method it won't work. You'll get to the last page (or so) of the wizard, and it'll error out and tell you to use the Package and Sign method (if I recall).

My take from the whole process when I was learning was this:

You sign the entire package with Access 2007 and newer, and deploy that to a Trusted Location on the target machine. The only point of the code signing in this case is so that when users download your installer from the web they won't get the security warning about an "unknown publisher".

Note the format of the file you're working with is the key, and not necessarily the version of Access you're doing this in. If you want to sign an .mdb/.adp file in 2007+ you do so with the VB Editor - Tools - Digital Signature method. If you want to sign an .accdb file, you do so using the Package and Sign method.

Oddly enough, I believe Excel still allows you to sign the VBA project - but I could be wrong about that.
Jim Dettman (Microsoft MVP/ EE MVE)President / OwnerCommented:
That article is a little confusing....on one hand it talks about new database format, but then only refers to A2010 and up.   Was wondering why A2007 was left out in the cold (when did trusted locations come in?  thought it was with 2007).  It's also unclear what happens if your working with a .mdb in A2007, A2010, or A2013

 It seems rather that it just matters what version of Access, which is 2007 and up and the version of the DB really doesn't matter.  

 Has been a while since I had to sign anything (think the last time was with A2000), which left me with the impression that VBA code always had to be signed.

 Sorry for the confusion.

Scott McDaniel (Microsoft Access MVP - EE MVE )Infotrakker SoftwareCommented:
Yes, that's what I recall. I haven't signed an Access project in a while, but it seems when I tried to sign an .accdb, I would get that error message and would have to sign the "package". If I tried to sign an .mdb, regardless of the version of Access I was using, I was able to sign the code.
Clive BeatonAccess DeveloperAuthor Commented:
Can I ask a simple question?

Do I sign the the accdb before creating the accde?

Thanks in advance.

Scott McDaniel (Microsoft Access MVP - EE MVE )Infotrakker SoftwareCommented:
You don't sign the .accdb OR the .accde - you create the .accde, then create the package and then sign that package.

A code signing cert exists to (hopefully) reassure the recipient that what they have downloaded has not been tampered with, so you sign <whatever it is they download>. In your case, it would be most helpful if you could sign the Sagekey package that's created, but I don't know if you can do that, or how you would do it (ask Sagekey about that, however).

But the best you can do in Access 2007 and above is use the "Package and Sign" process.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Clive BeatonAccess DeveloperAuthor Commented:
Thanks to all.  This is a question where I wish there were more points to give.  I'll take it from here.  If I need any more help, I'll post another question.

It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Access

From novice to tech pro — start learning today.