Windows Defender SmartScreen triggering on rustup-init.exe downloaded from the website #56815

Status: Open
pietroalbini opened this Issue Dec 14, 2018 · 3 comments

pietroalbini commented Dec 14, 2018

Reported on Reddit. Quickly looking at the issue, it seems like the website makes you install the 32-bit version instead of the 64-bit one, and the 32-bit one triggers Windows Defender.

cc @rust-lang/infra @ashleygwilliams

mqudsi commented Dec 14, 2018

It's not an issue with 32-bit vs 64-bit, it just so happens that the two are flagged differently.

Windows SmartScreen is a pretty nice solution to code signing problems. Basically, it uses the tuple (code_signing_certificate?, hash_of_download) to determine whether a download is flagged. If the binary in question (as identified by the hash) has been downloaded/scanned without actual malware detected enough times, the warning goes away. If the binary is also signed, and other binaries signed with the same certificate have been downloaded/scanned many times, the warning is not shown or goes away (this prevents new binaries by existing publishers from being flagged).

Now in this case, both the 32-bit and 64-bit installers are not signed (this sucks and needs to be corrected - certificates are cheap). But the 64-bit installer is more popular and has been run bypassing SmartScreen or with SmartScreen disabled without event enough times that Microsoft has learned to trust that binary.

The rustup team can contact me via email to talk about an ASAP band-aid if interested.
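The two signals described above (whether the installer carries a code-signing certificate, and the hash SmartScreen keys its reputation on) can be checked locally before anyone relies on the download prompt. The following PowerShell function is an added example written for this page; it is not part of rustup or of the issue thread, and the `.\rustup-init.exe` path in the usage line is an assumed local download location. It uses the built-in `Get-AuthenticodeSignature` and `Get-FileHash` cmdlets, which exist in Windows PowerShell 5.1 and PowerShell 7.

```powershell
function Get-InstallerTrustSignals {
    <#
    .SYNOPSIS
        Reports the Authenticode signature status and SHA-256 hash of a downloaded
        installer, i.e. the two inputs SmartScreen reputation is keyed on.
        (Added example, not code from the rustup project.)
    #>
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path   # assumed: path to the downloaded installer
    )

    if (-not (Test-Path -Path $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    # Authenticode check: Status is NotSigned for an unsigned binary (the case in
    # this issue), Valid for a trusted signature, HashMismatch if the file was
    # altered after signing, NotTrusted if the chain does not end in a trusted root.
    $sig = Get-AuthenticodeSignature -FilePath $Path

    # The per-file identity SmartScreen uses to accumulate download reputation.
    $sha256 = (Get-FileHash -Path $Path -Algorithm SHA256).Hash

    $signer = if ($sig.SignerCertificate) {
        $sig.SignerCertificate.Subject
    } else {
        '(unsigned)'
    }

    [PSCustomObject]@{
        File            = (Split-Path -Path $Path -Leaf)
        SHA256          = $sha256
        SignatureStatus = $sig.Status
        Signer          = $signer
        # An unsigned binary has only its own hash to earn reputation with; a
        # signed one also inherits the publisher certificate's history.
        ReputationBasis = if ($sig.Status -eq 'Valid') { 'hash + publisher certificate' } else { 'hash only' }
    }
}

# Usage (assumed download path):
Get-InstallerTrustSignals -Path '.\rustup-init.exe' | Format-List
```

For an unsigned `rustup-init.exe` the output shows `SignatureStatus : NotSigned` and `ReputationBasis : hash only`, which is exactly why the less-downloaded 32-bit build keeps tripping the prompt while the 64-bit build has accumulated enough clean downloads to pass. Once the installers are signed, the same function will show the publisher subject and a `Valid` status, and new releases will inherit the certificate's reputation rather than starting from zero per hash.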

pietroalbini commented Dec 15, 2018

Added this to the agenda for the next infra meeting.

jethrogb commented Dec 19, 2018

Looks like there was some discussion in the infra meeting about signing for Windows, but I couldn't find a specific issue for signing.

@jseyfried can you share Windows binary signing best practices?
