I’ve run into an issue trying to install Pritunl version 1.3.4056.37 onto our systems. Defender is blocking them. From what I have read about this block, it is because this EXE is not a ‘recognized application’ for MS Defender.
On the other hand, I was able to upgrade to Version 1.3.3814.40 without any block. The two EXEs have identical Digital Signature Certificates, but it seems that is not all that reputation is based on.
I found an article/blogpost a guy wrote about this issue.
He ran into this problem when he was making a video game. He learned that Defender blocks apps as “unrecognized” based on reputation. Reputation is gained as positive basically by how many times people have downloaded it and run it on their PCs, or if the maker of the app has paid MS to register it to be a “recognized” app.
Does Pritunl not register the application with MS so that it can be installed without Defender blocking it due to reputation?
Is there some other solution that is recommended to simplify installation and avoid the block by Defender?
The software is already being signed with the extended validation certificate on a hardware token. The issue began when the certificate was renewed; when it was renewed, it was done with a newer root certificate from Sectigo. There seems to be an issue with that root certificate being missing on some Windows installations, causing the warning. I’ve tested several computers with new installations and there is no warning even with Smart App Control enabled.
I did test the latest release on an older Windows computer I have. This installation has always shown the warnings and it continues to show it for the latest release. All the other Windows installations I have don’t show the warning.
Thanks for the info, Zach. I attempted the install again today, and it was a smooth installation, no block by Defender. IIRC I installed some Windows updates in the last few days, since I last got the block msg. Perhaps there was a root cert update included. The issue cleared itself up automagically. Haha.
Thanks for your assistance with this issue.
Once you confirm the prompt it will remember that code signing certificate; any other downloads from the same certificate will no longer show the warning. These seem to remain in memory for some time before resetting. I will be replacing the Sectigo certificate with a DigiCert one, but the verification process takes several weeks and a physical token needs to be mailed.
These warnings shown are not indicative of any security issues with the software. The builds can also be verified with the .sig file included in the GitHub releases in addition to the SHA256 hashes stored in the repository. The verify release signatures has information on verifying the build with the .sig file. These are signatures made using a separate YubiKey. All builds are done on dedicated systems that are not used for any other purpose.
The Pritunl Client v1.3.4066.51 release uses a new DigiCert EV certificate. I did test this build on the system I had that had previously shown warnings and it no longer shows a warning. Chrome may show a warning for the next few days but this has always happened when using a new certificate for the first time.
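To check on an affected machine whether the installer's signing chain ends in a root that Windows trusts (the missing-root situation described in the thread), the following PowerShell sketch can be run; it is an added example, not part of the thread or of Pritunl's tooling. The installer path is a placeholder and the function name is hypothetical; the script reports certificate chain trust only and says nothing about SmartScreen reputation.

```powershell
# Added example. '.\Pritunl.exe' is a placeholder path, not a real release file name.
param(
    [string]$InstallerPath = '.\Pritunl.exe'
)

function Get-SignerChainReport {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)

    # Read the Authenticode signature embedded in the file.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if (-not $sig.SignerCertificate) {
        throw "No Authenticode signature found on $Path"
    }

    # Build the chain from the signer certificate up to whatever root is reachable.
    # Revocation checks are skipped so the result reflects chain trust only.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($sig.SignerCertificate)

    $certs = @($chain.ChainElements | ForEach-Object { $_.Certificate })
    $top   = $certs[-1]   # last element is the highest certificate the chain reached

    [pscustomobject]@{
        File                  = (Resolve-Path $Path).Path
        SignatureStatus       = $sig.Status          # e.g. Valid, NotTrusted, UnknownError
        Signer                = $sig.SignerCertificate.Subject
        ChainSubjects         = $certs | ForEach-Object { $_.Subject }
        TopOfChain            = $top.Subject
        TopThumbprint         = $top.Thumbprint
        # A chain that stops at a non-self-signed certificate never reached a root.
        TopIsSelfSigned       = ($top.Subject -eq $top.Issuer)
        # Is that top certificate present in the machine's trusted root store?
        TopInLocalMachineRoot = Test-Path "Cert:\LocalMachine\Root\$($top.Thumbprint)"
        ChainTrusted          = $trusted
        # UntrustedRoot or PartialChain here points at a missing or untrusted root.
        ChainStatus           = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

Get-SignerChainReport -Path $InstallerPath | Format-List
```

Running it against both an older and a newer release on the same machine shows whether the two builds chain to different roots even when the signer subject looks the same.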