I have a .NET application written in C# using Visual Studio 2012. I'm promoting the application through my own website and have it available for download. When downloading it in Chrome I get a message stating that my application is "not commonly downloaded and could be dangerous". Additionally, when I download my own application and execute it Avast sees it as suspicious and wants to run it in the sandbox.
Is there any way I can prevent this from happening (without purchasing a certificate for signing)? I don't want potential users to run into this issue.
Edit: I am not doing anything malicious or using any hooks in my application. The application is just a small simple tool as you can see here.
Either you code-sign the app, or you wait until a few thousand people download your app, install it and do not report it as garbage, and then you get a goodwill grant from providers.
Even if your application is signed with a certificate issued by one of the CAs participating in Microsoft's Trusted Root Certificate Authority program, it could still face some issues unless you use an EV Authenticode code signing certificate and/or continue to renew the same certificate in perpetuity. See "IE9 SmartScreen Warning, Despite Following All Recommendations" for an example. In short, you're paying for reputation as a software publisher.
I am trying to get my Silverlight application running with elevated privileges in browser. However, no matter what I do, it doesn't get elevated.
I have tried to add registry key AllowElevatedTrustAppsInBrowser (as DWORD with value 1), and signed the XAP file using VS 2012. I also came across a blog that mentioned the clientaccesspolicy.xml file, but I was not able to allow elevated privileges with this either. I put the xml file inside the web project hosting the html file that displays the XAP.
Has anyone actually managed to get this to run?
I also tried following this: http://mtaulty.com/CommunityServer/blogs/mike_taultys_blog/archive/2011/04/27/silverlight-5-beta-rough-notes-trusted-apps-in-the-browser.aspx but I'm unsure about where to run the commands he runs on Windows.
There is a good summary on how to enable in-browser elevated trust by Mister Goodcat here, where he also provides some troubleshooting tips:
One thing to keep in mind is that even if your application runs as trusted in-browser app, it is still subject to the security restrictions the browser itself imposes. That means that its possibilities may be much more restricted than if they ran out of browser, for example by Internet Explorer's Protected Mode. In addition, the Silverlight runtime itself restricts use of certain features for in-browser trusted apps, for example you cannot use the Window class and/or create additional windows when you're running in the browser.
If none of the above applies to you and you still run into problems, one thing to do is check whether your certificate(s) have been installed correctly. There's a snap-in for the management console for this. Here is an article that describes how to get there (note that you should add a snap-in for your user account, not the computer account as in this description).
You can also check whether your registry key is actually and successfully queried, for example by using a tool like Process Monitor from the Sysinternals Suite. Watch for operations of type "RegQueryValue" of your browser executable that access the key we created above, and make sure the Result is "SUCCESS".
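The two checks described in this answer (is the registry value visible to the browser, is the signing certificate installed for the current user) can be scripted. This is an added example, not code from the answer or from the linked articles. It assumes the value lives under HKLM\SOFTWARE\Microsoft\Silverlight (the page does not spell out the path) and that the XAP signing certificate belongs in the current user's Trusted Publishers store; the thumbprint is passed in by you.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Win32;

static class ElevatedTrustCheck
{
    // Assumed key path; a 32-bit browser on 64-bit Windows reads the Wow6432Node copy,
    // which is why both registry views are checked.
    const string KeyPath = @"SOFTWARE\Microsoft\Silverlight";
    const string ValueName = "AllowElevatedTrustAppsInBrowser";

    // Returns the raw value as seen through the given registry view, or null if absent.
    static object ReadFlag(RegistryView view)
    {
        using (RegistryKey hklm = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, view))
        using (RegistryKey key = hklm.OpenSubKey(KeyPath))
        {
            return key == null ? null : key.GetValue(ValueName);
        }
    }

    // True if a certificate with this thumbprint is in the current user's store.
    static bool InStore(StoreName name, string thumbprint)
    {
        var store = new X509Store(name, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            return store.Certificates
                        .Find(X509FindType.FindByThumbprint, thumbprint, false).Count > 0;
        }
        finally { store.Close(); }
    }

    static void Main(string[] args)
    {
        if (args.Length != 1) { Console.WriteLine("usage: ElevatedTrustCheck <thumbprint>"); return; }
        foreach (RegistryView view in new[] { RegistryView.Registry32, RegistryView.Registry64 })
        {
            object v = ReadFlag(view);
            bool enabled = v is int && (int)v == 1;   // must be a DWORD with value 1
            Console.WriteLine("{0}: {1}", view, v == null ? "missing" : enabled ? "enabled" : "wrong type or value: " + v);
        }
        Console.WriteLine("Trusted Publishers: {0}", InStore(StoreName.TrustedPublisher, args[0]));
        // Only relevant for a self-signed test certificate, which must also be a trusted root.
        Console.WriteLine("Trusted Root:       {0}", InStore(StoreName.Root, args[0]));
    }
}
```

A "missing" result in the 32-bit view alongside "enabled" in the 64-bit view means the value was created where a 32-bit browser process does not look.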
I want to run an exe on client system from my C# ASP.NET website. When I use Process.Start()
it throws an error:
The requested operation requires elevation.
How do I set permissions to run that exe?
You can't spawn processes on the client machine from server-side code.
When you use Process.Start in server-side code, it is attempting to execute the process there, on the server where the website is hosted. If you wanted to create processes on the client's computer then you would need to expose a download for them (and not by employing subterfuge, like malign sites might do to install software - supply it gracefully, and normally (and with permission)), or a Silverlight application or something along those lines.
The bottom line is that the code you want to execute (even if that is just to spawn a process) must reside on the client, and be executed there.
You can't run an application from a web server like that. You will have to have the user download the application by supplying the EXE, a setup file or using ClickOnce.
Or you can develop an ActiveX control that you can have the browser automatically download from a Trusted Internet Zone.
Once downloaded, proper signing with a certificate (signed from the trusted (corporate) root certificate) will avoid the user getting a prompt to ask whether he wishes to allow the ActiveX control to install/be activated.
The ActiveX control can subsequently do anything the interactively logged on user could. This means that to actually install a program you'd need to elevate (UAC on Vista+); But if the goal was just to run a standalone executable, you should be good to go.
This all assumes white-hat purposes in a (larger) corporate setting, because it relies on PKI infrastructure and central browser policies, to name just two.
This would, really, lead to some excellent questions on serverfault or superuser
I noticed you said you wanted to run an exe file on the client, but you didn't say explicitly that the exe is on the server and you want to push it to the client. Everyone seems to be assuming that is the case.
You CAN accomplish this fairly easily with a small JavaScript if you have a few prerequisites:
The executable is already present on the client machine.
All of your clients are running IE.
You can enforce a policy to put your site in the Intranet or Trusted Sites zone.
So basically this means it's a corporate intranet application. I am assuming this is probably the case since, well, if you were expecting to do this with a public app, I would be surprised.
For the script to accomplish this, please see my answer to this question:
How can I get a program on a client machine to run from an ASP.NET page?
Background: ClickOnce app that is bundled with the web server of an embedded device. Customers access the web interface, like you would access your router's configuration pages, and hit a button there to launch the ClickOnce app.
Problem: One customer claims he is getting signing error "Cannot continue. The application is improperly formatted. Contact the application publisher for assistance." And in the details, "Your Web browser settings do not allow you to run unsigned applications." This happens before ClickOnce even gets to the part where it downloads the app. Just click the "launch" button and the error is immediately thrown. Customer is running Windows XP and IE8.
The application and deployment manifests are both signed with our VeriSign Class 3 Code Signing certificate. I have checked and retested a dozen times with different IE settings, and every time it downloads the application, successfully verifies, and launches. We've had him reflash his device and same thing. No one else has this problem, just him, so I can only conclude that there is nothing wrong with the manifests or their signatures.
His IT department is freakish about security so I strongly suspect that he has some IE settings interfering with ClickOnce, either trying to enforce stricter signing requirements, or blocking it altogether. What could be causing this? Are there some group policies somewhere that are maybe shutting him down?
Try clearing the browser cache.
Go to Internet Options -> Advanced, then click Reset...
What worked for me was checking, in Internet Options -> Advanced, "Allow Software to run or install even if the signature is invalid".
I want to know how many users installed my software successfully.
But: I do not want to open a website link after installation.
The only way you could do this would be if your software had to be installed using some installer, and that installer "called home" to some server of yours as part of the installation process. But:
You have to have already set all of this up. If you've released your software already, it is too late ...
It is easy for someone to defeat measures like this; e.g. by disabling the machine's networking while installing the software. And a serious software pirate is likely to try to modify your installer to disable the "call home" code.
A lot of legitimate users of your software would consider "call home" during installation to be an invasion of their privacy. You are likely to get loud complaints and there's a risk of bad publicity that will damage your company's reputation.
As #Pierre 303 points out, recording information about people who (for example) install your software may be limited by privacy laws in your country.
You could use a WebRequest for a simple pingback.
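using System.Net;
// Example serial number reported to the server.
int serial = 123456;
WebRequest request = WebRequest.Create(string.Format("http://yourserver.com/pingback.aspx?serial={0}", serial));
// Dispose the response so the underlying connection is released.
using (var response = request.GetResponse()) { }
Call this on the first startup of your application and store a flag in the registry to remember whether the pingback has already been sent.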
Note: It is usually not appreciated by end users to have applications silently "phone home". You should provide some kind of notification with an accept button.
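The first-startup flow this answer describes (ask the user, send once, remember the result in the registry) is sketched below as an added example, not code from the answer. The registry key, value name and endpoint are hypothetical placeholders, and unlike the snippet above it sends no serial and uses HTTPS, so the server only sees one anonymous count per accepted install.

```csharp
using System;
using System.Net;
using Microsoft.Win32;

static class InstallPingback
{
    // Hypothetical per-user key and endpoint; replace with your own.
    const string KeyPath = @"Software\ExampleVendor\ExampleApp";
    const string Endpoint = "https://example.com/pingback";

    // askUser shows the notification and returns true only on an explicit accept.
    public static void RunOnce(Func<bool> askUser)
    {
        using (RegistryKey key = Registry.CurrentUser.CreateSubKey(KeyPath))
        {
            string state = key.GetValue("PingbackState") as string;
            if (state == "sent" || state == "declined") return;   // nothing left to do

            if (state == null)                                     // ask exactly once
            {
                if (!askUser()) { key.SetValue("PingbackState", "declined"); return; }
                key.SetValue("PingbackState", "accepted");
            }

            try
            {
                var request = (HttpWebRequest)WebRequest.Create(Endpoint);
                request.Method = "POST";
                request.ContentLength = 0;   // empty body: no serial, no machine data
                request.Timeout = 5000;      // never hang application startup
                using (var response = (HttpWebResponse)request.GetResponse())
                {
                    if (response.StatusCode == HttpStatusCode.OK)
                        key.SetValue("PingbackState", "sent");
                }
            }
            catch (WebException)
            {
                // Offline or blocked: stay in "accepted" and retry on a later start.
            }
        }
    }
}
```

Call `InstallPingback.RunOnce` from application startup with a delegate that shows your consent dialog; a declined answer is stored so the user is not asked again.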
If you don't want to open a website after the installation, you should consider using a custom function that will be called by either the installer after the installation is finished or by the application at startup.
That function would call the website silently without opening a browser.
I'm working on an open source project that will help you in that task. I'll publish the link in a week or two in this answer.
I've written a simple C# console app that gets executed by SQL Server Integration Services as part of a datawarehouse load (on Windows Server 2003).
Unfortunately the step that calls the .exe is failing because an Open File security warning dialog "The Publisher Could Not Be Verified. Are you sure you want to run this software" is shown.
I think I need to sign my console app, but this seems a little overkill for an internal application. Can I sign it without having to get an externally recognised certificate?
Thanks.
Yes, signing is easy. Just look up Project|Options|Signing. The combobox will let you pick a key-file or create one. It is always a good idea.
But signing may not be enough, the server may impose stricter rules so that you will need a certificate. I'm not 100% sure but you may be able to create your own and tell the server to trust it.
But try the signing first.