70
votes

I created an application which comprises a number of *.exe files. I've packaged these up into an NSIS installer which I hosted on my website. When I try to download it Chrome reports it as potentially malicious. At first I thought it could be the URL/site I was hosting on not being recognized so I signed up for Amazon S3 storage and moved the file there. Same problem. I then thought that packing the executables might cause this, so I tried without.
Same issue.
After some more reading I decided to try signing the executables as well as the installer package EXE.

I created a dev cert as follows:

makecert
pvk2pfx 
signtool"http://timestamp.verisign.com/scripts/timstamp.dll" *.exe

Still malicious... I check the exe's even after download and confirmed they have a digital signature tab, granted it's not a fully verified commercial certificate but I can't believe the only way around Chromes half-baked code analysis is to spend $200 a year to have a verisign etc. code signing cert issued?

Any ideas how I can change what I'm doing to avoid this nasty message?

6
I have the same issue. Jotti tells me there are no viruses found, so why is Google Chrome not happy? Chrome's learn more links goes to support.google.com/chrome/bin/… but it's typically unhelpful. Any ideas?svandragt
Yes, the answer is to sign up to Google Webmaster Tools, because for your website to be accepted by the public, it must first be accepted by Google, our glorious leader. All hail our glorious leader.ADJenks

6 Answers

102
votes

I had exactly this problem with an exe file that is downloadable from my web site. Whenever I tried to download the file using Chrome it gave the warning.

The solution I found was to sign up to Google Webmaster Tools and add my site. It took several days for Google to crawl my site, and fill in any information, but I went back today and finally found loads of information there.

Now I can download my file, and there is no malicious warning any more.

It seems that once Google has checked out your site and determined that you are not a bad person, the problem goes away.

7
votes

Well, anonymous .exe are potential threats, Chrome is preventing users about this.

You are signing the exes, but I'm not quite sure your certificate is backed by a Certification Authority, like Verisign. They sell this services. But yet, I'm not sure signing will make any difference. Chrome reads the files' names inside the zip, but I don't think it decompress the entire file to read the sign.

I can tell you one or two workarounds, I'm pretty sure you know them:

  1. Change the file extension, and ask the user to rename the files back to .exe
  2. Password protect your zip, rar, or whatever, so Chrome won't be able to look inside, and supply the password to users: it's not a secret password
2
votes

I also had the same issue, and tried the options described above as well,but no luck. I guess I was just too impatient to wait for Google to crawl my site.

I ended up registering with Softonic and CNET's Upload.com, and submitted my application for review and inclusion on their sites. After their approval, I added the link to my site, the file downloaded fine.

The only bad thing is that you need to download the Softonic downloader to install your application on softonic, but CNET offers a "direct download link" that allows you to download your original installer.

1
votes

I ran into this issue. The simplest work around: use another [insert browser name here]. eg. firefox.

1
votes

If you have a domain with a non-standard domain suffix such as .one, Chrome will complain. So will FireFox for that matter. I don't think this was the OP's problem but if you land here because you're searching madly trying to figure out why a commom file like a .zip file is giving you a warning in Chrome or FF when downloading, it could very well be that you need to use a common domain suffix such as .com

0
votes

I also had this issue. I am using a certificate generated from my own CA which is installed to the Trusted root certification authorities. At first signing wasn't enough, but then I added file version with my name on it and also an icon. Now Chrome is happy to download and run it.