Getting around Chrome's Malicious File Warning

Question

I created an application which comprises a number of *.exe files. I've packaged these up into an NSIS installer which I hosted on my website. When I try to download it Chrome reports it as potentially malicious. At first I thought it could be the URL/site I was hosting on not being recognized so I signed up for Amazon S3 storage and moved the file there. Same problem. I then thought that packing the executables might cause this, so I tried without.
Same issue.
After some more reading I decided to try signing the executables as well as the installer package EXE.

I created a dev cert as follows:

makecert pvk2pfx  signtool"http://timestamp.verisign.com/scripts/timstamp.dll" *.exe 

Still malicious... I check the exe's even after download and confirmed they have a digital signature tab, granted it's not a fully verified commercial certificate but I can't believe the only way around Chromes half-baked code analysis is to spend $200 a year to have a verisign etc. code signing cert issued?

Any ideas how I can change what I'm doing to avoid this nasty message?

Answer 1

I had exactly this problem with an exe file that is downloadable from my web site. Whenever I tried to download the file using Chrome it gave the warning.

The solution I found was to sign up to Google Webmaster Tools and add my site. It took several days for Google to crawl my site, and fill in any information, but I went back today and finally found loads of information there.

Now I can download my file, and there is no malicious warning any more.

It seems that once Google has checked out your site and determined that you are not a bad person, the problem goes away.

Answer 2

Well, anonymous .exe are potential threats, Chrome is preventing users about this.

You are signing the exes, but I'm not quite sure your certificate is backed by a Certification Authority, like Verisign. They sell this services. But yet, I'm not sure signing will make any difference. Chrome reads the files' names inside the zip, but I don't think it decompress the entire file to read the sign.

I can tell you one or two workarounds, I'm pretty sure you know them:

1. Change the file extension, and ask the user to rename the files back to .exe
2. Password protect your zip, rar, or whatever, so Chrome won't be able to look inside, and supply the password to users: it's not a secret password