Executive summary: Our customers may run into a Microsoft SmartScreen warning. The warning claims that by running OpenLM, you put your device at risk. That’s a misleading statement coming from Windows Defender. We have an Organization Validated (OV) code signing certificate. So, rest assured our application is digitally signed.
OpenLM has finalized the process of renewing the Organization Validated (OV) code signing certificate. Despite completing this procedure, our customers may encounter a warning message on computers running Windows 10 and 11. The message labels the OpenLM software as not trustworthy.
The prompt appears due to the way Microsoft Windows Defender SmartScreen works with OV code signing certificates. It unfortunately sends the wrong message to our customers.
Hence, we would like to communicate and emphasize that OpenLM takes security very seriously. Our new OV code signing certificate is valid. All our installers are correctly signed. We will explain further down why the mislabeling is in place.
What is an OV code signing certificate?
In this hyperconnected era, technology has become a core ingredient of our daily workflow. Hence, the only way to repair the damage done by malicious software is by rebuilding trust. And the best way to do that is by establishing identity.
Certificate Authorities therefore play a critical role, because they issue a digital SSL certificate, much like a certificate you get in real life. It certifies that the software you are downloading is from a trusted source.
Certificate Authorities (CAs) such as DigiCert or Sectigo issue multiple types of SSL certificates. Among these, Domain Validated (DV), Organization Validated (OV), and Extended Validation (EV) certificates play an important role for organizations, such as OpenLM.
By owning a DV, OV, or EV certificate, an organization or software developer gives customers a clear picture of who they are. For website and domain owners, these certificates provide real-time protection. They also ensure that the software the organization provides is safe and can be trusted when visiting a website or downloading software.
Every software developer or organization that aspires to be a trusted source by using an OV code signing certificate is checked by Microsoft Defender SmartScreen.
What is Windows Defender SmartScreen?
Malware and phishing attacks are common and frequent. To address this threat, operating systems include a basic utility to protect users against malware attacks or malicious software. In the Windows operating system this is called Microsoft Defender SmartScreen. It checks the websites users visit for potentially suspicious behavior.
It also performs a reputation check of applications. It does this by verifying that the downloaded software is digitally signed or, in technical terms, has a valid OV code signing certificate. SmartScreen also checks whether the application has an established reputation.
Application reputation is the method SmartScreen uses to differentiate bad software from good software. Reputation is gained in much the same way that we build trust in the people around us. We study them during our encounters or, if we don't have experience with them, we ask others who are familiar with them.
Why does SmartScreen mark OpenLM as an untrusted application?
OpenLM’s software is signed digitally using the standard OV Code signing certificate our organization owns.
- The certificate is valid, and we have recently renewed it.
- However, during the scan, the Windows Defender SmartScreen utility looks at our software. It then checks whether it has been blacklisted or whitelisted in a huge database of code that it collects from Windows machines.
- Though our software is digitally signed with our standard OV code signing certificate, our target market (software license management) prevents us from getting millions of downloads.
- Therefore, Windows Defender SmartScreen will arrive at the conclusion that this application is not commonly downloaded from the internet. Hence, it has not established a reputation.
- For this reason, it will automatically label our software as potentially harmful, which is incorrect.
OpenLM takes security very seriously
We at OpenLM take security very seriously. We would like to take this opportunity to assure you that our new OV code signing certificate is valid. Also, our installers are correctly signed.
So, if you run into such issues, you can rest assured that your information is protected and that the end users are running a safe application developed with love from OpenLM. Just press the “Run anyway” button and start governing your expensive engineering licenses.
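The signing claim above can be checked locally, separately from SmartScreen's reputation verdict. The following PowerShell is an added example, not OpenLM's own code; the installer path and the expected publisher name are placeholders to be replaced with the downloaded file and the publisher name obtained from the vendor.

```powershell
# Added example: check an installer's Authenticode signature independently of
# SmartScreen reputation. Both parameter defaults are placeholders (assumptions).
param(
    [string]$InstallerPath     = 'C:\Downloads\<installer-file>.exe',
    [string]$ExpectedPublisher = '<publisher name as stated by the vendor>'
)

function Test-InstallerSignature {
    param([string]$Path, [string]$Publisher)

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate

    # Mark of the Web: the Zone.Identifier stream marks the file as downloaded,
    # which is what makes SmartScreen evaluate it on first run.
    $motw = Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue

    # Common name of the signer, taken from the certificate (empty if unsigned).
    $signerName = if ($cert) {
        $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    } else { '' }

    [pscustomobject]@{
        File            = $Path
        SHA256          = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        # 'Valid' means the file hash matches the signature and the chain is trusted.
        SignatureStatus = $sig.Status
        StatusMessage   = $sig.StatusMessage
        SignerName      = $signerName
        Issuer          = if ($cert) { $cert.Issuer } else { $null }
        Thumbprint      = if ($cert) { $cert.Thumbprint } else { $null }
        CertNotAfter    = if ($cert) { $cert.NotAfter } else { $null }
        # A timestamp countersignature keeps the signature valid after CertNotAfter.
        Timestamped     = [bool]$sig.TimeStamperCertificate
        DownloadedFile  = [bool]$motw
        PublisherMatch  = ($signerName -eq $Publisher)
        # Signature evidence only; SmartScreen reputation is a separate signal.
        SignatureOk     = ($sig.Status -eq 'Valid') -and ($signerName -eq $Publisher)
    }
}

Test-InstallerSignature -Path $InstallerPath -Publisher $ExpectedPublisher | Format-List
```

A `SignatureStatus` of `HashMismatch`, `NotSigned`, or `NotTrusted`, or a `PublisherMatch` of `False`, means the file is not the signed installer this page describes, regardless of what SmartScreen shows.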
If you would like further information or want to raise any concerns, please contact us or write to us at firstname.lastname@example.org.