We are a software development company producing commercial software using Microsoft ClickOnce deployment. We have a Level 2 Code Signing certificate we purchased from GoDaddy and sign the manifests with it. We release new versions of our software regularly.
Problem:
Norton's SONAR quarantines our executable every time we release an updated version for our customers. This causes headaches for our customers and lost time and money for us. We do not have time to submit a whitelist request and wait weeks to hear back from Symantec that our new version has been whitelisted before releasing updates for waiting customers.
Question:
We need to know whether, if we purchase a Level 3 Code Signing certificate from Verisign and use that to sign our ClickOnce application, SONAR will begin trusting our application. Or will it continue to quarantine our software until it is community whitelisted?
We don't want to waste $400 on a new certificate if it's not going to do us any good. We want an iron-clad answer from Norton on this.
Sorry, I don't know the answer to your question, but I will try and find out the answer for you. Since it is the weekend still, it may take a few days to get an answer. Thanks.
Please look at the responses by Symantec employee Barrett. If you look at his 2nd link, it mentions VeriSign. That post was written before Symantec bought VeriSign.
I am also waiting to hear from Symantec through other means to make sure that this is the right answer before we tell you to spend the $400.00.
Hi floplot, thanks for your help on this and the good information. I hope you are able to get us the verification that this is the way to completely prevent the quarantining of our exe without having to pre-whitelist.
I got this response from one of the Symantec employees.
The best advice to give to the poster is to sign installers and binaries, to use a cert from a trustworthy cert authority, to publish installer downloads on a website that belongs to the same vendor, and to participate in the vendor whitelist program.
I am not sure if this is the response that you were looking for as far as having a guarantee.
I appreciate you working on getting a response for us. Yeah, their response doesn't really do the trick.
If I break it down like this:
1) Sign installers and binaries - Yes, we do this.
2) Use a cert from a trustworthy cert authority - We do this using a Level 2 Code Signing cert from GoDaddy.
3) Publish installer downloads on a website that belongs to the same vendor - We do this as well.
So, we do 1, 2, 3 as suggested, but every new update we send to our customers causes a flurry of issues due to SONAR quarantining the exe.
4) Participate in the vendor whitelist program - The last part is a real issue for us because we can't wait 3 weeks for our updated versions to get whitelisted.
floplot, do you happen to know, or can you find out, how many users it takes for an exe to become community whitelisted?
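Points 1 and 2 of the checklist above can be confirmed on the build output before each release. The PowerShell below is an added example for that purpose and is not from the thread or from any of its participants; it uses the standard Get-AuthenticodeSignature cmdlet, and the publish directory path is an assumption to replace with your own. Run it against the build output (exe/dll files before ClickOnce renames them to .deploy) so that an unsigned, wrongly signed, or un-timestamped file is caught before it reaches customers.

```powershell
# Added example, not from the original thread.
# Assumed path: point this at your own build output directory.
$buildOutput = 'C:\build\MyApp\bin\Release'

function Test-DeploymentSignatures {
    param([Parameter(Mandatory)][string]$Path)

    # ClickOnce .application/.manifest files are XML-signed by mage/MSBuild and are not
    # checked here; Get-AuthenticodeSignature covers the PE files (exe/dll) SONAR scans.
    Get-ChildItem -Path $Path -Recurse -Include *.exe, *.dll | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File        = $_.Name
            Status      = $sig.Status            # Valid, NotSigned, HashMismatch, UnknownError, ...
            Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
            Issuer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Issuer } else { '' }
            # A timestamp lets the signature stay valid after the signing cert expires.
            Timestamped = [bool]$sig.TimeStamperCertificate
        }
    }
}

$results = Test-DeploymentSignatures -Path $buildOutput
$results | Format-Table -AutoSize

# Release gate: fail if any file is unsigned, has a broken signature, or lacks a timestamp.
$bad = $results | Where-Object { $_.Status -ne 'Valid' -or -not $_.Timestamped }
if ($bad) {
    Write-Warning 'Files that are unsigned, invalid, or not timestamped:'
    $bad | Format-Table -AutoSize
    exit 1
}
Write-Host 'All binaries carry a valid, timestamped Authenticode signature.'
```

The Issuer column is the quick way to see which CA chain a file actually carries (for example, when comparing the GoDaddy-signed build with one signed under a new certificate), and the exit code makes the check usable as a step in the build pipeline.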
We work with many ISV's to help our mutual users have a good software experience.
We cannot make any guarantees as to how we will treat signed files, but consider that class 3 certificates have more stringent owner verification requirements, and class 3 issuers have their own reputation on the line.
Are you aware that Microsoft is running a $99 certificate promotion?
As for the ISV program, please join and get the process started. Once a trust relationship has been established with your company, it is possible to avoid FPs against new instances of your files.
As I am sure you can appreciate, the details of what, how, and when apps are trusted are proprietary information.