Getting around Chrome's Malicious File Warning

user1242165 picture user1242165 · Mar 1, 2012 · Viewed 66.1k times · Source

I created an application which comprises a number of *.exe files. I've packaged these up into an NSIS installer which I hosted on my website. When I try to download it Chrome reports it as potentially malicious. At first I thought it could be the URL/site I was hosting on not being recognized so I signed up for Amazon S3 storage and moved the file there. Same problem. I then thought that packing the executables might cause this, so I tried without.
Same issue.
After some more reading I decided to try signing the executables as well as the installer package EXE.

I created a dev cert as follows:

makecert
pvk2pfx 
signtool"http://timestamp.verisign.com/scripts/timstamp.dll" *.exe

Still malicious... I check the exe's even after download and confirmed they have a digital signature tab, granted it's not a fully verified commercial certificate but I can't believe the only way around Chromes half-baked code analysis is to spend $200 a year to have a verisign etc. code signing cert issued?

Any ideas how I can change what I'm doing to avoid this nasty message?

Answer

Jeff G picture Jeff G · Mar 15, 2012

I had exactly this problem with an exe file that is downloadable from my web site. Whenever I tried to download the file using Chrome it gave the warning.

The solution I found was to sign up to Google Webmaster Tools and add my site. It took several days for Google to crawl my site, and fill in any information, but I went back today and finally found loads of information there.

Now I can download my file, and there is no malicious warning any more.

It seems that once Google has checked out your site and determined that you are not a bad person, the problem goes away.