SmartScreen is part of Windows Defender. It is a reputation based filter from Microsoft that Windows and many modern browsers use. You can get the details here if you want to read about the justification for it, or how it can supposedly help. In the end it prevents 'unknown' programs from running without a prompt to the user first. That's kind of a good thing, unless you're releasing a new version of your software and signing with a brand new certificate. Right? Well...
While an EV Code Signing Certificate does get you instant reputation with SmartScreen, it is relatively easy to gain reputation using a standard certificate too. You need a computer, Internet Explorer or Edge and a bit of time.
Use IE or Edge and download the untrusted file multiple times and when the SmartScreen warning comes up click “More” or “More Info” and “Run Anyway”. Do that about multiple times and the the messages will go away relatively quickly. How quickly, you ask, with how many downloads? No one can tell you for sure as Microsoft has kept how SmartScreen works a closely guarded secret. From contact with hundreds of customers and experience with K Software's own products we can tell you what we have seen directly and indirectly (from others). Here are a few additional tips :
- Make sure you are downloading your signed file! I know this sounds strange but it's an easy mistake to upload the wrong file to your web server. To verify the file is signed you'll want to download it from the link you made public, then right-click the file and choose Properties, click the Digital Signatures tab and make sure there is at least one signature listed.
- Host on your own domain if at all possible. We've had many reports of links in to DropBox and AWS take much longer to gain reputation, which leads us to believe that Microsoft is taking the reputation of the web site hosting the file in to account as well.
- Check your site and file with VirusTotal.com - it's free and scans your file and site with over 60 different antivirus software applications. Use it to spot false positives quickly!
- Be sure you use IE or Edge if you're downloading your own file. While there is good evidence that Chrome reports back to the SmartScreen reputation system too, we know Microsoft browsers like IE and Edge do for sure.
- Remember that EV certificates are an alternative and completely remove all of this hassle. They are more expensive and a bit less flexible since they're delivered on a hardware token but they do guarantee instant SmartScreen reputation.
Though it hasn't been confirmed, submitting your file(s) to the Microsoft malware analysis team for white-listing certainly can't hurt - https://www.microsoft.com/en-us/wdsi/filesubmission.
Additional links :
** There is also a bug in certain versions of Windows 10 (1709) that will cause SmartScreen to not properly display the publisher of a properly signed file. As of this writing we cannot confirm if or when a patch will be issued. You can read more about that at this link on MSDN.