Download warnings

You still need to do something about that usoft warning about downloading Vassal. I’m happy with the 2 step process to keep it as a download, but is everyone else? Also, is this strictly a windoze issue?

There is a related woe for MacOS users who try and actually run VASSAL, but the Microsoft “security” regime that warns upon download is more aggressive. It’s weighing up the choice between paying several hundreds of dollars per year for what is tantamount to a digital receipt that you paid someone for a mark of trust (not actual inspection of your app and its code, mind you) vs. providing users a couple quick steps to get around the faux warnings. I’m satisfied with them saving the money.

EDIT: I have collected some fresh screenshots of what Windows users can see when downloading a newly-released installer with Edge and Chrome, and have submitted edits to the Troubleshooting page with guidance.

Let’s not have this discussion on the News item announcing the release of 3.7.0.

What warning, specifically?

Just try doing a download with a windoze PC.

As you’re reporting a problem that you’re seeing, we need to know what you’re seeing. I could try it myself, but there’s no guarantee I would be seeing the same thing as you are.

If you’d like us to pursue this, show us what you’re seeing. Sreenshots are best for this.

Cannot now. As I’ve already accepted the Vassal download and decided to ‘keep it’, downloading again does nothing Just appends a (1) to the download. Try with another windoze user who has yet to download 3.7.

What Paladon is seeing is probably this.
I just down loaded 3.7.0.


I don’t think it’s a big deal but some do get freaked out when they see these kind of warnings.

What would be an effective solution for each of these?

For #1, I just hit the 3dots. It brings me to number 2.
#2, I hit Keep. Then it goes to number 3.
#3, I hit keep anyways.
#4, I select run anyways.
#5, Select Run Program.

Bit of a pain but it works.
I don’t know if there is any simpler ways or if there is anything you can do from your end.

That works around them, but that’s not what I was asking. What would we need to do for these dialogs not to appear at all?

The options are:

  • Submit applications/code to MSFT (involves waiting)
  • Buy an Extended Validation cert for many hundreds of USD per year (presumably can’t do if not a registered business)
  • Buy a standard code signing cert for some hundreds of USD per year (involves waiting for reputation to build)
  • Wait for more downloads, after some unknown number occur users will stop seeing the warning

Going through the options:

I looked at this one and was faced with the following question:
I haven’t used a Microsoft security product to scan the file, and “None” isn’t on the list. “Microsoft Defender Smartscreen” is on the list. I might try it to see what happens.

With this one, the name shown would be a person, not an organization. Presumably that person would be me or Brent. If “Joel Uckelman” showed up as Publisher in the Defender dialog, how much better would that be than “Unknown”? My guess is that the vast majority of users don’t know our names off the tops of their heads, so this falls down on the “make it clearer to the user that they’ve downloaded what they expected to” hurdle.

A necessary condition for getting an EV code signing certificate is having a legal entity to be the certificate owner. I’ve had it in the back of my mind to look into setting up a legal entity for the project for a few years now anyway. (E.g., being a US 501(c) nonprofit organization would potentially make sense, as the bulk of our donations come from the US.) This isn’t trivial to undertake; it’s hard to justify doing it solely to have an entity to own a code signing certificate.

We’re already doing this one, by default. We do know how many downloads we’ve had. It would be interesting to know what the threshold is, but we’re unlikely to get reports from people who don’t see these dialogs about not seeing them.

More from Microsoft’s malware analysis submission form:

“Detection name” is a mandatory field, with which I have nothing to fill it.

Probably better to just stick with the ‘work around’, it works, albeit in a round about way.

Email from bitdefender:

Thank you for your patience and I hope my email finds you well.

Our Malware Research team has finished analyzing your case.

The URL is clean and has been unblocked.

Should there be anything else I can assist you with, please let me know.

Have a great day!

As for suggestions re changing my OS, you are quite welcome to use whatever YOU like. Me I like win doze. Do not preach your preferences to me.

Also, if Win doze ask you to send a report to usoft, do that.