Windows Defender Flags 4.4.0 Download

I just downloaded Krita 4.4.0. Windows Defender blocked it. This is very unusual. I cannot remember it ever happening with anything I have downloaded, in fact. I just installed updates for two other art programs, and there was no problem.

I trust Defender and am not going to override it. This post is mostly to let you know this is happening. It is very likely there is a problem with the download.

1 Like

This is in bright red on the release page, just above the download links:

NOTE for Windows Users: Microsoft has changed the way applications signed with certificates are handled. Only Digicert certificates are automatically trusted, other certificates will only be trusted if enough people bypass smartscreen to run the signed application. Our builds are absolutely safe, so you can safely do that. If you see the “Windows protected your PC” screen, press “More Info”, then select “Run anyway”.

1 Like

KDE certificates changed recently, so the ones that Krita uses for 4.4.0 are new and that’s probably why our previous builds were fine for Windows Defender.

If you’re afraid of the download, the VirusTotal website allows you to submit a link (so you don’t have to download and upload there) to check. I’ve submitted the URL just now and it seems like no antivirus gets triggered: https://www.virustotal.com/gui/url/7054ff7eb030c17d8382b7f58781c4c08ce127d3952a075aa8c7c3a899df095e/detection

1 Like
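The replies above separate two things: whether the installer's signature is valid, and whether SmartScreen has built up reputation for it. As an added example (not from any poster or from the Krita/KDE project), this PowerShell function reports what can be checked locally on a downloaded file: Authenticode status, signer and issuer, SHA-256, and the Mark of the Web. The function name, the file path and the expected hash are placeholders.

```powershell
# Added example: inspect a downloaded installer before deciding on the SmartScreen prompt.
# Test-DownloadedInstaller is a hypothetical helper; $Path and $ExpectedSha256 are caller-supplied.
function Test-DownloadedInstaller {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Optional: a SHA-256 published by the project, if it publishes one.
        [string] $ExpectedSha256
    )

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop
    $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName
    $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash

    # Mark of the Web: the Zone.Identifier alternate data stream added by the browser.
    $motw   = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $zoneId = $null
    foreach ($line in $motw) {
        if ($line -match '^ZoneId=(\d+)') { $zoneId = [int]$Matches[1] }
    }

    [pscustomobject]@{
        File            = $file.Name
        # 'Valid' = file unmodified since signing and the chain ends in a trusted root.
        # It says nothing about SmartScreen reputation, which is tracked separately.
        SignatureStatus = $sig.Status
        Signer          = $sig.SignerCertificate.Subject
        Issuer          = $sig.SignerCertificate.Issuer
        Thumbprint      = $sig.SignerCertificate.Thumbprint
        Timestamped     = [bool]$sig.TimeStamperCertificate
        Sha256          = $hash
        HashMatches     = if ($ExpectedSha256) { $hash -eq $ExpectedSha256.Trim() } else { $null }
        ZoneId          = $zoneId   # 3 = Internet zone; $null = no Mark of the Web
    }
}

# Usage (placeholder path):
# Test-DownloadedInstaller -Path 'C:\Users\me\Downloads\<installer>.exe' | Format-List
```

A `SignatureStatus` other than `Valid`, or a signer that is not the publisher you expect, is a reason to stop regardless of what SmartScreen shows.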

Thanks for the replies. You seem to be aware of the problem.

I did not see the message on the release page. (I don’t usually look at parts of a page that are out of sight if I think I know what I am doing.)

I’ll wait until it gets fixed before I update.

The only way “it gets fixed” is by having enough people download Krita, install it and bypass the SmartScreen warning. In other words, if you wait, you help the problem persist. If you install Krita and bypass Windows SmartScreen, you help fix the problem.

Well, I understand the concern.

(The only thing I don’t understand here is why Windows would use such a strategy. It makes no sense to me… Antiviruses usually scan the executable to find out if the program does something suspicious, but just “well, it was signed but I haven’t seen this signature enough times yet so let’s block it” is really weird. How would a program be whitelisted if it always shows a scary message when you try to install it?!)

It’s fine if you choose to not update because of that. Let’s hope it will be resolved soon.

This is not helpful.

Because in the first place, as I said, this “will not be resolved soon” if people don’t tell Microsoft en masse that they trust these packages.

And in the second place by showing that “understanding” you’re suggesting that it’s okay to think there’s something wrong when there is nothing wrong.

I can understand.
But I think you don’t really know what you’re really trusting…

SmartScreen is just a warning to inform you that you’re about to execute software that is not really known by Microsoft,
even if the software is signed with a valid certificate.

This is not a message to tell you that the software is bloated or contains viruses…

So, how can software get past this warning?

  1. As @boud said, the more people trust the installation, the more it will be recognized as known software, and then the warning will disappear if enough users trust it
  2. Just pay Microsoft to bypass this warning

So, when you trust Defender:

  1. You trust other people (you don’t know them any more than the software developer, but OK)
  2. You trust a developer that is able to pay around $660/year to not show you a warning

So finally, as @tiar said, it’s OK if you choose not to update. It doesn’t help Krita and the developer who spent time on it, but that’s your choice :slight_smile:
But just be aware of how the thing you’re trusting really works.

On my side, I prefer to see this $664 used by developers to improve Krita rather than see it used to pay for a certificate to not show a useless warning…

And here is some reading, if you’re interested in the subject:




Grum999

@Grum999. Thanks for the informative reply. You are correct, I did not understand the situation, and I understand it better now.

The reason I did not understand the situation is that this Defender popup had not ever happened to me before, even though I download a lot of software, much of it free. This would include both major and minor previous version upgrades to Krita.

It remains that Krita is the only application causing this response for me. It would seem others pay for a better certificate. I do see in the StackOverflow article that it was “$410 vs $289” according to the response (dated Feb 2018). I have not investigated further what it might cost now. This is not necessarily a scam or ripoff. They allegedly do extra checking in return for the higher fee. It is better for the users. And it doesn’t seem as if you are necessarily paying Microsoft. I am not overly enthusiastic about paying Microsoft much of anything myself.

The bottom line is that it is a bad user experience to have this popup appear. Yes, you can choose to put the burden on the user. It is your choice. There is another solution in spite of what @boud said, and it appears to be what most of the rest of the world has chosen.

I come from an organization, a National Laboratory in the US, where you automatically get fired if something like that happens. The US DOE, which runs these laboratories, has been known to shut down the whole laboratory as punishment. It is above my pay grade to determine if this is appropriate, but it does get your attention. I have seen the computers of a whole division be unreachable for a week after being hacked owing to a careless (but not completely stupid) action by a single employee.

So I come from a different perspective than most of you. At this point I consider the probability of problems resulting from installing the new Krita to be low. However, the consequences of a possible virus are very large. Low probability but high consequences is not necessarily a good bet. Not installing it is safe.

Something has changed, perhaps owing to a Windows update. If I start seeing this popup more often, I will reconsider.

I’m not an expert, but as explained in Krita’s 4.4.0 release, only Digicert certificates are automatically trusted (looking at the Digicert website, it’s $664/year to have a valid certificate).

I think that applies to all new binaries; old ones, already trusted for a long time, might not lose their trust. But any new binaries, built with an old certificate, are affected.
This needs to be confirmed, but I think that’s what happened to Krita.

This might be because you’re downloading a fresh Krita binary.
Downloading software built 6 months ago may not generate a warning, I think.

That’s a point of view.

It’s the same for me at the company I work for. But on my side, it’s impossible to download and install anything on the computer.
I can’t plug in a USB key, nor access the krita-artist.org website, nor change the desktop wallpaper…
And the antivirus is scanning everything you’re doing on your computer.
So, I never saw this window :sweat_smile:

In this case, stop downloading files, stop going on the internet, and shut down your computer; that’s totally safe :slight_smile:

More seriously, if you’ve already installed a previous version of Krita, this means you’ve already trusted them.

If the Krita build you’ve downloaded contained any viruses, your antivirus (MS Defender) would have told you that the downloaded executable was contaminated and put it in quarantine before you tried to execute it.
If the Krita build you’ve downloaded contained any viruses, you can be sure that the consequences would be much greater for krita.org than for you, so Krita’s team might be much more attentive to this than you.

Anyway, choice is on your side :wink:

Grum999

There is also another choice: apparently portable builds don’t trigger this warning. The same code, since it’s not being installed, I guess it might look a bit safer for Windows :slight_smile:

I’m closing this topic, because it doesn’t seem like a productive discussion, and our certificate is handled by the whole KDE project, so the people making decisions about it are not here.