Liner Notes
The FATpick Blog

Installing FATpick on Windows is simple. Just download the set-up program and run it.

But some users may encounter a strongly-worded message of one form or another that warns the app is "potentially harmful".

This post explains why that happens, and walks through the messages you might encounter, step by step.


Why this article exists

FATpick moves fast. We've released an update a little more often than once every 2 weeks, on average, for more than 18 months running.

We keep this pace for a reason. Several reasons actually, but one stands above the rest: Frequent releases help FATpick respond quickly, iteratively, sometimes even collaboratively, to users like you. Responding to user feedback - both direct and indirect - is necessary to achieve our goal of creating the world's greatest guitar practice tool. We couldn't do it without you. It's a critical part of our strategy.

We have discovered one unfortunate consequence of this release frequency, however, and it's related to Microsoft's aggressive efforts to protect end-users from malware.

Windows 10 and other Microsoft products include a federation of policies, software and services - including Windows Defender, SmartScreen, URL blacklists and Code Signing Certificates - to protect users from computer viruses, phishing attacks, ransomware, and other forms of malware. Protecting end-users from dangerous software is absolutely the right stance to take. And this formidable collection is probably appropriate given the valuable target and wide "attack surface" represented by a product with the scope and scale of Microsoft Windows. But some argue that the overall policy is over-protective - or even hurting independent software developers. At the very least it's clear that Microsoft prefers false positives (flagging safe software as "potentially harmful") to false negatives (allowing unsafe software through), and is a bit heavy-handed in the way these warnings are presented to the end-user.

The concept of "reputation" plays an important role in Microsoft's implementation of this strategy. That is, Microsoft relies on "social proof" - the number of people visiting a web site or downloading an application - to establish trust in an application or publisher. Programs and websites that haven't been seen often enough are flagged as "potentially harmful", by default.

This creates some challenges for independent software developers, which the Wikipedia article on Microsoft SmartScreen summarizes this way:

Another criticism is that SmartScreen makes non-commercial/small end software development unaffordable. Developers either have to purchase standard code signing certificates or more expensive extended validation certificates. Extended validation certificates allow the developer to immediately establish reputation with SmartScreen but are often unaffordable for people developing software either for free or not for immediate profit. The standard code signing certificates however pose a "catch-22" for developers, since SmartScreen warnings make people reluctant to download software, as a consequence to get downloads requires first passing SmartScreen, passing SmartScreen requires getting reputation and getting reputation is dependent on downloads.

But the most salient concern for our purposes is this one:

SmartScreen Filter creates a problem for small software vendors when they distribute an updated version of installation or binary files over the internet. Whenever an updated version is released, SmartScreen responds by stating that the file is not commonly downloaded and can therefore install harmful files on your system.

That is, since each release modifies the installer and application code, each version is treated as brand new. (Well, sorta. There's some nuance to it.) Our release cadence makes it harder - especially for a company of our size - to establish the "reputation" that SmartScreen and Microsoft Edge demand.

This is not a long-term concern for our team. (And frankly we don't find it to be a major deterrent for users anyway, although it's not without impact.) Each release is cryptographically signed with the appropriate certificates that both ensure the integrity of the application and identify FATpick as the publisher. We even provide additional ways to verify the authenticity of our software. Microsoft Defender and other anti-virus and anti-malware scans identify the application as safe. We're doing everything right, and the Microsoft team assures us that even with our aggressive release schedule SmartScreen will organically learn to "trust" FATpick as an application, as a website and as a publisher over time. But in the meantime some users may encounter some strongly-worded warnings when they first download and install FATpick. To help you feel more at ease we'll walk you through what to expect below.

End-to-End Installation Process

To keep it simple, we'll cover all of the warnings you are likely to encounter when installing FATpick on Windows 10. But depending on the tools you are using and the security policies you or your computer administrator have configured, you may see some, all or none of the following screens during the installation process. We'll also include screenshots of virtually every step of the process. You can scan down the page, find the challenge you've been presented with and start reading there.

Download the Installer

To download FATpick for Windows, go to FATpick.com/downloads and click the "Download for Windows" button. This will download the FATpick set-up program (installer), triggering your browser's familiar file-download process.

"Not Commonly Downloaded" Warning

This is where you might encounter your first challenge. If you are using the Microsoft Edge browser, once the download is complete you may find a warning in the lower-left corner of the browser window that reads "FATpick-win-latest.exe was blocked because it could harm your device."

MS Edge Download Blocked Warning

Ignore the big Delete button and click on the ellipsis (...) instead. This will open a pop-up or context menu, with three options: "Keep", "Report this file as safe" and "Learn more". Feel free to report the file as safe if you want - you'd probably be doing us a favor - but we won't cover that process in detail here.

Tell MS Edge to keep the file

Select the "Keep" option. Since the file in this case is an executable program, this will open a dialog box with a similar warning: "This app might harm your device."

This dialog identifies the publisher that has signed the application, in our case "FATPICK LLC".

Might Harm Your Device Warning

Click the "Show more" button to expand three options: "Keep anyway", "Report this app as safe" and "Learn more".

Tell SmartScreen to keep the app

Again, feel free to report the app as safe, but ultimately you will want to click on the "Keep anyway" link.

This will (finally) download the file in the manner that you are used to.

Open the Installer

From the Microsoft Edge browser's download status page you'll see that FATpick-win-latest.exe has been fully downloaded.

Show in folder

Click "Show in folder" to view the program in the File Explorer. You'll see a big, red pick icon that represents the FATpick installer.

Installer icon in File Explorer

If you hover over the icon briefly a "tooltip" will pop up with more information about the file and its publisher. You can confirm that the app was created by FATpick LLC and see some other details about the file. You can also right-click to see additional details. When you are satisfied, double-click the icon to launch the installer.
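
The same publisher check can be done from PowerShell before launching the file. This is an added example, not part of the original post or FATpick's own tooling; the Downloads path is an assumption, as is the premise that the publisher name shown in the dialogs is the certificate's common name.

```powershell
# Added example. Assumption: the installer was saved to the Downloads folder.
$installer = Join-Path $env:USERPROFILE 'Downloads\FATpick-win-latest.exe'

function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Publisher
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        Write-Warning "File not found: $Path"
        return $false
    }

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # 'Valid' means the file's hash matches the signed hash and the certificate
    # chains to a trusted root. NotSigned, HashMismatch, NotTrusted etc. stop here.
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature status '$($sig.Status)': $($sig.StatusMessage)"
        return $false
    }

    # Compare the certificate's common name as a whole string, not as a substring,
    # so a look-alike such as "NOT FATPICK LLC" is rejected. -ne ignores case.
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $signer = $sig.SignerCertificate.GetNameInfo($nameType, $false)
    if ($signer -ne $Publisher) {
        Write-Warning "Signed by '$signer', expected '$Publisher'"
        return $false
    }

    # A timestamp countersignature keeps the signature valid after the signing
    # certificate expires; its absence is reported but does not fail the check.
    if (-not $sig.TimeStamperCertificate) {
        Write-Warning 'Signature has no timestamp countersignature'
    }

    Write-Host "OK: signed by '$signer' (certificate thumbprint $($sig.SignerCertificate.Thumbprint))"
    return $true
}

# Publisher name as displayed in the SmartScreen dialogs described in this post.
if (Test-InstallerSignature -Path $installer -Publisher 'FATPICK LLC') {
    Write-Host 'Signature and publisher verified; the installer can be launched.'
} else {
    Write-Host 'Verification failed; do not run this file.'
}
```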

"Windows Protected your PC" Warning

This is where you might encounter another challenge. When you launch the installer you may see a SmartScreen warning message that reads "Windows protected your PC".

Windows Protected your PC Warning

To bypass the warning and tell SmartScreen that you trust the application you must click the "More Info" link text.

This will expand to reveal (once again) the publisher of the application (FATPICK LLC), and expose a new button at the bottom that reads "Run anyway".

Click Run anyway

Click the "Run anyway" button to tell your computer that you truly, honestly want to run the app. In this case the application is an installer program that will set up FATpick on your computer.

Complete the Installation

FATpick Setup is a simple program that will install FATpick on your computer. It's a "one-click" installer. There are no choices to make. Just wait a few seconds for the installation process to complete.

FATpick Setup.exe

Once installation is complete the FATpick app will launch automatically and you're ready to go.

Note that once the actual FATpick app has been installed you can delete the "FATpick-win-latest.exe" installation program. You don't need it anymore. The next time you want to open FATpick you can use the Start Menu or the desktop shortcut.

Upgrades are Automatic

Now that you've installed FATpick you don't need to worry about the update process or even keeping track of new releases.

When you run FATpick the application will check for updates and quietly install them in the background when they are available. The next time you open the app you'll be running the new version, automatically.

Sample MS Security Analysis Response

Should you choose to use the "Report this App as Safe" action in response to the SmartScreen/Windows Defender challenge, you can submit the installer (fatpick-win-latest.exe) to be scanned by their cloud-based anti-virus software and reviewed by the Microsoft security team.

There's a short form to fill out, and the scanning takes a while, but at the end of the process you will receive a report that confirms that neither Windows Defender Antivirus nor the MS security analyst considers the software to be a threat to your computer.

For example, here's a screenshot of the response we received when submitting the file for review:

We've confirmed that the submitted files are clean.

The text reads, in part:

We've confirmed that the submitted files are clean. Windows Defender Antivirus doesn't report them as malware.

[...]

The message you observed is a notification from Windows Defender SmartScreen indicating that the application does not have known reputation in our system. [...] This doesn't mean that the application is malicious, only that it is unknown.

But you don't have to take our word for it. If you are at all concerned about the integrity or safety of the FATpick installer or the FATpick application itself we encourage you to submit the file for analysis directly and see the response for yourself.

As before, this is a problem that will eventually resolve itself, but due to our high-frequency release cadence and your early-adopter status it is possible you will encounter this sort of warning.

Feel free to contact the FATpick support team if you have any questions about this or any other aspect of the application.

FATpick