Dear Avast,
I am a developer of award-winning music software, which I distribute on a not-for-profit basis. Recently, I learnt that my program, reViSiT, originally a plugin (.dll) but also now available as a standalone program (.exe), is automatically sandboxed by your AV software - the reason given is "The file prevalence/reputation is low." In other words, it is not popular enough to be allowed to run. This is unacceptable.
Searching your forums, two workarounds have been proposed, each with issues for developers:
1) The user manually allows the program to run. The default "Auto" AutoSandbox mode means that the program is terminated as, or even before, the user clicks the "Continue" button. Worse still, the user is able to interact with the program for 10-15 seconds before it is abruptly terminated. The "Ask" mode is not much better - intervening to tell the user that the program is "suspicious" and "potentially harmful", even before it has run. In either case, the user not only gets the impression that the software is malware, but must jump through hoops simply to run it - not to mention users who might attribute the termination to a fault of the software, rather than to Avast.
Presumably, once the software becomes more popular, the reputation goes up. But perhaps you've forgotten what it's like for a small developer to introduce a new product: how important that first impression is; how the first few seconds and minutes of interaction will determine whether users stay interested or not. I have spent hours and hours refining the installation process to be as seamless as possible, only to have your software make that absolutely worthless.
Bottom line: Many users will abandon the software, rather than risk "malware"; or be otherwise disinclined to manually authorise it. The very presence of AutoSandbox makes it harder for programs to build a reputation.
2) The developer signs their executable with a code signing certificate. On the face of it, this seems quite reasonable - and I'm more than happy to sign my name on my program. I'm very proud of it. I want people to know who made it. I even want people to know who to turn to when they have problems.
But, of course, it's not that simple. Someone else has to sign that certificate. A Certificate Authority, specifically one trusted by services like Avast. This costs money, potentially a lot. Here's some examples:
Thawte - $299/year.
Verisign - $499/year.
Comodo - $199/year.
Supposedly, there are a couple of more affordable routes (but not really):
* Intel's AppUp programme generously offers a "free" Comodo certificate - but good luck getting past Comodo's validation process and abysmal customer service if you're not a (paying?) business customer. As an individual, I repeatedly receive requests from Comodo for validation documents I do not have (and keep telling them I don't have).
* CACert offers certificates signed by other (already trusted) developers. However, many browsers (e.g. Chrome), systems (e.g. Windows) and services do not themselves trust CACert certificates (as Chrome ironically warns you when you try to log into the secure part of the CACert website).
* StartSSL is a young firm that only charges for the verification process, not the certificates, and will verify your identity for only $59.90. However, while this enables you to sign your executable, you can't timestamp it, which means that when your certificate expires, any program signed with it (even if released while the certificate was valid) is no longer certified. And if you then renew your certificate, you'll need to re-sign, re-release and redistribute old versions of your software for users to carry on using it. To enable time-stamping on StartSSL certificates, you need to pay for Extended Validation (an EXTRA $140 = $199 total). They're probably still cheaper than their competitors, and the customer service also appears better, but it's still an expense many developers can't afford.
Bottom line: Developers must pay to lift the Avast embargo on their software. Is it not enough that developers spend hours (years, in this case) developing software only to give it away? I now have to pay to permit others to use it?
---
Unless there's a solution I've missed, your AutoSandbox feature will kill small, independent developers. All newly-released unsigned (yet legitimate) software will appear as malware. This is a False Positive of epic proportions. I urge you to reconsider this feature, the language it uses, have it default to disabled, and instead adopt an "innocent until proven malware" approach.
I look forward to Avast's reply, but I would also urge all developers (and affected users) to post here with your own experiences, comments and opinions.
Yours faithfully,
Chris Nash
Developer
http://revisit.info
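As an added example (not part of the letter above, and not reViSiT's own build process), the PowerShell below shows the signing step from point 2): Authenticode-signing a Windows executable with a timestamp, so that the signature remains valid after the certificate expires, then verifying that a timestamp countersignature is actually present. The file name, the certificate store location and the timestamp server URL are placeholders assumed for the example; substitute the timestamp URL your CA publishes.

```powershell
# Added example, not from the original post. Signs a Windows executable
# with Authenticode and a timestamp, then verifies the result.
# Assumptions (placeholders): the code-signing certificate is installed in
# CurrentUser\My, the file is .\reViSiT.exe, and $TsaUrl is the timestamp
# server your CA operates.
param(
    [string]$FilePath = ".\reViSiT.exe",
    [string]$TsaUrl   = "http://timestamp.example.com"   # placeholder TSA URL
)

# Pick an unexpired code-signing certificate from the user's personal store.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.NotAfter -gt (Get-Date) } |
        Select-Object -First 1
if (-not $cert) { throw "No unexpired code-signing certificate found." }

# Sign with SHA-256. Without -TimestampServer the signature is trusted only
# while the certificate is valid; with a timestamp, Windows can prove the
# file was signed inside the validity window and keeps trusting it afterwards.
$sig = Set-AuthenticodeSignature -FilePath $FilePath -Certificate $cert `
           -HashAlgorithm SHA256 -TimestampServer $TsaUrl
if ($sig.Status -ne 'Valid') { throw "Signing failed: $($sig.StatusMessage)" }

# Verify the signature and check that a timestamp countersignature exists.
$check = Get-AuthenticodeSignature -FilePath $FilePath
"Status:      $($check.Status)"
"Signer:      $($check.SignerCertificate.Subject)"
"Timestamped: $($null -ne $check.TimeStamperCertificate)"
if ($null -eq $check.TimeStamperCertificate) {
    Write-Warning "No timestamp: this signature will stop validating when the certificate expires."
}
```

The check at the end is the one worth keeping in a release script: a signature that reports Valid today but has no TimeStamperCertificate is exactly the case the letter describes, where every shipped build has to be re-signed and redistributed once the certificate lapses. Where the Windows SDK is available, signtool.exe with /tr and /td SHA256 produces an RFC 3161 timestamp and can be verified with signtool verify /pa /v.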