windows iis certificate smartscreen

Setup.exe file download triggers Windows SmartScreen


I have created a Setup.exe file that is generated from a Visual Studio setup project. I have a code signing certificate that my company purchased from Digicert, and that we have used for other products, so it should be good. I have set a post-build event to sign my application, and I use signtool.exe to sign the resulting .msi and setup.exe, so everything should be successfully signed. If I run any kind of signing verification, or look at the file properties, it shows my digital certificate.

If I host this Setup.exe file in IIS (8.5), allow directory browsing, and set up my MIME type to allow the file to be downloaded, I am able to download this Setup.exe file to my computer from a browser. If I run it, then I get a Windows SmartScreen filter saying it is an unrecognized app. Under that it says that the publisher is Unknown. If this same setup.exe file is not downloaded via IIS, and, say, for example, was copied from one computer to another and executed, there is no Windows SmartScreen filter. So it seems that this issue is being caused by the download from IIS. Is there a way to get around this issue?


Solution

  • I discovered what the issue was. According to this article: http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx

    It explains that starting on 1/1/2016 MS will no longer trust new code signed with SHA-1 code signing certificates, which is what I was using. I switched to a new cert and the problem was resolved.
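
A way to check a file for the condition described in the solution, as an added example that is not part of the original question or answer: it reports the signer certificate's signature algorithm and whether the file carries the `Zone.Identifier` stream that browsers attach to downloads (the reason a downloaded copy and a copied file are treated differently). The default path `.\Setup.exe`, the function name `Get-SignatureReport` and the output property names are assumptions made for the example.

```powershell
# Added example: report Authenticode signer details and download marking for one file.
param(
    [string]$Path = '.\Setup.exe'   # assumed location of the installer under test
)

# OIDs of SHA-1 based certificate signature algorithms.
$Sha1SignatureOids = @(
    '1.2.840.113549.1.1.5',   # sha1WithRSAEncryption
    '1.2.840.10045.4.1',      # ecdsa-with-SHA1
    '1.2.840.10040.4.3'       # dsa-with-SHA1
)

function Get-SignatureReport {
    param([Parameter(Mandatory)][string]$Path)

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate

    # Files saved by a browser carry a Zone.Identifier alternate data stream
    # (Mark of the Web); files copied between machines normally do not.
    $zone   = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $zoneId = if (($zone -join "`n") -match 'ZoneId=(\d+)') { [int]$Matches[1] } else { $null }

    [pscustomobject]@{
        File             = (Resolve-Path -LiteralPath $Path).Path
        SignatureStatus  = $sig.Status
        Subject          = if ($cert) { $cert.Subject } else { $null }
        CertSignatureAlg = if ($cert) { $cert.SignatureAlgorithm.FriendlyName } else { $null }
        CertNotBefore    = if ($cert) { $cert.NotBefore } else { $null }
        IsSha1Cert       = [bool]($cert -and ($Sha1SignatureOids -contains $cert.SignatureAlgorithm.Value))
        Timestamped      = [bool]$sig.TimeStamperCertificate
        ZoneId           = $zoneId            # 3 = Internet zone
        DownloadedFromWeb = ($zoneId -ge 3)
    }
}

$report = Get-SignatureReport -Path $Path
$report | Format-List

if ($report.IsSha1Cert -and $report.DownloadedFromWeb) {
    Write-Warning 'Signer certificate uses a SHA-1 signature and the file is marked as downloaded.'
}
```

Run it once against the copy downloaded through IIS and once against a copy moved over a file share to compare the `ZoneId` values; `IsSha1Cert` reflects the signer certificate only, not the file digest algorithm chosen at signing time.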