SmartScreen becomes less of a pain when people start downloading the software more. In fact, if you don't have a lot of downloads, SmartScreen will block your executable even if you pay for the privilege of signing your executables! If you sign your executable + config files on the fly, you end up with SmartScreen warnings all over the shop!
A possible solution would be to distribute the client through something like the Windows Store on Windows, and a URL connection handler. The support-receiving website (or intranet support page) could work by opening a URL like remote-support://internal.domain.eu/listen from a web page and if that fails, link to the Windows Store and install directions instead. An unsigned, backup download of unsigned executables can be added to that download page if you so desire.
Theoretically, you could also set up some kind of DHT or TOR-like network where nodes can just find each other. You wouldn't want to send standard Bittorrent or TOR traffic without warning in corporate networks, of course, but the technology exists.
For businesses, the unsigned executable with config could just be distributed by the IT department with their own certificate or the necessary exemptions, and launch an autoconnect daemon, if necessary.
The _real_ challenge, I think, for building such a tool is that if it works well, scammers will use it and slander your product. Some might even patch out any warnings or alerts that you add to protect innocent people from scams. Scammers aren't intelligent enough to make their own RAT, but just one tech-savvy criminal could make loads of money with some slight modifications.
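The URL-handler idea above (a web page opening `remote-support://internal.domain.eu/listen`) has a consequence worth spelling out, and it ties in with the scam concern: once the scheme is registered, any web page, including a scammer's, can launch the client with a URL of its choosing. The handler therefore has to treat every part of that URL as untrusted and refuse anything outside its own policy. The following is an added example, not code from the post or from any real support client; the scheme name comes from the post, while the allowlisted host, port and action names are assumptions for the illustration.

```python
import sys
from urllib.parse import urlsplit

# Constructed policy for this example: the only scheme, hosts, port and
# actions the client will act on.  A real client would carry these in its
# (signed) config rather than hard-code them.
SCHEME = "remote-support"
ALLOWED_HOSTS = {"internal.domain.eu"}   # assumed allowlist
ALLOWED_PORTS = {443}                    # assumed
DEFAULT_PORT = 443                       # assumed
ALLOWED_ACTIONS = {"listen"}             # assumed


class RejectedUrl(ValueError):
    """Raised for any URL the client refuses to act on."""


def parse_support_url(url, allowed_hosts=ALLOWED_HOSTS):
    """Validate a remote-support:// URL handed to the client by the OS
    protocol handler and return the connection parameters.

    The browser launches the handler for any page that links to the scheme,
    so every component of the URL is treated as attacker-controlled.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        raise RejectedUrl("unparseable URL")
    if parts.scheme.lower() != SCHEME:
        raise RejectedUrl("wrong scheme: %r" % parts.scheme)
    # Userinfo makes 'internal.domain.eu@evil.example' look legitimate at a glance.
    if parts.username is not None or parts.password is not None:
        raise RejectedUrl("userinfo not allowed")
    host = parts.hostname  # urlsplit lower-cases this for us
    if not host or host not in allowed_hosts:
        raise RejectedUrl("host not in allowlist: %r" % host)
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        raise RejectedUrl("malformed port")
    if port is None:
        port = DEFAULT_PORT
    elif port not in ALLOWED_PORTS:
        raise RejectedUrl("port not allowed: %d" % port)
    action = parts.path.strip("/")
    if action not in ALLOWED_ACTIONS:
        raise RejectedUrl("unknown action: %r" % action)
    if parts.query or parts.fragment:
        raise RejectedUrl("query/fragment not allowed")
    return {"host": host, "port": port, "action": action}


def is_acceptable(url, allowed_hosts=ALLOWED_HOSTS):
    """Boolean form of parse_support_url for callers that only need a verdict."""
    try:
        parse_support_url(url, allowed_hosts)
    except RejectedUrl:
        return False
    return True


if __name__ == "__main__":
    # The OS passes the clicked URL as the first argument (for a Windows
    # handler, via the "%1" placeholder in the registered command line).
    if len(sys.argv) != 2:
        sys.exit("usage: support-client <remote-support-url>")
    try:
        params = parse_support_url(sys.argv[1])
    except RejectedUrl as exc:
        sys.exit("refusing to connect: %s" % exc)
    print("would connect to %(host)s:%(port)d and %(action)s" % params)
```

The point of the allowlist is that a scammer who links to `remote-support://their-host/listen` from a phishing page gets a refusal rather than a connection; for the business deployment described above, the IT department would put its own hostnames in that list when it distributes the config.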
> In fact, if you don't have a lot of downloads, SmartScreen will block your executable even if you pay for the privilege of signing your executables!
There's more nuance here which OP is alluding to. If you form a corporation and get an EV cert, you will not get a SmartScreen block, not even on your very first download. Immediate SmartScreen reputation is the point of getting an EV cert for this; Microsoft says this explicitly. If you get an OV cert (the only kind that an individual developer can get!), you will get blocked and will have to build reputation.
As an individual open source developer, I have an OV signing cert :( At least it shows my name on the SmartScreen prompt.