
Unsigned build: Windows Defender may quarantine replacement .exe during Velopack auto-update (Win 10/11) #31

@Computer-Tsu

Description


Problem

When Velopack applies an update, it downloads the new build as a .nupkg (ZIP archive), extracts the updated .exe, and writes it to disk to replace the current binary. On Windows 10 and 11, Windows Defender Antivirus scans executable files as they are written to disk. Because the replacement .exe is unsigned and carries no SmartScreen reputation — every new release hash starts at zero — Defender's heuristic engine treats it as elevated risk. Defender can quarantine the newly-written binary before Velopack finishes the swap, leaving the installation in a broken or inconsistent state: the old binary has been partially removed, the new binary is quarantined, and the app may fail to launch entirely.

This is distinct from the SmartScreen warning shown at first install. SmartScreen triggers when a user manually runs a downloaded file. Velopack's update applies silently in the background via the already-installed Update.exe, so no SmartScreen dialog appears — but Defender AV operates independently and scans files written to disk regardless of how they arrived, making it the primary runtime risk for unsigned Velopack-managed apps on Windows 10 and 11.

Supporting references

Resolution

Code signing via Authenticode is the fix. The CI pipeline already has a placeholder for this in build.yml. The recommended path for an indie app at this stage is Azure Artifact Signing (~$9.99/month) — it provides instant SmartScreen reputation from day one and integrates directly with GitHub Actions without a hardware token.
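A release gate that confirms the signing step actually produced signed binaries before anything is published, added here as an example (not code from this issue, from Velopack, or from the project's build.yml). `$ReleasesDir` and `$ExpectedSubject` are placeholders to be set for the project; the script treats each Velopack .nupkg as the ZIP archive the issue describes and fails the job if any extracted .exe is unsigned, signed by an unexpected publisher, or lacks a timestamp countersignature.

```powershell
# Added example: post-signing gate for a Velopack release folder (not project code).
# Assumptions: $ReleasesDir points at the folder holding the *.nupkg packages and
# $ExpectedSubject is the Subject of the Authenticode signing certificate (placeholders).
param(
    [string]$ReleasesDir = ".\Releases",
    [string]$ExpectedSubject = "CN=PLACEHOLDER-PUBLISHER"
)

$ErrorActionPreference = "Stop"
Add-Type -AssemblyName System.IO.Compression.FileSystem

$failures = @()

foreach ($pkg in Get-ChildItem -Path $ReleasesDir -Filter *.nupkg) {
    # A .nupkg is a plain ZIP archive; ZipFile does not care about the extension.
    $scratch = Join-Path ([IO.Path]::GetTempPath()) ([IO.Path]::GetRandomFileName())
    [IO.Compression.ZipFile]::ExtractToDirectory($pkg.FullName, $scratch)
    try {
        foreach ($exe in Get-ChildItem -Path $scratch -Recurse -Include *.exe) {
            $sig = Get-AuthenticodeSignature -FilePath $exe.FullName
            # Anything other than Valid (NotSigned, HashMismatch, ...) is a release blocker.
            if ($sig.Status -ne 'Valid') {
                $failures += "$($pkg.Name): $($exe.Name) signature status is $($sig.Status)"
                continue
            }
            if ($sig.SignerCertificate.Subject -ne $ExpectedSubject) {
                $failures += "$($pkg.Name): $($exe.Name) signed by unexpected subject $($sig.SignerCertificate.Subject)"
            }
            # A timestamp countersignature keeps the signature valid after the cert expires.
            if (-not $sig.TimeStamperCertificate) {
                $failures += "$($pkg.Name): $($exe.Name) has no timestamp countersignature"
            }
        }
    } finally {
        Remove-Item -Path $scratch -Recurse -Force
    }
}

if ($failures.Count -gt 0) {
    # ::error:: makes each finding show up as a GitHub Actions annotation.
    $failures | ForEach-Object { Write-Host "::error::$_" }
    exit 1
}
Write-Host "All release executables carry a valid, timestamped Authenticode signature."
```

Run it as a step after the signing step in build.yml and before the publish step; a `Valid` status also requires the signing chain to be trusted on the runner, so a self-signed test certificate will be reported as a failure, which is the intended outcome for a public release.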
