Chris Bamford

Reputation: 1

Microsoft Trusted Certificate signing

My main question is regarding Microsoft Trusted Certificate signing for Windows desktop apps.

This is my first foray into the world of signing.

I have developed 2 Windows applications, installed via a WiX Toolset v4 MSI package. I have signed all generated executables and DLL files as well as the MSI package with an EV certificate obtained from GlobalSign using the command:

signtool sign /a /tr http://timestamp.globalsign.com/tsa/r6advanced1 /td SHA256 /fd SHA256

The signtool indicates the certificate and chain verify from the command:

signtool.exe verify /v /pa

After uploading to a web server and downloading, Windows SmartScreen indicates malware. AV software and virustotal.com all indicate no issues with the downloaded .msi files.

From the following blog posts:

https://www.advancedinstaller.com/prevent-smartscreen-from-appearing.html

https://www.advancedinstaller.com/trusted-signing-integration.html

my understanding is that EV certificates are no longer a guarantee of passing SmartScreen checks, and I have seen other posts on Stack Overflow indicating the same.

I understand that over time reputation can be gained with SmartScreen by download and installs but can also be affected negatively by malware reports.

My main question is, will switching to Microsoft Trusted Certificate signing get rid of the SmartScreen issues? I have submitted all MSI packages to Microsoft for analysis, but I understand this could take some time, so I am researching the alternate route.

Many thanks.

Signed MSI package with EV certificate and expected no download issues. However, encountered SmartScreen false positives.

Upvotes: 0

Views: 115

Answers (0)
