Thanks for the explanation. The weird thing is that the .exe in my installation does not appear to be signed. If I run this command in a powershell window: PS C:\Program Files\DB Browser for SQLite> Get-AuthenticodeSignature -FilePath '.\DB Browser for SQLite.exe' I get the status "NotSigned". Right-clicking on the .exe and checking the properties also does not show a "Digital signatures tab", so it really appears to be unsigned. Very odd indeed, because if my computer lacked some root certificates I guess it should still say the file was signed? And if it really is unsigned, why does TinyWall show it as "possibly compromised"? Edit: I figured it out, and it seems it's a packaging problem when they created the installers. I used the 64-bit MSI installer, but I now checked the files in the .zip-version, and in that package the files are actually signed. So I just replaced the exe in my installation with the one from the zip, and now TW recognizes it and gives the green banner. Still doesn't explain the red banner in TW with the unsigned files, though. It should have been blue, I think, as per your explanation.