Setup.exe done in v8 is detected as a virus


SteveDude
08-13-2008, 04:32 PM
When I build an app I am also code signing, Trend Micro PC-cillin is detecting it as a POSSIBLE_MOVLY-1 / TROJ_DELF virus. I use the same signcode.exe in other apps without any problems, so my guess is it is something in Setup 8. Never ran into the problem in 7.

This is the link to the virus description...

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=POSSIBLE%5FMOVLY%2D1&VSect=P

jassing
08-14-2008, 11:07 AM
When I build an app I am also code signing, Trend Micro PC-cillin is detecting it as a POSSIBLE_MOVLY-1 / TROJ_DELF virus. I use the same signcode.exe in other apps without any problems, so my guess is it is something in Setup 8. Never ran into the problem in 7.

This is the link to the virus description...

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=POSSIBLE%5FMOVLY%2D1&VSect=P

Have you informed TrendMicro of the false positive?
Most virus vendors are very responsive to dealing with false positives.

Darryl
08-15-2008, 11:28 AM
Hi Steve,

Yes, you should contact the company distributing the virus definition about the false positive. The more people that notify them, the quicker they will react.

Could you also describe the circumstances of the report? Does this happen on any setup generated with Setup Factory 8.0 (like the defaults), or only given certain settings in a generated install?

SteveDude
08-15-2008, 04:16 PM
It's being detected no matter what type of setup I am doing. It is also saying the IRDATA.ARC file contains the virus.

SteveDude
08-15-2008, 04:33 PM
Pain in the tail submitting a case to Trend, but this problem pretty much makes Setup Factory useless for me. I don't have time to wait and cannot have customers telling me I sent them a virus.

Personally I think, since this kind of thing has happened before Indigo should take the responsibility of sending each build to all Security vendors. It shouldn't fall on my shoulders.

I now have to resort to using another installer.

jassing
08-16-2008, 10:43 AM
Pain in the tail submitting a case to Trend, but this problem pretty much makes Setup Factory useless for me. I don't have time to wait and cannot have customers telling me I sent them a virus.

Personally I think, since this kind of thing has happened before Indigo should take the responsibility of sending each build to all Security vendors. It shouldn't fall on my shoulders.

I now have to resort to using another installer.

I had a customer last year call to say that one of his customers called to say that some obscure freeware virus scanner flagged the install as a virus.
He commented/instructed that I should test the installers on each and every virus scanner out there before I release it -- after 3 weeks of testing with various flavours of each of the many scanners I found; he got the bill and blew a gasket.

No one can be expected to test for EVERY possible software compatibility -- asking a company to do that just isn't fair. Do you test your installers on each and every flavour of Windows? For each service pack? For each hot fix? Or should IndigoRose or Microsoft do that for you?

When I contacted the virus vendor, they had a fix in place that day; and it never returned. Subsequently I have found all virus scanners (except McAfee/Symantec) to be very interested and responsive in reducing false positives.

IMHO -- Not reporting it to the virus vendor yourself puts you in partial (if not full) blame for why you need to "use another installer". Why not use SUF7? if you don't have a license for suf7 see about downgrading your version.

FWIW -- I just used TrendMicro's "online scanner" and scanned my development directory -- 18 current SUF8 installers, not one flagged as a virus.

I downloaded their demo scanner (they have a few types) and it didn't flag the 3 installers I put on the test machine as viruses. (BTW: most virus scanners have different "flavours" of the engine which do different things; even though they may be using the same signature database, they may flag things differently -- It may be that since .arc is an archive file "type" that it's complaining because it cannot decompress the data as a standard ARC file -- but then I would have gotten false positives here.....)

-josh

jcuster
08-18-2008, 07:23 AM
When I contacted the virus vendor, they had a fix in place that day; and it never returned. Subsequently I have found all virus scanners (except McAfee/Symantec) to be very interested and responsive in reducing false positives.


Mentioned here are two very large companies, which at the very least I agree that Indigorose should be testing their software against.

On the other hand, for the cheap and free stuff that's the end user's responsibility. There have been a few times that I personally had to exclude a known good file from my virus scanner.

Ulrich
08-18-2008, 08:52 AM
Sorry to disagree. It is not a mistake on Indigo Rose's part if a virus scanner flags a file as suspicious or gives a false positive. Virus definition files are updated several times a day, and there are dozens of virus scanners in the open. For each of them you will find a horde of users that swear that their scanner is a top quality product, even if it is clear that it isn't - a good product should not give a false positive.

It is impossible to check if some buggy virus scanner and/or virus definition got released that could cause a problem, several times during the day, for each of those supposed quality products. I prefer the IR team spending their time correcting actual problems in the software under their control and implementing new features. IR does its best to assure that their products work well, I expect other vendors to do the same.

If somebody uses a virus scanner which gives false positives, then complaints certainly shouldn't be posted here, but in the proper channels of the anti-virus vendor (file submission, technical support). I see no point in coming here (a user-to-user forum for SUF) to complain about false positives, saying that it would be too much trouble to report the false positive to the vendor. Serious anti-virus vendors pay attention to their customers and fix the definitions in a few hours. If you wish to continue to use the buggy software, then actively help the vendor to correct the problem. I can't see how somebody would prefer changing the software deployment solution after paying ten times the cost of the buggy anti-virus for it. For my part, I certainly would make sure that I can use the software I paid for, which hasn't a problem in the first place, starting with reports of the problem at the proper place.

Ulrich

SteveDude
08-19-2008, 08:06 AM
No one can be expected to test for EVERY possible software compatibility -- asking a company to do that just isn't fair. Do you test your installers on each and every flavour of Windows? For each service pack? For each hot fix? Or should IndigoRose or Microsoft do that for you?

-josh

Actually, yes I do test my software on every flavor of an OS I support before release, with most current updates. That is standard practice and only a service to your customers. If you don't do that yourself, I consider that not very responsible. It's not my software being detected as a virus, it is IR's, it has happened before, so yes I would expect them to release the signature to the main virus detection companies. If it was a one time incident I could understand, but it is not, search the forum.

I have never run into any false positives with any of the other installers I use, so who's to say it really is a false positive?

Ulrich
08-19-2008, 08:19 AM
I have never run into any false positives with any of the other installers I use, so who's to say it really is a false positive?

I believe that Darryl from Indigo Rose, as one of the programmers of the product, said it is.

jassing
08-19-2008, 09:41 AM
Actually, yes I do test my software on every flavor of an OS I support before release, with most current updates. That is standard practice and only a service to your customers. If you don't do that yourself, I consider that not very responsible.

Just so any potential customers reading this know: I do test all my installs on all os's that are supported, but only with the latest service packs and HotFixes -- unless otherwise specified.

The question was supposed to be if you did that on all OSes with each service pack and each combination of hotfixes & service packs.... There's just no way to do that.

It's not my software being detected as a virus, it is IR's, it has happened before, so yes I would expect them to release the signature to the main virus detection companies. If it was a one time incident I could understand, but it is not, search the forum.

I have never run into any false positives with any of the other installers I use, so who's to say it really is a false positive?

You're right then. If it's a very common experience then you shouldn't use it. I have been creating installs, patches, etc. for customers for years. I've heard of 3 false positives; and the vendors fixed it that day (except for the Symantec experience, they did not even respond; but in a few days it was no longer detected as a virus).

Although; curious; how not one of my SUF8 installers was detected by Trend Micro as containing a virus.

Good luck -- don't think there's anything else left to say that can be positive in this discussion for either side w/o deteriorating into a flame.

Cheers
-josh

SteveDude
08-19-2008, 08:36 PM
Although; curious; how not one of my SUF8 installers was detected by Trend Micro as containing a virus.
-josh

I'm using Trend PC-cillin Internet Security 14.60.1206 Engine 8.900.1001 Pattern 5.485.00

Happens every build for me and points to the generated EXE, the temp stub IR creates, plus another one of its temp files.

jassing
09-02-2008, 01:07 PM
Another developer pointed me to
http://www.virustotal.com/
a free service that checks your exe against 30 popular scanners....

jassing
09-02-2008, 01:44 PM
Was your SUF8 project using "built in" compression or the LZMA?

SteveDude
09-03-2008, 05:47 PM
Was your SUF8 project using "built in" compression or the LZMA?

I was using the built in compression. I just got an email from Trend yesterday saying it is under investigation, but the latest profiles do not log the EXE as a virus anymore, but the ARC files are, so I'm sure your prior comment is probably correct.

It only happens during the build process and not when a user is running the exe now, which is a very good thing :).

Thanks for all of your input and sorry about being a bit testy earlier on.

wunder
09-04-2008, 03:33 PM
Just FYI - I just finished creating a build and tested with Trend Micro and it did not report it as a virus. I have had other false positives with PC-cillin in the past, though (not Setup Factory related - it was a purchased OCX file I was using).

SteveDude
09-09-2008, 06:02 PM
just got this today...

Subject
Setup programs built by IndigoRose Setup Factory V8 show up as false positive...

Discussion Thread
Response (DRR Team) 09/09/2008 04:30 PM
We analyzed the following files that you submitted and verified these to be not malicious.
setup.exe-1 (1,243,871 bytes)

This should already be removed from the pattern file. Please let me know if you need anything further.
Response (DRR Team) 08/29/2008 12:36 PM
We are reviewing this now and will update you with details once our review is complete.
Customer 08/15/2008 06:27 PM
Setup programs built by IndigoRose Setup Factory V8 show up as false positive. This includes the temp file IRDATA.ARC.

Reference #080815-000039
Product Level 1: PC-cillin
Date Created: 08/15/2008 06:27 PM
Last Updated: 09/09/2008 04:30 PM
Status: Waiting
Operating System: Windows XP
Pattern/Definition: POSSIBLE_MOVL
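Two things in this thread go together: the advice above to check a build against many scanners before shipping, and the vendor reply just quoted, which identifies the sample only by name and size ("setup.exe-1 (1,243,871 bytes)"). A submission is easier for a vendor to match, and easier to follow up, when it carries exact sizes and SHA-256 hashes of every build artifact, and a hash manifest also lets you tell which artifact changed between a build that was flagged and one that was not. The script below is an added example written for this page; it is not Setup Factory or Indigo Rose code, and the two sample "builds" embedded in it are constructed stand-ins for real installer output, not real Setup Factory files.

```python
# Added example (not part of the thread, and not Setup Factory or Indigo Rose code):
# build a manifest of installer artifacts so that a false-positive report carries
# exact file names, sizes and SHA-256 hashes, and so that two builds can be compared.
from __future__ import annotations

import hashlib
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class ArtifactRecord:
    """One build output: relative name, size in bytes, SHA-256 hex digest."""
    name: str
    size: int
    sha256: str


def hash_bytes(data: bytes) -> str:
    """SHA-256 of an in-memory file; the value a vendor can match against its sample."""
    return hashlib.sha256(data).hexdigest()


def record_from_bytes(name: str, data: bytes) -> ArtifactRecord:
    return ArtifactRecord(name=name, size=len(data), sha256=hash_bytes(data))


def manifest_from_files(files: dict[str, bytes]) -> dict[str, ArtifactRecord]:
    """Manifest from a name -> content mapping (used for the constructed samples below)."""
    return {name: record_from_bytes(name, data) for name, data in files.items()}


def manifest_from_dir(root: str) -> dict[str, ArtifactRecord]:
    """Manifest of every file under a real build output directory, keyed by relative path."""
    manifest: dict[str, ArtifactRecord] = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for fn in sorted(filenames):
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                manifest[rel] = record_from_bytes(rel, fh.read())
    return manifest


def diff_manifests(old: dict[str, ArtifactRecord],
                   new: dict[str, ArtifactRecord]) -> dict[str, list[str]]:
    """Which artifacts appeared, vanished, or changed content between two builds."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(n for n in set(old) & set(new) if old[n].sha256 != new[n].sha256)
    return {"added": added, "removed": removed, "changed": changed}


def format_report(manifest: dict[str, ArtifactRecord],
                  product: str, scanner: str, detection: str) -> str:
    """Plain-text body for a vendor false-positive submission."""
    lines = [
        f"Product: {product}",
        f"Scanner: {scanner}",
        f"Detection name: {detection}",
        "Files (name, size, SHA-256):",
    ]
    for rec in sorted(manifest.values(), key=lambda r: r.name):
        lines.append(f"  {rec.name} ({rec.size:,} bytes) {rec.sha256}")
    return "\n".join(lines)


# Constructed sample builds (not real Setup Factory output): build B differs from
# build A only in setup.exe, the kind of single-artifact change worth pointing out
# to a vendor when one build is flagged and the previous one was not.
SAMPLE_BUILD_A = {
    "setup.exe": b"MZ" + b"\x00" * 62 + b"constructed stub A",
    "IRDATA.ARC": b"ARC constructed payload",
}
SAMPLE_BUILD_B = {
    "setup.exe": b"MZ" + b"\x00" * 62 + b"constructed stub B",
    "IRDATA.ARC": b"ARC constructed payload",
}


def sample_diff() -> dict[str, list[str]]:
    """Diff of the two constructed builds: only setup.exe should show as changed."""
    return diff_manifests(manifest_from_files(SAMPLE_BUILD_A),
                          manifest_from_files(SAMPLE_BUILD_B))


if __name__ == "__main__":
    print(format_report(manifest_from_files(SAMPLE_BUILD_B),
                        product="Setup Factory 8 (constructed sample)",
                        scanner="PC-cillin (version placeholder)",
                        detection="POSSIBLE_MOVLY-1"))
    print(sample_diff())
```

For a real build, call `manifest_from_dir()` on the output folder and keep the manifest with the build; when a scanner flags one build but not the previous, `diff_manifests()` on the two saved manifests narrows the question to the artifacts whose content actually changed, and `format_report()` gives the vendor the hashes it needs to confirm it is looking at the same files you are.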

jassing
09-09-2008, 06:20 PM
Just out of curiosity -- what did you move on to for your installer needs?
How does it compare against SUF (ignoring the false-positive) issue?

SteveDude
09-16-2008, 04:29 PM
For MSI installs I use both InstallAware (great installer - world's worst support and a bunch of not so happy users) and IR's MSI Factory (so-so, simple to use installer, world's best support, and a bunch of happy users) depending on what the specific project requires. I am not a big WiX fan, so I only use MSI Factory for simple installs requiring Windows Installer technology.

I do installers for a company that creates digital content CD's/DVD's and those just require copying files from location A to location B. For that I used Wise Non-MSI Installer instead of Setup factory, because of the false positives. Now that the false positives are gone, at least for the EXE's, I am back using SUF 8 again for these types of installs. As far as a comparison, Wise stinks compared to SUF and is very outdated, except I did like the inline scripting much better.

Setup Factory 8 is the only programming tool that I have ever used that came up with as a false positive and I have been writing code for 25 years.

jassing
09-16-2008, 04:40 PM
Setup Factory 8 is the only programming tool that I have ever used that came up with as a false positive and I have been writing code for 25 years.

you've been lucky.

I've had FoxPro, VB, C, C++ and .net apps all show up as false positives...
Heck; I've even had a text file show up as a positive with one of the "big bloatware" ones....

They had virus scanners 25 years ago? Truly amazing...
I had a TI machine back then; no virus scanner for it...
Worked on PDP/11 -- no virus scanners for it either.
Then there was the Apple, and (oh, let's call it a computer) the Atari box; CP/M machines -- I can't recall when I first saw a virus scanner; but it seems to me it was in the 90's...

well; I was just curious what you dumped suf for -- i've used wise, wouldn't use it now even if I didn't have a license for suf.

-josh

HJB
09-22-2008, 09:21 AM
Just a little reminder after 5 days of silence. Our SF setups are downloaded hundreds of times each day from our site and shareware collections all over the world, they are also included on countless CD and DVD archives. Our support is flooded with a bazillion mails from anxious users. Some of them are about to inform computer magazines, reproach us for spreading setups with trojans or threaten us with accusations. Most of the users today don't understand what "false positives" are, their virus scanners are sacred and infallible. So what is IR doing to help us in this situation? Will there be an update ASAP? Is there any official statement from IR or some of the big antivirus companies we can send our customers and downloaders?

brianlesker
10-06-2008, 08:09 AM
Well we have the same problem (with McAfee antivirus).
Sometimes we need to start the setup twice to get it working or it is so slow that the customer thinks it is hanging.

I'm still waiting for some official response from IndigoRose on this Thread.
Otherwise we will downgrade from 8 to 7. :(

jassing
10-06-2008, 09:38 AM
Well we have the same problem (with McAfee antivirus).
Sometimes we need to start the setup twice to get it working or it is so slow that the customer thinks it is hanging.

I'm still waiting for some official response from IndigoRose on this Thread.
Otherwise we will downgrade from 8 to 7. :(

Yea; I'm still waiting for my .docx files to open faster too. I don't know if I should blame the stars or the moon; but I'm thinking I'll blame IR too.. ;-)

Seriously; the problem that it runs slow isn't IR, it's McAfee; if disabling McAfee "speeds it up" then the problem is firmly on McAfee's scanning engine.

McAfee and Symantec are notorious resource hogs and slow down the loading of everything. Not to mention I see a lot of failure to identify (false negatives) on virus files with those two...

Adam
10-07-2008, 01:37 PM
I have been contacting antivirus companies regarding these false positives. I have had some success so far.

We are looking at putting up a page to report any false positives so that we can react faster.

For the time being use the Contact Us (http://www.indigorose.com/site/contact.php) page or open a support request through the Customer Portal (https://www.indigorose.com/customers/login.php) and we will act accordingly.

We are acting on any reports that we receive. Also please remember that it is a good idea for you the developer to also raise these up to the AV companies. The more noise that is made the better.

Adam Kapilik

artistscope
01-21-2009, 02:35 AM
Trend Micro PC-cillin is detecting it as a POSSIBLE_MOVLY-1 / TROJ_DELF virus.

It appears that this has not been resolved.

Trend Micro is still reporting the SUF8.exe as malware and stopping install.

jassing
01-21-2009, 10:27 AM
the fact that it is reporting "possibly" should be a sign that they don't know...

Have you reported it to the people that can do something about it?

artistscope
01-21-2009, 02:05 PM
the fact that it is reporting "possibly" should be a sign that they don't know...

Have you reported it to the people that can do something about it?

They should know!

There are posts here going back to June which report that Trend Micro have been notified, and another post in October that Trend Micro replied with "problem fixed".

And yes we have reported it again about a week ago and we followed up that report yesterday.

If more SUF8 users follow up then they may do something about it.

jassing
01-21-2009, 02:36 PM
They should know!

but they don't "Possible virus" = "maybe, we don't know" and shouldn't block it.


If more SUF8 users follow up then they may do something about it.

I just took 1/2 dozen of my sf8 installers and ran it thru their online scanner; not one was flagged as a virus.
My installs are used world wide; with verified "all over the map" as far as virus scanners -- I think in the last year; we've had 1 false positive; reported it; that day an update cleared it up.

I think there must be something common/unique to the few that have these false positives....other than trend micro....

artistscope
01-21-2009, 03:00 PM
I think there must be something common/unique to the few that have these false positives....other than trend micro....

Well Trend Micro are the only ones calling anything "MOVLY".

It exists to them and no-one else.

That they have ignored that the installer and all of its components are code signed using Authenticode is another mystery!

artistscope
01-21-2009, 11:02 PM
Well Trend Micro are the only ones calling anything "MOVLY". It exists to them and no-one else.


I downloaded Trend Micro and scanned the computer used for making our installers. It found MOVLY in every installer created since we upgraded to SUF8... 117 of them (of varying content).

It didn't find any threats elsewhere.

So what does this say?

jassing
01-22-2009, 07:06 AM
I downloaded Trend Micro and scanned the computer used for making our installers. It found MOVLY in every installer created since we upgraded to SUF8... 117 of them (of varying content).

It didn't find any threats elsewhere.

So what does this say?

I can't help myself... TrendMicro sucks?

Desmond
01-28-2009, 09:24 AM
I downloaded Trend Micro and scanned the computer used for making our installers. It found MOVLY in every installer created since we upgraded to SUF8... 117 of them (of varying content).

It didn't find any threats elsewhere.

So what does this say?

Hello,

TrendMicro definitions 8.700.0.1004 released on 2009.01.28 do not flag a base-case installer as containing any type of virus.

Please update your definitions to the latest version and scan the files again -- it is possible this false positive has already been resolved by Trend Micro.

Regards,
Desmond.

P.S. For any cases of false positives, please do let us know -- and also let the producers of the virus scanner know. While we certainly will do everything within our power to resolve false positive reports pertaining to our software, sometimes the best way to see fast results is to report false positives to the virus scanner company many times from many sources.

artistscope
02-25-2009, 05:11 AM
So what does this say?

Well a few weeks have passed and Trend Micro still claims MOVLY virus.

We tracked down what the complaint was about by a process of elimination. We eventually removed all "added" files and tested the installer itself. And this is where the problem lies. It's not to do with code-signing... it's only when an installer has Custom Version Properties selected.

And they call that a virus?

I believe that Trend Micro has been contacted several times by several developers and nothing has been done in all this time. Our first report was sent on the 14th January.

jassing
02-25-2009, 08:23 AM
It doesn't help -- but on the 21st one of our exe's was flagged by TrendMicro as "possibly movly"; we tested every one of the exe's & dll's -- they were all flagged with "possibly movly" -- we sent them several emails and a fax -- no response back from them. Our feeling is that they just mark everything as "possibly movly" to cover their arse... "Well; we said it MIGHT be this mythical virus called movly"

On the 22nd multiple virus vendors flagged a few of our exe's as viruses; w/o sending any emails in -- on the 23 all exe's were ok -- except trendmicro.

I then uploaded a pdf as a test -- guess what? It was flagged as "possibly movly".

(I did test a text file; it was "clean" for them, so they're not marking everything....)

We just tell people up front - - "If you use trendmicro, it will report possibly movly, contact them to find out what this virus threat might mean before continuing, no other vendor flags us as a virus".

Luckily our market is corporate; and trendmicro is not frequently used in a corporate environment....

Since our exe's are also flagged, changing installers (like at least one user keeps threatening to do) won't help too much (for us anyway) so we just are living with it.

-j

(ps: our exe's and dll's come from VFP, C++, C, Delphi. Some are protected with Armadillo, some are protected with another scheme; some are not protected at all.... Some have manifests in them, some do not, so there's nothing "consistent" between them, other than being exe's)

artistscope
02-25-2009, 09:04 AM
It doesn't help --

I don't think it's a popular AV at least not in Australia... I spent most of last year working in a computer shop doing mostly virus removals. But 2 of my remote partners use it and they are worried. Otherwise I have had only a few complaints which is not many considering our plugins are being downloaded by 100s of people around the world each day just for one client's online survey.

But there are a couple of people out there that have used it for 10 years and believe that it is the king of AV :-)

As to why it hasn't been fixed yet... perhaps they can't update. Trend Micro are mainly marketeers and maybe not developers?

I'm guessing that "MOVLY" is a catch phrase for anything they don't know about which to me implies that their R&D is non existent!