Indigo Rose Software

  #1  
Old 08-13-2008
SteveDude
Indigo Rose Customer
 
Join Date: Jun 2007
Posts: 32
Setup.exe done in v8 is detected as a virus

When I build an app I am also code signing, Trend Micro PC-cillin is detecting it as a POSSIBLE_MOVLY-1 / TROJ_DELF virus. I use the same signcode.exe in other apps without any problems, so my guess is it is something setup 8. Never ran into the problem in 7.

This is the link to the virus description...

http://www.trendmicro.com/vinfo/viru...LY%2D1&VSect=P
  #2  
Old 08-14-2008
jassing
Indigo Rose Customer
 
Join Date: Jan 2001
Location: Anderson Island, WA, USA
Posts: 1,901
Quote:
Originally Posted by SteveDude View Post
When I build an app I am also code signing, Trend Micro PC-cillin is detecting it as a POSSIBLE_MOVLY-1 / TROJ_DELF virus. I use the same signcode.exe in other apps without any problems, so my guess is it is something setup 8. Never ran into the problem in 7.

This is the link to the virus description...

http://www.trendmicro.com/vinfo/viru...LY%2D1&VSect=P
Have you informed TrendMicro of the false positive?
Most virus vendors are very responsive to dealing with false positives.
  #3  
Old 08-15-2008
Darryl
Indigo Rose Staff Member
 
Join Date: Jul 2001
Location: Indigo Rose Software
Posts: 1,602
Hi Steve,

Yes, you should contact the company distributing the virus definition about the false positive. The more people that notify them, the quicker they will react.

Could you also describe the circumstances of the report? Does this happen on any setup generated with Setup Factory 8.0 (like the defaults), or only given certain settings in a generated install?
__________________
Darryl
Indigo Rose Corporation

  #4  
Old 08-15-2008
SteveDude
Indigo Rose Customer
 
Join Date: Jun 2007
Posts: 32
...

It's being detected no matter what type of setup I am doing. It is also saying the IRDATA.ARC file contains the virus.
  #5  
Old 08-15-2008
SteveDude
Indigo Rose Customer
 
Join Date: Jun 2007
Posts: 32
Big Pain To Submit...

Pain in the tail submitting a case to Trend, but this problem pretty much makes Setup Factory useless for me. I don't have time to wait and cannot have customers telling me I sent them a virus.

Personally I think, since this kind of thing has happened before Indigo should take the responsibility of sending each build to all Security vendors. It shouldn't fall on my shoulders.

I now have to resort to using another installer.
  #6  
Old 08-16-2008
jassing
Indigo Rose Customer
 
Join Date: Jan 2001
Location: Anderson Island, WA, USA
Posts: 1,901
Quote:
Originally Posted by SteveDude View Post
Pain in the tail submitting a case to Trend, but this problem pretty much makes Setup Factory useless for me. I don't have time to wait and cannot have customers telling me I sent them a virus.

Personally I think, since this kind of thing has happened before Indigo should take the responsibility of sending each build to all Security vendors. It shouldn't fall on my shoulders.

I now have to resort to using another installer.
I had a customer last year call to say that one of his customers called to say that some obscure freeware virus scanner flagged the install as a virus.
He commented/instructed that I should test the installers on each and every virus scanner out there before I release it -- after 3 weeks of testing with various flavours of each of the many scanners I found; he got the bill and blew a gasket.

No one can be expected to test for EVERY possible software compatibility -- asking a company to do that just isn't fair. Do you test your installers on each and every flavour of Windows? For each service pack? For each hot fix? Or should IndigoRose or Microsoft do that for you?

When I contacted the virus vendor, they had a fix in place that day; and it never returned. Subsequently I have found all virus scanners (except McAfee/Symantec) to be very interested and responsive in reducing false positives.

IMHO -- Not reporting it to the virus vendor yourself puts you in partial (if not full) blame for why you need to "use another installer". Why not use SUF7? if you don't have a license for suf7 see about downgrading your version.

FWIW -- I just used TrendMicro's "online scanner" and scanned my development directory -- 18 current SUF8 installers, not one flagged as a virus.

I downloaded their demo scanner (they have a few types) and it didn't flag the 3 installers I put on the test machine as viruses. (BTW: most virus scanners have different "flavours" of the engine which do different things; even tho they may be using the same signature database, they may flag things differently -- It may be that since .arc is an archive file "type" that it's complaining because it cannot decompress the data as a standard ARC file -- but then I would have gotten false positives here.....)

-josh
Last edited by jassing; 08-16-2008 at 11:46 AM.
  #7  
Old 08-18-2008
jcuster
Indigo Rose Customer
 
Join Date: Jul 2001
Location: Harrisburg, PA , USA
Posts: 91
Quote:
When I contacted the virus vendor, they had a fix in place that day; and it never returned. Subsequently I have found all virus scanners (except McAfee/Symantec) to be very interested and responsive in reducing false positives.
Mentioned here are two very large companies, who at very least I agree that Indigo Rose should be testing their software against.

On the other hand, for the cheap and free stuff, that's at the end user's responsibility. There have been a few times that I personally had to exclude a known good file from my virus scanner.
  #8  
Old 08-18-2008
Ulrich
Indigo Rose Staff Member
 
Join Date: Apr 2005
Location: Sao Paulo, Brazil
Posts: 823
Sorry to disagree. It is not a mistake on Indigo Rose's part if a virus scanner flags a file as suspicious or gives a false positive. Virus definition files are updated several times a day, and there are dozens of virus scanners in the open. For each of them you will find a horde of users that swear that their scanner is a top quality product, even if it is clear that it isn't - a good product should not give a false positive.

It is impossible to check if some buggy virus scanner and/or virus definition got released that could cause a problem, several times during the day, for each of those supposed quality products. I prefer the IR team spending their time correcting actual problems in the software under their control and implementing new features. IR does its best to assure that their products work well, I expect other vendors to do the same.

If somebody uses a virus scanner which gives false positives, then complaints certainly shouldn't be posted here, but in the proper channels of the anti-virus vendor (file submission, technical support). I see no point in coming here (a user-to-user forum for SUF) to complain about false positives, saying that it would be too much trouble to report the false positive to the vendor. Serious anti-virus vendors pay attention to their customers and fix the definitions in a few hours. If you wish to continue to use the buggy software, then actively help the vendor to correct the problem. I can't see how somebody would prefer changing the software deployment solution after paying ten times the cost of the buggy anti-virus for it. For my part, I certainly would make sure that I can use the software I paid for, which hasn't a problem in the first place, starting with reports of the problem at the proper place.

Ulrich
  #9  
Old 08-19-2008
SteveDude
Indigo Rose Customer
 
Join Date: Jun 2007
Posts: 32
Quote:
Originally Posted by jassing View Post
No one can be expected to test for EVERY possible software compatibility -- asking a company to do that just isn't fair. Do you test your installers on each and every flavour of Windows? For each service pack? For each hot fix? Or should IndigoRose or Microsoft do that for you?

-josh
Actually, yes I do test my software on every flavor of an OS I support before release, with most current updates. That is standard practice and only a service to your customers. If you don't do that yourself, I consider that not very responsible. It's not my software being detected as a Virus, it is IR's, it has happened before, so yes I would expect them to release the signature to the main Virus detection companies. If it was a one time incident I could understand, but it is not, search the forum.

I have never run into any false positives with any of the other installers I use, so who's to say it really is a false positive?
  #10  
Old 08-19-2008
Ulrich
Indigo Rose Staff Member
 
Join Date: Apr 2005
Location: Sao Paulo, Brazil
Posts: 823
Quote:
Originally Posted by SteveDude View Post
I have never run into any false positives with any of the other installers I use, so who's to say it really is a false positive?
I believe that Darryl from Indigo Rose, as one of the programmers of the product, said it is.
  #11  
Old 08-19-2008
jassing
Indigo Rose Customer
 
Join Date: Jan 2001
Location: Anderson Island, WA, USA
Posts: 1,901
Quote:
Originally Posted by SteveDude View Post
Actually, yes I do test my software on every flavor of an OS I support before release, with most current updates. That is standard practice and only a service to your customers. If you don't do that yourself, I consider that not very responsible.
Just so any potential customers reading this know: I do test all my installs on all os's that are supported, but only with the latest service packs and HotFixes -- unless otherwise specified.

The question was supposed to be if you did that on all OS's with each service pack and each combination of hotfixes & service packs.... There's just no way to do that.

Quote:
Originally Posted by SteveDude View Post
It's not my software being detected as a Virus, it is IR's, it has happened before, so yes I would expect them to release the signature to the main Virus detection companies. If it was a one time incident I could understand, but it is not, search the forum.

I have never run into any false positives with any of the other installers I use, so who's to say it really is a false positive?
You're right then. If it's a very common experience then you shouldn't use it. I have been creating installs, patches, etc for customers for years. I've heard of 3 false positives; and the vendors fixed it that day (except for the Symantec experience, they did not even respond; but in a few days it was no longer detected as a virus).

Although; curious; how not one of my suf8 installers was detected by trend micro as containing a virus.

Good luck -- don't think there's anything else left to say that can be positive in this discussion for either side w/o deteriorating into a flame.

Cheers
-josh
  #12  
Old 08-19-2008
SteveDude
Indigo Rose Customer
 
Join Date: Jun 2007
Posts: 32
Quote:
Originally Posted by jassing View Post
Although; curious; how not one of my suf8 installers was detected by trend micro as containing a virus.
-josh
I'm using Trend PC-cillin Internet Security 14.60.1206 Engine 8.900.1001 Pattern 5.485.00

Happens every build for me and points to the generated EXE, the temp stub IR creates, plus another one it's temp files.
  #13  
Old 09-02-2008
jassing
Indigo Rose Customer
 
Join Date: Jan 2001
Location: Anderson Island, WA, USA
Posts: 1,901
Another developer pointed me to
http://www.virustotal.com/
free service that checks your exe against 30 popular scanners....
  #14  
Old 09-02-2008
jassing
Indigo Rose Customer
 
Join Date: Jan 2001
Location: Anderson Island, WA, USA
Posts: 1,901
Was your SUF8 project using "built in" compression or the LZMA?
  #15  
Old 09-03-2008
SteveDude
Indigo Rose Customer
 
Join Date: Jun 2007
Posts: 32
...

Quote:
Was your SUF8 project using "built in" compression or the LZMA?
I was using the built in compression. I just got an email from Trend yesterday saying it is under investigation, but the latest profiles do not log the EXE as a virus anymore, but the ARC files are, so I'm sure your prior comment is probably correct.

It only happens during the build process and not when a user is running the exe now, which is a very good thing.

Thanks for all of your input and sorry about being a bit testy earlier on.