dummzeuch

GExperts and virus scanners


I have been made aware that several of the GExperts installers are classified as malware by some virus scanners, one of them being Windows Defender. Depending on the installer, VirusTotal reports 2 to 17 virus scanners classifying it as malware, e.g.:

 

https://www.virustotal.com/gui/file/63a9c732ca62d8c31a6b7b6ba15bf4e94e26aa862489ad317b0b612745bd795c/detection

 

No idea what I can do about it.


Thomas,

After reading this (and installing GExperts yesterday) Norton decided to remove the setup programme from my backups (currently being written) a few minutes ago.

It's a generic trojan signature from 2014 (see link below).

Are you using an old installer, say an INNO Setup from a few years ago (not saying there is anything wrong with INNOSetup, as I use it myself)? I've had issues with Norton and INNOSetups for my application in recent months, and I've had to submit false positives to prevent the removals.

 

https://www.symantec.com/security-center/writeup/2014-042811-4408-99?ssdcat=118&vid=42878&product=Norton+Internet+Security&version=22.19.8.65&plang=sym%3aEN&layouttype=Retail&buildname=Retail&heartbeatID=858F9723-5766-47AE-B1EA-A12BC01D7C8D&eapenabled=false&env=prod&vendorid=1000&plid=2&plgid=2&skup=20991804&skum=21376863&skuf=20985775&endpointid=858F9723-5766-47AE-B1EA-A12BC01D7C8D&partnerid=1000&lic_type=2&lic_attr=17059858&psn=DPR7Y49F6VQ9&puid=5039&templatecat=SBU_W_1000_5039_NIS_Retail_2&schemacat=SBU_W&schemaver=1.0.0.0&olpchannel=RETAIL&osvers=10.0&oslocale=iso%3aGBR&oslang=iso%3aENG&os=windows


Thomas,

I've submitted a False Positive to Norton so hopefully that will help in a day or two.


Digitally signing the installers and binaries may help, but we do that and still get the occasional false positive. We submit the false positive report and it typically resolves itself in a few days (except for Windows Defender, that takes ages).


I let Windows Defender do a full scan of my computer (excluding the source directory which contains the installers in question). It found nothing.

Unfortunately that has a very limited meaning because any good virus will be able to prevent detection while it is active.

I'm still quite sure these are false positives.

 

Yes, this is an old version of InnoSetup. I don't remember when I downloaded it, but it was at least a year ago.

 

About digitally signing the installers (and probably the executables): I've never done that. As I understand it, it would require a certificate which

1. Costs money

2. Is valid for a limited time only

3. Then will cost money again to renew

 

The only advantage for me would be to learn how this works.


Norton have reported back to me that this is a false positive and they will remove the detection from their signatures.


I just submitted all installers to Kaspersky and the ones for 10.3 and 2007 to BitDefender (I won't submit the other 14 to Bitdefender because they make it too difficult).

I guess I also need to submit them to Microsoft.


OMG, Microsoft is even worse than BitDefender; it takes several minutes to provide all the "information" they want. I submitted the installers for 10.3 and 2007 there too, but that's it. If anybody else wants to submit any others, go ahead.


Kaspersky just started replying that these were false positives and will be corrected. There are still about 10 replies outstanding.

2 hours ago, dummzeuch said:

replying that these were false positives

Sure doesn't increase my confidence; what about false negatives... 🙂


Just got an answer from Microsoft:

Quote

gxrs10.3_1.3.15_experimental-twm_2019-11-23.exe

Submission ID: 9b7297aa-da98-4127-936c-3cc33c275442

Status: Completed

Submitted by: <my email>

Submitted: Nov 27, 2019 17:05:41

User Opinion: Incorrect detection

Analyst comments:

The submitted files do not meet our criteria for detection. No detection will be added for these files. More detailed information about the approach and criteria categories currently used by the Microsoft researchers are available here: https://www.microsoft.com/en-us/wdsi/antimalware-support/malware-and-unwanted-software-evaluation-criteria Thank you for contacting Microsoft.


Now that's useful ... not!


Apparently Microsoft has changed something. I just updated to the current virus definitions and the installers are no longer classified as a virus.

 

So that takes care of Microsoft and Kaspersky and possibly Norton / Symantec.

 

Which other virus scanners are popular and currently detect false positives with GExperts?

On 11/27/2019 at 8:15 AM, dummzeuch said:

About digitally signing the installers (and probably the executables): I've never done that. As I understand it, it would require a certificate which

1. Costs money

2. Is valid for a limited time only

3. Then will cost money again to renew

Completely OT, but in Denmark every citizen has a personal certificate issued by the state for verification of online identity etc. This was introduced 20 years or so ago.
In theory this certificate can be used for code signing (and I used to do so), but about ten years back the state outsourced the whole operation, implementation and infrastructure, to a private company (Nets DanID), which then introduced a solution called NemID (rhymes with GlemID and SlemID = ForgetID and BadID). NemID is still based on certificates, but it's so idiotically implemented that both the public and private keys are stored on the Nets servers. In other words: I don't have access to my own private keys and I have no control over who has access to them.
Sorry. I get really pissed off every time someone mentions certificates 🙂
