dummzeuch, posted November 26, 2019

I have been made aware that several of the GExperts installers are classified as malware by some virus scanners, one of them being Windows Defender. Depending on the installer, VirusTotal reports 2 to 17 virus scanners classifying it as malware, e.g.:

https://www.virustotal.com/gui/file/63a9c732ca62d8c31a6b7b6ba15bf4e94e26aa862489ad317b0b612745bd795c/detection

No idea what I can do about it.
Attila Kovacs, posted November 26, 2019

Just lean back, not your fault. And it's always the installer's code which ends up in the signatures, not the RTL.
David Hoyle, posted November 26, 2019

Thomas,

After reading this (and installing GExperts yesterday), Norton decided to remove the setup programme from my backups (currently being written) a few minutes ago. It's a generic trojan signature from 2014 (see link below). Are you using an old installer, say an Inno Setup from a few years ago (not saying there is anything wrong with Inno Setup, as I use it myself)? I've had issues with Norton and Inno Setups for my application in recent months and I've had to submit false positives to prevent the removals.

https://www.symantec.com/security-center/writeup/2014-042811-4408-99?ssdcat=118&vid=42878&product=Norton+Internet+Security&version=22.19.8.65&plang=sym%3aEN&layouttype=Retail&buildname=Retail&heartbeatID=858F9723-5766-47AE-B1EA-A12BC01D7C8D&eapenabled=false&env=prod&vendorid=1000&plid=2&plgid=2&skup=20991804&skum=21376863&skuf=20985775&endpointid=858F9723-5766-47AE-B1EA-A12BC01D7C8D&partnerid=1000&lic_type=2&lic_attr=17059858&psn=DPR7Y49F6VQ9&puid=5039&templatecat=SBU_W_1000_5039_NIS_Retail_2&schemacat=SBU_W&schemaver=1.0.0.0&olpchannel=RETAIL&osvers=10.0&oslocale=iso%3aGBR&oslang=iso%3aENG&os=windows
David Hoyle, posted November 26, 2019

Thomas,

I've submitted a false positive to Norton, so hopefully that will help in a day or two.
Vincent Parrett, posted November 27, 2019

Digitally signing the installers and binaries may help, but we do that and still get the occasional false positive. We submit the false positive report and it typically resolves itself in a few days (except for Windows Defender, that takes ages).
dummzeuch, posted November 27, 2019 (edited)

I let Windows Defender do a full scan of my computer (excluding the source directory which contains the installers in question). It found nothing. Unfortunately that has a very limited meaning because any good virus will be able to prevent detection while it is active. I'm still quite sure these are false positives.

Yes, this is an old version of InnoSetup; don't remember when I downloaded it, but it was at least a year ago.

About digitally signing the installers (and probably the executables): I've never done that. As I understand it, it would require a certificate which

1. Costs money
2. Is valid for a limited time only
3. Then will cost money again to renew

The only advantage for me would be to learn how this works.

Edited November 27, 2019 by dummzeuch
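Two checks a practitioner would run before uploading installers to vendors come up in the posts above: whether a given build is actually Authenticode-signed, and what its VirusTotal hash URL is (the first post links a file by its SHA-256). The script below is an added example written for this thread; it is not part of GExperts or Inno Setup. It reads the PE headers directly rather than depending on the `pefile` package, and only detects whether a certificate table is present (it does not validate the signature; use `signtool verify /pa` or PowerShell's `Get-AuthenticodeSignature` for that). The two sample files at the bottom are constructed header-only PE images for demonstration, not real installers.

```python
"""Report Authenticode presence and the VirusTotal lookup URL for PE files.

Added example for this forum thread, not GExperts or Inno Setup code.
Only the presence of the certificate table is checked; signature
validation is out of scope here.
"""
import hashlib
import struct
import sys

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # data-directory slot of the certificate table
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def authenticode_cert_table(data: bytes):
    """Return (file_offset, size) of the WIN_CERTIFICATE table, or None.

    Unlike every other data directory, the Security entry holds a raw file
    offset rather than an RVA, so no section-table mapping is required.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (size_opt,) = struct.unpack_from("<H", data, coff + 16)   # SizeOfOptionalHeader
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:       # PE32: NumberOfRvaAndSizes at 92, directories at 96
        count_off, dir_base = opt + 92, opt + 96
    elif magic == 0x20B:     # PE32+: NumberOfRvaAndSizes at 108, directories at 112
        count_off, dir_base = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (num_dirs,) = struct.unpack_from("<I", data, count_off)
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None
    entry = dir_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if entry + 8 > opt + size_opt:
        return None
    off, size = struct.unpack_from("<II", data, entry)
    if off == 0 or size == 0:
        return None
    if off + size > len(data):
        raise ValueError("certificate table points outside the file")
    return off, size


def is_signed(data: bytes) -> bool:
    """True when the image carries a non-empty Authenticode certificate table."""
    return authenticode_cert_table(data) is not None


def virustotal_url(data: bytes) -> str:
    """Same URL shape as the link in the first post: VirusTotal keyed by SHA-256."""
    return "https://www.virustotal.com/gui/file/" + hashlib.sha256(data).hexdigest() + "/detection"


# --- constructed sample data (header-only PE32+ images, not real installers) ---
HEADER_LEN = 0x40 + 4 + 20 + (112 + 16 * 8)     # DOS stub + "PE\0\0" + COFF + PE32+ optional header


def _minimal_pe(cert_blob: bytes = b"") -> bytes:
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 112 + 16 * 8, 0x22)
    dirs = [(0, 0)] * 16
    if cert_blob:
        dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] = (HEADER_LEN, len(cert_blob))
    opt = (struct.pack("<H", 0x20B) + b"\0" * (108 - 2) + struct.pack("<I", 16)
           + b"".join(struct.pack("<II", o, s) for o, s in dirs))
    return dos + b"PE\0\0" + coff + opt + cert_blob


# Fake WIN_CERTIFICATE: dwLength, wRevision, wCertificateType, then an 8-byte
# placeholder where the PKCS#7 SignedData would normally sit.
FAKE_CERT = struct.pack("<IHH", 16, WIN_CERT_REVISION_2_0, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + b"\x30\x82" + b"\0" * 6
SAMPLE_UNSIGNED = _minimal_pe()
SAMPLE_SIGNED = _minimal_pe(FAKE_CERT)


def report(name: str, data: bytes) -> str:
    state = "signed" if is_signed(data) else "UNSIGNED"
    return f"{name}: {state}  {virustotal_url(data)}"


if __name__ == "__main__":
    paths = sys.argv[1:]
    if paths:
        for p in paths:
            with open(p, "rb") as f:
                print(report(p, f.read()))
    else:
        print(report("sample-unsigned.exe", SAMPLE_UNSIGNED))
        print(report("sample-signed.exe", SAMPLE_SIGNED))
```

Run it as `python check_installers.py gxrs*.exe` to list each build; with no arguments it reports on the two constructed samples. Because the certificate table is appended after the image data, `is_signed` on a file whose header says PE32 (`0x10B`) works the same way, only the directory offset differs.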
David Hoyle, posted November 27, 2019

Norton have reported back to me that this is a false positive and they will remove the detection from their signatures.
dummzeuch, posted November 27, 2019

I just submitted all installers to Kaspersky and the ones for 10.3 and 2007 to BitDefender (I won't submit the other 14 to BitDefender because they make it too difficult). I guess I also need to submit them to Microsoft.
dummzeuch, posted November 27, 2019

OMG, Microsoft is even worse than BitDefender; it takes several minutes to provide all the "information" they want. I submitted the installers for 10.3 and 2007 there too, but that's it. If anybody else wants to submit any others, go ahead.
dummzeuch, posted November 27, 2019

Kaspersky just started replying that these were false positives and will be corrected. There are still about 10 replies outstanding.
FredS, posted November 27, 2019

Quoting dummzeuch (2 hours earlier): "replying that these were false positives"

Sure doesn't increase my confidence; what about false negatives... 🙂
dummzeuch, posted November 28, 2019

Just got an answer from Microsoft:

Quote:
    gxrs10.3_1.3.15_experimental-twm_2019-11-23.exe
    Submission ID: 9b7297aa-da98-4127-936c-3cc33c275442
    Status: Completed
    Submitted by: <my email>
    Submitted: Nov 27, 2019 17:05:41
    User Opinion: Incorrect detection
    Analyst comments: The submitted files do not meet our criteria for detection. No detection will be added for these files.
    More detailed information about the approach and criteria categories currently used by the Microsoft researchers are available here: https://www.microsoft.com/en-us/wdsi/antimalware-support/malware-and-unwanted-software-evaluation-criteria
    Thank you for contacting Microsoft.

Now that's useful ... not!
Fr0sT.Brutal, posted November 28, 2019

Maybe using new Inno versions will help?
dummzeuch, posted November 28, 2019

Apparently Microsoft has changed something. I just updated to the current virus definitions and the installers are no longer classified as a virus. So that takes care of Microsoft and Kaspersky and possibly Norton / Symantec.

Which other virus scanners are popular and currently detect false positives with GExperts?
Anders Melander, posted November 28, 2019

Quoting dummzeuch (11/27/2019 at 8:15 AM):
    About digitally signing the installers (and probably the executables): I've never done that. As I understand it, it would require a certificate which
    1. Costs money
    2. Is valid for a limited time only
    3. Then will cost money again to renew

Completely OT, but in Denmark every citizen has a personal certificate issued by the state for verification of online identity etc. This was introduced 20 years or so ago. In theory this certificate can be used for code signing (and I used to do so), but about ten years back the state outsourced the whole operation, implementation and infrastructure, to a private company (Nets DanID) which then introduced a solution called NemID (rhymes with GlemID and SlemID = ForgetID and BadID). NemID is still based on certificates, but it's so idiotically implemented that both the public and private keys are stored on the Nets servers. In other words: I don't have access to my own private keys and I have no control over who has access to them.

Sorry. I get really pissed off every time someone mentions certificates 🙂