HelpNDoc

Any other Delphi download tagged as "Harmful Download" from Google?


Hello everyone,

 

A few hours ago, Google sent us a warning e-mail saying that HelpNDoc's installer was tagged as a "Harmful Download". Google Chrome (and Firefox) now blocks the download page: https://www.helpndoc.com/download

Obviously, the software is signed using a valid paid certificate, and considered safe according to:

 

We have requested a review from Google but a few hours later, we received a "Review failed" e-mail. It looks like we are not the only ones based on the posts on the official Google webmaster forum: https://productforums.google.com/forum/#!forum/webmasters

 

I see that the Delphi shop "greatis" seems to have the same problem (we do not use any of their components) but that makes me think that some other Delphi applications might be targeted: https://productforums.google.com/forum/#!topic/webmasters/CThwZ6Oq9Ck;context-place=forum/webmasters

 

Did you receive a similar security issue from Google?

 

Best regards,

 

John, HelpNDoc team.


We at PowerArchiver got hit Thursday afternoon. At first, Google Search Console did not show much info, so we were not sure what was happening, but soon after all of our pages and downloads were blocked via Chrome and Firefox for most users. I know Beyond Compare was hit as well, and one of their installers is still tagged.

 

From the little we can find out by our own analysis:

- Might be based on bad heuristics that are tagging many Inno Setups

- Only 2 Inno Setup based installers were tagged; 7-8 others on the same page were not, including Inno and MSI. One of them was a portable installer that just copied either x86 or x64 files to your folder. So it can't be doing anything smart to analyze installers.

- Certificate was fine. We contacted Digicert, they told us the certificate is valid, no complaints, and they even re-issued a new one.

- By morning next day, every file signed by our certificate was blocked by Chrome and Firefox as dangerous, no matter what it was.

- We deleted executables specified in our search console report and put up MSI based installer

- Review passed after that (took 10 hrs)

- At the same time we tried personal connections to many people at Chrome and Google security team. Might have helped as well as our previous installers were not tagged anymore. But it is a weekend, and we have not received any feedback directly.

 

In this new world when a company controlling 75% of the Internet can block software vendors with over 20 years of business experience and trusted publisher by all Antivirus companies with whitelisting service setup, and give you no way to even complain about "unwanted software" or explain the problems, we are now afraid to use anything open source that can be misused by someone else, such as Inno Setup or Nullsoft Installer.

 

We are looking to switch to only a commercial MSI based installer but there are features we need:

1. Bundle x86 and x64 in same bootstrapper. (MSI by default can't)

2. Multiple language support for bootstrapper (MSI by default can't)

 

We used to use AI exclusively, and it is great looking with an advanced bootstrapper, but we have had issues that users reported that could never be reproduced by us and the AI team, which led us to start using the much simpler Inno Setup.

 

Anyone has any suggestions with something they deployed to 100,000 of users with above features? I know InstallAware has those, but it does not look too professional. InstallShield Express might be a safe bet, but not sure if it has all the features?

 

 

Thanks!

 

 

 


I had a lot of issues with Norton/Symantec's SONAR technology and InnoSetup a few years back (it reported suspicious activity but would not say what) and submitted false positives to Norton/Symantec to get the issues fixed.

I think because Delphi is used by some to write viruses the security firms are being lazy and just identifying portions of RTL code rather than the actual virus code.

I did report what I had experienced to the maintainer of InnoSetup but I didn't get a response.

3 hours ago, David Hoyle said:

I had a lot of issues with Norton/Symantec's SONAR technology and InnoSetup a few years back (it reported suspicious activity but would not say what) and submitted false positives to Norton/Symantec to get the issues fixed.

I think because Delphi is used by some to write viruses the security firms are being lazy and just identifying portions of RTL code rather than the actual virus code.

I did report what I had experienced to the maintainer of InnoSetup but I didn't get a response.

 

A usual false positive is not really a problem, since you can report it to every AV company, even Chinese ones, and they will clear it fast... plus they take 2-3% of the market and only block exe installation or, in our case, a file in installation every 3 years. It is not a big deal, there are rules for how to handle it and it gets fixed.

 

Google blocks 75% of your internet users when it flags you and there is no way to find out why or to report it to anyone. There is simply no way to talk to anyone, and all of these cases I heard over the weekend are old school reputable companies that have been developing software for 10+ years, have thousands or hundreds of thousands of customers and have great standing in the community and with AV vendors.

 

They added some new functionality to block malware last week and did not even consider that it would affect legitimate software vendors nor build a way to report issues with it.

15 hours ago, dummzeuch said:

GExperts also uses InnoSetup. So far there are no problems that I am aware of.

 

8 hours ago, David Heffernan said:

Does that do msi? 

No, but somebody above mentioned problems with InnoSetup installers. That's why I wrote this.

Quote

I know InstallAware has those, but it does not look too professional.

The price is very professional ... Got an advertisement today. Very, very pricey.


Thank you for your feedback. I can confirm that HelpNDoc's download page and setup EXE were cleared by Google yesterday, after our third review request and more than 48 hours of blockage.

 

We didn't get any explanation as to what was problematic in the first place and Google's recommended Virus Total web-site didn't even report anything problematic with dozens of anti-viruses. As mentioned by spwolf, this Google decision blocks every user from Chrome AND Firefox (as they are using the same database) from downloading the software and accessing the download page, showing a scary red "malware detected" page instead. It doesn't help the software vendor understand what is wrong in any way.

 

Here is how Google (bots!) handled this issue:

  • On the 30th of November 10:09 GMT, we received multiple alerts from Google webmaster console that "Malicious or unwanted software were detected" on our company (ibe-software.com) and software (helpndoc.com) pages. It didn't include any explicit instructions or details about the problem and by browsing through the help pages, it was mentioned that VirusTotal.com was a trusted source for Google bots.
  • We confirmed that everything was fine with the download (MD5 + VirusTotal check) and immediately requested a review.
  • 3 hours later, the review failed for helpndoc.com only. This was the exact same message without any additional information. No news from ibe-software.com requests. We made some changes based on user supported Google webmaster forums such as removing redirects to CDN, creating a new release (re-build, re-package, re-sign...) and therefore changing the file name... and requested another review.
  • 6 hours later, the review finally came back and was successful for ibe-software.com, which linked to the exact same file.
  • 24 hours later, the review failed again for helpndoc.com yet it was clear for ibe-software.com. Once again, there wasn't any explanation from Google's automated e-mail message.
  • We had to wait another 24 hours for the third review on helpndoc.com to succeed and we do not even know why!

As we were clueless and it impacted multiple software vendors, we were able to make the following observations. Perhaps this could help other software vendors in case this happens again (fingers crossed):

  • The installer doesn't seem to be the problem: we are using Inno Setup but other reports suggest that other installers were impacted as well (Wise, nullsoft)
  • The code signing certificate doesn't seem to be the problem: we are using a recently renewed Comodo code signing certificate and have come across other applications using Comodo without this problem, and other applications using other certificate issuers with the same problem
  • The programming language COULD be the problem: we are using Delphi 10.1 Berlin and it looks like most applications are written using Delphi. Another impacted software vendor is using C++ Builder
  • Web-site technology such as SSL, redirections... doesn't seem to be the problem: only the download file is marked as malware (and therefore the pages linking to it) while Virus Total confirms that the download is fine

Here is the "most official" thread for this problem. Other software vendors are still waiting to get cleared: https://productforums.google.com/forum/#!topic/webmasters/CThwZ6Oq9Ck;context-place=starred

 

I fully understand that false positives happen from time to time and this wouldn't be such a problem if it only impacted some anti-virus software. But it is important to keep in mind that this decision from Google was blocking all users from Chrome and Firefox, which currently represent more than 71% of our traffic! I believe that software vendors should be concerned about this hegemonic Google situation. If you have any contact at Google, it might be worth raising this issue or talking about it to other software vendors to be able to better fight Google bots' decisions in the future.

 

Thanks to anyone who tried to help here, on Facebook or the Google thread.

7 minutes ago, HelpNDoc said:

If you have any contact at Google, it might be worth raising this issue

Might be worth to ping @Allen Bauer with that. I doubt there is anyone at Google with more knowledge about Delphi and the RTL.

1 minute ago, Uwe Raabe said:

Might be worth to ping @Allen Bauer with that. I doubt there is anyone at Google with more knowledge about Delphi and the RTL.

Thanks. Already did that as this is the only person I knew with both Delphi and Chrome experience. Didn't receive any answers from him yet. Not sure he has the time or ability to help but who knows...
