Installer being detected as malware


Louis

May 11, 2022, 5:15:22 PM
to innosetup
Hello,
I have the problem that the installers I make are getting flagged as a virus by Windows Defender and Microsoft Edge and users can't download them anymore as Edge blocks them and Windows Defender instantly deletes them. This only happens with version 6.2.1, installers built with 6.2.0 work fine.
VirusTotal scan of the same installer, one built with 6.2.1 and the other one with 6.2.0:
As you can see in the scan, both get flagged, but the newer one gets flagged by Microsoft, which causes the issues mentioned above. The flags by other antiviruses aren't that important.
Is there any fix to this? Maybe a setting I need to change?
Louis

Eivind Bakkestuen

May 11, 2022, 10:45:25 PM
to inno...@googlegroups.com
As you will have seen from many previous discussions in this group, the only way forward is to submit your installers to the antivirus vendors, who can then test and whitelist them.


Louis

May 12, 2022, 7:57:19 AM
to innosetup
That's very unfortunate.
But there must have been some change, right? Why does it only get detected when built by the new version?

Gavin Lambert

May 12, 2022, 7:11:22 PM
to inno...@googlegroups.com
On 12/05/2022 23:57, Louis wrote:
> That's very unfortunate.
> But there must have been some change, right? Why does it only get
> detected when built by the new version?

Because somewhere, someone also used that version of Inno Setup to
package their malware, and the antivirus vendors were not sufficiently
careful when generating signatures for it, so it matches the installer
component and not just the malware payload.

You can reduce false positives somewhat by also signing your installer
(this may not be instant, some vendors accord trust progressively over
time), but officially submitting a sample as a false positive is
recommended whenever something is falsely flagged.

Bill Stewart

May 18, 2022, 3:41:11 PM
to innosetup
I would add that there are some very obvious notes right at the top of the web interface of this forum:

Please do not post messages about your antivirus program here but contact its vendor instead.

Before asking a question, please try the Search function.

I guess these notices just aren't big and bold enough...