Inno Setup 6.0.3 triggers virus alert (Trojan.Dropper)


Mike Dogan

Nov 17, 2019, 5:11:33 AM
to innosetup
Some users let us know that our installer (Inno Setup 6.0.3) triggers a virus alert with Malwarebytes 4.0.4. We already confirmed this.

The detected malware is supposed to be "Trojan.Dropper" -> https://blog.malwarebytes.com/detections/trojan-dropper/

We did a full scan of our systems, of course, and it showed that the original version of our software does NOT trigger the alert. Only if Inno Setup is used to wrap it does the resulting installer file trigger this alert, so it is related to Inno Setup.

Is this a known issue yet?

Kind Regards,
Mike

Mike Dogan

Nov 18, 2019, 4:35:39 AM
to innosetup
We are using version 6.0.2 now which does not trigger a virus alert. This happens on 6.0.3 only.

Eivind Bakkestuen

Nov 18, 2019, 7:41:07 PM
to inno...@googlegroups.com
First - somebody really should put this as the top entry in the InnoSetup FAQ.

There is a never-ending number of false detections, which happen because virus and malware authors also use InnoSetup. And the anti-virus/malware authors bungle the detection; they detect the presence of the installer instead of the bad payload.

The only thing that can be done is for you to supply your installer to the errant anti... authors so they can fix the false detection. Nobody else can fix it for you.



On Mon, Nov 18, 2019 at 7:35 PM Mike Dogan <m...@europe.com> wrote:
We are using version 6.0.2 now which does not trigger a virus alert. This happens on 6.0.3 only.

--
You received this message because you are subscribed to the Google Groups "innosetup" group.
To unsubscribe from this group and stop receiving emails from it, send an email to innosetup+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/innosetup/2f4b77cf-62f0-4c48-84f5-d739f306104f%40googlegroups.com.

mark...@gmail.com

Feb 29, 2020, 12:59:13 PM
to innosetup
Eivind...

I'm new at this, could you possibly explain how to accomplish what you suggest with regard to notifying the anti-authors?

Also, would you suggest using another installer besides Inno and if so, do you have any recommendations?

I can't get my users to download the installation file (Inno created) for our program, which on its own does not trigger any detections of malicious code.

Thanks in advance,


Mark


Bill Stewart

Mar 3, 2020, 11:23:49 AM
to innosetup
On Saturday, February 29, 2020 at 10:59:13 AM UTC-7, mark...@gmail.com wrote:

I'm new at this, could you possibly explain how to accomplish what you suggest with regard to notifying the anti-authors?

That depends on the vendor of the software that is triggering the false positive.

Search the web for "vendorname report false positive" (replace "vendorname" with the vendor's name, naturally).

A number of vendors (such as Symantec) have a form you can fill out and a way to submit the false positive.

As Eivind pointed out - this is not really an Inno Setup question and something you need to do on your own.

Bill

mark...@gmail.com

Mar 3, 2020, 11:56:25 AM
to innosetup
Thanks for the response Bill... I did some searches and discovered a few things that might help others looking to solve a similar issue.

First off, Google runs a website called VirusTotal that you can run your program through. It uses 72 AV engines from the various vendors to analyse your code and then presents the results for you to see which vendors are detecting your code as a false positive.


If you sign up (free) with VirusTotal they then send you a list (via email) of all the vendors and their submission links to report false positives. So far I've cleared 7 out of 23 vendors in less than 48 hours, and the process, while a bit cumbersome, is relatively painless. I selected the largest recognizable names first and submitted to them, which I assume covers 80% of the market at least. I will apply next to the smaller names that I don't recognize just to be thorough, but I assume their market share is minimal.

I was also able to determine that my MC_Setup.exe file was the one generating the detections and not my actual program, which I ran through in a separate test with zero false positive detections.

Each vendor's submission process has its own quirks and idiosyncrasies but, aside from being tedious, presented no real challenge.

Hope this helps someone else struggling with this...

I had hoped that VirusTotal might be a central clearing house where you could submit once and all of the vendors would then be notified (which is really what's needed), but in their email to me they made it clear they were a monitoring test bench only, with zero reporting to any of the vendors. However, they DID SUGGEST using the VirusTotal URL generated for your code examination in your submissions to the vendors, which I did.
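The workflow Mark describes above (scan the installer and the bare program separately, then work out which engines flag only the wrapped installer and need a false-positive report) can be scripted once you have the scan reports saved as JSON. The example below is added here and is not code from the thread, from VirusTotal or from Inno Setup. It assumes the layout of a VirusTotal API v3 file object (`data.attributes.last_analysis_results`, each entry with a `category` and `result`); the two reports embedded in it are constructed by hand with invented engine names, and the payload report deliberately has one engine (`EngineC`) that also flags the bare program, so that the script separates "installer-only" detections (report these as false positives, quoting the scan URL) from "both" detections (look at the program itself first). The SHA-256 helper gives you the hash that the scan report and the vendor forms identify the file by.

```python
"""Triage installer vs. payload scan reports to build a false-positive worklist.

Added example, not part of the thread. The JSON shape below follows the
VirusTotal API v3 file object as documented publicly; the two sample reports
are CONSTRUCTED here and every engine name and verdict in them is invented.
"""
import hashlib
import json
from pathlib import Path

# Categories a vendor uses when its engine flags the file.
DETECTING = {"malicious", "suspicious"}


def sha256_of_bytes(data: bytes) -> str:
    """Hex SHA-256 of an in-memory blob (what scan reports key files by)."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path) -> str:
    """Hex SHA-256 of a file, read in 1 MiB chunks so large installers fit."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def load_report(path) -> dict:
    """Load a saved API v3 file object (e.g. a report downloaded as JSON)."""
    return json.loads(Path(path).read_text(encoding="utf-8"))


def flagged_engines(report: dict) -> list:
    """Sorted (engine, verdict) pairs for every engine that flagged the file."""
    results = report["data"]["attributes"]["last_analysis_results"]
    return sorted(
        (name, entry.get("result") or "")
        for name, entry in results.items()
        if entry.get("category") in DETECTING
    )


def split_detections(installer_report: dict, payload_report: dict) -> dict:
    """Partition flagging engines by whether they hit the installer, the
    bare program, or both. Only 'installer_only' is a wrapper false positive."""
    inst = {name for name, _ in flagged_engines(installer_report)}
    payl = {name for name, _ in flagged_engines(payload_report)}
    return {
        "installer_only": sorted(inst - payl),
        "both": sorted(inst & payl),
        "payload_only": sorted(payl - inst),
    }


def false_positive_worklist(installer_report: dict, payload_report: dict) -> list:
    """(engine, verdict) pairs to send false-positive reports to, with the
    verdict string each vendor printed so it can be quoted in the form."""
    verdicts = dict(flagged_engines(installer_report))
    split = split_detections(installer_report, payload_report)
    return [(name, verdicts[name]) for name in split["installer_only"]]


def _report(stats, results):
    # Constructed sample in the assumed API v3 layout; the id is a placeholder.
    return {"data": {"id": "<sha256-placeholder>", "type": "file",
                     "attributes": {"last_analysis_stats": stats,
                                    "last_analysis_results": results}}}


SAMPLE_INSTALLER_REPORT = _report(
    {"malicious": 2, "suspicious": 1, "undetected": 3, "harmless": 0},
    {"EngineA": {"category": "malicious", "result": "Trojan.Dropper"},
     "EngineB": {"category": "malicious", "result": "Gen:Variant.Dropper"},
     "EngineC": {"category": "suspicious", "result": "Heuristic.Packed"},
     "EngineD": {"category": "undetected", "result": None},
     "EngineE": {"category": "undetected", "result": None},
     "EngineF": {"category": "undetected", "result": None}},
)

SAMPLE_PAYLOAD_REPORT = _report(
    {"malicious": 0, "suspicious": 1, "undetected": 5, "harmless": 0},
    {"EngineA": {"category": "undetected", "result": None},
     "EngineB": {"category": "undetected", "result": None},
     "EngineC": {"category": "suspicious", "result": "Heuristic.Packed"},
     "EngineD": {"category": "undetected", "result": None},
     "EngineE": {"category": "undetected", "result": None},
     "EngineF": {"category": "undetected", "result": None}},
)


if __name__ == "__main__":
    split = split_detections(SAMPLE_INSTALLER_REPORT, SAMPLE_PAYLOAD_REPORT)
    print("installer only :", split["installer_only"])
    print("both files     :", split["both"])
    print("payload only   :", split["payload_only"])
    for engine, verdict in false_positive_worklist(SAMPLE_INSTALLER_REPORT,
                                                   SAMPLE_PAYLOAD_REPORT):
        print(f"report false positive to {engine} (verdict: {verdict})")
```

To use it on real files, save the API v3 JSON for the installer and for the bare program, call `load_report()` on each, and feed the pair to `false_positive_worklist()`; `sha256_of_file("MC_Setup.exe")` gives the hash to paste into each vendor's form alongside the scan URL. An engine that lands in `"both"` is not a wrapper false positive and is worth investigating in the program itself before contacting the vendor.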