One of the two named binaries, the .exe, is Synchronous (Check Exit Code), Deferred Execution, MSI Type Number 1058.

The other named binary is a .dll, which detects the presence of a third-party app.  It runs in both the UI and Execute sequences.

The Custom Actions are comprised of primarily C# Code.

No idea if you're still having issues with this, but I had the exact same issue as you, when compiling through Visual Studio, and deploying a package to another machine. Defender would block those CA files. Knowing how much frustration I went through trying to figure out a solution to this, I remembered your post and thought I might come back and share.
As you might have guessed, I have solved this issue at our end. I did so by manually adding a rebuild after signing the .dll in a Post-build event. I had to upgrade to WixToolset 4. But other than that, it now works like a charm.

I found the final hint on this page:
https://wixtoolset.org/docs/tools/dtf/

I figured out what happens when Wix builds those CA projects, which sadly doesn't work with signing (not in Visual studio at least):
When visual studio builds a CA project, it first makes the CustomAction.dll, then Wix uses MakeSfxCA.exe to create a file called CustomAction.CA.dll which contains CustomAction.dll.
If you have a Post-Build event, that signs both files, it won't work, because the unsigned .dll is already packed into the CA.dll.
Now, the thing I did to solve this, was to delete the CA.dll. Make sure the CustomAction.dll file is signed, then run the MakeSfxCA.exe again Post-Build. This will produce a new CustomAction.CA.dll, which now contains a SIGNED version of your CustomAction.dll. Defender should now have no issues with your CA.

Otherwise, take a look at the article I linked. All the commands for custom compiling are in there.

Good luck!

@Locil95 WOW, that is super helpful and critical information! 

So, you compile, sign the base.dll, delete the baseCA.dll, then run MakeSfxCA to repackage the now signed base.dll.  Did you then sign the resulting baseCA.dll again?

I'll mock up a project to ensure that everything is working properly with the scripted compile of the CA .dll.

Thanks so much for this info!!

@Locil95 

The fun part for me is going to be verifying the changes.  I wasn't able to reproduce the detections seen in the field as I've come to learn we don't have/utilize a robust version of Windows Defender.

So, I have to first mock up something that is detected due to the lack of a signature, make the changes you provided, then test.  If all good, I can proceed to make the changes for our actual installs.  Sadly, mocking up the detection and how-to is beyond the scope of this discussion I'm afraid.

I was able to provoke a block from defender with every freshly build CA/ msi packed file. (We use the CA files in a MSI on install). On install, defender will block the CA file within the MSI Install, but only once. Defender will scan the file, realize that it is harmless, and won't block a file with that SHA256 value again. Rebuilding the CustomAction.dll inside, will renew the SHA256 value and defender will block the file again, once.

So if we ran the installer until defender had scanned all our CA steps, the install would succeed... Until the next version/next build.

The strange thing is that not all of our CAs were flagged by Defender.  We have many and only 4 or 5 were flagged.  Some were listed as the actual .exe name and I think these were from a few SUPPORTDIR CAs.  The others were .tmp which I'm assuming are some actions from the Binary table.

Maybe they we're scanned and already whitelisted. I honestly can't say for sure.

I literally have one MSI installer containing 3 CA, which each has a very simple .dll, which all were flagged by defender with each fresh build (different SHA256 value). So I didn't have the biggest dataset to go by.

Also, I had to contact another department to get to look into our defender.... until they got too bothered by me asking every 2minutes, then they gave me read access. Which is when I really made some discoveries as to what was happening 😅

Can't say for sure what is happening on your end. All I know is that for us, defender blocks .dll and .exe files for sure, that it doesn't know of the first time... scans it... if it's fine, it let's it run from there on 🤷‍:male_sign:

So, I'm finally getting around to trying this out and things are ok to this point.

del /f "$(TargetDir)CustomAction1.CA.dll"
powershell.exe -file "C:\Install Source\Digital Signature\Signer.ps1" -fileName "$(TargetPath)"
C:\Nuget.exe\nuget.exe install WixToolset.Dtf.CustomAction -OutputDirectory $(ProjectDir)obj\.nuget\

The .CA.dll is deleted, the base .dll is signed, and the WixToolset.DTF.CustomAction kit is installed.

I have a question about the next phase....

Is this all one command...

$(ProjectDir)obj\.nuget\WixToolset.Dtf.CustomAction.4.0.2\tools\WixToolset.Dtf.MakeSfxCA.exe "$(TargetDir)$(TargetName).CA.dll" "$(ProjectDir)obj\.nuget\WixToolset.Dtf.CustomAction.4.0.2\tools\x86\SfxCA.dll" "$(TargetPath)" "$(TargetDir)CustomAction.config" "$(TargetDir)WixToolset.Dtf.WindowsInstaller.dll"

When I run the post build with all of that as a single command, I get this...

1>EXEC : error : Invalid argument: No CA or UI entry points found in module: C:\Temp\WiXSigningTest\CustomAction1\bin\Release\CustomAction1.dll

My Custom Action Code looks like this...

namespace CustomAction1
{
public class CustomActions
{
[CustomAction]
public static ActionResult WiXSigningTest(Session session)
{
session.Log("Beginning signed CA test...");

MessageBox.Show("DLL launched!");

session.Log("Test Successful!");

return ActionResult.Success;
}
}
}

I read something about making it a public static class, but that didn't seem to make a difference.

Any idea what might be wrong here @Locil95 ?

Oh and I should mention that the custom action is WiX 3x, I believe, but the toolset is 4.0.3.  I wonder if that could be the issue.  If so, ill have to look into upgrading WiX itself to 4x I guess.  And if I have to do that, is the transition from 3 to 4x seamless?

I see now that...

$(ProjectDir)obj\.nuget\WixToolset.Dtf.CustomAction.4.0.2\tools\WixToolset.Dtf.MakeSfxCA.exe "$(TargetDir)$(TargetName).CA.dll" "$(ProjectDir)obj\.nuget\WixToolset.Dtf.CustomAction.4.0.2\tools\x86\SfxCA.dll" "$(TargetPath)" "$(TargetDir)CustomAction.config" "$(TargetDir)WixToolset.Dtf.WindowsInstaller.dll"

... is all one command.  I did get it to generate the .CA.dll once, but I must have changed something and now its not working again, but I'm getting closer!

I wonder how much the architecture of the SfxCA.dll used in the commands matters.

Dang it!  Stumped!  Here are my current Post-build events...

del /f "$(TargetDir)$(TargetName).CA.dll"
powershell.exe -file "C:\Install Source\Digital Signature\Signer.ps1" -fileName "$(TargetPath)"
C:\Nuget.exe\nuget.exe install WixToolset.Dtf.CustomAction -OutputDirectory $(ProjectDir)obj\.nuget\
"$(ProjectDir)obj\.nuget\WixToolset.Dtf.CustomAction.4.0.3\tools\WixToolset.Dtf.MakeSfxCA.exe" "$(TargetDir)$(TargetName).CA.dll" "$(ProjectDir)obj\.nuget\WixToolset.Dtf.CustomAction.4.0.3\tools\x86\SfxCA.dll" "$(TargetPath)" "$(TargetDir)CustomAction.config" "$(TargetDir)WixToolset.Dtf.WindowsInstaller.dll"
powershell.exe -file "C:\Install Source\Digital Signature\Signer.ps1" -fileName "$(TargetDir)$(TargetName).CA.dll"

The initial .dll is getting signed, toolset is getting installed (or detected as already installed), but making the .CA.dll is crapping out with...

EXEC : error : Invalid argument: No CA or UI entry points found in module: C:\Temp\WiXSigningTest\CustomAction1\bin\Release\CustomAction1.dll

Hmm... I don't remember which errors I got, but I know that I had to upgrade all Wix Projects, including the CustomActions to WiX 4x. I was not able to get it to work with WiX 3x.

I used this tooling/template package called HeatWave from FireGiant to upgrade/recreate the projects:
https://wixtoolset.org/docs/fourthree/
https://www.firegiant.com/docs/heatwave/

Try upgrading and run the commands again. If it's that same, I'll try digging.

Thanks so much for that info.  I've installed the 2019 VS HeatWave extension, but I don't see the Upgrade to WiX v4 menu option.  Thought maybe a VS restart, but still nothing.

I don't think I used a menu option. I used a command for the WiX installation project, and then I recreated the CustomAction projects from scratch using the templates from HeatWave. Then manually copied the logic from the old WiX 3x CA Projects, into the new 4x Projects.

Yeah, after posting the menu option question, I went ahead and recreated my test .dll from scratch with v4.  That compiled successfully but runtime problems so more hunting...

Error 1723. There is a problem with this Windows Installer package. A DLL required for this install to complete could not be run. Contact your support personnel or package vendor. Action WiXSigningTest, entry: WiXSigningTest, library: C:\Users\BUILDU~1\AppData\Local\Temp\MSI25C4.tmp

I have an InstallShield Basic MSI project and I'm just pointing to the new .dll for the custom action, but failure - is there anything that has to be done to the installation itself I wonder.