MarkStansfield
Level 3

VirusTotal.com indicates Virus detection in setup.exe InstallShield Express 2019 R2

We have recently moved to InstallShield Express 2019.

A customer noticed recent setup files we build are flagging on his ESET virus protection as containing Malware. Having researched this I performed a scan on virustotal.com on the setup.exe and it does indeed flag some detected issues.

  1. I stripped all my files & redistributables; the scan still failed on virustotal.com with 5 issues.
  2. I started a new project, effectively blank of any files, and built a single image.
  3. I then scanned this empty build on virustotal.com and it again fails on quite a few.

Old setup files do not have any issue when scanned.

My build PC is running Sophos and I have scanned that. I am pretty sure it's a false positive, but it is going to be an issue for many users.

Anyone else noticed this? Or have a solution?

Thanks in advance for any advice.

(4) Replies
banna_k
Revenera

Hi @MarkStansfield,

Nothing to worry about here. Basically, antivirus software has its own virus definitions and algorithms to identify threats to the system, and these virus definitions/rules are updated almost daily to cope with the latest threats. Usually, antivirus software continuously monitors system changes and blocks a suspicious executable if it is not authorized to make those system changes according to their definitions. Some of the system changes monitored by antivirus software are copying and creating files, spawning new processes, network communication, changing system policies, accessing the system registry, downloading files, etc. Installer software does all of these during the course of an installation. So, the only way to get rid of this is to make it authorized, or to update the respective antivirus software's definitions through their reporting channel.

  • Ensure you sign the setup installer and its payloads to prove the identity of where it is coming from, and ensure you renew the certificate every year.
  • Report the false-positive detection to the respective antivirus software company through their reporting channel. While reporting, start with the widely used antivirus software companies, because mostly the others will follow the leaders in this market.
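One way to turn the two recommendations above (sign everything the build produces, and collect what an antivirus vendor's false-positive form asks for) into a repeatable build step. This is an added example, not code from this thread and not Flexera/Revenera tooling; it assumes a build-output folder (`$BuildRoot`, a made-up path), a code-signing certificate in the `CurrentUser\My` store identified by a placeholder thumbprint, and a public RFC 3161 timestamp server.

```powershell
# Added example: audit InstallShield build output for Authenticode signing status,
# sign what is unsigned, and produce a hash report for false-positive submissions.
# Assumptions: $BuildRoot and $CertThumbprint are placeholders; replace them.
param(
    [string]$BuildRoot      = 'C:\Builds\MyProduct',            # assumed output folder
    [string]$CertThumbprint = 'REPLACE_WITH_YOUR_THUMBPRINT',   # placeholder thumbprint
    [string]$TimestampUrl   = 'http://timestamp.digicert.com',  # public RFC 3161 TSA
    [int]$RenewWarnDays     = 60
)

# 1. Check the signing certificate first; an expired or soon-to-expire certificate
#    is exactly the "renew it every year" point from the reply above.
$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object Thumbprint -eq $CertThumbprint
if (-not $cert) { throw "Signing certificate $CertThumbprint not found in CurrentUser\My" }
$daysLeft = ($cert.NotAfter - (Get-Date)).Days
if ($daysLeft -lt 0) { throw "Certificate expired on $($cert.NotAfter)" }
if ($daysLeft -lt $RenewWarnDays) { Write-Warning "Certificate expires in $daysLeft days; renew it" }

# 2. Enumerate every setup launcher and MSI the build produced.
$artifacts = Get-ChildItem -Path $BuildRoot -Recurse -Include setup.exe, *.msi -File

$report = foreach ($file in $artifacts) {
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName

    # 3. Sign anything that is unsigned or signed by a different certificate.
    #    The timestamp lets the signature stay valid after the certificate expires.
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Thumbprint -ne $CertThumbprint) {
        $sig = Set-AuthenticodeSignature -FilePath $file.FullName -Certificate $cert `
                                         -HashAlgorithm SHA256 -TimestampServer $TimestampUrl
    }

    # 4. Record the fields a vendor false-positive form typically asks for:
    #    full path, SHA-256, signature status and signer.
    [pscustomobject]@{
        Path        = $file.FullName
        SHA256      = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
        Status      = $sig.Status
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'none' }
        Timestamped = [bool]$sig.TimeStamperCertificate
    }
}

# 5. Show the result and keep a CSV next to the build for the submission.
$report | Format-Table -AutoSize
$report | Export-Csv -Path (Join-Path $BuildRoot 'signing-report.csv') -NoTypeInformation
```

Run it after the InstallShield build completes and before the output is published. Re-running the script after a signature or definition change is cheap, so the CSV also gives you a before/after record when you submit the same files to a vendor a second time.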

Hi,

Thank you for taking the time to reply, it is appreciated.
I did read your suggestion also on other forums.
The issue only seems to have come in with InstallShield Express 2019; the false positive is flagged by a number of providers specifically on the setup launcher (setup.exe) bundled with a setup build.
If a build is done for CDROM, where all files are separated & not compressed into one setup.exe file, it is the Flexera setup.exe that flags as the suspect file.
I appreciate your suggestions as a possible workaround, but whatever is compiled in the newer setup.exe is causing the problem - so it would need to be resolved/updated or registered by Flexera as not malicious for the good of all.

With regards,

Mark
Dennis_Marks
Level 4

We are now seeing this with InstallShield Premier 2019. We are also seeing it in Cisco AMP. Not all the setup.exe are basic MSI with no redist added.
Files are flagged under Cisco AMP Endpoint Protect Policy: 6.3.7

C:\... STK 11.7.0\STKSEET\v11.7.0\setup.exe
C:\... STK 11.7.0\STKUiPlugins\v11.7.0\ArcGIS_REST\v.11.7.0\setup.exe
C:\... STK 11.7.0\STKUiPlugins\v11.7.0\NavFiles\v11.70\setup.exe
C:\... STK 11.7.0\STKUiPlugins\v11.7.0\SpectrumAnalyzer\v11.7.0\setup.exe
C:\... STK 11.7.0\STKUiPlugins\v11.7.0\STKCSMLExporter\STKCzmlExporter_v11.7.0\setup.exe
C:\... STK 11.7.0\STKUiPlugins\v11.7.0\WMS\v11.7.0\setup.exe
C:\... STK 11.7.0\STK_Engine_Resources\v11.7.0\setup.exe
C:\... STK 11.7.0\STK_Parallel_Computing\v11.7.0\setup.exe
C:\... STK 11.7.0\STK_Planetary_Data_Supplement\v11.7.0\setup.exe


Flexera are telling me to submit my installs to providers flagging the false positives, which is clearly not a solution.

I have at least 9 setups; by the same token that would mean you should also register all your setups with the growing number of providers that are flagging the setup.exe file generated as part of the setup build as malware.

Flexera need to look into why it is being flagged. I had the same problem once back in the day with a C++ application flagging as an issue with a virus checker. It turned out I had some release build compiler settings incorrect, leaving some debug symbols in place, and the virus checkers did not like it. Once changed & rebuilt, all was clear. Something built into that setup.exe is causing the issue.

Mark
