Archive: 2.35 nsExec Trojan.Win32.Agent.fqk Kaspersky false positive
Takhir
21st February 2008 08:04 UTC
2.35 nsExec Trojan.Win32.Agent.fqk Kaspersky false positive
Just to keep you informed - I've sent a report to Kaspersky Labs, and they confirmed the 'false positive' situation and promised to fix this soon. It can be reproduced with a simple script:
Name "nsExec Test"
OutFile "nsExec Test.exe"
ShowInstDetails show
Section "MakeNSIS commands help"
; ExecDos::exec '"c:\qstar\bin\helper.exe" inssvc stop' "" "$EXEDIR\helper.log"
nsexec::exec '"c:\qstar\bin\helper.exe" inssvc stop'
Pop $0
DetailPrint " c:\qstar\bin\helper.exe Return value: $0"
SectionEnd
ExecDos did not cause any problems (today :) ).
The antivirus alert was on a tmp file during nsExec.dll extraction to the temporary dir.
kichik
22nd February 2008 09:25 UTC
Will this automatic stuff ever stop? We should add all NSIS files into the default Windows installation or something...
Takhir
22nd February 2008 14:28 UTC
False positive fixed in today's update from Kaspersky.
If I correctly understood kichik's note about 'c:\qstar\...': now in the script
#InstallDir "$PROGRAMFILES64\${SHORT_NAME}"
InstallDir "C:\${SHORT_NAME}"
both root and $PROGRAMFILES were tested, and I really don't like all these Pythons, MinGW and others installing to the disk root, but the executive director says this is better and so it is. :)
kichik
22nd February 2008 14:36 UTC
I wasn't referring to your script. I was complaining about the automatic process anti-virus companies use that causes all of these false positives. Then I went on to "suggest" a solution of including all NSIS files in the default installation of Windows because surely they check for false positives on those.
kalverson
16th April 2008 18:00 UTC
Several of our testers are getting a hit on Trojan.Win32.Agent.jkv. Is there a way to identify/capture the tmp file to send in to Kaspersky? We need to get past this if it is a false positive.
From AV Log
C:\DOCUME~1\lmeadows\LOCALS~1\Temp\nsb32.tmp\ns33.tmp;is a Trojan
Trojan.Win32.Agent.jzv;4/15/2008 9:34:31 AM
This seems to be repeated for 10 temporary files during the install. An AV scan of the machines' HD, once the install completes, does not seem to find any trace of this virus.
kalverson
16th April 2008 19:18 UTC
A co-worker has identified that nsExec.dll is the problem. A quote from my co-worker:
We've secretly replaced our fine ground nsExec coffee with Folger's ExecWaits. Let's see if Kaspersky notices...
No, Kaspersky isn't complaining at all. No ugly red windows popping up.
kalverson
21st April 2008 13:19 UTC
In case anyone is interested, we resolved this problem by extracting the nsExec.dll from NSIS 2.36 and using that instead of the one from NSIS 2.29. There was a fix, so apparently it is no longer identified as a false positive in version 2.36 by Kaspersky.
kalverson
21st May 2008 13:51 UTC
This worked for a while. A new virus report has come in from the latest build today. Here is the information reported: I received anti-virus alert that trojan program "Trojan.win32.Agent.muq" was detected.
file ns88.tmp
nsfis
29th July 2008 12:27 UTC
The same happens here. Our users are reporting a problem with Avast antivirus. Currently we are using NSIS 2.37; it is OK when we use nsexec.dll from NSIS 2.29. In fact, the problem is not with nsexec.dll but with its temporary copy (e.g. ns6A.tmp), which is different only in 4 bytes. Does anyone know why NSIS creates a modified temporary copy of nsexec.dll?
Anders
29th July 2008 12:49 UTC
IIRC the nsexec copy is an exe and not a dll
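
Added example, not part of the original thread or of NSIS: a Python check for the two observations above (a temporary copy that differs from nsexec.dll in only a few bytes, and a copy that is an exe rather than a dll). It maps every differing byte to a PE header field and reads the IMAGE_FILE_DLL flag. The sample images are constructed header stubs, and the field values in them are assumptions, not taken from a real nsExec build.

```python
import struct

IMAGE_FILE_DLL = 0x2000  # Characteristics bit that marks a PE image as a DLL

def pe_fields(data):
    """Map a few PE header fields to (file offset, size in bytes)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = pe + 24  # 4-byte signature + 20-byte file header
    return {
        "Characteristics": (pe + 22, 2),
        "AddressOfEntryPoint": (opt + 16, 4),
        "CheckSum": (opt + 64, 4),
        "Subsystem": (opt + 68, 2),
    }

def is_dll(data):
    """True if the image's Characteristics field has IMAGE_FILE_DLL set."""
    off, _ = pe_fields(data)["Characteristics"]
    return bool(struct.unpack_from("<H", data, off)[0] & IMAGE_FILE_DLL)

def diff_report(original, copy):
    """Return [(offset, field name or None)] for every byte that differs."""
    if len(original) != len(copy):
        raise ValueError("files differ in size; a byte diff is not meaningful")
    fields = pe_fields(original)
    report = []
    for i, (a, b) in enumerate(zip(original, copy)):
        if a != b:
            name = next((n for n, (o, s) in fields.items() if o <= i < o + s), None)
            report.append((i, name))
    return report

def sample_image(characteristics, entry_point):
    """Constructed 512-byte header stub for the demo; not a real nsExec.dll."""
    buf = bytearray(512)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x80 + 22, characteristics)
    struct.pack_into("<I", buf, 0x80 + 24 + 16, entry_point)
    return bytes(buf)

# Constructed values: which fields the real temporary copy changes is an assumption.
DLL_IMAGE = sample_image(0x210E, 0x1000)
TMP_COPY = sample_image(0x010F, 0x1A2B)

if __name__ == "__main__":
    print("dll flag:", is_dll(DLL_IMAGE), "->", is_dll(TMP_COPY))
    for offset, field in diff_report(DLL_IMAGE, TMP_COPY):
        print(f"0x{offset:04x}  {field or 'outside tracked header fields'}")
```

For real files, pass the bytes of nsexec.dll and of the captured temporary copy (read with `open(path, "rb").read()`) to `diff_report` and `is_dll`.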