Archive: NSIS created setup file contains suspicious code


NSIS created setup file contains suspicious code
I'm using the "AVIRA" anti virus software. Since the last update of the signature file I get the message "MyProgram_setup.exe contains suspicious code: HEUR/Malware".
MyProgram_setup.exe is created by NSIS, the source is VB.Net2008 code. This is the only program I created by NSIS. All older versions of the program, located in different zip-files, are also indicated by above message and only these programs are listed, no others.
Is something wrong with NSIS?
Thanks for your help.
Diedrich


It is just another false positive. Contact them about it.


NSIS should be for installation tasks, not detecting bad signatures to AntiVirus :)


I agree with Joel, but we must at least contact them about it or new users will get frightened away.


We need a server that'd upload all versions of NSIS including the plug-ins to daily tests on all known Anti-Virus products. Jotti and friends can be used for that. Once a false positive is detected, an automatic mail can be sent out.


Re: NSIS created setup file contains suspicious code
Scan your .NET exe there : www.virustotal.com


Re: Re: NSIS created setup file contains suspicious code

Originally posted by ionut_y
Scan your .NET exe there : www.virustotal.com
I checked my setup file (available at www.hesmer.name\ofb\files\ofb-setup_5.0.1.exe) by virustotal. 2 of 32 (AntiVir from AVIRA and Webwasher-Gateway) found Heuristic Malware. All programs packed in this setup are with no result.
Regards Diedrich

Originally posted by Joel
NSIS should be for installation tasks, not detecting bad signatures to AntiVirus :)
Sorry ... ,
I use NSIS for setting up a distribution file. But the resulted setup file was marked suspicious by an antivirus scanner.

Originally posted by kichik
We need a server that'd upload all versions of NSIS including the plug-ins to daily tests on all known Anti-Virus products. Jotti and friends can be used for that. Once a false positive is detected, an automatic mail can be sent out.
Dear kichik,
I need some advice what to do from a developer. In the meantime several users of my software informed me about finding heuristic malware after downloading the setup file from the server. The results of a check by virustotal.com you can find at the answer to ionut_y some minutes ago. Only the setup file created by NSIS is found faulty, not the files packed into the setup file.
Thanks in advance
Diedrich

You should contact the relevant anti-virus company and notify them of their mistake. They usually fix it within a few days.


Checking in that we had a few of our users noticing this problem. And by noticing, I say that they were blaming us for distributing a virus. :rolleyes:

We all agree here that it's nothing that NSIS has done wrong and is simply security software developers not checking the differences between NSIS running and the offending software. However, this causes problems because users have no concept of this. What we're asking users is to say that the program that protects them from the cyber-baddies is incorrect. While we certainly aren't trying to infect people with bad stuff, I don't see how they would trust us saying that.

So how do we fix this problem? Should we have a generic NSIS installer setup for security software manufacturers to check against? An installer where it compiles all the elements of NSIS but is already known as a safe program. Then security manufacturers can check against the known clean NSIS and see if the signature they are detecting is a false-positive.

This has been the third time this calendar year that something like this has come across our studio, so I'd like to start ways to make sure these false-positives don't happen.


Or you can change antivirus :)

There are good ones, without NSIS complaints. I never had problems with avast, nod32; both are commercial if that's what you want. There are also free ones.


Originally posted by Joel
Or you can change antivirus :)
Saying "Your antivirus sucks" is not a solution to give people contacting your support lines.

Originally posted by seg_telltale
Saying "Your antivirus sucks" is not a solution to give people contacting your support lines.
I agree with that, but why are the antivirus companies detecting NSIS as malware? If it doesn't fix it then aren't they neglecting the reports sent in?

Originally posted by kichik
You should contact the relevant anti-virus company and notify them of their mistake. They usually fix it within a few days.
I sent the affected file to AVIRA yesterday and got the answer right now. "No virus, just a false alarm. Will be eliminated within one of the next updates of the signature file".

Thanks to everybody
Diedrich

P.S. NSIS is an excellent product !!

seg_telltale, handing them a ZIP file with all of the files from all of the versions isn't good enough. They don't care. I have talked with some companies in the past and none of them were cooperative in any way. They will only fix the errors in their current definitions. And those are sometimes updated in a semi or even fully automatic fashion.

What we need is to make an automated system of our own that would notify them instantly of false positives in their database. If we create something good enough, we can even offer it to other open source projects that suffer from the same problem.
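
A sketch of the automated check proposed in the post above, added here as an example and not code from the NSIS project or any poster: it takes per-engine verdicts for builds known to be clean and produces one false-positive report per engine, skipping anything already reported. File names, engine names and verdicts are constructed sample data; fetching verdicts from a scanning service and sending the mail are assumed to happen elsewhere.

```python
import hashlib
from collections import defaultdict

# Constructed sample data: release artifacts we built ourselves and therefore
# know to be clean (byte strings stand in for real installer files).
KNOWN_CLEAN_BUILDS = {
    "example-setup-1.0.exe": b"constructed installer bytes v1.0",
    "example-setup-1.1.exe": b"constructed installer bytes v1.1",
}

# Constructed per-engine verdicts in the shape a multi-engine scan might
# return: {file name: {engine name: detection name, or None if clean}}.
SAMPLE_VERDICTS = {
    "example-setup-1.0.exe": {"EngineA": "HEUR/Malware", "EngineB": None},
    "example-setup-1.1.exe": {"EngineA": "HEUR/Malware", "EngineB": None,
                              "EngineC": "Suspicious.Gen"},
}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def find_false_positives(builds, verdicts):
    """Return (engine, detection, file name, sha256) for each hit on a known-clean build."""
    hits = []
    for name in sorted(builds):
        digest = sha256_hex(builds[name])
        for engine, detection in sorted(verdicts.get(name, {}).items()):
            if detection:  # None or empty means the engine reported the file clean
                hits.append((engine, detection, name, digest))
    return hits


def build_reports(hits, already_reported):
    """Group unreported hits into one report body per engine.

    The dedup key includes the detection name, so a renamed signature on the
    same file is reported again after a definitions update.
    """
    per_engine = defaultdict(list)
    for engine, detection, name, digest in hits:
        key = (engine, detection, digest)
        if key in already_reported:
            continue
        already_reported.add(key)
        per_engine[engine].append(f"{name} sha256={digest} flagged as {detection}")
    return {engine: f"False positive report for {engine}:\n" + "\n".join(lines)
            for engine, lines in per_engine.items()}
```

Persisting `already_reported` between daily runs keeps each vendor from receiving the same report twice.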