Archive: protection for installer ?


protection for installer ?
Hey,

In the last few weeks, the server where my installer is was hacked twice, and a virus/trojan was injected into my installer.

How can I protect my installer to display an error or warning message if the size / others / MD5 has been changed?

Thanks,
OJi.


Use the CRCCheck command. However, it happens quite often that antivirus software reports NSIS installers as malware, even if not true. You will find many postings of false positives in these forums.


Also, you can use signcode/signtool to Authenticode sign your binary, to ensure it is not tampered with.

To read up on it:

http://www.microsoft.com/technet/arc....mspx?mfr=true


Or perhaps, a better link:
http://msdn.microsoft.com/en-us/library/ms537360.aspx


Thanks for the replies.

If I understand correctly, I need to buy a certificate. What if I do not have any company or money to pay for one?

A tutorial is (really) missing for all the signing/certificate stuff.

Thanks,
OJi.


NSIS installers are already protected by CRC checks. It would have to be a clever virus to recognize that the executable it is about to infect is an NSIS installer, and to infect it and to correct the CRC so that it passes (or to disable the CRC check but still leave the installer functional).

Don


My installer was virused and still did not display any CRC error.
The CRC check is not disabled in my installer.


I think you can self-sign the binary with the Authenticode stuff, but I think then it doesn't help you, as someone could self-sign your installer with a virus...

But if you are willing to pay for a cert, it's the way to go.
If you download Winamp, for example, you will notice that it's signed by "AOL", specifically:
Publisher: America Online, Inc

Also, for my company (Digi), we do pay for the cert each year, and then we sign literally every Windows binary we release with it.

If paying for the cert isn't an option...

Another thing you can do is what some people do...
Whether it's really perfect or not, I don't really know.
But you can post your binary and then also post the md5sum of the binary image.
You can tell users to compare the binary's md5sum against the one you post.
The only gotcha there is that if someone hacked into your server to add a virus to your binary, they surely can hack in and change the md5sum value as well.
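
Added example, not part of the thread: one way to act on the size/checksum idea and on the gotcha in the last post is to record the installer's size and digest on the build machine, keep that record off the download server, and compare every fetched copy against it. SHA-256 is used here in place of the MD5 mentioned above because MD5 is no longer collision resistant; the function names and sample bytes are constructed for illustration.

```python
import hashlib
import hmac
import os
import tempfile

def file_fingerprint(path, chunk_size=65536):
    """Return (size, sha256 hex digest) of a file, reading it in chunks."""
    h = hashlib.sha256()
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
            size += len(chunk)
    return size, h.hexdigest()

def make_manifest(path):
    """Run on the build machine; store the result away from the web server."""
    size, digest = file_fingerprint(path)
    return {"name": os.path.basename(path), "size": size, "sha256": digest}

def check_installer(path, manifest):
    """Compare a fetched copy with the trusted manifest; return what differs."""
    size, digest = file_fingerprint(path)
    problems = []
    if size != manifest["size"]:
        problems.append("size")
    if not hmac.compare_digest(digest, manifest["sha256"]):
        problems.append("sha256")
    return problems

def demo():
    """Constructed sample data: a clean build and two altered copies."""
    clean = b"MZ" + b"constructed installer payload " * 100
    same_size = clean[:-1] + b"!"       # one byte changed, length unchanged
    appended = clean + b"extra bytes"   # data added to the end of the file
    samples = [("clean", clean), ("same_size", same_size), ("appended", appended)]
    results = {}
    with tempfile.TemporaryDirectory() as d:
        paths = {}
        for name, data in samples:
            paths[name] = os.path.join(d, name + ".exe")
            with open(paths[name], "wb") as f:
                f.write(data)
        manifest = make_manifest(paths["clean"])  # trusted reference
        for name, p in paths.items():
            results[name] = check_installer(p, manifest)
    return results

if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "OK" if not problems else "CHANGED: " + ", ".join(problems))
```

The same-size case shows why a size check alone is not enough: only the digest catches a change that leaves the length untouched.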