2. NSIS Discussion
  3. MUI_PAGE_LICENSE and Virus False Positive

Archive: MUI_PAGE_LICENSE and Virus False Positive


skiyaladerer
27th February 2009 04:30 UTC

MUI_PAGE_LICENSE and Virus False Positive
I am using NSIS 2.44 and whenever I include the

!insertmacro MUI_PAGE_LICENSE "License.txt"

in my script, my AntiVir Personal (Free) v.8.2.0.337 (on Windows XP SP3) claims the newly created setup file "Contains recognition pattern of the DR/Dldr.DNSChanger.Gen dropper".

I have changed the contents, removed any special characters (copyright symbol, quotes, etc.) from the License.txt file, and have changed the file format to a RTF file but with no success/change.

The only way to avoid the virus warning, that I have found, is to comment out the !insertmacro MUI_PAGE_LICENSE command altogether.

I have seen on the web that there are false positives when using NSIS, but that is not going to make a user feel any more confident when installing a piece software.

Does anyone have any idea of a solution, other than not including the license dialog?

Many thanks.

Animaether
27th February 2009 04:48 UTC

submit a skeleton installer with just whatever triggers the problem to AntiVir; that's the best solution because they should be able to have a new definition file out within a few days and you needn't worry about it anymore (until the next false positive, at least).

Unfortunately I don't know of a full work-around, but could, maybe, write your own license dialog using some of the stuff from this thread on reading .RTF files into a display window of a custom (nsDialogs) page;
http://forums.winamp.com/showthread.php?threadid=288129

( Note that the last message suggests this was added to nsDialogs - it hasn't been, as of yet, as far as I know. )

jaromanda
27th February 2009 09:14 UTC

here is my n00b thought ....

have you tried a different license.txt file? different text would compress to a different combination of bytes ... therefore not "match" some obscure virus?

skiyaladerer
27th February 2009 11:36 UTC

Could it be possible that the license macro is infected?

Animaether: Thanks, I will look into that post. I have created a skeleton installer and will submit that to AntiVir. AVG also reports the same issue so I will submit to them as well. No other anti-virus programs report it according to several online scanners.

jaromando: Yes, I have tried all sorts of different sized files and different formats (txt vs rtf). Some files had as little as one word and no words.

Nothing seems to make a difference except commenting out the line.

Animaether
27th February 2009 19:12 UTC

it's possible, but unlikely. Try a fresh download and install, etc. also try submitting it to one of those online virus scan sites that test it against a myriad of scanners and see which ones think it's infected.

kichik
14th March 2009 22:51 UTC

No, no no and again no... It's impossible the macro is infected. What is possible and even likely is that they have a signature for an installer with the license page in it. When you don't use the license macro, the license page is removed from the installer and therefore modifies the installer's signature.

skiyaladerer
14th March 2009 22:56 UTC

Ok, thanks kichik.

On another note. Not a peep from AVG or AntiVir concerning the skeleton installer I sent to them for testing....

sad...

Fork me on GitHub