Archive: Suspicious.Cloud.2 False Positive


Suspicious.Cloud.2 False Positive
Hi all,

Though this is my first post, I use this forum quite a lot, and this is the time to thank all the great people here.

And now to the sad news - I'm using the NSIS installer to install and distribute my software, and I recently received emails from users that have Norton installed, saying that my program is classified as a Suspicious.Cloud.2 virus. According to Norton this is a "heuristic virus" based on what the code does and not based on a signature.

My installer consists of two parts - the first one is a small wrapper that checks the type of OS, browser etc. and then downloads and executes the second part, which is the actual installer. Norton classifies the first wrapper as Suspicious.Cloud.2 and blocks it.

Do any of you have any idea of how to change the method of installation in order to not be classified as a virus? I'm pretty clueless regarding this issue - and it's also damaging my business. :cry:

Thanks,

J


Update NSIS to the most current version and perhaps use a different compressor. That worked for me in the past with other false-positive detections.


Thanks for the reply!

Currently I use the default compression. What compression are you suggesting?


Sometimes viruses use NSIS plug-ins for internet access. If you use nsisdl or inetc, update it to the latest version, or to a previous version. You need a version which is not marked as "Suspicious".


Originally posted by zenpoy
Thanks for the reply!

Currently I use the default compression. What compression are you suggesting?
LZMA gives the best compression, so...

But concerning your real problem: If your installer is flagged as a virus, submit it to Symantec security as a false positive. If your application is flagged as a virus, submit that to Symantec security as a false positive. (Try googling for 'symantec false positive'.)

Originally posted by Takhir
Sometimes viruses use NSIS plug-ins for internet access. If you use nsisdl or inetc, update it to the latest version, or to a previous version. You need a version which is not marked as "Suspicious".
I use inetc. Do I need to compile with all sorts of versions and try with Norton to see if it shouts, or is there a place where I can read about what version counts as a virus?

BTW - Takhir - thanks for a great plugin :)

If inetc is getting tagged with a false positive, I'd tell Symantec first. And while you wait, you can also download the source and recompile it, which usually will get rid of any false positive detections. Make sure you're using the latest version, though.