2. NSIS Discussion
  3. Most AV treats nightly as a virus

Archive: Most AV treats nightly as a virus


regs
18th August 2012 20:48 UTC

Most AV treats nightly as a virus
https://www.virustotal.com/file/c5db...is/1345318253/

Most files in Stubs. Possibly false positive, possibly related to start page changer, possibly made in such a brutal way, so more than half of AVs treats it as a malware. But possibly it's there not because developer wished so?


Stable is clean

Anders
19th August 2012 07:48 UTC

I don't know what startpage changer is but a lot of those listed there have generic in the name, this is your clue that it is probably a false positive...

zedzedbeta5
17th September 2012 16:22 UTC

False positives
What stinks about this is that it's not as simple as telling your users, "Don't worry about those warnings just hit the next button" They're not going to do that. NSIS is almost ALWAYS listed in some way or another as a virus.

Have you found any way to mitigate this besides automating false positives emails to the AV vendors?

MSG
17th September 2012 17:11 UTC

Originally posted by zedzedbeta5
NSIS is almost ALWAYS listed in some way or another as a virus.
No. NSIS installers are almost NEVER listed as false positives. You must be doing/including something suspicious with your specific installers.

Afrow UK
17th September 2012 17:28 UTC

The only time I've had a false positive is when my installer has had an ActiveX control or IE browser extension in it. That is not surprising at all.

Stu

zedzedbeta5
21st September 2012 21:34 UTC

Various things
I apologize, I should have clarified what I do with it so as not to be included into the "You must be doing something crappy" bucket.

It's just because a lot of idiots use the installer to install shady crap and it ruins it for the rest of us. I've used nsis to load our company's insurance add-ons in IE silently. While our signed IE dll's install just fine via a "regsvr32 xyz.dll" manually sometimes it does not via a silent installer. Normal Installer is almost 100% of the time fine.

I use the silent to pull/download various installation products via our CDN and once on the users drive, the secondary installation begins.

So:

#1 Run Silent Installer
#2 download materials from our CDN
#3 register dlls or install other software etc
#4 AV sometimes flags it a "w32/generic downloader"
#5 If #4 IT support phones ring

I love this software and I'm not complaining. It is just a thing that we deal with.

MSG
22nd September 2012 07:36 UTC

Well, it's not surprising at all. You're silently installing browser addons, AND you're downloading more content from an online resource. That's a very shady combination, and most AV software will find it shady enough for the heuristic scanner to scream fire. I'm not sure how you could change this to appear less suspicious. The best method might perhaps be to contact the AV companies and ask them to fix the false positive in your software. If you're lucky, you won't need to ask again for every new version as long as you don't make too big changes.

Fork me on GitHub