Archive: Most AV treats nightly as a virus


Most AV treats nightly as a virus
https://www.virustotal.com/file/c5db...is/1345318253/

Most files in Stubs. Possibly a false positive, possibly related to the start page changer, possibly made in such a brutal way that more than half of AVs treat it as malware. But possibly it's there not because the developer wished so?


Stable is clean


I don't know what startpage changer is but a lot of those listed there have generic in the name, this is your clue that it is probably a false positive...


False positives
What stinks about this is that it's not as simple as telling your users, "Don't worry about those warnings, just hit the next button." They're not going to do that. NSIS is almost ALWAYS listed in some way or another as a virus.

Have you found any way to mitigate this besides automating false positives emails to the AV vendors?


Originally posted by zedzedbeta5
NSIS is almost ALWAYS listed in some way or another as a virus.
No. NSIS installers are almost NEVER listed as false positives. You must be doing/including something suspicious with your specific installers.

The only time I've had a false positive is when my installer has had an ActiveX control or IE browser extension in it. That is not surprising at all.

Stu


Various things
I apologize, I should have clarified what I do with it so as not to be included into the "You must be doing something crappy" bucket.

It's just because a lot of idiots use the installer to install shady crap and it ruins it for the rest of us. I've used NSIS to load our company's insurance add-ons in IE silently. While our signed IE DLLs install just fine via a "regsvr32 xyz.dll" manually, sometimes they do not via a silent installer. Normal Installer is almost 100% of the time fine.

I use the silent to pull/download various installation products via our CDN and once on the user's drive, the secondary installation begins.

So:

#1 Run Silent Installer
#2 Download materials from our CDN
#3 Register DLLs or install other software etc
#4 AV sometimes flags it as a "w32/generic downloader"
#5 If #4, IT support phones ring

I love this software and I'm not complaining. It is just a thing that we deal with.


Well, it's not surprising at all. You're silently installing browser addons, AND you're downloading more content from an online resource. That's a very shady combination, and most AV software will find it shady enough for the heuristic scanner to scream fire. I'm not sure how you could change this to appear less suspicious. The best method might perhaps be to contact the AV companies and ask them to fix the false positive in your software. If you're lucky, you won't need to ask again for every new version as long as you don't make too big changes.