Single exe and F-Secure = Virus found

Posted: Tue Feb 26, 2008 2:44 pm
by SysRq
I've compiled a compressed single exe and it works fine on my test systems.

However, my client has F-Secure antivirus and they can't start the setup.
As soon as they try to run it, F-Secure will interrupt and claim that it contains "W32/DLoader.DWRN"?!?!
(more info: http://www.f-secure.com/v-descs/dloader.shtml)
The file DOES NOT contain any virus, I've tried almost every other major antivirus software out there and none of them warns.

If I try the uncompressed version of the setup, everything works as it should.

Are you aware of any "bugs" in F-Secure and how it handles LZMA compression? (don't know my client's version but I tried F-Secure 2008)

Thanks
Roger

Posted: Tue Feb 26, 2008 10:35 pm
by Chris Miller
Does this happen with any compressed installer that you have created or does it require a specific set of files? If you can get it to happen with a minimal installer, make one up that installs a readme.txt file and then submit the .exe to F-Secure and ask them to update their virus definitions.

Posted: Wed Feb 27, 2008 5:16 am
by SysRq
Does this happen with any compressed installer that you have created

No, it doesn't.
I've tested several smaller dummy setups as you suggested, but none of them will trigger F-Secure, even when I include my files and the Application Runtimes used in my real setup.

I then tried to upload the setup (87MB) to F-Secure but I don't think they're prepared for files that big so it timed out.

When my setup is built using "single exe" (with or without compression) F-Secure will scream. The CD/DVD-setup however, works ok.

Another thing I noticed: InstallAware uses the zlib, but an old version, that is known to have vulnerabilities in it.
IA uses 1.1.3 and the latest is 1.2.3, could this be the cause?
Read about the case here:
http://www.zlib.net/advisory-2002-03-11.txt

Posted: Wed Feb 27, 2008 6:52 am
by sinan
You should contact the anti virus manufacturer for help with this issue. Your compressed data stream might be resembling a virus signature.

We do not use zlib at InstallAware. We use 7zip. zlib is a very poor data compression algorithm.

Posted: Wed Feb 27, 2008 7:12 am
by SysRq
Yes, I'll contact them, seems to be the only solution.
Thanks anyway.

Not zlib? Then why is this string in the generated setup file?
"deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly 1.1.3"
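
The string quoted in the last post is the kind of copyright banner that zlib's deflate and inflate code compiles into a binary, so a file can be checked for it directly. The following is an added example, not part of the thread and not InstallAware's code; the sample bytes are constructed, the function names are hypothetical, and the 1.2.3 baseline is the latest release named in the thread.

```python
import re
import sys

# zlib compiles copyright banners into every binary that links it, e.g.
# " deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly ".
BANNER = re.compile(rb"(deflate|inflate) (\d+)\.(\d+)\.(\d+)(?:\.\d+)? Copyright ")

# Constructed sample bytes (not a real installer): a stub header followed by
# two embedded banners, the first one as quoted in the thread.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b" deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly \x001.1.3\x00"
    + b"\xff" * 32
    + b" inflate 1.2.3 Copyright 1995-2005 Mark Adler \x00"
)


def find_zlib_banners(data):
    """Return sorted (component, version, first offset) for each distinct banner."""
    seen = {}
    for m in BANNER.finditer(data):
        version = tuple(int(g) for g in m.groups()[1:4])
        seen.setdefault((m.group(1).decode(), version), m.start())
    return sorted((comp, ver, off) for (comp, ver), off in seen.items())


def older_than(banners, baseline=(1, 2, 3)):
    """Banners below baseline; the default is the latest release named in the thread."""
    return [b for b in banners if b[1] < baseline]


def scan_file(path, baseline=(1, 2, 3)):
    """Scan a file on disk; returns (all banners, banners older than baseline)."""
    with open(path, "rb") as fh:
        banners = find_zlib_banners(fh.read())
    return banners, older_than(banners, baseline)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        found, stale = scan_file(sys.argv[1])
    else:
        found = find_zlib_banners(SAMPLE)
        stale = older_than(found)
    for comp, ver, off in found:
        flag = "OLDER THAN BASELINE" if (comp, ver, off) in stale else "ok"
        print(f"{comp} {'.'.join(map(str, ver))} at offset {off:#x}: {flag}")
```

A hit shows only that zlib's deflate or inflate code is linked into some component inside the file; it does not say which component that is or whether the installer's own payload is compressed with it.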