Unacceptable Virus Issues with IA 19.03

[Sheri_Steeves]

Hello,

We have encountered an unacceptable problem with viruses and InstallAware that is causing us to switch to InstallShield.

This started before Christmas when a client reported a virus detected with our install when scanning with the VirusTotal website. After some investigation we determined that it was an InstallAware file that was causing the virus. We posted and were told then (http://www.installaware.com/forum/viewtopic.php?f=2&t=10184 - Dec 23, 2014) that it was a false positive, but as of today, January 5, 2015, with a brand new install of Avast with updated virus definitions this virus is still detected, and is still detected on the VirusTotal website as well.

Additionally, we are still seeing a virus detected for the file pPin32.cpl, which was reported to the forum back in Dec 03, 2014, and from what I can tell is still causing an issue.

Even worse, with Avast installed, it finds so many viruses with the actual InstallAware setup that I can't even install it. I don't care if these are false positives - this should not be happening at all. It certainly doesn't with InstallShield.

Viruses found when trying to install IA 19.03 with Avast installed.

viruschest1.PNG (29.03 KiB) Viewed 6650 times

We also noticed that NONE of the exectuables, dlls, etc. used by InstallAware are digitally signed. The reason we were given is that the install with runtimes was too large to digitally sign, or to quote:

...the Microsoft signing tool may corrupt the installer when they are larger than approximately 1.9 GB.

What this doesn't explain is why the individual files INSIDE the installer ( mia.exe, etx.) are not themselves digitally signed. I am sure that this is behind many of the false positives that we are seeing.

This is a critical deal breaker for us and is causing us to abandon InstallAware and move to InstallShield if this cannot be resolved.

Sheri

[FrancescoT]

Dear Sheri,

unfortunately Anti Virus Applications sometime can cause problems and although we make every effort to contact the different software vendors, some of them are not very collaborative.

At any rate, you should consider that AV Applications are just software and as any other software, they are not free of errors and they are not the Bible.

As I have already said with other discussions, I have personally stopped to use any commercial AV with my development machine, this due false positives with Microsoft Visual Studio. Currently, I only use Microsoft Security Essentials which is free and doesn't give any problem.

I have already replied to you about the reason why were forced to not sign our application files.
Do you really believe that we are not able to use a digital signature over those files?
If you don't want to believe me, you can try to sign any large EXE over 1.9 GB by yourself (...regardless of the tool used).

This fact doesn't impact the generated setup and anyway, you could digitally sign the files in the Installaware program file folders, in order to avoid any possible file issue with your generated packages.

Finally, it's not my intention to convince you to prefer our product in place of our product competitors ... this is up to you.

Regards

[rosstrusler]

Sheri: I am an InstallAware customer. There is little that InstallAware can do about these false positives, other than contact the AV vendor and ask them to fix their AV products. InstallAware has already contacted them about the issue. It would help yourself and everyone else if you contacted the AV vendor(s) as well. Demand that they fix their false positives or threaten to move on to competing products. My own recommendation for AV is NOD32.

Francesco: missing signatures is an issue even with downloads from InstallAware's site, INCLUDING installations much smaller than 1.9GB. InstallAware used to sign their executables. When I downloaded X2 recently, I noticed the lack of signature and had to assume that InstallAware's website had been hacked.

Only by contacting InstallAware's staff was I able to confirm that the file was not bogus, that in fact InstallAware no longer sign their own downloads.

This is a problem. Even if files over 1.9GB can't be signed, all files under 1.9GB should be signed.

[FrancescoT]

Dear Rosstrusler,

currently only our web installer package is digitally signed

Obviously due the reasons I mentioned earlier, this is limited to the installer itself and not to the installed files.

I understand that this may seem a simple matter, but it's not in reality.
For obvious reasons, both installers have to install the same identical files and consequently, the above limitation comes up with the large EXE.

Anyway, we are working to find out if there is any possibility to make this possible in future.

Regards