DynamoRIO / drmemory

Memory Debugger for Windows, Linux, Mac, and Android

Some AV products raise false positive adware concerns on NSIS-generated Uninstall.exe #1608

Open derekbruening opened 9 years ago

derekbruening commented 9 years ago

From stephane...@googlemail.com on August 15, 2014 06:24:00

ClamAV reports Win.Adware.Linkular in DrMemory-Windows-1.7.0-5.exe

So I will do without your tool if you plan to install adware on computers

Regards

Original issue: http://code.google.com/p/drmemory/issues/detail?id=1608

derekbruening commented 9 years ago

From bruen...@google.com on August 15, 2014 10:30:54

We have heard of NSIS-based installers sometimes triggering false positives in some AV programs but have never seen it in our installers. http://virustotal.com claims that ClamAV does not report any problem with DrMemory-Windows-1.7.0-5.exe, where ClamAV was last updated 20140807. When was yours last updated? https://www.virustotal.com/en/file/2a8d456f83eeb7960873b147fda3daee38d9b629dba5a6c02a84c19d654152ba/analysis/

Status: NeedInfo
Labels: OpSys-Windows Usability

derekbruening commented 9 years ago

From stephane...@googlemail.com on August 16, 2014 03:27:54

Ok, I appreciate the feedback. I have an older version (0.98.3); I don't know the date it was released. I think I will have to update my http gateway a bit ;) I downloaded the zip archive and it's clean.

Thank you. You can close this issue since the problem is on my side.

derekbruening commented 9 years ago

From bruen...@google.com on August 16, 2014 18:12:58

Submitting just the NSIS-created Uninstall.exe (installed onto the target machine by the installer) to virustotal does show ClamAV flagging it: https://www.virustotal.com/en/file/c903ca88c424ba4a6151991b279d696409eb2ede07e081a1dd0e87389d764f84/analysis/1408126130/ SUPERAntiSpyware also flags it, as "Adware.BrowseFox/Variant". None of the other 50+ AV raise any problem with it.

So we do have an AV false positive in an NSIS-generated part of the package.

Options:

1) Report this false positive to ClamAV and SUPERAntiSpyware and hope they update their databases soon.

2) Sign the uninstaller (xref issue #1602)? That does not look easy to fit into the CPack process: being an auto-generated file it requires special steps with NSIS: http://nsis.sourceforge.net/Signing_an_Uninstaller

3) Switch from NSIS to WiX. CPack 2.8.11+ supports WiX. WiX is MSI-based and so would have built-in uninstall support and also support for automatically replacing an existing installation. It should support everything we're currently doing with NSIS, and may make some things easier like writing the reg keys for the VS External Tool support.

Searching online shows some other complaints about NSIS Uninstall.exe tripping AV false positives (this one includes a dev who switched to WiX: http://stackoverflow.com/questions/4332162/nsis-installer-slow-on-machine-with-microsoft-security-essentials ). NSIS itself seems to maintain a long list of false positives: http://nsis.sourceforge.net/NSIS_False_Positives

Summary: Some AV products raise false positive adware concerns on NSIS-generated Uninstall.exe (was: Win.Adware.Linkular in installation exe)
Status: Accepted

derekbruening commented 9 years ago

From bruen...@google.com on September 08, 2014 12:01:20

Split switching to WiX as issue #1620