DynamoRIO / drmemory

Memory Debugger for Windows, Linux, Mac, and Android

2.6.0 Windows Installer is detected as PUA:Win32/Packunwan by Windows Defender #2517

Open lycis opened 6 days ago

lycis commented 6 days ago

Describe the bug: Windows Defender identifies the severe PUA:Win32/Packunwan threat for DrMemory-Windows-2.6.0.msi.

To Reproduce: Steps to reproduce the behavior:

  1. Download https://github.com/DynamoRIO/drmemory/releases/download/release_2.6.0/DrMemory-Windows-2.6.0.msi

Expected behavior: The installer should not raise red flags with Windows Defender.

Screenshots or Pasted Text: [image]

Versions

lycis commented 6 days ago

I checked a bit further. It seems that it is only the installer that gets flagged, not the installed application itself afterwards.

derekbruening commented 6 days ago

The installer is created by WiX 3.14 and so is not directly in our control. We have seen AV products flag various installers or uninstallers in the past, through no fault of our own: xref #1608 on NSIS which is one reason we switched to WiX in #1620.

It's not clear what could be done here without further information on where this signature is exactly and whether it's possible to avoid with WiX parameters. The theory would be that some actually malicious program used a WiX-built installer as part of itself and the AV signature looks at essentially the wrong thing, the WiX installer, and now flags any WiX-built installer?
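To gather the "further information on where this signature is" that the reply above asks for, the following is an added triage script for the reporter's machine; it is not from the issue thread or the DrMemory project, and it uses only Windows Defender's own cmdlets and MpCmdRun.exe. It assumes the installer has already been downloaded to the path in $Msi, that MpCmdRun.exe sits at its default location under Program Files, and that the shell is elevated (the Mp* cmdlets need that).

```powershell
# Added example (not from the issue or the DrMemory project): triage a Defender PUA hit on an MSI.
# Assumes an elevated PowerShell prompt and that the installer was saved to $Msi.
$Msi = "$env:USERPROFILE\Downloads\DrMemory-Windows-2.6.0.msi"   # assumed local path

# 1. Record exactly which bytes were flagged so the report can be matched to the release asset.
$hash = (Get-FileHash -Algorithm SHA256 -Path $Msi).Hash
Write-Host "SHA-256: $hash"

# 2. Check whether the MSI carries an Authenticode signature. 'NotSigned' means the
#    verdict rests purely on content/heuristics; 'Valid' with a known signer is worth
#    quoting back to Microsoft when disputing a generic PUA detection.
$sig = Get-AuthenticodeSignature -FilePath $Msi
Write-Host "Signature status: $($sig.Status)  signer: $($sig.SignerCertificate.Subject)"

# 3. Scan just this file (ScanType 3 = custom scan), then read back the detection
#    records, which carry the threat ID and the resource path(s) the engine matched on.
#    MpCmdRun.exe location is the default install path (assumption).
& "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File $Msi
$leaf = [regex]::Escape((Split-Path $Msi -Leaf))
Get-MpThreatDetection |
    Where-Object { ($_.Resources -join ' ') -match $leaf } |
    Select-Object ThreatID, InitialDetectionTime, ActionSuccess, Resources |
    Format-List

# 4. Resolve the ThreatID to its name and category. The "PUA:" prefix is Defender's
#    potentially-unwanted-application category, which is separate from its malware categories.
Get-MpThreat | Select-Object ThreatID, ThreatName, SeverityID, CategoryID | Format-Table -AutoSize

# 5. Capture engine and definition versions: generic detections are frequently retired
#    by a later definition update, so the report is only meaningful with these attached.
Get-MpComputerStatus |
    Select-Object AMEngineVersion, AntivirusSignatureVersion, AntivirusSignatureLastUpdated
```

The output of steps 1, 2 and 5, together with the Resources field from step 3, is what a false-positive submission to Microsoft needs; it also lets the maintainers see whether the match is on the MSI container itself or on a specific embedded file, which is the question the reply above leaves open.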