oneclick / rubyinstaller

RubyInstaller for Windows - Build recipes
http://rubyinstaller.org
BSD 3-Clause "New" or "Revised" License

Installer seems to trigger Win8.1 Antimalware Service Executable #273

Closed patrickhlauke closed 9 years ago

patrickhlauke commented 9 years ago

Not sure why, but trying to run, or even simply right-clicking (to get the context menu) the rubyinstaller-2.2.2-x64.exe (and I seem to recall the 2.0.0... one as well) sends the Antimalware Service Executable in Windows 8.1 into overdrive. Windows Explorer freezes for up to a minute, the Antimalware Service runs up to 10% CPU time and eats up about 100MB memory... and stays like that for minutes on end. Sometimes, double-clicking the installer will seemingly have no effect, and 5 minutes later (once ASE has finished doing whatever it's frantically trying to do) the installer will actually kick in and show the installation dialog.

patrickhlauke commented 9 years ago

[screenshot: capture]

patrickhlauke commented 9 years ago

Same also happens when trying to then delete that rubyinstaller-2.2.2-x64.exe - this also seems to trigger some checks by ASE...

patrickhlauke commented 9 years ago

I should also add that this happens only when Windows Defender's real-time protection is turned on.

Azolo commented 9 years ago

Yeah, this is something I have no idea how to fix. I'll look into it when I get a chance.

np100 commented 9 years ago

This problem isn't specific to rubyinstaller. Looking for a solution for exactly the same problem with another product, I stumbled upon this thread. I developed a software product which I sell from the internet. The product installer uses Inno Setup to package up my various components into an exe file. The problem is that the FIRST TIME (and only the first time) a particular version is downloaded from my site by a user, they experience a delay of around two minutes before the UAC warning comes up and installation can start when they double click the exe file to run the installation. The same delay occurs even if they right click the downloaded file and select properties, or delete, or even try to move the file to another location. During that extended delay the antimalware service is showing about 6% CPU usage. This stops once the UAC dialog box opens up.

If you try this a second time (even after a re-boot or after several weeks have elapsed), there is no delay: the installation starts immediately; there is no delay selecting properties from the right click menu etc.

I downloaded rubyinstaller-2.2.2-x64.exe to see if the problem is the same as the one I have been experiencing, right clicked the downloaded file and selected properties. The delay was well over five minutes before the properties information box came up. During that time the antimalware service remained at around 6% CPU usage. There was nothing I could do to get out of the "hang".

This problem occurs on Windows 7, Windows 8.1 and the latest developer preview build of Windows 10. In the Windows 10 case no other software has been installed -- it's a brand-new installation.

Note that you do NOT get this problem unless you download the file from the internet. E.g. if you try this on the installation file that has never been posted to the internet there is no delay. If I upload my exe file to my web site, then download it using a browser, then try to run it or bring up properties, there is the long delay.

Whether it's related to Inno Setup (does rubyinstaller use Inno Setup?) or what, I haven't a clue. If anybody can shed some light on this I'd be grateful. I've been looking for a solution for months.

reybango commented 9 years ago

I don't have an answer but I'll ping someone in the Windows Defender team to take a look. I'll do my best to get an answer but just know that Microsoft teams sometimes take a bit to respond, even internally.

patrickhlauke commented 9 years ago

thanks @reybango ... appreciate it :+1:

reybango commented 9 years ago

Hey all, it looks like a signature update was needed and it's now pushed out. Could you recheck to see if you still have the issue?

Azolo commented 9 years ago

@reybango Thanks for the update. =)

Do you know if there is a way to expedite executable checking and inclusion in the signatures?

I'm guessing the best way is to probably digitally sign the installers, which is something I would need some time to get done.

reybango commented 9 years ago

Not that I know of but feel free to ping me if you have more issues. I'm happy to escalate. reybango at microsoft

patrickhlauke commented 9 years ago

@reybango just wondering though... is it normal behavior then for the Antimalware Executable Service to pretty much churn through extensive... checks?... for 5 minutes when a signature is not recognised/present, often crashing Explorer in the process?

np100 commented 9 years ago

reybango, could you please explain what you mean by "signature update required" and what exactly was pushed out and to where? Are you referring to something related to the antimalware service? Is it a general fix (i.e. will it stop the "hang" occurring on all exe files downloaded from the internet), or is it specific to rubyinstaller?

reybango commented 9 years ago

@patrickhlauke @np100 the info I shared is pretty much all the Windows Defender team was willing to give me and all I can offer. In terms of the signature update, it's the malware signature associated to Windows Defender which gets updated regularly like any other AV product.

np100 commented 9 years ago

Thanks @patrickhlauke. I appreciate your help and understand you are dealing with another team in MS (I worked in MS for eight years). But I hope you can appreciate our problem: When we (and I'm talking about many thousands, possibly hundreds of thousands, of developers) put a new version of our products on our internet site for people to buy and download, the experience that the purchaser gets when they try to run the program is around five minutes of absolutely nothing, i.e. a hang. There is no message like "checking your file, please wait", often no spinning hour glass. Just nothing. This can't be normal behaviour for any product, never mind one from MS. At the end of the five minutes of "hang" the exe runs as normal. This happens on literally dozens of products I've downloaded in the past few months from the internet. It's not specific to our products. The reason you may not have heard about it is, as I described in my first post above, it only happens the first time you download a particular exe version, so it's hard to test. Windows obviously remembers that it's checked the file and doesn't do it again. I've had lots of feedback about it. My customers are understandably nervous about using our software as they have no idea what it's possibly doing on their computer.

Can you provide me (happy to do this off-line) with a contact or avenue to get this resolved in MS. I stress: this is clearly a bug in the antimalware service. In anybody's books: a multi-minute "hang" with absolutely no feedback to the user is a bug. Just updating a signature to handle a specific product version is not a solution.

reybango commented 9 years ago

@np100 I'll pass along your feedback to that team. They're fine with me being the go between which from experience is the main way they communicate externally. Not ideal and I personally wish more teams would open up but it's the way they work at the moment. If you know someone at MS that can tie you in directly then I would certainly encourage you to try that as well.

Note I'm not trying to be a blocker here. Unfortunately, not all teams are setup to communicate externally. I'll do my best to help though.

Azolo commented 9 years ago

@np100 @reybango Thanks for the info and work.

I did look around the Microsoft site and found this: https://www.microsoft.com/security/portal/mmpc/developer/resources.aspx

Either way it looks like the best avenue for RubyInstaller is start digitally signing the releases again. Luis handled that in the past but had problems obtaining a certificate recently. I haven't ever signed them and don't know how. I'll likely open up a new ticket asking for some information on the best ways to get Open Source Software signed sometime this week.

reybango commented 9 years ago

Got another update:

"The signature update SHOULD mitigate this so no need for any further action for users. The Windows Defender team identified a performance regression with its handling of the Inno installer specifically, so it could in theory affect any package created with this installer. Digitally signing in some cases will mitigate; Defender has the ability to tune its behavior based on the presence/absence of a valid, trusted certificate, and will perform deeper emulation and/or scanning of the files in cases where no signature is present."

@Azolo I'm trying to see if I can find a resource to point you to for digitally signing this.

Azolo commented 9 years ago

@reybango Thanks! The problem is really finding a place to get a trusted cert that can be used in these circumstances. That's a huge hurdle from what I understand.

np100 commented 9 years ago

Re trusted certificate: This should not be necessary to stop antimalware from hanging and timing out. There are positives and some significant negatives for getting a trusted certificate (e.g. it gives people downloading pirated copies of software illegally posted on file sharing sites confidence that the files they download haven't been tampered with (i.e. don't contain viruses), and this is a big negative for software vendors). So we chose not to use a trusted certificate, which is a valid option for us to select. But that shouldn't cause users' PCs to effectively hang for five minutes when they download and try to use our software from our site (which they trust). I.e. Defender/antimalware should work correctly whether there is a certificate or not. From reybango's comments I gather this should be the case?

Azolo commented 9 years ago

@np100 Yes @reybango mentioned there was a regression with Inno. However, this is more about the best way for RubyInstaller to work with the current situation.

While digitally signing may not be your choice solution it is something that I think would work for RubyInstaller. The alternatives would be to switch to a WiX packaged MSI or other install method not managed by Inno. Which I may do in addition to signing the installers. See #136.

Those are the solutions that RubyInstaller is going to consider instead of waiting for the Microsoft Security Team to fix a regression that they said they were aware of.

jasonconradt commented 9 years ago

Hey all I work on the Windows Defender team and have been coordinating with @reybango .

@np100, digital signing is orthogonal to the Inno installer handling issue in Defender. You certainly shouldn't need a digital signature in order to prevent Defender from hanging; I was only pointing out we do modify our scanning and emulation behavior, informed (in part) by digital signatures. I asked Rey to mention it as an FYI, not that it was in any way implicated or a solution in this specific case. We've fixed the Inno installer issue in signatures.

Digital signing has a lot of advantages however, and just because a package is offered from your site that, as you say, users would generally trust, it can also be offered from other sources. There have also been countless instances of distribution points being compromised, and modified packages wind up being unwitting distribution vectors for malware authors. Signing with a certificate helps ensure the integrity of the package, which is a benefit to both you as a software developer and also the end-user.

If you're still having issues with installation packages hanging when using Defender, please submit a sample to the site below, and send me the submission ID so I can prioritize an investigation. (deleted wrong URL)
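Two facts from the thread are worth checking on a downloaded installer before reporting a scan hang: np100's observation that the delay only occurs for files downloaded from the internet (Windows records that via the Zone.Identifier alternate data stream, the "Mark-of-the-Web"), and jasonconradt's note that Defender scans unsigned files more deeply. The following PowerShell script is an added example, not code from this issue or from the RubyInstaller project; it assumes the file name from the thread as a default parameter and uses only built-in cmdlets (`Get-Item -Stream`, `Get-AuthenticodeSignature`, and `Get-MpComputerStatus` from the Defender module).

```powershell
# Added example (not part of the issue thread or RubyInstaller).
# Reports, for one installer file:
#   1. whether it carries the Mark-of-the-Web (Zone.Identifier stream),
#      i.e. Windows considers it downloaded from the Internet zone;
#   2. whether it has a valid Authenticode signature and who signed it;
#   3. the local Defender engine/definition versions, which the thread
#      shows are needed when reporting a scanning regression.
# $InstallerPath is an assumed parameter; the default is the file name
# discussed in the thread.
param(
    [string]$InstallerPath = ".\rubyinstaller-2.2.2-x64.exe"
)

if (-not (Test-Path -LiteralPath $InstallerPath)) {
    throw "File not found: $InstallerPath"
}

# --- 1. Mark-of-the-Web -------------------------------------------------
# A Zone.Identifier stream with ZoneId=3 marks the Internet zone.
$motw = Get-Item -LiteralPath $InstallerPath -Stream Zone.Identifier -ErrorAction SilentlyContinue
if ($motw) {
    $zoneId = Get-Content -LiteralPath $InstallerPath -Stream Zone.Identifier |
              Where-Object { $_ -match '^ZoneId=(\d+)' } |
              ForEach-Object { [int]$Matches[1] }
    Write-Output "Mark-of-the-Web present (ZoneId=$zoneId): file is treated as downloaded."
} else {
    Write-Output "No Mark-of-the-Web stream: file is treated as local."
}

# --- 2. Authenticode signature ------------------------------------------
# Status 'Valid' means the file is signed and the chain ends in a trusted root;
# 'NotSigned' is the case the Defender team says triggers deeper emulation.
$sig = Get-AuthenticodeSignature -FilePath $InstallerPath
Write-Output ("Authenticode status: {0}" -f $sig.Status)
if ($sig.SignerCertificate) {
    Write-Output ("Signer subject : {0}" -f $sig.SignerCertificate.Subject)
    Write-Output ("Signer expires : {0}" -f $sig.SignerCertificate.NotAfter)
}
if ($sig.Status -ne 'Valid') {
    Write-Output "File is unsigned or its signature is not trusted; expect a slower first-run scan."
}

# --- 3. Defender versions (for the bug report) --------------------------
# Get-MpComputerStatus is available on Windows 8.1 and later with the
# Defender PowerShell module; it is skipped silently elsewhere.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp) {
    Write-Output ("Defender engine {0}, AV definitions {1}, real-time protection: {2}" -f
        $mp.AMEngineVersion, $mp.AntivirusSignatureVersion, $mp.RealTimeProtectionEnabled)
}
```

Run it as `.\Check-Installer.ps1 -InstallerPath .\some-installer.exe` (script name assumed) on the machine that shows the hang. The definition version line matches what np100 quotes later in the thread (1.99.2288.0), so including it alongside the signature status and Mark-of-the-Web result gives the Defender team the three variables this thread shows matter: downloaded or not, signed or not, and which definitions were active.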

np100 commented 9 years ago

jasonconradt and @reybango: Thanks for helping with this. Great service from MS. Unfortunately the problem is still there for the Inno installation package for our software products. I've tested this today using the latest Defender definitions (1.99.2288.0) on a Windows 8.1 PC where all available Windows updates have been applied. The hang is still around 2 minutes when you right click an exe file downloaded from the internet and then click "properties", "delete" etc. or double click the file to run. During that time antimalware shows 8% CPU usage which immediately drops to zero once the "hang" times out. I'm happy to submit a link to the file on our site so you can download it, or the file itself, but the link you gave above doesn't work. If you could please provide another link I'll submit full details. Thanks again.

jasonconradt commented 9 years ago

Hey sorry @np100, I sent the internal link by accident; the external link is: https://www.microsoft.com/security/portal/submission/submit.aspx

Please send me the submission ID and I'll have a look. Thanks!

np100 commented 9 years ago

To jasonconradt: Thanks for the link. Submission ID is MMPC15061148257863

np100 commented 9 years ago

jasonconradt and @reybango: I submitted our file (submission ID MMPC15061148257863) but haven't had a response. Would appreciate it if you could confirm that this is being looked at.

reybango commented 9 years ago

@np100 There's a ton of submissions to this group daily so I'm going to ask for a little patience. I know that @jasonconradt is out of the office and I'm sure he'll respond when he's settled back in.

Azolo commented 9 years ago

Honestly, I'm pretty happy with the response from @jasonconradt. I'm going to go ahead and close this issue.

@jasonconradt @reybango Thank you for your awesome responses and insight.

@np100 I hope you get your problem solved, but if you could please move your troubleshooting to private communication at your earliest convenience.

Azolo commented 8 years ago

@massagetut I mean, that's a suggestion. But it's an issue that should be fixed, and if it isn't then it should be handled with the Windows Defender team.

Likewise, there are problems that pop up with third parties that have occurred too. In those cases it usually requires a similar process.