Old 15th April 2008, 16:44   #1
dhesmer
Junior Member
 
Join Date: Feb 2008
Location: Germany
Posts: 12
NSIS created setup file contains suspicious code

I'm using the "AVIRA" anti-virus software. Since the last update of the signature file I get the message "MyProgram_setup.exe contains suspicious code: HEUR/Malware".
MyProgram_setup.exe is created by NSIS, the source is VB.Net2008 code. This is the only program I created with NSIS. All older versions of the program, located in different zip files, are also indicated by the above message, and only these programs are listed, no others.
Is something wrong with NSIS?
Thanks for your help.
Diedrich
Old 15th April 2008, 17:45   #2
fabian.rap.more
Senior Member
 
Join Date: Dec 2007
Posts: 111
It is just another false positive. Contact them about it.

What some invent the rest enlarge
Old 15th April 2008, 21:19   #3
Joel
Debian user
(Forum King)
 
Join Date: Jan 2003
Location: Arch land
Posts: 4,896
nsis should be for installation tasks not detecting bad signatures to AntiVirus


* PC: Intel Core 2 DUO E6550 @ 2.33 GHz with 2 GB RAM: Archlinux w/ xfce4.
* Laptop: Intel Core 2 DUO T6600 @ 2.20 GHz with 4 GB RAM: Debian unstable w/ xfce4.
Old 17th April 2008, 01:30   #4
fabian.rap.more
Senior Member
 
Join Date: Dec 2007
Posts: 111
I agree with Joel, but we must at least contact them about it or new users will get frightened away.

What some invent the rest enlarge
Old 18th April 2008, 10:14   #5
kichik
M.I.A.
[NSIS Dev, Mod]
 
Join Date: Oct 2001
Location: Israel
Posts: 11,336
We need a server that'd upload all versions of NSIS including the plug-ins to daily tests on all known Anti-Virus products. Jotti and friends can be used for that. Once a false positive is detected, an automatic mail can be sent out.

NSIS FAQ | NSIS Home Page | Donate $
"I hear and I forget. I see and I remember. I do and I understand." -- Confucius
Old 18th April 2008, 11:18   #6
ionut_y
Junior Member
 
Join Date: Jan 2007
Posts: 16
Re: NSIS created setup file contains suspicious code

Scan your .NET exe there : www.virustotal.com
Old 20th April 2008, 08:33   #7
dhesmer
Junior Member
 
Join Date: Feb 2008
Location: Germany
Posts: 12
Re: Re: NSIS created setup file contains suspicious code

Quote:
Originally posted by ionut_y
Scan your .NET exe there : www.virustotal.com
I checked my setup file (available at www.hesmer.name\ofb\files\ofb-setup_5.0.1.exe) by virustotal. 2 of 32 (AntiVir from AVIRA and Webwasher-Gateway) found Heuristic Malware. All programs packed in this setup are with no result.
Regards Diedrich
Old 20th April 2008, 08:37   #8
dhesmer
Junior Member
 
Join Date: Feb 2008
Location: Germany
Posts: 12
Quote:
Originally posted by Joel
nsis should be for installation tasks not detecting bad signatures to AntiVirus
Sorry ... ,
I use NSIS for setting up a distribution file. But the resulted setup file was marked suspicious by an antivirus scanner.
Old 20th April 2008, 08:46   #9
dhesmer
Junior Member
 
Join Date: Feb 2008
Location: Germany
Posts: 12
Quote:
Originally posted by kichik
We need a server that'd upload all versions of NSIS including the plug-ins to daily tests on all known Anti-Virus products. Jotti and friends can be used for that. Once a false positive is detected, an automatic mail can be sent out.
Dear kichik,
I need some advice from a developer on what to do. In the meantime several users of my software informed me about finding heuristic malware after downloading the setup file from the server. The results of a check by virustotal.com can be found in my answer to ionut_y from some minutes ago. Only the setup file created by NSIS is found faulty, not the files packed into the setup file.
Thanks in advance
Diedrich
Old 20th April 2008, 13:53   #10
kichik
M.I.A.
[NSIS Dev, Mod]
 
Join Date: Oct 2001
Location: Israel
Posts: 11,336
You should contact the relevant anti-virus company and notify them of their mistake. They usually fix it within a few days.

NSIS FAQ | NSIS Home Page | Donate $
"I hear and I forget. I see and I remember. I do and I understand." -- Confucius
Old 21st April 2008, 00:23   #11
seg_telltale
Junior Member
 
Join Date: Feb 2008
Posts: 10
Checking in that we had a few of our users noticing this problem. And by noticing, I say that they were blaming us for distributing a virus.

We all agree here that it's nothing that NSIS has done wrong and is simply security software developers not checking the differences between NSIS running and the offending software. However, this causes problems because users have no concept of this. What we're asking users is to say that the program that protects them from the cyber-baddies is incorrect. While we certainly aren't trying to infect people with bad stuff, I don't see how they would trust us saying that.

So how do we fix this problem? Should we have a generic NSIS installer setup for security software manufacturers to check against? An installer where it compiles all the elements of NSIS but is already known as a safe program. Then security manufacturers can check against the known clean NSIS and see if the signature they are detecting is a false positive.

This has been the third time this calendar year that something like this has come across our studio, so I'd like to start ways to make sure these false-positives don't happen.
Old 21st April 2008, 02:11   #12
Joel
Debian user
(Forum King)
 
Join Date: Jan 2003
Location: Arch land
Posts: 4,896
Or you can change antivirus

There are good ones, without NSIS complaints; I never had problems with avast, nod32, both are commercial if that's what you want. There are also free ones.


* PC: Intel Core 2 DUO E6550 @ 2.33 GHz with 2 GB RAM: Archlinux w/ xfce4.
* Laptop: Intel Core 2 DUO T6600 @ 2.20 GHz with 4 GB RAM: Debian unstable w/ xfce4.
Old 21st April 2008, 02:22   #13
seg_telltale
Junior Member
 
Join Date: Feb 2008
Posts: 10
Quote:
Originally posted by Joel
Or you can change antivirus
Saying "Your antivirus sucks" is not a solution to give people contacting your support lines.
Old 21st April 2008, 05:27   #14
fabian.rap.more
Senior Member
 
Join Date: Dec 2007
Posts: 111
Quote:
Originally posted by seg_telltale
Saying "Your antivirus sucks" is not a solution to give people contacting your support lines.
I agree with that, but why are the antivirus companies detecting NSIS as malware? If it doesn't fix it then aren't they neglecting the reports sent in?

What some invent the rest enlarge
Old 21st April 2008, 14:20   #15
dhesmer
Junior Member
 
Join Date: Feb 2008
Location: Germany
Posts: 12
Quote:
Originally posted by kichik
You should contact the relevant anti-virus company and notify them of their mistake. They usually fix it within a few days.
I sent the affected file to AVIRA yesterday and got the answer right now. "No virus, just a false alarm. Will be eliminated within one of the next updates of the signature file".

Thanks to everybody
Diedrich

P.S. NSIS is an excellent product !!
Old 21st April 2008, 22:47   #16
kichik
M.I.A.
[NSIS Dev, Mod]
 
Join Date: Oct 2001
Location: Israel
Posts: 11,336
seg_telltale, handing them a ZIP file with all of the files from all of the versions isn't good enough. They don't care. I have talked with some companies in the past and none of them were cooperative in any way. They will only fix the errors in their current definitions. And those are sometimes updated in a semi or even fully automatic fashion.

What we need is to make an automated system of our own that would notify them instantly of false positives in their database. If we create something good enough, we can even offer it to other open source projects that suffer from the same problem.

NSIS FAQ | NSIS Home Page | Donate $
"I hear and I forget. I see and I remember. I do and I understand." -- Confucius
kichik is offline   Reply With Quote
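
The triage step of the automated check proposed in posts #5 and #16, as an added example that is not code from the NSIS project or any poster. The report layout, engine names and file names are constructed; uploading builds to a scanning service and sending the mail are assumed to happen elsewhere.

```python
"""Triage multi-engine scan reports for known-clean installers (added example)."""
from collections import defaultdict

# Constructed data: files the project built itself and therefore treats as clean.
KNOWN_CLEAN = {"setup-a.exe", "setup-b.exe", "plugin-x.dll"}

# Constructed scan reports, {file: {engine: detection name or None}}.
# This layout is hypothetical, not the output format of any real scanning service.
YESTERDAY = {
    "setup-a.exe": {"EngineA": None, "EngineB": None},
    "setup-b.exe": {"EngineA": None, "EngineB": "Heur.Generic"},
    "plugin-x.dll": {"EngineA": None, "EngineB": None},
}
TODAY = {
    "setup-a.exe": {"EngineA": "HEUR/Malware", "EngineB": None},
    "setup-b.exe": {"EngineA": "HEUR/Malware", "EngineB": "Heur.Generic"},
    "plugin-x.dll": {"EngineA": None, "EngineB": None},
    "unknown.exe": {"EngineA": "Trojan.X", "EngineB": None},  # not ours: ignored
}

def detections(report, known_clean):
    """Return {(engine, file): name} for every hit on a known-clean file."""
    return {(engine, f): name
            for f, engines in report.items() if f in known_clean
            for engine, name in engines.items() if name}

def new_false_positives(previous, current, known_clean):
    """Group hits that appeared or changed name since the previous run, by engine."""
    before = detections(previous, known_clean)
    grouped = defaultdict(list)
    for (engine, f), name in sorted(detections(current, known_clean).items()):
        if before.get((engine, f)) != name:  # already-reported hits are skipped
            grouped[engine].append((f, name))
    return dict(grouped)

def draft_notice(engine, hits):
    """Build the text of one false-positive report for one vendor."""
    lines = [f"False-positive report for {engine}: {len(hits)} file(s)"]
    lines += [f"  {f}: detected as {name}" for f, name in hits]
    return "\n".join(lines)

if __name__ == "__main__":
    for engine, hits in new_false_positives(YESTERDAY, TODAY, KNOWN_CLEAN).items():
        print(draft_notice(engine, hits))
```

Comparing against the previous run keeps a vendor from being mailed every day about a detection that has already been reported.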