Old 22nd November 2014, 18:18   #1
heatheralexea123
Junior Member
 
Join Date: Nov 2014
Posts: 7
McAfee problems continue

McAfee still rarely responds to a false positive if it involves NSIS. Moderators in the McAfee community say that the NSIS owner should talk to McAfee regarding this issue. Here is where those threads are located:

https://community.mcafee.com/message/358068#358068

https://community.mcafee.com/message/358561#358561

and there are many more; hopefully SourceForge will notice this and take action.
Old 22nd November 2014, 19:23   #2
Anders
Moderator
NSIS only calls documented Windows API functions, AFAIK. I think it is getting flagged because some people use NSIS to create malware, but that is not our fault. The A/V should detect when an NSIS executable does something harmful to the system, not just that it is an NSIS executable. They don't really go into details, so it is hard to know what they classify as suspicious.

Submitting every installer is hopeless; the A/V vendor needs to whitelist the NSIS stubs and then add the actual malware that uses NSIS to their virus database. Meaning: the first 35 KB or so of the NSIS stubs (and do-nothing minimal installers) should never be marked as a virus. (It is the same for every installer of that type: (zlib/bzip/lzma) + (ANSI/Unicode).) Their detection should focus on the parts after that, which is the data controlled by the people who wrote that particular installer.

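The stub-versus-data split Anders describes, as an added example (not code from the thread or from the NSIS project): it locates the NSIS firstheader, the record that begins the installer-specific data, at a 512-byte aligned offset the way the real stub does, then hashes the shared stub and the unique data separately so an allow-list can key on the former and analysis can focus on the latter. The firstheader layout is taken from the NSIS exehead source; the two installers it processes are constructed inline as stand-ins, not real files.

```python
import hashlib
import struct

# Layout of the NSIS "firstheader" (exehead/fileform.h): flags, siginfo
# 0xDEADBEEF, the 12-byte magic "NullsoftInst", length_of_header, and
# length_of_all_following_data. The stub looks for it at 512-byte aligned
# offsets, so a triage tool can do the same.
SIG_AND_MAGIC = b"\xEF\xBE\xAD\xDENullsoftInst"   # siginfo (LE) + magic
ALIGN = 512


def find_firstheader(blob: bytes) -> int:
    """Offset of the firstheader, i.e. where the shared stub ends, or -1."""
    for off in range(0, len(blob), ALIGN):
        if blob[off + 4:off + 4 + len(SIG_AND_MAGIC)] == SIG_AND_MAGIC:
            return off
    return -1


def split_installer(blob: bytes) -> dict:
    """Hash the generic stub and the installer-specific data separately."""
    off = find_firstheader(blob)
    if off < 0:
        raise ValueError("no NSIS firstheader found")
    header_len, data_len = struct.unpack_from("<II", blob, off + 20)
    return {
        "stub_end": off,
        "stub_sha256": hashlib.sha256(blob[:off]).hexdigest(),
        "data_sha256": hashlib.sha256(blob[off:]).hexdigest(),
        "header_len": header_len,
        "data_len": data_len,
        # Non-zero means bytes beyond what the firstheader accounts for,
        # e.g. an Authenticode signature or something appended afterwards.
        "trailing_bytes": len(blob) - off - data_len,
    }


def make_sample(payload: bytes, stub_size: int = 1024) -> bytes:
    """Constructed stand-in for an installer: fake stub plus a data block."""
    stub = b"MZ" + b"\x90" * (stub_size - 2)       # filler, not a real PE
    header = b"compressed header".ljust(64, b"\0")  # stands in for the script
    body = header + payload                         # data block after firstheader
    first = struct.pack("<I", 0) + SIG_AND_MAGIC + struct.pack(
        "<II", len(header), 28 + len(body))         # sample counts the 28-byte firstheader
    return stub + first + body


SAMPLE_A = make_sample(b"payload of installer A")
SAMPLE_B = make_sample(b"payload of installer B, same stub")
```

Running `split_installer` over both samples gives identical stub hashes and different data hashes, which is exactly the split a signature should be built on.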
Old 22nd November 2014, 21:43   #3
heatheralexea123
Junior Member
Thank you for the detailed reply. I have forwarded this thread to the McAfee community as well. Hopefully action will be taken soon.
Old 25th November 2014, 04:08   #4
heatheralexea123
Junior Member
We have asked McAfee about what you said. Here is their reply:

"Asking us to whitelist "NSIS" is impossible - There's already malware built using it, so looking at the NSIS "stub" and saying, "well, it must be ok then." - seriously?

The very nature of anti-malware is a combination of signature and behavioural based detection. Generally for performance reasons most people use signature based with behavioural backup. It's this which is causing NSIS problems - unique, new NSIS programs are not known, so have no signature based "blessing", but exhibit behaviour similar to known malware. Thus, they are flagged.

It's not EVERY NSIS installer which is getting flagged, it's ones with particular characteristics. I'm not going to tell you what those are as it would only help malware authors game the system, but tiny files with minimal content like the one people mentioned on this forum are of course a good example.

There are lots of posts on how to submit programs to McAfee for evaluation/whitelisting - just create an account and follow the rules and your application will be evaluated."
Old 26th November 2014, 15:39   #5
Anders
Moderator
I did not say that detecting an NSIS stub means it is harmless; I said that they need to focus on the data that is unique to each installer. McAfee probably knows how to unpack NSIS installers and should be able to look at the included files and possibly the NSIS scripting code.

I call bullshit on this behavior excuse: an executable that does no harm is clearly harmless, and if their product believes otherwise then their detection system is buggy/broken by design.

It is unlikely that we (NSIS developers) can make any changes that will make it seem less suspicious. NSIS installers are script based; at run-time the installer uses a small instruction decoder that reads and executes each instruction, and it also contains code to decompress data to memory/disk. This is a common thing for installers to do...

Old 28th November 2014, 05:40   #6
heatheralexea123
Junior Member
Arguing in the McAfee community isn't gonna fix anything for NSIS developers. Is there an official party we could write to in NSIS who might intercede with McAfee and get this issue solved?
Old 29th November 2014, 19:03   #7
Theresias
Junior Member
The problem with all the AV companies is that they are not interested in working with small developers. Our company is using an Eastern European anti-cracking solution which works quite OK for our purposes but is also quite common for malware. Since the AVs can't look inside the files they flag the general signature of the anti-cracking solution instead, no matter what content you have inside the package.

Some do a better job and actually look for unique indicators, but one specific AV company has been getting complaints about false positives from us for the better part of 5 years now. All they do is whitelist our files; that takes time on their end, then more time to get the updated signatures out to their customers, and during all that time our tech support crew is bothered with angry customers just because they are using some shitty AV software.

I like Anders's comment on what not to look at; sadly, not many seem to actually do that.
Old 13th January 2015, 22:59   #8
aerDNA
Senior Member
I ran a compiled script through VT and it passed 55/56 AVs. The one it didn't pass was - surprise, surprise - McAfee. Apparently, my exe behaves like Win32.Downloader.lm, which presumably downloads something, while my file does nothing of the kind and does nothing suspicious at all. I think that people whose business doesn't depend on it should refrain from submitting files for whitelisting, because it means accepting that they do a half-assed job. It really shouldn't be our problem that their heuristics are generic crap.

Old 20th May 2016, 00:57   #9
BFeely
Junior Member
False positive BehavesLike.Win32.Tool.dc by McAfee-GW-Edition

Most of the installers I have generated for my project DXGL (https://www.dxgl.info) have recently been flagged by the antivirus scanning engine McAfee-GW-Edition.
Only the installer is flagged, and none of the extracted executables.
I use the following plugins:
nsDialogs.dll
System.dll
sha512-nsis.dll (custom port of code from https://github.com/WaterJuice/CryptLib/tree/master/lib as an NSIS plugin, generated by my build system)

Source code for the installer, the program files, and the custom NSIS plugin can be found at https://www.dxgl.info/download/dxgl-src-0.5.8.zip
The most recent detected installer is https://www.dxgl.info/download/DXGL-0.5.8-win32.exe and it was built using version 2.50 of NSIS.

I have contacted McAfee about the problem and am still waiting for a response.

NOTE: This isn't the regular consumer McAfee product, but a firewall scanning solution that was bought out by McAfee.

Last edited by BFeely; 20th May 2016 at 03:11.