Old 20th February 2011, 16:42   #1
zenpoy
Junior Member
 
Join Date: Feb 2011
Posts: 38
Suspicious.Cloud.2 False Positive

Hi all,

Though this is my first post I use this forum quite a lot and this is the time to thank all the great people here.

And now to the sad news - I'm using the NSIS installer to install and distribute my software, and I recently received emails from users that have Norton installed, saying that my program is classified as the Suspicious.Cloud.2 virus. According to Norton this is a "heuristic virus" based on what the code does and not based on a signature.

My installer consists of two parts - the first one is a small wrapper that checks the type of OS, browser etc. and then downloads and executes the second part, which is the actual installer. Norton classifies the first wrapper as Suspicious.Cloud.2 and blocks it.

Does any of you have any idea of how to change the method of installation in order to not be classified as a virus? I'm pretty clueless regarding this issue - and it's also damaging my business.

Thanks,

J
Old 20th February 2011, 18:27   #2
parasoul
Senior Member
 
Join Date: Aug 2007
Posts: 117
Update NSIS to the most current version and perhaps use a different compressor. That worked for me in the past with other false-positive detections.
Old 20th February 2011, 18:37   #3
zenpoy
Junior Member
 
Join Date: Feb 2011
Posts: 38
Thanks for the reply!

Currently I use default compression, what compression are you suggesting?
Old 20th February 2011, 18:52   #4
Takhir
Major Dude
 
Join Date: Feb 2004
Location: Moscow, Russia
Posts: 1,220
Sometimes a virus uses an NSIS plug-in for internet access. If you use nsisdl or inetc - update it to the latest version. Or to a previous version. You need a version which is not marked as "Suspicious".
Old 21st February 2011, 06:10   #5
MSG
Major Dude
 
Join Date: Oct 2006
Posts: 1,892
Quote:
Originally Posted by zenpoy
Thanks for the reply!

Currently I use default compression, what compression are you suggesting?

LZMA gives the best compression, so...

But concerning your real problem: If your installer is flagged as a virus, submit it to Symantec security as a false positive. If your application is flagged as a virus, submit that to Symantec security as a false positive. (Try googling for 'symantec false positive'.)
Old 21st February 2011, 08:25   #6
zenpoy
Junior Member
 
Join Date: Feb 2011
Posts: 38
Quote:
Originally Posted by Takhir
Sometimes a virus uses an NSIS plug-in for internet access. If you use nsisdl or inetc - update it to the latest version. Or to a previous version. You need a version which is not marked as "Suspicious".

I use inetc. Do I need to compile with all sorts of versions and try with Norton to see if it shouts, or is there a place where I can read about what version counts as a virus?

BTW - Takhir - thanks for a great plugin
Old 21st February 2011, 17:05   #7
parasoul
Senior Member
 
Join Date: Aug 2007
Posts: 117
If inetc is getting tagged with a false positive, I'd tell Symantec first. And while you wait, you can also download the source and recompile it, which usually will get rid of any false positive detections. Make sure you're using the latest version, though.
Go Back   Winamp & SHOUTcast Forums > Developer Center > NSIS Discussion