I then zipped up all code without using the installer software (InstallMate is what I use) - IOW, I just packaged up the entire distribution folder minus the Installer package that provides the shortcut, registry keys (for IE version and file association) and Environment (adding to path) registration. I had removed all external binaries, and I was still getting errors. This still left me with 3 AV hits one of which was a major vendor - Avast. At this point I wasn't sure what to try. Which is ridiculous if you think about it! Installer Woes nevertheless it got flagged and the only way for me to get past this was to use an older version. It's also open source so the code is there for all to see - it'd be hard to hide a trojan in broad view especially in a tool with such tightly defined scope and size. After all hunspell is open source and quite popular as it's used by major pieces of software like most browsers and most open source editors. I uninstalled and installed an older version and AV no longer flagged those particular items. I played around with several different versions of hunspell and found that only the latest version of NHunspell was flagging AV. Removing hunspell immediately dropped a number of the AV hits (down to 3 from 9). Doing some research I found that another vendor had built a custom version of hunspell.dll that did some monkey business - and that's what got hunspell flagged as a potential trojan. It turns out that one third party library - hunspell spell checker library specifically - has had a problem with a very particular version. To my surprise, after removing all dependencies VirusTotal came down to 3 AV hits, instead of the previous 9 I started with - a definite improvement. I started by removing all DLL dependencies from the installed distribution before compiling into the installer. I figure it might be useful if you find yourself in a similar position with your application.
In this post I walk through the morass of trying to figure out what was causing the false positives and the workarounds that eventually allowed me to get past the problem - after quite a bit of sleuthing and wasted time. It took a while but I think I'm out of the woods for now. In order to track down the problem I tried a boatload of things to try and isolate where the problem was coming from. One installer platform apparently tagged. One third party library that had been flagged as malicious. How do I know this? As it turns out there were a number of factors at play here: In this case however, it turns out that it's definitely a case of false positives. Seeing AV warnings on software is something you generally want to take seriously. Brave indeed - I'm not sure I'd do the same. A few were brave and installed anyway - saying they trusted me that there was no malice in these files since they are coming from me. Looks nasty doesn't it? I had to take a closer look. Anti-Virus false positives are a pain because it's quite likely if you open the package and see a virus warning you're going to be very hesitant to go any further, my assurances aside :-) Several people contacted me in recent weeks and let me know that the installer was flagged by their Anti-Virus tool. But to my chagrin, using VirusTotal - which is used by Chocolatey and other distribution sources - I was coming away with 9 AV failures: After all I know what's in my code and there's nothing threatening in here. My first reaction was - "ah, just a fluke with a false positive". I didn't realize anything was wrong at first, until a few occasional emails came rolling in from users telling me their anti-virus flagged the installer - in many cases completely blocking the install process. It's a standalone desktop application and in recent months I've been plagued with Anti-Virus false positives for the installation executable. I've been working on Markdown Monster for a while now.