* The Business of Software

A former community discussing the business of software, from the smallest shareware operation to Microsoft. A part of Joel on Software.

Installer accused of being a virus. How to detect it early?

Recently one of my customers contacted me, claiming that my installer was infected by a virus. It turned out to be a false alarm. Unfortunately it was not the first time - it was the second case in the last three years. The first time it was Kaspersky, this time Avast. In both cases several other antivirus apps reported that everything was OK.

You can bet that it's not pleasant to hear such info from a customer. Who knows for how long this alert was displayed to potential new clients. Moreover, it looks like it's not tied to the release of a new version of my software. The timing looks rather like an update to the antivirus engine was the primary cause.

Has anyone in this forum suffered a similar situation?
How do you fight it? How to detect it early? Manual testing of my installer with the top 10 antivirus engines every week seems to be a bit exaggerated. I would prefer spending more time on something more useful for my users.

Any suggestions?
jl
Monday, May 05, 2014
I use the VirusTotal multi-engine scanner to scan my files before release.
anonagain
Monday, May 05, 2014

That's a handy tool - and you don't need to check every week.

Obviously check with every released update, and if you see anything weird like a sudden drop in sales, downloads or a sudden flurry of refund requests.

If you have an email list of customers - and you should - this issue is worth a reassuring note to let them know it's a false alarm.

Reluctantlyregistered
Monday, May 05, 2014
>> "Have anyone in this forum suffered similar situation?
How do you fight it?"

To fight it:

1. Don't use "compressors" or "wrappers" like UPX or any of the billion alternatives. That means don't use it on your app and don't use it on your installer. Don't use it on anything. In this day and age programs like UPX are worse than useless.

2. Always code-sign your app and your installer and your uninstaller with a proper code signing certificate. No self-signing, and none of the cheap or free certificates (because Windows doesn't recognize those certificate authorities). So stick with a well known name (Verisign, Comodo, Thawte, etc.).
Wyatt O'Day
Monday, May 05, 2014
I also check all my releases with virustotal.com (both the installer and the program).
Andy Brice
Monday, May 05, 2014
In my case codesigning solved the problem.

In addition I have added the program to Kaspersky "Whitelist".

I have heard that Symantec has a White list program as well.
MatrixFailure
Tuesday, May 06, 2014
Thanks all for suggestions.

Virustotal.com seems like a way to go. It has both Kaspersky and Avast. I've found https://www.metascan-online.com/ but currently they don't test with Avast.

Codesigning: I'm already using code signing certificate from Verisign.

Kaspersky Whitelist: Good suggestion. I'm already using it.

Periodic testing vs testing only new releases: It looks like the error was triggered by a change in the antivirus definition database rather than by a change in my software. The error surfaced a few months after the release of a new version. The error was thrown in the middle of the installation process. The installer itself seemed to be OK, but while the installer tried to copy one specific file the alarm went up.

This is why I'm thinking about periodic testing of the version downloaded from my web page.

The service would get a list of URLs. It will download the installation packages and run them. All files will be scanned with antivirus software. It will test both the files and the installer behavior.

I would be willing to pay a small monthly fee for such a service. So far I have failed to find a ready-to-use service. I'm thinking about building it and offering it to other vendors. Would you find it useful?

(I'm not sure, because both my false alarms would probably be detected by scanning the installed files and the installer itself using the VirusTotal API. However, using the API you would not detect a false alarm caused by suspicious behavior while the installer is being run.)
jl
Tuesday, May 06, 2014
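The static half of the periodic check described in the post above, as an added example that is not code from the thread: hash each shipped file, look up its multi-engine report, and alert only on engines that were clean in the stored baseline. It assumes the current VirusTotal API v3 file-report layout (`last_analysis_results`) and an API key; the two sample reports and the verdict name are constructed.

```python
import hashlib
import json
import urllib.request

VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{}"  # API v3 report-by-hash

def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large installers need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def fetch_report(sha256, api_key):
    """Look up an existing report by hash (needs network access and a key)."""
    req = urllib.request.Request(VT_FILE_URL.format(sha256),
                                 headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def flagged_engines(report):
    """Return {engine: verdict} for engines calling the file malicious/suspicious."""
    results = (report.get("data", {}).get("attributes", {})
                     .get("last_analysis_results", {}))
    return {name: r.get("result") for name, r in results.items()
            if r.get("category") in ("malicious", "suspicious")}

def new_detections(baseline, current):
    """Engines that flag the file now but did not in the stored baseline."""
    return {e: v for e, v in current.items() if e not in baseline}

def _report(**engines):
    # Builds a constructed report in the shape fetch_report() returns.
    return {"data": {"attributes": {"last_analysis_results": {
        name: {"category": cat, "result": res}
        for name, (cat, res) in engines.items()}}}}

# Constructed samples: same file, scanned before and after a definition update.
LAST_WEEK = _report(Avast=("undetected", None), Kaspersky=("undetected", None))
THIS_WEEK = _report(Avast=("malicious", "Example:Generic-FP"),
                    Kaspersky=("undetected", None))

if __name__ == "__main__":
    alerts = new_detections(flagged_engines(LAST_WEEK), flagged_engines(THIS_WEEK))
    for engine, verdict in alerts.items():
        print(f"NEW detection by {engine}: {verdict}")
```

Because the comparison is against the previous scan of the same unchanged file, an alert here points at a definition update rather than a new build; it does not cover detections raised only while the installer runs.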
Wanted to add one more point. Don't blindly trust VirusTotal.
Last time they had wrong detections for the updated versions of some AV engines. I reported the false positive to the vendors; they said nothing was wrong. Then I went ahead to MetaScan; they had the correct results. My point is don't stick with just one.

@jl Does VirusTotal provide their API for commercial use? I don't think the AV vendors will allow this. VT sends all the files flagged as malware to the labs of the vendors they support.
anonagain
Wednesday, May 07, 2014
@anonagain I've found nothing in the VirusTotal TOS which would prohibit this, but I have to ask them to be sure. Metascan allows this; you only have to pay if you want to scan more than a few files per minute.

Question is: would such service be considered useful? Maybe my view is obscured by our recent false alarm. Others may find it useless.
jl
Wednesday, May 07, 2014

This topic is archived. No further replies will be accepted.
