A former community discussing the business of software, from the smallest shareware operation to Microsoft. A part of Joel on Software.
Doug Nebeker ("Doug")
Some people (me included) are analysing any new installer on virustotal.com
Maybe it helps because Google is somehow involved in this service.
Thursday, November 12, 2015
Why am I putting the exe inside a zip?
Because it's a package, including some documentation, EULA, set up instructions, test data.
That's beside the point.
If I had a self-extracting .EXE would Google still warn that the file was potentially dangerous and recommend discarding it?
I can't give a definitive answer but an .exe inside of something else certainly can raise red flags.
Maybe software download sites still have some use, if they help prevent this message?
Thursday, November 12, 2015
Regarding zip: Can't you put all the EULA, etc., inside the installer? Isn't that the point of an installer?
Regarding the message: is that coming only from Chrome, or do other browsers generate a similar message? Or is it coming from Windows?
Can you Google about it and see if code signing your application ($$) will prevent this?
I'm still selling it.
Friday, November 13, 2015
I just released a public beta and I discovered a lot of people use Chrome...
They get the message and since the program is for a small niche of not-advanced users, they get scared.
More, Avast and probably Symantec report it as a possible malware since they never saw it before, but users don't read why and get scared...
Finally, Windows 8 and probably 10 report it as coming from an untrusted source so you have to double confirm...
On Mac, since the app is not signed, users need to use Finder, ctrl-click to open... etc etc etc....
>On Mac, since the app is not signed, users need to use Finder, ctrl-click to open... etc etc etc....
IIRC the default on Mac OS X has been not to allow people to run software unless it is either downloaded from the App Store or signed using a certificate purchased from Apple.
Code signing is a bit of a racket. But, IMHO, if you are serious about your downloadable software, then you should sign it.
I have a Comodo cert for Windows (purchased from ksoftware.net) and an Apple cert for Mac (which comes with an annual developer sub).
Saturday, November 14, 2015
I'm in a small niche and I'm having difficulty finding beta testers since they are mostly "Facebook" users; having them download and install the software with all those warnings is really difficult.
Just 2 friends installed, but they just installed not being potential users... they commented on the GUI, asking for changes that were radically divergent!
Buying a certificate now is not a smart move, unless it is very cheap...
It is generally recommended to sign the .exe inside the download, in addition to the download.
Thursday, November 19, 2015
A gentleman ordered my solution two days ago, but now is requesting a refund claiming that it doesn't work. I'm currently waiting for feedback on how closely my instructions were followed, but anyway I still believe that it must work.
Friday, November 20, 2015
I looked into this "VirusTotal" thing. Apparently a Google subsidiary.
Anyway the offending piece of software was given a full bill of health by the online scan.
So much for corporate joined-up thinking.
Next to try .... signing the setup.exe contained within the signed executable zip.
It now works. I have no idea why. But I spent £hundreds on SSL certificates and spent most of last night and today trying to resolve it.
Hopefully a final update.
I took my "ZIP" file and turned it into a self-extracting EXE and bought an SSL certificate and signed the installer. Scanned it through "VirusTotal". Uploaded it to my site.
Still had the same damn message.
So I checked my Google WebMaster (and Bing WebMaster) tools.
Everything was OK. Under the security section Google said words to the effect of: "Everything on your site is fine. We can see no problems or Malware".
Bing said "Everything on your site is great. We can see no malware or problems"
So I bought an SSL certificate and moved the whole site onto SSL.
And still the message appeared. At which point I nearly cried.
But instead I went back into Google Web master tools.
And this time it said "Severe error on your site. Malware or Unwanted Software detected". But gave no details (in fact it said "We cannot work out where the problem is").
BUT there was now a "Request Review" button. So I pressed it and filled in a form saying all the things I had done, and how the site was not misleading and that we were an ISV selling software and asking what needed to be done.
And after a few hours the request was rejected ... with no explanation at all, no hint about what was wrong.
So I re-submitted with a slightly terser message.
And when I came back the security message was no longer there AND now my software downloads without the message!
So I put back the original "zip" downloads. And they now work fine too.
So a frustrating few days. But I am glad it is now sorted out and also I am pleased that it pushed me into getting the installer signed and moving the site to SSL which is something I had intended to do but never could quite prioritise.
This is a breakthrough in this field (breakthrough for MISVs trying to sell downloadable software and there is no one at Google who cares to show the Request Review button when you are on http). I will definitely use your solution if mine stops working one day ...
Monday, November 23, 2015