


I played around with several different versions of hunspell and found that only the latest version of NHunspell was flagging AV. Removing hunspell immediately dropped a number of the AV hits (down to 3 from 9). Doing some research I found that another vendor had built a custom version of hunspell.dll that did some monkey business - and that's what got hunspell flagged as a potential trojan. It turns out that one third party library - hunspell spell checker library specifically - has had a problem with a very particular version. To my surprise, after removing all dependencies VirusTotal came down to 3 AV hits, instead of the previous 9 I started with - a definite improvement. I started by removing all DLL dependencies from the installed distribution before compiling into the installer. I figure it might be useful if you find yourself in a similar position with your application. In this post I walk through the morass of trying to figure out what was causing the false positives and the workarounds that eventually allowed me to get past the problem - after quite a bit of sleuthing and wasted time.

It took a while but I think I'm out of the woods for now. In order to track down the problem I tried a boatload of things to try and isolate where the problem was coming from.

A few were brave and installed anyway - saying they trusted me that there was no malice in these files since they are coming from me. Looks nasty, doesn't it? I had to take a closer look. Anti-Virus false positives are a pain because it's quite likely if you open the package and see a virus warning you're going to be very hesitant to go any further, my assurances aside :-) Several people contacted me in recent weeks and let me know that the installer was flagged by their Anti-Virus tool. But to my chagrin, using VirusTotal - which is used by Chocolatey and other distribution sources - I was coming away with 9 AV failures: After all I know what's in my code and there's nothing threatening in here. My first reaction was - "ah, just a fluke with a false positive". I didn't realize anything was wrong at first, until a few occasional emails came rolling in from users telling me their anti-virus flagged the installer - in many cases completely blocking the install process. It's a standalone desktop application and in recent months I've been plagued with Anti-Virus false positives for the installation executable. I've been working on Markdown Monster for a while now.
