Inno Setup is Flagged as Trojan?
-
Tried it in a sandbox, same thing.
Again, I just click through the wizard and create an empty installer with no files of my own, I even set the flag that it doesn't contain an .exe file.
Same flags pop up when I upload the file to VirusTotal.
On my laptop (Win10), it won't even compile, it stops the Inno compilation saying it's detected a virus.
Inno 6.2.2. Can anyone check, if you're on Windows? Download Inno 6.2.2, just run through the script wizard, don't even change any names, don't include any files.
-
@aaronventure If you search innosetup false positive in your favourite search engine you will see this a lot. They want your money to make the nasty warning go away.
:money-mouth_face:
-
@d-healey I've read through all the threads on Stack Overflow, yeah.
Well, if I sign it with Limelighter, the number of flags goes down from 17 to 7, one of them still being Microsoft.
-
I'm looking into this tonight. I have the EV certificates, and for some reason NORTON hates my installers. Specifically, the files created for uninstallation.
-
@Dan-Korneff tried InstallForge, now my main computer also detects that setup as a virus, and it's flagged 11/72 on VirusTotal.
That custom HISE installer idea looking better and better with every moment...
-
@aaronventure said in Inno Setup is Flagged as Trojan?:
> custom HISE installer idea looking better

But the user still has to install the installer
-
@d-healey do they? I tried exporting a standalone exe and it scans fine.
Is there a reason distributing that wouldn't work?
-
@aaronventure I supply just a standalone and don't have any issues, other than permissions issues (unrelated to virus scanning)
-
@DanH right then, a standalone app that will do the simple installation of samples + vst3.
I imagine the mac version still needs to be notarized
-
@aaronventure for Mac I put the app in a DMG file, and notarise the DMG. The app needs to be codesigned obviously
I use DMG Canvas
-
@aaronventure I'm not 100% sure, but I think that any binary that you compile on your system is automatically considered trustworthy on your system (that's at least how it works on macOS).
But there are other reasons that might flag an Innosetup installer:
- requires admin access for copying files to places which wouldn't be accessible
- writes something into the registry to be listed in the "Uninstall App" window of System control
- tries to write files somewhere (this is a more suspicious activity than rendering audio)
I don't think any kind of custom-made installer will fix that problem. But are you sure that's a problem at all? You wouldn't be the first person that distributes an app with InnoSetup and the others seem to be fine.
-
@DanH do you need to do that for the vst3 or au as well?
-
@aaronventure codesign? Of course :)
-
@Christoph-Hart Yup my InnoSetup installers only very occasionally get flagged on a users system (I suspect more than I know because users are used to this and simply install them anyway), so I would send some out to beta testers and see what happens @aaronventure
-
@DanH There's also browsers which have their own system for flagging suspicious binaries and preventing the user downloading them.
-
@d-healey haven't had any issues with those thus far :crossed_fingers:
-
@Christoph-Hart I tried it on another computer, instantly flagged. No files at all inside, just a blank installer, no changes to the script.
That one won't even build one. I'm scanning with VirusTotal.
I just need to ask the user where they want the samples, then put the vst3 into the right folder, and create the LinkWindows file. That can be done with HISE, right? Had a brief look at the file and filesystem api...
-
@aaronventure yes that can all be done with a Hise app, but perhaps try building your inno stuff on a different computer first
-
Have you named your installer setup.exe or a custom name? Apparently calling it setup.exe will raise the probability of a false positive.
You gotta appreciate the brain power and excellence that went into developing antivirus software, that's some peak genius move.
-
@aaronventure said in Inno Setup is Flagged as Trojan?:
> @Christoph-Hart I tried it on another computer, instantly flagged. No files at all inside, just a blank installer, no changes to the script.
> That one won't even build one. I'm scanning with VirusTotal.
> I just need to ask the user where they want the samples, then put the vst3 into the right folder, and create the LinkWindows file. That can be done with HISE, right? Had a brief look at the file and filesystem api...

So we use (from time to time) a single custom installer for MacOS and Windows written in HISE, it seems to work fine. This shows the user the EULA and gets them to agree then installs the plugins (VST3, AU, AAX) as required by each OS, asks the user where they want the samples placing - and puts them there - and creates the LinkOS file. It puts the factory presets in the correct folder, the HISE HWT files in the correct folder and all the wav files (Convolutions and file player stuff) in the correct location. Finally it puts a bunch of meta data in the APP folder (usually json and js files).
Basically it uses an internal manifest file - that lists a series of zip files (renamed as something other than .zip to get around Safari) with a destination for each of the unzipped contents. Here's an example with a lot of samples in it..
```javascript
var manifest = [
  {
    "DataType" : VST3,
    "Location" : VST3LOCATION,
    "WindowsZipName" : ["Atmosia25Data01.cra"],
    "MacOSZipName" : ["Atmosia25Data02.cra"],
    "MegaBytesRequired" : 1
  },
  {
    "DataType" : AU,
    "Location" : AULOCATION,
    "WindowsZipName" : ["UNUSED"],
    "MacOSZipName" : ["Atmosia25Data03.cra"],
    "MegaBytesRequired" : 1
  },
  {
    "DataType" : CHFILES,
    "Location" : EXISTINGLOCATION,
    "WindowsZipName" : ["Atmosia25Data04.cra","Atmosia25Data05.cra","Atmosia25Data06.cra"],
    "MacOSZipName" : ["Atmosia25Data04.cra","Atmosia25Data05.cra","Atmosia25Data06.cra"],
    "MegaBytesRequired" : 2600
  },
  {
    "DataType" : METAFILES,
    "Location" : PRESETLOCATION,
    "WindowsZipName" : ["Atmosia25Data07.cra"],
    "MacOSZipName" : ["Atmosia25Data07.cra"],
    "MegaBytesRequired" : 1
  },
  {
    "DataType" : WAVFILES,
    "Location" : AUDIOFILESLOCATION,
    "WindowsZipName" : ["Atmosia25Data08.cra"],
    "MacOSZipName" : ["Atmosia25Data08.cra"],
    "MegaBytesRequired" : 26
  },
  {
    "DataType" : PRESETFILES,
    "Location" : PRESETLOCATION,
    "WindowsZipName" : ["Atmosia25Data09.cra"],
    "MacOSZipName" : ["Atmosia25Data09.cra"],
    "MegaBytesRequired" : 13
  }
];
```
Then it uses the file system API to get the locations and the File.extractZipFile() to put things in the correct place
So the customer has to download these renamed zip files and a zip containing the installer - then run the installer. If you don't want the user doing these multiple downloads (the example above is 9 .cra files) you can even add that into the installer app and then the user downloads and unzips the installer - runs it and follows the instructions in the installer...
On MacOS you will need to codesign the plugins and the installer App and also notarize the Installer App - to be honest we notarize the plugins too...AU and VST3..
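
Added example, not part of the post above and not HISE code: separately downloaded `.cra` archives are not covered by the code signature on the installer app, so a manifest-driven installer can pin a SHA-256 digest per archive and check entry paths before extracting. This Node.js sketch assumes a hypothetical `Sha256` map added to each manifest entry; the file names and contents are constructed.

```javascript
// Added example (Node.js), not the poster's HISE script. The "Sha256" map is a
// hypothetical extension of the manifest; file names and contents are constructed.
const crypto = require("node:crypto");
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");

const sha256File = (file) =>
  crypto.createHash("sha256").update(fs.readFileSync(file)).digest("hex");

// Pick this platform's archives, skip the "UNUSED" placeholder, and refuse to
// continue unless every archive exists and matches its pinned digest.
function verifyManifest(manifest, downloadDir, platformKey) {
  const verified = [];
  for (const entry of manifest) {
    for (const name of entry[platformKey].filter((n) => n !== "UNUSED")) {
      const file = path.join(downloadDir, path.basename(name));
      const expected = entry.Sha256 && entry.Sha256[name];
      if (!expected) throw new Error(`no pinned digest for ${name}`);
      if (!fs.existsSync(file)) throw new Error(`missing archive ${name}`);
      if (sha256File(file) !== expected.toLowerCase())
        throw new Error(`digest mismatch for ${name}`);
      verified.push({ file, destination: entry.Location });
    }
  }
  return verified;
}

// Zip-slip guard: an archive entry may only resolve to a path inside destination.
function isInsideDestination(destination, entryName) {
  const root = path.resolve(destination);
  const target = path.resolve(root, entryName);
  return target === root || target.startsWith(root + path.sep);
}

// Constructed demo: one good archive, then the same file modified after pinning.
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "cra-"));
  fs.writeFileSync(path.join(dir, "Data01.cra"), "constructed plugin payload");
  const pinned = sha256File(path.join(dir, "Data01.cra"));
  const manifest = [{ DataType: "VST3", Location: path.join(dir, "VST3"),
    WindowsZipName: ["Data01.cra"], MacOSZipName: ["UNUSED"],
    Sha256: { "Data01.cra": pinned } }];
  const ok = verifyManifest(manifest, dir, "WindowsZipName").length;
  const mac = verifyManifest(manifest, dir, "MacOSZipName").length;
  fs.appendFileSync(path.join(dir, "Data01.cra"), "tampered");
  let rejected = false;
  try { verifyManifest(manifest, dir, "WindowsZipName"); } catch (e) { rejected = true; }
  return { ok, mac, rejected };
}
```

Run `verifyManifest` over the whole manifest before the first extraction, and call `isInsideDestination` on every entry name of an archive before writing it, so a bad download stops the install with nothing yet copied.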