Inno Setup is Flagged as Trojan?

Dan Korneff

I'm looking into this tonight. I have the EV certificates, and for some reason NORTON hates my installers. Specifically, the files created for uninstallation.

aaronventure

@Dan-Korneff tried InstallForge, now my main computer also detects that setup as a virus, and it's flagged 11/72 on VirusTotal.

That custom HISE installer idea looking better and better with every moment...

d.healey

@aaronventure said in Inno Setup is Flagged as Trojan?:

custom HISE installer idea looking better

But the user still has to install the installer

aaronventure

@d-healey do they? I tried exporting a standalone exe and it scans fine.

Is there a reason distributing that wouldn't work?

DanH

@aaronventure I supply just a standalone and don't have any issues, other than permissions issues (unrelated to virus scanning)

aaronventure

@DanH right then, a standalone app that will do the simple installation of samples + vst3.

I imagine the mac version still needs to be notarized

DanH

@aaronventure for Mac I put the app in a DMG file, and notarise the DMG. The app needs to be codesigned obviously

I use DMG Canvas

https://www.araelium.com/dmgcanvas

Christoph Hart

@aaronventure I'm not 100% sure, but I think that any binary that you compile on your system is automatically considered trustworthy on your system (that's at least how it works on macOS).

But there are other reasons that might flag a Innosetup installer:

• requires admin access for copying files to places which wouldn't be accessible
• writes something into the registry to be listed in the "Uninstall App" window of System control
• tries to write files somewhere (this is a more suspicious activity than rendering audio)

I don't think any kind of custom-made installer will fix that problem. But are you sure that's a problem at all? You wouldn't be the first person that distributes an app with InnoSetup and the others seem to be fine.

aaronventure

@DanH do you need to do that for the vst3 or au as well?

DanH

@aaronventure codesign? Of course :)

DanH

@Christoph-Hart Yup my InnoSetup installers only very occasionally get flagged on a users system (I suspect more than I know because users are used to this and simply install them anyway), so I would send some out to beta testers and see what happens @aaronventure

d.healey

@DanH There's also browsers which have their own system for flagging suspicious binaries and preventing the user downloading them.

DanH

@d-healey haven't had any issues with those thus far far :crossed_fingers:

aaronventure

@Christoph-Hart I tried it on another computer, instantly flagged. No files at all inside, just a blank installer, no changes to the script.

That one won't event build one. I'm scanning with VirusTotal.

I just need to ask the user where they want the samples, then put the vst3 into the right folder, and create the LinkWindows file. That can be done with HISE, right? Had a brief look at the file and filesystem api...

DanH

@aaronventure yes that can all be done with a Hise app, but perhaps try building your inno stuff on a different computer first

Christoph Hart

Have you named your installer setup.exe or a custom name? Apparently calling it setup.exe will raise the probability of a false positive.

You gotta appreciate the brain power and excellence that went into developing antivirus software, that‘s some peak genius move.

Lindon

@aaronventure said in Inno Setup is Flagged as Trojan?:

@Christoph-Hart I tried it on another computer, instantly flagged. No files at all inside, just a blank installer, no changes to the script.

That one won't event build one. I'm scanning with VirusTotal.

I just need to ask the user where they want the samples, then put the vst3 into the right folder, and create the LinkWindows file. That can be done with HISE, right? Had a brief look at the file and filesystem api...

So we use (from time to time) a single custom installer for MacOS and Windows written in HISE, it seems to work fine. This shows the user the EULA and gets them to agree then installs the plugins (VST3, AU, AAX) as required by each OS, asks the user where they want the samples placing - and puts them there - and creates the LinkOS file. It puts the factory presets in the correct folder, the HISE HWT files in the correct folder and all the wav files (Convolutions and file player stuff) in the correct location. Finally it puts a bunch of meta data in the APP folder (usually json and js files).

Basically it uses an internal manifest file - that lists a series of zip files (renamed as something other than .zip to get around Safari) with a destination for each of the unzipped contents. Here's an example with a lot of samples in it..

var manifest =  [
	
	{	"DataType" : VST3,
		"Location" : VST3LOCATION,
		"WindowsZipName"  : ["Atmosia25Data01.cra"],
		"MacOSZipName" : ["Atmosia25Data02.cra"],
		"MegaBytesRequired" : 1
	},
	{
		"DataType" : AU,
		"Location" : AULOCATION,
		"WindowsZipName"  : ["UNUSED"],
		"MacOSZipName" : ["Atmosia25Data03.cra"],
		"MegaBytesRequired" : 1
	},
	{
		"DataType" : CHFILES,
		"Location" : EXISTINGLOCATION,
		"WindowsZipName"  : ["Atmosia25Data04.cra","Atmosia25Data05.cra","Atmosia25Data06.cra"],
		"MacOSZipName" : ["Atmosia25Data04.cra","Atmosia25Data05.cra","Atmosia25Data06.cra"],
		"MegaBytesRequired" : 2600
	},
	{
		"DataType" : METAFILES,
		"Location" : PRESETLOCATION,
		"WindowsZipName"  : ["Atmosia25Data07.cra"],
		"MacOSZipName" : ["Atmosia25Data07.cra"],
		"MegaBytesRequired" : 1
	},
	{
		"DataType" : WAVFILES,
		"Location" : AUDIOFILESLOCATION,
		"WindowsZipName"  : ["Atmosia25Data08.cra"],
		"MacOSZipName" : ["Atmosia25Data08.cra"],
		"MegaBytesRequired" : 26 
	},
	{
		"DataType" : PRESETFILES,
		"Location" : PRESETLOCATION,
		"WindowsZipName"  : ["Atmosia25Data09.cra"],
		"MacOSZipName" : ["Atmosia25Data09.cra"],
		"MegaBytesRequired" : 13
	} 
];

Then it uses the file system API to get the locations and the File.extractZipFile() to put things in the correct place

So the customer has to download these renamed zip files and a zip containing the installer - then run the installer. If you dont want the user doing these multiple downloads(the example above is 9 .cra files) you can even add that into the installer app and then the user downloads and unzips the installer - runs it and follows the instructions in the installer...

On MacOS you will need to codesign the plugins and the installer App and also notarize the Installer App - to be honest we notarize the plugins too...AU and VST3..

Oli Ullmann

@Lindon
Have you never had writing permission problems? And if you did, how did you solve them?

d.healey

@Oli-Ullmann On Windows there is a checkbox in HISE preference to enable admin permissions. Doesn't work from plugins though, only standalone. No issue on MacOS as far as I'm aware.

Lindon

@d-healey said in Inno Setup is Flagged as Trojan?:

@Oli-Ullmann On Windows there is a checkbox in HISE preference to enable admin permissions. Doesn't work from plugins though, only standalone. No issue on MacOS as far as I'm aware.

on the Mac you may well need to turn on the sandbox authorisation...