Inno Setup is Flagged as Trojan?
-
Have you named your installer setup.exe or a custom name? Apparently calling it setup.exe will raise the probability of a false positive.
You gotta appreciate the brain power and excellence that went into developing antivirus software, that‘s some peak genius move.
-
@aaronventure said in Inno Setup is Flagged as Trojan?:
@Christoph-Hart I tried it on another computer, instantly flagged. No files at all inside, just a blank installer, no changes to the script.
That one won't event build one. I'm scanning with VirusTotal.
I just need to ask the user where they want the samples, then put the vst3 into the right folder, and create the LinkWindows file. That can be done with HISE, right? Had a brief look at the file and filesystem api...
So we use (from time to time) a single custom installer for MacOS and Windows written in HISE, it seems to work fine. This shows the user the EULA and gets them to agree then installs the plugins (VST3, AU, AAX) as required by each OS, asks the user where they want the samples placing - and puts them there - and creates the LinkOS file. It puts the factory presets in the correct folder, the HISE HWT files in the correct folder and all the wav files (Convolutions and file player stuff) in the correct location. Finally it puts a bunch of meta data in the APP folder (usually json and js files).
Basically it uses an internal manifest file - that lists a series of zip files (renamed as something other than .zip to get around Safari) with a destination for each of the unzipped contents. Here's an example with a lot of samples in it..
var manifest = [ { "DataType" : VST3, "Location" : VST3LOCATION, "WindowsZipName" : ["Atmosia25Data01.cra"], "MacOSZipName" : ["Atmosia25Data02.cra"], "MegaBytesRequired" : 1 }, { "DataType" : AU, "Location" : AULOCATION, "WindowsZipName" : ["UNUSED"], "MacOSZipName" : ["Atmosia25Data03.cra"], "MegaBytesRequired" : 1 }, { "DataType" : CHFILES, "Location" : EXISTINGLOCATION, "WindowsZipName" : ["Atmosia25Data04.cra","Atmosia25Data05.cra","Atmosia25Data06.cra"], "MacOSZipName" : ["Atmosia25Data04.cra","Atmosia25Data05.cra","Atmosia25Data06.cra"], "MegaBytesRequired" : 2600 }, { "DataType" : METAFILES, "Location" : PRESETLOCATION, "WindowsZipName" : ["Atmosia25Data07.cra"], "MacOSZipName" : ["Atmosia25Data07.cra"], "MegaBytesRequired" : 1 }, { "DataType" : WAVFILES, "Location" : AUDIOFILESLOCATION, "WindowsZipName" : ["Atmosia25Data08.cra"], "MacOSZipName" : ["Atmosia25Data08.cra"], "MegaBytesRequired" : 26 }, { "DataType" : PRESETFILES, "Location" : PRESETLOCATION, "WindowsZipName" : ["Atmosia25Data09.cra"], "MacOSZipName" : ["Atmosia25Data09.cra"], "MegaBytesRequired" : 13 } ];
Then it uses the file system API to get the locations and the File.extractZipFile() to put things in the correct place
So the customer has to download these renamed zip files and a zip containing the installer - then run the installer. If you dont want the user doing these multiple downloads(the example above is 9 .cra files) you can even add that into the installer app and then the user downloads and unzips the installer - runs it and follows the instructions in the installer...
On MacOS you will need to codesign the plugins and the installer App and also notarize the Installer App - to be honest we notarize the plugins too...AU and VST3..
-
@Lindon
Have you never had writing permission problems? And if you did, how did you solve them? -
@Oli-Ullmann On Windows there is a checkbox in HISE preference to enable admin permissions. Doesn't work from plugins though, only standalone. No issue on MacOS as far as I'm aware.
-
@d-healey said in Inno Setup is Flagged as Trojan?:
@Oli-Ullmann On Windows there is a checkbox in HISE preference to enable admin permissions. Doesn't work from plugins though, only standalone. No issue on MacOS as far as I'm aware.
on the Mac you may well need to turn on the sandbox authorisation...
-
@d-healey
Thank you for the tip! :-) -
@Lindon
Many thanks for the information! Can you tell me where I can do this? In the HISE Preferences? -
@d-healey i still get users having issues with permissions on windows even with this checked. Not often but it happens and is annoying. Do you not?
-
@DanH I haven't had any issues in a standalone build.
-
@Oli-Ullmann said in Inno Setup is Flagged as Trojan?:
@Lindon
Many thanks for the information! Can you tell me where I can do this? In the HISE Preferences?if I remember correctly its in projuicer
-
Let's see if we can't fuck over the mafia, at least the one dealing certs for Windows.
Does extractzip work on split zip files?
How do I point to the folder where the standalone is currently located? I don't see a Filesystem.special for this.
I'm thinking of having a very generic installer that works for all. Server interfacing, if necessary, is then up to each individual project to be done from inside the plugin.
I'm working on one right now.
- deliver one zip, when unpacked contains setup.exe (built in HISE), Plugins.zip, Samples.zip, etc.
- check current exe directory (how?) extract Plugins.zip to FileSystem.temp, check for each extension, if it exists, move it to the correct place
- extract Samples.zip, which can contain all the big files, to a folder the user specified
- write the linkfile for the user specified folder
- if there are files you'd like in a different place, simply zip them into a different archive.
- this also allows the user to do a manual install if they wish
- ship a text file that stores CompanyName and ProjectName so that the correct base path, title etc. can be displayed.
This kind of installer can then be shipped with any HISE-based plugin and just work out of the box.
-
@aaronventure said in Inno Setup is Flagged as Trojan?:
Does extractzip work on split zip files?
There is no split zip in the zip standard, I think programs like winrar might have their own version. But you can loop over multiple zip files and call extractZip in a loop.
deliver one zip, when unpacked contains setup.exe (built in HISE), Plugins.zip, Samples.zip, etc.
Be sure to change the file extension otherwise it will automatically be extracted if the user is using Safari, or has enabled the auto-extract setting in their browser.
check current exe directory (how?)
What are you checking for?
@aaronventure said in Inno Setup is Flagged as Trojan?:
I'm thinking of having a very generic installer that works for all.
This guy had the same idea ;) - https://forum.hise.audio/topic/8707/rhapsody-plugin-installer
-
@d-healey said in Inno Setup is Flagged as Trojan?:
There is no split zip in the zip standard, I think programs like winrar might have their own version. But you can loop over multiple zip files and call extractZip in a loop.
Alright, do you think would be necessary in the first place? In what situations, other than FAT32, are large archives an issue?
Would be somewhat weird to ship an 80GB Samples.zip, but if it works, who cares.
Not being able to simply zip up all the samples into a split archive with a single task makes it a bit problematic, no?
If I split a zip file using 7zip, it creates file.zip.001, zip.002, and 7zip has no issues extracting from these files if the extraction is initiated on the .001 file.
@d-healey said in Inno Setup is Flagged as Trojan?:
Be sure to change the file extension otherwise it will automatically be extracted if the user is using Safari, or has enabled the auto-extract setting in their browser.
That's great, didn't know about that. Can I just change it to anything and HISE will still unzip it? the .002, .003 split system from 7zip bypasses this issue, no?
@d-healey said in Inno Setup is Flagged as Trojan?:
What are you checking for?
The idea is to script the installer to extract the archives that are in the same directory as the installer itself. So I need a constant that will always return the current standalone .exe directory.
@d-healey said in Inno Setup is Flagged as Trojan?:
This guy had the same idea ;)
Haha that's great! Do you think a dedicated project that's then licensed as MIT, would be a good default option for HISE on Windows? That way anything we make here can still go into Rhapsody under GPL and anywhere else.
-
@d-healey said in Inno Setup is Flagged as Trojan?:
@aaronventure said in Inno Setup is Flagged as Trojan?:
Does extractzip work on split zip files?
There is no split zip in the zip standard, I think programs like winrar might have their own version. But you can loop over multiple zip files and call extractZip in a loop.
deliver one zip, when unpacked contains setup.exe (built in HISE), Plugins.zip, Samples.zip, etc.
Be sure to change the file extension otherwise it will automatically be extracted if the user is using Safari, or has enabled the auto-extract setting in their browser.
check current exe directory (how?)
What are you checking for?
@aaronventure said in Inno Setup is Flagged as Trojan?:
I'm thinking of having a very generic installer that works for all.
This guy had the same idea ;) - https://forum.hise.audio/topic/8707/rhapsody-plugin-installer
so did this guy:
-
@aaronventure said in Inno Setup is Flagged as Trojan?:
Alright, do you think would be necessary in the first place? In what situations, other than FAT32, are large archives an issue?
I wouldn't provide a file larger than 2GB. Some users have dodgy internet connections and if it goes down during a 2GB file it's not a problem but a 10GB file that they've been downloading for hours will be annoying. 4GB is probably ok, but I like to keep it to 2. I also suspect some browsers might have limitations on the download size for a single file, though I've not looked into it.
Not being able to simply zip up all the samples into a split archive with a single task makes it a bit problematic, no?
I make my own multi-part zips (HISE will do this for you automatically for samples). It's just a case of bundling the samples into multiple zip files and adding part1, part2, etc. to the name. Before you extract them you can sort the files alphabetically so that they will be extracted in order, which is sometimes necessary.
Can I just change it to anything and HISE will still unzip it?
Yup
@aaronventure said in Inno Setup is Flagged as Trojan?:
The idea is to script the installer to extract the archives that are in the same directory as the installer itself. So I need a constant that will always return the current standalone .exe directory.
Why? I just ask the user to select the location of the files.
@aaronventure said in Inno Setup is Flagged as Trojan?:
Do you think a dedicated project that's then licensed as MIT,
Can you release JUCE/HISE code under the MIT license without paying a license fee?
-
@aaronventure said in Inno Setup is Flagged as Trojan?:
@d-healey said in Inno Setup is Flagged as Trojan?:
There is no split zip in the zip standard, I think programs like winrar might have their own version. But you can loop over multiple zip files and call extractZip in a loop.
Alright, do you think would be necessary in the first place? In what situations, other than FAT32, are large archives an issue?
File.extractZip is problematic (fails) on very large files - so just zip your contents up into a number of zip files and loop over them in your HISE app...
Would be somewhat weird to ship an 80GB Samples.zip, but if it works, who cares.
- it wont (likely) about 2Gb seems to be the limit..
Not being able to simply zip up all the samples into a split archive with a single task makes it a bit problematic, no?
no just loop over them in your app extracting one at a time...
If I split a zip file using 7zip, it creates file.zip.001, zip.002, and 7zip has no issues extracting from these files if the extraction is initiated on the .001 file.
@d-healey said in Inno Setup is Flagged as Trojan?:
Be sure to change the file extension otherwise it will automatically be extracted if the user is using Safari, or has enabled the auto-extract setting in their browser.
That's great, didn't know about that. Can I just change it to anything and HISE will still unzip it? the .002, .003 split system from 7zip bypasses this issue, no?
yes - pick your own extension...
@d-healey said in Inno Setup is Flagged as Trojan?:
What are you checking for?
The idea is to script the installer to extract the archives that are in the same directory as the installer itself. So I need a constant that will always return the current standalone .exe directory.
Assume the zips are in the users download folder - go there and look for them - if not found ask the user to point you at them.
@d-healey said in Inno Setup is Flagged as Trojan?:
This guy had the same idea ;)
Haha that's great! Do you think a dedicated project that's then licensed as MIT, would be a good default option for HISE on Windows? That way anything we make here can still go into Rhapsody under GPL and anywhere else.
-
@d-healey said in Inno Setup is Flagged as Trojan?:
I wouldn't provide a file larger than 2GB. Some users have dodgy internet connections and if it goes down during a 2GB file it's not a problem but a 10GB file that they've been downloading for hours will be annoying. 4GB is probably ok, but I like to keep it to 2. I also suspect some browsers might have limitations on the download size for a single file, though I've not looked into it.
That would be for delivery of the package which contains the installer and these different zips the installer extracts to get to the samples, plugins etc.
Also, if you're downloading from S3, any kind of download manager will let you resume downloads in case your connection breaks (at least that's how it went when I tested my S3 FastSpring links).
@d-healey said in Inno Setup is Flagged as Trojan?:
Why? I just ask the user to select the location of the files.
It's a silly step to open the installer and then ask the user to point to the folder they just opened it from.
@d-healey said in Inno Setup is Flagged as Trojan?:
Can you release JUCE/HISE code under the MIT license without paying a license fee
Not the compiled .exe generic installer, but the project folder/script. Everyone would then compile the installer themselves and release it however they want or may.
@Lindon said in Inno Setup is Flagged as Trojan?:
no just loop over them in your app extracting one at a time...
Okay, so just check the files for any containing "Samples" and extract them one by one.
@Lindon said in Inno Setup is Flagged as Trojan?:
Assume the zips are in the users download folder - go there and look for them - if not found ask the user to point you at them.
Here's the desired user experience:
- Download Product.arhive
- Extract Product.archive into Product Setup folder
- Product Setup folder contains setup.exe, samples.zip, plugins.zip etc.
- Click on setup.exe
- Base path opens to Program Files/Company/ProductName
- User clicks on the path, directory selection opens up, user selects target folder
- New path now says target/ProductName
- Click INSTALL button
The setup not knowing its own location gives it all a bit of drunken feel that I think doesn't inspire confidence, especially if it's shipped with the files already.
-
@aaronventure said in Inno Setup is Flagged as Trojan?:
It's a silly step to open the installer and then ask the user to point to the folder they just opened it from.
Ah I see you want one installer per product.
I use one installer (Rhapsody) for all products.
I think Window's smart screen filter might flag your smuggled unsigned binary in a zip file.
-
Can you release JUCE/HISE code under the MIT license without paying a license fee?
You can of course publish your code (the installer code you write) under the MIT license, but it doesn't change the GPL license of HISE / JUCE, so the entire installer is still required to be licensed under the GPL license (or the proprietary one). Shouldn't make a big difference though because it mirrors exactly the licensing scheme that you're about to use for your plugins.
I'm thinking of having a very generic installer that works for all. Server interfacing, if necessary, is then up to each individual project to be done from inside the plugin.
But guys, Occam's razor anyone? If the problem is that InnoSetup is throwing false positive virus warnings, then you should either address that or ignore it (Just threw the last UNSIGNED installer I built over to VirusTotal and it flagged it with 6 / 77 with the 6 idiots probably complaining about unsigned state. If I rename it to setup.exe then it already gets flagged by 7/77 so there is one virus scanner that really does
if(name == setup.exe) then return true
).Making a custom installer will just shift the problem to you (and I don't see any reason why a custom installer would go through the detection while an InnoSetup installer doesn't). Plus you get the additional workload of ensuring a seemless installation procedure covering all use cases.
Now if you want to streamline the customer experience, then it's another thing. I've recently built a content installer app with JUCE that I'm packaging with a macOS .dmg image because Packages completely failed to detect the LinkOSX file and use that as default installation directory (which is important if you want to ship expansions). I'm happy to generalize that app and put it in the repository, but I'm pretty confident it won't solve the initial problem of this post.
-
@Christoph-Hart said in Inno Setup is Flagged as Trojan?:
I don't see any reason why a custom installer would go through the detection while an InnoSetup installer doesn't
In the case of Rhapsody it's already codesigned on Windows and installed on a 1000+ systems. But yeah I think a generic exe is going to have issues.