F-Secure 9.9.15370.0 (false-positive bug)



NewsArchive
08-26-2010, 05:37 AM
F-Secure detects applications compiled with SetupBuilder 7 as 'suspicious'
(W32/Malware!Gemini).

Of course, this is a "false-positive". When a legitimate file is
incorrectly detected as infected by an antivirus product, the anti-virus
system vendors call it a "false positive" or a "false alarm". But let's
call it what it is: it's nothing more than a NASTY BUG in their software and
they did a bad job.

https://analysis.f-secure.com/portal/login.html

--
Friedrich Linder
Lindersoft
www.lindersoft.com
+1.954.252.3910

SetupBuilder is Windows 7 installation -- "point. click. ship"

-- Official Comodo Code Signing and SSL Certificate Partner

NewsArchive
08-27-2010, 01:53 AM
> F-Secure detects applications compiled with SetupBuilder 7 as 'suspicious'
> (W32/Malware!Gemini).
>
> Of course, this is a "false-positive". When a legitimate file is
> incorrectly detected as infected by an antivirus product, the anti-virus
> system vendors call it a "false positive" or a "false alarm". But let's
> call it what it is: it's nothing more than a NASTY BUG in their software and
> they did a bad job.

Friedrich,

Isn't this a fairly new false positive? So, possibly on a definition update
recently, they introduced it?

David

--
From David Troxell - Encourager Software
Microsoft Forums NNTP Bridge - Instructions to use
http://profileexchanges.com/blog/?p=397

NewsArchive
08-27-2010, 01:54 AM
Still detected as "Suspicious:W32/Malware!Gemini" in update 2010.08.27

VERY BAD JOB, F-Secure!

--
Friedrich Linder
Lindersoft
www.lindersoft.com
+1.954.252.3910

SetupBuilder is Windows 7 installation -- "point. click. ship"

-- Official Comodo Code Signing and SSL Certificate Partner

NewsArchive
08-27-2010, 08:14 AM
Hi David,

> Isn't this a fairly new false positive? So, possibly on a definition
> update recently, they introduced it?

I don't know exactly when they introduced it. But after quite a few reports
from SetupBuilder users it's still there. Other (good) protection software
companies fix such a bug within 2-10 hours. But F-Secure still flags
millions of SetupBuilder created installers/applications as a threat.

Friedrich

NewsArchive
08-27-2010, 08:15 AM
What a drag.

Jeff Slarve

NewsArchive
08-27-2010, 08:27 AM
BTW, should read Version "9.0.0.851"

Friedrich

NewsArchive
08-27-2010, 08:28 AM
That's why I love "copy and paste" <g>. The real version is "9.0.15370.0".
Still flagged even after the latest definition update.

Friedrich

NewsArchive
08-27-2010, 09:19 AM
>> Isn't this a fairly new false positive? So, possibly on a definition
>> update recently, they introduced it?
>
> I don't know exactly when they introduced it. But after quite a few reports
> from SetupBuilder users it's still there. Other (good) protection software
> companies fix such a bug within 2-10 hours. But F-Secure still flags
> millions of SetupBuilder created installers/applications as a threat.

Friedrich,

Definitely no reason for them to drag their feet when a Major Setup Tool
company reports the problem.

I'd suggest this (if you feel comfortable doing so) - some Clarion
developers don't read this newsgroup - might help to post this to some
other common newsgroups such as Clarion Third Party and comp.lang.clarion
and ask for all that will to floodgate F-Secure with complaints.

David

--
From David Troxell - Encourager Software
Microsoft Forums NNTP Bridge - Instructions to use
http://profileexchanges.com/blog/?p=397

NewsArchive
08-27-2010, 09:19 AM
Hi David,

> Definitely no reason for them to drag their feet when a Major Setup Tool
> company reports the problem.
>
> I'd suggest this (if you feel comfortable doing so) - some Clarion
> developers don't read this newsgroup - might help to post this to some
> other common newsgroups such as Clarion Third Party and comp.lang.clarion
> and ask for all that will to floodgate F-Secure with complaints.

Yes, you are right. But I know that quite a few already sent their
installer to F-Secure (and even support messages) and it's still "flagged".

And the thread is mirrored here (already 2,000+ hits)
http://www.lindersoft.com/forums/showthread.php?t=27387

Perhaps the F-Secure guys are on vacation <g>

Friedrich

NewsArchive
08-27-2010, 12:56 PM
> Hi David,
>
>> Definitely no reason for them to drag their feet when a Major Setup Tool
>> company reports the problem.
>>
>> I'd suggest this (if you feel comfortable doing so) - some Clarion
>> developers don't read this newsgroup - might help to post this to some
>> other common newsgroups such as Clarion Third Party and comp.lang.clarion
>> and ask for all that will to floodgate F-Secure with complaints.
>
> Yes, you are right. But I know that quite a few already sent their
> installer to F-Secure (and even support messages) and it's still "flagged".

Friedrich,

However, more complaints can only help in the overall situation. Get the
troops alarmed - AS many as possible - Clarion crowd gets very vocal over
issues - many use your product as you well know -

SOME are even better complainers than others - never know what finally
prompts a company to action!

I've done my part - email to corporate - sample under F-Secure Sample
Analysis System - product support complaint

>
> And the thread is mirrored here (already 2,000+ hits)
> http://www.lindersoft.com/forums/showthread.php?t=27387
>
> Perhaps the F-Secure guys are on vacation <g>

Vacation nightmare! :-(

Hope it's resolved soon FOR ALL of us!

BTW, I did have problems with F-Secure and Microsoft Outlook 2010 testing -
the problem was infrequent - finally disabled F-Secure Spam Add-in for
Outlook 2010 (however, I do not depend on Outlook 2010 heavily).

So obviously Big companies and Bigger companies have problems.

David

--
From David Troxell - Encourager Software
Microsoft Forums NNTP Bridge - Instructions to use
http://profileexchanges.com/blog/?p=397

NewsArchive
08-28-2010, 04:00 AM
Hi David,

> However, more complaints can only help in the overall situation. Get the
> troops alarmed - AS many as possible - Clarion crowd gets very vocal over
> issues - many use your product as you well know -
>
> SOME are even better complainers than others - never know what finally
> prompts a company to action!
>
> I've done my part - email to corporate - sample under F-Secure Sample
> Analysis System - product support complaint

Thanks so much :) Unbelievable but true, it's still not fixed in their
latest virus definition update.

Friedrich

--
Friedrich Linder
Lindersoft
www.lindersoft.com
+1.954.252.3910

SetupBuilder is Windows 7 installation -- "point. click. ship"

-- Official Comodo Code Signing and SSL Certificate Partner

NewsArchive
08-28-2010, 08:04 AM
F-Secure 9.9.15370.0 (false-positive bug) for SetupBuilder installs

IF you use SetupBuilder - you really need to read this carefully AND
register a complaint!

Use F-Secure Sample Analysis System to submit examples (read the following
carefully)
https://analysis.f-secure.com/portal/login.html

Friedrich posted this problem in SetupBuilder newgroup:

"F-Secure detects applications compiled with SetupBuilder 7 as 'suspicious'
(W32/Malware!Gemini).

Of course, this is a "false-positive". When a legitimate file is
incorrectly detected as infected by an antivirus product, the anti-virus
system vendors call it a "false positive" or a "false alarm". But let's
call it what it is: it's nothing more than a NASTY BUG in their software
and they did a bad job."

https://analysis.f-secure.com/portal/login.html

If you submit a SetupBuilder install example - you will get a reply similar
to that below.

"Thank you for bringing this issue to our attention.

The false positive you experienced is caused by our proactive detection
engine.

http://www.f-secure.com/v-descs/suspicious_w32_malware!gemini.shtml

I will bring this to the attention of our software engineers so that we can
implement a fix for lindersoft installer characteristics. I hope you can
understand that this will take some time as this requires tuning of the
heuristics routines."

NOTE before reading next part - I simply chose a SetupBuilder example
project, compiled it and sent it to F-Secure Sample Analysis System so
another complaint could be registered - in hindsight - should have sent
them one of my shipping software installs with FULL code signed installs,
etc

thus the admonishment to send code signed installs -

recommend you send one or multiple shipping software installs so they can
whitelist them - yes a hassle - but temporary work-around.

"As an immediate fix I will whitelist this file you have submitted. If you
have any other setup packages that is being flagged by our product please
submit them to us so that we can implement the whitelisting.

In the long term, we recommend you to sign your executable files with so we
could easily identify your software by the signing key and automatically
fix any false positive problems once they appear. Authenticode signing
would also be very good idea for Windows 7 compatibility.

If you decide to sign your executable files in the future, please send us
one or two signed files so we could prevent any future conflicts between
our Anti-Virus products and your software."

David

--
From David Troxell - Encourager Software
http://www.encouragersoftware.com/profile/microsoft-office-2010.html

NewsArchive
08-29-2010, 05:50 AM
Friedrich,

I have been pounding the F-Secure doors with uploads of my present and
recent releases of Encourager Software software products to:

https://analysis.f-secure.com/portal/login.html

and got this email from them.

They have whitelisted my products, which of course, is a temporary measure.

"Thank you for bringing this issue to our attention.

The false positive you experienced is caused by our proactive detection
engine.

http://www.f-secure.com/v-descs/suspicious_w32_malware!gemini.shtml

I will bring this to the attention of our software engineers so that we can
implement a fix for lindersoft installer characteristics. I hope you can
understand that this will take some time as this requires tuning of the
heuristics routines."

MY NOTE - before reading next part - initially - I simply chose a
SetupBuilder example project, compiled it and sent it to F-Secure Sample
Analysis System so another complaint could be registered - in hindsight -
should have sent them one of my shipping software installs with FULL code
signed installs, etc

thus the admonishment to send code signed installs -

recommend to all SetupBuilder users - send one or multiple shipping
software installs so they can whitelist them - yes a hassle - but temporary
work-around.

"As an immediate fix I will whitelist this file you have submitted. If you
have any other setup packages that is being flagged by our product please
submit them to us so that we can implement the whitelisting.

In the long term, we recommend you to sign your executable files with so we
could easily identify your software by the signing key and automatically
fix any false positive problems once they appear. Authenticode signing
would also be very good idea for Windows 7 compatibility.

If you decide to sign your executable files in the future, please send us
one or two signed files so we could prevent any future conflicts between
our Anti-Virus products and your software."

David

--
From David Troxell - Encourager Software
Microsoft Forums NNTP Bridge - Instructions to use
http://profileexchanges.com/blog/?p=397

NewsArchive
08-29-2010, 05:50 AM
Hi David,

> I have been pounding the F-Secure doors with uploads of my present and
> recent releases of Encourager Software software products to:
>
> https://analysis.f-secure.com/portal/login.html
>
> and got this email from them.
>
> They have whitelisted my products, which of course, is a temporary
> measure.
<SNIP>

Thank you for the information and all your help. I really hope they'll fix
it soon. There are literally millions of SetupBuilder 7 generated
applications (installations, web update clients, helper tools, etc.) out
there and it's not acceptable that a protection software vendor is unable to
fix such a major bug in their software within 1-2 days.

Friedrich

NewsArchive
08-30-2010, 01:00 AM
The sample I submitted (yes, code-signed <g>) appears as "suspicious" but
"no detection"... which I guess is what you guys have been getting.

jf

NewsArchive
08-30-2010, 01:01 AM
The text comment I submitted with the sample:

> Subject: false-positive
>
> Description:
>
> This is my latest software update patch, created with the SetupBuilder
> installation system. It is manifested and digitally code-signed.
> According to virustotal.com, yours is the only protection product that
> flags it as potential malware.
>
> Please update your heuristics!
>
> Jane Fleming
> Shell Beach, California

NewsArchive
08-30-2010, 01:01 AM
Another plus for code-signing...
Received an hour or so after posting my false-positive example.

Jane Fleming

-----
Hello,

Thank you for your submission.

We will fix the false positive problem for the file that you sent to us.

As you have digitally signed your files, this will allow us to avoid future
false alarms on your software.

If you have any further questions, please do not hesitate to contact us
again.

Best regards,
--------
F-Secure Security Labs http://www.f-secure.com/weblog/
F-Secure Corporation http://www.f-secure.com/

NewsArchive
08-30-2010, 01:07 AM
Oh sure, show them a little leg... <bg>

Appreciate it Jane! Thanks for getting their attention. I've not had any reports
on my stuff yet, but if I do I know how to handle it.

--
Russell B. Eggen
www.radfusion.com
Clarion developers: www.radfusion.com/devs.htm

NewsArchive
08-30-2010, 01:08 AM
Jane,

> We will fix the false positive problem for the file that you sent to us.

You gotta wonder though, are they white-listing your install or fixing
the false positive for -all- SB installs?

--
Lee White

RPM Report Viewer.: http://www.cwaddons.com/products/rpm/
RPM Review........: http://www.clarionmag.com/cmag/v11/v11n06rpm.html
Report Faxing.....: http://www.cwaddons.com/products/afe/
---Enroll Today---: http://CWaddons.com

Enhanced Reporting: http://www.cpcs-inc.com

NewsArchive
08-30-2010, 01:08 AM
Lee,

At this point, they are only white-listing what you send them through their
analysis program - I keep checking - they definitely have not fixed the
false positive for all SB installs (as of the time this message was sent).

Another point - they promised to Jane (and me) -

"As you have digitally signed your files, this will allow us to avoid
future false alarms on your software."

Not true for my company so far. My current and recent Encourager Software
software install files I uploaded - they whitelisted -

but the same code sign certificate I used on the uploaded ones - it was
applied to Profile Exchange Data Version installs - and they are still
getting false alarms - so that means minimally, I'll have to upload ALL of
the Profile Exchange Data Version installs as well. :-(

David


--
From David Troxell - Encourager Software
Microsoft Forums NNTP Bridge - Instructions to use
http://profileexchanges.com/blog/?p=397

NewsArchive
08-30-2010, 01:09 AM
David,

> but the same code sign certificate I used on the uploaded ones - it was
> applied to Profile Exchange Data Version installs - and they are still
> getting false alarms - so that means minimally, I'll have to upload ALL of
> the Profile Exchange Data Version installs as well. :-(

One can only hope that they begin to choke on too vast a white-list.

--
Lee White

RPM Report Viewer.: http://www.cwaddons.com/products/rpm/
RPM Review........: http://www.clarionmag.com/cmag/v11/v11n06rpm.html
Report Faxing.....: http://www.cwaddons.com/products/afe/
---Enroll Today---: http://CWaddons.com

Enhanced Reporting: http://www.cpcs-inc.com

NewsArchive
08-30-2010, 01:10 AM
Lee,

Quite surprising, it is taking this long to just cover ALL SB installs!

That is why I posted in other SV newsgroups - we really need AS many SB
users as possible to upload at least one SB install.

However, I understand the reluctance - if you're not familiar with
F-Secure, and no users complaining - why bother?

The problem is this - if you release software to the public - trial based
or otherwise - you have no idea how many potential users and your downloads
and they ran into the initial problem, and said - forget it - I'll just
delete the download. Thus, a possible sales loss occurred. :-(

David

--
From David Troxell - Encourager Software
Microsoft Forums NNTP Bridge - Instructions to use
http://profileexchanges.com/blog/?p=397

NewsArchive
08-30-2010, 01:11 AM
David,

Have they released new definitions or are you still being flagged by
9.0.15370.0 (which I would expect)?

Sounds as if a new definition would update the whitelist. But their
software guys are going to need to tweak the heuristics to eliminate SB
overall.

Jane Fleming

NewsArchive
08-30-2010, 01:11 AM
> David,
>
> Have they released new definitions or are you still being flagged by
> 9.0.15370.0 (which I would expect)?

Jane,

Not really familiar with how this really works...

I know shortly after I submitted - next round of definitions - my submitted
programs were whitelisted - no challenge. I use the F-secure product so I
can know fairly quickly.

>
> Sounds as if a new definition would update the whitelist. But their
> software guys are going to need to tweak the heuristics to eliminate SB
> overall.

OK, when you or they mention "heuristics" - is this part of a program
update? This problem didn't appear until fairly recently - so is a fair
assessment - a fairly recent program update caused this problem?

David

--
From David Troxell - Encourager Software
Microsoft Forums NNTP Bridge - Instructions to use
http://profileexchanges.com/blog/?p=397

NewsArchive
08-30-2010, 01:12 AM
Jane,

> Have they released new definitions or are you still being flagged by
> 9.0.15370.0 (which I would expect).?

It's still flagged by their latest definition update (30-AUG-2010) :-(

Friedrich

NewsArchive
09-01-2010, 12:58 AM
Friedrich,

That's the same virus definition version number as before.

What the Aug 30 date *may* mean is that that's the last time virustotal
checked for updates, so the update is "current" as of that date - not that
the update was released on that date.

JAT

jf

NewsArchive
09-01-2010, 12:58 AM
Hi Jane,

> That's the same virus definition version number as before.
>
> What the Aug 30 date *may* mean is that that's the last time virustotal
> checked for updates, so the update is "current" as of that date - not that
> the update was released on that date.

I think the version of the virus scan "engine" is the same for months
(9.0.15370.0). But the virus definition date (2010.08.30) is in the last
column and updated several times a day. I always do a "reanalyze" to make
sure the latest definition is used.

Friedrich

NewsArchive
09-01-2010, 01:00 AM
I think you're right (as usual).

I ran a test SB exe through virustotal just now. It shows AVG version as
the same as the exe version I have, but doesn't list a version number for
the definitions database (just the date).

Uploaded the same test to f-secure, and still flagged as suspicious there
also.

And here I thought I was white-listed and special!

jf
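The exchange above turns on reading a multi-engine report correctly: the scanner "engine" version can sit unchanged for months while the definition date moves several times a day, a lone heuristic verdict is not the same as a consensus detection, and a scan service may be running an older scanner build than customers have. The script below is an added example written for this page (not VirusTotal's, F-Secure's or SetupBuilder's code) that encodes those checks. The report it reads is constructed inline in the shape of the per-engine table the thread's screenshots show; the engine names are real, but every version string, date and result, and the ExampleAV entry, are made up, and the "heuristic prefix" rule is a rough rule of thumb, not anything a vendor guarantees.

```python
"""Added example: triage a multi-engine scan report the way the thread does by hand.
It separates engine version from definition date, discounts engines whose definitions
are stale, flags a scanner build that differs from what customers actually run, and
treats a lone heuristic verdict differently from a consensus detection."""
from datetime import date

# Constructed report in the shape of the per-engine table the thread's screenshots show:
# engine -> (scanner version, definition date as YYYYMMDD, result or None). Engine names
# are real; versions, dates, results and the ExampleAV entry are made up for this example.
SAMPLE_REPORT = {
    "AntiVir":   ("7.10.11.48",   "20100901", None),
    "Avast":     ("4.8.1351.0",   "20100901", None),
    "AVG":       ("9.0.0.851",    "20100901", None),
    "ClamAV":    ("0.96.2.0",     "20100901", None),
    "ExampleAV": ("1.0",          "20100815", "Heur.Constructed.Sample"),
    "F-Secure":  ("9.0.15370.0",  "20100901", "Suspicious:W32/Malware!Gemini"),
    "Kaspersky": ("7.0.0.125",    "20100901", None),
    "McAfee":    ("5.400.0.1158", "20100901", None),
    "Microsoft": ("1.6103",       "20100901", None),
    "Sophos":    ("4.57.0",       "20100901", None),
}

# Result-name prefixes that usually denote a heuristic/generic verdict rather than a
# named malware family. Rule of thumb only; no vendor guarantees its naming.
HEURISTIC_PREFIXES = ("suspicious", "generic", "heur", "gen:")


def parse_vt_date(yyyymmdd: str) -> date:
    """Definition dates in the report are plain YYYYMMDD strings."""
    return date(int(yyyymmdd[:4]), int(yyyymmdd[4:6]), int(yyyymmdd[6:8]))


def triage(report: dict, *, today: date, max_age_days: int = 2, local_versions=None) -> dict:
    """Return the flagging engines, reliability caveats on each, and an overall verdict.

    local_versions maps engine -> scanner version observed on a real customer install, so a
    report produced by an older scanner build is recognised as not representative."""
    local_versions = local_versions or {}
    flagged = {eng: res for eng, (_, _, res) in report.items() if res}
    stale = {eng for eng, (_, upd, _) in report.items()
             if (today - parse_vt_date(upd)).days > max_age_days}
    mismatch = {eng: (ver, local_versions[eng]) for eng, (ver, _, _) in report.items()
                if eng in local_versions and ver != local_versions[eng]}
    notes = []
    for eng in flagged:
        if eng in stale:
            notes.append(f"{eng}: definitions older than {max_age_days} days, result may be obsolete")
        if eng in mismatch:
            notes.append(f"{eng}: report used {mismatch[eng][0]}, customers run {mismatch[eng][1]}; re-test locally")
    # An engine with stale definitions can neither confirm nor refute, so it is left out of the ratio.
    live = {eng: res for eng, res in flagged.items() if eng not in stale}
    ratio = len(live) / len(report)
    heuristic_only = all(res.lower().startswith(HEURISTIC_PREFIXES) for res in live.values())
    if not live:
        verdict = "clean"
    elif ratio <= 0.1 and heuristic_only:
        verdict = "likely heuristic false positive"   # one engine, generic name: submit the sample, sign builds
    else:
        verdict = "treat as a real detection until proven otherwise"
    return {"flagged": flagged, "stale": stale, "version_mismatch": mismatch,
            "detection_ratio": ratio, "verdict": verdict, "notes": notes}


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT, today=date(2010, 9, 1), local_versions={"F-Secure": "9.20.15437"})
    print(result["verdict"], result["detection_ratio"])
    for note in result["notes"]:
        print(" -", note)
```

The verdict is deliberately conservative: anything beyond a single generic-named hit is treated as real until a sample has been analysed, because the same ratio logic that clears an installer would also clear a genuine dropper that only one engine has caught so far.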

NewsArchive
09-01-2010, 01:04 AM
Jane,

It seems like they only white-list AFTER you send them a particular sample
- not white listing - "As you have digitally signed your files, this will
allow us to avoid future false alarms on your software." as they have
promised.

For my latest release of Product Scope, it is 21.1 MB in size (sample
uploads restricted to 20 MB) - I gave the download URL to them - they
retrieved the program install and whitelisted it.

David

--
From David Troxell - Encourager Software
Microsoft Forums NNTP Bridge - Instructions to use
http://profileexchanges.com/blog/?p=397

NewsArchive
09-01-2010, 01:06 AM
Even after 5 full days, F-Secure was unable to fix their bug. Amazing for
a critical mission protection vendor. Millions of SB7 apps are still
flagged as suspicious. I think they are on vacation <g>

--
Friedrich Linder
Lindersoft
www.lindersoft.com
+1.954.252.3910

SetupBuilder is Windows 7 installation -- "point. click. ship"

-- Official Comodo Code Signing and SSL Certificate Partner

NewsArchive
09-01-2010, 01:09 AM
Friedrich,

What is the screen shot from? Is that an app?

--
Russell B. Eggen
www.radfusion.com
Clarion developers: www.radfusion.com/devs.htm

NewsArchive
09-01-2010, 01:10 AM
Russ,

>
> What is the screen shot from? Is that an app?
>

It's from VirusTotal:

http://www.virustotal.com

--
Friedrich Linder
Lindersoft
www.lindersoft.com
+1.954.252.3910

SetupBuilder is Windows 7 installation -- "point. click. ship"

-- Official Comodo Code Signing and SSL Certificate Partner

NewsArchive
09-01-2010, 01:10 AM
Nifty. Bookmarked.

FWIW - my install is also flagged by F-Secure.

--
Russell B. Eggen
www.radfusion.com
Clarion developers: www.radfusion.com/devs.htm

NewsArchive
09-01-2010, 01:12 AM
Friedrich,

I uploaded a new SB-built test exe yesterday. And today, another one I just
built a few minutes ago.

Virustotal still flags them. But sending them directly to f-secure's
analysis portal says "clean".

Jane

NewsArchive
09-01-2010, 01:12 AM
Hi Jane,

> I uploaded a new SB-built test exe yesterday. And today, another one I
> just built a few minutes ago.
>
> Virustotal still flags them. But sending them directly to f-secure's
> analysis portal says "clean".

That is good news!!!! :-) Thank you!

Friedrich

NewsArchive
09-01-2010, 01:13 AM
> Hi Jane,
>
>> I uploaded a new SB-built test exe yesterday. And today, another one I
>> just built a few minutes ago.
>>
>> Virustotal still flags them. But sending them directly to f-secure's
>> analysis portal says "clean".
>
> That is good news!!!! :-) Thank you!

Friedrich,

When you say that is good news - does that indicate they are finally
resolving the issue -

because SB installs that are not directly F-Secure whitelisted are still
being challenged.

David

--
From David Troxell - Encourager Software
Microsoft Forums NNTP Bridge - Instructions to use
http://profileexchanges.com/blog/?p=397

NewsArchive
09-01-2010, 01:13 AM
Hi David,

> When you say that is good news - does that indicate they are finally
> resolving the issue -
>
> because SB installs that are not directly F-Secure whitelisted are still
> being challenged.

According to VirusTotal.com (with the 2010-09-01 definition update) and some
reports from F-Secure users, it is still not fixed.

Friedrich

NewsArchive
09-01-2010, 01:14 AM
My uninformed take on this is that...

1) An installer program is EXPECTED to have some special powers to actually properly
install and manipulate a destination system..
2) a Virus type program will try and emulate a good installer.
3) The monumental task for the Virus checker is to differentiate between the two.

Seems most can, but F-Secure cannot differentiate between a program pretending to be
SB7, then it SHOULD warn users.
If the end result is that certain virus whatever checkers see a possible bad program
as a GOOD SB7 installer and let it through, then who wants that.

I do not support F-Secure's position on this, but I do see the dilemma they are faced
with.

My 2 cents...

John Griffiths
(today in lovely Santa Fe, New Mexico)

NewsArchive
09-01-2010, 01:14 AM
Hi John,

> My uninformed take on this is that...
>
> 1) An installer program is EXPECTED to have some special powers to
> actually properly install and manipulate a destination system..
> 2) a Virus type program will try and emulate a good installer.
> 3) The monumental task for the Virus checker is to differentiate between
> the two.
>
> Seems most can, but F-Secure cannot differentiate between a program
> pretending to be SB7, then it SHOULD warn users.
> If the end result is that certain virus whatever checkers see a possible
> bad program as a GOOD SB7 installer and let it through, then who wants
> that.
>
> I do not support F-Secure's position on this, but I do see the dilemma they
> are faced with.
>
> My 2 cents...

The SetupBuilder compiler generates native Win32 applications. Similar to
what Clarion, Visual Studio, Delphi, etc. are doing. F-Secure did the
following: they took some SetupBuilder file "characteristics" (there are
always elements in an application that can be used to uniquely identify the
generator) and decided to use this to flag the application. This is very
bad practice. And they are doing this on a regular basis (a nightmare for
users of freeware installers because most virus or spyware stuff is
distributed through freeware setups).

Think of this: someone uses Clarion to develop a virus or spyware. F-Secure
scans the application and detects Clarion specific information in the EXE
header. This is then used to flag the application as "suspicious". The
negative side effect is that ALL Clarion programs are flagged now. VERY BAD
PRACTICE!

Most anti-virus companies resolve such issues within 24 hours.

Friedrich

--
Friedrich Linder
Lindersoft
www.lindersoft.com
+1.954.252.3910

SetupBuilder is Windows 7 installation -- "point. click. ship"

-- Official Comodo Code Signing and SSL Certificate Partner
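The post above says a heuristic can key on "characteristics" that every build from the same generator shares. The script below is an added example written for this page (not SetupBuilder's, Clarion's or F-Secure's code) showing what those header-level traits look like: it reads the linker version, build timestamp, subsystem and section layout from a PE image and reports whether an Authenticode signature is attached, which is the other question this thread keeps asking. Offsets follow the PE/COFF specification; the image it parses is constructed in code and cannot execute. Running fingerprint() over an SB6 and an SB7 build of the same project would show which header traits changed between them; which traits F-Secure actually keyed on is not stated anywhere on this page.

```python
"""Added example: read the PE header fields that identify a build's generator
(linker version, timestamp, subsystem, section layout) and report whether an
Authenticode signature is attached. Standard library only; PE/COFF offsets per spec."""
import struct
from datetime import datetime, timezone

SECURITY_DIR = 4   # IMAGE_DIRECTORY_ENTRY_SECURITY: certificate table (a file offset, not an RVA)


def parse_pe(data: bytes) -> dict:
    """Parse the DOS stub pointer, COFF header, optional header and section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ stub")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic, major_linker, minor_linker = struct.unpack_from("<HBB", data, opt)
    if magic == 0x10B:      # PE32: NumberOfRvaAndSizes at +92, data directories at +96
        ndirs_off, dirs_off = 92, 96
    elif magic == 0x20B:    # PE32+: 8-byte ImageBase/stack/heap fields push them to +108/+112
        ndirs_off, dirs_off = 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%X" % magic)
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    (ndirs,) = struct.unpack_from("<I", data, opt + ndirs_off)
    cert_off = cert_size = 0
    if ndirs > SECURITY_DIR:
        cert_off, cert_size = struct.unpack_from("<II", data, opt + dirs_off + 8 * SECURITY_DIR)
    sections, table = [], opt + opt_size
    for i in range(nsections):
        entry = table + 40 * i
        name = data[entry:entry + 8].rstrip(b"\0").decode("ascii", "replace")
        (flags,) = struct.unpack_from("<I", data, entry + 36)
        sections.append((name, flags))
    return {
        "machine": machine,
        "linker_version": "%d.%d" % (major_linker, minor_linker),
        "timestamp": datetime.fromtimestamp(timestamp, timezone.utc).isoformat(),
        "subsystem": subsystem,
        "dll_characteristics": dll_chars,
        "sections": sections,
        # A populated certificate table only means a signature is attached. Whether it
        # verifies (image hash, chain, timestamp) is a separate check: signtool verify /pa,
        # or Get-AuthenticodeSignature in PowerShell.
        "signed": cert_off != 0 and cert_size != 0,
    }


def fingerprint(info: dict) -> tuple:
    """Generator-level traits that stay constant across every build from the same tool,
    and are therefore what a heuristic can (unwisely) key on."""
    return (info["linker_version"], info["subsystem"],
            tuple(name for name, _ in info["sections"]))


def build_sample_pe(*, signed: bool, linker=(2, 50),
                    section_names=(b".text", b".data", b".rsrc")) -> bytes:
    """Constructed, non-executable PE32 image that exists only to exercise the parser."""
    e_lfanew, opt_size, body = 0x80, 224, b"\0" * 0x200
    nsec = len(section_names)
    cert_off = e_lfanew + 4 + 20 + opt_size + 40 * nsec + len(body)
    cert = b""
    if signed:   # WIN_CERTIFICATE header + placeholder bytes standing in for a PKCS#7 blob
        pkcs7 = b"\x30\x82\x00\x10" + b"\xAA" * 16
        cert = struct.pack("<IHH", 8 + len(pkcs7), 0x0200, 0x0002) + pkcs7
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0x4C785180, 0, 0, opt_size, 0x0102)  # i386, 2010-08-28
    opt = bytearray(opt_size)
    struct.pack_into("<HBB", opt, 0, 0x10B, *linker)
    struct.pack_into("<HH", opt, 68, 2, 0x8140)   # GUI subsystem; NX_COMPAT | DYNAMIC_BASE | TS_AWARE
    struct.pack_into("<I", opt, 92, 16)            # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * SECURITY_DIR, cert_off if signed else 0, len(cert))
    sections = b"".join(
        name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", 0x1000, 0x1000 * (i + 1),
                                            0x200, 0x400, 0, 0, 0, 0, 0x60000020)
        for i, name in enumerate(section_names))
    return dos + b"PE\0\0" + coff + bytes(opt) + sections + body + cert


if __name__ == "__main__":
    for label, img in (("signed build", build_sample_pe(signed=True)),
                       ("unsigned, older linker", build_sample_pe(signed=False, linker=(2, 25)))):
        info = parse_pe(img)
        print(label, fingerprint(info), "signed=%s" % info["signed"], info["timestamp"])
```

Two practical notes. First, "signed" here only proves a certificate table is present; before submitting a build to a vendor's whitelist, verify the signature actually chains and is timestamped, because a build whose signature does not verify gets no benefit from the "identify you by signing key" promise quoted earlier in the thread. Second, the same fingerprint that lets a vendor recognise a generator lets a malware author mimic it, which is the dilemma John raised and the reason signing, not header traits, is the identity a vendor should trust.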

NewsArchive
09-01-2010, 01:15 AM
> Even after 5 full days, F-Secure was unable to fix their bug. Amazing for
> a critical mission protection vendor. Millions of SB7 apps are still
> flagged as suspicious. I think they are on vacation <g>

Friedrich,

Unbelievable!

David

--
From David Troxell - Encourager Software
http://www.encouragersoftware.com/profile/microsoft-office-2010.html

NewsArchive
09-01-2010, 01:24 AM
David,

> When you say that is good news - does that indicate they are finally
> resolving the issue -
>
> because SB installs that are not directly F-Secure whitelisted are still
> being challenged.

BAD NEWS. Update 9/1/2010 -- SetupBuilder 7 apps are still flagged as
"potentially malicious". The very same test project compiled with
SetupBuilder 6 is not flagged. SetupBuilder V3, V4, and V5 apps are also
not flagged.

So F-Secure still flags SB7 apps (even after SIX days).

Friedrich

NewsArchive
09-01-2010, 01:59 AM
A simple virus scan does not flag the SB7 app (see attached). If you
execute it, DeepGuard blocks it (but the same SB5 or SB6 is not blocked at
all). So there is still a bug in their "revolutionary technology that
ensures safe use of the computer even if traditional technologies should
fall short".

BTW, the "F-Secure 9.9.15370.0 (false-positive bug)" thread already received
more than 4,100 hits, so it's a popular thing.

Friedrich

NewsArchive
09-02-2010, 12:57 AM
At least we know what not to buy, now.

Jeff Slarve

NewsArchive
09-02-2010, 12:58 AM
> At least we know what not to buy, now.

Of course, personal or company choice is one thing - but how many
SetupBuilder sales are now lost because of this -

and just as importantly - trial versions of SetupBuilder installs - first
impression - how many trial versions aren't installed because of the
F-Secure challenge...

David

--
From David Troxell - Encourager Software
Microsoft Forums NNTP Bridge - Instructions to use
http://profileexchanges.com/blog/?p=397

NewsArchive
09-02-2010, 12:59 AM
All you can do is what you can do.

Put a non-demonizing-about-FSecure notice on your download page about
the false positives, and hopefully your app is worthy enough for them
to try it out.

It's a temporary inconvenience.

Jeff Slarve

NewsArchive
09-02-2010, 01:01 AM
Jeff,

Actually, the better alternative to what you suggest is this - AND it's a
temporary inconvenience AND annoyance as well.

Submit all your current and recent past installs (recent previous versions
might still be available at download sites) to:

F-Secure Sample Analysis System, MFG - F-Secure
Internet Link - https://analysis.f-secure.com/portal/login.html

F-Secure will whitelist them - and they will NOT be challenged - I have
verified this with Encourager Software installs - they were whitelisted
within a few hours of submittal.

Yes, annoying to do this - BUT better than posting a message on download
page.

David

--
From David Troxell - Encourager Software
Microsoft Forums NNTP Bridge - Instructions to use
http://profileexchanges.com/blog/?p=397

NewsArchive
09-02-2010, 01:02 AM
> At least we know what not to buy, now.

Well as much as being a software developer I don't like their taking a
while to work out whatever is in their app that blocks SB7 installs, I
can't fault them at all for doing what the program is supposed to do -
protect my PC.

We have run F-Secure on all our machines now (on 24x7) and we have not had
a single incident of malware, spyware or a virus... for the almost FIVE
YEARS that we have been running it.

Plus I don't have to run separate apps to control those things.

So from the aspect of doing what it is supposed to do, F-Secure works.


Can we help it that Friedrich appears to be some closet virus writer<VBG>?

He might be smarter than we give him credit for (which is saying a LOT) and
have been silently siphoning off a penny a year from each of our accounts
to pay for Emily's new pony<g>.

:-)

Charles




--
-------------------------------------------------------------------------------------------------------
Charles Edmonds
www.clarionproseries.com - "Get ProPath, make your Clarion programs ready
for Windows 7 and Vista!"
www.ezchangelog.com - "Free ChangeLog software to manage your projects!"
www.setupcast.com - "A revolutionary new publishing system for software
developers - enhanced for SetupBuilder users!"
www.pagesnip.com - "Print and Save the Web, just the way you want it!"
www.clarionproseries.com - "Serious tools for Clarion Developers"
www.ezround.com - "Round Corner HTML tables with matching Banners, Buttons
and Forms!"
www.lansrad.com - "Intelligent Solutions for Universal Problems"
www.fotokiss.com - "World's Best Auction Photo Editor"
-------------------------------------------------------------------------------------------------------

NewsArchive
09-02-2010, 01:04 AM
ROFL! Hardly likely mate, hardly likely.

J André Labuschagné

NewsArchive
09-03-2010, 12:40 AM
Hi Friedrich,

Curious: What software do you use to do this testing with (that produces
the report)?

Best regards,

--
Arnór Baldvinsson - Icetips Alta LLC
Port Angeles, Washington
www.icetips.com - www.buildautomator.com - www.altawebworks.com

Icetips product subscriptions at http://www.icetips.com/subscribe.php

NewsArchive
09-03-2010, 12:40 AM
I think his screen shots, like mine, are from http://www.virustotal.com/

Jane

NewsArchive
09-03-2010, 12:41 AM
Hehehe! Great minds ask the same questions! <g> See Jane's response and
Friedrich's to the query I made.

--
Russell B. Eggen
www.radfusion.com
Clarion developers: www.radfusion.com/devs.htm

NewsArchive
09-04-2010, 07:47 AM
Hi Jane,

> I think his screen shots, like mine, are from http://www.virustotal.com/

AWESOME! Thank you so much! I had no idea that existed:)

Best regards,

--
Arnór Baldvinsson - Icetips Alta LLC
Port Angeles, Washington
www.icetips.com - www.buildautomator.com - www.altawebworks.com

Icetips product subscriptions at http://www.icetips.com/subscribe.php

NewsArchive
09-04-2010, 07:48 AM
Hi Jane,

> I think his screen shots, like mine, are from http://www.virustotal.com/

Happy to report that the latest BA build comes 100% clean. That one is
built with SB6 but the next will be SB7 and I'll be sure to run it through:)

Best regards,

--
Arnór Baldvinsson - Icetips Alta LLC
Port Angeles, Washington
www.icetips.com - www.buildautomator.com - www.altawebworks.com

Icetips product subscriptions at http://www.icetips.com/subscribe.php

NewsArchive
09-04-2010, 07:49 AM
Arnor,

UNTIL this problem is fixed properly - any SB72 installs will trigger a
F-Secure false positive.

So, any current company SB72 installs CAN be whitelisted (usually within
hours) - at this URL - a simple, account signup - upload your SB72 install
- F-Secure will whitelist it - then customers OR potential customers won't
have an F-Secure problem with those installs.

Product Description - F-Secure Sample Analysis System, MFG - F-Secure
Internet Link - https://analysis.f-secure.com/portal/login.html

I uploaded all current Encourager Software installs and recent previous and
all were whitelisted within hours.

David

--
From David Troxell - Encourager Software
Microsoft Forums NNTP Bridge - Instructions to use
http://profileexchanges.com/blog/?p=397

NewsArchive
09-04-2010, 07:50 AM
> UNTIL this problem is fixed properly - any SB72 installs will trigger a
> F-Secure false positive.

Actually it appears that it HAS been fixed (at least from what my testing
shows), however the VirusTotal website has not updated to the latest
version (despite what they say ... see below).

As you can see from the attached screen shots:

The EZChangeLog installer (created with SB72) gets a clean scan from my
local PC (F-SecureSB1.png).

The F-Secure definitions on my machine (updated yesterday) are Anti-Virus
9.20 build 15437 (F-SecureSB2.png).

However the VirusTotal website shows they updated on 9/4/2010, BUT they
show they have version 9.0.15370.0 ... an old version (F-SecureSB3.png)
and they still show a problem.

So it appears that the VirusTotal online scanner system is not updating
properly.


Also the F-Secure DeepGuard no longer blocks SetupBuilder 7.2 created
installers on my machine.

So it appears that F-Secure HAS done their job ( finally ).

:-)

Charles


--
-------------------------------------------------------------------------------------------------------
Charles Edmonds
www.clarionproseries.com - "Get ProPath, make your Clarion programs ready
for Windows 7 and Vista!"
www.ezchangelog.com - "Free ChangeLog software to manage your projects!"
www.setupcast.com - "A revolutionary new publishing system for software
developers - enhanced for SetupBuilder users!"
www.pagesnip.com - "Print and Save the Web, just the way you want it!"
www.clarionproseries.com - "Serious tools for Clarion Developers"
www.ezround.com - "Round Corner HTML tables with matching Banners, Buttons
and Forms!"
www.lansrad.com - "Intelligent Solutions for Universal Problems"
www.fotokiss.com - "World's Best Auction Photo Editor"
-------------------------------------------------------------------------------------------------------

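The check Charles is doing by hand above (compare the engine version the online scanner ran against the version installed locally, and treat a "Suspicious:" verdict as a heuristic flag rather than a match on a known sample) is easy to script. The block below is an added example written for this thread; it is not code from the thread, from F-Secure or from VirusTotal. The report is a constructed sample in the shape of VirusTotal's per-engine "scans" map, and the local version string is an assumed value taken from the About box numbers quoted in the thread.

```python
"""Triage a multi-engine scan report against locally installed engine versions.

Added example (not code from the thread or from F-Secure/VirusTotal).  The
report below is constructed in the shape of VirusTotal's per-engine "scans"
map and mirrors the situation described above: the online scanner ran an older
F-Secure engine than the one installed on the poster's machine.
"""
import re

# Constructed sample report; engine names and verdicts are illustrative.
SAMPLE_REPORT = {
    "scans": {
        "F-Secure": {
            "detected": True,
            "version": "9.0.15370.0",
            "result": "Suspicious:W32/Malware!Gemini",
            "update": "20100904",
        },
        "Microsoft": {"detected": False, "version": "1.6103", "result": None, "update": "20100904"},
        "Kaspersky": {"detected": False, "version": "7.0.0.125", "result": None, "update": "20100904"},
    }
}

# Engine version shown in the product's About box on the local test machine
# (assumed value, taken from the version string quoted in the thread).
LOCAL_ENGINES = {"F-Secure": "9.20 build 15437"}


def version_key(version):
    """Turn '9.0.15370.0' or '9.20 build 15437' into a comparable integer tuple."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_heuristic_verdict(result):
    """F-Secure prefixes generic/behavioural verdicts with 'Suspicious:'.
    Such a verdict is a heuristic flag, not a match on a known sample."""
    return bool(result) and result.lower().startswith("suspicious:")


def triage(report, local_engines):
    """Return one finding per engine that flagged the file, noting whether the
    online scanner's engine is older than the locally installed one and whether
    the verdict is heuristic."""
    findings = []
    for engine, scan in sorted(report["scans"].items()):
        if not scan.get("detected"):
            continue
        result = scan.get("result") or ""
        online_version = scan.get("version", "")
        local_version = local_engines.get(engine)
        stale = (
            local_version is not None
            and version_key(online_version) < version_key(local_version)
        )
        findings.append({
            "engine": engine,
            "result": result,
            "heuristic": is_heuristic_verdict(result),
            "online_version": online_version,
            "local_version": local_version,
            "stale_online_engine": stale,
        })
    return findings


def summarize(findings):
    """Human-readable lines; a stale engine means the verdict should be
    re-checked with a current local scan before treating it as real."""
    lines = []
    for f in findings:
        note = []
        if f["heuristic"]:
            note.append("heuristic verdict")
        if f["stale_online_engine"]:
            note.append(f"online engine {f['online_version']} older than local {f['local_version']}")
        lines.append(f"{f['engine']}: {f['result']} ({'; '.join(note) or 'signature match, engine current'})")
    return lines


if __name__ == "__main__":
    for line in summarize(triage(SAMPLE_REPORT, LOCAL_ENGINES)):
        print(line)
```

Run against a real report, the same two questions apply to every engine that flags a build: is the online engine older than what customers actually run, and is the verdict a named signature or a heuristic label? Only a hit that survives both checks (current engine, specific signature) is worth escalating as a real detection rather than a whitelisting request.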
NewsArchive
09-04-2010, 07:52 AM
>> UNTIL this problem is fixed properly - any SB72 installs will trigger a
>> F-Secure false positive.
>
> Actually it appears that it HAS been fixed (at least from what my testing
> shows), however the VirusTotal website has not updated to the latest
> version (despite what they say ... see below).

Charles,

First, I would not want to be the one to give false hope, IF they have not
truly fixed the problem. :-D

As you know - I am running the actual product as well - and it gets regular
updates (if our automatic update settings are turned on - mine is) without
our prompting.

Deep Guard is STILL blocking!

I have used this particular file to periodically test, because I know I
have never responded to the F-Secure Allow the program prompt for this
install - I just close the window and re-test a couple times a day:

sb72_3015_Dev.exe

Deep Guard STILL blocks that file.

David

--
From David Troxell - Encourager Software
Microsoft Forums NNTP Bridge - Instructions to use
http://profileexchanges.com/blog/?p=397

NewsArchive
09-04-2010, 07:53 AM
David,

>
> Deep Guard is STILL blocking!
>

Confirmed. Even a simple "HelloWorld.exe" compiled with SB7x is still
blocked. Latest updates applied. Of course, wupdate.exe and wucheck.exe
clients are also still blocked (and there are millions of clients installed
worldwide).

Friedrich

NewsArchive
09-04-2010, 07:53 AM
Oh man! These guys are so going down on my cool meter scale. :-(

--
Russell B. Eggen
www.radfusion.com
Clarion developers: www.radfusion.com/devs.htm

NewsArchive
09-04-2010, 07:54 AM
> First, I would not want to be the one to give false hope, IF they have not
> truly fixed the problem. :-D
>
> As you know - I am running the actual product as well - and it gets regular
> updates (if our automatic update settings are turned on - mine is) without
> our prompting.

Apparently the VirusTotal website version is NOT setup that way.

Just to be sure on yours, right-click the F-Secure icon in the system tray
and select ABOUT.

Mine shows:

F-Secure Anti-Virus 9.20 build 15437

and

F-Secure DeepGuard 2.21 build 114


> I have used this particular file to periodically test, because I know I
> have never responded to the F-Secure Allow the program prompt for this
> install - I just close the window and re-test a couple times a day:
>
> sb72_3015_Dev.exe
>
> Deep Guard STILL blocks that file.

Interesting.

If I download that file (sb72_3015_Dev.exe), right-click it in Windows
Explorer and select the scan for viruses and malware option, it shows it to
be a clean file (see attached F-SecureSB721.png).

But if I double-click it to run it, DeepGuard IS still blocking it (see
attached F-SecureSB722.png).


(checking...)

Ah - it appears I had told DeepGuard to unblock the ECL installer.

So apparently the Malware detection issue is fixed, but DeepGuard is still
blocking SB72 installs.

This is not as big a deal (it simply advises the user that the program is
suspicious and asks them if they want to unblock it), but I have sent a
reply back to F-Secure tech support on the ticket I have open with them
advising them that SB72 created installers are still being blocked.

So great progress, but a tad more work for F-Secure to do.

Charles




--
Charles Edmonds

NewsArchive
09-04-2010, 07:56 AM
Hi Charles,

> Apparently the VirusTotal website version is NOT setup that way.
>
> Just to be sure on yours, right-click the F-Secure icon in the system tray
> and select ABOUT.
>
> Mine shows:
>
> F-Secure Anti-Virus 9.20 build 15437
>
> and
>
> F-Secure DeepGuard 2.21 build 114

See attached screenshot. It still blocks SB72 apps with the latest version.
It even says F-Secure Anti-Virus 9.20 build 16071 (yours is 15437) and
DeepGuard is 2.21 build 116 (yours is 114).

So perhaps you have a build where SB72 was not blocked and they introduced
it later? VirusTotal.com is still correct (IMO).

Friedrich

NewsArchive
09-04-2010, 07:57 AM
> See attached screenshot. It still blocks SB72 apps with the latest version.
> It even says F-Secure Anti-Virus 9.20 build 16071 (yours is 15437) and
> DeepGuard is 2.21 build 116 (yours is 114).
>
> So perhaps you have a build where SB72 was not blocked and they introduced
> it later? VirusTotal.com is still correct (IMO).

No, that is exactly what I said confirming (what David said).

SB72 created installers are no longer reported as Malware - except on the
VirusTotal.com site and when you look at the version of the F-Secure
definitions they are using, they ARE out of date (despite the fact that
they show they were updated on 9/2/1010).

VirusTotal is reporting SB72 created installers as Malware (using the OLD
version of F-Secure definitions) and they ARE wrong.

A direct scan with the latest definitions shows NO MALWARE FOUND (as per my
other screen shot).

:-)


When I originally reported that DeepGuard was no longer blocking, I was
mistaken as my ECL installer had been added to an exception list.

So the good news is that F-Secure virus definitions no longer report SB72
created installers as Malware, but their DeepGuard tool is still blocking
it.

I've reported this to F-Secure on my open trouble ticket and hopefully they
will get that sorted out soon as well.

:-)

Charles


--
Charles Edmonds

NewsArchive
09-04-2010, 07:58 AM
Hi Charles,

>> So perhaps you have a build where SB72 was not blocked and they
>> introduced it later? VirusTotal.com is still correct (IMO).
>
> No, that is exactly what I said confirming (what David said).
>
> SB72 created installers are no longer reported as Malware - except on the
> VirusTotal.com site and when you look at the version of the F-Secure
> definitions they are using, they ARE out of date (despite the fact that
> they show they were updated on 9/2/1010).
>
> VirusTotal is reporting SB72 created installers as Malware (using the OLD
> version of F-Secure definitions) and they ARE wrong.
>
> A direct scan with the latest definitions shows NO MALWARE FOUND (as per
> my other screen shot).

Yes, you are right. See my Scanning Report posted on 9/1/2010 in this
thread. F-Secure already said "no malware found" but VirusTotal.com still
reported "malware detected".

So they fixed the malware problem but still have a bug in their DeepGuard.

> When I originally reported that DeepGuard was no longer blocking, I was
> mistaken as my ECL installer had been added to an exception list.
>
> So the good news is that F-Secure virus definitions no longer report SB72
> created installers as Malware, but their DeepGuard tool is still blocking
> it.
>
> I've reported this to F-Secure on my open trouble ticket and hopefully
> they will get that sorted out soon as well.

Thank you!!!

Friedrich

NewsArchive
09-04-2010, 07:58 AM
Charles received an email from F-Secure stating this issue will be fixed in
the next update release.

I want to thank you and all the others for your help!

Friedrich

NewsArchive
09-04-2010, 07:59 AM
8 days for an email to announce the correction would be in next
version!

wow

an excellent thing "we" (no one is specially "thought about" here) do
not work so *fast* in such circumstances!

imagine if we did - the chaos created throughout the world.....

Seems a good example of how a *real* community can back up a "favorite"
seller when such a problem arises. This makes me happy to see we can do
"something" all together if we want to.

(sorry for not having been here to help also but I was so deep in
coding and learning what no docs describe that I closed all skype and
NG and emails for a few days)

Good to see this pb will be solved very soon Friedrich.

--
Merci
Cordialement - Best regards
Jean-Pierre GUTSATZ
_______________________________________________________

For those who do not understand ... : "Qui bene amat bene castigat."
_______________________________________________________

DMC - Data Management Center : a tool to let you Migrate Import Export
Transfer your Data
www.dmc-fr.com Certified by Microsoft : "Works with Vista" & "Works
with Windows Server 2008"

NewsArchive
09-04-2010, 08:00 AM
Good news indeed!

Trying to see this from their side, they should have a whole lot of issues that I
could see causing such a delay in a fix:

1) Getting enough examples (signed would be ideal - thanks to Jane and myself and
I'm sure a few others) to see that there is an issue.
2) Investigate what changed to cause this false positive.
3) Implement fixes and changes in future updates.
4) Test it against the samples and their virus vault examples.

All that stuff may take some time. I'd rather think that is what was going on
instead of incompetence as it does appear to be a one-off. <G>

--
Russell B. Eggen
www.radfusion.com
Clarion developers: www.radfusion.com/devs.htm

NewsArchive
09-04-2010, 08:01 AM
Hi Russ,

> Good news indeed!
>
> Trying to see this from their side, they should have a whole lot of issues
> that I could see causing such a delay in a fix:
>
> 1) Getting enough examples (signed would be ideal - thanks to Jane and
> myself and I'm sure a few others) to see that there is an issue.
> 2) Investigate what changed to cause this false positive.
> 3) Implement fixes and changes in future updates.
> 4) Test it against the samples and their virus vault examples.
>
> All that stuff may take some time. I'd rather think that is what was
> going on instead of incompetence as it does appear to be a one-off. <G>

<G> Yes, I think you are right. I am sure it was not trivial to "fix"
this. It seems to me they already did something on their definition files
some days ago, but it turned out this was not enough. They also had to
change the algorithm in their DeepGuard technology.

But on the other hand, there are not too many compiler products for Windows
available today (<80). To flag applications just because the executable
header was identified as an SB7 program was, well, "suboptimal".

Friedrich

NewsArchive
09-04-2010, 08:01 AM
Friedrich,

I agree. This was a mistake on their part, thus I was hoping that the
investigation as to why it happened in the first place would explain the delay.
If it never happens again, that is near proof that such an action was indeed done.
If it does happen again, then OK - shoot them out of a cannon <G>

I live in hope too much sometimes <vbg>.

> But on the other hand, there are not too many compiler products for Windows
> available today (<80). To flag applications just because the executable
> header file was identified as SB7 program was, well, "suboptimal".
>
> Friedrich
>

--
Russell B. Eggen
www.radfusion.com
Clarion developers: www.radfusion.com/devs.htm

NewsArchive
09-04-2010, 08:02 AM
Great news. Their programmer was probably sunning himself/herself on a beach
somewhere.

John Griffiths

NewsArchive
09-04-2010, 08:02 AM
> Great news. Their programmer was probably sunning himself/herself on a
> beach somewhere.

:)

Friedrich

NewsArchive
09-05-2010, 09:51 AM
Thanks for pushing this, Charles!

Jane

NewsArchive
09-05-2010, 09:51 AM
> Thanks for pushing this, Charles!

Glad to do my part.

I think it is the combined efforts of everyone who has submitted software
and/or opened trouble tickets that has helped bump this in the priority
queue at F-Secure.

:-)

Charles


--
Charles Edmonds

NewsArchive
09-09-2010, 12:35 AM
>> A direct scan with the latest definitions shows NO MALWARE FOUND (as per
>> my other screen shot).
>
> Yes, you are right. See my Scanning Report posted on 9/1/2010 in this
> thread. F-Secure already said "no malware found" but VirusTotal.com still
> reported "malware detected".

Update:
http://www.f-secure.com/v-descs/suspicious_w32_malware!gemini.shtml

"The detection of Suspicious:W32/Malware!Gemini by Virustotal's scan is
equivalent to an automatic block by DeepGuard"

Because DeepGuard still blocks all SB7 apps, the VirusTotal report is
correct.

Friedrich

NewsArchive
09-09-2010, 12:36 AM
>
> Because DeepGuard still blocks all SB7 apps, the VirusTotal report is
> correct.
>
> Friedrich
>

Jane

NewsArchive
09-09-2010, 12:37 AM
<ROFL>

Domain registered now <g>

Friedrich

NewsArchive
09-09-2010, 12:37 AM
Years ago, there was kind of a rush of buying up the *sucks.* domains
just in case. Maybe they'd better get it quick<g>

Jeff Slarve