Anti-virus vendors - what a waste of MY resources...



NewsArchive
03-18-2015, 11:04 AM
Kaspersky detected SetupBuilder as "Trojan-Dropper.Win32.Injector.llpg". Of
course, this is AGAIN a BUG in their virus definition update.

Okay, no problem you think? Well, here we go:

---

Kaspersky Lab: How to report false positives to the viruslab?

A. Put the suspected virus in a password-protected zip or rar file.

B. Compose an email message (only short description) and attach the zip
file.

C. Include the password in the body/subject of the email. If you suspect
a false positive, then include "Possible false positive" in the
subjectline.

D. Send the zip/rar file to newvirus@kaspersky.com

---

Okay, I did all this and asked them to FIX the bug. Then I received this:

---

This message has been generated by an automatic message response system. The
message contains details about verdicts that have been returned by
Anti-Virus in response to the files (if any are included in the message)
with the latest updates installed.

sb8_4714_dev.exe - Trojan-Dropper.Win32.Injector.llpg

New malicious software was found in this file. Its detection will be
included in the next update. Thank you for your help.

Best Regards, Kaspersky Lab

39A/3 Leningradskoe Shosse, Moscow, 125212, Russia
Tel./Fax: + 7 (495) 797 8700
http://www.kaspersky.com http://www.viruslist.com

---

Anybody home?..... think McFly, think!!!

https://www.youtube.com/watch?v=Uz7238BM5UQ

This is killing me :-(

Friedrich

NewsArchive
03-18-2015, 11:04 AM
Friedrich,

> New malicious software was found in this file. Its detection will be
> included in the next update. Thank you for your help.

Sometimes you have to wonder if there is a functioning brainstem on
the other side of the equation... often, it seems, there isn't which
is truly sad.

Lee White (Lodestar Software)

NewsArchive
03-18-2015, 11:05 AM
And the best thing is, our customers received the following:

---

"Sorry, it was a false detection. It will be fixed in the next update. Thank
you for your help.

This file was detected because this installer injects code into a process
and self-deletes. This is what malware does.
So all new files like this will also be detected. To fix this - change
installer."

---

They add a false-positive, fix their bug, then another specialist adds it
again and so on and so forth and and so on and so...

And did you read this!!! "To fix this - change installer". That is what
Kaspersky Lab says <g>

Friedrich

--
Friedrich Linder
Lindersoft
www.lindersoft.com
+1.954.252.3910

--Helping You Build Better Installations
--SetupBuilder "point. click. ship"
--Create Windows 10 ready installations in minutes
--Official COMODO Code Signing and SSL Certificate Partner

NewsArchive
03-18-2015, 11:52 AM
Lee,

> Sometimes you have to wonder if there is a functioning brainstem on
> the other side of the equation... often, it seems, there isn't which
> is truly sad.

<G>

If it wasn't so sad it would be funny. SetupBuilder users and Lindersoft
contacted Kaspersky to report the false-positive. Kaspersky confirmed that
it was a bug in THEIR system and "to fix this - change installer"?! What?
Are you serious?

Kaspersky: "Sorry, it was a false detection. It will be fixed in the next
update. Thank you for your help.... To fix this - change installer."

A few minutes later, the same file:

Kaspersky: "New malicious software was found in this file. Its detection
will be included in the next update. Thank you for your help."

They are caught in a loop.

More medicine! I need more medicine! Please!

Friedrich

NewsArchive
03-18-2015, 11:53 AM
Friedrich,

> More medicine! I need more medicine! Please!

No, THEY need to up their dosage or refrain altogether!<g>

You just need a couple of Ibuprofen and vacation!!!!

Lee White

NewsArchive
03-18-2015, 11:53 AM
>> More medicine! I need more medicine! Please!
>
> No, THEY need to up their dosage or refrain altogether!<g>
>
> You just need a couple of Ibuprofen and vacation!!!!

<VBG> :-)

Friedrich

NewsArchive
03-18-2015, 11:53 AM
One minute ago:

Lindersoft: "No, this is NOT a new virus. This is a false-positive. Could
you please fix this and do NOT add it as a new virus???"

Kaspersky Lab: "Sorry, it was a false detection. It will be fixed in the
next update. Thank you for your help."

Yippee-ki-yay, I think we are safe now <g>. Where is John McClane when you
really need him?

Friedrich

NewsArchive
03-18-2015, 11:54 AM
http://media.tumblr.com/tumblr_le0zo9IfWm1qcig1w.gif

>
>Yippee-ki-yay, I think we are safe now <g>. Where is John McClane when you
>really need him?

Jeff Slarve
www.jssoftware.com
www.twitter.com/jslarve
I'll search help files & Google for you.

NewsArchive
03-18-2015, 11:54 AM
> And did you read this!!! "To fix this - change installer". That is what
> Kaspersky Lab says <g>
>
>

how about "to fix this - change anti-virus vendor"

Tony Tetley

NewsArchive
03-18-2015, 11:55 AM
>
> how about "to fix this - change anti-virus vendor"
>

Good idea <g>

Friedrich

NewsArchive
03-18-2015, 11:56 AM
Can you recommend a good installer to replace this P.O.S.?<g>

Jeff Slarve
www.jssoftware.com
www.twitter.com/jslarve
I'll search help files & Google for you.

NewsArchive
03-18-2015, 11:56 AM
>
> Can you recommend a good installer to replace this P.O.S.?<g>
>

<G> :-)

Friedrich

NewsArchive
03-18-2015, 11:57 AM
FWIW, I use kaspersky, and SB8 8.5.4714.0 is running with antivirus
database from March 18.

I left SB8 running overnight. Maybe I won't try closing it and
restarting<g>

Jeff Slarve
www.jssoftware.com
www.twitter.com/jslarve
I'll search help files & Google for you.

NewsArchive
03-18-2015, 11:58 AM
Just tried on my XP VM, and SB fired right up. No probs.

Jeff Slarve
www.jssoftware.com
www.twitter.com/jslarve
I'll search help files & Google for you.

NewsArchive
03-18-2015, 02:29 PM
And to think, I respected this group a few years ago (they cleaned out a
nasty piece of malware from my system).

--

Russ Eggen
RADFusion International, LLC

NewsArchive
03-18-2015, 02:30 PM
And on the same note, we just lost a possible sale because when a
potential client downloaded our demo.. then went to install it.. Norton
said it was a possible virus (I don't have a lot of details). So, we
went to request a whitelist on our install.

Do we have to create a bunch of VMs, install and purchase all of the
anti-viruses, and test each one before we release a demo? Not worried
about purchases.

Perhaps we as software developers need to take a pro-active approach and
class action these anti-virus companies... which are costing us millions
(well not 'us' like me (I wish), but all software companies).

Is there not a central location where you can upload your software and
it will test it with all of the popular anti-viruses?

Better yet, I think I'll make my own anti-virus company.. I'll just
prevent or warn about anything that gets installed. What's that, about
15 lines of code <G>

Ray
VMT

NewsArchive
03-18-2015, 02:31 PM
https://www.virustotal.com/

>
> IS there not a central location where you can upload your software and
> it will test it with all of the popular anti-viruses.
>

--

Russ Eggen
RADFusion International, LLC

NewsArchive
03-18-2015, 02:32 PM
And in an installer I made just this morning, this site reports a Jiangmin
false positive. Friedrich has documented how this company won't fix
their software, let alone acknowledge Friedrich's communication.

Every other AV program says its cool.

--

Russ Eggen
RADFusion International, LLC

NewsArchive
03-18-2015, 02:33 PM
Russ,

> Every other AV program says its cool.

But not as cool as Shawn, right?!<g>

Lee White

NewsArchive
03-18-2015, 02:33 PM
NOBODY is as cool as Shawn!

Jane Fleming

NewsArchive
03-18-2015, 02:34 PM
He's never complained about my code. That's why he's cool! :-)

--

Russ Eggen
RADFusion International, LLC

NewsArchive
03-18-2015, 02:35 PM
Thanks Russ for telling me about this VirusTotal.

I tested mine and I had 3 issues.. the first 2 were an issue with the
ammyy program which is what we use to get on our customers screens.

Eset reported it: a variant of Win32/RemoteAdmin.Ammyy.C potentially unsafe

And Agnitum said it was riskware

The 3rd was the Jiangmin issue as well.

I worry about the ammyy program but it works so well. I put a password
in it so nobody else can request access to our customers machines. So
far, not a single issue. But this may be causing our problem as we
install it with our software so we can just run it from our program.

Ray
VMT
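Reading a multi-engine report the way Ray describes (a few hits, most of them "riskware"/"potentially unsafe" labels on a bundled remote-admin tool, plus one lone generic hit) is easier with a small triage script. The following is an added example for this thread; it is not code from Lindersoft, VirusTotal or any poster. SAMPLE_REPORT is constructed to mirror Ray's result in the field layout of VirusTotal's v3 file report (`data.attributes.last_analysis_results` keyed by engine); the detection strings other than the ESET one are placeholders, and the PUA word list is a practitioner's heuristic, not an official taxonomy. It also covers Jeff's 300-500 MB problem: looking a build up by SHA-256 first (VirusTotal's `/api/v3/files/{hash}` endpoint, with an `x-apikey` header) needs no upload at all when VirusTotal has already seen the file.

```python
"""Triage a VirusTotal-style multi-engine report for a release build.

Added example; constructed sample data, not a real VirusTotal response.
"""
import hashlib
import json
import re

# Constructed to mirror the thread: ESET + Agnitum riskware verdicts on the
# bundled Ammyy tool, one lone Jiangmin hit, everything else clean.
SAMPLE_REPORT = json.loads("""
{"data": {"attributes": {"last_analysis_results": {
  "ESET-NOD32": {"category": "malicious",
                 "result": "a variant of Win32/RemoteAdmin.Ammyy.C potentially unsafe"},
  "Agnitum":    {"category": "malicious", "result": "Riskware.RemoteAdmin (placeholder)"},
  "Jiangmin":   {"category": "malicious", "result": "Trojan/Generic.placeholder"},
  "Kaspersky":  {"category": "undetected", "result": null},
  "Microsoft":  {"category": "undetected", "result": null},
  "Sophos":     {"category": "undetected", "result": null},
  "Symantec":   {"category": "type-unsupported", "result": null}
}}}}
""")

# Verdict wording that means "tool you may not want", not "malware".
# Heuristic list (assumption), extend it for the engines you care about.
PUA_RE = re.compile(
    r"potentially (unsafe|unwanted)|riskware|not-a-virus|\bPUA\b|\bPUP\b|remoteadmin|hacktool",
    re.IGNORECASE,
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file so a 500 MB setup never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def lookup_url(sha256: str) -> str:
    """Hash lookup URL (no upload); send the 'x-apikey' header when you GET it."""
    return f"https://www.virustotal.com/api/v3/files/{sha256}"


def triage(report: dict) -> dict:
    """Bucket every engine's verdict: malware / pua / clean / skipped."""
    results = report["data"]["attributes"]["last_analysis_results"]
    out = {"malware": [], "pua": [], "clean": [], "skipped": []}
    for engine, verdict in sorted(results.items()):
        cat = verdict.get("category")
        if cat in ("undetected", "harmless"):
            out["clean"].append(engine)
        elif cat in ("malicious", "suspicious"):
            label = verdict.get("result") or ""
            out["pua" if PUA_RE.search(label) else "malware"].append((engine, label))
        else:  # type-unsupported, timeout, failure: engine did not score the file
            out["skipped"].append(engine)
    return out


def recommend(summary: dict) -> list:
    """Turn the buckets into the actions a vendor would actually take."""
    scored = len(summary["clean"]) + len(summary["malware"]) + len(summary["pua"])
    malware = summary["malware"]
    actions = []
    if malware and len(malware) * 4 <= scored:
        # A quarter or less of the scoring engines: far more likely a bad signature.
        engines = ", ".join(e for e, _ in malware)
        actions.append(f"probable false positive: open a ticket with {engines}, "
                       "quoting the SHA-256 and the detection name")
    elif malware:
        actions.append("majority of engines flag the file: treat as a real finding before shipping")
    if summary["pua"]:
        actions.append("riskware/PUA verdicts on a bundled remote-admin tool are expected: "
                       "document them for customers rather than filing false-positive tickets")
    if not malware and not summary["pua"]:
        actions.append("clean")
    return actions


if __name__ == "__main__":
    summary = triage(SAMPLE_REPORT)
    for bucket, engines in summary.items():
        print(f"{bucket:8s} {engines}")
    for action in recommend(summary):
        print("->", action)
```

The split between "malware" and "pua" is the point: a riskware label on Ammyy is a correct verdict you can only document, while a single generic trojan name from one engine out of six is the case worth a ticket, and the SHA-256 (not the file) is what that ticket should lead with.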

NewsArchive
03-18-2015, 02:36 PM
Ray,

The nice thing about this testing site is you have ammunition to give
to your customer(s) and you can then tell them you have an open issue
ticket with the vendor in question (assuming you do open one <g>).

Also, you could issue advisories or notices in your RSS feeds and/or web
site stating there are known issues with those AV vendors (be sure to
date the notice!) and update when things change - including when the
vendor fixed their bug.

You are seen as on top of things and responsible. Gives you a nice and
unassailable reputation! Worked well for Friedrich, didn't it? <g>

--

Russ Eggen
RADFusion International, LLC

NewsArchive
03-18-2015, 02:37 PM
That's a neat site but it won't test large setups. Ours are typically
between 300-500 MB.

Jeff Slarve
www.jssoftware.com
www.twitter.com/jslarve
I'll search help files & Google for you.

NewsArchive
03-18-2015, 02:38 PM
Jeff - I think you could make a dummy installer, as it appears it checks
just the installer program. Reports it as a Lindersoft executable. But
I think no matter how many different ones you submit, the results will
be the same.

--

Russ Eggen
RADFusion International, LLC

NewsArchive
03-18-2015, 02:39 PM
Except for the times that they're not<g>

Thanks Russ.

> But
>I think no matter how many different ones you submit, the results will
>be the same.

Jeff Slarve
www.jssoftware.com
www.twitter.com/jslarve
I'll search help files & Google for you.

NewsArchive
03-18-2015, 02:39 PM
Yeah, that's a crap shoot! :-)

--

Russ Eggen
RADFusion International, LLC

NewsArchive
03-18-2015, 02:40 PM
Hi Friedrich,

> Kaspersky detected SetupBuilder as "Trojan-Dropper.Win32.Injector.llpg". Of
> course, this is AGAIN a BUG in their virus definition update.

I wouldn't touch Kaspersky with a 10 foot pole after my experience with
them years ago.

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
03-19-2015, 07:46 AM
Russ,

> Jeff - I think you could make a dummy installer, as it appears it
> checks just the installer program. Reports it as a Lindersoft
> executable. But I think no matter how many different ones you
> submit, the results will be the same.

That is a great idea!!! I have added a new feature to the IDE. There is a
new "Compile Mode" menu item. When you toggle "Enable File 'Dummy' Mode"
then the compiler will link in 5 byte "dummy" files instead of the real
files.

The installer stub (loader), the uninstaller, the installer runtime and all
the required service files are the real ones. The compiler will only
replace the files in the archive (files to be installed) with "dummy" ones.

This can then be uploaded to VirusTotal.

Very good idea. Thank you !!!

Friedrich
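The dummy build is only a useful proxy if the part an AV signature actually matches on, the loader and runtime, is byte-for-byte the same as in the real build. The following is an added example for checking that, not SetupBuilder's or Lindersoft's code. It assumes the installer is a PE executable that carries the archive of files to install as an overlay appended after the last section, as many self-extracting installers do; the thread does not say how SetupBuilder lays its output out, so treat that as an assumption to confirm on a real build. `build_pe()` constructs a minimal, non-runnable PE image purely so the check can be exercised offline.

```python
"""Confirm a 'dummy' build shares its loader bytes with the real build.

Added example.  Assumption: archive is a PE overlay after the last section.
"""
import hashlib
import struct


def overlay_offset(pe: bytes) -> int:
    """Offset of the first byte after the last section's raw data."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]  # SizeOfOptionalHeader
    table = coff + 20 + opt_size                          # section table start
    end = table + 40 * num_sections                       # never cut inside the headers
    for i in range(num_sections):
        # IMAGE_SECTION_HEADER: SizeOfRawData at +16, PointerToRawData at +20
        size_raw, ptr_raw = struct.unpack_from("<II", pe, table + 40 * i + 16)
        end = max(end, ptr_raw + size_raw)
    return min(end, len(pe))


def split_stub(pe: bytes):
    """(stub, overlay): the loader image and the appended archive."""
    off = overlay_offset(pe)
    return pe[:off], pe[off:]


def stub_sha256(pe: bytes) -> str:
    return hashlib.sha256(split_stub(pe)[0]).hexdigest()


def first_difference(a: bytes, b: bytes) -> int:
    """-1 if equal, else the first offset at which the two byte strings diverge."""
    n = min(len(a), len(b))
    for i in range(n):
        if a[i] != b[i]:
            return i
    return -1 if len(a) == len(b) else n


def same_stub(real: bytes, dummy: bytes) -> bool:
    """True when a VirusTotal verdict on `dummy` says something about `real`."""
    return first_difference(split_stub(real)[0], split_stub(dummy)[0]) == -1


def build_pe(overlay: bytes, code: bytes = b"\x90" * 16) -> bytes:
    """Constructed minimal PE: DOS header, PE signature, COFF header with an
    empty optional header, one .text section at 0x200, then `overlay`."""
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x0102)  # i386, 1 section
    raw_ptr = 0x200
    section = b".text".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", len(code), 0x1000, len(code), raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + section).ljust(raw_ptr, b"\0")
    return headers + code + overlay


if __name__ == "__main__":
    # Constructed stand-ins: same loader, very different archives.
    real = build_pe(b"<hundreds of MB of installed files would sit here>" * 4)
    dummy = build_pe(b"<5-byte dummies>")
    print("overlay starts at", hex(overlay_offset(real)), "stub match:", same_stub(real, dummy))
    print("stub sha256:", stub_sha256(dummy))
```

If `same_stub()` comes back False on real builds, `first_difference()` tells you where: a few bytes inside the loader's own header (an archive length or checksum field) mean the verdict still transfers in practice, while a divergence inside a code section means the two builds really do contain different loaders and the dummy tells you nothing about the shipping file.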

NewsArchive
03-19-2015, 09:08 AM
You are welcome! Good option for the IDE too.

--

Russ Eggen
RADFusion International, LLC