
Topic Review (Newest First)

  • 01-17-2023, 06:35 AM
    linder

    Re: CryptoGuard detected ransomware in C:\Users\...

    Hi Rich,

    In most cases they do some kind of "whitelisting". But sometimes protection vendors do not really fix their "bug" in the virus definition file, and you have to re-submit.

    Friedrich
  • 01-05-2023, 08:09 PM
    RichBPL

    Re: CryptoGuard detected ransomware in C:\Users\...

    My installer is code signed with a standard code certificate that your site helped me obtain from Sectigo, quite some time ago. The cert expires within 30 days.

    Do you think that every time I compile my installer I will have to re-submit it to Sophos?

    -Rich
  • 01-05-2023, 12:15 PM
    linder

    Re: CryptoGuard detected ransomware in C:\Users\...

    Hi Rich,

    Assuming your installer does not contain ransomware... <g> your setup seems to trigger a "false positive". Upload your installer to Sophos and report it as a false positive so they can fix their bug in the next virus definition update.

    BTW, is your installer code-signed?

    Friedrich
  • 01-05-2023, 10:03 AM
    RichBPL

    CryptoGuard detected ransomware in C:\Users\...

    One of my customers gets a message like the following when running my digitally signed setup program (this message is from their log, so I don't know exactly what the on-screen message looked like):

    CryptoGuard detected ransomware in C:\Users\XXXX\OneDrive - XXXX\Desktop\XXSetupXX

    They said the message appeared after they entered the password to continue the install and the message they saw said something about trying to write encrypted files to disk.

    I rebuilt the setup program (using SB Ver 10.0.6531) to not prompt for a password, but they still received the same message, presumably when XXSetupXX has started to install files.

    Does Sophos, in general, not like how Setup Builder operates, or is Sophos complaining about some file I am distributing? My app is a regular Clarion-built application, but it does include some popular 3rd-party Clarion add-ons which have their own DLLs and configuration files.
