-
Suspicious.Cloud again..
Running my Setup file created with SetupBuilder will bring up the Symantec (Common Client: 12.3.4.4)
Virus Scanner with the following message:
Suspicious.Cloud.5.A found in ~SBBE1B.tmp
On another machine, where the latest Symantec has been installed, we could
identify the file as the SetupBuilder Uninstaller file.
I sent this temp file once to the whitelist registration of Symantec to get rid of
the virus detection.
But each time I build a new Setup file, the Uninstall file will differ slightly and
will be recognized by the Symantec scanner again, which has already happened.
What can I do here?
I mean, it is not one of my installation files; it is the Uninstall file generated by
SetupBuilder which is causing the failure.
-
Re: Suspicious.Cloud again..
Hello,
The SB compiler generates unique binaries and the Microsoft Authenticode code-signing process modifies the binaries again. There is no "standard" SB uninstall. It is compiled and code-signed on-the-fly.
BTW, this is not related to SetupBuilder and there is absolutely nothing we can do. It's a Symantec false-positive bug and so only Symantec can fix it in their system.
http://www.symantec.com/connect/forums/suspiciouscloud
http://www.symantec.com/security_res...136-99&tabid=2
http://community.norton.com/t5/Norto...2/td-p/1045187
Friedrich
-
1 Attachment(s)
Re: Suspicious.Cloud again..
Some additional information:
Also, a totally new project (no files included) built with SetupBuilder is directly sent to quarantine:
"Suspicious.Cloud.5.A","Your Project Name-2.exe","C:\Users\IBM_ADMIN\Documents\SetupBuilder Projects\Your Project Name-3\","Infected","20.02.2014 14:21"
(Project Attached)
Regards
Thomas
-
Re: Suspicious.Cloud again..
Wrong newsgroup <g>. You have to report this bug to Symantec !!! ;-) It's their false-positive bug. There is absolutely nothing we (or you) can do if a specific combination of bytes in a Windows executable or a database (the file you posted is a TopSpeed database file) gives a false-positive warning.
Friedrich
-
Re: Suspicious.Cloud again..
If an empty project is causing the heuristic scan to detect the built
setup executable and send it to quarantine, I don't think you can
just put this problem onto your customers.
I think you also have to contact Symantec to make sure they do not
detect the Setup files as a virus risk.
Thomas
-
Re: Suspicious.Cloud again..
BTW, compiled your project and let VirusTotal check it:
https://www.virustotal.com/en/file/b...is/1392906752/
Friedrich
-
Re: Suspicious.Cloud again..
I know, VirusTotal seems not to do the heuristic scan for Suspicious.Cloud.
I have already checked.
-
Re: Suspicious.Cloud again..
Sorry, this is seriously not related to SetupBuilder at all !!!
Here is the test result from your original project file compiled into a .exe:
https://www.virustotal.com/en/file/b...is/1392906752/
Not sure what else I can tell you. We can't do anything to fix this Symantec bug.
Friedrich
-
Re: Suspicious.Cloud again..
It is serious, 'cause IBM will not change their virus scanner company-wide
because of one failing Installation Builder.
-
Re: Suspicious.Cloud again..
Huh??? Sorry, but this has absolutely NOTHING to do with SetupBuilder. The SetupBuilder compiler generates native Windows binary files. If a specific combination of bytes in your generated executable or binary file causes a false-positive alert then only Symantec can fix the bug in their system. There is nothing that you or we can do here. For example, if code-signing with your own code-signing certificate embeds a specific combination of bytes into a binary and this triggers the false-positive then there is nothing that you can do to find out what specific combination of bytes causes this nor can you do anything to change this in your own files. Symantec has to fix it !!!
Friedrich
-
Re: Suspicious.Cloud again..
So you're telling me your product is not working together with Symantec's heuristic scan and
there is nothing you or I can do against it?
So what is your suggestion in that case:
1.) Catching the files from quarantine and sending them to Symantec, hoping
they give up one day doing their heuristic scan on "Suspicious.Cloud"
2.) Searching for a different setup builder that does the job.
3.) Hoping that you might also try to get in contact with Symantec to
solve that issue.
Kind Regards
Thomas
-
Re: Suspicious.Cloud again..
BTW, or see this:
http://www.lindersoft.com/forums/sho...ntec#post70043
And it's not fair that you say we put this problem onto our customers! Fact is, we can't do anything.
SetupBuilder powers millions of installs per day. SetupBuilder (and other compilers) generate binary files on the fly. As part of the generation or code-signing process, the compiler or Authenticode tools might generate specific combinations of bytes that trigger a false-positive warning (BUG!!!) in protection systems. Only the protection system vendor can fix this bug in the virus-definition file. Sometimes a binary file recompile helps, sometimes it does not.
Friedrich
-
Re: Suspicious.Cloud again..
No. I did not tell you what you posted. I am shocked... :(
Friedrich
-
Re: Suspicious.Cloud again..
Yes, I understand, but I sent you a sample, which is a pure empty project, nothing special added, no help, nothing.
This file is detected by the Symantec Virus scanner and put into quarantine.
I'm really pleased with SetupBuilder, don't get me wrong here.
I've been using it for years, but now Symantec is detecting a pure basic empty Setup.exe as a virus.
Did you ever contact Symantec about this problem?
Shall we try to fix that together?
-
2 Attachment(s)
Re: Suspicious.Cloud again..
Please see attached screenshots. Results are from the compiled project file that you posted.
The first screenshot (executable not code-signed) gives an advanced heuristic and reputation Symantec "warning". The second one (compiled 40 minutes later) does not give a warning because we have partnered with Symantec to build a reputation for our compiled files. As a result, the generated and code-signed binary (compiled from your original project) does not get "flagged" (in VirusTotal).
Perhaps it already helps if you code-sign with a reputable code-signing certificate to make Symantec happy and avoid the false-positive bug.
Friedrich
-
Re: Suspicious.Cloud again..
I forgot to answer one question. Yes, from time to time we are in contact with Symantec, but there is no "general" false-positive problem with Symantec. We are even a participant in their whitelisting program.
Remember, SetupBuilder powers millions of installs per day (worldwide). If there were a "general" Symantec problem, we would see hundreds or thousands of "Suspicious.Cloud" messages here.
This is from one of the Symantec tickets:
---
False Positive Submission [3147335] -- Suspicious.Cloud.5.D
From: Symantec FP Incident Response [mailto:falsepositives@symantec.com]
Sent: Monday, April 15, 2013 9:36 PM
Subject: [No Reply] False Positive Submission [3147335]
In relation to submission [3147335].
Upon further analysis and investigation we have verified your submission and
as such this detection will be removed from our products.
The updated detection will be distributed in the next set of virus
definitions, available via LiveUpdate or from our website at
http://securityresponse.symantec.com....download.html
Decisions made by Symantec are subject to change if alterations to the
Software are made over time or as classification criteria and/or the policy
employed by Symantec changes over time to address the evolving landscape.
If you are a software vendor, why not take part in our whitelisting program?
To participate in this program, please complete the following form:
https://submit.symantec.com/whitelist
Sincerely,
Symantec Security Response
---
Friedrich
-
Re: Suspicious.Cloud again..
It will sign the Setup executable, right?
But does SetupBuilder also sign the Uninstall executable?
That is the actual problem in my custom installation,
because there Symantec does not complain about the Setup exe;
it only complains about the uninstall executable!!
-
Re: Suspicious.Cloud again..
Yes, it will code-sign both your setup.exe and the uninstall executable.
Sometimes, even a specific custom icon for your setup/uninstall can cause the false-positive bug in a heuristic scanning method. Change one pixel in the icon, recompile the setup project to embed the modified icon and the false-positive goes away. Or a very specific combination of bytes from a code-signing process triggers the false-positive. Recompile and re-code-sign (perhaps using another timestamp server) and the error goes away.
I would suggest always code-signing with a reputable code-signing certificate. And you should build a reputation for your certificate with Symantec to try to avoid false-positives. Remember: the same can happen with your own application .exe or .dll files (or even database files). You only need a specific combination of bytes somewhere in the file and BANG.... So code-sign all your application files, too !!!
Friedrich
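Since the question in this exchange is whether both the setup.exe and the uninstall executable actually leave the build with an Authenticode signature, here is an added example (my own, not SetupBuilder's or Lindersoft's code) that checks a PE file for the embedded certificate table SignTool.exe appends and records the file's SHA-256, so an unexpectedly unsigned build artefact can be caught before it ships or is submitted to the vendor's false-positive form. The PE images it inspects are constructed in memory so it runs offline; `authenticode_info`, `build_sample_pe`, `report` and `check_files` are names chosen for this example.

```python
"""Check build outputs for an embedded Authenticode signature table.

Added example, not SetupBuilder's or Lindersoft's code. It reads data
directory entry 4 (IMAGE_DIRECTORY_ENTRY_SECURITY) of the PE optional
header, which points at the WIN_CERTIFICATE table SignTool.exe appends
when it signs a file, and hashes the file so an unsigned artefact
(e.g. the uninstaller) can be spotted and reported.
"""
import hashlib
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # index of the certificate table entry
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
WIN_CERT_REVISION_2_0 = 0x0200


def authenticode_info(data: bytes) -> dict:
    """Report whether a PE image (as bytes) carries a certificate table."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                        # optional header follows the COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    dir_base = {0x10B: 96, 0x20B: 112}.get(magic)  # PE32 / PE32+ data-directory offset
    if dir_base is None:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    num_dirs = struct.unpack_from("<I", data, opt + dir_base - 4)[0]
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return {"signed": False, "reason": "no security directory"}
    entry = opt + dir_base + IMAGE_DIRECTORY_ENTRY_SECURITY * 8
    # Unlike the other directories, this entry holds a raw file offset, not an RVA.
    cert_offset, cert_size = struct.unpack_from("<II", data, entry)
    if cert_offset == 0 or cert_size == 0:
        return {"signed": False, "reason": "security directory empty"}
    if cert_offset + cert_size > len(data) or cert_size < 8:
        return {"signed": False, "reason": "certificate table truncated"}
    length, revision, cert_type = struct.unpack_from("<IHH", data, cert_offset)
    return {
        "signed": cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA and length <= cert_size,
        "cert_offset": cert_offset,
        "cert_size": cert_size,
        "revision": revision,
        "cert_type": cert_type,
    }


def build_sample_pe(signed: bool) -> bytes:
    """Construct a minimal PE32 image for this example (not a real executable)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)            # e_lfanew -> 64
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                                        # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, 16)                         # NumberOfRvaAndSizes
    header_len = len(dos) + 4 + len(coff) + len(opt)            # 312 bytes
    cert = b""
    if signed:
        payload = b"constructed PKCS#7 placeholder"            # stands in for the signed data
        payload += b"\0" * (-len(payload) % 8)                  # table length is 8-byte aligned
        cert = struct.pack("<IHH", 8 + len(payload), WIN_CERT_REVISION_2_0,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + payload
        struct.pack_into("<II", opt, 96 + IMAGE_DIRECTORY_ENTRY_SECURITY * 8,
                         header_len, len(cert))
    return dos + b"PE\0\0" + coff + bytes(opt) + cert


def report(images: dict) -> dict:
    """Map each build output name to its signature status and SHA-256."""
    return {
        name: {**authenticode_info(data), "sha256": hashlib.sha256(data).hexdigest()}
        for name, data in images.items()
    }


def check_files(paths) -> dict:
    """Same report for real files on disk, e.g. setup.exe and the uninstaller."""
    return report({p: open(p, "rb").read() for p in paths})


if __name__ == "__main__":
    # Constructed inputs: one image with a certificate table, one without.
    for name, info in report({"setup.exe": build_sample_pe(True),
                              "uninstall.exe": build_sample_pe(False)}).items():
        status = "signed" if info["signed"] else f"UNSIGNED ({info.get('reason', 'bad table')})"
        print(name, status, info["sha256"][:16])
```

The script only tells you whether a signature table is present and plausibly shaped; validating the certificate chain and timestamp is done on Windows with `signtool verify /pa file.exe` or PowerShell's `Get-AuthenticodeSignature`. The SHA-256 is what the vendor's false-positive form and VirusTotal key on, and because every SetupBuilder build produces a different binary, it has to be recomputed per build rather than whitelisted once.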
-
Re: Suspicious.Cloud again..
Have you tried building an empty project with SetupBuilder on your side and checking on VirusTotal?
Is it also giving you a Suspicious.Cloud?
Thomas
-
Re: Suspicious.Cloud again..
OK, I will try and come back to you about the result.
Thanks a lot for your time
Thomas
-
Re: Suspicious.Cloud again..
Thomas,
You can even "simulate" this with other compilers. For example, the attached screenshot is from a 32-bit executable compiled with Microsoft Studio C++ (not code-signed). On top of the Symantec warning, it reports a F-Secure Deepguard malware warning. Recompiled the project a few times (same source code) and the warning goes away. Another re-compile brings back the warning. Welcome to the wonderful world of heuristic detection. BTW, code-signing the file removes both false-positives. But there is no guarantee that the next Symantec, F-Secure, avast! or whatever virus definition update will not change this !!!
Friedrich
-
2 Attachment(s)
Re: Suspicious.Cloud again..
Hi,
Trying to code-sign the Setup.
Getting the following error from SetupBuilder
and from Symantec.
Any idea what I can do here?
-
2 Attachment(s)
Re: Suspicious.Cloud again..
Hi,
Tried to add a digital signature to the setup and am getting the following problem.
Do you have any idea what to do?
-
Re: Suspicious.Cloud again..
Thomas,
I think you are using a code-signing certificate in form of .PFX, but you forgot to switch to Microsoft SignTool.exe. You are still using SignCode.exe.
Friedrich
-
Re: Suspicious.Cloud again..
Thomas,
To code-sign files with a .PFX, you have to switch to Microsoft SignTool.exe.
http://www.lindersoft.com/forums/showthread.php?p=75360
Friedrich
-
Re: Suspicious.Cloud again..
I'm using the .pfx file and have switched to the Microsoft SignTool.exe from the SDK 7.0.
But it seems SignTool cannot be called, because Symantec removes the temp files first.
-
1 Attachment(s)
Re: Suspicious.Cloud again..
Thomas,
See attached screenshot. Symantec Endpoint Protection Version 12.1.4013.4013 (64-bit) installed on a clean Windows 7 Ultimate (x64) machine. After that, we installed SetupBuilder 8.1. Then we created a "dummy" standard project with code-sign option (.pfx) and compiled it. No problem at all (no false-positive when installing SetupBuilder nor when compiling a project). Latest Symantec updates and definitions applied.
Friedrich
-
1 Attachment(s)
Re: Suspicious.Cloud again..
And that's from your original Hybrid installer type demo project (dated: 2/20/2014).
Friedrich
-
1 Attachment(s)
Re: Suspicious.Cloud again..
Here are the installed Symantec versions (see screenshot).
Friedrich
-
Re: Suspicious.Cloud again..
Many thanks for your effort.
I have exactly the same Symantec Version. Correct.
I will play around and try to find out what might be different on my side.
I will get back to you about my results.
Thanks a lot.
-
2 Attachment(s)
Re: Suspicious.Cloud again..
You are very welcome.
By the way, we have accepted all the standard (default) Symantec installation settings. We did not change a single recommended option. We did not add any Exception (and no files are quarantined; we created and compiled 50 test .sb8 projects).
Friedrich