Thread: F-Secure 9.9.15370.0 (false-positive bug)

  1. #1

    F-Secure 9.9.15370.0 (false-positive bug)

    F-Secure detects applications compiled with SetupBuilder 7 as 'suspicious'
    (W32/Malware!Gemini).

    Of course, this is a "false-positive". When a legitimate file is
    incorrectly detected as infected by an antivirus product, the anti-virus
    system vendors call it a "false positive" or a "false alarm". But let's
    call it what it is: it's nothing more than a NASTY BUG in their software and
    they did a bad job.

    https://analysis.f-secure.com/portal/login.html

    --
    Friedrich Linder
    Lindersoft
    www.lindersoft.com
    +1.954.252.3910

    SetupBuilder is Windows 7 installation -- "point. click. ship"

    -- Official Comodo Code Signing and SSL Certificate Partner

  2. #2

    Re: F-Secure 9.9.15370.0 (false-positive bug)

    > F-Secure detects applications compiled with SetupBuilder 7 as 'suspicious'
    > (W32/Malware!Gemini).
    >
    > Of course, this is a "false-positive". When a legitimate file is
    > incorrectly detected as infected by an antivirus product, the anti-virus
    > system vendors call it a "false positive" or a "false alarm". But let's
    > call it what it is: it's nothing more than a NASTY BUG in their software and
    > they did a bad job.

    Friedrich,

    Isn't this a fairly new false positive? So, possibly on a definition update
    recently, they introduced it?

    David

    --
    From David Troxell - Encourager Software
    Microsoft Forums NNTP Bridge - Instructions to use
    http://profileexchanges.com/blog/?p=397

  3. #3

    Re: F-Secure 9.9.15370.0 (false-positive bug)

    Hi David,

    > Isn't this a fairly new false positive? So, possibly on a definition
    > update recently, they introduced it?

    I don't know exactly when they introduced it. But after quite a few reports
    from SetupBuilder users it's still there. Other (good) protection software
    companies fix such a bug within 2-10 hours. But F-Secure still flags
    millions of SetupBuilder created installers/applications as a threat.

    Friedrich

  4. #4

    Re: F-Secure 9.9.15370.0 (false-positive bug)

    >> Isn't this a fairly new false positive? So, possibly on a definition
    >> update recently, they introduced it?
    >
    > I don't know exactly when they introduced it. But after quite a few reports
    > from SetupBuilder users it's still there. Other (good) protection software
    > companies fix such a bug within 2-10 hours. But F-Secure still flags
    > millions of SetupBuilder created installers/applications as a threat.

    Friedrich,

    Definitely no reason for them to drag their feet when a Major Setup Tool
    company reports the problem.

    I'd suggest this (if you feel comfortable doing so) - some Clarion
    developers don't read this newsgroup - might help to post this to some
    other common newsgroups such as Clarion Third Party and comp.lang.clarion
    and ask for all that will to floodgate F-Secure with complaints.

    David

    --
    From David Troxell - Encourager Software
    Microsoft Forums NNTP Bridge - Instructions to use
    http://profileexchanges.com/blog/?p=397

  5. #5

    Re: F-Secure 9.9.15370.0 (false-positive bug)

    Hi David,

    > Definitely no reason for them to drag their feet when a Major Setup Tool
    > company reports the problem.
    >
    > I'd suggest this (if you feel comfortable doing so) - some Clarion
    > developers don't read this newsgroup - might help to post this to some
    > other common newsgroups such as Clarion Third Party and comp.lang.clarion
    > and ask for all that will to floodgate F-Secure with complaints.

    Yes, you are right. But I know that quite a few already sent their
    installer to F-Secure (and even support messages) and it's still "flagged".

    And the thread is mirrored here (already 2,000+ hits)
    http://www.lindersoft.com/forums/showthread.php?t=27387

    Perhaps the F-Secure guys are on vacation <g>

    Friedrich

  6. #6

    Re: F-Secure 9.9.15370.0 (false-positive bug)

    > Hi David,
    >
    >> Definitely no reason for them to drag their feet when a Major Setup Tool
    >> company reports the problem.
    >>
    >> I'd suggest this (if you feel comfortable doing so) - some Clarion
    >> developers don't read this newsgroup - might help to post this to some
    >> other common newsgroups such as Clarion Third Party and comp.lang.clarion
    >> and ask for all that will to floodgate F-Secure with complaints.
    >
    > Yes, you are right. But I know that quite a few already sent their
    > installer to F-Secure (and even support messages) and it's still "flagged".

    Friedrich,

    However, more complaints can only help in the overall situation. Get the
    troops alarmed - AS many as possible - Clarion crowd gets very vocal over
    issues - many use your product as you well know -

    SOME are even better complainers than others - never know what finally
    prompts a company to action!

    I've done my part - email to corporate - sample under F-Secure Sample
    Analysis System - product support complaint

    >
    > And the thread is mirrored here (already 2,000+ hits)
    > http://www.lindersoft.com/forums/showthread.php?t=27387
    >
    > Perhaps the F-Secure guys are on vacation <g>

    Vacation nightmare! :-(

    Hope it's resolved soon FOR ALL of us!

    BTW, I did have problems with F-Secure and Microsoft Outlook 2010 testing -
    the problem was infrequent - finally disabled F-Secure Spam Add-in for
    Outlook 2010 (however, I do not depend on Outlook 2010 heavily).

    So obviously Big companies and Bigger companies have problems.

    David

    --
    From David Troxell - Encourager Software
    Microsoft Forums NNTP Bridge - Instructions to use
    http://profileexchanges.com/blog/?p=397

  7. #7

    Re: F-Secure 9.9.15370.0 (false-positive bug)

    Hi David,

    > However, more complaints can only help in the overall situation. Get the
    > troops alarmed - AS many as possible - Clarion crowd gets very vocal over
    > issues - many use your product as you well know -
    >
    > SOME are even better complainers than others - never know what finally
    > prompts a company to action!
    >
    > I've done my part - email to corporate - sample under F-Secure Sample
    > Analysis System - product support complaint

    Thanks so much. Unbelievable but true, it's still not fixed in their
    latest virus definition update.

    Friedrich

    --
    Friedrich Linder
    Lindersoft
    www.lindersoft.com
    +1.954.252.3910

    SetupBuilder is Windows 7 installation -- "point. click. ship"

    -- Official Comodo Code Signing and SSL Certificate Partner

  8. #8

    Re: F-Secure 9.9.15370.0 (false-positive bug)

    Friedrich,

    I have been pounding the F-Secure doors with uploads of my present and
    recent releases of Encourager Software software products to:

    https://analysis.f-secure.com/portal/login.html

    and got this email from them.

    They have whitelisted my products, which of course, is a temporary measure.

    "Thank you for bringing this issue to our attention.

    The false positive you experienced is caused by our proactive detection
    engine.

    http://www.f-secure.com/v-descs/susp...e!gemini.shtml

    I will bring this to the attention of our software engineers so that we can
    implement a fix for lindersoft installer characteristics. I hope you can
    understand this will take some time as this requires tuning of the
    heuristics routines."

    MY NOTE - before reading next part - initially - I simply chose a
    SetupBuilder example project, compiled it and sent it to F-Secure Sample
    Analysis System so another complaint could be registered - in hindsight -
    should have sent them one of my shipping software installs with FULL code
    signed installs, etc

    thus the admonishment to send code signed installs -

    recommend to all SetupBuilder users - send one or multiple shipping
    software installs so they can whitelist them - yes a hassle - but temporary
    work-around.

    "As an immediate fix I will whitelist this file you have submitted. If you
    have any other setup packages that are being flagged by our product please
    submit them to us so that we can implement the whitelisting.

    In the long term, we recommend you to sign your executable files with so we
    could easily identify your software by the signing key and automatically
    fix any false positive problems once they appear. Authenticode signing
    would also be a very good idea for Windows 7 compatibility.

    If you decide to sign your executable files in the future, please send us
    one or two signed files so we could prevent any future conflicts between
    our Anti-Virus products and your software."

    David

    --
    From David Troxell - Encourager Software
    Microsoft Forums NNTP Bridge - Instructions to use
    http://profileexchanges.com/blog/?p=397

  9. #9

    Re: F-Secure 9.9.15370.0 (false-positive bug)

    Hi David,

    > I have been pounding the F-Secure doors with uploads of my present and
    > recent releases of Encourager Software software products to:
    >
    > https://analysis.f-secure.com/portal/login.html
    >
    > and got this email from them.
    >
    > They have whitelisted my products, which of course, is a temporary
    > measure.
    <SNIP>

    Thank you for the information and all your help. I really hope they'll fix
    it soon. There are literally millions of SetupBuilder 7 generated
    applications (installations, web update clients, helper tools, etc.) out
    there and it's not acceptable that a protection software vendor is unable to
    fix such a major bug in their software within 1-2 days.

    Friedrich

  10. #10

    Re: F-Secure 9.9.15370.0 (false-positive bug)

    The sample I submitted (yes, code-signed <g>) appears as "suspicious" but
    "no detection"... which I guess is what you guys have been getting.

    jf
