All,

Spent quite a few days debugging the current antivirus "false-positive"
situation. I tracked it down to the SetupBuilder "stub loader". This small
loader is responsible for the application startup process.

The following links are the VirusTotal reports for the SetupBuilder 8.0 and
8.5 stubs. The source code is 100% identical, but the 8.5 stub includes an
updated manifest for Windows 10 compatibility and the file version resource
number increased from 8.0 to 8.5. Other than that, absolutely no
difference.

Stub Loader 8.0:
https://www.virustotal.com/en/file/f...is/1428135808/

Stub Loader 8.5:
https://www.virustotal.com/en/file/4...is/1428135963/

The 8.0 stub loader is 100% false-positive free, but the 8.5 stub loader
gives three false-positives. "Tencent Antivirus" introduced a new bug
today, "TrendMicro-HouseCall" fixed their bug a few hours ago. Jiangmin is
a story of its own.

http://www.lindersoft.com/forums/forumdisplay.php?17

Some antivirus products share the same detection engine or malware
signatures. This is the result of inter-vendor partnerships. So what
appears as a malware detection by three separate products could actually be
the result of a single bad signature shared by all of them.

Antivirus applications are based on file signatures on disk. They have a
large database (definition file) of specific byte patterns, and they look
for one or more byte patterns within a file. Some of the more advanced
antivirus applications have additional features such as heuristics
detection - i.e. looking for suspicious markers in what the application
actually does.

In our specific "false-positive" case, the antivirus pattern matcher looked
for an unique sequence of bytes that is specific to a piece of malware. And
found it in the stub loader.

This time I was able to replace the sequence of "bad" bytes and it results
again in a 100% false-positive free stub loader:
https://www.virustotal.com/en/file/8...is/1428150197/

All I can say at this point is; This is scary... scary as hell. Antivirus
systems are the dark side.

We'll make a SetupBuilder update available next week.

Friedrich

--
Friedrich Linder
Lindersoft
www.lindersoft.com
+1.954.252.3910

--Helping You Build Better Installations
--SetupBuilder "point. click. ship"
--Create Windows 10 ready installations in minutes
--Official COMODO Code Signing and SSL Certificate Partner