One of my customers gets a message like the following when running my digitally signed setup program (this message is from their log, so I don't know exactly what the on-screen message looked like.):

CryptoGuard detected ransomware in C:\Users\XXXX\OneDrive - XXXX\Desktop\XXSetupXX
They said the message appeared after they entered the password to continue the install and the message they saw said something about trying to write encrypted files to disk.

I rebuilt the setup program (using SB Ver 10.0.6531) to not prompt for a password, but they still received the same message, presumably when XXSetupXX has started to install files.

Does Sophos, in general, not like how Setup Builder operates or is Sophos complaining about some file I am distributing? My app is a regular Clarion-built application, but it does include some popular 3rd party clarion add-ons which have their own .DLL's and configuration files.