
Thread: Suspicious.Cloud again..

  1. #1

    Suspicious.Cloud again..

    Running my Setup file created with SetupBuilder will bring up the Symantec (Common Client: 12.3.4.4)
    Virus Scanner with the following message:

    Suspicious.Cloud.5.A found in ~SBBE1B.tmp

    On another machine, where the latest Symantec has been installed, we could
    identify the file as the SetupBuilder Uninstaller file.

    I sent this temp file once to the white list registration of Symantec to get rid of
    the virus detection.

    But each time I build a new Setup file, the Uninstall file will differ slightly and
    will be recognized by the Symantec scanner again, which happened already.

    What can I do here?
    I mean it is not one of my installation files; it is the Uninstall file generated by
    SetupBuilder which is causing the failure.

  2. #2
    Join Date
    Mar 2004
    Posts
    4,308

    Re: Suspicious.Cloud again..

    Hello,

    The SB compiler generates unique binaries and the Microsoft Authenticode code-signing process modifies the binaries again. There is no "standard" SB uninstall. It is compiled and code-signed on-the-fly.

    BTW, this is not related to SetupBuilder and there is absolutely nothing we can do. It's a Symantec false-positive bug and so only Symantec can fix it in their system.

    http://www.symantec.com/connect/forums/suspiciouscloud
    http://www.symantec.com/security_res...136-99&tabid=2
    http://community.norton.com/t5/Norto...2/td-p/1045187

    Friedrich

  3. #3

    Re: Suspicious.Cloud again..

    Some additional information:

    Also a totally new project (no files included) built with SetupBuilder is directly sent to the quarantine:
    "Suspicious.Cloud.5.A","Your Project Name-2.exe","C:\Users\IBM_ADMIN\Documents\SetupBuilder Projects\Your Project Name-3\","Infected","20.02.2014 14:21"
    (Project Attached)

    Regards
    Thomas

  4. #4
    Join Date
    Mar 2004
    Posts
    4,308

    Re: Suspicious.Cloud again..

    Wrong newsgroup <g>. You have to report this bug to Symantec !!! ;-) It's their false-positive bug. There is absolutely nothing we (or you) can do if a specific combination of bytes in a Windows executable or a database (the file you posted is a TopSpeed database file) gives a false-positive warning.

    Friedrich

  5. #5

    Re: Suspicious.Cloud again..

    If an empty project is causing the heuristic scan to detect the built
    setup executable and send it to the quarantine, I don't think you can
    just put this problem on to your customers.

    I think you also have to contact Symantec to make sure they do not
    detect the Setup files as a virus risk.

    Thomas

  6. #6
    Join Date
    Mar 2004
    Posts
    4,308

    Re: Suspicious.Cloud again..

    BTW, compiled your project and let VirusTotal check it:

    https://www.virustotal.com/en/file/b...is/1392906752/

    Friedrich

  7. #7

    Re: Suspicious.Cloud again..

    I know, VirusTotal seems not to do the heuristic scan for Suspicious.Cloud.
    I have already checked.

  8. #8
    Join Date
    Mar 2004
    Posts
    4,308

    Re: Suspicious.Cloud again..

    Sorry, this is seriously not related to SetupBuilder at all !!!

    Here is the test result from your original project file compiled into a .exe:

    https://www.virustotal.com/en/file/b...is/1392906752/

    Not sure what else I can tell you. We can't do anything to fix this Symantec bug.

    Friedrich

  9. #9

    Re: Suspicious.Cloud again..

    It is serious, because IBM will not change their virus scanner company-wide
    because of one failing Installation Builder.

  10. #10
    Join Date
    Mar 2004
    Posts
    4,308

    Re: Suspicious.Cloud again..

    Huh??? Sorry, but this has absolutely NOTHING to do with SetupBuilder. The SetupBuilder compiler generates native Windows binary files. If a specific combination of bytes in your generated executable or binary file causes a false-positive alert then only Symantec can fix the bug in their system. There is nothing that you or we can do here. For example, if code-signing with your own code-signing certificate embeds a specific combination of bytes into a binary and this triggers the false-positive then there is nothing that you can do to find out what specific combination of bytes causes this nor can you do anything to change this in your own files. Symantec has to fix it !!!

    Friedrich
