Re: Code signing to help with Windows virus false positives
On 11/3/16 7:34 AM, Ethan Watson wrote:
> Turns out we have some good contacts at F-Secure though. So I can see about getting the problem fixed at the detection level - and because of the way the security community operates, that knowledge should flush across to things like Windows Defender.

That would be awesome. Thanks!

-- Andrei
Re: Code signing to help with Windows virus false positives
http://imgur.com/5DnCWYw One of our guys just tried compiling and running a simple Hello World program. F-Secure jumped right in. Code signing the compiler isn't enough. It's been a persistent problem around here with DMD generated binaries that F-Secure will pick it up. Needless to say, if this happens out in the wild with one of our games you won't want me to paste a single line from the feedback we'll get about the game not working. Turns out we have some good contacts at F-Secure though. So I can see about getting the problem fixed at the detection level - and because of the way the security community operates, that knowledge should flush across to things like Windows Defender.
Re: Code signing to help with Windows virus false positives
On Wednesday, 12 October 2016 at 06:39:05 UTC, Thomas Mader wrote:
> On Tuesday, 11 October 2016 at 06:09:03 UTC, Thomas Mader wrote:
>> I worked with NSIS and InnoSetup. InnoSetup is much cleaner and easier. At work we switched from NSIS to InnoSetup and we create MSI packages from NSIS and InnoSetup packages IIRC. I think it's better to go with InnoSetup because it might be more easy and probably more powerful than building MSI directly. But I don't have any experience with building an MSI installer and the feature set of MSI. We are also signing the installer and all exe and DLLs inside.
>
> I was right. We create the MSI package out of the InnoSetup executable with a minimal xml config for WiX.

That's not an MSI installer, it's an Inno installer wrapped in an .msi package. It doesn't solve false antivirus positives because the antivirus engines simply monitor the Inno installer getting extracted and executed.
Re: Code signing to help with Windows virus false positives
On Tuesday, 11 October 2016 at 01:37:55 UTC, Martin Nowak wrote:
> Whatever makes more sense. From my very limited understanding .msi installers are natively understood installers in Windows, and the weapon of choice for robust and more professional installers. If innosetup is just another NSIS like tool, it might not solve all our problems.

InnoSetup is like NSIS in that it builds an .exe that does the file copying, registry writing, downloading, executing, and so forth. MSI packages are "executed" by the MSI engine built into the OS -- the logic is in the OS, the data is in the MSI package.

> We're fairly clueless here and could really use help here. Just signing the NSIS installers could work for now, any support for this hypothesis. I tried to submit the latest release as sample to Microsoft but their file upload had a size limit smaller than the binary.

Getting past the antivirus gauntlet is mostly about (1) signing and (2) submitting installers until they get tired of blocking you. The two go hand-in-hand because it's basically building up a history of trusted behavior. I don't know that NSIS is any worse or better than Inno about triggering antivirus. If that's your primary goal, it might not be worth a big porting job.

Bob (co-BDFL, WiX toolset, http://wixtoolset.org/, https://www.joyofsetup.com/)
Re: Code signing to help with Windows virus false positives
On Tuesday, 11 October 2016 at 06:09:03 UTC, Thomas Mader wrote:
> I worked with NSIS and InnoSetup. InnoSetup is much cleaner and easier. At work we switched from NSIS to InnoSetup and we create MSI packages from NSIS and InnoSetup packages IIRC. I think it's better to go with InnoSetup because it might be more easy and probably more powerful than building MSI directly. But I don't have any experience with building an MSI installer and the feature set of MSI. We are also signing the installer and all exe and DLLs inside.

I was right. We create the MSI package out of the InnoSetup executable with a minimal xml config for WiX.
Re: Code signing to help with Windows virus false positives
On Tuesday, 11 October 2016 at 01:37:55 UTC, Martin Nowak wrote:
> On Saturday, 20 August 2016 at 13:45:11 UTC, Basile B. wrote:
>> "to MSI using innosetup" ? There's a misunderstanding here. Inno setup doesn't compile to MS installer, it's a complete independent solution.
>
> Whatever makes more sense. From my very limited understanding .msi installers are natively understood installers in Windows, and the weapon of choice for robust and more professional installers. If innosetup is just another NSIS like tool, it might not solve all our problems. We're fairly clueless here and could really use help here. Just signing the NSIS installers could work for now, any support for this hypothesis. I tried to submit the latest release as sample to Microsoft but their file upload had a size limit smaller than the binary.

I worked with NSIS and InnoSetup. InnoSetup is much cleaner and easier. At work we switched from NSIS to InnoSetup and we create MSI packages from NSIS and InnoSetup packages IIRC. I think it's better to go with InnoSetup because it might be more easy and probably more powerful than building MSI directly. But I don't have any experience with building an MSI installer and the feature set of MSI. We are also signing the installer and all exe and DLLs inside.
Re: Code signing to help with Windows virus false positives
On Saturday, 20 August 2016 at 13:45:11 UTC, Basile B. wrote:
> "to MSI using innosetup" ? There's a misunderstanding here. Inno setup doesn't compile to MS installer, it's a complete independent solution.

Whatever makes more sense. From my very limited understanding .msi installers are natively understood installers in Windows, and the weapon of choice for robust and more professional installers. If innosetup is just another NSIS like tool, it might not solve all our problems. We're fairly clueless here and could really use help here. Just signing the NSIS installers could work for now, any support for this hypothesis. I tried to submit the latest release as sample to Microsoft but their file upload had a size limit smaller than the binary.
Re: Code signing to help with Windows virus false positives
On Saturday, 20 August 2016 at 13:26:03 UTC, Martin Nowak wrote:
> On 08/20/2016 03:21 PM, Martin Nowak wrote:
>> On Monday, 15 August 2016 at 20:47:10 UTC, Basile B. wrote:
>>>> Please share your suggestions for how to help with the false positive issue (or just continue laughing in ignorance based on an assumption of something I never said).
>>>
>>> If the origin of the problem is NSIS then in a first time it would be worth trying InnoSetup or also a MSI installer.
>>
>> We already had that in our backlog b/c maintaining the NSIS installer is a mess.
>>
>> Let's try to build a proper MSI installer w/ InnoSetup.
>> https://issues.dlang.org/show_bug.cgi?id=15284#c20
>> http://forum.dlang.org/post/gjdwctcoakpfxzyjd...@forum.dlang.org
>
> https://trello.com/c/pDvkBVVZ/70-switch-windows-installer-to-msi-using-innosetup

"to MSI using innosetup" ? There's a misunderstanding here. Inno setup doesn't compile to MS installer, it's a complete independent solution.
Re: Code signing to help with Windows virus false positives
On 08/20/2016 03:21 PM, Martin Nowak wrote:
> On Monday, 15 August 2016 at 20:47:10 UTC, Basile B. wrote:
>>> Please share your suggestions for how to help with the false positive
>>> issue (or just continue laughing in ignorance based on an assumption
>>> of something I never said).
>>
>> If the origin of the problem is NSIS then in a first time it would be
>> worth trying InnoSetup or also a MSI installer.
>
> We already had that in our backlog b/c maintaining the NSIS installer is
> a mess.
>
> Let's try to build a proper MSI installer w/ InnoSetup.
> https://issues.dlang.org/show_bug.cgi?id=15284#c20
> http://forum.dlang.org/post/gjdwctcoakpfxzyjd...@forum.dlang.org

https://trello.com/c/pDvkBVVZ/70-switch-windows-installer-to-msi-using-innosetup
Re: Code signing to help with Windows virus false positives
On Monday, 15 August 2016 at 20:47:10 UTC, Basile B. wrote:
>> Please share your suggestions for how to help with the false positive issue (or just continue laughing in ignorance based on an assumption of something I never said).
>
> If the origin of the problem is NSIS then in a first time it would be worth trying InnoSetup or also a MSI installer.

We already had that in our backlog b/c maintaining the NSIS installer is a mess.

Let's try to build a proper MSI installer w/ InnoSetup.
https://issues.dlang.org/show_bug.cgi?id=15284#c20
http://forum.dlang.org/post/gjdwctcoakpfxzyjd...@forum.dlang.org
Re: Code signing to help with Windows virus false positives
On Tuesday, 16 August 2016 at 05:38:00 UTC, Ethan Watson wrote:
> D code seems to be sufficiently different that virus scanners get confused. Both Windows Defender and F-Secure complained about it being the same trojan in fact.

Don't see any F-Secure problem for dmd-2.071.1.exe.
https://virustotal.com/en/file/7f7fc5c7707425bcde05cf2e6b5e1f35358061d9adb870bd4e943bf9973f9bbe/analysis/
Re: Code signing to help with Windows virus false positives
On Tuesday, 16 August 2016 at 05:38:00 UTC, Ethan Watson wrote:
> D code seems to be sufficiently different that virus scanners get confused.

Well, nothing can be said for sure as nobody bothered with data, but if all assumptions are met, one thing to try is to compile with msvc toolchain and/or ldc and see if it makes a difference.
Re: Code signing to help with Windows virus false positives
On Monday, 15 August 2016 at 19:58:14 UTC, Brad Anderson wrote:
> Please share your suggestions for how to help with the false positive issue (or just continue laughing in ignorance based on an assumption of something I never said).

DevExpress components are distributed as an encrypted self-extracting 7zip archive. No idea why, but might fool Windows Defender from doing anything.
Re: Code signing to help with Windows virus false positives
On Monday, 15 August 2016 at 20:43:59 UTC, Basile B. wrote:
> I'm afraid to see people overreacting in front of a minor and temporary problem.

This is not the first time this is a problem. Our scanner at Remedy regularly used to block code sent to and from Walter at the email level. Sometimes things just wouldn't be received on either side. Our scanner also used to pick up the DMD that we shipped to our work environments until we added an exception for it.

I just put a clean install of Visual Studio and Visual D on this laptop in case some people want to see some D stuff after my talk today. Windows Defender blocked my download of DMD. D code seems to be sufficiently different that virus scanners get confused. Both Windows Defender and F-Secure complained about it being the same trojan in fact.

This cannot be a problem if we expect people to get in to the language. If the first stop download is picked up as a virus? This is unbelievably bad.
Re: Code signing to help with Windows virus false positives
On Monday, 15 August 2016 at 23:58:01 UTC, Mike Parker wrote:
> On Monday, 15 August 2016 at 20:43:59 UTC, Basile B. wrote:
>> It's not trolling (unless you define trolling as "everything that goes against my position"), I just exposed my arguments. I'm afraid to see people overreacting in front of a minor and temporary problem. It seems that 3 or 4 posts are considered enough to act but you (the "pro-certificate-ppl") do not try to see why 3 or 4 posts could be "not enough"), i.e you are biased. You are about to act just because of what's happening right now.
>
> Is there some threshold for a bug report to be considered actionable? Aside from that, given that a small percentage of D users actually post in the forums, four posts on the same issue is something that ought to be taken as a problem. There's no way to know how many have encountered it and just decided to go elsewhere. It's not about being "pro-certificate", but about solving a problem that's potentially damaging to the perception of D.

Ok ok ok. It's been something like three hours I've been thinking to this. Clearly I've exposed my **own POV** about some stuff I don't like about what Windows is becoming. But for the good of everybody (i.e I forget my own little griefs) that would be certainly nice to have a certificate for the D foundation. But it won't change the fact that once setup quietly thanks to the certificate...the language and standard libraries issues are still there ;)
Re: Code signing to help with Windows virus false positives
On Monday, 15 August 2016 at 20:43:59 UTC, Basile B. wrote:
> It's not trolling (unless you define trolling as "everything that goes against my position"), I just exposed my arguments. I'm afraid to see people overreacting in front of a minor and temporary problem. It seems that 3 or 4 posts are considered enough to act but you (the "pro-certificate-ppl") do not try to see why 3 or 4 posts could be "not enough"), i.e you are biased. You are about to act just because of what's happening right now.

Is there some threshold for a bug report to be considered actionable? Aside from that, given that a small percentage of D users actually post in the forums, four posts on the same issue is something that ought to be taken as a problem. There's no way to know how many have encountered it and just decided to go elsewhere. It's not about being "pro-certificate", but about solving a problem that's potentially damaging to the perception of D.
OT Re: Code signing to help with Windows virus false positives
On Monday, 15 August 2016 at 20:43:59 UTC, Basile B. wrote:
> It's not trolling (unless you define trolling as "everything that goes against my position"), I just exposed my arguments. I'm afraid to see people overreacting in front of a minor and temporary problem. It seems that 3 or 4 posts are considered enough to act but you (the "pro-certificate-ppl") do not try to see why 3 or 4 posts could be "not enough"), i.e you are biased. You are about to act just because of what's happening right now.

Sorry for my harsh words, but Brad had an idea (and even offered his _personal_ money) & you immediately replied:

> I'm laughing out of loud here.

> Mmmh I discredit myself, I meant rolling on floor laughing...

A fruitful discussion is often based on offering good alternative proposals ;-)
Re: Code signing to help with Windows virus false positives
On Monday, 15 August 2016 at 19:58:14 UTC, Brad Anderson wrote:
> On Monday, 15 August 2016 at 18:52:03 UTC, Basile B. wrote:
>> On Monday, 15 August 2016 at 17:05:32 UTC, Brad Anderson wrote:
>>> With all of the issues people are having with Windows [...] There is already an issue created for this here: https://issues.dlang.org/show_bug.cgi?id=16065
>>
>> Do you think that a certificate prevents an antivirus to scan an executable ? I'm laughing out of loud here.
>
> No. Of course not. To quote Microsoft:
>
> "Signing your program’s files in a consistent manner, with a digital certificate issued by a trusted root authority, helps our research team quickly identify the source of a program and apply previously gained knowledge. In some cases this can result in your program being quickly added to the known list or, far less frequently, in adding your digital certificate to a list of trusted publishers."
>
> At work we added class 3 code signing and it helped quite a bit with McAfee's warnings about our software for end users. In that case it was warnings about new releases of our software that hadn't had many installs yet.
>
> Microsoft isn't selling certificates (though it'd be nice if they offered them like Apple does although with Apple you have to get a DUNS number which I'm sure you consider a scam as well).
>
> Please share your suggestions for how to help with the false positive issue (or just continue laughing in ignorance based on an assumption of something I never said).

If the origin of the problem is NSIS then in a first time it would be worth trying InnoSetup or also a MSI installer.
Re: Code signing to help with Windows virus false positives
On Monday, 15 August 2016 at 20:07:30 UTC, Seb wrote:
> On Monday, 15 August 2016 at 19:58:14 UTC, Brad Anderson wrote:
>> At work we added class 3 code signing and it helped quite a bit with McAfee's warnings about our software for end users. In that case it was warnings about new releases of our software that hadn't had many installs yet.
>>
>> Microsoft isn't selling certificates (though it'd be nice if they offered them like Apple does although with Apple you have to get a DUNS number which I'm sure you consider a scam as well).
>>
>> Please share your suggestions for how to help with the false positive issue (or just continue laughing in ignorance based on an assumption of something I never said).
>
> Unfortunately until Walter agrees to introduce some moderation around here, you need to ignore the trolls - they feed from negative energy (OT: https://www.youtube.com/watch?v=FMEe7JqBgvg). I think it's a great idea & you should definitely get in touch with the Martin Nowak!

It's not trolling (unless you define trolling as "everything that goes against my position"), I just exposed my arguments. I'm afraid to see people overreacting in front of a minor and temporary problem. It seems that 3 or 4 posts are considered enough to act but you (the "pro-certificate-ppl") do not try to see why 3 or 4 posts could be "not enough"), i.e you are biased. You are about to act just because of what's happening right now.
Re: Code signing to help with Windows virus false positives
On Monday, 15 August 2016 at 19:58:14 UTC, Brad Anderson wrote:
> At work we added class 3 code signing and it helped quite a bit with McAfee's warnings about our software for end users. In that case it was warnings about new releases of our software that hadn't had many installs yet.
>
> Microsoft isn't selling certificates (though it'd be nice if they offered them like Apple does although with Apple you have to get a DUNS number which I'm sure you consider a scam as well).
>
> Please share your suggestions for how to help with the false positive issue (or just continue laughing in ignorance based on an assumption of something I never said).

Unfortunately until Walter agrees to introduce some moderation around here, you need to ignore the trolls - they feed from negative energy (OT: https://www.youtube.com/watch?v=FMEe7JqBgvg). I think it's a great idea & you should definitely get in touch with the Martin Nowak!
Re: Code signing to help with Windows virus false positives
On Monday, 15 August 2016 at 18:52:03 UTC, Basile B. wrote:
> On Monday, 15 August 2016 at 17:05:32 UTC, Brad Anderson wrote:
>> With all of the issues people are having with Windows Defender now would be a good time to start code signing the Windows installer and binaries (doing this is the first thing Microsoft suggests on their page for Software Developers about Windows Defender false positives). I propose the D Foundation acquire a code signing certificate and we start using it for releases. Alternatively any well known organization member could be the signer (having "The D Foundation" on the popup sure would look nice though). I'd be happy to put my money where my mouth is and chip in some of the money to cover the certificate cost. I've used StartSSL's code signing certificates successfully for this purpose but I imagine any vendor will do. The biggest hassle is certificate format conversion but once you've got the certificate in the Windows certificate store signing is just a command line call that can be easily scripted. There is already an issue created for this here: https://issues.dlang.org/show_bug.cgi?id=16065
>
> Do you think that a certificate prevents an antivirus to scan an executable ? I'm laughing out of loud here.

No. Of course not. To quote Microsoft:

"Signing your program’s files in a consistent manner, with a digital certificate issued by a trusted root authority, helps our research team quickly identify the source of a program and apply previously gained knowledge. In some cases this can result in your program being quickly added to the known list or, far less frequently, in adding your digital certificate to a list of trusted publishers."

At work we added class 3 code signing and it helped quite a bit with McAfee's warnings about our software for end users. In that case it was warnings about new releases of our software that hadn't had many installs yet.

Microsoft isn't selling certificates (though it'd be nice if they offered them like Apple does although with Apple you have to get a DUNS number which I'm sure you consider a scam as well).

Please share your suggestions for how to help with the false positive issue (or just continue laughing in ignorance based on an assumption of something I never said).
Re: Code signing to help with Windows virus false positives
On Monday, 15 August 2016 at 19:08:56 UTC, Basile B. wrote:
> How this is called in everyday's world ? racketeering ?

exactly.
Re: Code signing to help with Windows virus false positives
On Monday, 15 August 2016 at 18:52:03 UTC, Basile B. wrote:
> On Monday, 15 August 2016 at 17:05:32 UTC, Brad Anderson wrote:
>> With all of the issues people are having with Windows Defender now would be a good time to start code signing the Windows installer and binaries (doing this is the first thing Microsoft suggests on their page for Software Developers about Windows Defender false positives). I propose the D Foundation acquire a code signing certificate and we start using it for releases. [...]
>
> Do you think that a certificate prevents an antivirus to scan an executable ? I'm laughing out of loud here.

Mmmh I discredit myself, I meant rolling on floor laughing... Anyway do you imagine the AV publisher policy against dev, "If your binaries are signed, we promise, you won't have false positive..." i.e: "buy a certificate". How this is called in everyday's world ? racketeering ?
Re: Code signing to help with Windows virus false positives
On Monday, 15 August 2016 at 17:05:32 UTC, Brad Anderson wrote:
> With all of the issues people are having with Windows Defender now would be a good time to start code signing the Windows installer and binaries (doing this is the first thing Microsoft suggests on their page for Software Developers about Windows Defender false positives). I propose the D Foundation acquire a code signing certificate and we start using it for releases. Alternatively any well known organization member could be the signer (having "The D Foundation" on the popup sure would look nice though). I'd be happy to put my money where my mouth is and chip in some of the money to cover the certificate cost. I've used StartSSL's code signing certificates successfully for this purpose but I imagine any vendor will do. The biggest hassle is certificate format conversion but once you've got the certificate in the Windows certificate store signing is just a command line call that can be easily scripted. There is already an issue created for this here: https://issues.dlang.org/show_bug.cgi?id=16065

Do you think that a certificate prevents an antivirus to scan an executable ? I'm laughing out of loud here.
Code signing to help with Windows virus false positives
With all of the issues people are having with Windows Defender now would be a good time to start code signing the Windows installer and binaries (doing this is the first thing Microsoft suggests on their page for Software Developers about Windows Defender false positives). I propose the D Foundation acquire a code signing certificate and we start using it for releases. Alternatively any well known organization member could be the signer (having "The D Foundation" on the popup sure would look nice though). I'd be happy to put my money where my mouth is and chip in some of the money to cover the certificate cost. I've used StartSSL's code signing certificates successfully for this purpose but I imagine any vendor will do. The biggest hassle is certificate format conversion but once you've got the certificate in the Windows certificate store signing is just a command line call that can be easily scripted. There is already an issue created for this here: https://issues.dlang.org/show_bug.cgi?id=16065
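
The scripted signing step mentioned in the opening post (certificate already in the Windows certificate store), combined with the practice described later in the thread of signing the installer and every exe and DLL inside it, could look like the PowerShell script below. It is an added example, not part of any post in this thread and not the D project's release tooling; the parameter names, the PFX file name and the timestamp URL are assumptions.

```powershell
# Added example, not code from the thread. Parameter names, the PFX path in
# the comment below and the timestamp URL are assumptions; use your CA's values.
# One-time step after converting the certificate to PFX: import it into the store.
#   Import-PfxCertificate -FilePath .\codesign.pfx `
#       -CertStoreLocation Cert:\CurrentUser\My -Password (Read-Host -AsSecureString)
param(
    [Parameter(Mandatory = $true)] [string[]] $Path,         # files and/or directories
    [Parameter(Mandatory = $true)] [string]   $TimestampUrl  # timestamp service of your CA
)
$ErrorActionPreference = 'Stop'

# Newest unexpired code signing certificate that has its private key.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw 'No usable code signing certificate in Cert:\CurrentUser\My.' }

# Expand directories; keep only file types that carry Authenticode signatures.
$targets = foreach ($p in $Path) {
    if (Test-Path -LiteralPath $p -PathType Container) {
        Get-ChildItem -LiteralPath $p -Recurse -File
    } else {
        Get-Item -LiteralPath $p
    }
}
$targets = @($targets | Where-Object { $_.Extension -in '.exe', '.dll', '.msi' })
if ($targets.Count -eq 0) { throw 'Nothing to sign under the given paths.' }

foreach ($file in $targets) {
    # Leave files that already verify (for example third-party DLLs) untouched.
    if ((Get-AuthenticodeSignature -FilePath $file.FullName).Status -eq 'Valid') { continue }

    $sig = Set-AuthenticodeSignature -FilePath $file.FullName -Certificate $cert `
        -HashAlgorithm SHA256 -TimestampServer $TimestampUrl
    if ($sig.Status -ne 'Valid') {
        throw "Signing failed for $($file.FullName): $($sig.StatusMessage)"
    }
}

# Re-read every signature from disk so the release log shows what users will see.
$report = foreach ($file in $targets) {
    $s = Get-AuthenticodeSignature -FilePath $file.FullName
    [pscustomobject]@{
        File        = $file.Name
        Status      = $s.Status
        Signer      = $s.SignerCertificate.Subject
        Timestamped = [bool]$s.TimeStamperCertificate
    }
}
$report | Format-Table -AutoSize

# A signature without a timestamp stops verifying when the certificate expires.
$report | Where-Object { -not $_.Timestamped } |
    ForEach-Object { Write-Warning "$($_.File) is signed but not timestamped" }

$bad = @($report | Where-Object { $_.Status -ne 'Valid' })
if ($bad.Count -gt 0) { throw "$($bad.Count) file(s) do not have a valid signature." }
```

Run it over the staging directory before the installer is built and again over the finished installer, because signing the installer does not sign the files packed inside it.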