Re: [WiX-users] Reopen Burn triggers virus checker - ID: 3431068

2012-01-14 Thread Peter Hull

I've used an old (2004?) version of InstallShield and it generated a setup.exe 
and the msi separately. I'm assuming that setup.exe is their bootstrapper and 
was well-known enough to go onto the AV makers white-lists. When burn is 
released hopefully its engine could also be white-listed, assuming it's always 
the same. As Rob said, some big products like Visual Studio will be using it.
For now it seems that Nikolaj's attempts to get in touch with Trend have not 
been successful - maybe an approach from someone actually on the WiX team would 
bear fruit?
Pete
  
--
RSA(R) Conference 2012
Mar 27 - Feb 2
Save $400 by Jan. 27
Register now!
http://p.sf.net/sfu/rsa-sfdev2dev2
___
WiX-users mailing list
WiX-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/wix-users


Re: [WiX-users] Reopen Burn triggers virus checker - ID: 3431068

2012-01-13 Thread Nikolaj Steensgaard
On Fri, Jan 13, 2012 at 7:48 AM, Peter Hull peterhul...@hotmail.com wrote:


  Date: Thu, 12 Jan 2012 20:56:15 +0100
  From: n...@panorama9.com
   I would start by digitally signing your burn bundle.
 
 
  The bundle is already signed with a Thawte code signing certificate
 The reported file name looks more like it's the extracted engine than your
 bundle itself. Have you signed the engine?


I only think we have signed the bundle, so we are working on signing the
engine and retesting to see if it makes a difference.


  Either Trend Micro should change their detection mechanism regarding the
  RunOnce key or
  the bundling framework of burn should change its default behavior.
 From the Trend docs I saw it seemed to suggest that 'Malware Behaviour
 Monitoring' could be turned off (indeed, terminating programs like this was
 not the default) and also that signed executables were exempt. So it maybe
 is a bug in Trend that means it doesn't work as documented?


Maybe, but as this is the default setting for a Trend Micro installation it
is quite a problem.

The other thing is that other installers (InstallShield) don't seem to do
 this so does anyone understand how InstallShield handles the reboot issue?


Don't know, but it could be that they don't look in the RunOnce key as
default behavior in their engine and thereby don't have this issue?

Pete






-- 
Best Regards
Nikolaj Steensgaard

Panorama9 A/S
Langebrogade 5
1411 Copenhagen K
Phone: +45 7020 3565
Mobile: +45 2124 3040
n...@panorama9.com

Panorama9 is an IT management platform that shows you everything you need
to know about your assets, IT availability, security vulnerabilities, and
non-compliant systems – from a single Dashboard that’s amazingly easy to
monitor and interpret. Your organization can cut IT costs through improved
uptime and as a cloud-based solution, there is no infrastructure to deploy
or manage. For more information - www.panorama9.com


Re: [WiX-users] Reopen Burn triggers virus checker - ID: 3431068

2012-01-13 Thread Rob Mensching
Burn is a little different because it is designed to recover from power
failures and unexpected reboots. To do that it writes to the RunOnce
registry key up front.

Other bootstrappers/chainers may not write to RunOnce except when a force
reboot is required in the middle of the chain. Then the
bootstrapper/chainer must write to RunOnce in order to complete the
installation.

If something (anti-virus in this case) kills processes writing to RunOnce
then those other chainers could end up in a bad state if they didn't save
their data before getting killed. Burn won't have that problem since it
tries to register with RunOnce before modifying machine state.

So, basically, Burn exposes the configuration problem that could leave
other chainers in a bad state.  Or maybe they would just work okay but
you'd have to go figure out why they didn't resume after reboot.

-- 
virtually, Rob Mensching - http://RobMensching.com LLC
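
A toy model of the ordering argument in the message above, added here as an example (it is not code from the thread or from WiX). It assumes a monitor that kills any process writing to RunOnce, and the package names, bundle id and function names are constructed for illustration.

```python
from dataclasses import dataclass, field


class Killed(Exception):
    """The simulated behaviour monitor terminated the installer process."""


@dataclass
class Machine:
    kill_on_runonce_write: bool          # constructed stand-in for the AV policy
    runonce: set = field(default_factory=set)
    installed: list = field(default_factory=list)

    def write_runonce(self, bundle_id):
        # The monitor acts at the moment of the registry write.
        if self.kill_on_runonce_write:
            raise Killed(bundle_id)
        self.runonce.add(bundle_id)


def run_chain(machine, bundle_id, packages, reboot_after=None, register_up_front=True):
    """Run a package chain and report what state the machine is left in.

    register_up_front=True models registering for resume before touching
    machine state; False models writing RunOnce only when a reboot is forced
    in the middle of the chain.
    """
    outcome = "complete"
    try:
        if register_up_front:
            machine.write_runonce(bundle_id)
        for pkg in packages:
            machine.installed.append(pkg)
            if pkg == reboot_after:
                if not register_up_front:
                    machine.write_runonce(bundle_id)
                outcome = "reboot-pending"
                break
        if outcome == "complete":
            # Nothing left to resume, so the registration is cleaned up.
            machine.runonce.discard(bundle_id)
    except Killed:
        outcome = "killed"
    return {
        "outcome": outcome,
        "installed": list(machine.installed),
        "resume_registered": bundle_id in machine.runonce,
    }


def compare(packages, reboot_after):
    """Run both strategies on a fresh machine where RunOnce writers are killed."""
    results = {}
    for name, up_front in (("up_front", True), ("on_demand", False)):
        machine = Machine(kill_on_runonce_write=True)
        results[name] = run_chain(machine, "{bundle-id}", packages, reboot_after, up_front)
    return results


PACKAGES = ["prereq-a", "prereq-b", "app"]   # constructed package names

if __name__ == "__main__":
    for name, result in compare(PACKAGES, reboot_after="prereq-b").items():
        print(name, result)
```

With the monitor active, the up-front strategy is killed with nothing installed, while the on-demand strategy is killed after two packages are already on the machine and with no resume entry registered.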


Re: [WiX-users] Reopen Burn triggers virus checker - ID: 3431068

2012-01-13 Thread Wilson, Phil
And the MSDN docs *recommend* RunOnce as a way to finish application setups. It 
does seem unfair for an AV product to decide to prevent completion of 
application setup. InstallShield uses the RunOnce key too, judging from search 
hits and their content. 

Phil W  


Re: [WiX-users] Reopen Burn triggers virus checker - ID: 3431068

2012-01-12 Thread Rob Mensching
MSI doesn't write to RunOnce because it is a system service that came
installed in the operating system. Pretty much all bootstrappers/chainers
will write to RunOnce if they need to do a reboot and come back
afterwards.  Burn goes one step further to ensure robustness and registers
up front.

We'll need to teach this anti-virus program about Burn. Fortunately big
programs, like Visual Studio, are using Burn and if it kills them I hope we
can muster some change.

On Wed, Jan 11, 2012 at 11:50 PM, NIkolaj Steensgaard n...@panorama9.com wrote:

 On 01/11/2012 01:23 PM, Peter Hull wrote:
 
  Hi Nikolaj!
 
  Could you comment on whether your installer was signed (the bundle and
 the actual engine which is unpacked out of it - see this link
 https://sourceforge.net/mailarchive/forum.php?thread_name=CAHdHTVc1c2h3QuYsiXWcR8A1Xtk38Z3W2KCyAvuP3hMjYqKAiA%40mail.gmail.comforum_name=wix-users)
 Yes the Bundle is signed with Thawte code signing certificate and also
 the engine ( msi ) included is signed with same certificate.
 
  I'm glad someone else has seen this problem, especially as you have more
 control over your environment than I do!
 Me too, as it is quite a problem not being able to install an exe created
 from Wix 3.6.
 Does anyone have an idea how to debug this issue?

 The MSI itself does not write to the RunOnce as far as I know
 
  Peter
 
 
-- 
virtually, Rob Mensching - http://RobMensching.com LLC


Re: [WiX-users] Reopen Burn triggers virus checker - ID: 3431068

2012-01-12 Thread Peter Hull

 From: r...@robmensching.com
 We'll need to teach this anti-virus program about Burn. Fortunately big
 programs, like Visual Studio, are using Burn and if it kills them I hope we
 can muster some change.

So are you saying we need to raise this as an issue with Trend Micro? Is the 
program that actually writes the registry always the same? (I'm a bit confused 
about what the stages are when a burn exe is run, particularly what the burn 
engine is and what the burn agent is)

Pete

  


Re: [WiX-users] Reopen Burn triggers virus checker - ID: 3431068

2012-01-12 Thread NIkolaj Steensgaard
On 01/12/2012 09:46 AM, Peter Hull wrote:
 From: r...@robmensching.com
 We'll need to teach this anti-virus program about Burn. Fortunately big
 programs, like Visual Studio, are using Burn and if it kills them I hope we
 can muster some change.
 So are you saying we need to raise this as an issue with Trend Micro?
I have been trying to debug this issue to answer that exact question !
 Is the program that actually writes the registry always the same? (I'm a bit 
 confused about what the stages are when a burn exe is run, particularly what 
 the burn engine is and what the burn agent is)
I will explain the issue in more detail to give better insight into what we 
are seeing.

For about a year we have been deploying our software built with the WiX 
installer as an MSI package and have not seen this issue.

Two months ago we created a bundled version (exe built with WiX 3.6) 
that checked for .net 3.51 + Win install 3.1 and
installed if needed before installing our software.

Then we got reports from clients about this issue occurring.

The bundled version is quite simple and only checks for the above 
mentioned software and downloads / installs if needed.

A complete AD with Trend Micro Office Scan was established to reproduce 
the error, which we can.

Some things that we have noticed so far:

It only seems to occur on Windows XP for some reason. (This machine 
already has the needed .net and Win install, so it's not their installer 
that creates the problem.)
Our code does not at any time write to or read from the RunOnce key.
Also as the previous reporter of this issue ( ID: 3431068 )

We will be trying to use SysInternals tools to get a debug of what's 
happening when the issue occurs, and post the result here.

Hope this helps in explaining the issue we are seeing, and we are more 
than happy to run any tests you suggest!!!

Nik



 Pete

   


Re: [WiX-users] Reopen Burn triggers virus checker - ID: 3431068

2012-01-12 Thread Hoover, Jacob
I would start by digitally signing your burn bundle. Most anti-virus
software provides more leeway to signed executables. If your bundle is
static, then you could also submit it to Trend Micro as a false
positive.  Most AV vendors will update their signatures to work around
false positives in a timely manner.

The RunOnce key, from what I read in Rob's response, is written to from
the bundling framework of burn. It is done proactively rather than as
needed.



Re: [WiX-users] Reopen Burn triggers virus checker - ID: 3431068

2012-01-12 Thread Nikolaj Steensgaard
On Thu, Jan 12, 2012 at 6:03 PM, Hoover, Jacob
jacob.hoo...@greenheck.com wrote:

 I would start by digitally signing your burn bundle.


The bundle is already signed with a Thawte code signing certificate


 Most anti-virus
 software provides more leeway to signed executables. If your bundle is
 static, then you could also submit it to Trend Micro as a false
 positive.  Most AV vendors will update their signatures to work around
 false positives in a timely manner.


Yes, but our bundle is dynamic as the version of the software changes.


 The RunOnce key, from what I read in Rob's response, is written to from
 the bundling framework of burn. It is done proactively rather than as
 needed.


So isn't that really the issue then ?

Either Trend Micro should change their detection mechanism regarding the
RunOnce key or
 the bundling framework of burn should change its default behavior.

I have already tried to get in contact with Trend Micro through several
channels without luck and
have also submitted a request to get access to Reputation Service and
Verification Portal (RSVP).

Looking in the Trend Micro software there doesn't seem to be a way to turn
the Malware detection feature





-- 
Best Regards
Nikolaj Steensgaard


Re: [WiX-users] Reopen Burn triggers virus checker - ID: 3431068

2012-01-12 Thread Peter Hull

 Date: Thu, 12 Jan 2012 20:56:15 +0100
 From: n...@panorama9.com
  I would start by digitally signing your burn bundle.


 The bundle is already signed with a Thawte code signing certificate
The reported file name looks more like it's the extracted engine than your 
bundle itself. Have you signed the engine?
 Either Trend Micro should change their detection mechanism regarding the
 RunOnce key or
 the bundling framework of burn should change its default behavior.
From the Trend docs I saw it seemed to suggest that 'Malware Behaviour 
Monitoring' could be turned off (indeed, terminating programs like this was 
not the default) and also that signed executables were exempt. So it maybe is 
a bug in Trend that means it doesn't work as documented?
The other thing is that other installers (InstallShield) don't seem to do this 
so does anyone understand how InstallShield handles the reboot issue?
Pete
  


[WiX-users] Reopen Burn triggers virus checker - ID: 3431068

2012-01-11 Thread NIkolaj Steensgaard
We have built an EXE with Wix 3.6 beta which is detected by Trend Micro 
as Malware behavior and
we are looking for the reason for this.

This is the log entry from Trend Micro
---
Malware behavior blocking Terminate Registry High
C:\Documents and Settings\administrator.ADTEST\Local Settings\Temp\{044fc46d-90ff-4769-9c96-28a774dcbd7a}\.be\copy-yvxrlsay.iz2-P9Agent.exe

Write
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\{044fc46d-90ff-4769-9c96-28a774dcbd7a}
---

Snip from previous case:
---
Burn-based installers trigger Trend OfficeScan (v.10.5) when they write 
to the RunOnce registry key.
The virus checker terminates the installer immediately.
---

We have a complete testing environment where we can tweak, monitor and 
reproduce this error and are more than
willing to assist in debugging this issue.

Please let me know anything we can provide to debug and solve this.

Regards

Nikolaj Steensgaard


--
Ridiculously easy VDI. With Citrix VDI-in-a-Box, you don't need a complex
infrastructure or vast IT resources to deliver seamless, secure access to
virtual desktops. With this all-in-one solution, easily deploy virtual 
desktops for less than the cost of PCs and save 60% on VDI infrastructure 
costs. Try it free! http://p.sf.net/sfu/Citrix-VDIinabox
___
WiX-users mailing list
WiX-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/wix-users
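
A triage helper for the log entry in the post above, added here as an example (it is not from the thread, from WiX or from Trend Micro). It assumes entries shaped like the one quoted; the `.be` folder and GUID naming are taken from that entry only, and the second entry and all function names are constructed.

```python
import re
from ntpath import basename, dirname

GUID = r"\{[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}"
RUNONCE = r"\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"

# The entry quoted in the post, including the mail client's line wrap.
SAMPLE_ENTRY = r"""Malware behavior blocking Terminate Registry High
C:\Documents and Settings\administrator.ADTEST\Local
Settings\Temp\{044fc46d-90ff-4769-9c96-28a774dcbd7a}\.be\copy-yvxrlsay.iz2-P9Agent.exe

Write
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\{044fc46d-90ff-4769-9c96-28a774dcbd7a}
"""

# Constructed entry: a RunOnce write that does not follow the same layout.
OTHER_ENTRY = r"""Malware behavior blocking Terminate Registry High
C:\Users\test\Downloads\updater.exe
Write
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Updater
"""


def parse_entry(text):
    """Extract the writing process and the registry target from one entry."""
    flat = re.sub(r"\s+", " ", text).strip()      # undo line wrapping
    proc = re.search(r"[A-Za-z]:\\.+?\.exe\b", flat, re.IGNORECASE)
    reg = re.search(r"\b(HKLM|HKCU)\\\S+", flat)
    if not proc or not reg:
        raise ValueError("entry has no process path or registry target")
    return {"process": proc.group(0), "registry": reg.group(0)}


def triage(entry):
    """Check whether a RunOnce write follows the layout seen in the post.

    A match only identifies which file wrote the value, so that file's
    signature can be checked; it does not establish that the file is trusted.
    """
    proc, reg = entry["process"], entry["registry"]
    key, _, value_name = reg.rpartition("\\")
    folder = dirname(proc)                 # ...\Temp\{guid}\.be
    parent = basename(dirname(folder))     # {guid}
    checks = {
        "targets_runonce": key.upper().endswith(RUNONCE.upper()),
        "engine_folder": basename(folder).lower() == ".be",
        "guid_folder": re.fullmatch(GUID, parent) is not None,
        "guid_matches_value": parent.lower() == value_name.lower(),
        "runs_from_temp": "\\temp\\" in proc.lower(),
    }
    if not checks["targets_runonce"]:
        verdict = "not-a-runonce-write"
    elif all(checks.values()):
        verdict = "matches-burn-engine-pattern"
    else:
        verdict = "runonce-write-unexplained"
    return {
        "verdict": verdict,
        "file_to_verify": proc,            # the extracted copy, not the bundle
        "bundle_id": value_name if checks["guid_matches_value"] else None,
        "checks": checks,
    }


if __name__ == "__main__":
    for raw in (SAMPLE_ENTRY, OTHER_ENTRY):
        result = triage(parse_entry(raw))
        print(result["verdict"], "->", result["file_to_verify"])
```

The `file_to_verify` field is the executable the monitor actually saw, which is the extracted copy under the temp folder rather than the bundle that was downloaded and signed.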




Re: [WiX-users] Reopen Burn triggers virus checker - ID: 3431068

2012-01-11 Thread Peter Hull


Hi Nikolaj!

Could you comment on whether your installer was signed (the bundle and the
actual engine which is unpacked out of it - see this link
https://sourceforge.net/mailarchive/forum.php?thread_name=CAHdHTVc1c2h3QuYsiXWcR8A1Xtk38Z3W2KCyAvuP3hMjYqKAiA%40mail.gmail.comforum_name=wix-users )

I'm glad someone else has seen this problem, especially as you have more 
control over your environment than I do!

Peter




Re: [WiX-users] Reopen Burn triggers virus checker - ID: 3431068

2012-01-11 Thread Nikolaj Steensgaard
On 01/11/2012 01:23 PM, Peter Hull wrote:

 Hi Nikolaj!

 Could you comment on whether your installer was signed (the bundle and the
 actual engine which is unpacked out of it - see this link
 https://sourceforge.net/mailarchive/forum.php?thread_name=CAHdHTVc1c2h3QuYsiXWcR8A1Xtk38Z3W2KCyAvuP3hMjYqKAiA%40mail.gmail.comforum_name=wix-users )
Yes, the bundle is signed with a Thawte code signing certificate, and the
engine (msi) included is also signed with the same certificate.

 I'm glad someone else has seen this problem, especially as you have more 
 control over your environment than I do!
Me too, as it is quite a problem not being able to install an exe created
from WiX 3.6.
Does anyone have an idea how to debug this issue?

The MSI itself does not write to the RunOnce as far as I know.

 Peter
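
A read-only way to answer the question raised in this exchange, whether both the bundle and the engine copy extracted under `%TEMP%\{GUID}\.be\` are signed, and to list RunOnce values named like the one in the Trend log entry. This PowerShell script is an added example, not part of the thread or of WiX; `$BundlePath` and the `Get-SignatureSummary` helper are assumptions made for illustration.

```powershell
# Added example (not from the thread): read-only signature and RunOnce check.
param(
    # Assumption: placeholder path to the bundle you built; replace with your own.
    [string]$BundlePath = 'C:\build\Setup.exe'
)

# Hypothetical helper: summarize the Authenticode state of one file.
function Get-SignatureSummary {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path   = $Path
        Status = $sig.Status          # e.g. Valid, NotSigned, HashMismatch
        Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}

# 1. The bundle itself.
if (Test-Path -LiteralPath $BundlePath) {
    Get-SignatureSummary -Path $BundlePath | Format-List
}

# 2. Engine copies extracted to %TEMP%\{GUID}\.be\*.exe, the location
#    reported in the Trend log entry.
Get-ChildItem -Path $env:TEMP -Directory -Filter '{*}' -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName '.be' } |
    Where-Object { Test-Path -LiteralPath $_ } |
    ForEach-Object { Get-ChildItem -LiteralPath $_ -Filter '*.exe' -File } |
    ForEach-Object { Get-SignatureSummary -Path $_.FullName } |
    Format-List

# 3. RunOnce values whose name is a brace-wrapped GUID, as in the blocked write.
$runOnce = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
$key = Get-Item -LiteralPath $runOnce -ErrorAction SilentlyContinue
if ($key) {
    $key.GetValueNames() |
        Where-Object { $_ -match '^\{[0-9A-Fa-f-]{36}\}$' } |
        ForEach-Object { [pscustomobject]@{ Value = $_; Data = $key.GetValue($_) } } |
        Format-List
}
```

A `Status` other than `Valid` on a file under `.be` while the bundle itself reports `Valid` would mean only the outer bundle carries the signature.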

