stasokhvat
Posts: 4
Joined: Fri Mar 31, 2023 8:53 am

Differences in virus/trojans detected in EXE vs MSI

Hello,

We have recently released our installer in MSI format. However, we are considering switching to EXE format for a few reasons.
When we sent the EXE installer to one of our users, she reported that Windows reports a virus.
I have just run both the MSI and EXE files through VirusTotal and I am seeing very different detection results:
1) EXE file: 6 packages detect virus/trojan in it. See results here: https://www.virustotal.com/gui/file/ce8 ... 5651e857ad
2) MSI file: virus/trojan detected by one package. See results here: https://www.virustotal.com/gui/file/413 ... ac8a3f1b76

The structure of MSI and EXE files is identical (same binary contents of installable files).

The package includes one AutoHotkey-based EXE file which is flagged by 2 packages: https://www.virustotal.com/gui/file/9e3 ... b01c260abe , so this is the reason the MSI package is also flagged as potentially unsafe. However, I cannot understand why the EXE file has so many false positive detections. I suspect that there could be a problem with the stubs that are used for the EXE file. I am using the very latest version of Advanced Installer.

We are not using a digital signature yet but it will be available shortly. I can see that, according to your forum, a digital signature can fix some of the false positive detections, but I doubt that it will be able to fix the issues with the EXE file. Can you please look at this and let us know what can be done?

Best regards,
Stanislav

Catalin
Posts: 7513
Joined: Wed Jun 13, 2018 7:49 am

Re: Differences in virus/trojans detected in EXE vs MSI

Hello Stanislav,

Please note I have replied to your email.

Let's continue the discussion there.

Basically, these are false-positive detections.

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team