tom5870
Posts: 7
Joined: Wed Jul 26, 2017 4:00 pm

Symantec endpoint risk issue

Fri Mar 16, 2018 3:36 pm

Whenever I copy a built installers (different projects), to a machine with Symantec Endpoint Security, it quarantines that package claiming "Heur.AdvML.B" was detected. This seems to be happening on the latest versions of 14, I have 14.5.1. Any suggestions?

Eusebiu
Posts: 4895
Joined: Wed Nov 14, 2012 2:04 pm

Re: Symantec endpoint risk issue

Tue Mar 20, 2018 4:18 pm

Hi,

Can you try to build your package with the latest version of Advanced Installer and see if the problem persists? Please take a look on the "Weird exe setup infected reported by virustotal" thread which debates the same problem.

Best regards,
Eusebiu
Eusebiu Aria - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

tom5870
Posts: 7
Joined: Wed Jul 26, 2017 4:00 pm

Re: Symantec endpoint risk issue

Thu Mar 29, 2018 9:47 pm

Building with 14.7 seemed to correct the issue. Big question is why did the updater in 14.5.1 refuse to download the later versions. Guess it doesn't matter now, just have to see if 14.7 has the same issue with updating.

Eusebiu
Posts: 4895
Joined: Wed Nov 14, 2012 2:04 pm

Re: Symantec endpoint risk issue

Mon Apr 02, 2018 10:40 am

Hi,

I'm glad the problem is solved in the latest version. Just let us know if you encounter other problems.

Best regards,
Eusebiu
Eusebiu Aria - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

10e
Posts: 3
Joined: Wed Apr 11, 2018 6:20 pm

Re: Symantec endpoint risk issue

Wed Apr 11, 2018 6:25 pm

I'm having the exact same issue when building my setup with AI 14.7 build 9cfg640d4e3. Symantec Endpoint Protection finds Heur.AdvML.B and won't let the installer execute on target machine. Why is this happening?

Eusebiu
Posts: 4895
Joined: Wed Nov 14, 2012 2:04 pm

Re: Symantec endpoint risk issue

Thu Apr 12, 2018 2:19 pm

Hi and welcome to our forums.

I've tested the scenario and I replicated the detection. I can assure you this is a false positive detection. We will submit a false positive ticket to the antivirus vendors and hopefully they will manage to fix and prevent such false positives in the future.

In the meantime I strongly recommend you to also submit to the antivirus vendors your built setup packages so they be whitelisted. This is a best practice and this way you will avoid such unpleasant detections. Nowadays the antivirus heuristics is changing on a daily basis and they become more and more aggressive. The best solution to avoid such false detection is to whitelist all of your built setup packages.

Thank you for your understanding.

Best regards,
Eusebiu
Eusebiu Aria - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

10e
Posts: 3
Joined: Wed Apr 11, 2018 6:20 pm

Re: Symantec endpoint risk issue

Thu Apr 12, 2018 4:33 pm

Thanks for the quick reply and I did send the antivirus vendors the built setup package.

My concern is that the package is white-listed by contents and not file name? If this is the case I suspect I'd have submit every build of my setup package for white-listing which isn't practical.

Another approach mentioned elsewhere is to set the project output folder as an exception in the antivirus settings.

Eusebiu
Posts: 4895
Joined: Wed Nov 14, 2012 2:04 pm

Re: Symantec endpoint risk issue

Tue Apr 17, 2018 10:09 am

Hi,

Indeed, a package is not white-listed by its name, but by a hash, so every new package should be submitted for white-listing. This is what we do with Advanced Installer. Does the problem still appear if you build your package with the 14.8 version of Advanced Installer?

Setting the project output as an exception in the antivirus settings can also be a solution.

Best regards,
Eusebiu
Eusebiu Aria - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

xsensordev
Posts: 2
Joined: Fri Aug 18, 2017 7:33 pm

Re: Symantec endpoint risk issue

Wed Jun 13, 2018 4:55 pm

Are you seriously suggesting that "trying the latest" version might fix the problem? Do you guys even use your own software in an environment with a variety of antivirus programs running?

This false positive problem has been on and off for several years now. We've been using Advanced Installer for 5+ years, and all this time its hit and miss with Symantec treating our exe installs (but not the msi build of the same project) as dangerous payloads.

Obviously Advanced Installer must be pretty small potatoes if you have not established a relationship with the antivirus vendors. God, so frustrating to have customers calling us up complaining we're shipping virus laden software.

Bogdan
Posts: 2788
Joined: Tue Jul 07, 2009 7:34 am
Contact:  Website

Re: Symantec endpoint risk issue

Thu Jun 14, 2018 3:48 pm

Hi,
re you seriously suggesting that "trying the latest" version might fix the problem?
Since the AV vendors change their heuristics daily, sometimes this helps, just as you can see in the initial messages from this thread.
We do not guarantee that an upgrade to the latest version will fix your version, thus we do not recommend this as a main solution, but sometimes it can be the easiest solution.

The algorithms defined by AV providers do not support whitelisting a certain vendor (e.g. our company for example) as that would be a serious security breach for them. They do whitelist us our binaries everytime we upload them, but this sometimes it is not enough as these binaries get changed with your package settings. (in EXEs we include your MSI, for other stubs we inject settings from the project and so on).

Basically, all these files are now new files in what the AV providers are concerned, and their false-positive detections start to appear.
God, so frustrating to have customers calling us up complaining we're shipping virus laden software.
We strongly recommend that you scan each official release (not your daily builds) on virustotal.com for false positives and submit your official release setup package to any of the AV vendors that incorrectly detect it.

We do this for the setup package of Advanced Installer itself, each time we release a new build, as it is commonly detected because it contains all the EXE/DLL stubs used in the packages you generate.

Regards,
Bogdan
Bogdan Mitrache - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

Return to “Common Problems”