Voriki
Posts: 11
Joined: Fri May 21, 2021 3:59 pm

Certificate expired -> Update is no longer silent + triggers antivirus threat (IDP.Generic)

Fri May 21, 2021 4:13 pm

Hey folks, we have an app that is distributed with an installer, and receives silent updates via the Advanced Installer updater. The package is signed via an EV certificate that has recently expired. We've reissued the certificate and update AI to use the new certificate. However, when we tried to update an existing app (that had the old certificate) to one with the new certificate one of two things occurs:

1. A UAC notification shows up and the installation process occurs in the foreground - since the update should be silent, these shouldn't be showing up
2. An antivirus (AVG in this case) marks the updater as an IDP.Generic threat and quarantines it.

We're not quite sure what to do in this situation, how to resolve it without forcing a manual reinstall on all machines, or how to avoid it in the future. Anyone have any advice?

Catalin
Posts: 4228
Joined: Wed Jun 13, 2018 7:49 am

Re: Certificate expired -> Update is no longer silent + triggers antivirus threat (IDP.Generic)

Fri May 21, 2021 4:24 pm

Hello and welcome to our forums,

This might indeed happen if the certificate has changed.

To be more precise, this happens if the two certificates you are using do not have the same "Subject".

For more information about this, please have a look over the following forum thread where a similar problem is discussed:

Update without elevation and Certificate issue
We're not quite sure what to do in this situation, how to resolve it without forcing a manual reinstall on all machines, or how to avoid it in the future. Anyone have any advice?
With the above being said, a solution would be obtaining a new certificate that has the same "Subject" as the older one.

Hope this helps!

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

Voriki
Posts: 11
Joined: Fri May 21, 2021 3:59 pm

Re: Certificate expired -> Update is no longer silent + triggers antivirus threat (IDP.Generic)

Fri May 21, 2021 5:14 pm

Hi Catalin,

Thanks for the quick response. The Subject fields of the two certificates are different in 2 ways:
  • The old certificate had an extra locality line. The cert provider confirmed they can issue a new cert with this line (not an issue)
  • A SERIALNUMBR field in the Subject itself. The provider said that this is unique to every certificate and so a reissue will have a different value

We'll issue a certificate with the 1st change, but by the sound of it, that second field needing to change means that even a reissued certificate won't solve the problem.

Catalin
Posts: 4228
Joined: Wed Jun 13, 2018 7:49 am

Re: Certificate expired -> Update is no longer silent + triggers antivirus threat (IDP.Generic)

Fri May 21, 2021 6:00 pm

Hello,
We'll issue a certificate with the 1st change, but by the sound of it, that second field needing to change means that even a reissued certificate won't solve the problem.
In order to avoid this, the certificate's Subject must be the same between the two certificates.
A SERIALNUMBR field in the Subject itself. The provider said that this is unique to every certificate and so a reissue will have a different value
To be fully honest with you, I was not aware of this scenario - e.g. a unique serial number being input into the Subject field.

As I have mentioned above, as far as I know, the certificates' Subject must be the exact same.

I will try to discuss this with our developement team to see if perhaps there is some other way around this, but I honestly doubt.

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

Voriki
Posts: 11
Joined: Fri May 21, 2021 3:59 pm

Re: Certificate expired -> Update is no longer silent + triggers antivirus threat (IDP.Generic)

Fri May 21, 2021 6:08 pm

Understood. In either case, thank you for checking

Catalin
Posts: 4228
Joined: Wed Jun 13, 2018 7:49 am

Re: Certificate expired -> Update is no longer silent + triggers antivirus threat (IDP.Generic)

Tue May 25, 2021 4:14 pm

Hello Andrei,

I have discussed this with our development team and, unfortunately, it looks like there is no workaround for this. :(


The only solution would be the one presented above - i.e. having the same Subject.

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

Voriki
Posts: 11
Joined: Fri May 21, 2021 3:59 pm

Re: Certificate expired -> Update is no longer silent + triggers antivirus threat (IDP.Generic)

Tue May 25, 2021 4:17 pm

Understood. Thank you for checking.

One other option we've considered is changing our certificate provider. Would changing our provider to one that can provide the same Subject get around this issue?

Catalin
Posts: 4228
Joined: Wed Jun 13, 2018 7:49 am

Re: Certificate expired -> Update is no longer silent + triggers antivirus threat (IDP.Generic)

Tue May 25, 2021 5:06 pm

Hello Andrei,

If the "Subject" will be the same, then this should indeed be working as expected.

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube


Catalin
Posts: 4228
Joined: Wed Jun 13, 2018 7:49 am

Re: Certificate expired -> Update is no longer silent + triggers antivirus threat (IDP.Generic)

Tue May 25, 2021 5:16 pm

You are always welcome!

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

Voriki
Posts: 11
Joined: Fri May 21, 2021 3:59 pm

Re: Certificate expired -> Update is no longer silent + triggers antivirus threat (IDP.Generic)

Thu May 27, 2021 10:46 pm

Hi Catalin,

It seems that the issue is that the old certificate used our state level information for the Subject, and the new certificate used federal level information due to regulatory changes. This led to all the changes in the Subject line mentioned above.

We've been talking with our certificate provider, and exploring alternate providers, as well as looked into a self-signed certificate. It seems like there is no way to provision a certificate with the same Subject as before, as the regulation changes prevent it. We've got some machines where folks don't have elevated status on their machines, so are relying on the silent updates. I wanted to check in with you one more time to see if there was any alternative route to pushing these updates to people that you, or anyone at Advanced Installer could suggest?

Catalin
Posts: 4228
Joined: Wed Jun 13, 2018 7:49 am

Re: Certificate expired -> Update is no longer silent + triggers antivirus threat (IDP.Generic)

Fri May 28, 2021 11:18 am

Hello Andrei,

I'm afraid there is no other solution other than the one provided above.

In your case, for instance, we would need to validate only a part of the "Subject" (e.g. without the unique serial number). We can not do that, because the Subject would no longer be unique.

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

Voriki
Posts: 11
Joined: Fri May 21, 2021 3:59 pm

Re: Certificate expired -> Update is no longer silent + triggers antivirus threat (IDP.Generic)

Fri May 28, 2021 12:12 pm

Gotcha. Figured I'd do one last check just in case.

Thanks again!

Catalin
Posts: 4228
Joined: Wed Jun 13, 2018 7:49 am

Re: Certificate expired -> Update is no longer silent + triggers antivirus threat (IDP.Generic)

Fri May 28, 2021 1:05 pm

You are always welcome, Andrei!

I am sorry we could not quite solve this.

Please let me know if there is anything else I could help you with and I will gladly assist!

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

Catalin
Posts: 4228
Joined: Wed Jun 13, 2018 7:49 am

Re: Certificate expired -> Update is no longer silent + triggers antivirus threat (IDP.Generic)

Thu Jun 03, 2021 6:53 pm

Hello Andrei,

I hope this is not too late, but I may have found a workaround for your problem.

You can find more details about it in our "How to install only digitally signed update packages" article --> "Migrating to a new certificate" section.

Hope this helps!

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

Return to “Common Problems”