Frank Bastiaens
Posts: 17
Joined: Thu Apr 02, 2015 9:44 am

Virus Detected with AI Exe

Tue Mar 28, 2023 11:05 am

Hi,

I get a message via Defender that an AI-created executable is a virus. (Windows Defender)

Name: Trojan:Win32/Wacatac.B!ml
Alert Level: Severe
Category: Trojan
Details: This program is dangerous and executes commands from an attacker.

Kind Regards

PS, Attached the AIP

Catalin
Posts: 6542
Joined: Wed Jun 13, 2018 7:49 am

Re: Virus Detected with AI Exe

Tue Mar 28, 2023 11:23 am

Hello Frank,

Most likely, that happens because you did not digitally sign your setup.

What is a Code Signing Certificate and how to ensure digital trust for your application

Hope this helps!

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

Frank Bastiaens
Posts: 17
Joined: Thu Apr 02, 2015 9:44 am

Re: Virus Detected with AI Exe

Tue Mar 28, 2023 11:53 am

Hi Catalin,

You would think so, but then this should already happen 2 weeks ago when I created this package for the first time.

Kind Regards.

Catalin
Posts: 6542
Joined: Wed Jun 13, 2018 7:49 am

Re: Virus Detected with AI Exe

Wed Mar 29, 2023 5:15 pm

Hello Frank,

I can assure you this is because your setup is not digitally signed (I've had many users in the same scenario and the detection went off after the setup was signed).

And I also can assure you that this is a false-positive detection. If you'd like, you can submit it for whitelisting to Microsoft:

Submit a file for malware analysis

Hope this helps!

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team

Catalin
Posts: 6542
Joined: Wed Jun 13, 2018 7:49 am

Re: Virus Detected with AI Exe

Thu Apr 20, 2023 11:43 am

Hello and welcome to our forums,

You're always welcome!

And sure, let me know if you got any questions.

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team

JGwinner
Posts: 2
Joined: Thu Jun 01, 2023 5:54 pm

Re: Virus Detected with AI Exe

Fri Jun 02, 2023 11:23 pm

I know what code signing is, but some guidance on how to include that with Advanced Installer would really be helpful.

Especially as without this, AI basically won't work at all. You have no idea how many angry phone calls we got that our software is virus riddled.

== John ==

Catalin
Posts: 6542
Joined: Wed Jun 13, 2018 7:49 am

Re: Virus Detected with AI Exe

Wed Jun 07, 2023 12:00 pm

Hello John,

First of all, I am sorry to hear about the angry phone calls - we ourselves have faced a similar problem in the past so I definitely can understand your pain.

JGwinner wrote:
I know what code signing is, but some guidance on how to include that with Advanced Installer would really be helpful

Regarding this, fortunately it's pretty easy to achieve - simply go to the "Digital Signature" page and sign your package from there.

Digital Signature: Sign MSI, EXE and MSP files

Now, besides that, what I would also suggest is the following - before each release, scan your MSI/EXE & binaries using VirusTotal. If anything comes up there, I would advise contacting the specific AntiVirus vendor for whitelisting - most of them have a section on their website where you can input files for whitelisting.

A little note here, I would advise doing so for well-known Antivirus vendors, not for unknown ones (e.g. Rise is one of those if I remember correctly - a Chinese vendor who no longer has English support).

This is something we do before each release as well - our support team gathers the MSI and all its resources (dll files, exe files, etc.) and scans them. If something comes up, we postpone the release for 1-2 days until we get an answer from the vendors.

Even with this, considering how fast the AntiVirus heuristics change, we might be ok now and flagged the next day - but I have to admit this is quite rare and this solution has worked for us so far pretty well.

Hope this helps!

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team
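The pre-release check described in the post above (confirm the signature, then scan the MSI/EXE and its binaries), as an added PowerShell example that is not from the original posts or from Advanced Installer. It assumes a hypothetical `.\Release` build output folder and uses the local Defender command-line scanner in place of the VirusTotal upload; the SHA-256 values it reports are what you would look up on VirusTotal.

```powershell
# Added example: pre-release signature and Defender check of a build output folder.
param(
    # Assumption: hypothetical folder holding the built MSI/EXE/DLL files.
    [string]$ReleaseDir = '.\Release'
)

# Record which definitions the scan ran against, so a result can be compared
# later (detections change between security intelligence versions).
$mp = Get-MpComputerStatus
Write-Host "Security intelligence version: $($mp.AntivirusSignatureVersion)"

$mpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'

$report = Get-ChildItem -Path $ReleaseDir -Recurse -File -Include *.msi, *.exe, *.dll |
    ForEach-Object {
        # Authenticode status: Valid, NotSigned, HashMismatch, NotTrusted, ...
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash

        # Custom scan (ScanType 3) of one file; -DisableRemediation leaves the
        # file in place. Exit code 2 means a threat was found.
        & $mpCmdRun -Scan -ScanType 3 -File $_.FullName -DisableRemediation | Out-Null
        $detected = ($LASTEXITCODE -eq 2)

        [pscustomobject]@{
            File        = $_.Name
            Signature   = $sig.Status
            Signer      = $sig.SignerCertificate.Subject
            Timestamped = [bool]$sig.TimeStamperCertificate
            Detected    = $detected
            SHA256      = $hash
        }
    }

$report | Format-Table -AutoSize

# Fail the release step if any file is unsigned, has a broken signature,
# or is flagged by the local Defender engine.
$bad = $report | Where-Object { $_.Signature -ne 'Valid' -or $_.Detected }
if ($bad) {
    Write-Warning "$(@($bad).Count) file(s) need attention before release."
    exit 1
}
```

A file that shows `Signature = Valid` and `Detected = True` is the case reported later in this thread (flagged even though signed), and is the one to submit to the vendor.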

wingers
Posts: 13
Joined: Sat Jan 21, 2017 5:37 pm

Re: Virus Detected with AI Exe

Wed Jun 07, 2023 6:58 pm

Catalin wrote:
Wed Mar 29, 2023 5:15 pm
Hello Frank,

I can assure you this is because your setup is not digitally signed (I've had many users in the same scenario and the detection went off after the setup was signed).

And I also can assure you that this is a false-positive detection. If you'd like, you can submit it for whitelisting to Microsoft:

Submit a file for malware analysis

Hope this helps!

Best regards,
Catalin

Had same issue - and it is NOT because it is not digitally signed, as reported on another forum post it gets flagged by defender even if digitally signed...

I tried submitting it to Microsoft Security Intelligence but report came back as "Analyst comments: Your submission has been rejected due to too many files."
[Screenshot: 2023-06-07_18-55-39.png]

Catalin
Posts: 6542
Joined: Wed Jun 13, 2018 7:49 am

Re: Virus Detected with AI Exe

Thu Jun 08, 2023 9:11 am

Hello Darren,

In most cases so far, if the setup was signed with a trusted certificate (e.g. EV which has instant reputation), the Defender's complaints went away.

Not quite sure why this is not your case here.

Regarding the submission, how many files have you tried to submit that it complains there are too many files? So far I never encountered this behavior.

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team

wingers
Posts: 13
Joined: Sat Jan 21, 2017 5:37 pm

Re: Virus Detected with AI Exe

Thu Jun 08, 2023 10:13 am

I just submitted the one file - updater.exe (as can be seen in the screenshot) - I just assumed it is looking inside it and finding other files or similar?

perhaps try submitting it yourself?

was definitely signed with a digital signature and was definitely detected multiple times by defender - never had this issue before

wingers
Posts: 13
Joined: Sat Jan 21, 2017 5:37 pm

Re: Virus Detected with AI Exe

Thu Jun 08, 2023 10:16 am

just submitted it again - this time the original file from stub folder, rather than the signed file which was detected - hopefully this time it will be accepted, will report back later

Catalin
Posts: 6542
Joined: Wed Jun 13, 2018 7:49 am

Re: Virus Detected with AI Exe

Thu Jun 08, 2023 10:23 am

Hello Darren,

I've tested the updater.exe file with the latest security update from Microsoft and I was not able to reproduce the false-positive issue.

Security intelligence version: 1.391.828.0

Can you please test this again with the latest virus database update from Microsoft?

https://www.microsoft.com/en-us/wdsi/defenderupdates

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team

wingers
Posts: 13
Joined: Sat Jan 21, 2017 5:37 pm

Re: Virus Detected with AI Exe

Thu Jun 08, 2023 11:04 am

seems okay this morning so far.

Did try uploading it again to the website for testing - and definitely just uploaded the one exe from the stubs directory, but it still reports too many files - very strange, so we can't submit it as you keep asking.
[Screenshot: 2023-06-08_11-03-17.png]

Catalin
Posts: 6542
Joined: Wed Jun 13, 2018 7:49 am

Re: Virus Detected with AI Exe

Fri Jun 09, 2023 9:35 am

Hello Darren,

Thank you for your followup on this!

Glad to hear things are working as expected now.

Regarding the issue, it is indeed strange as I've never encountered it when submitting files at Microsoft.

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team
