False-positive Malware Detection Announcement

Written by Bogdan Mitrache · October 8th, 2021

On September 21st, 2021, the Morphisec team published an article explaining how a PowerShell script can be used to deploy malware via an MSI installation package.

The team performing this investigation used Advanced Installer in their tests and incorrectly assumed that this vulnerability is enabled by our predefined support for running PowerShell scripts.

Important: This is incorrect. Advanced Installer does not include any malware inside the setup packages it builds. The functionality described by the Morphisec team can be achieved with any professional MSI authoring tool that supports PowerShell custom actions.

In the meantime, the article published by the Morphisec team has been republished on other security blogs, and antivirus vendors have recently started to warn end users about, or block them from running, setup packages generated by Advanced Installer that contain a PowerShell script custom action.

We have contacted the Morphisec team to inform them about their incomplete research, and so far we have received no reply from them. We will continue trying to contact them, as well as the antivirus vendors.

What should I do?

If you have a setup package created with Advanced Installer that contains PowerShell custom actions, please follow our guidelines for submitting a false-positive request with any antivirus vendor that is incorrectly flagging your installer.

Additionally, please make sure your installer package is digitally signed with a valid code signing certificate acquired from a known vendor, and that you have also enabled the “Sign script” option for your custom action (this option is available only for inline PowerShell custom actions).
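As an added example (not part of the original announcement or of Advanced Installer itself), the following PowerShell check confirms, before you file a false-positive report, that the built package and any script files shipped next to it carry a valid Authenticode signature from a certificate that actually has the Code Signing usage. The folder path `C:\build` is a placeholder.

```powershell
# Added example: verify the Authenticode signature of a built setup package
# (and any .ps1 files staged beside it) and report whether the signer
# certificate is a genuine code-signing certificate.
function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)]
        [string]$Path   # e.g. 'C:\build\MyProduct.msi' (placeholder path)
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate

    # EKU OID for Code Signing; a certificate without it should not be used
    # to sign installers, even if Status reports 'Valid'.
    $codeSigningOid = '1.3.6.1.5.5.7.3.3'
    $hasCodeSigningEku = $false
    if ($cert) {
        $hasCodeSigningEku = $cert.EnhancedKeyUsageList.ObjectId -contains $codeSigningOid
    }

    [pscustomobject]@{
        File        = $Path
        Status      = $sig.Status          # Valid, NotSigned, HashMismatch, UnknownError, ...
        StatusText  = $sig.StatusMessage
        Signer      = if ($cert) { $cert.Subject }  else { $null }
        Issuer      = if ($cert) { $cert.Issuer }   else { $null }
        NotAfter    = if ($cert) { $cert.NotAfter } else { $null }
        CodeSigning = $hasCodeSigningEku
        Timestamped = [bool]$sig.TimeStamperCertificate  # signature stays valid after cert expiry
        Ok          = ($sig.Status -eq 'Valid') -and $hasCodeSigningEku
    }
}

# Usage: check every MSI and PowerShell script file in the build output folder.
Get-ChildItem -Path 'C:\build' -Include *.msi, *.ps1 -Recurse |
    ForEach-Object { Test-InstallerSignature -Path $_.FullName } |
    Format-Table File, Status, Signer, CodeSigning, Timestamped, Ok -AutoSize
```

Any row with `Ok` equal to `False` (unsigned file, hash mismatch, or a signer without the Code Signing usage) should be fixed in the build before the package is submitted to an antivirus vendor.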

We cannot report false-positive detections on your behalf because we do not have access to your setup packages.

If you have any questions regarding the reporting of a false-positive detection, please contact our support team at support at advancedinstaller dot com.

We will post more updates as soon as possible.
