Just as a note:
I never configured anything like creating an installer in an self-extraction binary or which files to sign. All I did using InnoSetup was creating a most basic setup and telling him "this is how to use the signtool". Anything else is "how innosetup works". All setups used with that great tool work like that.
That simple setup does not contain anything complex like our real setup does like component downloading, running lot of pascal scripting (checking for need of optional components), fiddling with registry (like adding a trusted location for Access) and potential system files (like C:\Program Files (x86)\Common Files\System\ado\msado60.tlb which is provided by Win7 SP1, but missing in anything earlier - but with the version check it should never try to overwrite them). But isn't it interesting that all you need to do is hit the wizzard button, click together your "setup example" and you can create a setup files that Avast considers suspicious? To be honest, I'd totally understand that Avast signature heuristic would consider our internal setup as suspicious, because we are doing really a lot of stuff that could have dramatic impact on system security, if it was with malice intend. So I'd actually except Avast to deep screen the inner setup, it really has enough suspicuous content. But what really bugs it is the fact it deep screens the same setup twice. Maybe the 2nd deep screening is caused because the first deep screening is interrupted at the error? I have not enough insight into the interna of how far it can execute before deep screeing interrupts it. The fact that I don't even get asked for "do you want to run this file as administrator" by Windows I am tempted to assume the execution is interrupted, before the process attempts to invoke admin privileges.
