Author Topic: How to avoid DeepScreen as developer?  (Read 7941 times)

0 Members and 1 Guest are viewing this topic.

REDACTED

  • Guest
Re: How to avoid DeepScreen as developer? [solved]
« Reply #15 on: November 04, 2015, 12:44:39 PM »
I have a attached a sample innosetup script (with private portions being censored by ***) and compiled it using InnoSetup 5.5.6 in InnoIDE 1.0.0.0078.
Downloadsource: http://www.baeckerprogramm.de/downloads/setup.exe
It "features" the same errors as in my screenshot from earlier.

Thanks for clarifying the certificate root issue and reassuring a trusted installer would be excepted. I will forward this information, so we will decide when to apply for a trusted code signing certificate.

PS: Extention limitation fail... due to .iss being blocked my whole text is lost now. So this is just a summary.
PS2: "winsdk" obviously refers to signtool.exe from the Microsoft Windows SDK (7.1A in my case).
« Last Edit: December 04, 2015, 06:03:52 PM by Markus Strunz »

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11863
    • AVAST Software
Re: How to avoid DeepScreen as developer?
« Reply #16 on: November 04, 2015, 05:18:40 PM »
Just a note: I can see you signed even the inner setup (Setup.e32 from Inno installation) with the self-signed certificate. In this case, it actually causes a second DeepScreen to be performed.
The original (untouched) Setup.e32 wouldn't be DeepScreen even when unsigned because its prevalence is very high (it's been run on millions of machines already).

REDACTED

  • Guest
Re: How to avoid DeepScreen as developer?
« Reply #17 on: November 05, 2015, 12:16:00 PM »
Just as a note:
I never configured anything like creating an installer in an self-extraction binary or which files to sign. All I did using InnoSetup was creating a most basic setup and telling him "this is how to use the signtool". Anything else is "how innosetup works". All setups used with that great tool work like that.

That simple setup does not contain anything complex like our real setup does like component downloading, running lot of pascal scripting (checking for need of optional components), fiddling with registry (like adding a trusted location for Access) and potential system files (like C:\Program Files (x86)\Common Files\System\ado\msado60.tlb which is provided by Win7 SP1, but missing in anything earlier - but with the version check it should never try to overwrite them). But isn't it interesting that all you need to do is hit the wizzard button, click together your "setup example" and you can create a setup files that Avast considers suspicious? To be honest, I'd totally understand that Avast signature heuristic would consider our internal setup as suspicious, because we are doing really a lot of stuff that could have dramatic impact on system security, if it was with malice intend. So I'd actually except Avast to deep screen the inner setup, it really has enough suspicuous content. But what really bugs it is the fact it deep screens the same setup twice. Maybe the 2nd deep screening is caused because the first deep screening is interrupted at the error? I have not enough insight into the interna of how far it can execute before deep screeing interrupts it. The fact that I don't even get asked for "do you want to run this file as administrator" by Windows I am tempted to assume the execution is interrupted, before the process attempts to invoke admin privileges.

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11863
    • AVAST Software
Re: How to avoid DeepScreen as developer?
« Reply #18 on: November 05, 2015, 12:26:33 PM »
When you run an Inno-based installer, it extracts its own executable into the TEMP folder and launches another process - and that's where those two scans come from. One is performed on the outer executable, the second one (potentially) on the executable launched from the TEMP folder.

REDACTED

  • Guest
Re: How to avoid DeepScreen as developer?
« Reply #19 on: November 05, 2015, 12:32:15 PM »
I am aware of that... in theory. But doesn't the deep screen sandbox go so far to track child process spawns as well? In that understanding I'd expect the deep screen to follow both processes at least to moment the process is actually showing the first dialogue which is to ask for admin privileges. That's why my theory would be that the sandbox of the deep screen crashes the self extractor before it can fully spawn the child process (the error message would even suggest that it exactly fails at the moment to try to spawn it). Because the previous deep screening was not able to scan that child process it obviously recognizes it as "unscanned" and does what it was programmed to.

REDACTED

  • Guest
Re: How to avoid DeepScreen as developer?
« Reply #20 on: December 04, 2015, 06:03:41 PM »
Heureka!

We finally have our code signing certificate and it indeed nolonger triggers a deep screening and nolonger crashes the inno setup. Everything is now like it should be: 2 normal file scans, one from the outer installer and one from the inner installer. No errors, just smooth and fast execution. We definitely should have done that earlier!

Just wanted to update that thread to confirm that a valid signature is given trust here and avoids issues with the deep screening sandbox.

Offline DavidR

  • Avast √úberevangelist
  • Certainly Bot
  • *****
  • Posts: 89329
  • No support PMs thanks
Re: How to avoid DeepScreen as developer?
« Reply #21 on: December 04, 2015, 06:21:54 PM »
Thanks for taking the time and coming back to keep us updated.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.5.6116 (build 24.5.9153.762) UI 1.0.808/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security