Author Topic: Avast is flagging my installer (NSIS 2.50) (Read 5766 times)

REDACTED · « **on:** December 28, 2015, 01:59:17 AM »

Hi,

Avast! keep flagging my installer as suspicious. (Win32:Evo-gen [Susp])
An actual scan of the installer gives a green light, no threat found but if I try to move it or download it Avast! will flag it again and remove it.
~~This is a problem that I need fixed as soon as possible so the question is, is there anything I can do about it like a specific NSIS version or something?~~ I am ~~pretty~~ sure NSIS is what is being flagged since it only flags the installer.
I have already submitted it as a false positive but it was about a week ago now. ~~I understand that checking all submitted files take a lot of time so I was hoping I could do something myself in the meantime.~~

The installer is created with NSIS 2.50 with the following plugins
http://nsis.sourceforge.net/NSIS_Simple_Firewall_Plugin (at first I thought this might be the problem but removing it makes no difference)
http://nsis.sourceforge.net/Processes_plug-in

The installer is available here
https://mega.nz/#!iMwWgZzI!zaXoI58aofuVvh9YUp4yxuRHM_yRIJR_7NdypyB-Ct8

A virustotal of the file can be found here
https://www.virustotal.com/en/file/98a0a51ef9bd2ee17dddd59e8b324cbdc3d0a60380a7e9894de1b229c0bda91b/analysis/1451261731/

Updated: I think I managed to compile an installer that does not get flagged. The "solution" was to download an older version NSIS (2.46 in my case) and use that instead.

Eddy · « **Reply #1 on:** December 28, 2015, 02:46:18 PM »

Why not using the latest version of NSIS ?

denics · « **Reply #2 on:** December 28, 2015, 05:23:32 PM »

Hi all,

thank you for reporting this false positive to us. It will be fixed in the next virus database update.

Best regards!

REDACTED · « **Reply #3 on:** December 28, 2015, 05:47:51 PM »

Quote from: Eddy on December 28, 2015, 02:46:18 PM

Why not using the latest version of NSIS ?

2.50 is the latest release. I tried the 3 beta as well but with same result.

Quote from: denics on December 28, 2015, 05:23:32 PM

Hi all,

thank you for reporting this false positive to us. It will be fixed in the next virus database update.

Best regards!

Great, thanks

Eddy · « **Reply #4 on:** December 28, 2015, 06:06:34 PM »

Strange.

I have been using the 3.0 B2 for months without a problem.
Just downloaded/installed the 3.0 B3 but not tested it yet.

EDIT:
Tested it with the 3.0 B3 version.
Win32:Eco-gen[Susp] detected when zlib compression is used.
The other compression methods give no detection.

Eddy · « **Reply #5 on:** December 30, 2015, 04:14:31 AM »

Seems the problem is solved in the 29.12.2015 - 151229-0 vps update.

REDACTED · « **Reply #6 on:** February 02, 2016, 08:54:27 AM »

Hello,

I'm using version 2.46 of NSIS installer for many years to build various setups without any problems.
I have never heared about problems with any AV software.

But now a customer told us that AVAST is flagging a setup as maleware (Win32:Eco-gen[Susp]).

All setups are using the same common NSIS code and will be build with the same NSIS compression settings.
But only one setup will be flagged!

After reading this thread I changed the compressor settings for the affected setup from lzma to zlib an everything works fine again.
No more flagging by AVAST!

BTW:
The latest vps update has no effect for my problem!
Older versions (build with 2.46 and lzma) of the affected setup will not be flagged!

Changing to the latest NSIS installer is planed for the next days.

But now we urgently need to find a solution for the existing setup!
So, how can we send a large setup file to you?
Email is not possible because of length limitation for the attachments.

Regards
jo_ho

Asyn · « **Reply #7 on:** February 02, 2016, 09:00:53 AM »

Quote from: jo_ho on February 02, 2016, 08:54:27 AM

So, how can we send a large setup file to you?

How large is it..!?
You can report a suspected FP here: https://www.avast.com/false-positive-file-form.php

REDACTED · « **Reply #8 on:** February 02, 2016, 10:16:19 AM »

Quote from: Asyn on February 02, 2016, 09:00:53 AM

Quote from: jo_ho on February 02, 2016, 08:54:27 AM
So, how can we send a large setup file to you?
How large is it..!?
You can report a suspected FP here: https://www.avast.com/false-positive-file-form.php

Thank you for your fast response!

This page would not work for me because it is limited to 10 MB an my setup is between 120 MB and 200 MB.

Perhaps I can send you a link to our download server from which you can download the setup?

Milos · « **Reply #9 on:** February 02, 2016, 12:39:20 PM »

Hello,
you can upload it to our FTP (https://www.avast.com/faq.php?article=AVKB229#idt_300) or send us link to download.

Milos

REDACTED · « **Reply #10 on:** February 16, 2016, 03:55:39 PM »

Quote from: Milos on February 02, 2016, 12:39:20 PM

Hello,
you can upload it to our FTP (https://www.avast.com/faq.php?article=AVKB229#idt_300) or send us link to download.

Milos

Hello,
I haved send an email to virus@avast.com 2 weeks ago. Direclty after your post here.
But nothing happens since than!

Is it usual that I get no answer? Do I have to try latest signature updates to see if the problem is solved?

I have now send the email again.
The file is on our download server.

Perhaps some one of your team can help me please.

Author Topic: Avast is flagging my installer (NSIS 2.50) (Read 5766 times)

REDACTED

Avast is flagging my installer (NSIS 2.50)

Eddy

Re: Avast is flagging my installer (NSIS 2.50)

denics

Re: Avast is flagging my installer (NSIS 2.50)

REDACTED

Re: Avast is flagging my installer (NSIS 2.50)

Eddy

Re: Avast is flagging my installer (NSIS 2.50)

Eddy

Re: Avast is flagging my installer (NSIS 2.50)

REDACTED

Re: Avast is flagging my installer (NSIS 2.50) - and also NSIS 2.46!

Asyn

Re: Avast is flagging my installer (NSIS 2.50) - and also NSIS 2.46!

REDACTED

Re: Avast is flagging my installer (NSIS 2.50) - and also NSIS 2.46!

Milos

Re: Avast is flagging my installer (NSIS 2.50)

REDACTED

Re: Avast is flagging my installer (NSIS 2.50)