Topic: False positive

REDACTED

  • Guest
Re: False positive
« Reply #15 on: July 08, 2018, 04:57:25 PM »
I'm analysing Installshield project and I see that I can sign setup.exe.

Building installation makes a new setup.exe (installshield compiler).

I will change installations tomorrow for next releases.

Just for now, I can analyse setup.exe with virustotal if you want.
--> https://www.virustotal.com/fr/file/2824b5d61b41cb040a3bf1c8cfb4d17f47aecf4d0bd24a38bcafcf669d7cc811/analysis/1531061627/

But, in fact, I think that our 200 different installations have 200 different setup.exe (slightly different, with different properties for example).

Can we hope that these setup.exe aren't detected right now?

Offline adam.pavlat

  • Avast team
  • Newbie
  • *
  • Posts: 11
Re: False positive
« Reply #16 on: July 08, 2018, 05:29:19 PM »
Hi,

detection disabled, thanks for signing the setup.

Adam

REDACTED

  • Guest
Re: False positive
« Reply #17 on: July 08, 2018, 05:53:18 PM »
Hi, I can't test right now.

But does your last operation impact all my setup.exe?
Without signing for the moment ...

Thanks

Offline adam.pavlat

  • Avast team
  • Newbie
  • *
  • Posts: 11
Re: False positive
« Reply #18 on: July 08, 2018, 07:26:06 PM »
Interesting,

I was digging in the submit DB and found these samples by the name of the parent process and the location on a customer machine.
There were about 5 detections on them. I disabled them and whitelisted the samples, but this is not the generic solution.

Adam
« Last Edit: July 08, 2018, 07:44:25 PM by adam.pavlat »

REDACTED

  • Guest
Re: False positive
« Reply #19 on: July 08, 2018, 11:06:44 PM »
Hi

Perhaps I can give you all the sha256 thumbprints of setup.exe:
200 thumbprints for the 2018 installation versions,
200 for 2017.

In a simple text file?

Offline adam.pavlat

  • Avast team
  • Newbie
  • *
  • Posts: 11
Re: False positive
« Reply #20 on: July 08, 2018, 11:53:40 PM »
Yes sure why not. :)

REDACTED

  • Guest
Re: False positive
« Reply #21 on: July 09, 2018, 01:25:26 AM »
Hi

You can find 2 files:
  https://www.index-education.com/contenu/telechargement/partenaires/Details.txt
  https://www.index-education.com/contenu/telechargement/partenaires/Thumbprint.txt

The files contain the sha256 of the "setup.exe" packaged in our different installations.

Thumbprint.txt contains only unique sha256. I noticed that some setup.exe are identical, so the thumbprints are too.
Details.txt contains more details.

Look for example at one of the first lines:
Install_EDTadminrelais_BE_2017.0.2.10_win32;a88927f39e0d3b276026ebb1f656cf52dcf9fa0b16407873c4aa36cad0baf3e2
a88927f39e0d3b276026ebb1f656cf52dcf9fa0b16407873c4aa36cad0baf3e2 is the hash of the setup.exe packaged in Install_EDTadminrelais_BE_2017.0.2.10_win32.exe
You can download this file to verify if you want: http://tele3.index-education.com/telechargement/edt/v2017.0/exe/Install_EDTadminrelais_BE_2017.0.2.10_win32.exe

setup.exe is inside Install_EDTadminrelais_BE_2017.0.2.10_win32.exe. You can extract the files with this command line:
Install_EDTadminrelais_BE_2017.0.2.10_win32.exe /s /extract_all:c:\temp\Install_EDTadminrelais_BE_2017.0.2.10_win32

I hope that you can add all these files as clean files. Tomorrow, I will work to sign all setup.exe.

Thanks for your help

Best regards

Laurent
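
An added example, not code from the thread or from Index Education: a small Python helper that parses the `<installer name>;<sha256>` layout of Details.txt described above, derives the unique-hash set that Thumbprint.txt holds, and checks whether the bytes of an extracted setup.exe match a hash on the submitted clean list. The installer names and the setup.exe bytes below are constructed stand-ins, not the real files; only the one real line quoted in the post is a genuine value.

```python
import hashlib

# Constructed stand-ins for two different setup.exe builds (not real installer bytes).
SETUP_A = b"constructed stand-in for one InstallShield setup.exe build\n"
SETUP_B = b"constructed stand-in for a different setup.exe build\n"

def sha256_hex(data: bytes) -> str:
    """SHA-256 of in-memory bytes as lower-case hex, the form used in Details.txt."""
    return hashlib.sha256(data).hexdigest()

def sha256_file(path: str) -> str:
    """Same for a file on disk (e.g. an extracted setup.exe), read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

# Constructed Details.txt content in the thread's "<installer name>;<sha256>" layout.
# Names are made up; two installers deliberately package the identical setup.exe.
DETAILS_SAMPLE = "\n".join([
    f"Install_ProductA_2017.0.1_win32;{sha256_hex(SETUP_A)}",
    f"Install_ProductB_2017.0.1_win32;{sha256_hex(SETUP_A)}",
    f"Install_ProductA_2018.0.1_win32;{sha256_hex(SETUP_B).upper()}",  # case must not matter
])

def parse_details(text: str) -> dict[str, list[str]]:
    """Map each sha256 to the installer names whose packaged setup.exe has that hash.
    Malformed lines raise instead of being skipped, so a damaged list cannot shrink silently."""
    by_hash: dict[str, list[str]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        name, sep, digest = line.rpartition(";")
        digest = digest.strip().lower()
        if not sep or not name.strip() or len(digest) != 64 or set(digest) - set("0123456789abcdef"):
            raise ValueError(f"Details.txt line {lineno}: malformed entry {raw!r}")
        by_hash.setdefault(digest, []).append(name.strip())
    return by_hash

def unique_thumbprints(by_hash: dict[str, list[str]]) -> list[str]:
    """The de-duplicated hash set the thread calls Thumbprint.txt."""
    return sorted(by_hash)

def installers_for(by_hash: dict[str, list[str]], setup_exe: bytes) -> list[str]:
    """Installers that package exactly these setup.exe bytes; empty means not on the clean list."""
    return by_hash.get(sha256_hex(setup_exe), [])
```

To check a real extracted setup.exe, compare `sha256_file(path)` against `unique_thumbprints(parse_details(open("Details.txt").read()))`.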

Offline Sirmer

  • Avast team
  • Sr. Member
  • *
  • Posts: 324
Re: False positive
« Reply #22 on: July 09, 2018, 10:14:05 AM »
Hi,
all files we have are now classified as clean.

REDACTED

  • Guest
Re: False positive
« Reply #23 on: July 09, 2018, 10:19:14 AM »
Hi, good news!

I will check with our support if everything is OK now.

I'm working to sign the InstallShield "internal" setup.exe.

Last question: we have never been detected as a virus. Installations are very similar at each publication. So why now?

I must check that old versions don't have the same problem with Avast ...

Best regards

Laurent ESPARIAT
« Last Edit: July 09, 2018, 10:35:55 AM by lespariat »