One of my freshly-compiled plugins was falsely detected as “Trojan:Win32/Phonzy.A!ml” by Windows Defender /on my build machine/, somewhere between compiling, signing (with a proper corp key, the one that’s a hassle to get) and packaging into an installer.
I can just disable Windows Defender on the code folders on my build machine, but are there any other gotchas to watch for that will cause grief with end-users? Like, should I automatically submit all installer files to virustotal or something?
I haven’t had this myself, but you can submit your software for analysis here:
Google says:
"
Remember to select “Software developer” as your submission type.
Upload your program file.
Provide as much detail as possible:
Explain what your program does.
Mention that you believe it’s a false positive.
Describe how the program is installed and any system interactions it performs.
Include any relevant contact information.
Check the submission history: You can track the status of your submission on the Microsoft Security Intelligence website.
Important Note: Microsoft’s review process can take time, and subsequent builds of your software might still be flagged until your software builds a reputation.
"
You can forget about submitting to Microsoft. I’ve seen false positives for software that is used by millions of people, and apparently, that is still not enough of a reputation to get allow-listed.
I’ve turned off virus scans for my sources/build folders. Once signed with an EV-code signing certificate, they can be downloaded without triggering Microsoft Defender.
Here we go again: we use Inno Setup for our cloud app and for our products and have zero problems. Ditching Inno Setup in favor of some complicated Microsoft tool is a pointless endeavor.
@Toddler-Boy, @remaincalm, That's what I was thinking. I personally prefer Inno Setup.
I grabbed the .pfx file manually, and getting it should be explained by the cert provider.
In this instance, I didn’t check which artifact was quarantined - it might have been the .exe installer itself. But it got caught somewhere between “build” and “sign” (I have them separated in my build script, instead of having the Inno compiler do the signing itself - a bit easier to reason about when they’re split out). So it must have hooked the file write.
(All artifacts are signed with appropriate certs, and the compiled installer gets signed as well).
I’ve been using this script for a year and have only had this happen once. I’ve got a Defender exclusion on my build folder now so it won’t happen again (hopefully! not sure if anything goes in temp folders during the build). Just broadly worried about unpredictable remote systems…
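A post-build step along the lines discussed in this thread, as an added example (not code from any poster): it scopes the Defender exclusion to the build output folder only, fails the build if any shipped artifact lacks a valid Authenticode signature, and lists any Defender detection raised during the build together with the file it hit, so the quarantined artifact is not a mystery next time. It assumes an elevated PowerShell session and the hypothetical paths C:\build\out for the output folder.

```powershell
# Added example: narrowly scoped Defender exclusion plus post-build signature and
# detection checks. Paths below are assumptions, not from the original thread.
#Requires -RunAsAdministrator
$BuildDir   = 'C:\build\out'      # assumed build output folder
$BuildStart = Get-Date

# Exclude only the build output folder, not the sources tree or the whole drive.
# (Temp folders used during the build are deliberately NOT excluded.)
if ((Get-MpPreference).ExclusionPath -notcontains $BuildDir) {
    Add-MpPreference -ExclusionPath $BuildDir
}

# ... build, sign (signtool) and package (ISCC.exe) here ...

# Every shipped artifact must carry a valid Authenticode signature; a file that
# was never signed, or whose signature was damaged, fails the build here.
$bad = Get-ChildItem -Path $BuildDir -Recurse -Include *.exe, *.dll, *.msi |
    ForEach-Object { Get-AuthenticodeSignature -FilePath $_.FullName } |
    Where-Object { $_.Status -ne 'Valid' }
if ($bad) {
    $bad | Select-Object Path, Status, StatusMessage | Format-Table -AutoSize
    throw "Unsigned or invalidly signed artifacts found under $BuildDir"
}

# Surface any detection Defender raised since the build started, with the
# resource (file path) it acted on, so the quarantined artifact is identifiable.
$hits = Get-MpThreatDetection |
    Where-Object { $_.InitialDetectionTime -ge $BuildStart }
if ($hits) {
    $hits | Select-Object InitialDetectionTime, ThreatID,
        @{ Name = 'Resources'; Expression = { $_.Resources -join '; ' } } |
        Format-Table -AutoSize
    Write-Warning 'Defender flagged something during this build; see the list above.'
}
```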