Re: [WiX-users] Reopen Burn triggers virus checker - ID: 3431068
On Fri, Jan 13, 2012 at 7:48 AM, Peter Hull peterhul...@hotmail.com wrote:

> > Date: Thu, 12 Jan 2012 20:56:15 +0100
> > From: n...@panorama9.com
> >
> > > I would start by digitally signing your burn bundle.
> >
> > The bundle is already signed with a Thawte code signing certificate
>
> The reported file name looks more like it's the extracted engine than your bundle itself. Have you signed the engine?

I only think we have signed the bundle, so we are working on signing the engine and retesting to see if it makes a difference.

> > Either Trend Micro should change their detection mechanism regarding the RunOnce key or the bundling framework of burn should change its default behavior.
>
> From the Trend docs I saw it seemed to suggest that 'Malware Behaviour Monitoring' could be turned off (indeed, terminating programs like this was not the default) and also that signed executables were exempt. So it maybe is a bug in Trend that means it doesn't work as documented?

Maybe, but as this is the default setting for a Trend Micro installation it is quite a problem.

> The other thing is that other installers (InstallShield) don't seem to do this so does anyone understand how InstallShield handles the reboot issue?

Don't know, but it could be that they don't look in the RunOnce key as default behavior in their engine and thereby don't have this issue?

> Pete

--
Best Regards
Nikolaj Steensgaard
Panorama9 A/S
Langebrogade 5
1411 Copenhagen K
Phone: +45 7020 3565
Mobile: +45 2124 3040
n...@panorama9.com

___
WiX-users mailing list
WiX-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/wix-users
Re: [WiX-users] Reopen Burn triggers virus checker - ID: 3431068
On 01/12/2012 09:46 AM, Peter Hull wrote:

> > From: r...@robmensching.com
> >
> > We'll need to teach this anti-virus program about Burn. Fortunately big programs, like Visual Studio, are using Burn and if it kills them I hope we can muster some change.
>
> So are you saying we need to raise this as an issue with Trend Micro?

I have been trying to debug this issue to answer that exact question!

> Is the program that actually writes the registry always the same? (I'm a bit confused about what the stages are when a burn exe is run, particularly what the burn engine is and what the burn agent is)

I will explain the issue in more detail to give better insight into what we are seeing.

For about a year we have been deploying our software built with the WiX installer as an MSI package and have not seen this issue.

Two months ago we created a bundled version (exe built with WiX 3.6) that checked for .net 3.51 + Win install 3.1 and installed if needed before installing our software.

Then we got reports from clients about this issue occurring.

The bundled version is quite simple and only checks for the above mentioned software and downloads / installs if needed.

A complete AD with Trend Micro Office Scan was established to reproduce the error, which we can.

Some things that we so far have noticed:

- It only seems to occur on Windows XP for some reason. (this machine already has the needed .net and Win install so it's not their installer that creates the problem)
- Our code does not at any time write or read from the RunOnce key

Also as the previous reporter of this issue (ID: 3431068)

We will be trying to use SysInternals tools to get a debug of what's happening when the issue occurs, and post the result here.

Hope this helps in explaining the issue we are seeing and we are more than happy to run any tests you suggest!!!

Nik

> Pete
Re: [WiX-users] Reopen Burn triggers virus checker - ID: 3431068
On Thu, Jan 12, 2012 at 6:03 PM, Hoover, Jacob jacob.hoo...@greenheck.com wrote:

> I would start by digitally signing your burn bundle.

The bundle is already signed with a Thawte code signing certificate

> Most anti-virus software provides more leeway to signed executables. If your bundle is static, then you could also submit it to Trend Micro as a false positive. Most AV vendors will update their signatures to work around false positives in a timely manner.

Yes, but our bundle is dynamic as the version of the software changes.

> The RunOnce key, from what I read in Rob's response, is written to from the bundling framework of burn. It is done proactively rather than as needed.

So isn't that really the issue then?

Either Trend Micro should change their detection mechanism regarding the RunOnce key or the bundling framework of burn should change its default behavior.

I have already tried to get in contact with Trend Micro through several channels without luck and have also submitted a request to get access to Reputation Service and Verification Portal (RSVP).

Looking in the Trend Micro software there doesn't seem to be a way to turn the Malware detection feature

> -----Original Message-----
> From: NIkolaj Steensgaard [mailto:n...@panorama9.com]
> Sent: Thursday, January 12, 2012 3:37 AM
> To: General discussion for Windows Installer XML toolset.
> Subject: Re: [WiX-users] Reopen Burn triggers virus checker - ID: 3431068
>
> On 01/12/2012 09:46 AM, Peter Hull wrote:
>
> > > From: r...@robmensching.com
> > >
> > > We'll need to teach this anti-virus program about Burn. Fortunately big programs, like Visual Studio, are using Burn and if it kills them I hope we can muster some change.
> >
> > So are you saying we need to raise this as an issue with Trend Micro?
>
> I have been trying to debug this issue to answer that exact question!
>
> > Is the program that actually writes the registry always the same? (I'm a bit confused about what the stages are when a burn exe is run, particularly what the burn engine is and what the burn agent is)
>
> I will explain the issue in more detail to give better insight into what we are seeing.
>
> For about a year we have been deploying our software built with the WiX installer as an MSI package and have not seen this issue.
>
> Two months ago we created a bundled version (exe built with WiX 3.6) that checked for .net 3.51 + Win install 3.1 and installed if needed before installing our software.
>
> Then we got reports from clients about this issue occurring.
>
> The bundled version is quite simple and only checks for the above mentioned software and downloads / installs if needed.
>
> A complete AD with Trend Micro Office Scan was established to reproduce the error, which we can.
>
> Some things that we so far have noticed:
>
> - It only seems to occur on Windows XP for some reason. (this machine already has the needed .net and Win install so it's not their installer that creates the problem)
> - Our code does not at any time write or read from the RunOnce key
>
> Also as the previous reporter of this issue (ID: 3431068)
>
> We will be trying to use SysInternals tools to get a debug of what's happening when the issue occurs, and post the result here.
>
> Hope this helps in explaining the issue we are seeing and we are more than happy to run any tests you suggest!!!
>
> Nik
>
> > Pete

--
Best Regards
Nikolaj Steensgaard
Panorama9 A/S
[WiX-users] Reopen Burn triggers virus checker - ID: 3431068
We have built an EXE with WiX 3.6 beta which is detected by Trend Micro as Malware behavior and we are looking for the reason for this.

This is the log entry from Trend Micro

---
Malware behavior blocking Terminate Registry High C:\Documents and Settings\administrator.ADTEST\Local Settings\Temp\{044fc46d-90ff-4769-9c96-28a774dcbd7a}\.be\copy-yvxrlsay.iz2-P9Agent.exe Write HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\{044fc46d-90ff-4769-9c96-28a774dcbd7a}
---

Snip from previous case:

---
Burn-based installers trigger Trend OfficeScan (v.10.5) when they write to the RunOnce registry key. The virus checker terminates the installer immediately.
---

We have a complete testing environment where we can tweak, monitor and reproduce this error and are more than willing to assist in debugging this issue.

Please let me know anything we can provide to debug and solve this

Regards
Nikolaj Steensgaard
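As an added example (not part of the original post, and not WiX or Trend Micro code), a triage helper for the behaviour-monitoring entry quoted in the message above: it pulls out the process image and the registry target, then checks whether the RunOnce value name equals the GUID of the `\.be\` directory the image runs from, which is the shape that entry has. The field layout, the `triage` function and the verdict names are assumptions made for this example; the second and third sample entries are constructed.

```python
import re

GUID = r"\{[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}"
# Field order taken from the log entry quoted above: image path, operation, target.
ENTRY = re.compile(r"(?P<image>[A-Za-z]:\\.+?\.exe)\s+(?P<op>\w+)\s+(?P<target>HK\S+)")
AUTORUN = re.compile(
    r"^HK(?:LM|CU)\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\"
    r"(?P<key>RunOnce|Run)\\(?P<value>.+)$", re.IGNORECASE)
# Assumption: the unpacked engine runs from <temp>\{bundle id}\.be\, as in that entry.
ENGINE = re.compile(r"\\(?P<bundle>" + GUID + r")\\\.be\\[^\\]+\.exe$", re.IGNORECASE)


def triage(entry):
    """Classify one behaviour-monitoring log entry that names a registry write."""
    m = ENTRY.search(entry)
    if not m:
        return {"verdict": "unparsed"}
    out = m.groupdict()  # image, op, target
    auto = AUTORUN.match(out["target"])
    if not auto:
        out["verdict"] = "not-autorun"
        return out
    out["key"], out["value"] = auto.group("key"), auto.group("value")
    eng = ENGINE.search(out["image"])
    if eng and eng.group("bundle").lower() == out["value"].lower():
        # Path shape is only a hint: anything can copy this layout, so the
        # follow-up is to verify the code signature on the engine file itself.
        out["verdict"] = "burn-pattern-verify-signature"
    else:
        out["verdict"] = "investigate"
    return out


# Entry copied from the original post, followed by two constructed entries.
FROM_POST = (r"Malware behavior blocking Terminate Registry High "
             r"C:\Documents and Settings\administrator.ADTEST\Local Settings\Temp"
             r"\{044fc46d-90ff-4769-9c96-28a774dcbd7a}\.be\copy-yvxrlsay.iz2-P9Agent.exe "
             r"Write HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
             r"\{044fc46d-90ff-4769-9c96-28a774dcbd7a}")
CONSTRUCTED_OTHER = (r"Malware behavior blocking Terminate Registry High "
                     r"C:\Temp\setup.exe Write "
                     r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\updater")
CONSTRUCTED_NON_AUTORUN = (r"Malware behavior blocking Terminate Registry High "
                           r"C:\Temp\setup.exe Write HKLM\SOFTWARE\Example\Settings")

if __name__ == "__main__":
    for line in (FROM_POST, CONSTRUCTED_OTHER, CONSTRUCTED_NON_AUTORUN):
        print(triage(line)["verdict"])
```

A `burn-pattern-verify-signature` verdict only narrows the question to the one the thread goes on to ask, namely whether the engine copy under `.be` carries a valid signature.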
Re: [WiX-users] Reopen Burn triggers virus checker - ID: 3431068
On 01/11/2012 01:23 PM, Peter Hull wrote:

> Hi Nikolaj!
> Could you comment on whether your installer was signed (the bundle and the actual engine which is unpacked out of it - see this link https://sourceforge.net/mailarchive/forum.php?thread_name=CAHdHTVc1c2h3QuYsiXWcR8A1Xtk38Z3W2KCyAvuP3hMjYqKAiA%40mail.gmail.com&forum_name=wix-users )

Yes, the bundle is signed with a Thawte code signing certificate and also the engine (msi) included is signed with the same certificate.

> I'm glad someone else has seen this problem, especially as you have more control over your environment than I do!

Me 2 as it is quite a problem not being able to install an exe created from WiX 3.6.

Does anyone have an idea how to debug this issue?

The MSI itself does not write to the RunOnce as far as I know

> Peter
>
> > Date: Wed, 11 Jan 2012 12:16:37 +0100
> > From: n...@panorama9.com
> > To: wix-users@lists.sourceforge.net
> > Subject: [WiX-users] Reopen Burn triggers virus checker - ID: 3431068
> >
> > We have built an EXE with WiX 3.6 beta which is detected by Trend Micro as Malware behavior and we are looking for the reason for this.
> >
> > This is the log entry from Trend Micro
> >
> > ---
> > Malware behavior blocking Terminate Registry High C:\Documents and Settings\administrator.ADTEST\Local Settings\Temp\{044fc46d-90ff-4769-9c96-28a774dcbd7a}\.be\copy-yvxrlsay.iz2-P9Agent.exe Write HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\{044fc46d-90ff-4769-9c96-28a774dcbd7a}
> > ---
> >
> > Snip from previous case:
> >
> > ---
> > Burn-based installers trigger Trend OfficeScan (v.10.5) when they write to the RunOnce registry key. The virus checker terminates the installer immediately.
> > ---
> >
> > We have a complete testing environment where we can tweak, monitor and reproduce this error and are more than willing to assist in debugging this issue.
> >
> > Please let me know anything we can provide to debug and solve this
> >
> > Regards
> > Nikolaj Steensgaard