Re: [WiX-users] Reopen Burn triggers virus checker - ID: 3431068

2012-01-13 Thread Nikolaj Steensgaard
On Fri, Jan 13, 2012 at 7:48 AM, Peter Hull peterhul...@hotmail.com wrote:


  Date: Thu, 12 Jan 2012 20:56:15 +0100
  From: n...@panorama9.com
   I would start by digitally signing your burn bundle.
 
 
  The bundle is already signed with a Thawte code signing certificate
 The reported file name looks more like it's the extracted engine than your
 bundle itself. Have you signed the engine?


I think we have only signed the bundle, so we are working on signing the
engine and retesting to see if it makes a difference.


  Either Trend Micro should change their detection mechanism regarding the
  RunOnce key, or
  the bundling framework of Burn should change its default behavior.
 From the Trend docs I saw it seemed to suggest that 'Malware Behaviour
 Monitoring' could be turned off (indeed, terminating programs like this was
 not the default) and also that signed executables were exempt. So maybe it
 is a bug in Trend that means it doesn't work as documented?


Maybe, but as this is the default setting for a Trend Micro installation it
is quite a problem.

 The other thing is that other installers (InstallShield) don't seem to do
 this, so does anyone understand how InstallShield handles the reboot issue?


Don't know, but it could be that they don't look in the RunOnce key as
default behavior in their engine and thereby don't have this issue?

Pete


 --
 RSA(R) Conference 2012
 Mar 27 - Feb 2
 Save $400 by Jan. 27
 Register now!
 http://p.sf.net/sfu/rsa-sfdev2dev2
 ___
 WiX-users mailing list
 WiX-users@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/wix-users




-- 
Best Regards
Nikolaj Steensgaard

Panorama9 A/S
Langebrogade 5
1411 Copenhagen K
Phone: +45 7020 3565
Mobile: +45 2124 3040
n...@panorama9.com

Panorama9 is an IT management platform that shows you everything you need
to know about your assets, IT availability, security vulnerabilities, and
non-compliant systems – from a single Dashboard that’s amazingly easy to
monitor and interpret. Your organization can cut IT costs through improved
uptime and as a cloud-based solution, there is no infrastructure to deploy
or manage. For more information - www.panorama9.com
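
The check discussed in the message above (is the extracted engine signed, or only the bundle?), as an added example that is not part of the original thread. It assumes the engine copy is extracted to `%TEMP%\{guid}\.be\` as in the Trend Micro log entry quoted in this thread; `$BundlePath` is a hypothetical parameter.

```powershell
# Added example (not from the thread). Reports whether a Burn bundle and the
# engine copies it extracts are Authenticode-signed, then lists RunOnce values.
param(
    [Parameter(Mandatory = $true)]
    [string]$BundlePath    # hypothetical: full path to your bundle .exe
)

function Get-SignatureSummary([string]$Path) {
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = ''
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    New-Object PSObject -Property @{ Path = $Path; Status = $sig.Status; Signer = $signer }
}

# 1. The bundle itself.
$results = @(Get-SignatureSummary $BundlePath)

# 2. Engine copies under %TEMP%\{guid}\.be\ (path shape taken from the log
#    entry in this thread; assumed to be where the engine is unpacked).
#    Run this while reproducing the problem, when the copy is on disk.
$guidDir = '^\{[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}$'
Get-ChildItem -Path $env:TEMP -Force |
    Where-Object { $_.PSIsContainer -and $_.Name -match $guidDir } |
    ForEach-Object {
        $be = Join-Path $_.FullName '.be'
        if (Test-Path -LiteralPath $be) {
            Get-ChildItem -LiteralPath $be -Filter *.exe -Force |
                ForEach-Object { $results += Get-SignatureSummary $_.FullName }
        }
    }
$results | Format-Table Status, Signer, Path -AutoSize -Wrap

# 3. Current RunOnce values: the key the behaviour monitor reported a write to.
$runOnce = Get-Item 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce' -ErrorAction SilentlyContinue
if ($runOnce) {
    foreach ($name in $runOnce.GetValueNames()) {
        '{0} = {1}' -f $name, $runOnce.GetValue($name)
    }
}
```

A `Status` of `NotSigned` on the `.be` copy while the bundle reports `Valid` means only the outer bundle was signed.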


Re: [WiX-users] Reopen Burn triggers virus checker - ID: 3431068

2012-01-12 Thread NIkolaj Steensgaard
On 01/12/2012 09:46 AM, Peter Hull wrote:
 From: r...@robmensching.com
 We'll need to teach this anti-virus program about Burn. Fortunately big
 programs, like Visual Studio, are using Burn and if it kills them I hope we
 can muster some change.
 So are you saying we need to raise this as an issue with Trend Micro?
I have been trying to debug this issue to answer that exact question!
 Is the program that actually writes the registry always the same? (I'm a bit 
 confused about what the stages are when a burn exe is run, particularly what 
 the burn engine is and what the burn agent is)
I will explain the issue in more detail to give better insight into what we 
are seeing.

For about a year we have been deploying our software, built with the WiX 
installer as an MSI package, and have not seen this issue.

Two months ago we created a bundled version (an exe built with WiX 3.6) 
that checked for .net 3.51 + Win install 3.1 and
installed them if needed before installing our software.

Then we got reports from clients about this issue occurring.

The bundled version is quite simple and only checks for the above 
mentioned software and downloads / installs it if needed.

A complete AD with Trend Micro Office Scan was established to reproduce 
the error, which we can.

Some things that we have noticed so far:

It only seems to occur on Windows XP for some reason. (This machine 
already has the needed .net and Win install, so it's not their installer 
that creates the problem.)
Our code does not at any time write to or read from the RunOnce key
Also as the previous reporter of this issue (ID: 3431068)

We will be trying to use SysInternals tools to get a debug of what's 
happening when the issue occurs, and post the result here.

Hope this helps in explaining the issue we are seeing, and we are more 
than happy to run any tests you suggest!!!

Nik



 Pete

   


Re: [WiX-users] Reopen Burn triggers virus checker - ID: 3431068

2012-01-12 Thread Nikolaj Steensgaard
On Thu, Jan 12, 2012 at 6:03 PM, Hoover, Jacob
jacob.hoo...@greenheck.com wrote:

 I would start by digitally signing your burn bundle.


The bundle is already signed with a Thawte code signing certificate


 Most anti-virus
 software provides more leeway to signed executables. If your bundle is
 static, then you could also submit it to Trend Micro as a false
 positive.  Most AV vendors will update their signatures to work around
 false positives in a timely manner.


Yes, but our bundle is dynamic as the version of the software changes.


 The RunOnce key, from what I read in Rob's response, is written to from
 the bundling framework of burn. It is done proactively rather than as
 needed.


So isn't that really the issue then?

Either Trend Micro should change their detection mechanism regarding the
RunOnce key, or
the bundling framework of Burn should change its default behavior.

I have already tried to get in contact with Trend Micro through several
channels without luck and
have also submitted a request to get access to Reputation Service and
Verification Portal (RSVP).

Looking in the Trend Micro software there doesn't seem to be a way to turn
the Malware detection feature







-- 
Best Regards
Nikolaj Steensgaard

Panorama9 A/S
Langebrogade 5
1411 Copenhagen K
Phone: +45 7020 3565
Mobile: +45 2124 3040
n...@panorama9.com


[WiX-users] Reopen Burn triggers virus checker - ID: 3431068

2012-01-11 Thread NIkolaj Steensgaard
We have built an EXE with WiX 3.6 beta which is detected by Trend Micro 
as malware behavior, and
we are looking for the reason for this.

This is the log entry from Trend Micro:
---
Malware behavior blocking Terminate Registry High
C:\Documents and Settings\administrator.ADTEST\Local Settings\Temp\{044fc46d-90ff-4769-9c96-28a774dcbd7a}\.be\copy-yvxrlsay.iz2-P9Agent.exe
Write HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\{044fc46d-90ff-4769-9c96-28a774dcbd7a}
---

Snip from previous case:
---
Burn-based installers trigger Trend OfficeScan (v.10.5) when they write 
to the RunOnce registry key.
The virus checker terminates the installer immediately.
---

We have a complete testing environment where we can tweak, monitor and 
reproduce this error and are more than
willing to assist in debugging this issue.

Please let me know anything we can provide to debug and solve this.

Regards

Nikolaj Steensgaard


--
Ridiculously easy VDI. With Citrix VDI-in-a-Box, you don't need a complex
infrastructure or vast IT resources to deliver seamless, secure access to
virtual desktops. With this all-in-one solution, easily deploy virtual 
desktops for less than the cost of PCs and save 60% on VDI infrastructure 
costs. Try it free! http://p.sf.net/sfu/Citrix-VDIinabox




Re: [WiX-users] Reopen Burn triggers virus checker - ID: 3431068

2012-01-11 Thread NIkolaj Steensgaard
On 01/11/2012 01:23 PM, Peter Hull wrote:

 Hi Nikolaj!

 Could you comment on whether your installer was signed (the bundle and the 
 actual engine which is unpacked out of it - see this link 
 https://sourceforge.net/mailarchive/forum.php?thread_name=CAHdHTVc1c2h3QuYsiXWcR8A1Xtk38Z3W2KCyAvuP3hMjYqKAiA%40mail.gmail.comforum_name=wix-users
  )
Yes, the bundle is signed with a Thawte code signing certificate, and 
the engine (MSI) included is also signed with the same certificate.

 I'm glad someone else has seen this problem, especially as you have more 
 control over your environment than I do!
Me too, as it is quite a problem not being able to install an exe created 
from WiX 3.6.
Does anyone have an idea how to debug this issue?

The MSI itself does not write to the RunOnce key as far as I know.

 Peter



