digitalmars.D - Code signing to help with Windows virus false positives
- Brad Anderson (18/18) Aug 15 2016 With all of the issues people are having with Windows Defender
- Basile B. (3/21) Aug 15 2016 Do you think that a certificate prevents an antivirus to scan an
- Basile B. (6/17) Aug 15 2016 Mmmh I discredit myself, I meant rolling on floor laughing...
- ketmar (2/3) Aug 15 2016 exactly.
- Brad Anderson (19/43) Aug 15 2016 No. Of course not.
- Seb (6/17) Aug 15 2016 Unfortunately until Walter agrees to introduce some moderation
- Basile B. (8/28) Aug 15 2016 It's not trolling (unless you define trolling as "everything that
- Seb (5/15) Aug 15 2016 Sorry for my harsh words, but Brad had an idea (and even offered
- Mike Parker (9/17) Aug 15 2016 Is there some threshold for a bug report to be considered
- Basile B. (9/26) Aug 15 2016 Ok ok ok. It's been something like three hours I've been thinking
- Ethan Watson (16/18) Aug 15 2016 This is not the first time this is a problem.
- Kagamin (4/6) Aug 16 2016 Well, nothing can be said for sure as nobody bothered with data,
- Martin Nowak (3/6) Aug 20 2016 Don't see any F-Secure problem for dmd-2.071.1.exe.
- Ethan Watson (12/12) Nov 03 2016 http://imgur.com/5DnCWYw
- Andrei Alexandrescu (2/6) Nov 03 2016 That would be awesome. Thanks! -- Andrei
- Basile B. (3/31) Aug 15 2016 If the origin of the problem is NSIS then in a first time it
- Martin Nowak (6/11) Aug 20 2016 We already had that in our backlog b/c maintaining the NSIS
- Martin Nowak (2/16) Aug 20 2016 https://trello.com/c/pDvkBVVZ/70-switch-windows-installer-to-msi-using-i...
- Basile B. (4/20) Aug 20 2016 "to MSI using innosetup" ?
- Martin Nowak (12/15) Oct 10 2016 Whatever makes more sense. From my very limited understanding
- Thomas Mader (10/26) Oct 10 2016 I worked with NSIS and InnoSetup. InnoSetup is much cleaner and
- Thomas Mader (3/12) Oct 11 2016 I was right. We create the MSI package out of the InnoSetup
- Bob Arnson (5/17) Oct 15 2016 That's not an MSI installer, it's an Inno installer wrapped in an
- Bob Arnson (14/25) Oct 15 2016 InnoSetup is like NSIS in that it builds an .exe that does the
- Kagamin (4/7) Aug 16 2016 DevExpress components are distributed as an encrypted
With all of the issues people are having with Windows Defender now would be a good time to start code signing the Windows installer and binaries (doing this is the first thing Microsoft suggests on their page for Software Developers about Windows Defender false positives). I propose the D Foundation acquire a code signing certificate and we start using it for releases. Alternatively any well known organization member could be the signer (having "The D Foundation" on the popup sure would look nice though). I'd be happy to put my money where my mouth is and chip in some of the money to cover the certificate cost. I've used StartSSL's code signing certificates successfully for this purpose but I imagine any vendor will do. The biggest hassle is certificate format conversion but once you've got the certificate in the Windows certificate store signing is just a command line call that can be easily scripted. There is already an issue created for this here: https://issues.dlang.org/show_bug.cgi?id=16065
Aug 15 2016
On Monday, 15 August 2016 at 17:05:32 UTC, Brad Anderson wrote:
> With all of the issues people are having with Windows Defender now would be a good time to start code signing the Windows installer and binaries (doing this is the first thing Microsoft suggests on their page for Software Developers about Windows Defender false positives). I propose the D Foundation acquire a code signing certificate and we start using it for releases. Alternatively any well known organization member could be the signer (having "The D Foundation" on the popup sure would look nice though). I'd be happy to put my money where my mouth is and chip in some of the money to cover the certificate cost. I've used StartSSL's code signing certificates successfully for this purpose but I imagine any vendor will do. The biggest hassle is certificate format conversion but once you've got the certificate in the Windows certificate store signing is just a command line call that can be easily scripted. There is already an issue created for this here: https://issues.dlang.org/show_bug.cgi?id=16065

Do you think that a certificate prevents an antivirus to scan an executable ? I'm laughing out of loud here.
Aug 15 2016
On Monday, 15 August 2016 at 18:52:03 UTC, Basile B. wrote:
> On Monday, 15 August 2016 at 17:05:32 UTC, Brad Anderson wrote:
>> With all of the issues people are having with Windows Defender now would be a good time to start code signing the Windows installer and binaries (doing this is the first thing Microsoft suggests on their page for Software Developers about Windows Defender false positives). I propose the D Foundation acquire a code signing certificate and we start using it for releases. [...]
> Do you think that a certificate prevents an antivirus to scan an executable ? I'm laughing out of loud here.

Mmmh I discredit myself, I meant rolling on floor laughing... Anyway do you imagine the AV publisher policy against dev, "If your binaries are signed, we promise, you won't have false positive..." i.e: "buy a certificate". How this is called in everyday's world ? racketeering ?
Aug 15 2016
On Monday, 15 August 2016 at 19:08:56 UTC, Basile B. wrote:
> How this is called in everyday's world ? racketeering ?

exactly.
Aug 15 2016
On Monday, 15 August 2016 at 18:52:03 UTC, Basile B. wrote:
> On Monday, 15 August 2016 at 17:05:32 UTC, Brad Anderson wrote:
>> With all of the issues people are having with Windows Defender now would be a good time to start code signing the Windows installer and binaries (doing this is the first thing Microsoft suggests on their page for Software Developers about Windows Defender false positives). I propose the D Foundation acquire a code signing certificate and we start using it for releases. Alternatively any well known organization member could be the signer (having "The D Foundation" on the popup sure would look nice though). I'd be happy to put my money where my mouth is and chip in some of the money to cover the certificate cost. I've used StartSSL's code signing certificates successfully for this purpose but I imagine any vendor will do. The biggest hassle is certificate format conversion but once you've got the certificate in the Windows certificate store signing is just a command line call that can be easily scripted. There is already an issue created for this here: https://issues.dlang.org/show_bug.cgi?id=16065
> Do you think that a certificate prevents an antivirus to scan an executable ? I'm laughing out of loud here.

No. Of course not. To quote Microsoft: "Signing your program’s files in a consistent manner, with a digital certificate issued by a trusted root authority, helps our research team quickly identify the source of a program and apply previously gained knowledge. In some cases this can result in your program being quickly added to the known list or, far less frequently, in adding your digital certificate to a list of trusted publishers."

At work we added class 3 code signing and it helped quite a bit with McAfee's warnings about our software for end users. In that case it was warnings about new releases of our software that hadn't had many installs yet. Microsoft isn't selling certificates (though it'd be nice if they offered them like Apple does although with Apple you have to get a DUNS number which I'm sure you consider a scam as well).

Please share your suggestions for how to help with the false positive issue (or just continue laughing in ignorance based on an assumption of something I never said).
Aug 15 2016
On Monday, 15 August 2016 at 19:58:14 UTC, Brad Anderson wrote:
> At work we added class 3 code signing and it helped quite a bit with McAfee's warnings about our software for end users. In that case it was warnings about new releases of our software that hadn't had many installs yet. Microsoft isn't selling certificates (though it'd be nice if they offered them like Apple does although with Apple you have to get a DUNS number which I'm sure you consider a scam as well). Please share your suggestions for how to help with the false positive issue (or just continue laughing in ignorance based on an assumption of something I never said).

Unfortunately until Walter agrees to introduce some moderation around here, you need to ignore the trolls - they feed from negative energy (OT: https://www.youtube.com/watch?v=FMEe7JqBgvg). I think it's a great idea & you should definitely get in touch with the Martin Nowak!
Aug 15 2016
On Monday, 15 August 2016 at 20:07:30 UTC, Seb wrote:
> On Monday, 15 August 2016 at 19:58:14 UTC, Brad Anderson wrote:
>> At work we added class 3 code signing and it helped quite a bit with McAfee's warnings about our software for end users. In that case it was warnings about new releases of our software that hadn't had many installs yet. Microsoft isn't selling certificates (though it'd be nice if they offered them like Apple does although with Apple you have to get a DUNS number which I'm sure you consider a scam as well). Please share your suggestions for how to help with the false positive issue (or just continue laughing in ignorance based on an assumption of something I never said).
> Unfortunately until Walter agrees to introduce some moderation around here, you need to ignore the trolls - they feed from negative energy (OT: https://www.youtube.com/watch?v=FMEe7JqBgvg). I think it's a great idea & you should definitely get in touch with the Martin Nowak!

It's not trolling (unless you define trolling as "everything that goes against my position"), I just exposed my arguments. I'm afraid to see people overreacting in front of a minor and temporary problem. It seems that 3 or 4 posts are considered enough to act but you (the "pro-certificate-ppl") do not try to see why 3 or 4 posts could be "not enough"), i.e you are biased. You are about to act just because of what's happening right now.
Aug 15 2016
On Monday, 15 August 2016 at 20:43:59 UTC, Basile B. wrote:
> It's not trolling (unless you define trolling as "everything that goes against my position"), I just exposed my arguments. I'm afraid to see people overreacting in front of a minor and temporary problem. It seems that 3 or 4 posts are considered enough to act but you (the "pro-certificate-ppl") do not try to see why 3 or 4 posts could be "not enough"), i.e you are biased. You are about to act just because of what's happening right now.

Sorry for my harsh words, but Brad had an idea (and even offered his _personal_ money) & you immediately replied:

> I'm laughing out of loud here.
> Mmmh I discredit myself, I meant rolling on floor laughing...

A fruitful discussion is often based on offering good alternative proposals ;-)
Aug 15 2016
On Monday, 15 August 2016 at 20:43:59 UTC, Basile B. wrote:
> It's not trolling (unless you define trolling as "everything that goes against my position"), I just exposed my arguments. I'm afraid to see people overreacting in front of a minor and temporary problem. It seems that 3 or 4 posts are considered enough to act but you (the "pro-certificate-ppl") do not try to see why 3 or 4 posts could be "not enough"), i.e you are biased. You are about to act just because of what's happening right now.

Is there some threshold for a bug report to be considered actionable? Aside from that, given that a small percentage of D users actually post in the forums, four posts on the same issue is something that ought to be taken as a problem. There's no way to know how many have encountered it and just decided to go elsewhere. It's not about being "pro-certificate", but about solving a problem that's potentially damaging to the perception of D.
Aug 15 2016
On Monday, 15 August 2016 at 23:58:01 UTC, Mike Parker wrote:
> On Monday, 15 August 2016 at 20:43:59 UTC, Basile B. wrote:
>> It's not trolling (unless you define trolling as "everything that goes against my position"), I just exposed my arguments. I'm afraid to see people overreacting in front of a minor and temporary problem. It seems that 3 or 4 posts are considered enough to act but you (the "pro-certificate-ppl") do not try to see why 3 or 4 posts could be "not enough"), i.e you are biased. You are about to act just because of what's happening right now.
> Is there some threshold for a bug report to be considered actionable? Aside from that, given that a small percentage of D users actually post in the forums, four posts on the same issue is something that ought to be taken as a problem. There's no way to know how many have encountered it and just decided to go elsewhere. It's not about being "pro-certificate", but about solving a problem that's potentially damaging to the perception of D.

Ok ok ok. It's been something like three hours I've been thinking to this. Clearly I've exposed my **own POV** about some stuff I don't like about what Windows is becoming. But for the good of everybody (i.e I forget my own little griefs) that would be certainly nice to have a certificate for the D foundation. But it won't change the fact that once setup quietly thanks to the certificate...the language and standard libraries issues are still there ;)
Aug 15 2016
On Monday, 15 August 2016 at 20:43:59 UTC, Basile B. wrote:
> I'm afraid to see people overreacting in front of a minor and temporary problem.

This is not the first time this is a problem. Our scanner at Remedy regularly used to block code sent to and from Walter at the email level. Sometimes things just wouldn't be received on either side. Our scanner also used to pick up the DMD that we shipped to our work environments until we added an exception for it.

I just put a clean install of Visual Studio and Visual D on this laptop in case some people want to see some D stuff after my talk today. Windows Defender blocked my download of DMD.

D code seems to be sufficiently different that virus scanners get confused. Both Windows Defender and F-Secure complained about it being the same trojan in fact.

This cannot be a problem if we expect people to get in to the language. If the first stop download is picked up as a virus? This is unbelievably bad.
Aug 15 2016
On Tuesday, 16 August 2016 at 05:38:00 UTC, Ethan Watson wrote:
> D code seems to be sufficiently different that virus scanners get confused.

Well, nothing can be said for sure as nobody bothered with data, but if all assumptions are met, one thing to try is to compile with msvc toolchain and/or ldc and see if it makes a difference.
Aug 16 2016
On Tuesday, 16 August 2016 at 05:38:00 UTC, Ethan Watson wrote:
> D code seems to be sufficiently different that virus scanners get confused. Both Windows Defender and F-Secure complained about it being the same trojan in fact.

Don't see any F-Secure problem for dmd-2.071.1.exe. https://virustotal.com/en/file/7f7fc5c7707425bcde05cf2e6b5e1f35358061d9adb870bd4e943bf9973f9bbe/analysis/
Aug 20 2016
http://imgur.com/5DnCWYw One of our guys just tried compiling and running a simple Hello World program. F-Secure jumped right in. Code signing the compiler isn't enough. It's been a persistent problem around here with DMD generated binaries that F-Secure will pick it up. Needless to say, if this happens out in the wild with one of our games you won't want me to paste a single line from the feedback we'll get about the game not working. Turns out we have some good contacts at F-Secure though. So I can see about getting the problem fixed at the detection level - and because of the way the security community operates, that knowledge should flush across to things like Windows Defender.
Nov 03 2016
On 11/3/16 7:34 AM, Ethan Watson wrote:
> Turns out we have some good contacts at F-Secure though. So I can see about getting the problem fixed at the detection level - and because of the way the security community operates, that knowledge should flush across to things like Windows Defender.

That would be awesome. Thanks! -- Andrei
Nov 03 2016
On Monday, 15 August 2016 at 19:58:14 UTC, Brad Anderson wrote:
> On Monday, 15 August 2016 at 18:52:03 UTC, Basile B. wrote:
>> On Monday, 15 August 2016 at 17:05:32 UTC, Brad Anderson wrote:
>>> With all of the issues people are having with Windows [...] There is already an issue created for this here: https://issues.dlang.org/show_bug.cgi?id=16065
>> Do you think that a certificate prevents an antivirus to scan an executable ? I'm laughing out of loud here.
> No. Of course not. To quote Microsoft: "Signing your program’s files in a consistent manner, with a digital certificate issued by a trusted root authority, helps our research team quickly identify the source of a program and apply previously gained knowledge. In some cases this can result in your program being quickly added to the known list or, far less frequently, in adding your digital certificate to a list of trusted publishers." At work we added class 3 code signing and it helped quite a bit with McAfee's warnings about our software for end users. In that case it was warnings about new releases of our software that hadn't had many installs yet. Microsoft isn't selling certificates (though it'd be nice if they offered them like Apple does although with Apple you have to get a DUNS number which I'm sure you consider a scam as well). Please share your suggestions for how to help with the false positive issue (or just continue laughing in ignorance based on an assumption of something I never said).

If the origin of the problem is NSIS then in a first time it would be worth trying InnoSetup or also a MSI installer.
Aug 15 2016
On Monday, 15 August 2016 at 20:47:10 UTC, Basile B. wrote:
>> Please share your suggestions for how to help with the false positive issue (or just continue laughing in ignorance based on an assumption of something I never said).
> If the origin of the problem is NSIS then in a first time it would be worth trying InnoSetup or also a MSI installer.

We already had that in our backlog b/c maintaining the NSIS installer is a mess. Let's try to build a proper MSI installer w/ InnoSetup. https://issues.dlang.org/show_bug.cgi?id=15284#c20 http://forum.dlang.org/post/gjdwctcoakpfxzyjdgzw forum.dlang.org
Aug 20 2016
On 08/20/2016 03:21 PM, Martin Nowak wrote:
> On Monday, 15 August 2016 at 20:47:10 UTC, Basile B. wrote:
>>> Please share your suggestions for how to help with the false positive issue (or just continue laughing in ignorance based on an assumption of something I never said).
>> If the origin of the problem is NSIS then in a first time it would be worth trying InnoSetup or also a MSI installer.
> We already had that in our backlog b/c maintaining the NSIS installer is a mess. Let's try to build a proper MSI installer w/ InnoSetup. https://issues.dlang.org/show_bug.cgi?id=15284#c20 http://forum.dlang.org/post/gjdwctcoakpfxzyjdgzw forum.dlang.org

https://trello.com/c/pDvkBVVZ/70-switch-windows-installer-to-msi-using-innosetup
Aug 20 2016
On Saturday, 20 August 2016 at 13:26:03 UTC, Martin Nowak wrote:
> On 08/20/2016 03:21 PM, Martin Nowak wrote:
>> On Monday, 15 August 2016 at 20:47:10 UTC, Basile B. wrote:
>>>> Please share your suggestions for how to help with the false positive issue (or just continue laughing in ignorance based on an assumption of something I never said).
>>> If the origin of the problem is NSIS then in a first time it would be worth trying InnoSetup or also a MSI installer.
>> We already had that in our backlog b/c maintaining the NSIS installer is a mess. Let's try to build a proper MSI installer w/ InnoSetup. https://issues.dlang.org/show_bug.cgi?id=15284#c20 http://forum.dlang.org/post/gjdwctcoakpfxzyjdgzw forum.dlang.org
> https://trello.com/c/pDvkBVVZ/70-switch-windows-installer-to-msi-using-innosetup

"to MSI using innosetup" ? There's a misunderstanding here. Inno setup doesn't compile to MS installer, it's a complete independent solution.
Aug 20 2016
On Saturday, 20 August 2016 at 13:45:11 UTC, Basile B. wrote:
> "to MSI using innosetup" ? There's a misunderstanding here. Inno setup doesn't compile to MS installer, it's a complete independent solution.

Whatever makes more sense. From my very limited understanding .msi installers are natively understood installers in Windows, and the weapon of choice for robust and more professional installers. If innosetup is just another NSIS like tool, it might not solve all our problems.

We're fairly clueless here and could really use help here. Just signing the NSIS installers could work for now, any support for this hypothesis. I tried to submit the latest release as sample to Microsoft but their file upload had a size limit smaller than the binary.
Oct 10 2016
On Tuesday, 11 October 2016 at 01:37:55 UTC, Martin Nowak wrote:
> On Saturday, 20 August 2016 at 13:45:11 UTC, Basile B. wrote:
>> "to MSI using innosetup" ? There's a misunderstanding here. Inno setup doesn't compile to MS installer, it's a complete independent solution.
> Whatever makes more sense. From my very limited understanding .msi installers are natively understood installers in Windows, and the weapon of choice for robust and more professional installers. If innosetup is just another NSIS like tool, it might not solve all our problems. We're fairly clueless here and could really use help here. Just signing the NSIS installers could work for now, any support for this hypothesis. I tried to submit the latest release as sample to Microsoft but their file upload had a size limit smaller than the binary.

I worked with NSIS and InnoSetup. InnoSetup is much cleaner and easier. At work we switched from NSIS to InnoSetup and we create MSI packages from NSIS and InnoSetup packages IIRC. I think it's better to go with InnoSetup because it might be more easy and probably more powerful than building MSI directly. But I don't have any experience with building an MSI installer and the feature set of MSI. We are also signing the installer and all exe and DLLs inside.
Oct 10 2016
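Brad Anderson's opening post describes signing as a scriptable command-line call once the certificate is in the Windows certificate store, and Thomas Mader's post describes signing the installer and every exe and DLL inside it. An added PowerShell example of that release step follows; it is not code from the thread or from the D release scripts, and the thumbprint, timestamp URL, staging directory, installer path and the `BuildInstaller` hook are all hypothetical parameters the caller supplies:

```powershell
# Added example: Authenticode-sign the release binaries, then the installer,
# and fail the job if any file does not verify. Every parameter value is a
# placeholder supplied by the caller; none of them come from the thread.
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string] $Thumbprint,     # code signing cert in the user store
    [Parameter(Mandatory)] [string] $TimestampUrl,   # timestamp service of the issuing CA
    [Parameter(Mandatory)] [string] $StagingDir,     # files that end up inside the installer
    [Parameter(Mandatory)] [string] $InstallerPath,  # installer built from $StagingDir
    [scriptblock] $BuildInstaller = { }              # hypothetical hook that runs the installer build
)

$ErrorActionPreference = 'Stop'

# -CodeSigningCert restricts the lookup to certificates valid for code signing.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.Thumbprint -eq $Thumbprint } |
    Select-Object -First 1
if (-not $cert) { throw "No code signing certificate with thumbprint $Thumbprint" }
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key on this machine' }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)" }

function Invoke-Sign {
    param([string[]] $Path)
    foreach ($file in $Path) {
        # The timestamp keeps the signature verifiable after the certificate expires.
        $result = Set-AuthenticodeSignature -FilePath $file -Certificate $cert `
            -HashAlgorithm SHA256 -TimestampServer $TimestampUrl
        if ($result.Status -ne 'Valid') {
            throw "Signing failed for ${file}: $($result.StatusMessage)"
        }
    }
}

function Test-Signed {
    param([string[]] $Path)
    foreach ($file in $Path) {
        $sig = Get-AuthenticodeSignature -FilePath $file
        # Valid status, signed by the expected certificate, and timestamped.
        $ok = $sig.Status -eq 'Valid' -and
              $sig.SignerCertificate.Thumbprint -eq $cert.Thumbprint -and
              $null -ne $sig.TimeStamperCertificate
        [pscustomobject]@{ File = $file; Status = $sig.Status; Ok = $ok }
    }
}

# 1. Sign the binaries before packaging so the installed files are signed too.
$inner = Get-ChildItem -Path $StagingDir -Recurse -File -Include *.exe, *.dll |
    Select-Object -ExpandProperty FullName
Invoke-Sign -Path $inner

# 2. Build the installer from the signed staging directory, then sign it.
& $BuildInstaller
Invoke-Sign -Path $InstallerPath

# 3. Re-verify everything; a non-zero exit code stops the release job.
$report = Test-Signed -Path (@($inner) + $InstallerPath)
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Ok }) { exit 1 }
```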
On Tuesday, 11 October 2016 at 06:09:03 UTC, Thomas Mader wrote:
> I worked with NSIS and InnoSetup. InnoSetup is much cleaner and easier. At work we switched from NSIS to InnoSetup and we create MSI packages from NSIS and InnoSetup packages IIRC. I think it's better to go with InnoSetup because it might be more easy and probably more powerful than building MSI directly. But I don't have any experience with building an MSI installer and the feature set of MSI. We are also signing the installer and all exe and DLLs inside.

I was right. We create the MSI package out of the InnoSetup executable with a minimal xml config for WiX.
Oct 11 2016
On Wednesday, 12 October 2016 at 06:39:05 UTC, Thomas Mader wrote:
> On Tuesday, 11 October 2016 at 06:09:03 UTC, Thomas Mader wrote:
>> I worked with NSIS and InnoSetup. InnoSetup is much cleaner and easier. At work we switched from NSIS to InnoSetup and we create MSI packages from NSIS and InnoSetup packages IIRC. I think it's better to go with InnoSetup because it might be more easy and probably more powerful than building MSI directly. But I don't have any experience with building an MSI installer and the feature set of MSI. We are also signing the installer and all exe and DLLs inside.
> I was right. We create the MSI package out of the InnoSetup executable with a minimal xml config for WiX.

That's not an MSI installer, it's an Inno installer wrapped in an .msi package. It doesn't solve false antivirus positives because the antivirus engines simply monitor the Inno installer getting extracted and executed.
Oct 15 2016
On Tuesday, 11 October 2016 at 01:37:55 UTC, Martin Nowak wrote:
> Whatever makes more sense. From my very limited understanding .msi installers are natively understood installers in Windows, and the weapon of choice for robust and more professional installers. If innosetup is just another NSIS like tool, it might not solve all our problems.

InnoSetup is like NSIS in that it builds an .exe that does the file copying, registry writing, downloading, executing, and so forth. MSI packages are "executed" by the MSI engine built into the OS -- the logic is in the OS, the data is in the MSI package.

> We're fairly clueless here and could really use help here. Just signing the NSIS installers could work for now, any support for this hypothesis. I tried to submit the latest release as sample to Microsoft but their file upload had a size limit smaller than the binary.

Getting past the antivirus gauntlet is mostly about (1) signing and (2) submitting installers until they get tired of blocking you. The two go hand-in-hand because it's basically building up a history of trusted behavior. I don't know that NSIS is any worse or better than Inno about triggering antivirus. If that's your primary goal, it might not be worth a big porting job.

Bob (co-BDFL, WiX toolset, http://wixtoolset.org/, https://www.joyofsetup.com/)
Oct 15 2016
On Monday, 15 August 2016 at 19:58:14 UTC, Brad Anderson wrote:
> Please share your suggestions for how to help with the false positive issue (or just continue laughing in ignorance based on an assumption of something I never said).

DevExpress components are distributed as an encrypted self-extracting 7zip archive. No idea why, but might fool Windows Defender from doing anything.
Aug 16 2016