False Positives

February 24, 2012

Since we released SharedSafe in August 2011, a number of virus scanners have detected our downloadable executable as a virus. Luckily, as of today, the latest build of SharedSafe no longer causes any false virus warnings.

But why was that happening?

SharedSafe is a .NET application. To be sure that the right Windows Installer is available and the .NET framework is installed, it needs a bootstrapper. The problem here is that you cannot combine a regular bootstrapper with the MSI file that instructs the Windows Installer how to install the application. So you end up with two files, the Setup.exe and the MSI file.

So we bought another component that zips the bootstrapper and the MSI file together, magically puts its own startup code before the zip part, and wraps that in an executable.

The final executable contains the startup code + zip, which contains a Setup.exe and an MSI. And that was probably too obscure for some "heuristic" virus scan algorithms.
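To see the layering a scanner has to unpack, the following added example (not SharedSafe's code or the packaging component's) locates a zip archive appended to an executable stub and identifies each member by its magic bytes. The sample input is constructed: the stub is placeholder bytes rather than a real PE, and the member name `Product.msi` is hypothetical.

```python
import io
import zipfile

MAGICS = {
    b"MZ": "PE executable",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "OLE compound file (MSI)",
}

def classify(head: bytes) -> str:
    """Name a file type from its leading magic bytes."""
    for magic, name in MAGICS.items():
        if head.startswith(magic):
            return name
    return "unknown"

def build_sample() -> bytes:
    """Constructed sample: placeholder stub bytes followed by a zip archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Setup.exe", b"MZ" + b"\x00" * 62)  # placeholder bootstrapper
        zf.writestr("Product.msi", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 56)
    stub = b"MZ" + b"\x00" * 510  # stands in for the startup code; not a real PE
    return stub + buf.getvalue()

def inspect_wrapper(data: bytes) -> dict:
    """Report the outer file type, where the appended zip starts, and its members."""
    report = {"outer": classify(data[:8]), "zip_offset": None, "members": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return report  # no zip appended: nothing nested to explain
    with zf:
        infos = zf.infolist()
        if infos:
            # zipfile adds the length of any prepended data to header_offset,
            # so the smallest value is where the stub ends and the zip begins.
            report["zip_offset"] = min(i.header_offset for i in infos)
        for info in infos:
            with zf.open(info) as fh:
                head = fh.read(8)
            report["members"].append((info.filename, info.file_size, classify(head)))
    return report

if __name__ == "__main__":
    result = inspect_wrapper(build_sample())
    print(result["outer"], "with zip at offset", result["zip_offset"])
    for name, size, kind in result["members"]:
        print(f"  {name}: {size} bytes, {kind}")
```

Output like this, attached to a false positive report, shows the vendor that the executable is a plain stub-plus-zip wrapper around an installer pair.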

For each version released, we checked SharedSafe on Jotti's online scanner and sent a false positive report to the companies that were producing the virus scanners. Some of them were responsive and corrected the problem in their next update. Some of them did not respond at all.

Well, happy ending, at last... Let's see what happens when we use different startup code for an upcoming version of SharedSafe that runs .NET 4 ;)