Trend Micro Antivirus blocks use of RunOnce #5482

Closed
miracle152004 opened this issue Jan 30, 2017 · 11 comments

@miracle152004

  • Which version of WiX are you building with?
    3.10.3.3007

  • Which version of .NET are you building with?
    4.6.1

  • If the problem occurs when installing your packages built with WiX, what is the version of Windows the package is running on?
    Windows 7

  • Describe the problem and the steps to reproduce it.
    Creating a bundle installation of multiple MSIs using a .NET application which calls the Windows Installer XML command line tools, containing a custom bootstrapper application, raises an "unauthorized changes" error in Trend Micro antivirus and the bootstrapper application is blocked.
    This only happens if you are signing the custom bootstrapper using insignia to detach, then sign with signtool and reattach the engine.

```csharp
// Requires: using System.Diagnostics; using System.IO;
// SignFile, basePath, bundlefile, bundleEngineFile and ExecutingAssemblyPath
// are defined elsewhere in the poster's application.

// DETACH engine.exe
ProcessStartInfo startInfo = new ProcessStartInfo();
startInfo.FileName = Path.Combine(Path.GetDirectoryName(System.Reflection.Assembly.GetExecutingAssembly().Location), "Wix-Tools", "insignia.exe");
startInfo.Arguments = " -ib " + "\"" + bundlefile + "\" -o \"" + bundleEngineFile + "\"";
Process p = Process.Start(startInfo);
p.WaitForExit();

// SIGN engine.exe
SignFile(basePath, bundleEngineFile);

// REATTACH engine.exe
startInfo = new ProcessStartInfo();
startInfo.FileName = Path.Combine(ExecutingAssemblyPath, "Wix-Tools", "insignia.exe");
startInfo.Arguments = " -ab " + "\"" + bundleEngineFile + "\" " + "\"" + bundlefile + "\" -o \"" + bundlefile + "\"";
p = Process.Start(startInfo);
p.WaitForExit();

// SIGN empower setup
SignFile(basePath, bundlefile);
```

This does not happen if you are using a Standard BootstrapperApplication:

and using the code from above.

Also if you are signing the bundle engine and the bundle file using msbuild this error does not occur:





Trend Micro logs the error when the custom bootstrapper application tries to write the RunOnce entry into the HKCU.

  • Describe the behavior you expected and how it differed from the actual behavior.
    The Setup should be installed without the antivirus saying it is a threat.

Currently I do not know why this error occurs and how to prevent it.
Could you please take a look.
Thanks.

Best regards
Christopher Black

@barnson
Member

barnson commented Jan 30, 2017

Please post details of the Trend Micro error.

@miracle152004
Author

Hi,

this is the information I get after exporting the threat:
[image]

This is a screenshot of the details screen:
[image]

@miracle152004
Author

Sorry, used the wrong button. Just wanted to comment.

@barnson
Member

barnson commented Jan 31, 2017

Is this a problem when building or running the bundle? The error is at runtime but most of the issue is about building.

@miracle152004
Author

This is a problem when running the bundle on a different system which has the antivirus software installed. Currently it only happens with Trend Micro, every other encountered antivirus works without issues.

@miracle152004
Author

Since today I am also getting this error if I am using a Standard UI.

Same error that the run once registry key cannot be written.

@barnson changed the title from "Creating a signed bundle is identified as threat by Trend Micro Antivirus" to "Trend Micro Antivirus blocks use of RunOnce" on Feb 14, 2017
@barnson added this to the v4.0 milestone on Feb 14, 2017
@barnson added the burn label on Feb 14, 2017

@ghost

ghost commented Mar 22, 2017

Actually the same issue is with Symantec Endpoint. When we try to sign the engine.exe, Symantec Endpoint thinks this is a Heuristic Virus and deletes the engine.exe file.

@Saravana1010

Try to run the Bootstrapper setup exe in "Run as administrator" mode. If it works, then we may find a different approach to resolve this issue.

@rseanhall
Contributor

From the discussion in https://www.firegiant.com/blog/2020/12/22/wix-online-meeting-202-highlights/:

We use the RunOnce key in the way that it was intended to be used - to complete installation after a reboot (or the machine loses power, etc). While it may be possible to use some other Windows functionality to schedule ourselves to run after a reboot, doing so would risk even more false positives from antivirus software since RunOnce is the way you're supposed to do that. We have no plans to change how we're using RunOnce, but if someone comes up with a proposal that meets all of the functionality we need while still being secure then we'll be happy to review it.

@rseanhall removed this from the v4.0 milestone on Dec 22, 2020

@allenlooplee

I'm struggling with this RunOnce issue with anti-virus. I think there should be a chance for the user to opt out of this "feature" if we don't need it.

@rseanhall
Contributor

This issue was tracking how to keep the current functionality without triggering anti-virus. If you want to opt out of this functionality, you should create a new feature request for that.
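
For triaging alerts like the ones reported in this thread, the following is an added PowerShell example (not from the thread or the WiX project) that lists the RunOnce values for the current user and the machine and reports the Authenticode status of the executable each value launches. The function names are hypothetical; the registry paths are the standard Windows RunOnce locations.

```powershell
# Added example (not WiX code): list RunOnce values and the signature state of
# the executable each one launches, to help triage an AV alert on a RunOnce write.

function Get-CommandExecutable {
    param([string] $CommandLine)
    # Quoted path: "C:\path with spaces\setup.exe" args...
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    # Unquoted: take everything up to the first whitespace. An unquoted path
    # that contains spaces is truncated here and reported as TargetNotFound.
    if ($CommandLine -match '^\s*(\S+)') { return $Matches[1] }
    return $null
}

function Get-RunOnceReport {
    param(
        [string[]] $KeyPath = @(
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
        )
    )
    foreach ($key in $KeyPath) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            $command = [string]$item.GetValue($name)
            $exe = Get-CommandExecutable ([Environment]::ExpandEnvironmentVariables($command))
            $sig = $null
            if ($exe -and (Test-Path -LiteralPath $exe -PathType Leaf)) {
                $sig = Get-AuthenticodeSignature -FilePath $exe
            }
            [pscustomobject]@{
                Key     = $key
                Name    = $name
                Command = $command
                Target  = $exe
                Status  = if ($sig) { $sig.Status } else { 'TargetNotFound' }
                Signer  = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            }
        }
    }
}

Get-RunOnceReport | Format-List
```

An entry whose `Status` is `Valid` and whose `Signer` matches the expected publisher is the case the maintainers describe; `NotSigned`, `HashMismatch` or `TargetNotFound` entries are the ones to examine further.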
