Trend Micro Antivirus blocks use of RunOnce #5482

Open
miracle152004 opened this Issue Jan 30, 2017 · 9 comments

miracle152004 commented Jan 30, 2017

  • Which version of WiX are you building with?
    3.10.3.3007

  • Which version of .NET are you building with?
    4.6.1

  • If the problem occurs when installing your packages built with WiX, what is the version of Windows the package is running on?
    Windows 7

  • Describe the problem and the steps to reproduce it.
    Creating a bundle installation of multiple MSIs using a .NET application which calls the Windows Installer XML command-line tools, containing a custom bootstrapper application, raises an "unauthorized changes" error in Trend Micro antivirus, and the bootstrapper application is blocked.
    This only happens if you are signing the custom bootstrapper using insignia to detach, then sign with signtool and reattach the engine.

```csharp
// Requires: using System.Diagnostics; using System.IO;
// SignFile, basePath, bundlefile, bundleEngineFile and ExecutingAssemblyPath
// are defined elsewhere in the poster's application.

// DETACH engine.exe from the bundle (insignia -ib)
ProcessStartInfo startInfo = new ProcessStartInfo();
startInfo.FileName = Path.Combine(Path.GetDirectoryName(System.Reflection.Assembly.GetExecutingAssembly().Location), "Wix-Tools", "insignia.exe");
startInfo.Arguments = " -ib \"" + bundlefile + "\" -o \"" + bundleEngineFile + "\"";
Process p = Process.Start(startInfo);
p.WaitForExit();

// SIGN engine.exe
SignFile(basePath, bundleEngineFile);

// REATTACH the signed engine.exe to the bundle (insignia -ab)
startInfo = new ProcessStartInfo();
startInfo.FileName = Path.Combine(ExecutingAssemblyPath, "Wix-Tools", "insignia.exe");
startInfo.Arguments = " -ab " + "\"" + bundleEngineFile + "\" " + "\"" + bundlefile + "\" -o \"" + bundlefile + "\"";
p = Process.Start(startInfo);
p.WaitForExit();

// SIGN empower setup (the final bundle)
SignFile(basePath, bundlefile);
```

This does not happen if you are using a Standard BootstrapperApplication:

and using the code from above.

Also if you are signing the bundle engine and the bundle file using msbuild this error does not occur:





Trend Micro logs the error when the custom bootstrapper application tries to write the RunOnce entry into the HKCU.

  • Describe the behavior you expected and how it differed from the actual behavior.
    The Setup should be installed without the antivirus saying it is a threat.

Currently I do not know why this error occurs and how to prevent it.
Could you please take a look.
Thanks.

Best regards
Christopher Black
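
A build-side check for the detach, sign, reattach, sign sequence described in the post above, added here as an example; it is not code from the issue or from the WiX project. It assumes the signed `engine.exe` is still on disk next to the final bundle, and both default paths are placeholders.

```powershell
# Added example: confirm that the engine and the final bundle both carry a
# valid Authenticode signature after the custom signing steps.
param(
    [string]$Engine = 'C:\build\out\engine.exe',   # placeholder path
    [string]$Bundle = 'C:\build\out\Setup.exe'     # placeholder path
)

$ErrorActionPreference = 'Stop'

function Get-SignatureSummary {
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        File        = Split-Path $Path -Leaf
        Status      = $sig.Status                      # Valid, NotSigned, HashMismatch, ...
        Message     = $sig.StatusMessage
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Thumbprint  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
        Timestamped = [bool]$sig.TimeStamperCertificate
        SHA256      = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    }
}

$results = @(
    Get-SignatureSummary $Engine
    Get-SignatureSummary $Bundle
)
$results | Format-List

# A file that is unsigned, or whose hash no longer matches its signature
# (for example because it was modified after signing), fails here.
$bad = @($results | Where-Object { $_.Status -ne 'Valid' })
if ($bad.Count -gt 0) {
    throw "Signature not valid on: $($bad.File -join ', ')"
}

# Both files are expected to come from the same signing certificate.
if ($results[0].Thumbprint -ne $results[1].Thumbprint) {
    Write-Warning 'Engine and bundle are signed with different certificates.'
}

# Without a timestamp the signature stops validating once the certificate expires.
$results | Where-Object { -not $_.Timestamped } | ForEach-Object {
    Write-Warning "$($_.File) has no timestamp countersignature."
}
```

Running the same script against a bundle signed through msbuild gives a baseline to compare the two outputs against.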

barnson Jan 30, 2017

Member

Please post details of the Trend Micro error.

miracle152004 Jan 31, 2017

Hi,

This is the information I get after exporting the threat:
[image: grafik]

This is a screenshot of the details screen:
[image: grafik]

miracle152004 Jan 31, 2017

Sorry, used the wrong button. Just wanted to comment.

barnson Jan 31, 2017

Member

Is this a problem when building or running the bundle? The error is at runtime but most of the issue is about building.

miracle152004 Feb 1, 2017

This is a problem when running the bundle on a different system which has the antivirus software installed. Currently it only happens with Trend Micro; every other encountered antivirus works without issues.

miracle152004 Feb 1, 2017

Since today I am also getting this error if I am using a Standard UI.

Same error that the run once registry key cannot be written.

@barnson barnson changed the title from Creating a signed bundle is identified as threat by Trend Micro Antivirus to Trend Micro Antivirus blocks use of RunOnce Feb 14, 2017

@barnson barnson added this to the v4.0 milestone Feb 14, 2017

@barnson barnson added the burn label Feb 14, 2017

varun7447 Mar 22, 2017

Actually, the same issue occurs with Symantec Endpoint. When we try to sign the engine.exe, Symantec Endpoint thinks this is a heuristic virus and deletes the engine.exe file.

Saravana1010 Jul 13, 2017

Try to run the Bootstrapper setup exe in "Run as administrator" mode. If that works, then we may find a different approach to resolve this issue.
