Electron-builder: NSIS False Positives

Please specify Avast version, I will check.

Avast 11.2.2262
Virus database 160629-0

Avast 12.1.22.72 — cannot reproduce.

Cannot reproduce? hmm..

@atypicalprogrammer Please note — latest, 12.1.2 Avast.

Ah ok, this was user-reported, will see if they use latest version.

@atypicalprogrammer Ideally, installer can download corresponding arch file using http://nsis.sourceforge.net/Inetc_plug-in and doesn't contain both. But I have no time to implement it.

I can reproduce on Windows 7.
Avast 12.3.2280
Virus Definitions 161220-1

I was able to reproduce when downloading using Edge with SmartScreen enabled.

You must download the file, scanning the file says it is ok and downloading without the smart screen or using Chrome did not prompt the Avast fast scan, which causes the false positive.

@flsobral Do you mean SmartScreen block or Avast message?

if SmartScreen is enabled and the installer is not codesigned, it will trigger the Avast quick scan which raises the false positive.
disabling the SmartScreen and downloading with Chrome does not triggers the quick scan, and if you perform a regular scan on the files Avast says the file is ok.

I've read about people changing the compression algorithm used by NSIS as a workaround, but we don't have this option on electron-builder.

I'm in the the process of acquiring a code sign certificate hoping it will help me with both smart screen and AVs, but I know this is not a viable option for everyone as it incurs in a recurring annual fee, so it would be great for the community if we could have a built in workaround.

@flsobral If you are company, maybe you can contact Avast support to get answer?

We found out about this problem when a customer contacted us about Norton flagging our installer as a possible threat. We started testing with Avast, but we already know this might an issue with most AVs, especially because it is flagged by the Evo-gen algorithm, which seems pretty standard AFAIK.

So instead of whitelisting our installer with every AV, we're focusing on a way to prevent this algorithm from flagging the executable.

Hopefully code signing will help us to achieve that, but I don't know that for sure and I'm guessing this is not a viable option for everyone using electron-builder, so having a workaround for it would be great.

For instance, I found this in the Avast forum:

After reading this thread I changed the compressor settings for the affected setup from lzma to zlib an everything works fine again.

@flsobral To use zip instead of lzma — set useZip to true (in the nsis). It is an experimental undocumented and untested option :) If you will confirm that it helps you — I will document and test it.

yup, it worked!
Executing the installer still triggers the SmartScreen and the Avast quick scan, but it comes clean now, no false positive. 👍

However, the size of the installer roughly doubled! The previous installer's size was 145mb, using zip the size increased to 294mb!

Maybe there's something else we can tweak to make it smaller?

Maybe there's something else we can tweak to make it smaller?

No. ZIP is very old and ineffective format.

So, if you are company — contact AVAST to get detailed answer why. So, we can fix it. e.g. last time electron-builder user contacted MS about slow scanning and MS fixed Defender for us.

Another option — edit nsis.js locally in your node_modules and set USE_NSIS_BUILT_IN_COMPRESSOR to true (only if you build one arch installer). Maybe it will help you. With USE_NSIS_BUILT_IN_COMPRESSOR we use built-in NSIS lzma compression and do not include additional compressed app package.

@develar . Thank you for Helping us.
I am using (useZip : true) but, Avast anti-virus detects the .exe as a virus.

Avast version : 170727-2 (Avast Free Antivirus).

my electronbuilderConfig:
{
"appId": "com.company.myapp",
"asar": true,
"electronVersion": "1.7.3",
"files": [
"view//",
"localImg//",
"node_modules//",
"scripts//",
"sign//",
"tools//",
"package.json"
],
"asarUnpack":[
"/node_modules/node-notifier//*"
],
"compression":"store",
"forceCodeSigning" : true,
"publish": [{
"provider": "generic",
"url": "http://location/myapp/beta/${os}/${arch}",
"channel": "beta"
}],
"releaseInfo": {
"releaseName": "myapp",
"releaseNotes": "my notes"
},
"mac": {
"category": "public.app-category.business"
},
"win": {
"target": "nsis"
},
"nsis": {
"useZip":true,
"createDesktopShortcut":true
}
}

If i submit my application Myapp-setup-0.1.1.exe (higher version) to Avast's false positive form given by Avast in the following url its not detecting myapp .exe as virus. (http://www.avast.com/false-positive-file-form.php). But I have to submit my application's exe to Avast on every update. Is there any better solution to avoid detecting our Application as Virus?. Once again Thank you for effort.

Is your app signed?

Yes. I have signed my application. I am using 'forceCodeSigning : true' in electronBuilder config. Even in tried verifying myapp.exe with signtool and its fine But Avast flagging my application as threat.

Has anyone found any other workaround besides zip-instead-of-lzma? Doubled installer size is pretty harsh. Can anyone confirm modifying node_modules & USE_NSIS_BUILT_IN_COMPRESSOR works without increasing the binary size so much?