
CryptoGuard detected ransomware in C:\Users\...



RichBPL
01-05-2023, 11:03 AM
One of my customers gets a message like the following when running my digitally signed setup program (this message is from their log, so I don't know exactly what the on-screen message looked like):


CryptoGuard detected ransomware in C:\Users\XXXX\OneDrive - XXXX\Desktop\XXSetupXX

They said the message appeared after they entered the password to continue the install and the message they saw said something about trying to write encrypted files to disk.

I rebuilt the setup program (using SB Ver 10.0.6531) to not prompt for a password, but they still received the same message, presumably when XXSetupXX has started to install files.

Does Sophos, in general, not like how Setup Builder operates, or is Sophos complaining about some file I am distributing? My app is a regular Clarion-built application, but it does include some popular 3rd-party Clarion add-ons which have their own .DLLs and configuration files.

linder
01-05-2023, 01:15 PM
Hi Rich,

assuming your installer does not contain ransomware....<g> your setup seems to trigger a "false positive". Upload your installer to Sophos and report it as a false positive so they can fix their bug in the next virus definition update.

BTW, is your installer code-signed?

Friedrich

RichBPL
01-05-2023, 09:09 PM
My installer is code-signed with a standard code certificate that your site helped me obtain from Sectigo quite some time ago. The cert expires within 30 days.

Do you think that every time I compile my installer I will have to re-submit it to Sophos?

-Rich

linder
01-17-2023, 07:35 AM
Hi Rich,

in most cases they do some kind of "whitelisting". But sometimes, protection vendors do not really fix their "bug" in the virus definition file and you have to re-submit.

Friedrich