NSIS installer flagged as trojan by Windows Defender #6347

Closed
255kb opened this issue Oct 15, 2021 · 3 comments

255kb commented Oct 15, 2021

  • Electron-Builder Version: 22.13.1
  • Node Version: 14
  • Electron Version: 13.5.2
  • Electron Type (current, beta, nightly):
  • Target: Windows

I updated electron-builder to the latest version (22.13.1) in our project (https://github.com/mockoon/mockoon) and the Windows NSIS installer got flagged as Trojan:Win32/Bulta!rfn by Windows Defender and Suspicious.Win32.Save.a by SangFor (similarly to #6334).
The only significant changes between this version of our app (1.16.0) and the previous one (1.15.0), in terms of Electron/Electron-builder config, was an update of electron-builder from 22.11.7 to 22.13.1 and the addition of a custom protocol (https://github.com/mockoon/mockoon/blob/main/electron-builder.json#L62-L68).

You can see the VirusTotal scans here:

Strangely, our version 1.15.0 installer scan shows no false positive: https://www.virustotal.com/gui/file/88d1b730fd67accaf281e38a8cc313cec307e01b5af7fa8178905e98167d9ae8 even though it was using the same electron-builder version 22.11.7.

Thank you for your help.

@mmaietta mmaietta self-assigned this Oct 17, 2021
Collaborator

mmaietta commented Oct 17, 2021

Thanks for the project link; I've been able to get a local test env set up now to repro.
I used your master branch (uses electron-builder v22.11.7) to build a Windows dist on my Mac build machine and VirusTotal still flagged Suspicious.Win32.Save.a in the package:
https://www.virustotal.com/gui/file/570f3290e92f3be956a0c8b8e6beefb021a85b033df069abc87fda4b0b4dc023?nocache=1

I then tested using a standard project: https://github.com/electron/electron-quick-start-typescript and Sangfor Engine Zero was flagged as well for the latest electron-builder, v22.14.2:
https://www.virustotal.com/gui/file/b269811422907467a1b79c468fc4d4fb3a754d3e58ed360e62e9e81dad28ad3b?nocache=1
v22.11.7 also flagged Sangfor Engine Zero:
https://www.virustotal.com/gui/file/6ceb55c4f90953169b7c13ffac4a7f8f13ba82080d89b9905a79fc3cb5679767?nocache=1
v22.10.5 also flagged Sangfor Engine Zero and eGambit:
https://www.virustotal.com/gui/file/72e066a9a03d7060a48e83a81152c23af2274992dae0ae9d2df66acf450329b7?nocache=1

I'll take a look at #6334 asap, but I'm unsure of what steps are needed with this ticket/issue.

Unrelated, I had never heard of Mockoon before, but I love the concept! Wish I had that kind of tool when I used to be a developer IC.

Any chance you'd be willing to test with latest electron-builder 22.14?

Author

255kb commented Oct 18, 2021

Thanks for looking into it @mmaietta.
I repackaged the app using 22.14.5 and still got a false positive from SangFor: https://www.virustotal.com/gui/file/9d5dc2f9bbf6de0692d028fa2f6ecb35fc99e898791ea8f8455eeb3e8531d7ad?nocache=1
Honestly, I am not sure if this SangFor thing is that bad (never heard of it). I was more concerned about the fact that my new version was flagged as Trojan by Windows Defender. I am glad this false positive disappeared.

Also, I am not sure what you can do on your side. I found various occurrences of this issue with NSIS: https://nsis.sourceforge.io/NSIS_False_Positives

Unrelated: Thanks :) I worked hard to make Mockoon a great mocking tool!

Collaborator

This seems to be a duplicate of / related to #6334.
Let's consolidate the convo there.
