

This is a read-only archive of the InstallSite Forum. You cannot post any new content here.

AntiVirus Problems with CAs


2 replies to this topic

sks2004
  • Members
  • 6 posts

Posted 16 May 2005 - 01:25

I have read a number of posts and blogs regarding antivirus applications blocking MSI custom actions... I have witnessed this myself (McAfee ScriptBlocker halting msiexec.exe for suspicious script activity).

A few questions:
1. If you have your installation signed/verified (VeriSign/activeapp, or whatever they call it), is this good enough, so that antivirus products don't block or attempt to block your MSI setup, which may include CAs?

2. If you have your VBScript/JScript CAs digitally signed, will this suffice?

3. Besides VBScript/JScript CAs causing antivirus products to freak out, will any or all other types of CAs also do the same thing (C/C++ DLLs, InstallScript, built-in Type 51, 54, 81, etc.)?

What is the solution?
All over the web (IS docs, MS docs, etc.) they describe how to use VBScript/JScript CAs... but if antivirus products stop these from acting...

Edited by sks2004, 16 May 2005 - 01:25.


Zweitze
  • Full Members
  • 522 posts

Posted 16 May 2005 - 15:05

In my last experience on this subject, which was about four years ago, I found that these "script blocking" features did NOT monitor usage of the Active Scripting engine, but the "FileSystemObject" object. (The product I'm talking about is Norton Antivirus 2000).
It appears NAV script blocking routes all methods of the FileSystemObject to itself, evaluates the parameters, then notifies the user when it doesn't trust the call (or forwards to the real FSO when the call is harmless).

Note that other objects may be monitored as well. Anyway, signatures won't help with such products - they can't even see it's in a script!

If your CA doesn't do file access (or anything considered dangerous), you probably won't have any problem at all. However, I also found systems where Active Scripting was not present, in which case the user gets a run-time error.
The safest workaround is using a DLL. AV products still see this DLL, but they only do the standard AV checks (looking for virus patterns) on your DLL.
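
Added example (not part of the original thread or of either poster's code): a Python routine that decodes CustomAction Type values such as the 51, 54 and 81 mentioned in the question, and lists which custom actions run through Active Scripting, i.e. the ones the reply above suggests moving to a DLL. The bit values are the Windows Installer SDK's `msidbCustomActionType*` constants; the action names and sample rows are constructed.

```python
# Added example: decode Windows Installer CustomAction.Type values and flag
# the ones that run through Active Scripting (JScript/VBScript).
# Bit values are the msidbCustomActionType* constants from the Windows
# Installer SDK; action names and rows below are constructed.

KINDS = {1: "DLL", 2: "EXE", 3: "TextData", 5: "JScript", 6: "VBScript", 7: "Install"}
SOURCES = {0x00: "Binary table", 0x10: "installed file",
           0x20: "directory", 0x30: "property"}
OPTIONS = {0x0040: "Continue", 0x0080: "Async",
           0x0400: "InScript", 0x0800: "NoImpersonate"}
SCRIPT_KINDS = {"JScript", "VBScript"}
# TextData types have fixed meanings rather than "code from a source".
TEXT_MEANING = {0x10: "display error", 0x20: "set directory", 0x30: "set property"}


def decode(ca_type):
    """Split a CustomAction.Type integer into kind, source and option flags."""
    kind = KINDS.get(ca_type & 0x07, "unknown")
    src_bits = ca_type & 0x30
    source = SOURCES[src_bits]
    if kind in SCRIPT_KINDS and src_bits == 0x20:
        source = "inline text in Target column"   # types 37 / 38
    elif kind == "TextData":
        source = TEXT_MEANING.get(src_bits, source)  # types 19 / 35 / 51
    return {
        "kind": kind,
        "source": source,
        "flags": [name for bit, name in OPTIONS.items() if ca_type & bit],
        "uses_active_scripting": kind in SCRIPT_KINDS,
    }


def script_actions(rows):
    """Return names of custom actions that depend on the scripting engine."""
    return [name for name, ca_type in rows if decode(ca_type)["uses_active_scripting"]]


# Constructed (Action, Type) rows, as they would appear in a CustomAction table.
SAMPLE_ROWS = [
    ("SetInstallDir", 51),      # property set, no script engine
    ("CheckLicense", 54),       # VBScript held in a property
    ("RegisterPlugin", 81),     # DLL from installed file + Continue
    ("CleanTemp", 1030),        # VBScript in Binary table, deferred
    ("ConfigureService", 3073), # DLL in Binary table, deferred, no impersonation
    ("WriteIni", 37),           # inline JScript
]

if __name__ == "__main__":
    for name, ca_type in SAMPLE_ROWS:
        print(f"{name:18} {ca_type:5} {decode(ca_type)}")
    print("Script-based:", script_actions(SAMPLE_ROWS))
```

Feed it the (Action, Type) pairs exported from a package's CustomAction table to see which actions would hit a script-blocking product or fail on a machine without Active Scripting.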


sks2004
  • Members
  • 6 posts

Posted 16 May 2005 - 23:35

We have decided to stray far, far away from VBScript/JScript Custom Actions, and opt for InstallScript Custom Actions.