VIPRE Preventing UI v0.9.3 Installation

I’ve installed Joulescope many times, including v0.9.2, with VIPRE active on my machine. This time, when tryig to install 0.9.3 on my Windows 7 Pro machine, I was prevented from doing so. Not sure what the problem is with this particular installation. See info below:

Just to see if it was an update to VIPRE, I tried re-installing 0.9.2 and had no issues.

Well, we did update to newer versions of some Joulescope UI dependencies, so VIPRE could be falsely detecting one of those. Unfortunately, that temporary file alone does not give me much to go on. If you scroll down further, does it give any indication of what “known bad” thing it thinks that this file matches? Can VIPRE quarantine that file? If you can then email it to support at joulescope dot com, I can see what installed file it actually matches.

It also says “attempting to modify the following file”. It should be creating that file. Can you confirm that the “C:\Program Files (x86)\Joulescope” directory was not present before starting the installation?

Matt,

This is what VIPRE pops up as the main dialog - the stuff I posted before was from selecting Show Details…

image

This is the remainder of the details dialog from Viper. Not much to go on.

image

This is the dialog that pops up from the installer.

image

I uninstalled Joulescope before trying again, and I also changed the destination to be different than the Program Files (x86) folder, but that did not help.

VIPRE is catching some temporary file from the Joulescope UI installer (Inno Setup). Unless you can send the file or get VIPRE to provide more detail, I don’t have much ability to help. The VIPRE false positive reporting page asks for a “Threat Name”. I don’t see that anywhere in what you have posted so far. Do you see it?

Windows Defender has no issues with this. We have no other reports of antivirus issues with 0.9.3, and lots of Windows installs. I suspect something is causing a VIPRE false positive.

Another change that we made with the Windows 0.9.3 release is full HSM signing so Windows should not ever give the unknown publisher warning on install. I don’t see how this would trigger VIPRE though…

My IT department just contacted me - this is the information they provided, which is more detailed.

I just scanned the Joulescope Windows build machine with both Windows Defender and Malwarebytes. Both say all clean.

On an old Win 10x64 laptop, I uninstalled the Joulescope UI, then installed VIPRE Antivirus Plus. It was also all clean. After a reboot, I downloaded a fresh copy of the Joulescope UI 0.9.3. VIPRE raised no warnings on the Joulescope UI installation.

I think that we also updated the InnoSetup version between 0.9.2 and 0.9.3. Antivirus software often mistakenly flags installers since they can be used both by the malware and legitimate software. At this point, I think your version of VIPRE is raising a false positive. Are your virus definitions up to date?

I do see that a new version of InnoSetup is now available, which we will use for the next Joulescope UI build. I created an unofficial 0.9.4 development release with the new InnoSetup if you want to see if it makes any difference:
installer
sha256

We definitely take computer security and malware seriously. In this case, your machine really seems to be reporting a false positive.

Hi Matt,

I know you do take it seriously. FYI I downloaded the latest virus definition file for Vipre Endpoint Security and tried both the 0.9.3 installer and the one you sent me. It just keeps getting hung up on an is-*****.tmp file. I find it odd that 0.9.2 installs fine, but 0.9.3 does not. I don’t think I can even ‘always allow’ the file, because it looks like a random 5 characters are part of the filename every time I run the installer. I am removing from quarantine and attaching. Also, I tried just ignoring the error and continuing with the installation, and I got the Vipre protection one more time, on a different .tmp file. And, of course, the program did not run once the installation was finished.

I can’t upload the file being quarantined because it is too big and has the wrong extension.

Can you email it to support _ at _ joulescope dot com?

Well, I tried, but our mail server must pass attachments through VIPRE. See below.

This message was created automatically by mail delivery software. Your email message was not delivered as is to the intended recipients because malware was detected in one or more attachments included with it. All attachments were deleted.

— Additional Information —:

Subject: Problem VIPRE file with 0.9.3 installation

Sender: [removed by wired](mailto:removed by wired)

Time received: 12/15/2020 10:14:59 PM

Message ID:<SN4PR0401MB3583DC7C06C134FE3242F333C0C60@SN4PR0401MB3583.namprd04.prod.outlook.com>

Detections found:

is-N9K8B.tmp exe

Of course it does :man_facepalming:

Perhaps you can try one of the free online tools, like:

You could also try to send it through a personal email account. Or cloud storage, like DropBox or Google Drive.

I’ll try to get it to you this evening using home email.

1 Like

Based upon emails, I figured out that the flagged item was the main “joulescope.exe”, not any of the supporting files. I ran the joulescope.exe from 0.9.2, 0.9.3, and 0.9.4 dev through www.virustotal.com. 0.9.3 moved to pyinstaller 4. I now suspect that these AV tools are flagging pyinstaller 4. I like python, but so do many malware writers, and pyinstaller is a great way to distribute python code.

Here are the results:
0.9.2
0.9.3
0.9.3 rebuit with pyinstaller 3.6 : download installer
0.9.4

While I don’t like the Joulescope UI being flagged by AV software, I am now confident that these are false positives.

The new Joulescope UI 0.9.7 uses pyinstaller 4.2. Here is the virustotal report for joulescope.exe. I have already posted to the Malwarebytes false positive list. All the other major antivirus solutions say it’s good!