[wix-devs] #5658 - Burn problem with AV

Wed Dec 12 20:01:32 PST 2018

Looks like I was accidentally replying directly instead of to the list.

On Wed, Dec 12, 2018 at 9:45 AM Kaveesh Dashora <kaveeshd at gmail.com> wrote:

> Okay. Thanks for the clarification. I thought you are having issue with
> burn signing. Did not read the wix-devs tag. Apologies.
>
> On Wed 12 Dec, 2018, 8:59 PM Sean Hall <r.sean.hall at gmail.com wrote:
>
>> Thanks for the response, but I think there's a misunderstanding here.
>> This is the mailing list for developers that are working on the WiX Toolset
>> itself, we are already shipping a signed installer that works with the vast
>> majority of AV companies. This issue is about addressing specific AV
>> companies like Avast that are causing multiple people's signed Burn bundles
>> to fail to install.
>>
>> On Tue, Dec 11, 2018 at 11:45 PM Kaveesh Dashora <kaveeshd at gmail.com>
>> wrote:
>>
>>> Also, the WIX Version 3.11.0.1528 is installed on my machine.
>>>
>>> On Wed, Dec 12, 2018 at 11:13 AM Kaveesh Dashora <kaveeshd at gmail.com>
>>> wrote:
>>>
>>>> I am not sure about about Avast or others, but I am pretty sure about
>>>> Symantec Endpoint Protection. The certificate which I own comes from
>>>> Symantec.
>>>>
>>>> While building, my build script signs the bundled msi, the engine and
>>>> the final package. I use insignia to extract the engine and sign it and use
>>>> it again to update the final package to sign the final package.
>>>>
>>>> The following steps might help you
>>>> 1. Build the MSI
>>>> 2. Sign the MSI
>>>> 3. Build the Burn UI DLL (This is an optional step, you need this if
>>>> you have a custom burn ui)
>>>> 4. Sign the Burn UI DLL (This is an optional step, you need this if
>>>> you have a custom burn ui)
>>>> 5. Build the Burn Project
>>>> 6. Extract the Engine from the Burn Package ("%InsigniaPath%" -ib
>>>> "Setup.exe" -o "engine.exe")
>>>> 7. Sign the Engine
>>>> 8. Create the final Burn Package with the signed Engine
>>>> ("%InsigniaPath%" -ab "engine.exe" "Setup.exe" -o "Final Package.exe")
>>>> 9. Sign the final Burn Package created in step 8.
>>>>
>>>> Try following these steps, and test with final package. This is how I
>>>> am authoring my package.
>>>>
>>>> On Wed 12 Dec, 2018, 8:46 AM Sean Hall <r.sean.hall at gmail.com wrote:
>>>>
>>>>> Are you saying that your burn authored installer does not see issues
>>>>> with Avast, AVG, or PC Matic SuperShield? What version of WiX and what
>>>>> version of each of those AVs? Who did you buy your code signing certificate
>>>>> from?
>>>>>
>>>>> On Tue, Dec 11, 2018 at 8:42 PM Kaveesh Dashora <kaveeshd at gmail.com>
>>>>> wrote:
>>>>>
>>>>>> I have a burn authored installer... Signing the installer using
>>>>>> SignTool avoids this issue with Antivirus. You will need a code signing
>>>>>> certificate. I have verified on my system with SEP installed.
>>>>>>
>>>>>> On Mon 10 Dec, 2018, 11:40 AM Sean Hall via wix-devs <
>>>>>> wix-devs at lists.wixtoolset.org wrote:
>>>>>>
>>>>>>> For https://github.com/wixtoolset/issues/issues/5658, I'm not
>>>>>>> convinced
>>>>>>> that we are going to be able to find a foolproof workaround for these
>>>>>>> problematic AV's. Would it be acceptable to add a /disablecleanroom
>>>>>>> switch,
>>>>>>> disable clean room if running in a specially name folder, or
>>>>>>> something else
>>>>>>> like that instead? I would think that would be ok security-wise
>>>>>>> since if a
>>>>>>> malicious entity can run our bundle with that switch they already
>>>>>>> have code
>>>>>>> execution.
>>>>>>>
>>>>>>> Also, have we submitted the latest v3.11 to each of the vendors in
>>>>>>> the
>>>>>>> issue - Avast, AVG, PC Matic SuperShield?
>>>>>>> ____________________________________________________________________
>>>>>>> WiX Toolset Developer Mailing List provided by FireGiant
>>>>>>> http://www.firegiant.com/
>>>>>>>
>>>>>>