Windows installer (not any more) detected as malware [solved]

We got one report that the EXC!TE SNARE DRUM installer is detected as malware by MalwareBytes. We don’t know why this is. See more info in my post below.

Hello! I just purchased & downloaded Excte Snare Drum Pro…however it’s getting flagged from running in Win10. A VirusTotal check has three positive hits:

  • McAfee-GW-Edition BehavesLike.Win32.CoinMiner.wc
  • Bkav Pro W32.AIDetect.malware1
  • Sangfor Engine Zero Trojan.Win32.Save.a

Would it be possible to verify that all’s ok before we run it?

Thanks for your time (looking forward to using this) D

2 Likes

I’ve just uploaded our Windows installer to virustotal myself and I can confirm the results.

We don’t have an explanation why McAfee, Bkav and Sangfor might flag this as malware. Our plugin is based on the official open source Steinberg VST3SDK and vstgui. We are using Inno Setup for the installer, which also is open source. Our development happens mainly on Linux systems and just the packaging and testing for Windows are done on a clean Windows machine. We think it’s close to impossible that our product could be compromised by anything third-party and we certainly haven’t added any malicious code ourselves.
But basically, you need to trust us here. We are a new player in the market and may not have a respected name yet, but we are trying to get there. We will discuss how to fix these false positives. Maybe digitally signing the Windows installer package will already help.

What I suspect is happening:
Probably the makers of crypto/malware also used the open source installer Inno Setup for their malware, so the scanners will find the files which were flagged as malware also in our installer, but they are simply part of the installer software, nothing harmful. On top of that, we are new in the business, not trusted by the malware scanner engines. Our installer isn’t a popular and proven binary which gets us some points in their scoring. IMO this is why we are getting detected as malware.

There seem to be some reports where Inno Setup installers are detected as false positives:

Would it be possible, for users who have purchased, to simply provide the .dll and any additional files, just so they can bypass the installer? I’m happy just dropping the files where they need to go, if that’s do-able…

That may seem like a good solution, but we are worried that this may cause more support issues of not correctly installed plugins. The VST3 plugins are actually folders with a .vst3 ending, not simple .dll files any more (AFAIK VST2 were).

While the presets must go to a different path, for Win10 that’s C:\ProgramData\VST3 Presets\CHAIR\EXC!TE Snare Drum PRO\.
ProgramData is a hidden folder by default. Not a problem for some users maybe, but the installer makes it super easy. We will make sure to sign the installer with the next update, maybe that already fixes the issue.
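
A check a user can run on a downloaded installer before launching it, covering the signing step mentioned above (added example, not part of the original thread and not CHAIR's own tooling). The file path and the vendor-published SHA-256 are assumptions; an unsigned installer reports `NotSigned`, so only the hash comparison applies to it.

```powershell
# Added example: pre-run check for a downloaded installer (Windows PowerShell 5.1 or later).
# The path and the expected hash are placeholders, not values from the thread.
function Test-InstallerTrust {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $ExpectedSha256   # optional: hash published by the vendor (assumption)
    )

    # Hash the exact bytes on disk; the same value identifies the file on VirusTotal.
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    # Authenticode check: validates the embedded signature and its certificate chain.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # $null means "no expected hash supplied", which is different from a mismatch.
    $hashOk = if ($ExpectedSha256) { $hash -eq $ExpectedSha256.Trim() } else { $null }

    [pscustomobject]@{
        File            = (Get-Item -LiteralPath $Path).Name
        Sha256          = $hash
        HashMatches     = $hashOk
        SignatureStatus = $sig.Status                      # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer          = $sig.SignerCertificate.Subject   # empty when the file is unsigned
        Timestamped     = [bool]$sig.TimeStamperCertificate
        # Passes only when the signature validates and any supplied hash matches.
        OkToRun         = ($sig.Status -eq 'Valid') -and ($hashOk -ne $false)
    }
}

# Example call (placeholder path and hash):
# Test-InstallerTrust -Path '.\installer-placeholder.exe' -ExpectedSha256 '<vendor-published-sha256>'
```

A `HashMismatch` status means the file changed after it was signed and should not be run; `NotTrusted` means the signature is present but its certificate chain does not lead to a trusted root on this machine.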

Gotcha, thanks very much for investigating!

Happy to report that for whatever reason, today Virus Total reports no malware on this file…all is right in the world. Thanks again

1 Like

Wow, that happened without us doing anything in that matter. Interesting. Thanks a lot for letting us know!