Launch4j Executable Wrapper / Bugs / #175 Launch4j Windows binary

#175 Launch4j Windows binary - virus scan

Milestone: 3.x

Status: open

Owner: Grzegorz Kowal

Labels: None

Priority: 5

Updated: 2018-08-11

Created: 2017-09-26

Creator: Forest

Private: No

Thanks for great software.

Please provide releases without any bugs inside.
It is importand because apps based on Launch4j will also windlude bugs.

launch4j-3.11-win32.exe scan
https://www.virustotal.com/#/file/53d99cd5b5a0e5f38db96ea943f8b8311ab1eb806a6c147a46543de55140bfb7/detection

I would recommend to use virustotal before releasing any executables.

I've found that latest clean version is 3.0.7

Thanks

Discussion

Grzegorz Kowal - 2017-09-28

To provide a release without any bugs is the ultimate goal from QA perspective for any project, but rather impossible to reach :)
But I know what you mean.

Every launch4j package is scanned using virus total, sometimes releases are even dropped if it turns out that they start producing virus alerts. The last release had a problem in one package reported by less popular tool.
But now, how do you 'fix' a problem reported by heuristics scan? The only solution I can think of is signing or not wrapping the jar. I have no control over how launch4j's code is interpreted as malicious.
Perhaps some releases are now reported as infected in VirusTotal because of different tool availability or version, I don't know.

The problem here is the nature of launch4j, a small executable attached to a jar file which reads the registry, accesses the file system and starts processes and the way antivirus engines work. These false positives are based on heuristics scan, so the AV software judges that this is a virus. Such problems appear when switching to a newer version of gcc or just updating w32api libs or making changes in the code as adding new features. .

I will remove all files that are wrapped from the release, and probably add a warning when the wrapping option is chosen or drop this functionality altogether if it doesn't help.

Best regards,
Grzegorz

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Grzegorz Kowal - 2017-09-28

assigned_to: Grzegorz Kowal
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Grzegorz Kowal - 2018-05-12

status: open --> closed-fixed
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Grzegorz Kowal - 2018-05-17

status: closed-fixed --> open
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Grzegorz Kowal - 2018-05-17

I have to reopen, the fix helped but still 1 or 2 out of 65 tools reports a problem.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Markus Gothe - 2018-08-09

Fixing the checksum is one thing to make heuristics stop classifying it as virus. And when you codesign you actually implicitly do

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Grzegorz Kowal - 2018-08-11

You mean when wrapping the jar?

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Launch4j Windows binary - virus scan

Group

Searches

Help

#175 Launch4j Windows binary - virus scan

Discussion