electron-builder: NSIS and nsis-web Installers are being detected as: Suspicious.Win32.Save.a false positives with VirusTotal

  • Electron-Builder Version: 22.14.4
  • Node Version: 14.17.6
  • Electron Version: 15.1.2
  • Electron Type (current, beta, nightly): current
  • Electron-updater: 4.3.9
  • Target: nsis / nsis-web / x64

These are EV Signed executables where NSIS and nsis-web Installers are being detected as Suspicious.Win32.Save.a from Sangfor Engine Zero with virus total: https://www.virustotal.com/gui/file/caed701727fa4f7805e2ddae9b0a28ec02e07fc6636f9df8da1b748d164583bd?nocache=1

Uploaded and checked each file on its own and none returned as a virus; then created a nsis-web and uploaded only the installer that flagged as one immediately: https://www.virustotal.com/gui/file/eb4ebdce32741e4b29f8845fbb54c30022ab7f63bbe90543eccb593ff3cbb414?nocache=1

So it seems something within the installer gets reported as a threat. Would you please advise of where the problem may be?

Building from an arm64 M1 machine using the latest parallels and Windows 10 Pro Build-21390

About this issue

  • Original URL
  • State: closed
  • Created 3 years ago
  • Reactions: 8
  • Comments: 34 (3 by maintainers)

Commits related to this issue

Most upvoted comments

@mmaietta For the time being if we can somehow replace/remove the use of nsis-resources-3.4.1 it compiles correctly with nsis-3.0.5.0.

The nsis needs to be recompiled with both extended length strings and debug flags enabled. The hard part is finding a device to do it, it didn’t compile for me.

Tried to figure out how to do that within app-builder-lib/nsisTarget.js but I didn’t succeed… I do have an intel mac to use or maybe Github actions could be of help.

Do you know, and if so, can you share what needs to be compiled for me to give it a shot?

ps. there is a brew of makensis for arm64 if that helps

+4
cliqer on Oct 26, 2021

@mmaietta NSIS is the issue. I got it to work without the trojan warning by downgrading the NSIS version to 3.0.4.1.

This can be done by adding the following to the build configuration in the project’s package.json:

        "nsis": {
            "customNsisBinary": {
                "url": "https://github.com/electron-userland/electron-builder-binaries/releases/download",
                "checksum": "VKMiizYdmNdJOWpRGz4trl4lD++BvYP2irAXpMilheUP0pc93iKlWAoP843Vlraj8YG19CVn0j+dCo/hURz9+Q==",
                "version": "3.0.4.1"
            }
        },

3.0.5.0 is not working due to a build error.

+3
JCMais on Nov 25, 2021

@develar can you please advise here?

  • What is winshell.dll being used for in nsis-resources? Is it needed for something specific?
  • Can we get it from elsewhere? (I haven’t found any) As the current Sourceforge download link has this Suspicious.Win32.Save.a detection in the payload.

@cliqer , thanks for all your investigative work here, I really appreciate it. We can use nsis-3.0.5 for sure, but I’m not sure if that completely removes the need for nsis-resources. If you’re willing to, I’d be happy to review a PR on the nsis update! Setting up a local dev environment is pretty simple: https://github.com/electron-userland/electron-builder/blob/master/CONTRIBUTING.md#to-setup-a-local-dev-environment

+2
mmaietta on Oct 23, 2021

Thank you @mmaietta & @develar.

I see that there is a new tag nsis-3.0.5.0 binary available: https://github.com/electron-userland/electron-builder-binaries/releases/tag/nsis-3.0.5.0

When extracted the plugins folder does not contain WinShell.dll and, after checking each of these files with virustotal, they are not getting flagged.

Any chance this is the solution and that the NSIS binary just needs to be replaced within electron-builder?

+1
cliqer on Oct 18, 2021
Read more comments on GitHub
← electron-builder: Notarization fails on MacOS 10.15.3
electron-builder: NSIS Autoupdater Fails to update →