FdInstall false-positive
I had a report that the AntiVir virus scanner was detecting a DR/Zlob.Gen virus in my new FdInstall.exe installer. I was pretty certain this was a false-positive, and three alternative scanners I had access to all agreed with me.
Googling for other online scanners, I came across a handy site to check it more thoroughly. Simply upload your file and have it checked by around 30 commercial scanning engines, with near-live results (if there aren’t too many queued jobs).
I submitted the latest FdInstall.exe, and as expected AntiVir was the only engine to consider it infected, so I fired off an e-mail to report the false-positive. However… eSafe, Fortinet and Panda considered the file to be ‘suspicious’. The Additional Information section at the bottom reported the UPX packer, and that the file had a binary resource.
Just to compare, I submitted the old FdInstall.exe for scanning. No virus detected, but both eSafe and Fortinet still considered it suspicious due to the use of UPX.
I rebuilt FdInstall.exe without compressing the header, and resubmitted it for scanning. Result: completely clean! One of the scanners still reported the presence of UPX and binary resources, but it wasn’t enough to show as suspicious.
It seems that many scanning engines consider compressed executables to be a worry, as though they’re trying to hide something. I’m surprised this is still the case when using well-known packers like UPX, which can be unpacked using freely available programs and code.
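The two heuristics that most plausibly tripped here (section names left behind by UPX, and compressed section data that looks like random bytes) are easy to see in a small PE section-table scan. This is an added example, not code from this post or from any of the scanners mentioned; the two PE images are constructed in-line and deliberately minimal (no optional header), so they parse but would not run.

```python
import math
import struct
from collections import Counter

def build_pe(sections):
    """Constructed, minimal PE image: DOS stub, PE signature, COFF header,
    section table, then the raw section bytes. sections = [(name, bytes), ...]"""
    hdr_size = 64 + 4 + 20 + 40 * len(sections)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)              # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    table, body, ptr = b"", b"", hdr_size
    for name, raw in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(raw) or 0x1000,
                             0x1000, len(raw), ptr if raw else 0, 0, 0, 0, 0,
                             0x60000020)
        body += raw
        ptr += len(raw)
    return dos + b"PE\0\0" + coff + table + body

def entropy(buf):
    """Shannon entropy in bits per byte; 8.0 means the data is indistinguishable
    from random, which is what compressed or encrypted sections look like."""
    if not buf:
        return 0.0
    return -sum(c / len(buf) * math.log2(c / len(buf)) for c in Counter(buf).values())

def analyze_pe(data):
    """Walk the section table and apply the two packer heuristics described above."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image")
    pe_off = struct.unpack_from("<I", data, 60)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    sec_off = pe_off + 24 + opt_size                              # after optional header
    sections = []
    for i in range(nsec):
        name, _vsize, _vaddr, rsize, rptr, *_ = struct.unpack_from(
            "<8sIIIIIIHHI", data, sec_off + 40 * i)
        raw = data[rptr:rptr + rsize] if rsize else b""
        sections.append({"name": name.rstrip(b"\0").decode(errors="replace"),
                         "raw_size": rsize, "entropy": round(entropy(raw), 2)})
    packer = [s["name"] for s in sections if s["name"].upper().startswith("UPX")]
    dense = [s["name"] for s in sections if s["entropy"] > 7.0]
    return {"sections": sections, "packer_sections": packer,
            "high_entropy_sections": dense, "suspicious": bool(packer or dense)}

# Constructed samples: a UPX-style layout (empty UPX0, dense UPX1) and a plain one.
PACKED = build_pe([("UPX0", b""), ("UPX1", bytes(range(256)) * 4)])
PLAIN = build_pe([(".text", b"\x55\x8b\xec" * 300 + b"\xc3"), (".rsrc", b"\0" * 512)])
```

Running `analyze_pe(PACKED)` flags both the UPX section names and the 8.0-bit entropy of UPX1, while `analyze_pe(PLAIN)` reports nothing, which is the difference a heuristic-only engine sees between the compressed and uncompressed installer.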
I’ve now updated the FdInstall.exe on my site with an uncompressed version. It adds a whopping 11% (11K) to the installer size, but it’s well worth it to avoid further false-positives.
Hats off to Fortinet for their comprehensive response to my query in less than an hour. The file is white-listed in their latest definitions. Avira have also confirmed the file is clean, and plan to fix the issue in a future definition update.