
Setup 1.4 is recognized as a virus by Sophos

Posted: Mon Jan 24, 2011 11:10 am
by me
It is not possible to install CintaNotes 1.4 with Sophos antivirus running because the setup program is considered a virus (possibly because of packing).

Re: Setup 1.4 is recognized as a virus by Sophos

Posted: Mon Jan 24, 2011 12:17 pm
by ale
Yes it seems Sophos recognizes the installer as "Mal/HckPk-A" which on Sophos site is described as "Mal/HckPk-A is a program that has been packed with a protection system typically used by malware authors", so it seems really because of the packer.

CintaNotes as far as I remember uses UPX for compression so nothing really strange. Anyway these are heuristic detections, just a guess by the antivirus, so prone to false positives, as in this case.

I submitted the file to Sophos as a false positive. I'll post more news if/when I have them.

Re: Setup 1.4 is recognized as a virus by Sophos

Posted: Mon Jan 24, 2011 12:28 pm
by CintaNotes Developer
ale, thanks a lot!

Re: Setup 1.4 is recognized as a virus by Sophos

Posted: Mon Jan 24, 2011 12:42 pm
by Guest
CintaNotes Developer wrote:ale, thanks a lot!


Lesson to learn: please don't use *.exe packers! There is very little benefit for the user, usually just trouble. I'd prefer to have an unpacked cintanotes.exe with its 'true' size of ~1.5 MB. Who cares if cintanotes.exe can be compressed down to 0.5 MB using Upx in the age of hundreds of GBytes harddisks?

Re: Setup 1.4 is recognized as a virus by Sophos

Posted: Mon Jan 24, 2011 12:45 pm
by CintaNotes Developer
Guest wrote:
CintaNotes Developer wrote:ale, thanks a lot!


Lesson to learn: please don't use *.exe packers! There is very little benefit for the user, usually just trouble. I'd prefer to have an unpacked cintanotes.exe with its 'true' size of ~1.5 MB. Who cares if cintanotes.exe can be compressed down to 0.5 MB using Upx in the age of hundreds of GBytes harddisks?


Actually UPX is so well-known and popular that I seriously doubt that Sophos is reacting on it, more probably it is reacting to the Inno Setup LZMA compressor. This is why it flags only the installer version of CN.
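The posts above attribute the detection to packing or compression (UPX on the executable, LZMA in the installer). As an added illustration, not code from this thread and not Sophos's actual detection logic, the sketch below shows two generic indicators a packer heuristic can key on, section names and byte entropy, and why a benign installer carrying compressed data trips the second one. The threshold and all sample images are constructed assumptions.

```python
import hashlib, math, struct
from collections import Counter

def entropy(data):
    """Shannon entropy in bits per byte: 0.0 (constant) to 8.0 (random-looking)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def pe_sections(image):
    """Yield (name, raw_bytes) for each entry in the PE section table."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe, = struct.unpack_from("<I", image, 0x3C)            # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    count, = struct.unpack_from("<H", image, pe + 6)       # NumberOfSections
    opt_size, = struct.unpack_from("<H", image, pe + 20)   # SizeOfOptionalHeader
    table = pe + 24 + opt_size
    for off in range(table, table + 40 * count, 40):
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, off + 16)
        yield name, image[raw_ptr:raw_ptr + raw_size]

def packer_indicators(image, threshold=7.0):
    """Return (section, reason) pairs; threshold is an assumed cut-off."""
    hits = []
    for name, raw in pe_sections(image):
        if name.startswith("UPX"):
            hits.append((name, "UPX section name"))
        if entropy(raw) > threshold:
            hits.append((name, "high entropy"))
    return hits

def build_pe(sections):
    """Constructed sample: bare MZ/PE/COFF headers plus (name, data) sections."""
    head = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0"
    head += struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    ptr, table, body = len(head) + 40 * len(sections), b"", b""
    for name, data in sections:
        table += name.encode().ljust(8, b"\0")
        table += struct.pack("<IIII", 0x2000, 0, len(data), ptr + len(body)) + b"\0" * 16
        body += data
    return head + table + body

CODE = b"\x55\x8b\xec\x90" * 1024   # constructed: repetitive, code-like bytes
DENSE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(256))  # stand-in for compressed data
PLAIN = build_pe([(".text", CODE), (".data", b"\0" * 64)])
UPX_LIKE = build_pe([("UPX0", b""), ("UPX1", DENSE)])
INSTALLER_LIKE = build_pe([(".text", CODE), (".rsrc", DENSE)])  # benign stub + compressed payload

for label, img in (("plain", PLAIN), ("upx-like", UPX_LIKE), ("installer-like", INSTALLER_LIKE)):
    print(label, packer_indicators(img))
```

The installer-like image contains nothing malicious, yet the entropy rule fires on it, which is the false-positive mechanism discussed in this thread.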

Re: Setup 1.4 is recognized as a virus by Sophos

Posted: Mon Jan 24, 2011 1:25 pm
by Guest
CintaNotes Developer wrote:
Guest wrote:
CintaNotes Developer wrote:ale, thanks a lot!


Lesson to learn: please don't use *.exe packers! There is very little benefit for the user, usually just trouble. I'd prefer to have an unpacked cintanotes.exe with its 'true' size of ~1.5 MB. Who cares if cintanotes.exe can be compressed down to 0.5 MB using Upx in the age of hundreds of GBytes harddisks?


Actually UPX is so well-known and popular that I seriously doubt that Sophos is reacting on it, more probably it is reacting to the Inno Setup LZMA compressor. This is why it flags only the installer version of CN.


That's right, Sophos complains only about the setup file not about 'cintanotes.exe'. But what's the point of compressing 'cintanotes.exe' anyway (other than showing off: "see our executable is that tiny...")? Nobody is using floppy disks anymore and even the smallest USB drives easily have >=128 MBytes. It simply makes no sense (to me, anyway) even as a potential means of software protection.

Re: Setup 1.4 is recognized as a virus by Sophos

Posted: Tue Jan 25, 2011 9:58 am
by ale
I received a response from Sophos, the relevant excerpt says
SophosLabs has analyzed the submitted file(s) and have determined it is a false positive detection.

* CintaNotes_1_4_Setup.exe -- identity created/updated
* sample.tmp -- can be authorised


Please update Sophos Anti-Virus and clear any alerts related to this file from the Quarantine Manager. The file will no longer be detected.

Re: Setup 1.4 is recognized as a virus by Sophos

Posted: Tue Jan 25, 2011 11:21 am
by CintaNotes Developer
Guest wrote:That's right, Sophos complains only about the setup file not about 'cintanotes.exe'. But what's the point of compressing 'cintanotes.exe' anyway (other than showing off: "see our executable is that tiny...")? Nobody is using floppy disks anymore and even the smallest USB drives easily have >=128 MBytes. It simply makes no sense (to me, anyway) even as a potential means of software protection.
Well maybe I'm being too rigorous here, but I really think that keeping CN as small as possible is an important goal in itself, since its "lightness" is its competitive advantage compared to powerful but bloated apps/services like EverNote. Treading into EverNote's niche would be suicide, there's no chance that CN can survive there. This is also why I'm so picky at the features that get added to CN, and go to extra lengths to ensure that they don't hurt performance.
I agree that it doesn't make much difference if it's 600Kb or 2Mb. But psychologically, it does. Sooner or later CN will be over 1Mb, given current roadmap that's unavoidable, but I'd rather have it later.

You can say that UPX is just a trick and it doesn't change the fact that it is already over 2Mb. Well, maybe you are right. But as I see it: you have two options, each have same startup time and are equally performant (also there're no AV false positives: nowadays all Anti-Virus vendors recognize UPX). One is 600K, the other 2M. Which would you choose?

Re: Setup 1.4 is recognized as a virus by Sophos

Posted: Tue Jan 25, 2011 11:31 am
by CintaNotes Developer
ale wrote:I received a response from Sophos, the relevant excerpt says
SophosLabs has analyzed the submitted file(s) and have determined it is a false positive detection.

* CintaNotes_1_4_Setup.exe -- identity created/updated
* sample.tmp -- can be authorised


Please update Sophos Anti-Virus and clear any alerts related to this file from the Quarantine Manager. The file will no longer be detected.

That's great!

Re: Setup 1.4 is recognized as a virus by Sophos

Posted: Tue Jan 25, 2011 5:37 pm
by Guest
CintaNotes Developer wrote:Well maybe I'm being too rigorous here, but I really think that keeping CN as small as possible is an important goal in itself, since its "lightness" is its competitive advantage compared to powerful but bloated apps/services like EverNote. Treading into EverNote's niche would be suicide, there's no chance that CN can survive there. This is also why I'm so picky at the features that get added to CN, and go to extra lengths to ensure that they don't hurt performance.
I agree that it doesn't make much difference if it's 600Kb or 2Mb. But psychologically, it does. Sooner or later CN will be over 1Mb, given current roadmap that's unavoidable, but I'd rather have it later.

You can say that UPX is just a trick and it doesn't change the fact that it is already over 2Mb. Well, maybe you are right. But as I see it: you have two options, each have same startup time and are equally performant (also there're no AV false positives: nowadays all Anti-Virus vendors recognize UPX). One is 600K, the other 2M. Which would you choose?


Why does cintanotes.exe crash if you try to run it after unpacking (i.e., upx.exe -d cintanotes.exe)? That should not happen, should it?

Re: Setup 1.4 is recognized as a virus by Sophos

Posted: Tue Jan 25, 2011 6:34 pm
by ale
Unpacked CintaNotes runs correctly here and did in the past (Windows XP SP3). Which OS are you using?
One simple thing I can add, please make sure you have the LANG subfolder, the executable needs to read UI strings on startup. :)

Re: Setup 1.4 is recognized as a virus by Sophos

Posted: Tue Jan 25, 2011 6:59 pm
by Guest
CintaNotes Developer wrote:Well maybe I'm being too rigorous here, but I really think that keeping CN as small as possible is an important goal in itself, since its "lightness" is its competitive advantage compared to powerful but bloated apps/services like EverNote. Treading into EverNote's niche would be suicide, there's no chance that CN can survive there. This is also why I'm so picky at the features that get added to CN, and go to extra lengths to ensure that they don't hurt performance.
I agree that it doesn't make much difference if it's 600Kb or 2Mb. But psychologically, it does. Sooner or later CN will be over 1Mb, given current roadmap that's unavoidable, but I'd rather have it later.

You can say that UPX is just a trick and it doesn't change the fact that it is already over 2Mb. Well, maybe you are right. But as I see it: you have two options, each have same startup time and are equally performant (also there're no AV false positives: nowadays all Anti-Virus vendors recognize UPX). One is 600K, the other 2M. Which would you choose?


Yes, UPX is just a lame trick and yes, I'd prefer the uncompressed one. Since you probably link statically to sqlite and the C runtime, 2 Mbytes is actually quite small for a single executable program. Don't get me wrong here. I like your program very much and appreciate that you offer it for free. But, perhaps your users should decide: probably most users are able to download upx.exe and do the compressing by themselves (or use NTFS file system compression which is way more transparent to the OS). Alternatively, you could offer two downloads: one compressed and one uncompressed.

Re: Setup 1.4 is recognized as a virus by Sophos

Posted: Tue Jan 25, 2011 8:02 pm
by ale
As a simple user and thinking of simple users, we must remember that these questions have non-technical implications. Offering two versions of essentially the same thing goes against a usability principle. If we had two CintaNotes a user would be confused about which one is better, which one to download and use. Usability says a user must face the absolutely minimal number of questions and choices, only those which are really needed and nothing more, to be up and running. For example we might argue that the 7z compression format is better than zip and thus it would be better to also offer a 7z no-install version, but while these things are true from a technical standpoint I'm pretty sure that a usability test would show that a single choice offers, on average, a more streamlined and satisfying experience.

Re: Setup 1.4 is recognized as a virus by Sophos

Posted: Thu Jan 27, 2011 2:04 pm
by Midas
Guest wrote:
CintaNotes Developer wrote:ale, thanks a lot!

Lesson to learn: please don't use *.exe packers! There is very little benefit for the user, usually just trouble. I'd prefer to have an unpacked cintanotes.exe with its 'true' size of ~1.5 MB. Who cares if cintanotes.exe can be compressed down to 0.5 MB using Upx in the age of hundreds of GBytes harddisks?

I do. :)

EDIT: ... but I tend to agree that packing could be left to the needing users (with some form of packer recommendation, UPX in this case). It's an important feature to anyone who carries executables on a pendrive, where disk space is a premium and which tend to be slower than Hard Drives.

Re: Setup 1.4 is recognized as a virus by Sophos

Posted: Wed Feb 23, 2011 5:48 am
by CintaNotes Developer
Well there's nothing much to add here. I consider that the pros of UPX packing outweigh the negative arguments.
Up to this date there's been no AV false positives because of UPX per se.
UPX allows CN to distance itself even further from EverNote and OneNote, and in general it brings more good than bad to CN users. This is why it will stay as default, and those who would like to have CN in its original form can just unpack with "upx -d cintanotes.exe" and that's it.