Setup 1.4 is recognized as a virus by Sophos

me

Postby me » Mon Jan 24, 2011 11:10 am

It is not possible to install CintaNotes 1.4 with Sophos antivirus running because the setup program is considered a virus (Possibly because of packing).
ale (Moderator)

Re: Setup 1.4 is recognized as a virus by Sophos

Postby ale » Mon Jan 24, 2011 12:17 pm

Yes, it seems Sophos recognizes the installer as "Mal/HckPk-A", which on the Sophos site is described as "Mal/HckPk-A is a program that has been packed with a protection system typically used by malware authors", so it really seems to be because of the packer.

CintaNotes, as far as I remember, uses UPX for compression, so nothing really strange. Anyway, these are heuristic detections, just a guess by the antivirus, so they are prone to false positives, as in this case.

I submitted the file to Sophos as a false positive. I'll post more news if/when I have them.
CintaNotes Developer (Site Admin)

Re: Setup 1.4 is recognized as a virus by Sophos

Postby CintaNotes Developer » Mon Jan 24, 2011 12:28 pm

ale, thanks a lot!
Alex
Guest

Re: Setup 1.4 is recognized as a virus by Sophos

Postby Guest » Mon Jan 24, 2011 12:42 pm

CintaNotes Developer wrote:ale, thanks a lot!


Lesson to learn: please don't use *.exe packers! There is very little benefit for the user, usually just trouble. I'd prefer to have an unpacked cintanotes.exe with its 'true' size of ~1.5 MB. Who cares if cintanotes.exe can be compressed down to 0.5 MB using UPX in the age of hundreds of GBytes hard disks?
CintaNotes Developer (Site Admin)

Re: Setup 1.4 is recognized as a virus by Sophos

Postby CintaNotes Developer » Mon Jan 24, 2011 12:45 pm

Guest wrote:
CintaNotes Developer wrote:ale, thanks a lot!


Lesson to learn: please don't use *.exe packers! There is very little benefit for the user, usually just trouble. I'd prefer to have an unpacked cintanotes.exe with its 'true' size of ~1.5 MB. Who cares if cintanotes.exe can be compressed down to 0.5 MB using UPX in the age of hundreds of GBytes hard disks?


Actually UPX is so well-known and popular that I seriously doubt that Sophos is reacting on it, more probably it is reacting to the Inno Setup LZMA compressor. This is why it flags only the installer version of CN.
Alex
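The post above hinges on whether the flagged file is UPX-packed at all or was flagged for some other reason. As an added example (not CintaNotes code, and not what Sophos does), the Python below uses only the standard library to read a PE file's section table, report each section's name and byte entropy, and check for the UPX0/UPX1 section names that UPX writes by default; a user can run `pe_sections()` on a flagged file to see whether the packer heuristic even applies. The PE image it parses is constructed inline and is not a loadable binary.

```python
import math
import struct

SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER layout, 40 bytes

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 means compressed/encrypted, close to 0 means padding."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pe_sections(image: bytes):
    """Parse the section table of a PE image into [(name, raw_size, entropy)]."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size            # section headers follow the optional header
    out = []
    for i in range(num_sections):
        name, _, _, raw_size, raw_ptr = struct.unpack_from(SECTION_HDR, image, table + 40 * i)[:5]
        name = name.rstrip(b"\0").decode("ascii", "replace")
        out.append((name, raw_size, shannon_entropy(image[raw_ptr:raw_ptr + raw_size])))
    return out

def looks_upx_packed(sections) -> bool:
    """UPX names the sections it creates UPX0 and UPX1 by default."""
    names = {name for name, _, _ in sections}
    return {"UPX0", "UPX1"} <= names

def build_sample_pe(sections):
    """Constructed minimal PE image for testing (no optional header, not runnable as a program)."""
    hdr_len = 64 + 4 + 20 + 40 * len(sections)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew at 0x3C points to 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    table, raw = b"", b""
    for name, payload in sections:
        table += struct.pack(SECTION_HDR, name.encode(), len(payload), 0x1000,
                             len(payload), hdr_len + len(raw), 0, 0, 0, 0, 0x60000020)
        raw += payload
    return dos + b"PE\0\0" + coff + table + raw

# Constructed UPX-like layout: UPX0 has no bytes on disk, UPX1 carries the high-entropy payload.
SAMPLE_IMAGE = build_sample_pe([("UPX0", b""), ("UPX1", bytes(range(256)) * 4), (".rsrc", b"\0" * 512)])
```

A file with no UPX sections but a high-entropy blob elsewhere is a sign that whatever tripped the heuristic is not UPX.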
Guest

Re: Setup 1.4 is recognized as a virus by Sophos

Postby Guest » Mon Jan 24, 2011 1:25 pm

CintaNotes Developer wrote:
Guest wrote:
CintaNotes Developer wrote:ale, thanks a lot!


Lesson to learn: please don't use *.exe packers! There is very little benefit for the user, usually just trouble. I'd prefer to have an unpacked cintanotes.exe with its 'true' size of ~1.5 MB. Who cares if cintanotes.exe can be compressed down to 0.5 MB using UPX in the age of hundreds of GBytes hard disks?


Actually UPX is so well-known and popular that I seriously doubt that Sophos is reacting on it, more probably it is reacting to the Inno Setup LZMA compressor. This is why it flags only the installer version of CN.


That's right, Sophos complains only about the setup file, not about 'cintanotes.exe'. But what's the point of compressing 'cintanotes.exe' anyway (other than showing off: "see, our executable is that tiny...")? Nobody is using floppy disks anymore, and even the smallest USB drives easily have >=128 MBytes. It simply makes no sense (to me, anyway), even as a potential means of software protection.
ale (Moderator)

Re: Setup 1.4 is recognized as a virus by Sophos

Postby ale » Tue Jan 25, 2011 9:58 am

I received a response from Sophos; the relevant excerpt says:

SophosLabs has analyzed the submitted file(s) and have determined it is a false positive detection.

* CintaNotes_1_4_Setup.exe -- identity created/updated
* sample.tmp -- can be authorised

Please update Sophos Anti-Virus and clear any alerts related to this file from the Quarantine Manager. The file will no longer be detected.
CintaNotes Developer (Site Admin)

Re: Setup 1.4 is recognized as a virus by Sophos

Postby CintaNotes Developer » Tue Jan 25, 2011 11:21 am

Guest wrote: That's right, Sophos complains only about the setup file, not about 'cintanotes.exe'. But what's the point of compressing 'cintanotes.exe' anyway (other than showing off: "see, our executable is that tiny...")? Nobody is using floppy disks anymore, and even the smallest USB drives easily have >=128 MBytes. It simply makes no sense (to me, anyway), even as a potential means of software protection.

Well, maybe I'm being too rigorous here, but I really think that keeping CN as small as possible is an important goal in itself, since its "lightness" is its competitive advantage compared to powerful but bloated apps/services like EverNote. Treading into EverNote's niche would be suicide; there's no chance that CN can survive there. This is also why I'm so picky about the features that get added to CN, and go to extra lengths to ensure that they don't hurt performance.
I agree that it doesn't make much difference if it's 600Kb or 2Mb. But psychologically, it does. Sooner or later CN will be over 1Mb; given the current roadmap that's unavoidable, but I'd rather have it later.

You can say that UPX is just a trick and it doesn't change the fact that it is already over 2Mb. Well, maybe you are right. But as I see it, you have two options, each with the same startup time and equally performant (also there are no AV false positives: nowadays all Anti-Virus vendors recognize UPX). One is 600K, the other 2M. Which would you choose?
Alex
CintaNotes Developer (Site Admin)

Re: Setup 1.4 is recognized as a virus by Sophos

Postby CintaNotes Developer » Tue Jan 25, 2011 11:31 am

ale wrote: I received a response from Sophos; the relevant excerpt says:

SophosLabs has analyzed the submitted file(s) and have determined it is a false positive detection.

* CintaNotes_1_4_Setup.exe -- identity created/updated
* sample.tmp -- can be authorised

Please update Sophos Anti-Virus and clear any alerts related to this file from the Quarantine Manager. The file will no longer be detected.

That's great!
Alex
Guest

Re: Setup 1.4 is recognized as a virus by Sophos

Postby Guest » Tue Jan 25, 2011 5:37 pm

CintaNotes Developer wrote: Well, maybe I'm being too rigorous here, but I really think that keeping CN as small as possible is an important goal in itself, since its "lightness" is its competitive advantage compared to powerful but bloated apps/services like EverNote. Treading into EverNote's niche would be suicide; there's no chance that CN can survive there. This is also why I'm so picky about the features that get added to CN, and go to extra lengths to ensure that they don't hurt performance.
I agree that it doesn't make much difference if it's 600Kb or 2Mb. But psychologically, it does. Sooner or later CN will be over 1Mb; given the current roadmap that's unavoidable, but I'd rather have it later.

You can say that UPX is just a trick and it doesn't change the fact that it is already over 2Mb. Well, maybe you are right. But as I see it, you have two options, each with the same startup time and equally performant (also there are no AV false positives: nowadays all Anti-Virus vendors recognize UPX). One is 600K, the other 2M. Which would you choose?


Why does cintanotes.exe crash if you try to run it after unpacking (i.e., upx.exe -d cintanotes.exe)? That should not happen, should it?
ale (Moderator)

Re: Setup 1.4 is recognized as a virus by Sophos

Postby ale » Tue Jan 25, 2011 6:34 pm

Unpacked CintaNotes runs correctly here, and did in the past (Windows XP SP3). Which OS are you using?
One simple thing I can add: please make sure you have the LANG subfolder; the executable needs to read the UI strings on startup. :)
Guest

Re: Setup 1.4 is recognized as a virus by Sophos

Postby Guest » Tue Jan 25, 2011 6:59 pm

CintaNotes Developer wrote: Well, maybe I'm being too rigorous here, but I really think that keeping CN as small as possible is an important goal in itself, since its "lightness" is its competitive advantage compared to powerful but bloated apps/services like EverNote. Treading into EverNote's niche would be suicide; there's no chance that CN can survive there. This is also why I'm so picky about the features that get added to CN, and go to extra lengths to ensure that they don't hurt performance.
I agree that it doesn't make much difference if it's 600Kb or 2Mb. But psychologically, it does. Sooner or later CN will be over 1Mb; given the current roadmap that's unavoidable, but I'd rather have it later.

You can say that UPX is just a trick and it doesn't change the fact that it is already over 2Mb. Well, maybe you are right. But as I see it, you have two options, each with the same startup time and equally performant (also there are no AV false positives: nowadays all Anti-Virus vendors recognize UPX). One is 600K, the other 2M. Which would you choose?


Yes, UPX is just a lame trick and yes, I'd prefer the uncompressed one. Since you probably link statically to sqlite and the C runtime, 2 Mbytes is actually quite small for a single executable program. Don't get me wrong here. I like your program very much and appreciate that you offer it for free. But, perhaps your users should decide: probably most users are able to download upx.exe and do the compressing by themselves (or use NTFS file system compression which is way more transparent to the OS). Alternatively, you could offer two downloads: one compressed and one uncompressed.
ale (Moderator)

Re: Setup 1.4 is recognized as a virus by Sophos

Postby ale » Tue Jan 25, 2011 8:02 pm

As a simple user, and thinking of simple users, we must remember that these questions have non-technical implications. Offering two versions of essentially the same thing goes against a usability principle. If we had two CintaNotes, a user would be confused about which one is better, which one to download and use. Usability says a user must face the absolutely minimal number of questions and choices, only those which are really needed and nothing more, to be up and running. For example, we might argue that the 7z compression format is better than zip and thus it would be better to also offer a 7z no-install version, but while these things are true from a technical standpoint, I'm pretty sure that a usability test would show that a single choice offers, on average, a more streamlined and satisfying experience.
Midas (Moderator)

Re: Setup 1.4 is recognized as a virus by Sophos

Postby Midas » Thu Jan 27, 2011 2:04 pm

Guest wrote:
CintaNotes Developer wrote:ale, thanks a lot!

Lesson to learn: please don't use *.exe packers! There is very little benefit for the user, usually just trouble. I'd prefer to have an unpacked cintanotes.exe with its 'true' size of ~1.5 MB. Who cares if cintanotes.exe can be compressed down to 0.5 MB using UPX in the age of hundreds of GBytes hard disks?

I do. :)

EDIT: ... but I tend to agree that packing could be left to the users who need it (with some form of packer recommendation, UPX in this case). It's an important feature for anyone who carries executables on a pendrive, where disk space is at a premium and which tends to be slower than hard drives.
CintaNotes Developer (Site Admin)

Re: Setup 1.4 is recognized as a virus by Sophos

Postby CintaNotes Developer » Wed Feb 23, 2011 5:48 am

Well, there's not much to add here. I consider that the pros of UPX packing outweigh the negative arguments.
Up to this date there have been no AV false positives because of UPX per se.
UPX allows CN to distance itself even further from EverNote and OneNote, and in general it brings more good than bad to CN users. This is why it will stay as the default, and those who would like to have CN in its original form can just unpack it with "upx -d cintanotes.exe" and that's it.
Alex