Advantrack Fleet Tracking software updates generating Evo-Gen False Positive

I’m a software developer with World GPS Solutions. We create the Fleet Tracking software for our sister company Advantrack. We distribute our fleet tracking software via Microsoft’s ClickOnce installer. Recently we have been getting support calls every time we update our software. Avast is flagging an evo-gen false positive which is forcing our customers to completely uninstall and reinstall our application. We would very much like to know how we can resolve this situation. The application installs correctly the first time, but it is the ClickOnce updates which trigger Avast to disable our app. Details from our customer service have been slow to reach us, the developers, so we are not sure which version of Avast or perhaps which version of Windows OS may be causing the problem. We’ve so far had no luck reproducing the problem on our internal network using virtual machines running Avast Free, so tomorrow we’ll start deploying to an internet test server using the exact same methods our clients use to install and receive updates.

We currently sign our manifest with a certificate from a trusted CA. Do we need to ensure the executable is also signed? Or should all our .dlls be signed? Is there something about the ClickOnce publishing process we need to change to make Avast not throw a false positive?

Can we be white-listed? While this would be great, it would be even better if we knew some technical details about Evo-Gen and how to avoid falling prey to it in the future. So far, of all the malware protection software out there, only Avast has generated a false positive for our application.

We’re looking for a solution where we disrupt our mutual customers as little as possible.

https://blog.avast.com/tag/false-positive/

We’ve been able to reproduce the error now using Avast Free, and that should help us as we try to solve the problem. Actually, Avast has thrown both an Evo-Gen on one install and a DRep on the next. We should be able to get rid of the latter by strong signing our executable and hopefully that will clear up the Evo-Gen problem too.

You can report issues here: https://support.avast.com/

Issue now appears to be resolved. When using Visual Studio 2008 to Publish via ClickOnce (we have to support an older .NET 3.5 app) and you digitally sign your manifest with your certificate, it doesn’t sign your executable. It seems that both Win8 smart screen filter and Avast don’t care for that. So we now manually sign our application executable and then regenerate our application and deployment manifests.

With ClickOnce, it checks the digital signature on the deployment manifest to ensure that the application manifest hasn’t changed, then hashes every file in the deployment and verifies that it matches the hash stored in the application manifest (which includes the executable). So even without any other digital signatures or strong naming (which add even more public keys and digital sig’s to the manifest), there shouldn’t be any way for these files to be tampered with or the hashes wouldn’t come out right. But I guess Avast doesn’t understand how ClickOnce really works and can’t perform this validation itself and instead sometimes throws a false positive.

There was a moment there where we were worried because our application wouldn’t update to the new ClickOnce version, but then we discovered that the way we were manually rebuilding the manifests with the mage.exe tool was the culprit.

I would like to point out that even though we opened a support ticket with Avast, we never got a response from them. So I hope this post helps others.
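
The per-file hash check described in the post above, as an added example that is not part of the original thread: it recomputes each file's size and digest from a ClickOnce application manifest and compares them, which is one way to confirm the manifests were regenerated after the executable was signed. The function names, the sample file names and the set of accepted digest URIs are assumptions, and the manifest's own XML signature is not validated here.

```python
import base64, hashlib, tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

ASM2 = "{urn:schemas-microsoft-com:asm.v2}"
DSIG = "{http://www.w3.org/2000/09/xmldsig#}"
# Digest URIs accepted here (assumption: extend if your manifests use others).
ALGS = {"http://www.w3.org/2000/09/xmldsig#sha1": "sha1",
        "http://www.w3.org/2000/09/xmldsig#sha256": "sha256"}

def check_manifest(manifest, app_dir):
    """Map each manifest entry to 'ok', 'missing', 'size', 'hash' or 'unknown-alg'."""
    root, results = ET.parse(manifest).getroot(), {}
    # Assemblies are dependentAssembly/@codebase; other files are file/@name.
    entries = [(e, e.get("codebase")) for e in root.iter(ASM2 + "dependentAssembly")]
    entries += [(e, e.get("name")) for e in root.iter(ASM2 + "file")]
    for elem, rel in entries:
        method = elem.find(f"{ASM2}hash/{DSIG}DigestMethod")
        digest = elem.find(f"{ASM2}hash/{DSIG}DigestValue")
        if rel is None or method is None or digest is None:
            continue  # prerequisite entries carry no codebase or hash
        path = Path(app_dir).joinpath(*rel.replace("\\", "/").split("/"))
        if not path.exists():
            path = path.with_name(path.name + ".deploy")  # optional published suffix
        alg = ALGS.get(method.get("Algorithm"))
        if alg is None:
            results[rel] = "unknown-alg"
        elif not path.exists():
            results[rel] = "missing"
        else:
            data = path.read_bytes()
            size_ok = elem.get("size") in (None, str(len(data)))
            hash_ok = hashlib.new(alg, data).digest() == base64.b64decode(digest.text or "")
            results[rel] = "ok" if size_ok and hash_ok else ("size" if not size_ok else "hash")
    return results

def demo():
    """Constructed one-file app, checked before and after the exe is modified."""
    d, body = Path(tempfile.mkdtemp()), b"constructed exe bytes"
    (d / "App.exe").write_bytes(body)
    b64 = base64.b64encode(hashlib.sha1(body).digest()).decode()
    (d / "App.exe.manifest").write_text(
        '<assembly xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">'
        f'<dependency><dependentAssembly codebase="App.exe" size="{len(body)}"><hash>'
        '<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>'
        f'<dsig:DigestValue>{b64}</dsig:DigestValue></hash></dependentAssembly></dependency></assembly>')
    before = check_manifest(d / "App.exe.manifest", d)
    (d / "App.exe").write_bytes(body + b"+signature")  # stands in for signing after the manifest was built
    return before, check_manifest(d / "App.exe.manifest", d)
```

Run `check_manifest` against the publish folder after signing and regenerating the manifests; any result other than `ok` means the application manifest no longer describes the files on disk.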