Avast is flagging my installer (NSIS 2.50)

Hi,

Avast! keep flagging my installer as suspicious. (Win32:Evo-gen [Susp])
An actual scan of the installer gives a green light, no threat found but if I try to move it or download it Avast! will flag it again and remove it.
This is a problem that I need fixed as soon as possible so the question is, is there anything I can do about it like a specific NSIS version or something? I am pretty sure NSIS is what is being flagged since it only flags the installer.
I have already submitted it as a false positive but it was about a week ago now. I understand that checking all submitted files take a lot of time so I was hoping I could do something myself in the meantime.

The installer is created with NSIS 2.50 with the following plugins
http://nsis.sourceforge.net/NSIS_Simple_Firewall_Plugin (at first I thought this might be the problem but removing it makes no difference)
http://nsis.sourceforge.net/Processes_plug-in

The installer is available here
https://mega.nz/#!iMwWgZzI!zaXoI58aofuVvh9YUp4yxuRHM_yRIJR_7NdypyB-Ct8

A virustotal of the file can be found here
https://www.virustotal.com/en/file/98a0a51ef9bd2ee17dddd59e8b324cbdc3d0a60380a7e9894de1b229c0bda91b/analysis/1451261731/

Updated: I think I managed to compile an installer that does not get flagged. The “solution” was to download an older version NSIS (2.46 in my case) and use that instead.

Why not using the latest version of NSIS ?

Hi all,

thank you for reporting this false positive to us. It will be fixed in the next virus database update.

Best regards!

2.50 is the latest release. I tried the 3 beta as well but with same result.

Great, thanks

Strange.

I have been using the 3.0 B2 for months without a problem.
Just downloaded/installed the 3.0 B3 but not tested it yet.

EDIT:
Tested it with the 3.0 B3 version.
Win32:Eco-gen[Susp] detected when zlib compression is used.
The other compression methods give no detection.

Seems the problem is solved in the 29.12.2015 - 151229-0 vps update.

Hello,

I’m using version 2.46 of NSIS installer for many years to build various setups without any problems.
I have never heared about problems with any AV software.

But now a customer told us that AVAST is flagging a setup as maleware (Win32:Eco-gen[Susp]).

All setups are using the same common NSIS code and will be build with the same NSIS compression settings.
But only one setup will be flagged!

After reading this thread I changed the compressor settings for the affected setup from lzma to zlib an everything works fine again.
No more flagging by AVAST!

BTW:
The latest vps update has no effect for my problem!
Older versions (build with 2.46 and lzma) of the affected setup will not be flagged!

Changing to the latest NSIS installer is planed for the next days.

But now we urgently need to find a solution for the existing setup!
So, how can we send a large setup file to you?
Email is not possible because of length limitation for the attachments.

Regards
jo_ho

How large is it…!?
You can report a suspected FP here: https://www.avast.com/false-positive-file-form.php

Thank you for your fast response!

This page would not work for me because it is limited to 10 MB an my setup is between 120 MB and 200 MB.

Perhaps I can send you a link to our download server from which you can download the setup?

Hello,
you can upload it to our FTP (https://www.avast.com/faq.php?article=AVKB229#idt_300) or send us link to download.

Milos

Hello,
I haved send an email to virus@avast.com 2 weeks ago. Direclty after your post here.
But nothing happens since than!

Is it usual that I get no answer? Do I have to try latest signature updates to see if the problem is solved?

I have now send the email again.
The file is on our download server.

Perhaps some one of your team can help me please.