Trojan warning with AVG

Well.. it appears that 5.11 "has the virus" however 5.14 doesn't trigger it..

Edited by bone

Signing the DLL did not help in fact (stupid AVG).

In any case, I have contacted AVG and then have corrected the issue.

Certs are somewhat cheap, and will most or less be required for any software you want to install in Vista as otherwise big red flags will be raised.

Code signing can be done with any General Pupose cert or Code signing certificate. It basically is just to sign exe and dll files.
Our company uses Thwate, one of the original root certs doing code signing, along with Veri$ign (they were the only 2 for a long time)
http://www.thawte.com/ssl-digital-certificates/code-signing/index.html

Geotrust sells them too:
http://geotrust.com/products/signing_services/code_signing.asp
I'me never been impressed with Geotrust, so we don't use them.

And of course, if you can afford it, Verisign is the obvious choice:
http://www.verisign.com/products-services/security-services/code-signing/digital-ids-code-signing/index.html

Personally, Thwate is a good mix of price and acceptability. Non-signed exes and installers will raise flags in XP SP2 and Vista (more obvious in Vista) that the file is from an unknown source. It is becoming standard practice to sign all packages to auth. its origin (e.g. your company)

You don't NEED to use special tools to sign code, there is a tool called codesign.exe and signtool.exe that came in the Windows SDK from Microsoft which you can use to sign projects.

Some installers, such as Advanced Installer, which is what we use, supports signing your installers as you compile them.

It really is a shame that almost all projects need to be signed now, as it really is just a money making machine for cert providers... as the certs really only ensures that the company with which you are dealing made the installer... it doesn't authenticate anything ABOUT the organization (fraudulent, trying to trick users with a common name, with slight variations, etc)

Any will work. Win 2003 should work just fine. Please note though that signtool.exe may in a bin directory. You will most likely want to copy the exe OUT of that directory to somewhere else on your computer. The reason for this is that if you are using something like Win 2k, the dll apis in that same bin directory as signtool.exe will NOT be compatible with it. So the ref dir order being: local, system32, win, ... signtool.exe will ref the newer dll files in the same dir as it (instead of the ones it should call in your sys32 dir, causing these api functions to error. In short, do yourself a favor and copy the exe to something like ur desktop or C:\ dir (as you will need to ref it via command line).

No. And this generally only works for installers (and in Win XP SP2 when running installers) and other files not installed with an MSI (as in Windows really all things should be MSI'ed these days.. there is little reason not to, older install systems are just messy, unaccountable, and often can't even repair themselves.

What signing an exe (or msi or dll or ocx or cab etc) installer or downloaded file, the "ugly" Vista warning will come up telling you that a non-trusted app wants to execute.

Having a cert gives this screen two new important things:
(1) it now displays WHO made this app as well as a link to a website you can optionally provide to give information
(2) it now allows the user the option "trust" your digital signature and hence your software in the future will NOT show that "ugly" Vista warning

In Win XP SP2, these dialogs and improvements are similar, however the dialog is smaller, less obtrusive (doesn't gray out the rest of the screen etc)

Hi Chris!

It's on the way to you ;-)

Best regards,
Ingo

I think you guys should check out http://www.opswat.com/ there are 2 or 3 products that may be a match. I think that OESIS Framework at http://www.opswat.com/products/oesis-framework provides a single interface to many antivirus and AVG is in that list. Another option is, I think, Metascan at http://www.opswat.com/products/metascan which is more for ISV.
I also found that AVG is certified by OPSWAT at http://www.opswat.com/certified.

I hope this helps.
Regards,

Edited by Mark G. - 07 Oct 11 at 1:29AM