“Don’t straighten your crown under a plum tree”
An installer is a tool used to install software on a computer. While some simpler software applications can be installed simply by copying the relevant .exe (executable) file into the Program Files folder, in cases where there is a need to write to the computer’s registry or libraries, an installer is required. Today’s story involves an experience I had with an installer I wrote for a piece of software.
Intruder detected?
With the program itself already implemented and tested, all that remained to do was write an installer and uninstaller and prepare for final testing. I wrote the installer, as I always do, and attempted to install the program. This time, however, my anti-virus software threw up an alert (Figure 1).
“You’ve got a cheek, calling my installer a threat,” I thought. However, despite my repeated attempts to install the program, the anti-virus software continued to give me the same warning. The flowchart below gives a simplified overview of the installation process. (Figure 2)
The anti-virus software was identifying my installer as a threat and deleting it completely. However, when I ran the installers associated with other programs, they worked just fine─I was stumped.
I then decided to have the installer simply save the new set of files over the old ones, rather than deleting the old ones first. This time, the anti-virus software did not issue a warning. This meant that it was the deletion of the old files that was causing the problem.
Guilty by suspicion
So just what was it about the deletion process that the anti-virus software found suspicious? To find the answer, I tried deleting the old program files manually, one by one. Thereupon, I discovered that whenever I tried to delete a bitmap (.bmp) file, the virus software would issue an alert. Indeed, none of the other applications installed on the computer used bitmap files. My program, however, used a lot of graphics to aid the setup process, and therefore required the installation of bitmap files in addition to the executable. I had now established that my anti-virus software was generating alerts because it deemed the installer’s attempts to delete old bitmap files to be the work of a virus. I modified the installer so that it would only delete non-bitmap file types and would simply overwrite old bitmap files. The problem was solved.
The anti-virus software defined all software that attempts to delete bitmap files to be viral, an approach I found a little blunt. Perhaps there is a virus out there that attempts to delete bitmap files willy-nilly… I have heard stories of anti-virus software detecting malware (ransomware, at that) on the laptops of Kikusui employees whose owners had returned to Japan after business trips overseas, and only just managing to stop the malware infecting the system. Our anti-virus software therefore does seem to be doing its job. However, I felt that my experience revealed just how unsophisticated anti-virus software is. Or perhaps the “punishment” of all suspicious behaviors is an unavoidable consequence of the fact that anti-virus software is only employed as a last-ditch defense against infection.