Spyware and Trojan warnings for installations created with Wise

Article:TECH12346  |  Created: 2005-09-13  |  Updated: 2009-12-18  |  Article URL http://www.symantec.com/docs/TECH12346
Article Type
Technical Solution


Issue



  1. Critical Object warning when Lavasoft Ad-Ware scans the computer.
  2. Data Miner message when an installation created by WIS 9 and executed on a computer with F-Secure Anti-Virus Client Security.
  3. The following error is displayed while compiling a WiseScript .WSE file:
    "Could not open the file C:\Program Files\Wise Installation System\Progress\WizWin32a.DLL. Please check that this software has been installed properly."
  4. WiseCustomCall.dlls, called from MSI installations are falsely detected as trojan horses by some anti-virus softwares (i.e. Vipre)

Cause



Lavasoft Ad-Aware SE Personal Build 1.x, and F-Secure Anti-Virus Client Security 6.00 have mistakenly identified Wise Installation System files as components of known spyware (BroadcastPC or WhenU.DesktopToolbar ).

Installation of the PC-cillin spyware blocker has also been noted to prevents the Wise Installer from running. It detects the creation of the temporary file as spyware and apparently denies access to the temp folder.


Solution



Lavasoft Ad-Aware SE mistakenly identifies WizWin32a.DLL as a data miner file belonging to 'Broadcast PC'. Ad-Aware may also incorrectly identify Httpin32.DLL as a data miner.

BroadcastPC is a vendor of known ad ware software and is listed on the following sites:
http://sarc.com/avcenter/venc/data/adware.broadcastpc.html
http://www.pestpatrol.com/PestInfo/b/broadcastpc.asp
http://www.securemost.com/articles/trou_3_remove_broadcastpc.htm

WIS 9 uses WizWin32a.DLL for the progress bar during installation. It can be seen on the Progress Bar page of Installation Expert in the Custom Progress Bar DLL field. WIS 9 uses Httpin32.DLL during installs to handle FTP and HTTP downloads during "Copy Local File" actions.

Ad-Aware will also identify 'restart.exe' (default location \Program Files\Wise Installation System\Runtime\Wise) file as belonging to  'WhenU.DesktopToolbar'.

WhenU.DesktopToolbar is listed on the following site:
http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453091138

WIS 9 uses Restart.EXE in conjunction with runtime scripts to restart the computer. Restart.wse is in the same directory as the Restart.EXE file if you need to examine this script.

If Ad-Aware and Wise Installation Systems both exist on the development computer, a Wise Solutions file may be deleted by Ad-Aware.  Deselecting WizWin32a.DLL listed in the "Object" column for removal after Ad-Aware scanning will prevent deletion of these files. To replace missing files, reinstall Wise Installation Systems on the affected computer.

F-Secure AntiVirus Client Security will open a 'Data Miner detected' message when an installation created by WIS 9 is executed. When this message appears, select the radio button next to 'Do Nothing' and click 'Ok'. Selecting 'Quarantine' or 'Delete' will cause the installation to silently fail.

F-Secure- AntiVirus Security uses the portions of Lavasoft's Ad-Aware which is why both products misidentify WIS 9 files as Broadcast PC.

Wise Solutions has contacted Lavasoft to notify them Ad-Aware is mistakenly identifying our files as spyware.

Lastly, WiseCustomCalla.dlls, and WiseCustomCallb.dlls have been falsely identified as trojan horses by Vipre Antivirus. The WiseCustomCall dlls have been tested internally, and are safe.  The Symantec team that supports the Wise products has contacted Vipre Antivirus to notify them that they are mistakenly identifying our files as trojan horses.


Legacy ID



1934


Article URL http://www.symantec.com/docs/TECH12346


Terms of use for this information are found in Legal Notices