
I am appending my installer name with the version number, as in "progname_setup_1.1.5678.9101.exe". I like it because it makes it easy for me to track and for the user to identify it from prior downloads. This is an Inno Setup build of a .NET program, and it is signed (if that matters).

That means the file name will change with each update. Will this practice increase the chances of false positive flags by antivirus software? If I kept the same file name (e.g., progname_setup.exe), perhaps the file would get a chance to build a reputation, even though version numbers would change inside. Or maybe antivirus doesn't work like that at all.

So, what is the best approach for file naming regarding antivirus: progname_setup_1.1.5678.9101.exe, progname_setup.exe, or it doesn't matter?

  • Antivirus programs definitely give weight to the name of the file, yes. How much will it affect your application? I am not sure. – PhistucK May 06 '14 at 14:40
  • [Filename occasionally makes a difference to an AV](http://stackoverflow.com/questions/22926360/malwarebytes-gives-trojan-warning-for-basic-c-sharp-hello-world-program/22926407#22926407). [Even Windows sometimes treats files differently based on filename](http://stackoverflow.com/questions/23020626/mingw-c-program-with-setup-in-its-name-wont-run-windows-7). But you should probably be okay keeping the version number in your filename (`progname_setup_1.1.5678.9101.exe`); I've seen a lot of apps do this. Be aware you might set off a "double extension" warning, though (`.9101.exe`). – cf- May 06 '14 at 14:42
  • Since this isn't about programming anti-virus software, you'll probably get better answers over at [security.se]. – mabi May 07 '14 at 14:11
  • This question appears to be off-topic because it is about anti-virus software, not programming; it might fit on http://security.stackexchange.com/ – bummi Jan 01 '15 at 18:55

1 Answer


I really can't speak for "all" antivirus engines, but the good ones really don't use the file name as an indicator of anything because it's just too unreliable. Think about it: if an AV definition file said, "FOO.EXE == Malicious Virus", all the malware writer would have to do is constantly change the file name.

AV engines, at least the good ones, work by looking for bit patterns inside the body of the file; usually specific bit patterns that can exist anywhere in the file. Now, you don't have to take my word for it; check out the ClamAV signature database docs and you will see that "file name" or any other file metadata (like size, perms, etc.) are not even something you can specify in a signature.

https://github.com/vrtadmin/clamav-devel/blob/master/docs/signatures.pdf

You can also run your samples via scanii's web scanning tool https://scanii.com/free-virus-scan/ if you would like to be certain that they should not trigger a false positive (disclaimer: scanii is my pet project).

Rafael Ferreira
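The body-pattern matching described in the answer above, as an added example that is not part of the original answer and not ClamAV's code: a scanner for a small subset of ClamAV's extended signature layout (`MalwareName:TargetType:Offset:HexSignature`), run over the same bytes under both installer names from the question. The signature name, the hex pattern and the sample bodies are constructed for illustration.

```python
import re

# Constructed signature line: hex bytes, ?? = any one byte, * = any run of bytes.
SAMPLE_DB = "Example.Test.Marker:0:*:deadbeef??cafe*4d41524b"

# Constructed sample bodies (not real installers).
FLAGGED = b"MZ" + b"\x00" * 16 + bytes.fromhex("deadbeef11cafe") + b"padding" + b"MARK"
CLEAN = b"MZ" + b"\x00" * 16 + b"ordinary installer bytes"


def compile_hex_signature(hexsig):
    """Translate a hex body signature into a compiled bytes regex."""
    parts = []
    i = 0
    while i < len(hexsig):
        if hexsig[i] == "*":
            parts.append(b".*?")          # any number of bytes
            i += 1
        elif hexsig[i:i + 2] == "??":
            parts.append(b".")            # exactly one arbitrary byte
            i += 2
        else:
            # Literal byte; bytes.fromhex raises ValueError on malformed input.
            parts.append(re.escape(bytes.fromhex(hexsig[i:i + 2])))
            i += 2
    return re.compile(b"".join(parts), re.DOTALL)


def load_signatures(db_text):
    """Parse signature lines into (name, compiled pattern) pairs."""
    sigs = []
    for line in db_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _target, offset, hexsig = line.split(":")[:4]
        if offset != "*":
            raise ValueError("this example only supports offset '*' (anywhere)")
        sigs.append((name, compile_hex_signature(hexsig)))
    return sigs


def scan(file_name, body, sigs):
    """Return names of matching signatures; file_name is never consulted."""
    return [name for name, pattern in sigs if pattern.search(body)]


if __name__ == "__main__":
    sigs = load_signatures(SAMPLE_DB)
    for fname in ("progname_setup.exe", "progname_setup_1.1.5678.9101.exe"):
        print(fname, scan(fname, FLAGGED, sigs), scan(fname, CLEAN, sigs))
```

Both file names produce the same verdict for the same bytes, because a content signature of this kind only ever sees the file body.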