Issue
When trying to launch the installation of a CVP or CSVP (v 8.9.17.2) some anti virus generate an alert about a possible malware in the package.
The installation is then impossible.
What system is impacted?
Only the CVP and CSVP version 8.9.17.2, bundled in Celiveo R9SP4, are impacted.
What is happening?
Celiveo is protecting the CVP binary code using signature and obfuscation agents
In June 2022 Celiveo has moved to the .Net Reactor high performance obfuscation engine.
Unfortunately it is apparently so efficient in masking code that some anti-virus consider that to be the trademark of a malware, which it is not.
The alert from those antivirus is a false positive, they believe our obfuscated code could be a malware trying to hide itself.
Is my system at risk?
Those alerts are false positives and no system is at risk.
Your security is very important to Celiveo and we follow strict rules and security protocols before releasing any version of Celiveo.
All our builds parts are passed through 4 security steps:
- Static Application Security Testing (SAST) with SonarQube
- Dynamic Application Security Testing (DAST), with OWASP ZAP
- Software Composition Analysis (SCA), with OWASP dependency-check
- Final anti malware and anti-virus, with BitDefender
Don't hesitate to contact our support would you have any question or concern about the packages.
Solution
If your anti virus is blocking the installation of the CVP/CSVP package, you can upgrade to CVP version R9SP5 (8.9.21.2) released in October 2022, it uses another other security technology to avoid triggering False Positive alerts.