Syncthing Windows Setup v1.22.2

Syncthing Windows Setup is a lightweight yet full-featured Windows installer.

Documentation and download: GitHub - Bill-Stewart/SyncthingWindowsSetup: Syncthing Windows Setup

Changes from previous release:

  • Installs the ARM64 version of syncthing.exe on that platform

  • Mozilla Public License (MPL) shows in installer as informational only rather than as a license agreement that requires acceptance

Reminder to users: If your security software flags the installer as malware, please submit it to your vendor as a false-positive.

2 Likes

Good news: The false positive detections on VirusTotal for this version of the installer are much lower. As I write this, only 3 of its anti-malware engines detect a false positive:

  • Dr.Web - Tool.InstSrv.3
  • ESET-NOD32 - A Variant Of Win32/NSSM.D Potentially Unsafe
  • Fortinet - Riskware/NSSM

To rectify these false positives, I have attempted to contact all three vendors in the hope that they will remove these bogus detections.

The only one of the three that has not yet responded is ESET. I haven’t been able to find an online submission form for submitting false positives to ESET; instead I have sent several emails to samples AT eset.com. These emails have so far been completely ignored as far as I can tell.

Is anyone running ESET on Windows who can submit syncthing-1.22.2-setup.exe to them as a false positive?

1 Like

In regard to the Dr.Web detection, this is the response I received from the vendor:

Hello. It is not your software that we detect; it is the 3rd party tool nssm.exe, compiled into your package. Please note that we use the “Tool” verdict for non-malicious files which can potentially be used by malware. In the case of nssm.exe, it is known to have been used by malicious programs to start them as services. In case a user installed this software intentionally, they are free to turn off the detection of “Tools” in their Antivirus settings.

In other words, Dr.Web complains about this installer because it uses NSSM for a legitimate purpose. I have responded to them that using NSSM does not automatically mean the software is malware. (This would, of course, be absurd.) We’ll see what they say.

I am still awaiting responses from ESET (they have so far ignored my emails) and Fortinet in regard to their false positive detections.

1 Like

Roll the dice and you’ll get a more accurate rating than from the average AV vendor. I hate the snake oil merchants guild with a passion :)

1 Like

Fortinet has now removed their detection of the installer, leaving only Dr.Web and ESET-NOD32. As I write this, the false positive rate for the installer is less than 3% on VirusTotal, which might be as good as we can get.

Note that in both of these cases, these anti-malware products are warning about the use of NSSM. In the case of this installer, this particular warning is rather silly, because the whole point of installing as administrator is to run Syncthing as a service using NSSM. (I have also pointed out to them that if the user doesn’t install as administrator then NSSM is not involved.)

In any case, hopefully this helps others use this installer without being pointlessly blocked by an anti-malware product.

1 Like