I've seen security products do strange things on Windows, recently Windows 2003 servers for a third party web application (written in .net, double yuck) was being 'prohibited' by the clients enterprise security suite. Our clients had already paid (another company) for the web app, the vendor had not received any feedback from other users regarding this issue. In the end since the clients 'security' department had no idea what their enterprise tool (McAfee) was telling them, or how it to work it properly, they ended up adding an exception so that rather than prohibit the app for running, a warning (that nobody in their organisation ever looks at) was raised.

Have you tried authorizing 'suspicious' items:?

"When Sophos Anti-Virus for Windows 2000+, version 7 and above, displays an alert about a suspicious file or suspicious behavior, you can authorize the item either for the individual computer or for a group of computers on your network."

False positives are apparently not terribly rare within such tools. It may be worth checking with the Sophos site, I'm sure you won't be the only person having such problems.

Update: Incidentally one of the overnight updates to McAfee started to quarantine a the contents /System32 on our clients network, due to an error in the update file they deployed. Remember that everyone makes mistakes :)

Martin

Thanks for your comments marto!

Yes, we know how to authorize suspicious behavior items but it requires 1) knowledge of how to do it and 2) authorization from IT. - and - Yes, Sophos is the king of false positives - according to some comparisons it detects over 10-100x as many false positives as competitors.

The software that I am referencing is getting frequent updates and though we can get the authorizations to do the exceptions, it is a general pain-in-the-rear and makes distribution significantly more difficult. I was hoping for a general solution that doesn't trigger Sophos every time.

My guess is that the Sophos detection may be a result of the way PAR::Packer does a two-step by first unpacking the software and then running the thing it unpacked.

Dave

Sophos doesn't have to kill every process that is identified as suspicious. Ask if your IT will change the behavior from blocking to simply warning. If I'm not mistaken, the default Sophos policy for suspicious files is "Do nothing" (other than warn and log), so a "general solution" would be to go back to the default policy. Only if your industry is very sensitive, like finance or medical records, would blocking by default seem like the best policy. Around here, 100% of "suspicious" stuff has turned out to be benign, so we just warn, log, and authorize (so that warning and log noise goes away).

Create a little EXE file using any language other than perl (if you can't, I'm sure many people here - including me - will help you) which either runs perl.exe to start your program (I didn't use PAR myself until now, it may be able to start your program out of the PAR file or you may need to provide an extracted version) or launch a small Perl program which downloads your program from a secure, local web server and eval()s it.

Again: This is no good thing at all, it isn't a real solution, but most of the time, noone is interested, _why_ something isn't working. Even worst if your applications are company critical: They must run, even if there are some very negative issues for a short time.

PS: If you don't need the Windows API, maybe a (Windows or Java-Website-integrated) Telnet client would also do the job. Just set up or use a linux server which provides your applications one per port.

Cava is just a frontend for PAR. Perlapp and perl2exe work in a similar fashion, but you might get lucky.

Cava is just a frontend for PAR...

It is? Prove it to me, please.

LOL! Got confused, Cava author contributes to PAR... Cava is win32 only .