Autoupdater should use a consistent filename for the exe so that it can be excluded from windows virus scanning about ckan HOT 14 CLOSED

This is set here:

from ckan.

FYI, I just tried setting up such an exclusion, and I'm not sure it actually works the way hoped for here:

1. Start → Settings
2. Update & Security
3. Windows Security
4. Virus & threat protection
5. Virus & thread protection settings → Manage settings
6. Add an exclusion
7. Since no download is in progress, I entered: %TEMP%\ckan.exe for testing

It looks like it only works for specific files that actually exist, not just a list of paths, which means you would have to navigate through these steps while CKAN was in the middle of downloading an auto-update, since as soon as it's done it will be moved to replace the running ckan.exe (if it isn't deleted by Defender). At my current typical network speeds this would give me about 0.2 seconds to react. I haven't tested that, but if such a file changes, I suspect it would no longer be considered the same file, and the exclusion would no longer apply.

And notably, there is no support for globs, which could be needed if we have to download to %TEMP%\ckan-<UUID>.exe to handle collisions.

from ckan.

Can't you just enter ckan.exe as the exclusion?

Ah, yeah, try doing "process" and entering ckan.exe:

from ckan.

Can't you just enter ckan.exe as the exclusion?

Not successfully. "Add an exclusion" drops down this dropdown:

Clicking "File" brings up a File Open popup, not an "enter a string" popup.

It says this:

Ah, yeah, try doing "process" and entering ckan.exe:

But that would only work for a process, right? The message shown in the OP here is just for a file that has not even been run yet (C:\Users\Jon\AppData\Local\Temp\449e655d-f7ad-4de7-a352-85d26e33c81f.exe), so it's not a process.

from ckan.

Ah right...hmm... docs are here: https://support.microsoft.com/en-us/topic/how-to-add-a-file-type-or-process-exclusion-to-windows-security-e524cbc2-3975-63c2-f9d1-7c2eb5331e53

The new exe is created by the old ckan.exe process right? Oh! It's not!

from ckan.

1. Old exe downloads new ckan.exe and the updater exe to temp folder
2. Old exe runs the updater and passes it the path to the old and new ckan.exe
3. Old exe closes
4. Updater replaces ckan.exe with the new file
5. Updater runs the new ckan.exe and closes

I am guessing that the Defender message in the OP happens in step 1 (since that corresponds to when Defender auto-deleted the download for me when I tried it with a browser). Please add more details if there's reason to doubt that.

from ckan.

Is there a good way to test this process? I don't have older exes to run

from ckan.

oh heh there was a new dev build just put out. So I already had ckan.exe added as a process exclusion, and I added AutoUpdate.exe this time, and it seems to have worked!

However it's possible that defender just didn't detect a problem this time.

from ckan.

Adding AutoUpdate.exe wouldn't do anything, since the file is never renamed to that. It's executed at its temp file location.

from ckan.

I think this is what I eventually turned off to work around Defender's very high false positive rate:

from ckan.

ok, so maybe the issue should be "ckan.exe should download the autoupdate.exe to a consistent filename." e.g. temp<guid>\ckan-autoupdate.exe. Then you can add ckan-autoupdate.exe and ckan.exe as process exclusions and it should work? maybe?

from ckan.

That would help if the problem happens after the updater is executed.

It would not help if it happens after the download step, before execution. So far that seems more likely to me.

from ckan.

According to the docs, the file created by ckan.exe should be excluded from scanning.

Oh...but that should have already been happening for me, since I had ckan.exe added. hm. but maybe it got scanned after ckan.exe closed?

The docs on process exclusions look interesting, regarding folders and environment variables...

from ckan.

I'm thinking the best we can do here is to auto-launch a URL for a new wiki when the user clicks "Use dev builds" (on Windows) that explains Defender's false positives, how to turn off "reputation-based protection 🤮", and the attendant risks, then explains how to turn dev builds off again in the settings if the user isn't comfortable with that.

from ckan.