Windows Defender scans my installer for a VERY long time

This just started recently, within the last week or so. I’ve confirmed the behavior on all 3 Windows 10 PCs I have, and get roughly one complaint per day from potential customers now. The download will complete as normal, but then gets stalled for 5 to 15 MINUTES while Defender does its work. In Edge, it at least says “Running Security Scan” but Chrome just looks like it’s sitting there.

This one has me stumped. I thought it might be just my newer builds or just Windows 1903, but it also happens with all my builds and one of my test machines is still on 1809.

Does anybody have any ideas? If you want to try it out, just download my app from https://beaconapp.cc/download - there is a large button right in the middle. This is very frustrating, and Google hasn’t been much help.

It will go away once MS has enough data (no joke)… I’ve seen it before. Give it a month or so.

I don’t think that’s it. I’ve had my app released for years and this just started happening with builds that have existed for a long while. I get plenty of downloads; I don’t think it’s related to building a profile.

Maybe MS Support can answer this. I’d give it a try: https://support.microsoft.com/en-us/contactus/

For anybody that runs into a similar issue, I have the solution:

Sign your app.

Once I produced a signed installer, the scan completes in moments. About 3-5 seconds.

Update… no maybe it’s something else. My first test completed as expected. That’s when I posted the message. Subsequent downloads of the same signed build are having the same absurdly long delay.

My current theory is a bug with Microsoft’s Digital Signature Service. But I’m back to square one. But hey, at least my app is signed now!

So after some more trial and error, it looks to be something unique to GitHub. If I produce my installer and serve it directly from my server or from a CDN, the scan time is much better. Still a little longer than I expect, but I’ll take any time measured in seconds over minutes. The same exact file served from GitHub exhibits the problem. Since it’s all inside Microsoft, my theory is Defender is scanning the app source code instead of the installer itself.

So for the time being at least, I’m hosting the files from a CDN instead of using GitHub’s.

MS checking the sources for something they can steal … uh … use :stuck_out_tongue:

To be fair, it’s a really smart idea. The problem is it doesn’t really make sense. The binary you attach to a release could be anything at all. So if they are doing it, they wouldn’t necessarily be scanning the correct source. But even if they got it right, why scan each download? Why not store the result since it won’t change?

So I don’t think it’s the reason.

But they do offer code scanning for some languages.

Agreed, it’s a weird situation that they’d scan each download from GitHub and maybe try to scan sources that could be completely unrelated.
There’s got to be some explanation.

Lord knows what.

Some antiviruses dynamically scan executables on the fly in search of virus signatures. Maybe Defender is getting into that now, with a typical MS way: make it big, slow and inefficient, and nobody will notice.

But why only when downloaded from GitHub? Or maybe all of AWS, since that’s what GitHub uses for hosting releases.

Could it be that GitHub somehow adds something to the downloaded package that your other download package doesn’t?

No, the hashes match. Unless there is something in the headers…

I’ll look into that when I get home.
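One way to do the check the previous two posts talk about (same bytes or not, and if so what differs in the delivery), as an added example that is not from the thread or from any of its participants: it downloads the same installer from two hosts, compares SHA-256 hashes, lists the response headers whose values differ, and reports the Authenticode status that the earlier “sign your app” post depends on. The two URLs are placeholders, not the real download locations, and the output file names are arbitrary.

```powershell
# Added example (not from the thread). Compares one release artifact served from
# two hosts: byte identity via SHA-256, delivery differences via response headers,
# and Authenticode signature status of the downloaded copy.
param(
    [string]$UrlA = 'https://example.invalid/github-release/Installer.exe',  # placeholder
    [string]$UrlB = 'https://example.invalid/cdn/Installer.exe'              # placeholder
)

function Get-DownloadReport {
    param([string]$Url, [string]$OutFile)

    # HEAD request first: these are the headers a browser sees before the body.
    $head = Invoke-WebRequest -Uri $Url -Method Head -UseBasicParsing

    # Then the full download so the file can be hashed and signature-checked locally.
    Invoke-WebRequest -Uri $Url -OutFile $OutFile -UseBasicParsing

    $sig = Get-AuthenticodeSignature -FilePath $OutFile

    [pscustomobject]@{
        Url       = $Url
        Sha256    = (Get-FileHash -Path $OutFile -Algorithm SHA256).Hash
        Headers   = $head.Headers
        SigStatus = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

$tmp = Join-Path $env:TEMP 'download-compare'
New-Item -ItemType Directory -Force -Path $tmp | Out-Null

$a = Get-DownloadReport -Url $UrlA -OutFile (Join-Path $tmp 'copy-a.exe')
$b = Get-DownloadReport -Url $UrlB -OutFile (Join-Path $tmp 'copy-b.exe')

# 1. Same bytes? If yes, any behavioural difference comes from delivery, not the file.
if ($a.Sha256 -eq $b.Sha256) {
    "SHA-256 identical: $($a.Sha256)"
} else {
    "SHA-256 differs: $($a.Sha256) vs $($b.Sha256)"
}

# 2. Which response headers differ between the two hosts?
$names = @($a.Headers.Keys) + @($b.Headers.Keys) | Sort-Object -Unique
foreach ($n in $names) {
    # Missing keys index to $null, which stringifies to '' and shows up as a difference.
    $va = "$($a.Headers[$n])"
    $vb = "$($b.Headers[$n])"
    if ($va -ne $vb) { "{0}: [{1}] vs [{2}]" -f $n, $va, $vb }
}

# 3. Is each downloaded copy carrying a valid Authenticode signature?
foreach ($r in @($a, $b)) {
    "{0}: signature {1}{2}" -f $r.Url, $r.SigStatus, $(if ($r.Signer) { " ($($r.Signer))" } else { '' })
}
```

Run it once with both URLs pointing at the copies you want to compare; a matching hash with a non-empty header list narrows the difference to the server, while a `SigStatus` other than `Valid` on either copy means the signature check that the thread credits with faster scans is not actually passing on that download.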

Probably the heuristic scanning code in Windows Defender is not quite good enough; AFAIK it’s probably a bunch of ‘advanced’ regex, and your packed installer is big enough to handle. For my part, I am using Internet Download Manager and it finishes in seconds after being downloaded. Downloading through Internet Explorer/Edge? Those are known, if not changed from the default, to be using Windows Defender, if I am not mistaken.

Probably it needs to be checked, per customer report, whether they are running a third-party anti-virus or anti-malware? On top of that, what about their system resources or specifications?

Installers are quite commonly used by the ‘underground’ as one of the ways to pack their malware or viruses. Probably right now installers are becoming one of the things that need to be checked by the anti-virus or anti-malware industries.

[quote=443349:@Aditya Nugraha]Probably the heuristic scanning code in Windows Defender is not quite good enough; AFAIK it’s probably a bunch of ‘advanced’ regex, and your packed installer is big enough to handle. For my part, I am using Internet Download Manager and it finishes in seconds after being downloaded. Downloading through Internet Explorer/Edge? Those are known, if not changed from the default, to be using Windows Defender, if I am not mistaken.

Probably it needs to be checked, per customer report, whether they are running a third-party anti-virus or anti-malware? On top of that, what about their system resources or specifications?[/quote]
Thanks, but there’s no blaming the customer on this one. I’ve confirmed the behavior on multiple machines, from a mostly stock VMware version up to a Ryzen 2700X. Multiple members of the Xojo community have confirmed it too. It’s definitely Windows Defender, not some third-party tool. And telling the customer to change settings is not an option.

When I tried using a zip archive for the 32-bit and 64-bit versions separately, the scans on each were almost instantaneous. It’s very strange. And, like I said, I get better scan times hosted privately instead of on GitHub.

I’m still scratching my head as to the exact cause, but at least I’ve found a workaround.