Need "vendor confirmation for false positives" on WiX Toolset 3.14.1 installer

[wcoenen-fis]

Hello,

We have been happily using WiX 3 for over a decade. However, after recent policy changes at our company, the WiX tools started getting blocked by the corporate security software. So naturally I have tried to get the WiX 3.14.1 toolset installer whitelisted. As part of that process, our IT security people have run some sandbox analysis tools on wix314.exe. Unfortunately that analysis flagged the installer as malicious.

The main problem seems to be that the CrowdStrike analysis tool does not like the behavior that was introduced to fix CVE-2024-24810, where the installer now copies itself to the system temp folder. This is what is getting flagged as malicious. In addition, there is a long list of other "suspicious behavior" detections.

I have tried to explain that this all expected behavior and therefore false positives. But our IT security people insist that I get "vendor confirmation for false positives". Can somebody take a look at the attached documents and confirm that these are false positives?

wix314.exe _ Sandbox _ Counter Adversary Operations _ Intelligence.pdf
wix314.exe _ Sandbox _ Counter Adversary Operations _ Mitre Attack.pdf
wix314.exe _ Sandbox _ Counter Adversary Operations _ Dynamic Analysis.pdf

Thanks,
Wim Coenen

[bevanweiss]

WiX 3 is 'legacy' now. You should be upgrading to WiX v5+
Some of the behaviour reported is just the way that WiX needs to work, others might have some mitigations available to make it look 'less risky' from the likes of Crowdstrike.
An Issue for those 'others' (with mitigations) would probably be the way to go on that, but the issues should only be raised where there is a reasonable action that WiX should do instead (to achieve the required functionality). Not just for each problem that you have..

[robmen]

FYI: FireGiant will support companies looking to stay on WiX v3 (and WiX v4 and later versions), even after community support expires early next year.

[wcoenen-fis]

We are aware of WiX v5 and that we will eventually need to upgrade. However, over a decade we have accumulated many wxs files spread over many projects. (And worse, in many of those project we have a tangle of copy-pasted ad-hoc scripts that generate wxs files.) So in the short term, I need to keep our WiX 3 usage in working order. Upgrading will be a longer journey.

Meanwhile, our IT security people got back to me. They are still not happy to tick their "vendor confirms it is not a problem" tick box, and they want a more unambiguous statement. Can you confirm that, to the best of your knowledge, there are no known security risks with installing WiX toolset version 3.14.1? I think a simple "confirmed" will do.

I apologize for having to bother you about this.

[robmen]

Sorry. The WiX Toolset Open Source project is not a vendor. We are not in a position to make guarantees here. From the MS-RL license, the key line is near the end:

(F) The software is licensed "as-is." You bear the risk of using it. The contributors give no express warranties, guarantees or conditions.

If you need guarantees, you'll want to consider being a customer.

[wcoenen-fis]

Fair enough. Not exactly the answer I was hoping for, but also not really unexpected. Thank you for the straight answer.