There are two scenarios to consider with AV:
- Files you packaged yourself and are delivering to end users.
- Files the end user or app might try to create/modify at runtime.
AV systems cannot scan inside of a Thinstalled EXE. You can protect against this by making sure your packaging computer has AV installed and up to date before you build into an EXE file. Because the ThinApp project structure is just normal files on the filesystem, your AV should scan these.
If you inadvertently package a virus/Trojan inside of one of your packages, then two things are true:
- The virus/Trojan will be largely unable to spread to the rest of the system. For example, viruses and Trojans typically spread by writing to HKLM\…\Run, the Startup folder, or overwriting system32 files. In all of these cases ThinApp will sandbox those changes, so when the computer restarts or the user logs in again, the Trojan will not run again because those changes haven’t occurred. One exception is that by default we don’t sandbox writes to network shares, so if you have exposed writable network shares, a Trojan could spread through them.
- If the app tries to copy files from inside the package to the system or makes a network connection and tries to download new content (usually EXE files), ThinApp will write these files to the sandbox. The sandbox is just normal plain files on the filesystem, and your AV system will definitely scan and quarantine anything detected as malicious.
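Because the sandbox is plain files, it can also be inventoried directly during triage. The following is an added example, not ThinApp or VMware code: it walks a sandbox directory and lists every file that is structurally a Windows executable, whatever its extension, with a SHA-256 for lookup. The sandbox path is supplied by the caller, and the sample directory layout and file names are constructed for the demonstration.

```python
import hashlib
import os
import struct
import tempfile

# Constructed sample: smallest byte string shaped like a PE file
# (MZ magic, e_lfanew at offset 0x3C pointing to a "PE\0\0" signature).
CONSTRUCTED_STUB = b"MZ" + bytes(58) + struct.pack("<I", 64) + b"PE\0\0"

def is_pe(path):
    """True if the file has an MZ header whose e_lfanew points at a PE signature."""
    try:
        with open(path, "rb") as f:
            head = f.read(64)
            if len(head) < 64 or head[:2] != b"MZ":
                return False
            (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
            f.seek(e_lfanew)
            return f.read(4) == b"PE\0\0"
    except OSError:
        return False  # locked, missing or unreadable: skip instead of crashing

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def executables_in_sandbox(sandbox_dir):
    """Sorted (relative_path, sha256) for every PE file under sandbox_dir."""
    found = []
    for root, _dirs, files in os.walk(sandbox_dir):
        for name in files:
            full = os.path.join(root, name)
            if is_pe(full):
                found.append((os.path.relpath(full, sandbox_dir), sha256_of(full)))
    return sorted(found)

def make_constructed_sandbox(base):
    """Write constructed test data: a PE-shaped stub named .dat and a text file."""
    os.makedirs(os.path.join(base, "downloads"), exist_ok=True)
    with open(os.path.join(base, "downloads", "update.dat"), "wb") as f:
        f.write(CONSTRUCTED_STUB)
    with open(os.path.join(base, "readme.txt"), "wb") as f:
        f.write(b"MZ" + b" plain text" * 10)  # starts with MZ, but is not a PE

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        make_constructed_sandbox(d)
        for rel, digest in executables_in_sandbox(d):
            print(digest, rel)
```

The check uses the file header rather than the extension, so a downloaded executable saved under a neutral name is still listed.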
Because ThinApp doesn’t use any device drivers, it is compatible with all AV solutions. The only issue we have is the occasional false positive, but that happens with everyone and usually gets corrected by AV vendors within a few days.