MAKEMSI uses VBSCRIPT to create or change MSIs and for many of its installed shortcuts and options.
Scripts are a reasonably common method allowing relative "morons" to easily cause problems. Most of these would be via Internet Explorer or Outlook. If the spyware tools limited testing to these execution environments then I think that would be an excellent idea.
It's the execution of scripts outside of browser, mail and similar high-risk environments that I have an issue with. I am not convinced that this is a major problem but it probably does merit caution. Microsoft's Anti-Spyware seems like a reasonable approach while Norton's Malicious Script Detection is so over the top that I consider it a "bug".
Some tools even prompt for script execution by MSIs (custom actions); this is stupidity as it would be an extremely unlikely source of problems.
These tools have been identified:
It's been mentioned that signing scripts with "signtool" can prevent this issue but I couldn't get this to work for me.
Some anti-spyware or antivirus programs including "Norton AntiVirus" have an option (sometimes turned on by default) to automatically terminate VBSCRIPT!
If turned on, this will prevent MAKEMSI and some other installed features from working correctly. They may partially work or terminate part way through. You can use the "Version Information Box" shortcut for a quick test; if it doesn't display a message box then you probably have some sort of anti-virus or anti-spyware (piece of cr.p) killing VBSCRIPT.
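The same quick test can be scripted so that it reports a result instead of relying on a message box appearing. This is an added example, not part of MAKEMSI; it assumes Windows PowerShell is available, and the function name `Test-VBScriptHost`, the marker text and the exit code 42 are made up for the illustration.

```powershell
# Added diagnostic, not part of MAKEMSI. The marker, exit code and timeout
# are constructed values chosen for this test.
function Test-VBScriptHost {
    param([int]$TimeoutSeconds = 15)

    $marker   = 'VBSCRIPT-RAN-TO-COMPLETION'
    $expected = 42
    $vbs = Join-Path $env:TEMP ("vbstest_{0}.vbs" -f [guid]::NewGuid().ToString('N'))

    # Constructed test script: print the marker, then exit with a known code.
    Set-Content -Path $vbs -Encoding ASCII -Value @(
        "WScript.Echo ""$marker""",
        "WScript.Quit $expected"
    )

    try {
        # Assumption: cscript.exe (console host) is used so the test needs no UI.
        $psi = New-Object System.Diagnostics.ProcessStartInfo
        $psi.FileName               = Join-Path $env:SystemRoot 'System32\cscript.exe'
        $psi.Arguments              = "//NoLogo `"$vbs`""
        $psi.UseShellExecute        = $false
        $psi.RedirectStandardOutput = $true
        $psi.CreateNoWindow         = $true

        $proc = [System.Diagnostics.Process]::Start($psi)
        $read = $proc.StandardOutput.ReadToEndAsync()

        if (-not $proc.WaitForExit($TimeoutSeconds * 1000)) {
            # Still running: possibly held at a security prompt.
            $proc.Kill()
            return "SUSPECT: script host did not finish within $TimeoutSeconds seconds"
        }
        $sawMarker = $read.Result.Contains($marker)
        if ($proc.ExitCode -eq $expected -and $sawMarker) {
            return 'OK: VBScript ran to completion'
        }
        if (-not (Test-Path $vbs)) {
            return 'BLOCKED: the test .vbs file was removed while it ran'
        }
        return "BLOCKED: exit code $($proc.ExitCode), marker printed: $sawMarker"
    }
    catch {
        return "BLOCKED: could not run cscript.exe ($($_.Exception.Message))"
    }
    finally {
        Remove-Item $vbs -ErrorAction SilentlyContinue
    }
}

Test-VBScriptHost
```

Anything other than the OK line means the script host was stopped, stalled or never started, which matches the partial or silent failures described above.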
|OPTIONS IF CA's Affected: Use Other Script Engines|
You can use the "SUNDRY_DISALLOW_USE_OF_SCRIPT_CUSTOM_ACTIONS" macro to ensure that you don't accidentally produce a script action.
The script engine would generally have to be added as part of your package but most are not too big.
The biggest disadvantage of any approach which uses EXE-based custom actions is that they won't integrate well with Windows Installer (so no access to the session object and its properties etc). This may or may not be an issue. Some possible ways of passing information in or out (doing both in one script may be tricky) are via registry or INI files as these are natively supported by Windows Installer (obviously subject to where you need to sequence the custom action).