False positives

Started by bf2, May 17, 2011, 01:21:53 PM


bf2

What do anti-virus software look for? I was just fooling around and the Sophos anti-virus at my workplace raised a false positive with the following code:


.386
OPTION CASEMAP:NONE
include \masm32\include\masm32rt.inc

.DATA
MsgBoxCaption   DB "Caption", 0
MsgBoxText      DB ?                ; only one byte reserved here, yet dwtoa writes a whole string into it
var1            DB 10100b
var2            dw ?

.CODE
start:
;MOVZX   EAX, var1                  ; commented out in the version that triggered the alert
mov     CS, var2                    ; loading CS with MOV is not permitted by the processor (#UD)
invoke  dwtoa, EAX, ADDR MsgBoxText
invoke  MessageBox, NULL, ADDR MsgBoxText, ADDR MsgBoxCaption, MB_OK
invoke  ExitProcess, NULL
END start


As soon as I uncommented the line MOVZX EAX, var1, it was happy again.

The code I wrote doesn't mean anything, because as I said, I was just fooling around.

I appreciate we don't know exactly what algorithm AV software uses, but how can one simple MOVZX statement make that much difference? Especially when what is potentially the main offending line (fiddling with CS) is still present?

vanjast

Anti-V's are a pet 'hate' around here.. and usually are ignored, hoping they'll go away.
AV's claim a lot of things so who knows what algorithms (if any) that they use..

The most probable algorithm is...
1) Look at it
2) I don't understand it => VIRUS!!!!
3) Next

oex

Quote from: vanjast on May 18, 2011, 05:52:35 PM
The most probable algorithm is...
1) Look at it
2) I don't understand it => VIRUS!!!!
3) Next

Or....
1) Look at it
2) It's not on the friendly corporate partners database => VIRUS!!!!
3) Next
We are all of us insane, just to varying degrees and intelligently balanced through networking

http://www.hereford.tv

hfheatherfox07

LOL

I saw your post and I had to reply ....

First of all, make sure that you do not "pack" your .exe's with UPX or any other compressor ... AVs give a false positive ... They search, among many other things, for the digital signature of a "packed" or "compressed" file....

I bought an AV ... and it detected all my packed files, but let in a virus so bad that I formatted my PC a few times over, just to be sure...

Second of all....

Google "TEST YOUR AV"

and you will find stuff like this:

Have you ever wondered if your anti-virus software is really working?
Would you like to see what happens when it detects a virus?
Here's a safe way to test your computer's virus protection that doesn't require you to have a real virus sample.

First, open Notepad. Then copy and paste into it the text on the line below. (It should all be on one line.)


X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Then select File, Save, select All Files for the file type, then save the file as eicar.com.
The result should look exactly like the screenshot below:

[screenshot not included in this copy of the post]

Here is the source of that (explanation):

http://www.tech-pro.net/howto_000.html

http://forums.techguy.org/tech-tips-tricks/481798-test-your-anti-virus-software.html


Although that is nice .... If you really want to learn about AVs, here is the forum for that:

http://vx.netlux.org/


The above site should teach you all you need to know .... it is like the MASM site for anti-virus techs...
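Added example, not from the post or the linked sites: a small Python helper that produces the EICAR test file described above and checks whether a given file is a well-formed EICAR test file. The trailing-whitespace and 128-byte rules are taken from the EICAR specification; the output path is an assumption.

```python
import hashlib
from pathlib import Path

# The 68-byte EICAR test string quoted in the post above (a raw bytes literal,
# so the backslash is kept as-is). It is also a valid DOS .com program that,
# when run, prints "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!".
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Per the EICAR specification, the 68-byte string may be followed only by
# whitespace (space, tab, LF, CR, Ctrl-Z), and the whole file may not exceed
# 128 bytes. Anything else is not the test file and a scanner need not flag it.
EICAR_TRAILING = b" \t\n\r\x1a"
EICAR_MAX_LEN = 128


def eicar_bytes() -> bytes:
    """Return the bare 68-byte test file, as the post's Notepad procedure creates it."""
    return EICAR


def write_eicar(path="eicar.com") -> int:
    """Write the test file to `path` (assumed location) and return the byte count."""
    data = eicar_bytes()
    Path(path).write_bytes(data)
    return len(data)


def is_eicar_file(data: bytes) -> bool:
    """True if `data` is a well-formed EICAR test file under the specification."""
    if len(data) > EICAR_MAX_LEN or not data.startswith(EICAR):
        return False
    tail = data[len(EICAR):]
    # Iterating bytes yields ints; `int in bytes` tests for that byte value.
    return all(b in EICAR_TRAILING for b in tail)


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a candidate file, handy for comparing against a published value."""
    return hashlib.sha256(data).hexdigest()
```

The check matters when a scanner test "fails": a file saved with a stray character, or as UTF-16 by a text editor, is no longer the EICAR file and is correctly ignored.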

jj2007

Quote from: hfheatherfox07 on May 18, 2011, 08:38:12 PM
Here is the source of that (explanation):

http://www.tech-pro.net/howto_000.html


That site is a marketing hoax. A group of AV companies have agreed that their products "recognise" a 60-byte com file and alert the user, thus telling him "you are safe, my friend". Wrong. You are safe if the AV recognises all those thousands of much more sophisticated real malware files.

hutch--

bf2,

You solve most of the problem by having BOTH a version control block in your RC script and a manifest file, as it gives the AV scanner something to look for. Any code that does early branching after the entry point is looked at with suspicion, and this does not help with tiny test pieces. I would suggest that for development you run in a profile that does not have the AV scanner running. When you're doing normal things in a normal user profile you can safely run your AV scanner, but for development purposes they are an unnecessary pain to deal with.