virus found?

Psycho · March 02, 2006, 10:45:24 AM

during a routine AV sweep of my system i discovered a virus in one of the masm examples, example3 to be exact. The virus is Win95.Radix.405.B in C:\masm32\examples\EXAMPLE3\APPACK\APPACK.EXE. I do not know if this is a file comes with mas32, anyway I just thought i would let people know.

rags · March 02, 2006, 01:14:47 PM

Comes up clean for me using AVG Free edition.
Regards,
rags

hutch-- · March 02, 2006, 01:40:43 PM

Anthony,

You get used to false positives after a while, the ones that deliver these mistakes have defective heuristic scanning. F-Prot spits on the 3 DLLs that I wrote myself for the editor, others used to alarm on one demo that had no imports and it goes on and on. the project is developed on an isolated machine and some of these files have not changed for years.

Trick is to use AV scanners like NOD32 or AVP that have far better designed heuristic scanners that properly understand the PE specification.

skywalker · March 02, 2006, 02:32:03 PM

Quote from: hutch-- on March 02, 2006, 01:40:43 PM
Anthony,

You get used to false positives after a while, the ones that deliver these mistakes have defective heuristic scanning. F-Prot spits on the 3 DLLs that I wrote myself for the editor, others used to alarm on one demo that had no imports and it goes on and on. the project is developed on an isolated machine and some of these files have not changed for years.

Trick is to use AV scanners like NOD32 or AVP that have far better designed heuristic scanners that properly understand the PE specification.

I found a AVG scanner by Grisoft, but no AVP. Is that what you meant ?

I have been looking for a free scanner since going to XP.

PBrennick · March 02, 2006, 09:03:11 PM

AVG is reliable. It is not free, though, you have to buy a membership I think. If you know someone with AOL, ask for a temporary screen name and you can download a free copy of McAfee that will always run and always be up-to-date even if you never use AOL again. Probably not very ethical but there it is.

Paul

skywalker · March 02, 2006, 09:16:00 PM

Quote from: PBrennick on March 02, 2006, 09:03:11 PM
AVG is reliable. It is not free, though, you have to buy a membership I think. If you know someone with AOL, ask for a temporary screen name and you can download a free copy of McAfee that will always run and always be up-to-date even if you never use AOL again. Probably not very ethical but there it is.

Paul

It's free for home use.

McAfee is not my scanner of choice. They have a tendency to miss obvious virii.

Psycho · March 02, 2006, 11:13:47 PM

Hutch It was detected with Bit Defender online, my other AV's didnt pick up on it

hutch-- · March 02, 2006, 11:33:05 PM

Anthony,

The problems of false positives are almost exclusively the AV scanners authors not being properly conversant with the PE specifications for 32 but executable files in Windows. When they make assumptions that entail a subset of the specification and reject perfectly valid files, it is a problem in terms of their assumptions. Some squark on executable packers stubs, others cannot handle the PE header starting at any other address than is produced with VC, others complain about merging data, resource and code sections and some will complain about data being written in the spaces between sections.

These are all perfectly valid PE executable files written according to the specifications yet they report them as false positives. What they need to do is proerly understand the PE specifications and design their heuristic scanning so that it properly evaluates a much wider range of conditions. NOD32 does not have these problems and neither does AVP.

Mark Jones · March 03, 2006, 12:59:33 AM

Hutch, since this "problem" seems to keep surfacing, maybe consider some form of change to the libraries? UPX perhaps?

PBrennick · March 03, 2006, 09:45:49 PM

That would certainly stop the false positives and stop scaring off some of the userbase.

Paul

White_Dragoon · March 03, 2006, 10:29:04 PM

Once, Panda Active Scan (the web scan), delete me a .ASM file in the MASM32 directory and classified it as "Hacking tool".

I think the .ASM was an example of how to shut down windows.

See you

hutch-- · March 03, 2006, 10:58:51 PM

Unfortunately, pandering to the defects in one AV product is just shifting the problem around. The problems that the junk AV range have follow from them not handling files created by an assembler.

Small files are seen by some as suspicious fo no other reason than their size, even though most modern viruses, trojans and the like are much larger and written in VC.

Mark Jones · March 03, 2006, 11:05:18 PM

Quote from: PBrennick on March 03, 2006, 09:45:49 PM
That would certainly stop the false positives and stop scaring off some of the userbase...

Hehe, tounge-firmly-in-cheek. :P

BogdanOntanu · March 04, 2006, 12:43:38 AM

Most AV consider runtime packed exe's as dubiouse :D

Mark Jones · March 04, 2006, 04:49:47 AM

That may be so... but if it quiets the scanners, why not? :wink
Side bonus: libraries are smaller.

News:

virus found?

Psycho

skywalker

skywalker

Psycho

White_Dragoon