virus found?

Started by Psycho, March 02, 2006, 10:45:24 AM


Psycho

During a routine AV sweep of my system I discovered a virus in one of the masm examples, example3 to be exact. The virus is Win95.Radix.405.B in C:\masm32\examples\EXAMPLE3\APPACK\APPACK.EXE. I do not know if this is a file that comes with masm32; anyway, I just thought I would let people know.

rags

Comes up clean for me using AVG Free edition.
Regards,
     rags
God made Man, but the monkey applied the glue -DEVO

hutch--

Anthony,

You get used to false positives after a while; the ones that deliver these mistakes have defective heuristic scanning. F-Prot spits on the 3 DLLs that I wrote myself for the editor, others used to alarm on one demo that had no imports, and it goes on and on. The project is developed on an isolated machine and some of these files have not changed for years.

Trick is to use AV scanners like NOD32 or AVP that have far better designed heuristic scanners that properly understand the PE specification.
Download site for MASM32      New MASM Forum
https://masm32.com          https://masm32.com/board/index.php

skywalker

Quote from: hutch-- on March 02, 2006, 01:40:43 PM
Anthony,

You get used to false positives after a while; the ones that deliver these mistakes have defective heuristic scanning. F-Prot spits on the 3 DLLs that I wrote myself for the editor, others used to alarm on one demo that had no imports, and it goes on and on. The project is developed on an isolated machine and some of these files have not changed for years.

Trick is to use AV scanners like NOD32 or AVP that have far better designed heuristic scanners that properly understand the PE specification.

I found an AVG scanner by Grisoft, but no AVP. Is that what you meant?

I have been looking for a free scanner since going to XP.


PBrennick

AVG is reliable.  It is not free, though, you have to buy a membership I think.  If you know someone with AOL, ask for a temporary screen name and you can download a free copy of McAfee that will always run and always be up-to-date even if you never use AOL again.  Probably not very ethical but there it is.

Paul
The GeneSys Project is available from:
The Repository or My crappy website

skywalker

Quote from: PBrennick on March 02, 2006, 09:03:11 PM
AVG is reliable.  It is not free, though, you have to buy a membership I think.  If you know someone with AOL, ask for a temporary screen name and you can download a free copy of McAfee that will always run and always be up-to-date even if you never use AOL again.  Probably not very ethical but there it is.

Paul

It's free for home use.

McAfee is not my scanner of choice. They have a tendency to miss obvious virii.



Psycho

Hutch, it was detected with Bit Defender online; my other AVs didn't pick up on it.

hutch--

Anthony,

The problems of false positives are almost exclusively the AV scanner authors not being properly conversant with the PE specifications for 32 bit executable files in Windows. When they make assumptions that entail a subset of the specification and reject perfectly valid files, it is a problem in terms of their assumptions. Some squawk on executable packer stubs, others cannot handle the PE header starting at any other address than is produced with VC, others complain about merging data, resource and code sections, and some will complain about data being written in the spaces between sections.

These are all perfectly valid PE executable files written according to the specifications, yet they report them as false positives. What they need to do is properly understand the PE specifications and design their heuristic scanning so that it properly evaluates a much wider range of conditions. NOD32 does not have these problems and neither does AVP.
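The three layouts hutch-- lists above (a PE header at an offset other than the one VC produces, merged code and data sections, and data written in the gaps between sections) are all valid under the PE specification; the defect he describes is a scanner that hard-codes assumptions about the file layout instead of parsing the headers. The following is an added example, not code from this thread or from the MASM32 package: it builds a constructed, header-only image (not a runnable executable) carrying all three traits, then contrasts a naive fixed-offset check with a parser that follows `e_lfanew` and the section table and reports the traits as context rather than as a verdict. The fixed offset `0x80` used by the naive check is an assumption for this demo; real linkers vary.

```python
import struct

# IMAGE_SECTION_HEADER.Characteristics flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Assumption for this demo: the fixed PE-header offset a naive scanner might
# hard-code. Real toolchains vary; the spec says to read e_lfanew at 0x3C.
NAIVE_ASSUMED_PE_OFFSET = 0x80

SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def build_sample_image(pe_offset=0x100):
    """Constructed header-only image (not an executable) showing three layouts
    that are unusual for VC-linked files yet valid under the specification:
    a PE header at a non-default offset, a merged code+data section, and
    non-zero bytes in the file gap between two sections' raw data."""
    img = bytearray(0xA00)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, pe_offset)          # IMAGE_DOS_HEADER.e_lfanew
    img[pe_offset:pe_offset + 4] = b"PE\0\0"
    # IMAGE_FILE_HEADER: Machine=i386, 2 sections, no symbols, PE32 optional header (0xE0)
    struct.pack_into("<HHIIIHH", img, pe_offset + 4, 0x014C, 2, 0, 0, 0, 0xE0, 0x0102)
    opt = pe_offset + 24
    struct.pack_into("<H", img, opt, 0x10B)               # optional header Magic = PE32
    table = opt + 0xE0
    sections = [
        # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics
        (b".text", 0x200, 0x1000, 0x200, 0x400,
         IMAGE_SCN_CNT_CODE | IMAGE_SCN_CNT_INITIALIZED_DATA
         | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
        (b".rsrc", 0x200, 0x2000, 0x200, 0x800,
         IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    ]
    for i, (name, vsize, vaddr, rawsize, rawptr, chars) in enumerate(sections):
        struct.pack_into(SECTION_FMT, img, table + 40 * i,
                         name, vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, chars)
    # Constructed bytes in the gap between .text raw data (ends 0x600) and .rsrc (starts 0x800).
    filler = b"constructed data between sections"
    img[0x600:0x600 + len(filler)] = filler
    return bytes(img)


def parse_sections(image, pe_offset):
    """Walk the section table where the specification puts it: after the 4-byte
    signature, the 20-byte file header and SizeOfOptionalHeader bytes."""
    nsec, = struct.unpack_from("<H", image, pe_offset + 6)        # NumberOfSections
    opt_size, = struct.unpack_from("<H", image, pe_offset + 20)   # SizeOfOptionalHeader
    table = pe_offset + 24 + opt_size
    secs = []
    for i in range(nsec):
        (name, _vsize, _vaddr, raw_size, raw_ptr,
         _reloc, _line, _nreloc, _nline, chars) = struct.unpack_from(SECTION_FMT, image, table + 40 * i)
        secs.append({"name": name.rstrip(b"\0").decode("ascii"),
                     "raw_ptr": raw_ptr, "raw_size": raw_size, "characteristics": chars})
    return secs


def naive_scanner_finds_pe(image, assumed_offset=NAIVE_ASSUMED_PE_OFFSET):
    """The defect described in the thread: looking for the PE signature at a
    fixed offset instead of following e_lfanew. Valid files are missed."""
    return image[assumed_offset:assumed_offset + 4] == b"PE\0\0"


def spec_compliant_observations(image):
    """Locate the PE header via e_lfanew and report layout traits that differ
    from VC output but are fully valid. These are weak context for a scanner,
    not evidence of malice on their own."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe_offset, = struct.unpack_from("<I", image, 0x3C)
    if image[pe_offset:pe_offset + 4] != b"PE\0\0":
        raise ValueError("PE signature not at e_lfanew")
    notes = []
    if pe_offset != NAIVE_ASSUMED_PE_OFFSET:
        notes.append("nonstandard_header_offset")
    secs = parse_sections(image, pe_offset)
    for s in secs:
        c = s["characteristics"]
        if c & IMAGE_SCN_CNT_CODE and c & IMAGE_SCN_CNT_INITIALIZED_DATA:
            notes.append("merged_code_data:" + s["name"])
    by_file_pos = sorted(secs, key=lambda s: s["raw_ptr"])
    for a, b in zip(by_file_pos, by_file_pos[1:]):
        gap = image[a["raw_ptr"] + a["raw_size"]:b["raw_ptr"]]
        if any(gap):
            notes.append(f"data_between_sections:{a['name']}->{b['name']}")
    return notes


if __name__ == "__main__":
    sample = build_sample_image()
    print("naive scanner located PE header:", naive_scanner_finds_pe(sample))
    print("spec-compliant observations:", spec_compliant_observations(sample))
```

Run as a script, the naive check fails to find the header at all on the constructed image, while the compliant parser finds it and lists the three traits by name. Passing `pe_offset=0x80` to `build_sample_image` shows the naive check succeeding only because the layout happens to match its assumption, which is exactly the fragility being complained about.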

Mark Jones

Hutch, since this "problem" seems to keep surfacing, maybe consider some form of change to the libraries? UPX perhaps?
"To deny our impulses... foolish; to revel in them, chaos." MCJ 2003.08

PBrennick

That would certainly stop the false positives and stop scaring off some of the userbase.

Paul

White_Dragoon

Once, Panda Active Scan (the web scan) deleted a .ASM file of mine in the MASM32 directory and classified it as "Hacking tool".

I think the .ASM was an example of how to shut down windows.

See you

hutch--

Unfortunately, pandering to the defects in one AV product is just shifting the problem around. The problems that the junk AV range have follow from them not handling files created by an assembler.

Small files are seen by some as suspicious for no other reason than their size, even though most modern viruses, trojans and the like are much larger and written in VC.

Mark Jones

Quote from: PBrennick on March 03, 2006, 09:45:49 PM
That would certainly stop the false positives and stop scaring off some of the userbase...

Hehe, tongue-firmly-in-cheek. :P

BogdanOntanu

Most AV consider runtime packed exe's as dubious :D
Ambition is a lame excuse for the ones not brave enough to be lazy.
http://www.oby.ro

Mark Jones

That may be so... but if it quiets the scanners, why not?  :wink
Side bonus: libraries are smaller.