What does anti-virus software look for? I was just fooling around and the Sophos anti-virus at my workplace raised a false positive with the following code:
.386
OPTION CASEMAP:NONE
include \masm32\include\masm32rt.inc
.DATA
MsgBoxCaption DB "Caption", 0
MsgBoxText    DB 12 DUP(?)     ; dwtoa writes up to 11 digits plus a terminator, so a single byte is too small
var1          DB 10100b
var2          DW ?
.CODE
start:
    ;MOVZX EAX, var1           ; commented out: with this line active the scanner was happy
    mov CS, var2               ; left as posted; MOV into CS is not a valid instruction
    invoke dwtoa, EAX, ADDR MsgBoxText
    invoke MessageBox, NULL, ADDR MsgBoxText, ADDR MsgBoxCaption, MB_OK
    invoke ExitProcess, NULL
END start
As soon as I uncommented the line MOVZX EAX, var1, it was happy again.
The code I wrote doesn't mean anything, because as I said, I was just fooling around.
I appreciate we don't know exactly what algorithm an AV software uses but how can one simple MOVZX statement make that much difference? Especially when what potentially is the main offending line (fiddling with CS) is still present?
Anti-virus programs are a pet 'hate' around here, and are usually ignored in the hope that they'll go away.
AVs claim a lot of things, so who knows what algorithms (if any) they use.
The most probable algorithm is...
1) Look at it
2) I don't understand it => VIRUS!!!!
3) Next
Quote from: vanjast on May 18, 2011, 05:52:35 PM
The most probable algorithm is...
1) Look at it
2) I don't understand it => VIRUS!!!!
3) Next
Or....
1) Look at it
2) It's not on the friendly corporate partners database => VIRUS!!!!
3) Next
LOL
I saw your post and I had to reply...
First of all, make sure that you do not "pack" your .exe's with UPX or any other compressor; AVs give a false positive. Among many other things, they search for the digital signature of a "packed" or "compressed" file.
I bought an AV, and it detected all my packed files but let in a virus so bad that I formatted my PC a few times over, just to be sure...
Second of all...
Google "TEST YOUR AV"
and you will find stuff like this:
Have you ever wondered if your anti-virus software is really working?
Would you like to see what happens when it detects a virus?
Here's a safe way to test your computer's virus protection that doesn't require you to have a real virus sample.
First, open Notepad. Then copy and paste into it the text on the line below. (It should all be on one line.)
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
Then select File, Save, select All Files for the file type, then save the file as eicar.com.
The result should look exactly like the screenshot below:
(http://www.tech-pro.net/images/eicar.gif)
Here is the source of that (explanation):
http://www.tech-pro.net/howto_000.html
http://forums.techguy.org/tech-tips-tricks/481798-test-your-anti-virus-software.html
Although that is nice... if you really want to learn about AVs, here is the forum for that:
http://vx.netlux.org/ :bg
The above site should teach you all you need to know... it is like the MASM site for anti-virus techs...
Quote from: hfheatherfox07 on May 18, 2011, 08:38:12 PM
Here is the source of that (explanation):
http://www.tech-pro.net/howto_000.html
That site is a marketing hoax. A group of AV companies have agreed that their products "recognise" a 60-byte com file and alert the user, thus telling him "you are safe, my friend".
Wrong. You are safe if the AV recognises all those thousands of much more sophisticated real malware files.
bf2,
You solve most of the problem by having BOTH a version control block in your RC script and a manifest file, as it gives the AV scanner something to look for. Any code that does early branching after the entry point is looked at with suspicion, and this does not help with tiny test pieces. I would suggest that for development you run in a profile that does not have the AV scanner running. When you're doing normal things in a normal user profile you can safely run your AV scanner, but for development purposes they are an unnecessary pain to deal with.
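As an added example, not taken from hutch's post or from the MASM32 package: a minimal RC script of the kind suggested above, with a VERSIONINFO block and an embedded application manifest. The file names, version numbers and company/product strings are placeholders; the manifest is assumed to be a separate file saved next to the script (its contents are shown in the comment at the end).

```rc
// bf2.rc  (added example; file names, strings and version numbers are placeholders)
// Build: rc bf2.rc  then pass bf2.res to link alongside the object file.
// Numeric values are used instead of the winver.h constants so no include is needed.

// A VERSIONINFO block gives a scanner (and Explorer's Details tab) a company,
// product and file description to look at. Resource id 1 is VS_VERSION_INFO.
1 VERSIONINFO
FILEVERSION     1,0,0,0
PRODUCTVERSION  1,0,0,0
FILEFLAGSMASK   0x3F            // VS_FFI_FILEFLAGSMASK
FILEFLAGS       0               // no debug/prerelease/patched flags
FILEOS          0x40004         // VOS_NT_WINDOWS32
FILETYPE        0x1             // VFT_APP
FILESUBTYPE     0x0             // VFT2_UNKNOWN
BEGIN
    BLOCK "StringFileInfo"
    BEGIN
        BLOCK "040904B0"        // language 0x0409 (U.S. English), codepage 1200 (Unicode)
        BEGIN
            VALUE "CompanyName",      "Example Company"
            VALUE "FileDescription",  "MASM32 test program"
            VALUE "FileVersion",      "1.0.0.0"
            VALUE "InternalName",     "bf2"
            VALUE "LegalCopyright",   "Copyright (C) Example Company"
            VALUE "OriginalFilename", "bf2.exe"
            VALUE "ProductName",      "bf2"
            VALUE "ProductVersion",   "1.0.0.0"
        END
    END
    BLOCK "VarFileInfo"
    BEGIN
        // Must match the StringFileInfo block name above: 0x0409 / 1200 = "040904B0"
        VALUE "Translation", 0x0409, 1200
    END
END

// Resource type 24 is RT_MANIFEST; id 1 is the manifest of an .exe.
1 24 "bf2.manifest"

// Contents of bf2.manifest, saved as a separate file next to this script:
//
// <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
// <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
//   <assemblyIdentity version="1.0.0.0" processorArchitecture="X86"
//                     name="ExampleCompany.bf2" type="win32"/>
//   <description>MASM32 test program</description>
//   <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
//     <security>
//       <requestedPrivileges>
//         <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
//       </requestedPrivileges>
//     </security>
//   </trustInfo>
// </assembly>
```

Two things to watch: the "Translation" value in VarFileInfo and the StringFileInfo block name must describe the same language/codepage pair, or the version strings will not display; and the manifest must be well-formed XML, because a malformed RT_MANIFEST resource stops the program from loading at all (side-by-side error) rather than merely being ignored.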