The MASM Forum Archive 2004 to 2012

General Forums => The Campus => Topic started by: Psycho on March 02, 2006, 10:45:24 AM

Title: virus found?
Post by: Psycho on March 02, 2006, 10:45:24 AM
During a routine AV sweep of my system I discovered a virus in one of the masm examples, example3 to be exact. The virus is Win95.Radix.405.B in C:\masm32\examples\EXAMPLE3\APPACK\APPACK.EXE. I do not know if this is a file that comes with masm32; anyway, I just thought I would let people know.
Title: Re: virus found?
Post by: rags on March 02, 2006, 01:14:47 PM
Comes up clean for me using AVG Free edition.
Regards,
     rags
Title: Re: virus found?
Post by: hutch-- on March 02, 2006, 01:40:43 PM
Anthony,

You get used to false positives after a while; the ones that deliver these mistakes have defective heuristic scanning. F-Prot spits on the 3 DLLs that I wrote myself for the editor, others used to alarm on one demo that had no imports, and it goes on and on. The project is developed on an isolated machine and some of these files have not changed for years.

Trick is to use AV scanners like NOD32 or AVP that have far better designed heuristic scanners that properly understand the PE specification.
Title: Re: virus found?
Post by: skywalker on March 02, 2006, 02:32:03 PM
Quote from: hutch-- on March 02, 2006, 01:40:43 PM
Anthony,

You get used to false positives after a while; the ones that deliver these mistakes have defective heuristic scanning. F-Prot spits on the 3 DLLs that I wrote myself for the editor, others used to alarm on one demo that had no imports, and it goes on and on. The project is developed on an isolated machine and some of these files have not changed for years.

Trick is to use AV scanners like NOD32 or AVP that have far better designed heuristic scanners that properly understand the PE specification.

I found an AVG scanner by Grisoft, but no AVP. Is that what you meant?

I have been looking for a free scanner since going to XP.

Title: Re: virus found?
Post by: PBrennick on March 02, 2006, 09:03:11 PM
AVG is reliable.  It is not free, though, you have to buy a membership I think.  If you know someone with AOL, ask for a temporary screen name and you can download a free copy of McAfee that will always run and always be up-to-date even if you never use AOL again.  Probably not very ethical but there it is.

Paul
Title: Re: virus found?
Post by: skywalker on March 02, 2006, 09:16:00 PM
Quote from: PBrennick on March 02, 2006, 09:03:11 PM
AVG is reliable.  It is not free, though, you have to buy a membership I think.  If you know someone with AOL, ask for a temporary screen name and you can download a free copy of McAfee that will always run and always be up-to-date even if you never use AOL again.  Probably not very ethical but there it is.

Paul

It's free for home use.

McAfee is not my scanner of choice. They have a tendency to miss obvious virii.


Title: Re: virus found?
Post by: Psycho on March 02, 2006, 11:13:47 PM
Hutch, it was detected with Bit Defender online; my other AVs didn't pick up on it.
Title: Re: virus found?
Post by: hutch-- on March 02, 2006, 11:33:05 PM
Anthony,

The problems of false positives are almost exclusively the AV scanner authors not being properly conversant with the PE specifications for 32 bit executable files in Windows. When they make assumptions that entail a subset of the specification and reject perfectly valid files, it is a problem in terms of their assumptions. Some squawk on executable packer stubs, others cannot handle the PE header starting at any other address than is produced with VC, others complain about merging data, resource and code sections, and some will complain about data being written in the spaces between sections.

These are all perfectly valid PE executable files written according to the specifications, yet they report them as false positives. What they need to do is properly understand the PE specifications and design their heuristic scanning so that it properly evaluates a much wider range of conditions. NOD32 does not have these problems and neither does AVP.
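As an added illustration of the traits listed in the post above (not code from this thread or from the MASM32 package), the following Python parses a PE file and reports where those spec-legal traits occur, so a false positive can be explained rather than guessed at. The sample binary, its section names and all function names are constructed for the example.

```python
import struct

SCN_EXECUTE, SCN_WRITE = 0x20000000, 0x80000000   # IMAGE_SCN_MEM_EXECUTE / IMAGE_SCN_MEM_WRITE

def parse_pe(data):
    """Return (e_lfanew, entry_rva, sections); a section is (name, va, vsize, raw_off, raw_size, flags)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew: the spec allows any offset
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]  # SizeOfOptionalHeader
    opt = pe_off + 24
    entry = struct.unpack_from("<I", data, opt + 16)[0]       # AddressOfEntryPoint (PE32 and PE32+)
    secs = []
    for i in range(nsec):
        hdr = opt + opt_size + 40 * i
        name, vsize, va, rsize, roff = struct.unpack_from("<8sIIII", data, hdr)
        flags = struct.unpack_from("<I", data, hdr + 36)[0]    # Characteristics
        secs.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, roff, rsize, flags))
    return pe_off, entry, secs

def heuristic_report(data):
    """List spec-legal traits a naive scanner may mistake for packing or infection (file-order sections assumed)."""
    pe_off, entry, secs = parse_pe(data)
    rep = {"pe_header_offset": pe_off, "sections": len(secs), "writable_code": [], "slack_with_data": []}
    rep["entry_in_exec"] = any(va <= entry < va + max(vs, rs) and bool(f & SCN_EXECUTE)
                               for _, va, vs, _, rs, f in secs)
    for i, (name, va, vs, roff, rs, f) in enumerate(secs):
        if f & SCN_EXECUTE and f & SCN_WRITE:                  # merged code/data section
            rep["writable_code"].append(name)
        if i + 1 < len(secs):                                  # bytes between this raw end and the next raw start
            gap = data[roff + rs:secs[i + 1][3]]
            if gap.strip(b"\0"):
                rep["slack_with_data"].append((name, secs[i + 1][0], len(gap)))
    return rep

def build_sample_pe():
    """Constructed minimal PE32 showing the traits above; not a binary from the MASM32 package."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40, right after the DOS header
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 5, 0, 0x200, 0x100, 0, 0x1000).ljust(0xE0, b"\0")
    sec = lambda n, vs, va, rs, ro, fl: struct.pack("<8sIIIIIIHHI", n, vs, va, rs, ro, 0, 0, 0, 0, fl)
    hdrs = (dos + coff + opt + sec(b".text", 0x200, 0x1000, 0x200, 0x200, 0xE0000020)
            + sec(b".data", 0x100, 0x2000, 0x100, 0x600, 0xC0000040))
    body = b"\xC3" * 0x200 + b"gap!" * 0x80 + b"\0" * 0x100     # .text, data in the inter-section slack, .data
    return hdrs.ljust(0x200, b"\0") + body
```

Running `heuristic_report(build_sample_pe())` flags a writable code section, a non-default PE header offset and 512 bytes of data in the slack between sections, all of which are legal and none of which is evidence of infection on its own.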
Title: Re: virus found?
Post by: Mark Jones on March 03, 2006, 12:59:33 AM
Hutch, since this "problem" seems to keep surfacing, maybe consider some form of change to the libraries? UPX perhaps?
Title: Re: virus found?
Post by: PBrennick on March 03, 2006, 09:45:49 PM
That would certainly stop the false positives and stop scaring off some of the userbase.

Paul
Title: Re: virus found?
Post by: White_Dragoon on March 03, 2006, 10:29:04 PM
Once, Panda Active Scan (the web scan) deleted an .ASM file of mine in the MASM32 directory and classified it as a "Hacking tool".

I think the .ASM was an example of how to shut down windows.

See you
Title: Re: virus found?
Post by: hutch-- on March 03, 2006, 10:58:51 PM
Unfortunately, pandering to the defects in one AV product is just shifting the problem around. The problems that the junk AV range have follow from them not handling files created by an assembler.

Small files are seen by some as suspicious for no other reason than their size, even though most modern viruses, trojans and the like are much larger and written in VC.
Title: Re: virus found?
Post by: Mark Jones on March 03, 2006, 11:05:18 PM
Quote from: PBrennick on March 03, 2006, 09:45:49 PM
That would certainly stop the false positives and stop scaring off some of the userbase...

Hehe, tongue-firmly-in-cheek. :P
Title: Re: virus found?
Post by: BogdanOntanu on March 04, 2006, 12:43:38 AM
Most AV consider runtime packed exes as dubious :D
Title: Re: virus found?
Post by: Mark Jones on March 04, 2006, 04:49:47 AM
That may be so... but if it quiets the scanners, why not?  :wink
Side bonus: libraries are smaller.
Title: Re: virus found?
Post by: BogdanOntanu on March 04, 2006, 03:43:19 PM
It does not quiet the scanners; most professional AV are quite capable of reading inside runtime packers :D
(more than you even think)

Also runtime packing will require write access to the code section ;)
Title: Re: virus found?
Post by: Ghirai on March 04, 2006, 04:05:21 PM
I recommend KAV :U
Title: Re: virus found?
Post by: PBrennick on March 04, 2006, 05:29:52 PM
Ghirai,
I can't see paying $50.00 US for a one year license for something I can get for free.  None of them are that much better than the rest so this is a valid statement.

Paul