During a routine AV sweep of my system I discovered a virus in one of the MASM examples, example3 to be exact. The virus is Win95.Radix.405.B in C:\masm32\examples\EXAMPLE3\APPACK\APPACK.EXE. I do not know if this is a file that comes with masm32; anyway, I just thought I would let people know.
Comes up clean for me using AVG Free edition.
Regards,
rags
Anthony,
You get used to false positives after a while; the ones that deliver these mistakes have defective heuristic scanning. F-Prot spits on the 3 DLLs that I wrote myself for the editor, others used to alarm on one demo that had no imports, and it goes on and on. The project is developed on an isolated machine and some of these files have not changed for years.
The trick is to use AV scanners like NOD32 or AVP that have far better designed heuristic scanners that properly understand the PE specification.
Quote from: hutch-- on March 02, 2006, 01:40:43 PM
Anthony,
You get used to false positives after a while; the ones that deliver these mistakes have defective heuristic scanning. F-Prot spits on the 3 DLLs that I wrote myself for the editor, others used to alarm on one demo that had no imports, and it goes on and on. The project is developed on an isolated machine and some of these files have not changed for years.
The trick is to use AV scanners like NOD32 or AVP that have far better designed heuristic scanners that properly understand the PE specification.
I found an AVG scanner by Grisoft, but no AVP. Is that what you meant?
I have been looking for a free scanner since going to XP.
AVG is reliable. It is not free, though, you have to buy a membership I think. If you know someone with AOL, ask for a temporary screen name and you can download a free copy of McAfee that will always run and always be up-to-date even if you never use AOL again. Probably not very ethical but there it is.
Paul
Quote from: PBrennick on March 02, 2006, 09:03:11 PM
AVG is reliable. It is not free, though, you have to buy a membership I think. If you know someone with AOL, ask for a temporary screen name and you can download a free copy of McAfee that will always run and always be up-to-date even if you never use AOL again. Probably not very ethical but there it is.
Paul
It's free for home use.
McAfee is not my scanner of choice. They have a tendency to miss obvious virii.
Hutch, it was detected with Bit Defender online; my other AVs didn't pick up on it.
Anthony,
The problems of false positives are almost exclusively the AV scanner authors not being properly conversant with the PE specifications for 32-bit executable files in Windows. When they make assumptions that entail a subset of the specification and reject perfectly valid files, it is a problem in terms of their assumptions. Some squawk on executable packer stubs, others cannot handle the PE header starting at any other address than the one produced by VC, others complain about merging data, resource and code sections, and some will complain about data being written in the spaces between sections.
These are all perfectly valid PE executable files written according to the specifications, yet they report them as false positives. What they need to do is properly understand the PE specifications and design their heuristic scanning so that it properly evaluates a much wider range of conditions. NOD32 does not have these problems and neither does AVP.
Hutch, since this "problem" seems to keep surfacing, maybe consider some form of change to the libraries? UPX perhaps?
That would certainly stop the false positives and stop scaring off some of the userbase.
Paul
Once, Panda Active Scan (the web scan) deleted a .ASM file in the MASM32 directory and classified it as a "Hacking tool".
I think the .ASM was an example of how to shut down windows.
See you
Unfortunately, pandering to the defects in one AV product is just shifting the problem around. The problems that the junk AV range have follow from them not handling files created by an assembler.
Small files are seen by some as suspicious for no other reason than their size, even though most modern viruses, trojans and the like are much larger and written in VC.
Quote from: PBrennick on March 03, 2006, 09:45:49 PM
That would certainly stop the false positives and stop scaring off some of the userbase...
Hehe, tongue-firmly-in-cheek. :P
Most AVs consider runtime-packed exes dubious :D
That may be so... but if it quiets the scanners, why not? :wink
Side bonus: libraries are smaller.
It does not quiet the scanners; most professional AVs are quite capable of reading inside runtime packers :D
(more than you even think)
Also runtime packing will require write access to the code section ;)
I recommend KAV :U
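As an added example (not code from this thread, from MASM32 or from any AV vendor), the script below shows what the layout-based "heuristics" hutch and Ghirai are describing actually look at. It builds two constructed PE32 images in memory, one shaped like a typical compiler build (DOS stub, separate .text/.data, an import table) and one shaped like a compact assembler build (PE header at 0x40, a single merged read/write/execute section, no imports, non-zero bytes in the section padding), then walks the headers and reports every trait a naive scanner might treat as suspicious, including the writable code section that a runtime packer needs. The thresholds (0x80 for the "usual" PE header offset, 4096 bytes for "tiny") and the section names are illustrative assumptions, and the images are structurally valid but not runnable programs.

```python
"""Toy PE layout heuristics (added example; thresholds are illustrative)."""
import struct

# IMAGE_SECTION_HEADER.Characteristics bits from the PE/COFF specification
SCN_CNT_CODE = 0x00000020
SCN_CNT_INITIALIZED_DATA = 0x00000040
SCN_MEM_EXECUTE = 0x20000000
SCN_MEM_READ = 0x40000000
SCN_MEM_WRITE = 0x80000000
FILE_ALIGN = 0x200
OPT_HDR_SIZE = 224  # IMAGE_OPTIONAL_HEADER32 with all 16 data directories


def _align(n):
    return -(-n // FILE_ALIGN) * FILE_ALIGN


def build_pe(e_lfanew, sections, import_rva, slack=b""):
    """Assemble a minimal, structurally valid PE32 image (constructed data).

    sections: list of (name, characteristics, raw_bytes).  `slack` is written
    into the padding after each section's real data, which some build tools do.
    """
    assert e_lfanew >= 0x40, "e_lfanew cannot overlap the DOS header"
    dos = (b"MZ" + bytes(58) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, OPT_HDR_SIZE, 0x102)
    dirs = [(0, 0)] * 16
    dirs[1] = (import_rva, 20 if import_rva else 0)  # directory 1 = import table
    opt = struct.pack("<H", 0x10B) + bytes(90) + struct.pack("<I", 16)  # magic, ..., NumberOfRvaAndSizes
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    hdr_end = e_lfanew + 4 + len(file_hdr) + len(opt) + 40 * len(sections)
    first_raw = _align(hdr_end)
    ptr, rva, sec_hdrs, body = first_raw, 0x1000, b"", b""
    for name, chars, raw in sections:
        raw_size = _align(len(raw))
        assert len(raw) + len(slack) <= raw_size, "slack must fit in the padding"
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(raw), rva,
                                raw_size, ptr, 0, 0, 0, 0, chars)
        body += (raw + slack).ljust(raw_size, b"\0")
        ptr += raw_size
        rva += 0x1000
    headers = dos + b"PE\0\0" + file_hdr + opt + sec_hdrs
    return headers.ljust(first_raw, b"\0") + body


def pe_heuristics(data):
    """Return the sorted list of layout traits a naive heuristic might flag.

    Every trait here is permitted by the PE spec; a scanner that treats any of
    them as 'malicious' will flag valid assembler-built files.
    """
    flags = set()
    if data[:2] != b"MZ":
        return ["not_mz"]
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return ["bad_pe_signature"]
    if e_lfanew < 0x80:  # assumed 'compiler-like' minimum: no room for a DOS stub
        flags.add("pe_header_at_unusual_offset")
    fh = e_lfanew + 4
    nsec = struct.unpack_from("<H", data, fh + 2)[0]
    opt_size = struct.unpack_from("<H", data, fh + 16)[0]
    opt = fh + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        return ["not_pe32"]
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    import_rva = struct.unpack_from("<I", data, opt + 96 + 8)[0] if ndirs > 1 else 0
    if import_rva == 0:
        flags.add("no_import_table")
    if nsec == 1:
        flags.add("single_section")
    if len(data) < 4096:  # assumed 'tiny file' threshold
        flags.add("tiny_file")
    secs = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i
        name, vsize, _rva, rsize, rptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        name = name.rstrip(b"\0").decode("ascii", "replace")
        secs.append((rptr, rsize, vsize))
        if chars & SCN_MEM_WRITE and chars & SCN_MEM_EXECUTE:
            flags.add("writable_code_section:" + name)  # what a runtime packer needs
        if chars & SCN_CNT_CODE and chars & SCN_CNT_INITIALIZED_DATA:
            flags.add("merged_code_and_data:" + name)
    for rptr, rsize, vsize in secs:
        if any(data[rptr + vsize:rptr + rsize]):  # non-zero bytes in the file padding after a section
            flags.add("data_in_section_slack")
    return sorted(flags)


def sample_compiler_style():
    """Constructed stand-in for a typical compiler build: DOS stub, imports, split sections."""
    text = b"\x33\xC0\xC3".ljust(0x1000, b"\xCC")  # xor eax,eax / ret, then int3 padding
    return build_pe(0xE0, [(b".text", SCN_CNT_CODE | SCN_MEM_EXECUTE | SCN_MEM_READ, text),
                           (b".data", SCN_CNT_INITIALIZED_DATA | SCN_MEM_READ | SCN_MEM_WRITE, b"\x2A\0\0\0")],
                    import_rva=0x2000)  # non-zero RVA is all this toy parser checks


def sample_compact_asm_style():
    """Constructed stand-in for a compact assembler build: header at 0x40, one RWX section, no imports."""
    rwx = SCN_CNT_CODE | SCN_CNT_INITIALIZED_DATA | SCN_MEM_EXECUTE | SCN_MEM_READ | SCN_MEM_WRITE
    return build_pe(0x40, [(b".flat", rwx, b"\x33\xC0\xC3")], import_rva=0, slack=b"MASM")


if __name__ == "__main__":
    for label, img in (("compiler-style", sample_compiler_style()), ("compact-asm", sample_compact_asm_style())):
        print(f"{label} ({len(img)} bytes): {pe_heuristics(img) or 'no flags'}")
```

Running it shows the compiler-style image raising nothing while the compact one trips every check at once, which is the thread's point: none of those traits is a spec violation, so a scanner that scores them as malicious produces exactly the false positives being discussed.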
Ghirai,
I can't see paying $50.00 US for a one year license for something I can get for free. None of them are that much better than the rest so this is a valid statement.
Paul