Damn,
I am pretty sure these DLLs dumpcu & indenta are clean, so I have submitted the files to AntiVir to see if I get any feedback / corrected detection definitions or something. These detections started last night while I was searching for include files. I have already checked them at http://virusscan.jotti.org/ which tells me:
Quote:
AntiVir              Found TR/Crypt.XPACK.Gen
ArcaVir              Found nothing
Avast                Found nothing
AVG Antivirus        Found nothing
BitDefender          Found nothing
ClamAV               Found nothing
Dr.Web               Found nothing
F-Prot Antivirus     Found nothing
F-Secure Anti-Virus  Found nothing
Fortinet             Found nothing
Kaspersky Anti-Virus Found nothing
NOD32                Found nothing
Norman Virus Control Found nothing
VirusBuster          Found nothing
VBA32                Found nothing
And the prompt automated response so far:
Quote:
Dear user,
Digital data should always be safe - free of viruses and of harmful code.
Because of this reason, we are happy you are using our Internet offer to
have suspicious files examined for a possible infection.
We have forwarded the file/s you have uploaded to our specialists from the virus lab.
The file/s is/are being analyzed.
We will shortly communicate you the result via email - please have some patience.
We are at your disposal for all kinds of questions regarding virus protection. Please call us
at +49 (0) 7542-500 0 or drop us an email to sales@avira.com
Please find current information about Avira and our security solutions on our website: www.avira.com
--
Yours sincerely
Avira GmbH
And today the expected result :bdg
Quote:
Dear Sir or Madam,
Thank you for your recent inquiry.
We could not find a virus in the attachment you have sent us.
This is a false positive caused by our heuristic. We will take out the pattern recognition in one of our next updates.
We thank you for your assistance.
Attachment(s) you sent:
- masm32suspects.zip
--
Freundliche Gruesse / Best regards
Avira GmbH
Andreas Pohl
First Level Support
Avira GmbH
Lindauer Str. 21, D-88069 Tettnang, Germany
Internet: http://www.avira.com
Having Avira installed on my machine, I got the same false warnings. You can always safely ignore those messages.
:8) It'll be interesting to see if they fix it. I browse the masm folder often so it gets annoying; maybe I'll get around to setting the exclusions if they don't remove it soon.
It seems to have been fixed on my latest AV update.
Over time some of the crappier AV scanners have bitten on various parts of the MASM32 project but it has always reduced down to poor heuristic scanning techniques. Neither AVP nor NOD32 have ever had problems with MASM32 as they tend to have better internal design in both lookup style signatures and heuristic scanning.
I build the project on an isolated machine from source code so there is little chance of there being any of the old style binary viruses and I also have multiple archived versions of all of the binaries and source code parked on different machines so there is little chance of getting hit this way apart from the security measures I use which are multiple redundant techniques backed up by squeaky clean disk images.
Hi Hutch,
As I was already extremely confident of the integrity of my masm32 folder, your distribution, my systems and network, the false detections were merely an annoyance to me. When searching for text strings in masm files (often), having to click "ignore" several times was getting quite frustrating really. :boohoo:
While I know I could have safely set the entire folder to be "excluded" from the guard / scans, it did make me question the accuracy of the heuristics as you suggest. I figured that such false detections can only do needless damage in the long run, to the reputations of both the detected files in question and the AV software itself.
With that in mind, I was hoping for the result that I got a few days later, that the dodgy heuristic be removed or fixed. Should future updates tend to demonstrate further false detections, I'll consider switching - but as it stands I'm pretty impressed with the speed of the "lab analysis" that was provided, and maybe a few fewer people might be frightened off adventuring into masmland.
Keep up the great work :toothy
Jason
Quote from: j_groothu on February 05, 2007, 12:20:03 PM
I am pretty sure these DLL's dumpcu & indenta are clean
they aren't clean, i.e. they are packed with "32Lite 0.03a" for whatever reason (size? - fsg has better compression, protection? - -)
also most of the other pe files are packed. PowerBasic pe is underneath.
drizz,
You are confusing compression and virus infected files; a compressed executable file is a valid PE file and runs correctly under every version of the Windows PE loader. The exception is the alteration of the specifications of PE files due to DEP in later service packs of XP and in later Windows versions.
The error is in defective heuristic scanning by lower quality AV products. As before, NOD32 and AVP have never produced false positives on any of the MASM32 distribution.
ROFL, Better ban computers altogether because people use them as tools to make trojans too :bdg
Quote from: hutch-- on February 12, 2007, 11:06:55 PM
You are confusing compression and virus infected files
Quote from: hutch-- on February 12, 2007, 11:06:55 PM
The error is in defective heuristic scanning by lower quality AV products. As before, NOD32 and AVP have never produce false positives on any of the MASM32 distribution.
hutch, I know the difference between a compressed executable and an infected file.
my point was that having _packed_ PEs in the package is bound to open threads like this sooner or later.
(the topic title is: New AV False detections... )
no matter if it's a false AV detection or a paranoid user with a hex editor, but that is for you to decide.
my indirect question was "Why are they packed?"
drizz,
depending on the file, I generally pack them to improve their load time and force the entire file into memory on load. It is not always a good idea, particularly if it's a big DLL that is called from many places at the same time, but with smaller files that are generally only used one at a time, it's a viable technique.
What I object to with crappy heuristic scanning is an effective reduction in the PE specification, which is determined by the OS loader, not an AV scanner author or a packer designer as in UPX. If their software cannot properly handle the range of the PE specification, it needs to be fixed.
The genuinely smart stuff does its own loader simulation and tests the content of the file to ensure it does not contain known signatures or unusual characteristics like a jump directly after the PE header, and they do it without executing the file. The junk is just not sophisticated enough to do this and it is often why their heuristic scanning is poor.
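The post above distinguishes string-matching heuristics from tools that parse the file's structure and reason about it without running it. The script below is an added example of that defender-side triage, not code from the MASM32 project or from anyone in this thread: it parses a PE32 header and reports packer indicators (entry point outside a conventional code section, near-random entropy in the entry section, UPX-style section names, a section with virtual size but no raw data, which is the layout an unpacking stub decompresses into). The two sample images are constructed inline by a tiny PE builder; the 7.0-bit entropy threshold and the two section-name lists are assumptions chosen for illustration. Note that it only classifies packing, which by itself says nothing about whether a file is malicious, which is precisely the thread's complaint about the AV in question.

```python
import math
import struct

# Section names characteristic of UPX output (UPX is the packer named in the thread).
# Assumed lists for illustration; a real triage tool would carry a much longer table.
PACKER_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
CODE_SECTION_NAMES = {b".text", b"CODE", b".code"}
ENTROPY_THRESHOLD = 7.0   # bits per byte; assumed cut-off, 8.0 is uniformly random


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a single repeated value, 8.0 for uniform."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(image: bytes):
    """Walk DOS header -> PE signature -> COFF header -> section table.
    Returns (AddressOfEntryPoint, list of section dicts with raw-data entropy)."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]          # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]   # SizeOfOptionalHeader
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]   # AddressOfEntryPoint
    sections = []
    for i in range(num_sections):
        off = opt + opt_size + 40 * i                            # 40-byte section headers
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", image, off)
        raw = image[rawptr:rawptr + rawsize]
        sections.append({"name": name.rstrip(b"\0"), "vsize": vsize, "va": va,
                         "rawsize": rawsize, "entropy": shannon_entropy(raw)})
    return entry_rva, sections


def packer_indicators(image: bytes) -> list:
    """Return human-readable packing indicators; an empty list means none were found."""
    entry_rva, sections = parse_sections(image)
    hits = []
    entry_sec = next((s for s in sections
                      if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["rawsize"])), None)
    if entry_sec is None:
        hits.append("entry point lies outside every section")
    else:
        if entry_sec["name"] not in CODE_SECTION_NAMES:
            hits.append(f"entry point in non-code section {entry_sec['name']!r}")
        if entry_sec["entropy"] > ENTROPY_THRESHOLD:
            hits.append(f"entry section {entry_sec['name']!r} entropy "
                        f"{entry_sec['entropy']:.2f} > {ENTROPY_THRESHOLD}")
    for s in sections:
        if s["name"] in PACKER_SECTION_NAMES:
            hits.append(f"packer section name {s['name']!r}")
        if s["rawsize"] == 0 and s["vsize"] > 0:
            hits.append(f"section {s['name']!r} has no raw data but {s['vsize']:#x} "
                        f"bytes virtual size (unpack target)")
    return hits


def build_pe(sections, entry_rva: int) -> bytes:
    """Build a minimal PE32 image for testing (constructed input, not a real binary).
    sections: list of (name, virtual_address, virtual_size, raw_bytes)."""
    pe_off, opt_size = 0x40, 0xE0
    hdr_end = pe_off + 4 + 20 + opt_size + 40 * len(sections)
    raw_base = (hdr_end + 0x1FF) & ~0x1FF                        # 0x200 file alignment
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", pe_off)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    # Magic, linker ver, SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData,
    # AddressOfEntryPoint (offset 16), BaseOfCode, BaseOfData; rest zero-filled.
    opt = struct.pack("<HBBIIIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva, 0, 0)
    opt += b"\0" * (opt_size - len(opt))
    headers, body, ptr = b"", b"", raw_base
    for name, va, vsize, raw in sections:
        padded = raw + b"\0" * ((-len(raw)) % 0x200)
        headers += struct.pack("<8sIIIIIIHHI", name, vsize, va, len(raw),
                               ptr if raw else 0, 0, 0, 0, 0, 0x60000020)
        body += padded
        ptr += len(padded)
    image = dos + b"PE\0\0" + coff + opt + headers
    return image + b"\0" * (raw_base - len(image)) + body


# Constructed sample 1: ordinary layout, entry at the start of .text, low-entropy code-like bytes.
PLAIN_PE = build_pe([(b".text", 0x1000, 0x100, b"\x55\x8b\xec\x90" * 64),
                     (b".data", 0x2000, 0x100, b"\x00" * 0x100)], entry_rva=0x1000)

# Constructed sample 2: UPX-style layout, empty UPX0 to unpack into, entry in a UPX1
# section whose bytes are uniformly distributed (entropy exactly 8.0).
PACKED_PE = build_pe([(b"UPX0", 0x1000, 0x4000, b""),
                      (b"UPX1", 0x5000, 0x400, bytes(range(256)) * 4)], entry_rva=0x5000)

if __name__ == "__main__":
    for label, img in (("plain", PLAIN_PE), ("packed", PACKED_PE)):
        print(label, packer_indicators(img) or ["no packer indicators"])
```

Run it as a script to see both verdicts, or import `packer_indicators` and feed it the bytes of a real PE file; a non-empty list is a reason to look closer, not a detection.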
... on an aside, I understood (perhaps erroneously, I know) that a similar packing / encryption mechanism was employed within the NT kernel, for both acceleration and obfuscation purposes. [and if Bill can do it ...]. Have I missed something here?
Quote from: hutch-- on February 13, 2007, 09:46:08 AM
depending on the file, I generally pack them to improve their load time
their load time?
somehow I very seriously doubt a compressed dll or whatever will load faster than the same uncompressed dll,
considering the loader for the compressed dll/exe is going to have to allocate the memory, unpack it, and so on,
then apply fixups (especially in the case of a dll)
hmmmm,
> their load time?
Yes, how long it takes to read a smaller file from disk. On average memory is far faster than disk IO so your unpacking overhead is generally compensated for by the speed difference. Once it is unpacked it has the same relocation time as any other DLL. The other factor is that a packed EXE/DLL loads the entire file at once and is not slowed down by paging.
Generally, I suspect the motives of people who complain about packed executables. Why would anyone care? Unless...
Paul
Quote from: PBrennick on February 26, 2007, 11:03:41 PM
Generally, I suspect the motives of people who complain about packed executables. Why would anyone care? Unless...
Equally, suspect the motives of people who feel the need to pack their executables (it works both ways) :bdg
UPX is one of the most popular packers. I haven't experimented with it much; what are your comments about this tool?