Despite the fact that I disabled the heuristics thingy, Avira is still picking up false positives. :(
My Avira setup finds 'viruses' in the executables in the \System Volume Information\ hidden directory.
For example:
D:\System Volume Information\_restore{0CD16E99-4193-406D-AE23-BF539F7C9D91}\RP122\A0026205.exe
I also have heuristic scanning turned off.
Kind regards
Quote from: Eddy on August 22, 2008, 09:21:24 PM
My Avira setup finds 'viruses' in the executables in the \System Volume Information\ hidden directory.
For example:
D:\System Volume Information\_restore{0CD16E99-4193-406D-AE23-BF539F7C9D91}\RP122\A0026205.exe
I also have heuristic scanning turned off.
Kind regards
Same here. That \System Volume Information\ directory keeps appearing lately.
I have added the "D:\System Volume Information\" directory to the exception list of the guard. This makes Avira ignore this directory, but it still leaves me wondering whether Avira's warnings are false positives or not ...
So I uploaded a file that Avira signals as infected to the online virus scanner VirusTotal: http://www.virustotal.com
See the result of that scan in the attached zip file.
21 of 36 virus scanners find 'something' in my uploaded file, but as you can see, a lot of the scanners use a heuristic scan or simply label the file as 'suspicious' ...
Kind regards
[attachment deleted by admin]
Eddy,
I gather these are PB files. Have you ever reported the problem to the vendor? I know with certainty that the PB compilers are sound and conform to the PE specs, but it may be worth pointing this problem out to them so they can have a play with it.
Quote from: hutch-- on August 24, 2008, 12:20:17 AM
I gather these are PB files.
vbaledit.ocx sounds more like a Visual Basic control. Where did you get the file from, in which folder did you find it? If it's a legitimate control, its origins should be traceable.
EDIT: Google is your friend... but it is still unclear why a nine-year-old MS Access control should trigger a virus alert.
Any free Unicode-compatible rich text box? VBA/Access (http://www.experts-exchange.com/Microsoft/Development/MS_Access/Q_21439828.html)
Since the Microsoft Rich Text Box Ver 6 (SP4) is not fully Unicode-compatible, and will not display international languages through its .text property assignment, I am looking for a Unicode-compatible Rich Text Box to internationalise an application written in VBA/Access 2002/2000.
Are there any such free-license and trouble-free controls?
I cannot get the vbAccelerator Rich Edit control to work. The vbAccelerator Rich Edit control sounds ideal, and is the only free one I could find. I downloaded files from http://www.vbaccelerator.com/codelib/richedit/richedit.htm and did the following:
1. "Registered", using the VBRegTLB.exe registration utility provided, the following files (I don't know whether this was necessary, or the implications):
OLEGUIDS.TLB
SSubTmr.dll
2. Created VB/Access database with one form, Form1
3. In VB environment, selected References... from menu and inserted the paths & filenames of the following
vbalEdit.ocx (159 KB)
Quote from: hutch-- on August 24, 2008, 12:20:17 AM
I gather these are PB files.
Hutch,
I can't tell. Gathering from the fact that, for example:
D:\System Volume Information\_restore{0CD16E99-4193-406D-AE23-BF539F7C9D91}\
is a hidden directory and looking at its name, my first guess is that this file is related to the Windows "System Restore Point" feature.
Such a file will probably contain a lot of compressed (?) data, meaning it contains pretty much random data. A lot of (pseudo)random data is likely to contain a byte sequence that resembles or matches one of the thousands of virus signatures that an AV scanner looks for, especially when that AV scanner scans the heuristic way.
Come to think of it, maybe it would be an interesting exercise to generate a number of files that contain only pseudorandom data and have them scanned for viruses. See how long it takes before a virus scanner finds a 'virus' ... :bg
Kind regards
Quote from: Eddy on August 24, 2008, 07:01:06 PM
Maybe it would be an interesting exercise to generate a number of files that contain only pseudorandom data and have it scanned for viruses.
Well, I did that exercise: my small test program generated 100 files with a random number (between 1000 and 100000) of pseudorandom bytes.
I had Avira scan those files for viruses. I did that about 20 times (generating new files every time), but Avira found nothing suspicious ...
So I guess heuristic scanning is not 'that' bad ... :-)
Kind regards
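The two posts above (the guess that random data should trip signatures, and the experiment that found it does not) can be put side by side. The following is an added example, not Eddy's program: it reproduces the random-file experiment with constructed, arbitrary byte-string "signatures" and also computes the expected number of fixed-pattern matches in a uniformly random file, which shows why a 16-byte signature essentially never occurs by chance while a 1-byte one always does.

```python
"""Added example: random-file false-positive experiment plus the expectation
behind it. The signatures used here are constructed for illustration; they are
not real AV patterns."""
import random
import tempfile
from pathlib import Path


def expected_hits(file_len: int, sig_len: int, n_sigs: int) -> float:
    """Expected number of matches of any of n_sigs fixed sig_len-byte patterns
    in one file of uniformly random bytes. Each of the file_len - sig_len + 1
    windows matches a given pattern with probability 256 ** -sig_len; summing
    over windows and patterns (union bound, fine when the result is tiny)."""
    windows = max(file_len - sig_len + 1, 0)
    return windows * n_sigs / 256.0 ** sig_len


def contains_signature(data: bytes, signatures) -> bool:
    """What a purely signature-based scanner would report for one file."""
    return any(sig in data for sig in signatures)


def write_random_files(directory: str, n_files: int, min_len: int,
                       max_len: int, seed: int = 1) -> list:
    """Write n_files of pseudorandom bytes, each with a length drawn uniformly
    from [min_len, max_len], and return their paths (point a scanner here)."""
    rng = random.Random(seed)
    paths = []
    for i in range(n_files):
        path = Path(directory) / f"random_{i:03d}.bin"
        path.write_bytes(rng.randbytes(rng.randint(min_len, max_len)))  # 3.9+
        paths.append(path)
    return paths


def run_experiment(n_files: int, min_len: int, max_len: int,
                   signatures, seed: int = 1) -> int:
    """Generate the files in a temporary directory and return how many of them
    contain at least one of the given signatures."""
    with tempfile.TemporaryDirectory() as tmp:
        paths = write_random_files(tmp, n_files, min_len, max_len, seed)
        return sum(contains_signature(p.read_bytes(), signatures) for p in paths)


if __name__ == "__main__":
    # 64 constructed 16-byte patterns: realistic signature length, arbitrary bytes
    sigs = [bytes(range(k, k + 16)) for k in range(64)]
    print("files flagged:", run_experiment(100, 1000, 100000, sigs))
    print("expected matches per 100 KB file, 10000 signatures:",
          expected_hits(100000, 16, 10000))
```

With 10000 signatures of 16 bytes and a 100 KB file the expectation is on the order of 10^-30, so Eddy's 2000 files finding nothing is exactly what the arithmetic predicts; a 1-byte pattern, by contrast, is expected about 390 times per 100 KB.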
Try copying the file into a standard folder and debugging it, perhaps like this (http://www.masm32.com/board/index.php?topic=8720.msg66888#msg66888). Avira likes to say that similar files are problematic here, usually with the name A011gfgsfwg.exe or something.
Once, some trojan did get through, back in the days when e-mail bugs jumped out of unopened mail (and "real" men didn't wear A/V protection...) The polymorphic thing spawned 4 processes, installed 5 spy tools, including a rootkit and a backdoor remote control. Long story short, it was doing this from files in the \windows folder named A000agareebw.exe or similar. It locked its running threads so it was not terminatable; I ended up putting that disk in another machine to delete the offending files. Aaaah, those were the days...
So when I saw Avira's report of an A010gapawe.exe file infection, it made me stop and wonder for a second... were traces of that trash still in there? Which of course is impossible; that was a completely different PC and physical disk ago. :toothy
I've been in touch with Avira because sometimes some executables made with GoAsm and GoLink were reported as containing a Trojan.
They have said as follows:
Quote: We will take out the pattern recognition in one of our next (engine-)updates.
I'm going to wait and see what happens. I have Avira installed on my machine, but switched off, and I shall try it out in a few days time.
Incidentally, my contacts at Avira are:
Kind regards
Avira GmbH
and
Fabian Henne
First Level Support
Avira GmbH
Lindauer Str. 21, D-88069 Tettnang, Germany
Internet: http://www.avira.com
Email: virus_malware@avira.com
Since this problem with Avira, and apparently with other AV programs too, affects all assembler programmers, I believe we should fight this one.
In my opinion a false positive reported for a program is a libel upon the author and distributor.
Quote from: Eddy on August 24, 2008, 07:01:06 PM
...Gathering from the fact that (for example):
D:\System Volume Information\_restore{0CD16E99-4193-406D-AE23-BF539F7C9D91}\
is a hidden directory and looking at its name, my first guess is that this file is related to the Windows "System Restore Point" feature.
After having been infected with Conficker through a USB stick, I decided today to install Avira, and did a complete scan. Guess what? I got:
- 5 detections of the System Volume Information\_restore type
- one in C:\WINDOWS\SoftwareDistribution\Download\9859834e89172702ef462fbc3265334a\BIT83.tmp, difficult to verify
- and
63 100% sure false positives, most of them self-created executables in the Masm32 tree, plus a number of self-created ZIP archives.
Now all these files are hanging around in the "quarantine", and are pretty useless because Avira writes, without any warning, some stuff into the headers.
For me, probably no serious damage: I have copies of all really important files on a different PC. However,
destroying archives without warning is an action that could mean bankruptcy for a software company.
I think a lawsuit against Avira would be an adequate reaction to this behaviour.
I think you should first ask for your money back.
Quote: 3) The computer program described in the user manual conforms to the latest
technological standards. AVIRA GmbH (hereinafter called "Licensor")
wishes to point out, however, that the latest technological standards do not
guarantee software programs to function entirely without error in all applications
and combinations.
While on the subject of virii, who comes up with these names for them?
I.e. Conficker,
someone sitting at a desk at Symantec or elsewhere with nothing better to do the day new ones are discovered?
Quote from: Jimg on April 26, 2009, 09:32:35 PM
I think you should first ask for your money back.
Quote: 3) The computer program described in the user manual conforms to the latest
technological standards. AVIRA GmbH (hereinafter called "Licensor")
wishes to point out, however, that the latest technological standards do not
guarantee software programs to function entirely without error in all applications
and combinations.
See this post (http://www.masm32.com/board/index.php?topic=11318.new#new) for a description of how to see whether you got Conficker or not. I still have it, apparently, in spite of Avira.
Money back would be nice, but it's free. They finance it as an ad for their professional versions (those which can really kill Conficker, eh ::))
And, just in case you were ironically pointing to the fact that I signed the EULA: is there anybody around who has time to read the EULA? Let's be realistic...
I have Avira (it is disabled most of the time) and just scanned the MASM directory - nothing suspicious found.
In the whole time I've used it (3 years now) I've only ever had it flag viruses.
Load DLLs dynamically and then call the functions. Vortex has a _invoke macro on here somewhere that lets you use the address like you would with invoke (doesn't work with cdecl calls, only stdcall). This should make the AVs' crappy heuristics stop whining. If you use GoAsm it can invoke the dynamic function call directly, which is neat.
Seems they've improved it, no false positives here. I've compiled a few viruses on VirtualBox and it found them, but didn't flag non-viral code. :bg
:tdown
Darksider,
We shoot anyone who messes around with viruses here. Tread carefully or you will get arseh*led out the door faster than Halley's Comet.
Quote from: hutch-- on September 26, 2009, 01:19:53 AM
:tdown
Darksider,
We shoot anyone who messes around with viruses here. Tread carefully or you will get arseh*led out the door faster than Halley's Comet.
Affirmative.
I am new to MASM32, and the current update (as of 25 July 2010) of Avira Antivir detects finst.exe, a temporary executable created during installation,
as containing the Trojan horse TR/Gendal.3938680.
I think this is due to signature rather than heuristics, as I have set the heuristic feature to its lowest level.
It does not feel very safe to install the MASM32 SDK with those AV warnings,
though I admit it seems unlikely that widely used development software such as this one would be bundled with viruses.
For now I have installed it in a sandboxed environment.
Does anyone have any hints regarding the safety of this install?
If you got the MASM package from Hutch's site, then there are NO virii in any of the files, no matter what any AV says... it's just the way the asm progs are written...
Spike,
Do yourself a favour and shoot it; it's not one of the high quality AV products. This stuff is built in an isolated environment and has been tested on millions of computers. The fault is in the crappy AV scanner you are using. Their problem is they don't properly understand the Microsoft Portable Executable specifications and try to inflict a subset based on their limited heuristic detection skills.