AVG false positives

Started by hutch--, August 19, 2008, 06:16:40 AM


hutch--

This is what I get from the current version from their site. I tested it on a complete drive that had the new version 10 of masm32 installed on it. Now the problem is that these files are built from their original source code and are fully compliant with the Microsoft Portable Executable specifications including the later modification for DEP (Data Execution Prevention).


\masm32\macros\lst.exe      virus found Win32/heur
\masm32\mnutoasm.exe        virus found Win32/heur
\masm32\tools\l2def.exe     virus found Win32/heur
\masm32\tproc.exe           virus found Win32/heur


At this stage I would recommend that any person who is going to install the MASM32 SDK removes AVG from their computer and installs a reliable configurable AV product that does not exhibit these problems.

Here is the difference using a reputable AV scanner, in this instance NOD32.


Scan Log
Version of virus signature database: 3312 (20080731)
Date: 8/19/2008  Time: 4:39:45 PM
Scanned disks, folders and files: R:\Boot sector;R:\
R:\masm32\examples\advanced\msort\msort.asm » MIME - is OK (internal scanning not performed)
R:\masm32\examples\exampl07\console\hello\hello.asm » MIME - is OK (internal scanning not performed)
R:\masm32\examples\exampl07\hlldemo\smalled\redit.asm » MIME - is OK (internal scanning not performed)
R:\masm32\examples\exampl08\jmptable\jmptable.asm » MIME - is OK (internal scanning not performed)
R:\masm32\examples\exampl08\sortdemo\simple.asm » MIME - is OK (internal scanning not performed)
R:\masm32\examples\exampl09\maketbl\maketbl.asm » MIME - is OK (internal scanning not performed)
R:\masm32\examples\exampl09\strings\strings.asm » MIME - is OK (internal scanning not performed)
R:\masm32\examples\exampl10\threads\multhread\multhrd.asm » MIME - is OK (internal scanning not performed)
R:\masm32\examples\poasm\fda2\fda2.asm » MIME - is OK (internal scanning not performed)
R:\masm32\examples\poasm\riched\richedit.asm » MIME - is OK (internal scanning not performed)
R:\masm32\examples\poasm\runcpl\runcpl.asm » MIME - is OK (internal scanning not performed)
R:\masm32\examples\poasm\winenum\winenum.asm » MIME - is OK (internal scanning not performed)
R:\masm32\include\masm32.inc » MIME - is OK (internal scanning not performed)
R:\masm32\include\masm32rt.inc » MIME - is OK (internal scanning not performed)
R:\masm32\include\windows.inc » MIME - is OK (internal scanning not performed)
R:\masm32\include\winextra.inc » MIME - is OK (internal scanning not performed)
R:\masm32\m32lib\masm32.inc » MIME - is OK (internal scanning not performed)
R:\masm32\macros\macros.asm » MIME - is OK (internal scanning not performed)
R:\masm32\tools\maketbl\maketbl.asm » MIME - is OK (internal scanning not performed)
R:\masm32\tutorial\dlltute\dll\dlltute.asm » MIME - is OK (internal scanning not performed)
R:\drv_c\anydvd\SetupAnyDVD6051.exe » NSIS - bad archive
R:\drv_c\anydvd\version6100\SetupAnyDVD6100.exe » NSIS - bad archive
R:\drv_c\anydvd\version6160\SetupAnyDVD6160.exe » NSIS - bad archive
R:\drv_c\anydvd\version6165\SetupAnyDVD6165.exe » NSIS - bad archive
R:\drv_c\anydvd\version6166\SetupAnyDVD6166.exe » NSIS - bad archive
R:\drv_c\anydvd\version6169\SetupAnyDVD6169.exe » NSIS - bad archive
R:\drv_c\anydvd\version6170\SetupAnyDVD6170.exe » NSIS - bad archive
R:\drv_c\anydvd\version6174\SetupAnyDVD6174.exe » NSIS - bad archive
R:\drv_c\anydvd\version6184\SetupAnyDVD6184.exe » NSIS - bad archive
R:\drv_c\anydvd\version6193\SetupAnyDVD6193.exe » NSIS - bad archive
R:\drv_c\anydvd\version6201\SetupAnyDVD6201.exe » NSIS - bad archive
R:\drv_c\anydvd\version6300\SetupAnyDVD6300.exe » NSIS - bad archive
R:\drv_c\anydvd\version6303\SetupAnyDVD6303.exe » NSIS - bad archive
R:\drv_c\anydvd\version6312\SetupAnyDVD6312.exe » NSIS - bad archive
R:\drv_c\anydvd\version6315\SetupAnyDVD6315.exe » NSIS - bad archive
R:\drv_c\anydvd\version6317\SetupAnyDVD6317.exe » NSIS - bad archive
R:\drv_c\anydvd\version6400\SetupAnyDVD6400.exe » NSIS - bad archive
Number of scanned objects: 4581
Number of threats found: 0
Time of completion: 4:40:43 PM  Total scanning time: 58 sec (00:00:58)


Here are the results from the Kaspersky current version on the same drive with MASM32 installed.


Scan: completed 8/19/2008 5:07:27 PM   (events: 6, objects: 5158, time: 00:01:59)
8/19/2008 5:05:16 PM Task completed
8/19/2008 5:04:15 PM Task started
Scan: completed 8/19/2008 5:07:27 PM   (events: 6, objects: 5158, time: 00:01:59)
8/19/2008 5:05:28 PM Task started
8/19/2008 5:06:39 PM Detected: Trojan-Downloader.Win32.SetupFactory.i R:\drv_c\flplayer\FLVPlayerSetup.exe
8/19/2008 5:06:39 PM Untreated: Trojan-Downloader.Win32.SetupFactory.i R:\drv_c\flplayer\FLVPlayerSetup.exe Postponed
8/19/2008 5:07:14 PM Detected: Trojan-Downloader.Win32.SetupFactory.i R:\drv_c\flplayer\FLVPlayerSetup.exe
8/19/2008 5:07:27 PM Untreated: Trojan-Downloader.Win32.SetupFactory.i R:\drv_c\flplayer\FLVPlayerSetup.exe Skipped by user
8/19/2008 5:07:27 PM Task completed


Note no reference to MASM32 files at all. It appeared not to like the flv player setup I have installed even though it works fine and is not infected.
Download site for MASM32      New MASM Forum
https://masm32.com          https://masm32.com/board/index.php

n00b!

Sorry that it's not correctly specified, but in school I once tried to install Masm32 for fun and it did not work because of G Data (or something like that).
And since I know that in Masm32 there is definitely no virus, it's a false positive :)

hutch--

Thanks noob, every little bit helps.

Neil

Just installed Masm32 version 10 & I am getting false positives on the following files :-

masm32\macros\lst.exe
masm32\mnutoasm.exe
masm32\tools\l2def\l2def.exe
masm32\tproc.exe

I had no problems with version 9. The anti-virus scanner is AVG, and if I can find a workaround I'll post it. I know that Hutch is going to tell me to change my anti-virus scanner :green


jdoe

Quote from: Neil on September 30, 2008, 09:30:15 AM
masm32\macros\lst.exe
masm32\mnutoasm.exe
masm32\tools\l2def\l2def.exe
masm32\tproc.exe

I had no problems with version 9. The anti-virus scanner is AVG, and if I can find a workaround I'll post it. I know that Hutch is going to tell me to change my anti-virus scanner :green


You don't have an exception list in the configuration of AVG?

:bdg


hutch--

Neil,

The interesting part is that the files are all built with a BASIC compiler, and I can vouch for the results from the source down to the MZ and PE header format. This is the source for LST.EXE.


' ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
'                       PB Main Template for PBCC40
' ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

FUNCTION PBmain as LONG

    ' read macros.asm and write the name of every MACRO it defines to lst.txt
    Open "macros.asm" for Input as #1
    Open "lst.txt" for Output as #2

    Do
      Line Input #1, a$
      a$ = trim$(a$)
      If a$ = "" Then                    ' skip blank lines
        ! jmp overit
      End If
      If left$(a$,1) = ";" Then          ' skip comment lines
        ! jmp overit
      End If
      If instr(a$,"MACRO") <> 0 Then
        b$ = left$(a$,instr(a$," ")-1)   ' the first word on the line is the macro name
        Print #2, b$
      End If
    overit:
    Loop while not eof(1)

    Close #2
    Close #1

    ' open the resulting list in the MASM32 editor
    xx& = shell("\masm32\qeditor.exe lst.txt",1)

End FUNCTION

' ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤


YES, get a decent AV scanner that does not have lousy heuristic scanning.  :bg

Neil

jdoe,
I've found where to manage the exceptions in AVG & I've put the path to masm32 in it. I'll see if that does the trick, maybe I won't have to get a new AV scanner after all.

Mark Jones

Just a thought... but perhaps some of us here should become involved in a project to build a proper, light-weight, manual anti-virus scanner. One which does not false, does not do heuristics, is not updated hourly due to a shadow market, nor runs in the background constantly (in an un-stoppable process) or otherwise does anything else we do not specifically tell it to do. It seems like all of the AV products today are huge bloat-ware packages and completely take over the PC and prevent the user from exerting any control. Like Hutch says, if we practice safe web habits, the chance of getting a real infection is very low. We should have the option of running a manual scanner whenever we choose, instead of it controlling us whenever IT chooses.

...Also, instead of their idea of "heuristics" and maintaining a huge database of viral matches, an idea may be to treat each scanned file as a disassembly and assign weights to detected elements. i.e., if the file is compressed, it gets one strike. If it also calls APIs by ordinal, it gets another. Encryption, another strike. Suspect files are reported with the highest number of weights first, along with their disassembled code -- so that we, the users in control, can see whether or not the code really is malicious. There should also be an easy way to mark "good" files so that they are excluded from further detections (as long as their MD5 signature remains the same, of course) -- that always scared me, the fact that "Exclusions" from other scanners meant that the file was never touched again. Well, what happens if it becomes infected later? Therefore, even though a file is marked as excluded, it should not be forgotten about.

Just an idea. :8)
"To deny our impulses... foolish; to revel in them, chaos." MCJ 2003.08
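The two technical points in this thread, hutch's remark that the flagged tools are plain PE images that can be vouched for down to the MZ/PE headers (including the DEP flag), and Mark Jones's proposal of a scanner that reports weighted "strikes" with a hash-keyed exclusion list instead of a fire-and-forget whitelist, can be shown together in a small triage script. The block below is an added example, not code from this thread or from the MASM32 SDK. Everything in it is an assumption for illustration: the traits that earn a strike (a section with entropy above 7.0 bits per byte, a section that is both writable and executable, any API imported by ordinal, an image without the NX-compatible flag), a weight of one per strike, PE32-only parsing, SHA-256 in place of the MD5 mentioned in the post, and the two sample images, which are constructed in memory and are not real programs.

```python
"""Added example, not code from the MASM32 thread or SDK: a toy 'strikes' PE32 triage after
Mark Jones's post, plus a hash-keyed exclusion list that stops applying once the file changes.
Weights and the entropy threshold are assumptions; the sample images are constructed in memory."""
import hashlib
import math
import struct

NX_COMPAT = 0x0100        # IMAGE_DLLCHARACTERISTICS_NX_COMPAT: image declares itself DEP-compatible
SCN_EXECUTE = 0x20000000  # IMAGE_SCN_MEM_EXECUTE
SCN_WRITE = 0x80000000    # IMAGE_SCN_MEM_WRITE
ORDINAL_FLAG32 = 0x80000000
ENTROPY_STRIKE = 7.0      # assumed threshold: packed or encrypted sections sit near 8 bits per byte


def shannon_entropy(data):
    """Bits per byte; plain x86 code and tables usually stay well under 7."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data))) if n else 0.0


def parse_pe32(data):
    """Minimal PE32 reader: DllCharacteristics, section table, number of imports by ordinal."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("this example handles PE32 only")
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]
    import_rva = struct.unpack_from("<I", data, opt + 104)[0]          # DataDirectory[1] = import table
    sections = []
    for i in range(nsect):
        name, _, va, rawsize, ptr, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "ptr": ptr, "raw": data[ptr:ptr + rawsize], "chars": chars})

    def rva2off(rva):                                                   # file offset of an RVA via the section table
        s = next(s for s in sections if s["va"] <= rva < s["va"] + len(s["raw"]))
        return rva - s["va"] + s["ptr"]

    ordinals = 0
    desc = rva2off(import_rva) if import_rva else None
    while desc is not None:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if not (oft or name_rva or ft):
            break                                                       # all-zero descriptor ends the table
        thunk = rva2off(oft or ft)
        while struct.unpack_from("<I", data, thunk)[0]:
            ordinals += bool(struct.unpack_from("<I", data, thunk)[0] & ORDINAL_FLAG32)
            thunk += 4
        desc += 20
    return {"dll_characteristics": dllchars, "sections": sections, "ordinal_imports": ordinals}


def triage(data):
    """Return (score, reasons): one strike per suspicious trait, no verdict; the reader decides."""
    info = parse_pe32(data)
    reasons = []
    for s in info["sections"]:
        ent = shannon_entropy(s["raw"])
        if ent > ENTROPY_STRIKE:
            reasons.append("section %s entropy %.2f (compressed or encrypted?)" % (s["name"], ent))
        if s["chars"] & SCN_EXECUTE and s["chars"] & SCN_WRITE:
            reasons.append("section %s is writable and executable" % s["name"])
    if info["ordinal_imports"]:
        reasons.append("%d API(s) imported by ordinal" % info["ordinal_imports"])
    if not info["dll_characteristics"] & NX_COMPAT:
        reasons.append("image not marked DEP/NX compatible")
    return len(reasons), reasons


def mark_good(exclusions, path, data):
    """Record a 'good' file by content hash; once the file changes the entry no longer matches."""
    exclusions[path] = hashlib.sha256(data).hexdigest()


def is_excluded(exclusions, path, data):
    return exclusions.get(path) == hashlib.sha256(data).hexdigest()


def scan(files, exclusions):
    """files: {path: bytes}. Highest score first; an excluded file is skipped only while unchanged."""
    results = []
    for path, data in files.items():
        if not is_excluded(exclusions, path, data):
            score, reasons = triage(data)
            results.append((score, path, reasons))
    return sorted(results, key=lambda r: (-r[0], r[1]))


def build_sample_pe32(text, text_chars, dllchars, import_by_ordinal):
    """Constructed PE32 image (headers, .text at 0x200, .idata at 0x400); test data, not a program."""
    align = 0x200
    thunk = 0x80000001 if import_by_ordinal else 0x2048               # ordinal 1, or RVA of the hint/name entry
    idata = struct.pack("<IIIII", 0x2028, 0, 0, 0x2038, 0x2030) + b"\0" * 20
    idata += struct.pack("<II", thunk, 0) * 2                          # OriginalFirstThunk and FirstThunk arrays
    idata += b"kernel32.dll".ljust(16, b"\0") + b"\0\0ExitProcess\0"
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 0, 0, len(text), 0, 0, 0x1000, 0x1000, 0x2000, 0x400000, 0x1000, align,
                      4, 0, 0, 0, 4, 0, 0, 0x3000, align, 0, 3, dllchars, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"\0" * 8 + struct.pack("<II", 0x2000, 0x28) + b"\0" * 8 * 14   # DataDirectory[1] = imports
    sect = lambda n, va, size, ptr, ch: struct.pack("<8sIIIIIIHHI", n, size, va, align, ptr, 0, 0, 0, 0, ch)
    hdr = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0"
    hdr += struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x0102) + opt
    hdr += sect(b".text", 0x1000, len(text), 0x200, text_chars) + sect(b".idata", 0x2000, len(idata), 0x400, 0xC0000040)
    return hdr.ljust(align, b"\0") + text.ljust(align, b"\0") + idata.ljust(align, b"\0")


# Constructed samples: a small build-tool-like image, and one with packer-like traits.
CLEAN_TOOL = build_sample_pe32((b"\x55\x8b\xec\x33\xc0\x5d\xc3" + b"\xcc" * 9) * 32,
                               0x60000020, NX_COMPAT | 0x8000, import_by_ordinal=False)
PACKED_SAMPLE = build_sample_pe32(bytes(range(256)) * 2, 0xE0000020, 0, import_by_ordinal=True)
```

Running `scan({"lst.exe": CLEAN_TOOL, "sample.exe": PACKED_SAMPLE}, {})` reports the packed-looking image first with four strikes and the clean one with none; the MASM32 tools in this thread are closer to the clean case, which is why a heuristic engine that treats any small, unusual compiler output as hostile produces exactly the false positives reported above. After `mark_good(excl, "lst.exe", CLEAN_TOOL)` the file is skipped, but appending a single byte changes its hash and it is scanned again, which is the "excluded but not forgotten" behaviour the post asks for.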

jj2007

Contrary to my habits, and because I have a problem with an lsass.exe GPF, I allowed AVG to do a complete check:
- \masm32\examples\poasm\runcpl\runcpl.exe is a 'Trojan horse Generic12.KDK'
- two of my freshly assembled own files are 'Trojan horse Downloader.Tibs.9Z'
They all got deleted without asking for it. Heuristic analysis was off.
Of course, AVG did not find any problem with lsass.exe and its DLLs...
AVG sucks

BlackVortex

I've posted this in another thread, but it also fits here.

http://www.mydigitallife.info/2008/11/18/avg-offers-free-one-year-license-for-users-affected-by-faulty-update/

:boohoo:

@ jj2007
At least it didn't delete your sources, right? :cheekygreen:

herge


Hi *.*:

Also AVG doesn't like MMX-type instructions,
i.e. it doesn't like 128-bit registers.

I am not sure how you could crash a computer
with MMX registers, besides getting your
stack unbalanced.

Regards: herge
// Herge born  Brussels, Belgium May 22, 1907
// Died March 3, 1983
// Cartoonist of Tintin and Snowy