Virus false positive

Started by Jimg, January 31, 2008, 04:18:52 PM


Jimg

assembling the following code:
.486                               
.model flat, stdcall               
option casemap :none               
.nolist
    include \masm32\include\kernel32.inc
    includelib \masm32\lib\kernel32.lib

    include \masm32\include\urlmon.inc
    includelib \masm32\lib\urlmon.lib
.listall
.code

start:
    push 0
    call ExitProcess

    call WriteFile
    call URLDownloadToFile
end start

using:
if exist "multidl.obj" del "multidl.obj"
if exist "multidl.exe" del "multidl.exe"

\masm32\bin\ml /c /coff /Fl /Sn "multidl.asm"
\masm32\bin\PoLink /SUBSYSTEM:CONSOLE "multidl.obj"

I get a virus warning for the HEUR/Malware virus.
Anyone else have this problem, or is it just my machine?


evlncrn8

well, usually stating what anti virus you actually used might help...

jj2007

What do you expect from a good virus scanner? That it ignores WriteFile and URLDownloadToFile in the first 20 bytes of code?? HEUR stands for heuristic, so your "false" positive is absolutely no surprise...
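To make concrete what a heuristic engine is reacting to in the repro above, here is an added example (not from this thread or the MASM32 package): a Python parser that walks a 32-bit PE's import directory and applies a crude downloader rule to what it finds. The FETCH_APIS/WRITE_APIS sets and the 8 KB size threshold are the editor's assumptions for illustration, not any vendor's real signature.

```python
import struct

# Assumed heuristic inputs (not a real vendor rule): APIs that, seen together
# in a small image that does little else, look like a downloader stub.
FETCH_APIS = {"URLDownloadToFileA", "URLDownloadToFileW", "InternetOpenUrlA", "InternetOpenUrlW"}
WRITE_APIS = {"WriteFile", "CreateFileA", "CreateFileW"}

def cstr(data, off):
    """NUL-terminated ASCII string starting at file offset off."""
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")

def rva_to_off(rva, sections):
    """Map an RVA to a file offset through the (vsize, va, rawsize, raw) section table."""
    for vsize, va, rawsize, raw in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + raw
    raise ValueError(f"RVA {rva:#x} is not backed by any section")

def pe_imports(data):
    """Return {dll: [api, ...]} from the import directory of a PE32 (32-bit) image."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                      # e_lfanew
    opt = pe + 24                                                     # optional header
    if data[pe:pe + 4] != b"PE\0\0" or struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 images are handled here")
    nsec, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    imp_rva = struct.unpack_from("<I", data, opt + 104)[0]           # data directory[1] = imports
    sections = [struct.unpack_from("<4I", data, opt + opt_size + 40 * i + 8) for i in range(nsec)]
    imports = {}
    desc = rva_to_off(imp_rva, sections) if imp_rva else None
    while desc is not None:
        oft, _, _, name_rva, ft = struct.unpack_from("<5I", data, desc)
        if name_rva == 0:                                             # null descriptor ends the list
            break
        names, thunk = [], rva_to_off(oft or ft, sections)
        while (entry := struct.unpack_from("<I", data, thunk)[0]) != 0:
            if entry & 0x80000000:                                    # import by ordinal
                names.append(f"#{entry & 0xFFFF}")
            else:                                                     # skip the 2-byte hint
                names.append(cstr(data, rva_to_off(entry, sections) + 2))
            thunk += 4
        imports[cstr(data, rva_to_off(name_rva, sections)).lower()] = names
        desc += 20
    return imports

def downloader_heuristic(imports, size):
    """Crude model of the rule the post trips: a tiny image that can both fetch a URL and write a file."""
    apis = {a for names in imports.values() for a in names}
    hits = {"fetch": bool(apis & FETCH_APIS), "write": bool(apis & WRITE_APIS), "tiny": size < 8192}
    hits["flagged"] = all(hits.values())
    return hits
```

Run against the 3072-byte multidl.exe this gives kernel32 (ExitProcess, WriteFile) plus urlmon (URLDownloadToFile) and all three conditions true, which is exactly the static view a heuristic sees before any code runs.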

Jimg

Ok, I didn't tell my antivirus prog on purpose to see if anyone else had the problem or it was just my screwy computer. 

The sequence WriteFile and URLDownloadToFile is right out of one of the examples in the new masm32 beta10 and not in the first 20 bytes in the example, I just simplified it to the smallest possible code that would cause the problem.  In the example, it does:
    print "Downloading "
    print pst2,13,10

    fn URLDownloadToFile,0,pst1,pst2,0,0

If you expect a virus scanner to flag this as a problem, I don't see why.  And if there is a good reason it should, then shouldn't the example be changed to avoid the problem???

hutch--

Jim,

The problem is in the assumptions of the heuristic scanning, it is viable code so the scanner is wrong.
Download site for MASM32      New MASM Forum
https://masm32.com          https://masm32.com/board/index.php

Jimg

Exactly.  I agree.  I just want to know if anyone else's scanner is having this problem. 
And I don't really know why anyone would want to produce a program that would trigger a virus detection.  If you want your program to work in today's world, it would seem you need to put effort into avoiding the problem, whatever it takes.  I will contact the antivirus program maker, but I don't hold out much hope of a good solution.

jj2007

Jim, you are right, of course. My statements were meant to provoke...
Some of the lean & mean code produced here can become victim of heuristic scanners, and we are not the only ones affected. False positives can destroy a small to medium business relying on a single sold application, and there is still no institution that would handle the conflict arising from them. Ideally, each of the antivirus providers should have an email address of the type FalsePositive@AntiVirus@com, and a simple mail stating the problem should suffice to force them to update their databases.
And even that is not enough, because you will know only by accident that user X has installed TheEsotericVirusScanner and stumbled over the problem; most of the time user X will not send you a mail flagging the problem - he will send the mail to other potential users warning them of your app...

Jimg

Hutch-

Just to avoid as many headaches as possible, I suggest you do not include multidl.exe in the masm distribution.  Unless you actually enjoy endlessly telling people their AV program sucks and there is nothing wrong when they try to install.   It's easy enough to click makeit.bat if one wants to try it.

Actually this is true of many of the exe's included in the examples.  Could possibly decrease the size of the distribution a meaningful amount.

Jimg

Just for information's sake the following AV programs found multidl.exe to be suspicious/malware

AntiVir
Authentium
F-Prot
F-Secure
Panda
Sophos
VBA32
Webwasher-Gateway


VirusTotal - Free Online Virus and Malw... http://www.virustotal.com/analisis/71c3...



File multidl.exe received on 02.01.2008 22:39:31 (CET)
Current status: finished
Result: 8/32 (25%)

Antivirus          Version        Last Update  Result
AhnLab-V3          2008.2.2.10    2008.02.01   -
AntiVir            7.6.0.61       2008.02.01   HEUR/Malware
Authentium         4.93.8         2008.02.01   Possibly a new variant W32/Downloader-Sml-bas
Avast              4.7.1098.0     2008.02.01   -
AVG                7.5.0.516      2008.02.01   -
BitDefender        7.2            2008.02.01   -
CAT-QuickHeal      9.00           2008.02.01   -
ClamAV             0.92           2008.02.01   -
DrWeb              4.44.0.09170   2008.02.01   -
eSafe              7.0.15.0       2008.01.28   -
eTrust-Vet         31.3.5502      2008.02.01   -
Ewido              4.0            2008.02.01   -
FileAdvisor        1              2008.02.01   -
Fortinet           3.14.0.0       2008.02.01   -
F-Prot             4.4.2.54       2008.02.01   W32/Downloader-Sml-bas
F-Secure           6.70.13260.0   2008.02.01   Suspicious:W32/Malware
Ikarus             T3.1.1.20      2008.02.01   -
Kaspersky          7.0.0.125      2008.02.01   -
McAfee             5221           2008.02.01   -
Microsoft          1.3204         2008.02.01   -
NOD32v2            2844           2008.02.01   -
Norman             5.80.02        2008.02.01   -
Panda              9.0.0.4        2008.02.01   Suspicious file
Prevx1             V2             2008.02.01   -
Rising             20.29.22.00    2008.01.30   -
Sophos             4.26.0         2008.02.01   Mal/Heuri-E
Sunbelt            2.2.907.0      2008.02.01   -
Symantec           10             2008.02.01   -
TheHacker          6.2.9.205      2008.02.01   -
VBA32              3.12.2.6       2008.01.31   suspected of Win32.Trojan.Downloade (http://...)
VirusBuster        4.3.26:9       2008.02.01   -
Webwasher-Gateway  6.6.2          2008.02.01   Heuristic.Malware

Additional information
File size: 3072 bytes
MD5: a681ab4c5dff8fb41f35b4c166aca7c1
SHA1: 27b3604d89456350c537bd088c9d40855b79c27d
PEiD: -


jj2007

Quote from: Jimg on February 01, 2008, 09:37:00 PM
Just for information's sake the following AV programs found multidl.exe to be suspicious/malware

Wow, that site is extremely useful! I just sent my dashboard installer and got three positives (false, of course) from CAT-QuickHeal, eSafe and Panda... thanxalot for the hint!

hutch--

Jim,

Thanks for the link, much the same comment as before, it is the place of AV software to find trojans and viruses, not squawk at valid code. I note that the two that I do approve of, Kaspersky and NOD32, do not deliver the false positives.

Jimg

Avira finally responded:
Quote: The file 'dnld.exe' has been determined to be 'FALSE POSITIVE'. In particular this means that this file is not malicious but a false alarm. Detection will be removed from our virus definition file (VDF) with one of the next updates.
We'll see.

NOD32 looked real interesting...  until I checked the price.  Ugh.