Getting assembled programs not to be detected as a virus.

Started by HaudNomen, November 17, 2008, 09:45:57 AM


HaudNomen

This is my first post; I actually joined because I personally had trouble with this. As far as I know it's not possible to stop AVG and other AVs from detecting masm32 as a virus.
But it is possible to be able to write apps that won't be detected as a virus on another computer.

After looking around the forum, I noticed reports of kernel32.lib and user32.lib being the library files causing the false virus reports.

To get it to not do this, download the Microsoft Express C++ compiler; after installing, copy the lib files from the SDK install directory and replace the \masm32\lib files with them.

The SDK install directory for me was: "C:\Program Files\Microsoft SDKs\Windows\v6.0A\Lib"

After doing this, I noticed no false virus reports using: http://virusscan.jotti.org/

I hope this helped.

BlackVortex

Well, I just ran my kernel32.lib through virustotti and it detected absolutely nothing, so that's not really the problem (anymore?)

Vortex

Hi HaudNomen,

Could you try to rebuild those import libraries?

HaudNomen

@BlackVortex
If you call anything used in the libs, the exe will be detected as a virus.

@Vortex
The Microsoft libs are no doubt closed source and proprietary, so I doubt it.

hutch--

It is clearly a defect in the AV software as the libs are built using Microsoft LINK. The installation builds them during the install so the libs work directly on the machine they are built on.
Download site for MASM32      New MASM Forum
https://masm32.com          https://masm32.com/board/index.php

Vortex

HaudNomen,

You can easily build the import libraries :

\masm32\tools\l2def\l2def.exe \masm32\lib\kernel32.lib
\masm32\tools\l2def\l2def.exe \masm32\lib\user32.lib

\masm32\bin\polib /OUT:kernel32.lib /DEF:kernel32.def /MACHINE:IX86
\masm32\bin\polib /OUT:user32.lib /DEF:user32.def /MACHINE:IX86

Mark Jones

HaudNomen, thanks for the report. It is a shame that some AV products erroneously red-flag MASM projects, but it is important to note that these libraries have not changed significantly in a very long time -- this whole "false positive" thing is relatively new, and not the fault of the MASM32 package of course.

Still, it would be nice to eliminate the issue altogether. I saw one case where a binary linked with a newer version of MS LINK triggered fewer false positives. While I could not test it thoroughly, the executable was considerably larger after linking with the newer linker. Perhaps the details of this may shed more light on the issue if you have the time to investigate.
"To deny our impulses... foolish; to revel in them, chaos." MCJ 2003.08

HaudNomen

Yeah, the older masm32 builds triggered false reports on 2 or 3 anti-viruses; now it seems the only one left is AVG. It's annoying how AVG are so damn lazy that they can't even look into this in depth.

BogdanOntanu

Quote from: HaudNomen on November 23, 2008, 12:36:08 PM
Yeah, the older masm32 builds triggered false reports on 2 or 3 anti-viruses; now it seems the only one left is AVG. It's annoying how AVG are so damn lazy that they can't even look into this in depth.

It is not about being lazy.

It is more about the "return on investment". It takes time and you have to pay highly specialized people to investigate those things, and in the end the number of people that are using ASM is very small. Besides, if you are using ASM then you should be able to tell yourself if something is a VX threat or not.

At the end of the capitalistic day the number of people using VB or Java or .Net/C# or C++ or even plain C applications is much bigger than the few guys that have an assembler installed on their PC, and as a manager you spend your money for the bigger user base and not for the very few.

Ambition is a lame excuse for the ones not brave enough to be lazy.
http://www.oby.ro

BlackVortex

You sure went a bit overboard on this one. My view is that AVG is just shitty software, a couple of weeks ago they destroyed the installations of thousands of their customers. My friend's laptop got nailed by it, haha, it detected his user32.dll as a virus and he chose to "clean" it  !!!!

More info :
http://www.mydigitallife.info/2008/11/18/avg-offers-free-one-year-license-for-users-affected-by-faulty-update/

hutch--

Probably letting the market sort out trash like AVG is the most effective way of getting rid of crappy AV heuristic detection. The library issue is a simple one: if the files are substantially larger after linking with the later MS libraries using the later linker, the AV scanner is simply making assumptions about the size of a file, not its content.

As per my comments before, if you are a technically savvy user get rid of all of the automated AV crap and properly secure your machine, if you don't have the technical skill to do this at least pay for reputable AV software, Kaspersky, Nod32 etc ... and never allow AV software to automatically run your machine for you.

BogdanOntanu

Quote
You sure went a bit overboard on this one. My view is that AVG is just shitty software, a couple of weeks ago they destroyed the installations of thousands of their customers. My friend's laptop got nailed by it, haha, it detected his user32.dll as a virus and he chose to "clean" it  !!!!

False positives on small ASM generated files by heuristics or signature match is one thing. Of course an error but a pardonable one and no market problem because a very few people have assemblers installed on their PC.

Detecting user32.dll as a threat and removing it from users' PCs is another kind of error. A much bigger one with a different explanation altogether and unfortunately much harder to be excused by the market.

Look, I am not trying to defend AVG. I work for another antivirus company (competition of AVG), but being in the same industry I have a sense of compassion for them, and at the same time I am just trying to explain to you the reasons, and hence you can get a more mature view on this issue.

For example you have to test for tens of thousands or hundreds of thousands of signatures and/or multiple heuristics and unpacking/decryption of many packers/protectors.

You have to get a match for each and every VX out there in the world BUT at the same time you MUST avoid at all costs hitting one of the valid normal DLLs or applications, and this for all versions of applications and all versions of Windows with all updates and service packs in all incremental stages existing in all languages.

The testing work is huge. Large teams of people perform it every day and at every release or update. Sometimes they do make an error; maybe once a year or maybe more. Consider the work involved... think a little... I would say it is a wonder that it happens so rarely.

And under the circumstances the testing of ASM files from MASM or TASM or NASM or FASM packages for false positives comes last. This is the only thing I was explaining above. Not "overboard" but simple logic instead.

In order to grow up a little, you know what? TRY to make an AV better than what the market has to offer alone and we will talk later... much later... when you have white hair and are near death after testing a few billion files for a match and another billion files for no match...

As I have said they do make mistakes, but under the circumstances it is expected once in a while.

BogdanOntanu

Quote from: hutch-- on November 23, 2008, 09:14:50 PM
Probably letting the market sort out trash like AVG is the most effective way of getting rid of crappy AV heuristic detection. The library issue is a simple one: if the files are substantially larger after linking with the later MS libraries using the later linker, the AV scanner is simply making assumptions about the size of a file, not its content.

As per my comments before, if you are a technically savvy user get rid of all of the automated AV crap and properly secure your machine, if you don't have the technical skill to do this at least pay for reputable AV software, Kaspersky, Nod32 etc ... and never allow AV software to automatically run your machine for you.

Of course the market will hit them badly for such an error but I doubt it will be because of detecting a few asm files by heuristic.

I do not know how others work and I cannot talk about how "we" work... but I honestly doubt that the heuristic in AVG is making assumptions on file size.

Heuristic does make a lot of checks on PE headers and "common" logical stuff used by VX authors. The whole idea is that heuristic will not check the file content for signatures, because you cannot have the signatures of VX that will be made in the future... instead heuristic will check "other" things, and of course it is perfectible and it can make errors.

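To make the point above concrete for anyone triaging such a report, here is an added example that is not from the thread or the MASM32 package: a Python script that builds a constructed minimal PE32 image and then reads back the header properties a heuristic typically weighs (entry point location, section permissions, presence of an import directory, image size). A tiny hand-linked binary can collect several of these weak signals at once without being malicious, which is why header-based heuristics misfire on it. The sample image and the observation list are assumptions for illustration, not any vendor's actual rules.

```python
import struct

SECTION_EXEC, SECTION_WRITE = 0x20000000, 0x80000000


def build_min_pe(entry_rva=0x1000, import_size=0, sec_flags=0x60000020):
    """Constructed sample: a minimal PE32 with one .text section (not a real MASM32 build)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)                          # e_lfanew: PE signature at 64
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)  # i386, 1 section, EXE
    opt = bytearray(224)                                         # PE32 optional header
    struct.pack_into("<HBBIIIIII", opt, 0, 0x10B, 0, 0, 0x200, 0, 0, entry_rva, 0x1000, 0x1000)
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)   # ImageBase, section/file align
    struct.pack_into("<II", opt, 56, 0x2000, 0x200)              # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 68, 2)                           # Subsystem: Windows GUI
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 104, 0x1100 if import_size else 0, import_size)  # import dir
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, sec_flags)
    hdr = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec
    return hdr.ljust(0x200, b"\0") + b"\xC3" * 0x200             # .text body: 512 x RET


def inspect_pe(data):
    """Read the header fields a heuristic weighs and list the observations they trigger."""
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsec, _, _, _, opt_size, _ = struct.unpack_from("<HIIIHH", data, coff + 2)
    opt = coff + 20
    entry = struct.unpack_from("<I", data, opt + 16)[0]          # AddressOfEntryPoint
    _, import_size = struct.unpack_from("<II", data, opt + 104)  # DataDirectory[1] = imports
    secs = []
    for i in range(nsec):
        name, vsize, va, rawsize, *_, flags = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        secs.append((name.rstrip(b"\0").decode(), va, max(vsize, rawsize), flags))
    notes = []
    if not any(va <= entry < va + size and flags & SECTION_EXEC for _, va, size, flags in secs):
        notes.append("entry point outside any executable section")
    if any(f & SECTION_EXEC and f & SECTION_WRITE for *_, f in secs):
        notes.append("section both writable and executable")
    if import_size == 0:
        notes.append("no import directory")
    if len(data) < 4096:
        notes.append("very small image")
    return {"sections": [s[0] for s in secs], "entry": entry,
            "has_imports": import_size != 0, "size": len(data), "notes": notes}
```

Running inspect_pe(build_min_pe()) on the constructed image reports "no import directory" and "very small image" for a perfectly benign file; pointing it at a real binary that was flagged shows which of these weak signals it actually carries.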

BlackVortex

Heuristics will never be perfect, but I just wish the antivirus products would give more noob-friendly messages, like "Suspicious file/behaviour". And not just "Warning : Trojan.Win32.Yougonnagetraped.B (variant)"

EDIT : Even the main executable of the super-popular game Left 4 Dead got flagged by NOD32, haha !