McAfee and MASM32 v10

Started by AceSnoopy, May 23, 2009, 05:33:33 PM

AceSnoopy

A heads-up, and question:

I've always found that using McAfee security software yields a good balance of safety and cost on my WinXP machine - and it's saved me from my own stupidity many a time :P

However, I came to reinstall MASM10 today for the first time after receiving the major McAfee update due to a hardware failure and subsequent total system mess-up - and its "Artemis" heuristic system seems to give positives on these files:

  • C:\MASM32\MENUEDIT.DLL (Variant Artemis!8F65127FB737)
  • C:\MASM32\MNUTOASM.EXE (Variant Artemis!FDE0082D56DB)
  • C:\MASM32\PROCMAP.EXE (Variant Artemis!15AD69EF710D)
  • C:\MASM32\TPROC.EXE (Variant Artemis!3FDBEABF8EE9)
  • C:\MASM32\EXAMPLES\EXAMPL10\ENUMERATE\ENUMWIN\ENUMWIN.EXE (Variant Artemis!0BDAEF9123E7)
  • C:\MASM32\EXAMPLES\EXAMPL10\THREADS\MULTIDL\MULTIDL.EXE (Variant Artemis!A681AB4C5DFF)
  • C:\MASM32\EXAMPLES\POASM\RUNCPL\RUNCPL.EXE (Detected as "Generic.dx trojan" - and the only file not recorded as an "Artemis!" variant)
  • C:\MASM32\PLUGINS\DUMPCU.DLL (Variant Artemis!B818CEF240E5)
  • C:\MASM32\PLUGINS\IDENTB.DLL (Variant Artemis!964871D9EAE0)
  • C:\MASM32\TOOLS\L2DEF\L2DEF.EXE (Variant Artemis!DC4C993C32E8)

At first I was unconcerned as I had experienced some issues with version 9. However, when I decided on a full system scan to complement my initial scan only of the masm32 directory, in order to check if any other locations had been written to with files that may have been mistaken for malware, I was shocked to find that McAfee recorded a series of executable files in a totally unrelated and long-archived backup directory as being "infected" with similar Artemis variations.

These files (about 5 ancient versions of the Frostwire self-extracting installation executable, in case it matters to anyone - no, I'm not sure why I still keep them around haha) were never recorded as threats before the masm installation - and the system is reported as otherwise clean. It would be really helpful if anyone could confirm the masm files in question as known to cause false positives. And also, could anyone suggest why scanning of these unrelated but specifically grouped files may be affected?

Thanks in advance

(And also boooo to McAfee - would it be so hard to name your heuristic detections something that made it clear they were made by heuristic analysis! Artemis indeed...)

BlackVortex

Tone down or disable the heuristics.

Not sure what answer you expect. Also, McAfee sucks   :dance:

dedndave

yah - norton and mcafee both pains
there are free ones out there that are better
the one i use is free - none at all
but - i assure you, those are false positives
you should be able to enter them into an "ignore list" of some kind

it is probably getting those positives from the pe headers - a common av mistake with assembler exe's

AceSnoopy

Oh well, after clicking on two "Advanced..." buttons and going into like the third level of configuration menu I just about get the option to turn off heuristics altogether - no tolerance settings :(

Dumbed down? nooooo not at all... Then why do I need to open an advanced pane to even view the logs?  :lol

I can de-quarantine the files as it finds them and it looks like that's about as good as it's gonna get - looks like I'll be looking through the freeware A/Vs before renewal time comes around! Still concerned about false positives on other files due to the presence of masm though - I'll check it out further but it takes a couple of hours to run a full scan. How exciting...

Mark Jones

It is unfortunate that AV products sometimes make false positives, but this behavior has been increasing non-linearly for some time now. It can be guaranteed that the official MASM32 releases are clean, and these errors lie in the fault of the particular AV scanner used.

Many here have struggled with free AVs marking their executables as bad when in fact the AV scanners are not parsing the PE file specification correctly (or otherwise assuming things about the executable). The only thing that can be done is a notice sent to the AV companies that some aspect of their scanning engine is making a mistake. They usually update their definitions, but eventually some new "variant" appears or a blanket heuristic pattern is released, and the process repeats.
"To deny our impulses... foolish; to revel in them, chaos." MCJ 2003.08
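As an added illustration (not code from the thread or the MASM32 project), a small Python PE32 header parser that pulls out the fields cheap heuristic engines commonly inspect and reports the traits that tend to distinguish hand-written assembler builds from compiler output. The sample image built by build_sample_pe and the trait list in heuristic_flags are constructed assumptions for illustration, not McAfee's actual Artemis rules.

```python
import struct

IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000  # PE/COFF section flags

def build_sample_pe(sections, import_rva=0, entry=0x1000):
    """Constructed minimal PE32 image (headers only) used as sample input; not a real binary."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<HBBIIIIII", 0x10B, 5, 12, 0x200, 0, 0, entry, 0x1000, 0x2000)
    opt += struct.pack("<IIIHHHHHHIIIIHHIIIIII", 0x400000, 0x1000, 0x200, 4, 0,
                       0, 0, 4, 0, 0, 0x3000, 0x400, 0, 2, 0,
                       0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[1] = (import_rva, 0x28 if import_rva else 0)          # data directory 1 = imports
    opt += b"".join(struct.pack("<II", r, s) for r, s in dirs)
    sect = b"".join(
        struct.pack("<8sIIIIIIHHI", n.encode().ljust(8, b"\0"), 0x200,
                    0x1000 * (i + 1), 0x200, 0x400 + 0x200 * i, 0, 0, 0, 0, c)
        for i, (n, c) in enumerate(sections))
    return dos + b"PE\0\0" + coff + opt + sect

def pe_profile(data):
    """Parse the header fields a heuristic engine typically looks at."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    magic, lmaj, lmin = struct.unpack_from("<HBB", data, opt)
    entry = struct.unpack_from("<I", data, opt + 16)[0]        # AddressOfEntryPoint
    dirs = opt + (96 if magic == 0x10B else 112)               # PE32 vs PE32+ layout
    imp_rva, _ = struct.unpack_from("<II", data, dirs + 8)     # import directory entry
    sects = []
    for i in range(nsect):
        n, vs, va, rs, _, _, _, _, _, c = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sects.append((n.rstrip(b"\0").decode(), va, max(vs, rs), c))
    return {"linker": (lmaj, lmin), "entry": entry, "imports": imp_rva != 0, "sections": sects}

def heuristic_flags(profile):
    """Traits often treated as suspicious by naive heuristics (illustrative assumption)."""
    flags = []
    if not profile["imports"]:
        flags.append("no import directory")
    if not any(va <= profile["entry"] < va + sz for _, va, sz, _ in profile["sections"]):
        flags.append("entry point outside every section")
    if any(c & IMAGE_SCN_MEM_EXECUTE and c & IMAGE_SCN_MEM_WRITE for *_, c in profile["sections"]):
        flags.append("writable+executable section")
    return flags
```

Running pe_profile over a quarantined file and comparing its flags against a known-clean build of the same tool is a quick way to see which header trait a heuristic is likely reacting to before filing a false-positive report.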

dedndave

i think it is simpler than that, Mark
the AV programmers are lazy
they see the PE and ID it as assembly language code and dump on it

Vortex

Hi AceSnoopy,

Add this link below to your favorites, it can be useful:

http://virusscan.jotti.org/en

Kruesty

Quote from: Vortex on May 24, 2009, 06:19:01 PM
Add this link below to your favorites, it can be useful:

http://virusscan.jotti.org/en

Hey, that's a good site! Thanks for this!

hutch--

Hi Steve,

Welcome on board. Good to hear from the folks at codingcrew again.  :U
Download site for MASM32: https://masm32.com
New MASM Forum: https://masm32.com/board/index.php

zs8861

I think if I install the masm32, I will close the antivirus product on my computer. :bg