New AV False detections in MASM32 Folder.

Started by j_groothu, February 05, 2007, 12:20:03 PM


j_groothu

Damn,
      I am pretty sure these DLLs dumpcu & indenta are clean, so I have submitted the files to AntiVir to see if I get any feedback / corrected detection definitions or something. These detections started last night while I was searching for include files. I have already checked them at http://virusscan.jotti.org/ which tells me:
Quote
AntiVir    Found TR/Crypt.XPACK.Gen
ArcaVir    Found nothing
Avast    Found nothing
AVG Antivirus    Found nothing
BitDefender    Found nothing
ClamAV    Found nothing
Dr.Web    Found nothing
F-Prot Antivirus    Found nothing
F-Secure Anti-Virus    Found nothing
Fortinet    Found nothing
Kaspersky Anti-Virus    Found nothing
NOD32    Found nothing
Norman Virus Control    Found nothing
VirusBuster    Found nothing
VBA32    Found nothing

j_groothu

And the prompt automated response so far:
Quote
Dear user,

Digital data should always be safe - free of viruses and of harmful code.
Because of this reason, we are happy you are using our Internet offer to
have suspicious files examined for a possible infection.

We have forwarded the file/s you have uploaded to our specialists from the virus lab.
The file/s is/are being analyzed.

We will shortly communicate you the result via email - please have some patience.

We are at your disposal for all kinds of questions regarding virus protection. Please call us
at +49 (0) 7542-500 0 or drop us an email to sales@avira.com

Please find current information about Avira and our security solutions on our website: www.avira.com

--
Yours sincerely
Avira GmbH

j_groothu

And today the expected result  :bdg
Quote
Dear Sir or Madam,


Thank you for your recent inquiry.

We could not find a virus in the attachment you have sent us.
This is a false positive caused by our heuristic. We will take out the pattern recognition in one of our next updates.

We thank you for your assistance.

Attachment(s) you sent:
- masm32suspects.zip

--
Freundliche Gruesse / Best regards
Avira GmbH

Andreas Pohl
First Level Support

Avira GmbH
Lindauer Str. 21, D-88069 Tettnang, Germany
Internet: http://www.avira.com

Vortex

Having Avira installed on my machine, I got the same false warnings. You can always safely ignore those messages.

j_groothu

 :8) It'll be interesting to see if they fix it. I browse the masm folder often so it gets annoying; maybe I'll get around to setting the exclusions if they don't remove it soon.

j_groothu

It seems to have been fixed on my latest AV update.

hutch--

Over time some of the crappier AV scanners have bitten on various parts of the MASM32 project but it has always reduced down to poor heuristic scanning techniques. Neither AVP nor NOD32 have ever had problems with MASM32 as they tend to have better internal design in both lookup style signatures and heuristic scanning.

I build the project on an isolated machine from source code so there is little chance of there being any of the old style binary viruses and I also have multiple archived versions of all of the binaries and source code parked on different machines so there is little chance of getting hit this way apart from the security measures I use which are multiple redundant techniques backed up by squeaky clean disk images.
Download site for MASM32      New MASM Forum
https://masm32.com          https://masm32.com/board/index.php

j_groothu

Hi Hutch,
      As I was already extremely confident of the integrity of my masm32 folder, your distribution, my systems and network, the false detections were merely an annoyance to me. When searching for text strings in masm files (often), having to click "ignore" several times was getting quite frustrating really. :boohoo:

While I know I could have safely set the entire folder to be "excluded" from the guard / scans, it did make me question the accuracy of the heuristics as you suggest. I figured that such false detections can only do needless damage in the long run, to the reputations of both the detected files in question, as well as the AV software itself.

With that in mind, I was hoping for the result that I got a few days later, that the dodgy heuristic be removed or fixed. Should future updates tend to demonstrate further false detections, I'll consider switching - but as it stands I'm pretty impressed with the speed of the "lab analysis" that was provided and maybe a few less people might be frightened off adventuring into masmland.

Keep up the great work  :toothy
Jason



drizz

Quote from: j_groothu on February 05, 2007, 12:20:03 PM
I am pretty sure these DLLs dumpcu & indenta are clean
they aren't clean, i.e. they are packed with "32Lite 0.03a" for whatever reason (size? - fsg has better compression, protection? - -)
also most of the other pe files are packed. PowerBasic pe is underneath.
The truth cannot be learned ... it can only be recognized.

hutch--

drizz,

You are confusing compression and virus infected files. A compressed executable file is a valid PE file and runs correctly under every version of the Windows PE loader. The exception is the alteration of the specifications of PE files due to DEP in later service packs of XP and in later Windows versions.

The error is in defective heuristic scanning by lower quality AV products. As before, NOD32 and AVP have never produced false positives on any of the MASM32 distribution.

j_groothu

ROFL, Better ban computers altogether because people use them as tools to make trojans too  :bdg

drizz

Quote from: hutch-- on February 12, 2007, 11:06:55 PM
You are confusing compression and virus infected files
Quote from: hutch-- on February 12, 2007, 11:06:55 PM
The error is in defective heuristic scanning by lower quality AV products. As before, NOD32 and AVP have never produced false positives on any of the MASM32 distribution.

Hutch, I know the difference between a compressed executable and an infected file.
my point was that having _packed_ PEs in the package is bound to open threads like this sooner or later.
(the topic title is : New AV False detections... )
no matter if it's false AV detection or a paranoid user with a hexeditor, but that is for you to decide.
my indirect question was "Why are they packed?"

hutch--

drizz,

Depending on the file, I generally pack them to improve their load time and force the entire file into memory on load. It is not always a good idea, particularly if it's a big DLL that is called from many places at the same time, but with smaller files that are generally only used one at a time, it's a viable technique.

What I object to with crappy heuristic scanning is an effective reduction in the PE specification, which is determined by the OS loader, not an AV scanner author or a packer designer as in UPX. If their software cannot properly handle the range of the PE specification, it needs to be fixed.

The genuinely smart stuff does its own loader simulation and tests the content of the file to ensure it does not contain known signatures or unusual characteristics like a jump directly after the PE header, and they do it without executing the file; the junk is just not sophisticated enough to do this, and it is often why their heuristic scanning is poor.
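Hutch's description above of what a scanner checks statically (where the entry point lands, what the section content looks like) can be shown with a small triage script. What follows is an added example, not code from this thread or from the MASM32 project: it parses the PE section headers, finds the section that holds the entry point, measures that section's byte entropy and reports a few packer-like traits. The two images it runs on are constructed inline (headers plus raw section bytes, not loadable programs), the 7.0-bit entropy threshold and the UPX0/UPX1 name list are assumptions for the example, and, as the thread itself shows, a hit means "packed", not "infected".

```python
import math
import struct

# Section names used by UPX-packed images. A short illustrative list
# (assumption for this example), not a complete catalogue of packers.
PACKER_SECTION_NAMES = {"UPX0", "UPX1"}


def shannon_entropy(buf):
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 at most."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(data):
    """Return (AddressOfEntryPoint, sections) from a PE32/PE32+ image.

    Only the fields the heuristics need are decoded: e_lfanew, the COFF
    section count and optional-header size, the entry RVA, and per section
    its name, VirtualAddress, VirtualSize and raw file bytes."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    sections, pos = [], opt + opt_size
    for _ in range(num_sections):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", data, pos)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize,
                         "raw": data[rptr:rptr + rsize]})
        pos += 40
    return entry_rva, sections


def triage(data, entropy_threshold=7.0):
    """Static packed-looking traits of the kind AV heuristics key on.

    Any flag means 'worth a closer look', not 'malicious': a benign packed
    DLL such as the ones discussed in the thread trips all three."""
    entry_rva, sections = parse_sections(data)
    findings = {"entry_rva": entry_rva, "entry_section": None, "flags": []}
    for index, sec in enumerate(sections):
        span = max(sec["vsize"], len(sec["raw"]))
        if sec["vaddr"] <= entry_rva < sec["vaddr"] + span:
            break
    else:
        findings["flags"].append("entry_point_outside_all_sections")
        return findings
    entropy = shannon_entropy(sec["raw"])
    findings["entry_section"] = sec["name"]
    findings["entry_entropy"] = round(entropy, 2)
    if index != 0:
        findings["flags"].append("entry_not_in_first_section")
    if entropy >= entropy_threshold:
        findings["flags"].append("high_entropy_entry_section")
    if any(s["name"] in PACKER_SECTION_NAMES for s in sections):
        findings["flags"].append("packer_section_name")
    return findings


def build_pe(sections, entry_rva):
    """Construct a minimal PE32 image (headers plus raw section bytes) for
    exercising the parser. Not a loadable program; only the header fields
    the parser reads are meaningful."""
    opt_size = 224
    raw_ptr = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    section_headers, blobs = b"", b""
    for name, vaddr, raw in sections:
        section_headers += struct.pack(
            "<8sIIIIIIHHI", name.encode("ascii").ljust(8, b"\0"),
            len(raw), vaddr, len(raw), raw_ptr, 0, 0, 0, 0, 0x60000020)
        raw_ptr += len(raw)
        blobs += raw
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    optional = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(opt_size, b"\0")
    return dos + b"PE\0\0" + coff + optional + section_headers + blobs


# Constructed samples: a plain layout with the entry point in .text, and a
# UPX-style layout whose entry point sits in a high-entropy second section.
CLEAN_IMAGE = build_pe(
    [(".text", 0x1000, b"\x90" * 64 + b"\xC3"), (".data", 0x2000, b"hello\0")], 0x1000)
PACKED_IMAGE = build_pe(
    [("UPX0", 0x1000, b""), ("UPX1", 0x2000, bytes(range(256)))], 0x2010)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_IMAGE), ("packed", PACKED_IMAGE)):
        print(label, triage(image))
```

The point of the example is the last flag list: every trait it reports is also true of a legitimately compressed DLL, which is exactly why a scanner that stops at these traits produces the kind of false positive this thread is about. Section-name and entropy checks are cheap pre-filters; deciding anything from them requires the loader simulation and signature matching Hutch describes.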

j_groothu

... as an aside, I understood (perhaps erroneously, I know) that a similar packing / encryption mechanism was employed within the NT kernel, for both acceleration and obfuscation purposes. [and if Bill can do it ...] Have I missed something here?

evlncrn8

Quote from: hutch-- on February 13, 2007, 09:46:08 AM
depending on the file, I generally pack them to improve their load time


their load time?

Somehow I very seriously doubt a compressed dll or whatever will load faster than the same uncompressed dll,
considering the loader for the compressed dll/exe is going to have to allocate the memory, unpack it, and so on,
then apply fixups (especially in the case of a dll)