masm32 virus found - not false positive?

Started by abitlater, February 17, 2008, 06:34:03 PM


hutch--

My problem with this approach is the published Microsoft Portable Executable specification. When an AV vendor trashes a valid PE executable, they have reduced the specification to a subset based on their own technical inexperience and while you may find a workaround for one AV vendor, the next one is likely to do something stupid that is different to the last one and cause the same problem.

The real solution is for the end user to get rid of trashy AV scanners that take shortcuts and use the reputable ones; Kaspersky and NOD32 have generally been very good, and the authors appear to have enough technical know-how not to make stupid mistakes.

The risk for the end user is that if AV scanners are so badly written that they take shortcuts to look like they are secure, the level of security is a lot less reliable than a properly written and updated AV scanner that knows the difference.
Download site for MASM32      New MASM Forum
https://masm32.com          https://masm32.com/board/index.php

GregL

Thanks for the tip about Sandboxie, Mark. It looks useful. Another step towards dumping anti-virus programs altogether. I recently ran into the same problem as everyone else with AVG and a few files in Masm32. I sent them in for analysis, and I got a reply back confirming the detection was correct.  ::)  I'm sure it's automated and nobody really looks at the files. I keep having to restore them from the Virus Vault. There doesn't seem to be an exception list for the Virus Scanner in the free edition. I've about had it (with AVG).


hutch--

Greg,

Would you post the list of files that triggered the false positives ?

Vortex

lingo, stop being ridiculous. I scanned your Extractor version with Jotti. Your performance is not better than mine:

http://virusscan.jotti.org/

Quote:
A-Squared: Found nothing
AntiVir: Found TR/Dropper.Gen
ArcaVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found nothing
BitDefender: Found nothing
ClamAV: Found nothing
CPsecure: Found nothing
Dr.Web: Found MULDROP.Trojan (probable variant)
F-Prot Antivirus: Found nothing
F-Secure Anti-Virus: Found nothing
Fortinet: Found nothing
Ikarus: Found nothing
Kaspersky Anti-Virus: Found nothing
NOD32: Found nothing
Norman Virus Control: Found nothing
Panda Antivirus: Found nothing
Sophos Antivirus: Found Mal/Behav-153
VirusBuster: Found nothing
VBA32: Found nothing

Mark Jones

Vortex, Avira doesn't seem to like some of your apps. Here is a report from scanning my current /MASM32 folder (it's not the latest version, and contains some additions). Will post a new report with the new MASM32 sometime soon.
"To deny our impulses... foolish; to revel in them, chaos." MCJ 2003.08

Vortex

Mark,

I am using the same AV, but unfortunately it's the fault of the developers of that software. According to them, I cannot embed a binary data block in my executable because it would be marked as malware! ...and then I need to waste my time finding new tricks to avoid those false positives.

GregL

Hutch,

Attached is a screen shot of the files AVG keeps putting in the Virus Vault.


[attachment deleted by admin]

hutch--

Greg,

Thanks, an interesting piece of info. All of those files are built with the PowerBASIC compiler 8.04, and I know for sure that it has no problems. The vendor apparently writes some data into the spacing between sections, which is within the PE specifications.

PBrennick

Hutch,
I do not doubt that you have a good product, tried and true, but I would never feel comfortable with a statement like this:
Quote: The vendor apparently writes some data into the spacing between sections which is within the PE specifications.

The question, obviously, would be, "what data and why?"

Mark,
SandBoxie, this is something I think we all should have. Never heard of it before and I thank you for it.

-- Paul
The GeneSys Project is available from:
The Repository or My crappy website

hutch--

Paul,

The PE specs do not limit what is written in sections or between them. The vendor has done this for years with what are very successful BASIC compilers, and the output conforms to the PE specifications, so the problem is with lousy heuristic scanning that flags valid PE images as infected.

Farabi

My AVG seems to misdetect mnutoasm.exe as a virus named Win32/heur. I just ignore it.
Those who had universe knowledges can control the world by a micro processor.
http://www.wix.com/farabio/firstpage

"Etos siperi elegi"

Cobra

I moved the entire masm32 folder to a test box and no alerts came up when writing to the drive. Additionally, no alerts came up during a scan either. Using NOD32 3.0.669 on that box.