flat assembler
Message board for the users of flat assembler.

FAsmG triggering anti-virus

TheRaven
Downloaded fasmg on two separate occasions where both events triggered an anti-virus software report and effective deletion of the downloaded file. The fasmg download is categorized as viral, more specifically identified as malware. I am not certain if the file contents have been compromised on the server-side or the issue is simply a client-side false positive.

Would prefer the issue resolved on my end, but for security reasons recommend the file's review addressing possible corruption. Consider providing checksums/hashes for FAsm downloads, expediting the differentiation between fasm and malicious code and limiting impact from similar events in the future.

Thanks for your time and effort developing fasm and any consideration you offer this incident TG.

Currently, my device employs Windows 10 32-bit using Windows Defender for anti-virus services. Windows 10 is set to run in user mode, in contrast to developer mode; more than likely Win10 Defender definitions need to be updated to include FAsmG in the friendly list.

FAsm 1 download packages did not trigger an antiviral response from Windows 10 Defender.

Post 26 May 2016, 20:34
revolution
Yet another AV failure. Why people trust them is beyond my ken. Time to delete your AV. More trouble than they are worth.
Post 27 May 2016, 01:53
Tomasz Grysztar
virustotal.com shows a negligible detection ratio: https://www.virustotal.com/en/file/82aa266ae0a84d9b75ca8c07f1ac77e8e8841aa9e1deaf7677c2e598621bd84b/analysis/1464335475/
The false alarms on fasm 1 packages used to be much worse.
Post 27 May 2016, 07:54
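The check TheRaven asks for, as an added example that is not code from the fasm project or from this thread: compare a downloaded file's SHA-256 with the hash carried in a VirusTotal report URL such as the one above, so you know the file you have is the one whose detection ratio was reported. The URL layout (the 64-hex-digit path segment after `/file/`) is assumed from the URLs posted in this thread; the command-line usage at the bottom is a hypothetical wrapper.

```python
import hashlib
import hmac
import re
import sys

# VirusTotal report URLs (as posted in this thread) carry the file's SHA-256 in the path:
#   .../en/file/<sha256>/analysis/<timestamp>/   or   .../gui/file/<sha256>/detection
_VT_SHA256 = re.compile(r"/file/([0-9a-fA-F]{64})(?=/|$)")

def sha256_from_virustotal_url(url: str) -> str:
    """Return the lowercase SHA-256 that a VirusTotal report URL refers to."""
    m = _VT_SHA256.search(url)
    if m is None:
        raise ValueError(f"no SHA-256 found in VirusTotal URL: {url}")
    return m.group(1).lower()

def _digest(chunks) -> str:
    h = hashlib.sha256()
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()

def sha256_of_bytes(data: bytes) -> str:
    return _digest([data])

def sha256_of_file(path: str, chunk_size: int = 1 << 16) -> str:
    """Hash a file incrementally so large downloads are not read into memory at once."""
    with open(path, "rb") as f:
        return _digest(iter(lambda: f.read(chunk_size), b""))

def verify_bytes(data: bytes, expected_hex: str) -> bool:
    """True iff data hashes to expected_hex (hex case-insensitive, constant-time compare)."""
    return hmac.compare_digest(sha256_of_bytes(data), expected_hex.strip().lower())

def verify_file(path: str, expected_hex: str) -> bool:
    """Same check for a file on disk, e.g. the fasmg download in your Downloads folder."""
    return hmac.compare_digest(sha256_of_file(path), expected_hex.strip().lower())

if __name__ == "__main__":
    # hypothetical usage: python verify_download.py <downloaded file> <VirusTotal report URL>
    local, url = sys.argv[1], sys.argv[2]
    expected = sha256_from_virustotal_url(url)
    ok = verify_file(local, expected)
    print(f"{local}: sha256 {'matches' if ok else 'DIFFERS from'} scanned file {expected}")
    sys.exit(0 if ok else 1)
```

A mismatch does not by itself mean the file is malicious, only that it is not the sample the report describes; a match tells you the report (and its false-positive count) applies to exactly the bytes you downloaded.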
shoorick
seems, Baidu tries to protect us from wisdom
Post 27 May 2016, 10:03
TheRaven
Off topic: thanks to Shoorick for his work on WaFAsm Studio.

Virus Total seems in need of an update to its report that fasmg is passive regarding Microsoft antivirus identification and treatment. It is apparent that assembler is still scoffed at as a black-hat special interest, lowering the allegation that HLL developers have evolved intellectually over the last two decades.

Thanks for the response Tomasz; FAsm being so available and very popular among assemblers, I assumed it was understood by O.S. and antivirus software developers and vendors; guess I'm the fool in this matter. Perfect example of the blind leading the blind...

In closing, I thought the matter should be discussed for general safety consideration, and am very aware of legacy antivirus reports concerning FAsm 1. It just seems that antivirus and operating system devs/vendors should have caught up with 2016, but sadly it is the same old sh!t marketing laziness.
Post 27 May 2016, 18:38
TheRaven
shoorick wrote:
seems, Baidu tries to protect us from wisdom

IKR - pathetic.

Post 27 May 2016, 20:23
TheRaven
Good news - I can now download FAsmG without triggering Windows Defender BS. You'd think that Microsoft would know about FAsm due to the fact that it's been around since Win2K Pro (for me anyway), and that was how long ago? Too d^mn long for this crap to occur.

Anyway, I'm happy now ...and back to business.
Post 10 Sep 2016, 18:36
donn
Getting this again with fasmg on Win10 with Windows Defender.

Trying to upgrade one of my four current projects to use CALM today.

If anyone else gets this, I assume you can turn Defender off, but alternatively you can:
1. Go to Windows Security -> Open Windows Security.
2. Virus & threat protection.
3. Protection history.
4. Find 'Threat blocked' Severe at the timestamp it occurred.
5. Allow via UAC.
6. Actions->Allow on the Affected item: file: C:\Users\User\Downloads\fasmg\fasmg.exe
Threat detected: Trojan:Win32/Wacatac.C!ml

I thought the Win exe was left out, buried in a separate folder, or we had to build from source now! After the steps above, the .exe came back. Now on to upgrading this project so I don't have to keep fully qualifying local variables (will be a huge timesaver).
Post 24 Mar 2020, 16:14
Tomasz Grysztar
It seems like a recent surge of false detections: https://www.virustotal.com/gui/file/b377ed4a6dc1adf40718bc0a3485693656b84512f004f5782786ef1fe879e5e9/detection

I wanted to investigate what's triggering it, but for some reason Defender on my machine has stopped detecting it even after I removed it from Allowed list.

I can only ask everyone that if you have an opportunity to report such problems to AV providers, please do so.

Note that you can always assemble fasmg from scratch using fasm 1, or use a Linux version of fasmg to assemble the Windows version, etc. For extreme safety, you might even assemble with listing (through .fas when assembling with fasm 1, or with listing.inc in case of fasmg) and then review all the bytes.
Post 24 Mar 2020, 16:22
donn
With Windows Defender, it seems the options are not that great. I reached out to Msft support and they said the site would have to reach out to them, unfortunately. I included the chat as an attachment.

And yes, I thought the omission of the .exe was initially a new challenge, where we now had to assemble ourselves. Wouldn't mind that challenge, and it seems fitting as part of an assembler download.

Attachment: MsftChat.txt (2.4 KB)
Post 24 Mar 2020, 17:29
Tomasz Grysztar
They have a publicly available form where anyone can report a false positive. However I'm not doing this now, because Defender no longer detects anything in fasmg.exe on my machine - maybe it's the updated definitions, I don't know.
Post 24 Mar 2020, 18:11
donn
OK submitted report!
Post 24 Mar 2020, 19:48
donn
That was fast! Looks like they resolved it:
Submission details
fasmg.exe
Status: Completed
Submitted: Mar 24, 2020 3:46:32 PM
User Opinion: Incorrect detection
Analyst comments:

We have removed the detection. Please follow the steps below to clear cached detection and obtain the latest malware definitions.

1. Open command prompt as administrator and change directory to c:\Program Files\Windows Defender
2. Run “MpCmdRun.exe -removedefinitions -dynamicsignatures”
3. Run "MpCmdRun.exe -SignatureUpdate"

Alternatively, the latest definition is available for download here: https://www.microsoft.com/en-us/wdsi/definitions

Thank you for contacting Microsoft.
Post 25 Mar 2020, 00:22
Tomasz Grysztar
While I manage to keep the standing with Windows Defender mostly under control (with help of the aforementioned reporting path), fasmg.exe has a somewhat unnerving number of false positives on VirusTotal now: https://www.virustotal.com/gui/file/26cbdadbe705c8c8e36d032528c91bb2d586b0c21e4d2890b9d070332d75f171/detection
(in comparison, fasm.exe has almost no detections).

Are you a customer of one of these AVs or do you know anyone that is? If yes, would you be able to report the false positive?
Post 15 Sep 2020, 09:17
donn
Sure, I mostly use Windows Defender, but submitted BitDefender just now:

https://www.bitdefender.com/submit/?success=1
RE: [FP] [URL] Submission 1005654847

I'll follow up if needed and reference the Microsoft definitions if they want to cross-reference their findings.
A bit swamped and stressed now with work, but I'll keep chipping away at this; I may have more antivirus software or can ask around. Just tried running a small productivity tool built with fasmg at work and it was blocked several times. I realize how frustrating it can be downloading and setting things up; it is easy to just give up when you have antivirus in the way.
Post 16 Sep 2020, 05:57
bitRAKE
The behaviors listed by Virus Total are totally bogus:
https://www.virustotal.com/gui/file/26cbdadbe705c8c8e36d032528c91bb2d586b0c21e4d2890b9d070332d75f171/behavior/C2AE

fasmg doesn't do any of that. They fail to exclude their own instrumentation - lame.

revolution
bitRAKE wrote:
The behaviors listed by Virus Total are totally bogus:
Unfortunately many people will unconditionally believe the nonsense because big-corp says it is true.

AVs are the spyware we should be removing.
Post 16 Sep 2020, 07:36
bitRAKE
Using fear to convince people with money that they need your help is kind of a weak position. What do you expect from those kinds of people? Borderline extortion is all they know. There are, of course, real researchers that bring awareness to or fix problems, but that's not what I'm talking about.

revolution, people want to believe a collection of floating turds is a life-raft - that's on them, but don't expect me to jump on board.


Post 16 Sep 2020, 08:13
Tomasz Grysztar
Curiously, every time I upload a new version, even if it initially is not detected, it becomes flagged by some AVs (including aforementioned BitDefender) in about a week or so. Almost as if they updated specifically to be able to detect fasmg.

Could this mean that fasmg.exe is distributed by someone in a context that is considered malicious, poisoning every new release I make? I find it very suspicious, as nothing like that happens with fasm 1.
Post 30 Sep 2020, 14:00
revolution
The internal rules used by AVs are not published so we can't know what is triggering it.

Maybe just ignore it. If people want to blindly believe their AV, rather than do their own research, then that is their problem IMO. People that actually understand how to use fasmg, and assemblers in general, might be more willing to take the extra five minutes and make up their own mind.

Do you really want to keep playing this endless game of whack-a-mole?
Post 30 Sep 2020, 14:09

Copyright © 1999-2020, Tomasz Grysztar. Also on GitHub, YouTube, Twitter.