flat assembler
Message board for the users of flat assembler.

OllyDbg & FASMW recognized as viruses by AVG Free.

MHajduk
Today my AVG Free Edition recognized OllyDbg 1.10 as a virus Obfustat.SS. What's going on?

Olly was downloaded from http://www.ollydbg.de/download.htm.

The same about 'FASMW.EXE' (see next posts).


[Attached image: OllyDbgAsVirus.png. Description: OllyDbg 1.10 as a virus Obfustat.SS.]

Last edited by MHajduk on 11 Jul 2007, 07:37; edited 3 times in total
Post 10 Jul 2007, 09:42
DustWolf
Probably a false positive.

I suppose AVG must have some kind of contact information or forum where you can ask about it?

On AVs... A while ago, all my FASM programs that used the GlobalAlloc memory allocation API were identified as viruses. I reported the false positive but nothing happened. I guess the people who make these identification libraries don't care much for the false positives of a few developers... so long as it covers all of their viruses.
Post 10 Jul 2007, 10:33
HyperVista
I agree with DustWolf. It's likely a false positive based on binary signature, which is not all that unusual. Check out this recent article about Kaspersky Labs and a Chinese AV company suing each other over false positives.
Post 10 Jul 2007, 10:49
DustWolf


Quote:
the judge would do well to issue a long-standing subpoena to the parents of each company to make sure no one is spit on, or that no lunch money is brutally stolen while the court makes attempts at progress.


[laughing emoticon]
Post 10 Jul 2007, 11:15
vid
When they see routines for handling the PE executable header, it is very suspicious to them. Many un/packers and debuggers have caused an alarm with some AV at times.
Post 10 Jul 2007, 11:26
MHajduk
Yes, I also suspect that it's a false positive. Unfortunately AVG "heals" Olly by deleting him.

I've found a partial solution to this problem: downloading an older Olly version (1.08), which isn't "suspicious" to AVG.
Post 10 Jul 2007, 11:37
kohlrak
Do a full scan; Olly isn't tagged by AVG on my compy. You could have something that edited Olly and put itself in.
Post 10 Jul 2007, 12:19
MHajduk
Most interesting is that the virus was also found in the zip archive with Olly 1.10, which I downloaded today to "repair" the already installed debugger.

BTW, I performed a full system scan yesterday. My AVG is updated every day.
Post 10 Jul 2007, 12:29
MHajduk
It should be even more interesting for you, guys: after today's full system scan FASMW.EXE in 'fasmw167.zip' was recognized as Obfustat.OS virus. No more threats found.

[Attached image: FASMWAsVirus.png. Description: FASMW.EXE as a virus Obfustat.OS]

Post 10 Jul 2007, 13:18
LocoDelAssembly
AVG doesn't provide any info about Obfustat.OS?
Post 10 Jul 2007, 14:24
MHajduk
Obfustat fake threats.

BANG! 200th post.
Post 10 Jul 2007, 14:57
DOS386
Quote:
Today my AVG Free Edition recognized OllyDbg 1.10 as a virus Obfustat.SS. What's going on?


Known issue, no "fix" can be expected within next 1'000'000'000'000 years


[Attached image: FPROT6.png. Description: Virii]



Post 10 Jul 2007, 21:16
handyman
I ran the AVG update just a bit ago this evening and the AVG scanner is now passing FASMW 1.67.21 and Ollydbg 1.10 as OK.

Also see:
http://board.flatassembler.net/topic.php?t=7310
Post 13 Jul 2007, 02:17
Furby
Nice name, Mikołaj

Can you add it to a clean list? I use NOD32 at work and Avast at home, so I don't know much about the issue.
Post 13 Jul 2007, 19:39
MHajduk
Furby wrote:
Nice name, Mikołaj
Thanks.

BTW, this name has become more common lately... (more and more little namesakes)...
Post 13 Jul 2007, 20:06
kohlrak
Not surprising. More programs, so theoretically more signatures, eventually more are going to match, right?
Post 20 Jul 2007, 16:12
MHajduk
kohlrak wrote:
Not surprising. More programs, so theoretically more signatures, eventually more are going to match, right?
Yes, that's true.
Post 20 Jul 2007, 20:26
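kohlrak's point above (more signatures, so more accidental matches), worked through as an added example that is not part of the original thread: a toy substring scanner run over constructed random "benign" files. The function names, the uniform-random byte model and the 2-byte signatures (far shorter than real ones, chosen to make the effect visible) are assumptions.

```python
import math
import random


def false_match_probability(file_size, sig_len, num_sigs):
    """Chance that a file of uniformly random bytes contains at least one of
    num_sigs random sig_len-byte signatures (offsets treated as independent)."""
    positions = max(file_size - sig_len + 1, 0)
    p_single = 256.0 ** -sig_len  # one signature matching at one offset
    # 1 - (1 - p)^(positions * num_sigs), computed without losing precision
    return -math.expm1(positions * num_sigs * math.log1p(-p_single))


def random_bytes(rng, n):
    """Constructed sample data: n pseudo-random bytes from a seeded generator."""
    return rng.getrandbits(8 * n).to_bytes(n, "little")


def flagged_counts(db_sizes, n_files=200, file_size=4096, sig_len=2, seed=1):
    """Scan constructed benign files against growing prefixes of one signature
    database and return how many files are flagged at each database size."""
    rng = random.Random(seed)
    files = [random_bytes(rng, file_size) for _ in range(n_files)]
    sigs = [random_bytes(rng, sig_len) for _ in range(max(db_sizes))]
    return [sum(any(s in f for s in sigs[:n]) for f in files) for n in db_sizes]


if __name__ == "__main__":
    sizes = [0, 1, 10, 100]
    for n, hits in zip(sizes, flagged_counts(sizes)):
        model = false_match_probability(4096, 2, n)
        print(f"{n:4d} signatures: {hits:3d}/200 files flagged (model {model:.1%})")
    # Realistic lengths: a 1 MB file against ten million 16-byte signatures
    print(false_match_probability(1_000_000, 16, 10_000_000))
```

With 16-byte signatures the random-collision probability printed on the last line is vanishingly small. Real executables are not random bytes: they share library code and common instruction sequences, which this model does not capture.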
rugxulo
Even my dumb, wimpy (buggy?) DOS ATTR.COM is (still) detected as "suspicious unknown EXE / COM virus" by AVG Free. (And it doesn't even open / read / create / modify / write / close / delete any files or stay resident!!)

There are three possible ways around it:


  • pack your .COMs and .EXEs (624, aPACK, 32Lite, UPX)
  • turn off heuristics in AVG Free Resident Shield (under Properties)
  • send the .ZIP (encrypted) w/ password in body to virus AT grisoft DOT com


If these don't help, please post here!!
Post 20 Jul 2007, 20:27
kohlrak
It's not just AVG Free, though AVG Free is becoming more and more known for this. I guess that would actually be a good sign for AVG, because that would mean its virus db is bigger, hence all the false alarms. But, because this problem is becoming more and more common, I think it's now important that we come up with something other than "signatures" and more towards potential threat opcodes and calls. Especially because the webdav (sp?) thing seems to get through firewalls pretty well.
Post 22 Jul 2007, 20:30
asmfan
After loading FASMW on www.virustotal.com I got a funny result:
Quote:
Webwasher-Gateway 6.0.1 2007.07.23 Win32.Malware.gen (suspicious)

lol, seems all of us are getting compiled malware )))

Post 23 Jul 2007, 07:56

Copyright © 1999-2019, Tomasz Grysztar.
