flat assembler
Message board for the users of flat assembler.

flat assembler > Heap > malware alert for FASM.EXE (WIN32 command line tool) COMODO

shutdownall
Joined: 02 Apr 2010
Posts: 518
Location: Munich
A few minutes ago I got a malware alert from COMODO for FASM.EXE in the /source/win32 directory (command line tool).
This wasn't delivered as an EXE, only as source, but yesterday evening I compiled it (Z80 version) to an EXE.

I sent it to COMODO as a "wrong alert", but does anybody know about some suspicious code lines in there?
Maybe there was a reason why it was delivered only as source.

I tracked all other versions now, but got no alert again. Maybe because I marked it as a wrong alert, not sure.
Post 15 Jan 2012, 15:27
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 16578
Location: Earth 2.0 beta
Yep, looks like it is time to delete your antivirus software.

Please, no more antivirus alerts. Those programs change their definitions far too often to know what triggers these things. One minute it could be X and the next minute it could be Y. The best solution is to delete the AV. The next best solution is to ignore the alerts and forget about it.
Post 15 Jan 2012, 15:40
shutdownall
Joined: 02 Apr 2010
Posts: 518
Location: Munich
revolution wrote:
The best solution is to delete the AV.

I don't think so.
For me, I would rather have one warning too many than one too few, and be left to decide what to do. And you cannot seriously expect users out there to delete or change their antivirus/malware kits because of a reaction to your delivered software.

The best solution is to check what's going on and which code sequence is interpreted as malicious when it was not planned that way.

And it doesn't help at all to move those messages into the Heap or trash section. Maybe there have been more warnings recently, but I did not search the Heap forum for this because I did not expect it to be discussed here.

Maybe Microsoft does the same with unwanted error reports, and that's the reason why so many traps in their software get found by third-party people.
Post 15 Jan 2012, 16:09
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 16578
Location: Earth 2.0 beta
There have been many many scary warnings about fasm code by AVs. There will always be the warnings because of the nature of the AVs and how they work.

Like I said above there is no way to reliably avoid these warnings. The reasons for the warnings are continually changing. One day the code is fine, the next day the same code has a problem, and the third day it is fine again. It is a race we can't win, and is just a waste of time to change the source code just to suit a particular AV each and every time there is a new warning.

The actual real problem is the AV falsely detecting something bad that does not exist. Therefore, in theory, it is up to the AV company to correct their problem. The way to "encourage" the AV company to fix their problem is to tell them their product is faulty and ask for a fix or simply delete the AV and tell them that you deleted it because it is an annoying product that can't tell the good from bad.

That said I thoroughly encourage people to use: http://www.virustotal.com/
For pretty much all code you upload to virustotal it will trigger at least one, and often more than one, AV detection. And each day the detections change to different scanners with different ideas about what badness is inside. Trying to fix it for ALL scanners in perpetuity is an endless nightmare.
Post 15 Jan 2012, 18:06
Dex4u
Joined: 08 Feb 2005
Posts: 1601
Location: web
First, never use virustotal: if it gets one detection, it passes to all other AVs.
I have been doing some tests, and some things that set AVs off:
Code:
section '.text' code readable executable writeable
Or putting
Code:
section '.data' data readable writeable
Before:
Code:
section '.text' code readable executable
Or code like this
Code:
        mov     esi,Test_Key
        mov     edi,Test_Key_1
        mov     ecx,12
  .Key_loop:
        lodsb
        lodsb
        lodsb
        lodsb
        stosb
        loop    .Key_loop
I have many more; you can add your own, but do not test on virustotal.
Only test here: http://vscan.novirusthanks.org/
And you must click the "Do not distribute the sample" button.
Post 16 Jan 2012, 01:35
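The three traits Dex4u lists (a writable and executable code section, a data section placed ahead of the code section, and the lodsb/stosb copy loop) can all be spotted statically before a file is sent to any scanner. What follows is an added example, not code from the original post, from fasm or from any AV vendor: a Python script that parses the PE section table and reports writable+executable sections, a data section that precedes the first code section, and the byte form of the loop quoted above (four `lodsb` = AC AC AC AC, `stosb` = AA, `loop rel8` = E2 xx). The PE images it runs on are constructed in memory by a minimal builder (no import table, not loadable); the section names, flags, addresses and sample bodies are assumptions made for the example.

```python
"""Added example: static check for the PE section traits discussed in the thread.

Reports (1) sections that are both writable and executable, (2) a data section
placed ahead of the first code section, and (3) the byte form of the
lodsb x4 / stosb / loop snippet.  build_pe() constructs a minimal PE32 image in
memory so the check runs offline; the samples are constructed, not fasm output.
"""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# lodsb lodsb lodsb lodsb stosb loop rel8  ->  AC AC AC AC AA E2 xx
KEY_LOOP_PATTERN = bytes([0xAC, 0xAC, 0xAC, 0xAC, 0xAA, 0xE2])

FILE_ALIGN = 0x200
OPT_HDR_SIZE = 224  # size of a PE32 optional header with 16 data directories


def parse_sections(pe):
    """Return [(name, raw_offset, raw_size, characteristics)] from a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_opt  # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        sections.append((name, raw_ptr, raw_size, chars))
    return sections


def audit(pe):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    sections = parse_sections(pe)
    first_code = next((i for i, s in enumerate(sections)
                       if s[3] & IMAGE_SCN_MEM_EXECUTE), None)
    first_data = next((i for i, s in enumerate(sections)
                       if s[3] & IMAGE_SCN_CNT_INITIALIZED_DATA
                       and not s[3] & IMAGE_SCN_MEM_EXECUTE), None)
    if first_code is not None and first_data is not None and first_data < first_code:
        findings.append("data-before-code: %s precedes %s"
                        % (sections[first_data][0], sections[first_code][0]))
    for name, ptr, size, chars in sections:
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            findings.append("writable+executable: %s (0x%08X)" % (name, chars))
        if KEY_LOOP_PATTERN in pe[ptr:ptr + size]:
            findings.append("key-loop pattern: %s" % name)
    return findings


def build_pe(sections):
    """Construct a minimal PE32 image from [(name, characteristics, body)] (assumed layout)."""
    header_len = 64 + 4 + 20 + OPT_HDR_SIZE + 40 * len(sections)
    header_size = -(-header_len // FILE_ALIGN) * FILE_ALIGN
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, OPT_HDR_SIZE, 0x0102)
    opt = bytearray(OPT_HDR_SIZE)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    table, bodies = b"", b""
    raw_ptr, va = header_size, 0x1000
    for name, chars, body in sections:
        raw_size = -(-len(body) // FILE_ALIGN) * FILE_ALIGN
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(body),
                             va, raw_size, raw_ptr, 0, 0, 0, 0, chars)
        bodies += body.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        va += 0x1000
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table).ljust(header_size, b"\0")
    return headers + bodies


# Constructed sample: the loop from the post assembled by hand (addresses assumed):
#   mov esi,imm32 / mov edi,imm32 / mov ecx,12 / lodsb x4 / stosb / loop -7 / ret
KEY_LOOP_CODE = (b"\xBE\x00\x20\x40\x00" b"\xBF\x0C\x20\x40\x00" b"\xB9\x0C\x00\x00\x00"
                 b"\xAC\xAC\xAC\xAC\xAA" b"\xE2\xF9" b"\xC3")
FLAGGED_PE = build_pe([
    (".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE,
     b"Test_Key" * 6),
    (".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE,
     KEY_LOOP_CODE),
])
CLEAN_PE = build_pe([
    (".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE,
     b"\x31\xC0\xC3"),  # xor eax,eax / ret
    (".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE,
     b"hello\0"),
])

if __name__ == "__main__":
    for label, image in (("flagged", FLAGGED_PE), ("clean", CLEAN_PE)):
        print(label, audit(image) or ["no findings"])
```

To run it against a real build, read the file and pass the bytes to `audit()`; the flagged sample produces all three findings, the clean one none. The check is deliberately only as smart as the heuristics it mimics: a writable code section is a legitimate fasm choice for self-modifying code, so a finding means "a scanner may dislike this", not "this is malicious".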
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 16578
Location: Earth 2.0 beta
Dex4u wrote:
... virustotal, if it gets one detection, it pass to all other AV's.
Why do you say that? I've seen many files that get more than one detection. I've even seen genuine virus files trigger every AV.
Post 16 Jan 2012, 01:42
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 16578
Location: Earth 2.0 beta
Dex4u wrote:
Only test here: http://vscan.novirusthanks.org/
And you must click "Do not distribute the sample" button.
Why do you say "only test here ..."? Is it not always better to use more than one service if you are suspicious of them? Can we not use both services (and others if they exist)?

And why "must" check the button? What is your reasoning behind this? Why not let the user have a choice?
Post 16 Jan 2012, 01:45
Dex4u
Joined: 08 Feb 2005
Posts: 1601
Location: web
revolution wrote:
Dex4u wrote:
Only test here: http://vscan.novirusthanks.org/
And you must click "Do not distribute the sample" button.
Why you say "only test here ..."? It is not always better to use more than one service if you are suspicious of them? Can we not use both services (and others if they exist)?

And why "must" check the button? What is your reasoning behind this? Why not let the user have a choice?

If you test, for example, fasm.exe at virustotal and it says it's a virus (we know it's a false positive), it will send a hash out to all other AVs as a virus.
Now we do not want that.

If you test the same file (fasm.exe) at novirusthanks and click the "Do not distribute the sample" button, then it will not be sent out to other AVs, even if detected (by a false positive).

Now if you want your code to be seen as a virus, by a false positive from VT, then go ahead and use virustotal.

We are talking about testing our own code here, or trusted code like fasm, not stuff we got off the net.
Post 16 Jan 2012, 02:17
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 16578
Location: Earth 2.0 beta
Dex4u wrote:
If you test for example fasm.exe at virustotal and it says its a virus, (we know its a false positive) it will send a hash out to all other AV as a virus.
No it doesn't. It sends your file (not the hash) to the AV companies for testing.
Dex4u wrote:
Now we do not want that.
Why not? The more samples the AV companies get the better chance they have of getting their AVs working properly.


Last edited by revolution on 16 Jan 2012, 02:28; edited 1 time in total
Post 16 Jan 2012, 02:27
typedef
Joined: 25 Jul 2010
Posts: 2909
Location: 0x77760000
here are my results on both sites: (My e-mail reaper)

File Info

Report date: 2012-01-16 03:24:02 (GMT 1)
File name: darknemesis-exe
File size: 3072 bytes
MD5 Hash: fe22c74faf3792827672f9249929952c
SHA1 Hash: debe437b47a7155842e03b90d239b0b4791105f1
Detection rate: 2 on 9 (22%)
Status: INFECTED

Detections

Avast -
AVG -
Avira AntiVir -
ClamAV -
Comodo -
Emsisoft -
F-Prot - W32/new-malware!Maximus
Ikarus -
TrendMicro - PAK_Generic.008

Scan report generated by NoVirusThanks.org

And Virustotal

https://www.virustotal.com/file/f8b76b8540bcfae097bc565dbeb8a4f1642b76d0c4b38710bc269fe21880efbb/analysis/1326680676/
Post 16 Jan 2012, 02:27
typedef
Joined: 25 Jul 2010
Posts: 2909
Location: 0x77760000
All it does is Open an HTTP handle and connect to a site and read bytes.
Post 16 Jan 2012, 02:28
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 16578
Location: Earth 2.0 beta
My funniest situation I had was when Symantec AV detected my source code for CRC computation as malware and quarantined it. The customer was very unhappy that I had sent a virus to them. We wasted far too much time on that one stupid thing trying to convince the customer that text files were no threat and that the AV was at fault. For the cost of the wasted time we could have bought ten copies of other AVs to show that the file was harmless. After that the customer no longer trusted the AV and they eventually removed it after finding out that lots of other stuff was also incorrectly quarantined for no good reason.
Post 16 Jan 2012, 02:38
typedef
Joined: 25 Jul 2010
Posts: 2909
Location: 0x77760000
Post 16 Jan 2012, 03:20
Dex4u
Joined: 08 Feb 2005
Posts: 1601
Location: web
typedef wrote:
here are my results on both sites: (My e-mail reaper)

File Info

Report date: 2012-01-16 03:24:02 (GMT 1)
File name: darknemesis-exe
File size: 3072 bytes
MD5 Hash: fe22c74faf3792827672f9249929952c
SHA1 Hash: debe437b47a7155842e03b90d239b0b4791105f1
Detection rate: 2 on 9 (22%)
Status: INFECTED

Detections

Avast -
AVG -
Avira AntiVir -
ClamAV -
Comodo -
Emsisoft -
F-Prot - W32/new-malware!Maximus
Ikarus -
TrendMicro - PAK_Generic.008

Scan report generated by NoVirusThanks.org

And Virustotal

https://www.virustotal.com/file/f8b76b8540bcfae097bc565dbeb8a4f1642b76d0c4b38710bc269fe21880efbb/analysis/1326680676/

Now that you have used virustotal, retest in 1-2 weeks and your detection rate will be much higher.
Post 16 Jan 2012, 03:25
typedef
Joined: 25 Jul 2010
Posts: 2909
Location: 0x77760000
^^ Who cares. You are all going to use it anyway. So expect it.

Plus, I made a malware and it is detected by only one of those. See, once you take over a machine, say a fresh install of Windows, you can control all the software installations, i.e. using a config file. You could blacklist all the known anti-viruses so they don't get installed or run.

In the case of safe mode, well, why not just replace user32.dll and kernel32.dll (and the ones in the dllcache folder) with your own proxy DLLs and hook all the processes. TOTAL WIN!
Post 16 Jan 2012, 03:32
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 16578
Location: Earth 2.0 beta
typedef wrote:
Some AVs are terribly designed:
Hehe, only some? I thought the whole paradigm was wrong from the start. AVs "encourage" users to become complacent, trusting and lazy towards external programs.

Yes, Avira detected itself as malware. Avira played it down as affecting "only 5000 users so it was a minor problem"! Those 5000 people had major problems getting things running again.

Also, I forget which AV it was and I'm too lazy to google it now but, one of the AVs detected a critical Windows file as malware and rendered many systems unbootable. The threat to your system from the AVs is as large as the threat from malware. At least modern malware attempts to keep your system running, whereas AVs will happily kill your system if they detect the wrong file and "protect" you by rendering your system unusable.
Post 16 Jan 2012, 03:40
typedef
Joined: 25 Jul 2010
Posts: 2909
Location: 0x77760000
^^ Norton.
Post 16 Jan 2012, 04:35
DOS386
Joined: 08 Dec 2006
Posts: 1904
Post 16 Jan 2012, 05:04
typedef
Joined: 25 Jul 2010
Posts: 2909
Location: 0x77760000
Hehehehe, look:

[image]
Post 16 Jan 2012, 10:21
JohnFound
Joined: 16 Jun 2003
Posts: 3499
Location: Bulgaria
I fully agree with revolution here! If an AV gives you a false positive it is not your fault, it is the fault of the AV!
BTW, I removed my previous AV because for 5 years it gave me only false positives. Now I have installed ClamAV (for emergency cases). It does not have on-the-fly checks, so I am pretty satisfied.
Post 16 Jan 2012, 12:51
Copyright © 1999-2019, Tomasz Grysztar.