flat assembler
Message board for the users of flat assembler.

flat assembler > Heap > Malicious Using libc in assembly example

zhak
Chrome blocks Using libc in assembly (http://flatassembler.net/examples/flibc.zip) as malicious
Post 25 Sep 2016, 18:01
Tomasz Grysztar
Is this rating attached to the URL, or is it because of the file contents?
Perhaps some other site recognized as malicious was linking to this URL and this caused the problems.
Post 25 Sep 2016, 18:34
JohnFound
It is because of Google, they want people to stop using assembly language and to write only in JS. :D
Post 25 Sep 2016, 18:36
Tomasz Grysztar
Should I remove the file to prevent bad rating from "leaking" into the whole site?
Post 25 Sep 2016, 18:40
revolution
IMO we can't fight this and would waste time trying. Today we remove one innocent file, then tomorrow another and etc. etc. etc.

Let people make their own determination and stop relying on Google to "protect" them. Google has a great search engine, but I wouldn't trust them to protect me from anything.

IMO let it be. If Google wish to downgrade or whatever, well, life is too short to be pandering to every big corps' whimsies. [/rant] :P


Last edited by revolution on 25 Sep 2016, 21:05; edited 1 time in total
Post 25 Sep 2016, 19:02
rugxulo
revolution is right, it's pointless to worry about (esp. hiding decent stuff). Bad heuristics have bitten me literally dozens of times with various browsers (and AVs), always for innocuous things (even plain sources!). It's overreaching on their part (or even reckless incompetence since it occurs so frequently).
Post 25 Sep 2016, 21:00
zhak
Maybe repackaging could cure the archive? People could be scared to download it.
Post 25 Sep 2016, 21:05
revolution
zhak wrote:
Maybe repackaging could cure the archive?
For how long though? It is Google's problem actually, they are the ones giving false information.
Post 25 Sep 2016, 21:09
sleepsleep
I suggest showing file hashes in /examples, and /download, fasmarm and freshide.
Post 26 Sep 2016, 03:01
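The hash-publishing idea above, as an added example that is not code from this board or from fasm itself: a small Python script that produces a sha256sum-style manifest for a download directory and checks a fetched file against it, so a visitor can tell an archive that merely trips an AV heuristic from one that actually differs from what the site published. The manifest file name SHA256SUMS and the sample file contents are assumptions constructed for the demo.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Hex SHA-256 of a file, read in chunks so large archives are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(directory: Path) -> str:
    """One '<hex digest>  <file name>' line per regular file, sorted, like sha256sum output."""
    lines = [f"{sha256_file(p)}  {p.name}" for p in sorted(directory.iterdir())
             if p.is_file() and p.name != "SHA256SUMS"]  # assumed manifest name
    return "\n".join(lines) + "\n"


def parse_manifest(text: str) -> dict:
    """Map file name -> expected digest; malformed lines raise instead of being skipped."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, sep, name = line.partition("  ")
        if not sep or len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        entries[name] = digest.lower()
    return entries


def verify_download(path: Path, manifest: dict) -> str:
    """Return 'ok', 'mismatch' or 'unlisted' (a file the manifest never covered is not 'ok')."""
    expected = manifest.get(path.name)
    if expected is None:
        return "unlisted"
    return "ok" if hmac.compare_digest(sha256_file(path), expected) else "mismatch"


def demo() -> dict:
    """Constructed sample: publish a file, then replace it and check again."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "flibc.zip").write_bytes(b"PK\x03\x04 constructed sample archive")
        manifest = parse_manifest(build_manifest(d))
        before = verify_download(d / "flibc.zip", manifest)
        (d / "flibc.zip").write_bytes(b"PK\x03\x04 tampered archive")  # simulate a swapped download
        (d / "extra.bin").write_bytes(b"not in the manifest")
        return {"before": before,
                "after": verify_download(d / "flibc.zip", manifest),
                "unlisted": verify_download(d / "extra.bin", manifest)}
```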
Picnic
A problem that arises is that users possibly will not try an application after such a warning. How to distribute even a small win32 program when ESET, Chrome, VirusTotal etc. complain?
Post 26 Sep 2016, 09:18
JohnFound
Out of the jokes, Picnic is right that the problem needs some solution. But revolution is also right that the problem is actually Google's problem, not ours.

This way the only proper way is to signal Google about its problem and to insist that they fix it.
Post 26 Sep 2016, 12:48
JohnFound
Especially for Google I found the following FAQ: https://www.google.com/transparencyreport/safebrowsing/faq/?hl=en
Google wrote:
How accurate is this information?

We work very hard to maintain accurate information and have had very few false positives.

Maybe because no one wants to report and simply changes their sites? Google interprets it as removal of malware.
Google wrote:
What if you can’t get in touch with the webmaster because they’re not registered with Google Webmaster Tools?

Every time we add an unsafe site to the list, we make a reasonable effort attempt to inform the webmaster by sending a notification to a standard set of email addresses (e.g., webmaster@[sitename].com; info@[sitename].com; admin@[sitename].com).

Google wrote:
What if I don’t think my site is infected?

Malware can hide in many places, and it can be hard even for experts to figure out if their website is infected. Our accuracy rate is very good, but you can submit your site for a malware review by following the instructions here.
Post 26 Sep 2016, 13:28
zhak
Post 26 Sep 2016, 14:12
zhak
flibcdll.exe is the file that AVs don't like. Well, the solution is obvious: include only source files in the examples and instructions on how to compile them.
Post 26 Sep 2016, 14:16
revolution
Wow, that Google text quoted is vague in the extreme. "very high", "very good", ... What about some actual figures Google?
zhak wrote:
flibcdll.exe is the file that AVs don't like. Well, the solution is obvious: include only source files in the examples and instructions on how to compile them.
I don't think that is the only "solution", or even a "solution" at all. As already reported above even source files can cause problems.
Post 26 Sep 2016, 14:46
Grom PE
Ahah, a file that contains almost no code is marked as suspicious. Good joke, AVs, good joke. I'd be more suspicious of the 54 kb file...

Unfortunately, Google requires jumping through multiple hoops to get stuff unflagged: https://support.google.com/webmasters/answer/3258249 , namely, registering and requesting a review.
And even then, if their argument is an AV trigger, then a false positive needs to be submitted to the AV companies first, as I really doubt Google employees would do that on your behalf...

Really, it's a losing battle, real malware authors make sure to test that their stuff is not detected before they release it, so antiviruses are truly worthless except for money extortion and time waste from users and developers.
Post 26 Sep 2016, 17:32
Enko
In the Google Webmaster Dashboard:
https://www.google.com/webmasters/
there is an option to view the malicious code reports. If something in the website is flagged as malicious it should appear there, and some suggestions would appear.

If the website is not yet registered there, once you do it, all the important unresolved issues will appear.
(It's as easy as uploading a file to the root of the FTP or using a meta tag in the header of the board's HTML.)
Post 28 Sep 2016, 17:34
Picnic
Good day, sorry for digging up this old thread.

I was just wondering, are there any general programming tips to reduce the chances of a simple Windows console application being recognized as a virus? I just uploaded something to VirusTotal and 15 of 62 engines detected this file as suspicious. :x
Post 16 Apr 2018, 10:06
revolution
Picnic wrote:
I was just wondering, are there any general programming tips to reduce the chances of a simple Windows console application being recognized as a virus?
Those virus engines change every day. Sometimes you can alter a few characters and get fewer detections. And then you find it is all changed after they update themselves again. It is a never ending game of back-and-forth. I gave up trying a long time ago, it just wasn't worth the time and effort.

There are too many false positives, and people get annoyed by them. Also there are too many false negatives and people get hacked thinking everything is fine.


Last edited by revolution on 16 Apr 2018, 11:07; edited 1 time in total
Post 16 Apr 2018, 10:37
DimonSoft
I’d suggest just to go on writing the code. As soon as the executable becomes larger the false positives’ rate goes down. And if some perfectly valid piece of code (in HLL it might come from some third-party library) turns out to be in virus bases, there’s nothing we can do anyway.
Post 16 Apr 2018, 11:05
Copyright © 1999-2018, Tomasz Grysztar.