flat assembler
Message board for the users of flat assembler.

FAsmG triggering anti-virus

bitRAKE



Joined: 21 Jul 2003
Posts: 3049
Location: vpcmipstrm
You'd think that Virus Total would vet the tools they use in order to increase the validity of the data they provide, but that doesn't appear to happen either. If there is no process to reach exclusion (white list) then the process is one where the flags just grow. Which is a great business model for the uninformed.

Ideally, Virus Total would apply pressure to AV makers and then exclude them when they stay outside of their guidelines. Their database would give them a meaningful role in this process, but they don't do that. Which means they are meaningless. They need a transparent process of authority to bolster their validity.

...and they would still just be a collection of bad apples in the best case - the failed history of the malicious.

_________________
¯\(°_o)/¯ unlicense.org
Post 30 Sep 2020, 14:37
donn



Joined: 05 Mar 2010
Posts: 196
Submitted Avast:

https://www.avast.com/false-positive-file-form.php?page=success

They did not provide an Incident # for tracking. Not sure what process they use to update their whitelists/blacklists. Maybe if the version keeps changing, they have nothing to compare with and then they run some primitive checks, which they are not updating, or maybe fasmg keeps evolving (like with CALM) so they have a harder time updating their rules. I'm sure self-modifying assembly is a flag; beyond that, this is not surprising, but unfortunate, since the version will keep updating and they need SOME WAY to accommodate this.
Post 18 Oct 2020, 01:34
Tomasz Grysztar



Joined: 16 Jun 2003
Posts: 7797
Location: Kraków, Poland
There is no self-modifying code in fasmg, and no executable data section; CALM uses just a simple VM-like interpreter.
Post 18 Oct 2020, 08:54
donn



Joined: 05 Mar 2010
Posts: 196
Noted!

Heard back from Avast, will see if the clearing holds up on further releases:
Quote:
Avast: Report a URL https://flatassembler.net/fasmg.j27m.zip Request #11828291 ref:_00Db0Z3Sf._5005p2HzGs0:ref
Thank you for reporting this false positive.
Our virus specialists have now cleared its reputation in our database.
With URLs this change should be instant, but it might take up to 24 hours with files.
For future reference you might also find the following article to be useful:
Avast Clean Guidelines.
Post 22 Oct 2020, 14:52
bitRAKE



Joined: 21 Jul 2003
Posts: 3049
Location: vpcmipstrm
So, basically, Avast is flagging the file because it lacks a version info section/resource - as it doesn't fault in any other way listed.

_________________
¯\(°_o)/¯ unlicense.org
Post 22 Oct 2020, 22:42
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17669
Location: In your JS exploiting you and your system
We shouldn't be designing our .exe files just to please Avast, or any other AV.

Unless they put us on the payroll then those false positives and false negatives are their problems they can spend time to solve for themselves, not something we need to solve for them.
Post 22 Oct 2020, 22:57
alexfru



Joined: 23 Mar 2014
Posts: 78
bitRAKE wrote:
So, basically, Avast is flagging the file because it lacks a version info section/resource - as it doesn't fault in any other way listed.


Do you have an example pair of otherwise identical .EXEs to substantiate the claim?
If it's just some stupid section, I could throw it into my .EXEs.
Post 23 Oct 2020, 21:59
bitRAKE



Joined: 21 Jul 2003
Posts: 3049
Location: vpcmipstrm
I just reviewed their guidelines and grokked that with what I know about fasmg. I'm not in favor of AV authors defining what an executable should consist of. Just like I'm not in favor of all this unwinding trash that programs need to be secure. Luckily, I don't need to bow down to this nonsense. This has nothing to do with the ability to comply.

_________________
¯\(°_o)/¯ unlicense.org
Post 24 Oct 2020, 00:25
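
Added example, not part of any post in this thread and not code from the fasmg project: a small PE header inspector that reports the two properties the posters discuss, sections that are both writable and executable, and whether a version-info resource (RT_VERSION) is present. Running it over two builds of the same program gives the side-by-side comparison asked for above. The names `inspect_pe` and `build_sample` are hypothetical, and the sample images are constructed header-only files, not real fasmg binaries.

```python
import struct

RT_VERSION = 16                                   # resource type ID of VS_VERSIONINFO
MEM_EXECUTE, MEM_WRITE = 0x20000000, 0x80000000   # IMAGE_SCN_MEM_* section flags

def inspect_pe(data: bytes) -> dict:
    """Report W+X sections and top-level resource type IDs of a PE image."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsect, opt_size = (struct.unpack_from("<H", data, pe + o)[0] for o in (6, 20))
    opt = pe + 24                                          # optional header start
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    dirs = opt + (112 if pe32plus else 96)                 # data directory array
    ndirs = struct.unpack_from("<I", data, dirs - 4)[0]
    rsrc_rva = struct.unpack_from("<I", data, dirs + 16)[0] if ndirs > 2 else 0
    wx, types = [], []
    for i in range(nsect):
        off = opt + opt_size + 40 * i                      # section header i
        vsize, va, rsize, rptr = struct.unpack_from("<4I", data, off + 8)
        flags = struct.unpack_from("<I", data, off + 36)[0]
        if flags & MEM_EXECUTE and flags & MEM_WRITE:
            wx.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
        if rsrc_rva and va <= rsrc_rva < va + max(vsize, rsize):
            root = rptr + rsrc_rva - va                    # file offset of root dir
            named, ids = struct.unpack_from("<2H", data, root + 12)
            types = [struct.unpack_from("<I", data, root + 16 + 8 * j)[0]
                     for j in range(named, named + ids)]   # ID entries follow named
    return {"writable_executable": wx, "resource_types": types,
            "has_version_info": RT_VERSION in types}

def build_sample(version_info: bool, wx: bool = False) -> bytes:
    """Constructed header-only PE32 image for this demo; not a runnable program."""
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                    # NumberOfRvaAndSizes
    struct.pack_into("<2I", opt, 112, *((0x2000, 24) if version_info else (0, 0)))
    sect = lambda n, va, ptr, fl: struct.pack("<8s6I2HI", n, 0x200, va, 0x200, ptr, 0, 0, 0, 0, fl)
    head = (b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0"
            + struct.pack("<2H3I2H", 0x14C, 2, 0, 0, 0, len(opt), 0x102) + bytes(opt)
            + sect(b".text", 0x1000, 0x200, 0x60000020 | (MEM_WRITE if wx else 0))
            + sect(b".rsrc", 0x2000, 0x400, 0x40000040))
    rsrc = struct.pack("<2I4H2I", 0, 0, 0, 0, 0, 1, RT_VERSION, 0x80000018)
    return head.ljust(0x400, b"\0") + rsrc.ljust(0x200, b"\0")

if __name__ == "__main__":
    for args in ((True,), (False,), (True, True)):
        print(args, inspect_pe(build_sample(*args)))
```

To compare real builds, pass each file's bytes to `inspect_pe` and diff the two results; the function only reads the top level of the resource tree and does not validate the rest of the image.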
Copyright © 1999-2020, Tomasz Grysztar. Also on GitHub, YouTube, Twitter.