flat assembler
Message board for the users of flat assembler.
Windows > Trojan:Win32/Wacatac.B!ml
Overclick 06 Jun 2023, 16:22
Hi
My own project is detected as a Trojan on stupid Windows 11. Any idea? Maybe fasm is infected, or what?
Overclick 06 Jun 2023, 16:38
Hmm..
Could you explain what AV is? AudioVideo?
revolution 06 Jun 2023, 16:40
AntiVirus.
Overclick 06 Jun 2023, 16:49
But that is default Windows Defender and I want my project to be easily used for anyone.
What kind of code of mine could be detected as that Trojan? I'm really confused. All I do is COM via audio devices, playback and streaming to the device. That was working for the past year with no problem, until I tried it now.
Flier-Mate 06 Jun 2023, 18:12
I experienced it from Day 1 since I started FASM programming.
See "My simple compiler generates an EXE identified as trojan". It is useless to submit to Microsoft for whitelisting, because it doesn't change their detection algorithm. Like someone suggested in the thread above, it might be useful to make the code bloated? Perhaps add this somewhere in the .code section?

Code:
_bloat: times 64000 db 0xCC

Of course this is not always practical for our programs.
Overclick 06 Jun 2023, 18:48
That was my previous engine project and new one doesn't have that issue yet until I integrate all things together. Will see but I'm still surprised. Thanks Flier-Mate, I'll keep it in mind.
bitRAKE 06 Jun 2023, 19:04
This and the increasing Windows Store integration are probably the top two reasons not to use Windows 11.
Something that might help is to add an exclusion to Microsoft Defender, but that is certainly not an option for anyone that might use your software.
_________________
¯\(°_o)/¯ “languages are not safe - uses can be” Bjarne Stroustrup
Overclick 06 Jun 2023, 19:35
I hate Windows 11 the same as 8-10 because of the stupid mobile-choppy-touch interface. But I had to move to it for software support. And yes, I have to make my project compatible with the new generation.
But to be honest, I have to note that the sound has MUCH BETTER quality on 11 compared to previous Windows. Even my old project sounds perfect on it: https://sourceforge.net/projects/stereo-to-7-1-converter/
|
Picnic 07 Jun 2023, 05:53
I have the same problem with Hobby BASIC in Windows 10. Sadly, I stopped looking for solutions; they don't seem to last. But it's my personal fun project and I don't care much. In Windows 10, real-time protection won't even let me download it from the fasm forum. And that happens sometimes, not always. How to explain this?
ProMiNick 07 Jun 2023, 08:11
Try to sign your app, even with an untrusted certificate. AVs usually skip signed ones.
revolution 07 Jun 2023, 08:16
ProMiNick wrote:
> Try to sign your app, even with an untrusted certificate. AVs usually skip signed ones.

But doesn't that then give another problem, with Windows complaining that the binary is untrusted when anyone tries to run it?
MatQuasar 01 Feb 2024, 17:09
Two security experts pointed out to me that if the code section is writeable, it is easily flagged by AV as malicious.
I checked three of my programs, and what they said is true: all have characteristic E0000000 (code section) - RWX. The single-section .flat generated by FASM that is 1024 bytes is also this case. Mystery solved for me. The security expert advised me to separate code and data, and move the writeable buffer to the data section. Lesson learned. I hope this helps anyone in the same boat.
Feryno 04 Feb 2024, 17:33
Yes, that writeable code section is a typical red flag. A few years ago I also saw a program without imports that was flagged as infected although it was doing nothing (you can scan kernel32.dll from the return address pushed onto the program stack at the entrypoint). The built-in antivirus ("Virus & threat real time protection" or whatever it is) is very stupid and based on fingerprints - some time ago I saw an activation script KMS_VL_ALL_AIO.cmd which was banned by this "antivirus", but after inserting some innocent line (like "@echo off") the OS built-in "protector" did not recognize it anymore due to the different size and different CRC.
AsmGuru62 04 Feb 2024, 23:53
I once coded a small EXE with all the proper sections: code, data, import, etc.
The AV "quarantined" my EXE as soon as it was created by FASM. It was not a small EXE -- maybe 11K or so. The code was opening the file with a name hardcoded in 'data' section and loading it. Then some (secret) analysis of file was done and another hardcoded-named file was created and results dumped into it. I am still unclear as to why my AV would do this. Excluding the FASM Projects folder from AV fixed the problem. |
MatQuasar 06 May 2024, 08:00
I made a blog post about this, citing comments from members here:
Top 4 Reasons Why Your EXE Are Falsely Detected As Malware
May 06, 2024

1. Your Windows program does not call CreateWindowExA[1]
   CreateWindowExA is a Win32 API for GUI apps to create an overlapped, pop-up, or child window with an extended window style.[2]
2. May be small in size[1]
   A comparison of "Hello, world" console apps shows that assembler generated the smallest EXE (2KB) among Pascal (49KB), C# (4KB) with .NET dependency, and C++ (10KB).[3]
3. Code section is writeable[4]
   It is easily flagged by AV as malicious if the code section has characteristic 0xE0000000 (RWX).
4. Your Windows program calls WriteFile without a corresponding ReadFile API[citation needed]

Solution:
1. Set an "Exception" for your project folder.[5]
2. Your options are to rewrite/reorder/change your code.[6]
3. Always separate code and data; move the writeable buffer to the data section.[4]

Citations:
[1] https://board.flatassembler.net/topic.php?p=230958#230958
[2] https://learn.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-createwindowexa
[3] https://forum.lowyat.net/index.php?showtopic=5029150
[4] https://board.flatassembler.net/topic.php?p=237892#237892
[5] https://board.flatassembler.net/topic.php?p=232007#232007
[6] https://board.flatassembler.net/topic.php?p=230607#230607
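A checker for the writeable-code-section red flag that MatQuasar describes (his 01 Feb 2024 post and reason 3 in the blog post above); this is an added example, not code from the thread or from fasm. It parses the PE section table and reports any section whose characteristics include the full RWX mask 0xE0000000. The input is a constructed minimal PE header standing in for a fasm-built EXE (header layout only, not a runnable program); pass the bytes of your own binary to rwx_sections to check it.

```python
import struct

# Section characteristic flags from the PE/COFF specification
IMAGE_SCN_CNT_CODE             = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE          = 0x20000000
IMAGE_SCN_MEM_READ             = 0x40000000
IMAGE_SCN_MEM_WRITE            = 0x80000000
RWX = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE   # 0xE0000000

def pe_sections(data):
    """Walk the section table of a PE image; return [(name, characteristics)]."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4                         # IMAGE_FILE_HEADER follows the signature
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    off = coff + 20 + size_opt                  # section headers follow the optional header
    out = []
    for _ in range(nsec):                       # each IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        chars = struct.unpack_from("<I", data, off + 36)[0]
        out.append((name, chars))
        off += 40
    return out

def rwx_sections(data):
    """Sections that are readable, writeable and executable at once (the 0xE0000000 red flag)."""
    return [(n, c) for n, c in pe_sections(data) if c & RWX == RWX]

def build_sample_pe(sections):
    """Constructed minimal PE32 header (DOS stub, COFF header, zeroed optional header, section table)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)             # PE32 magic, rest zeroed
    hdrs = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), 0x1000, 0x1000 * (i + 1),
                    0x200, 0x400 + 0x200 * i, 0, 0, 0, 0, chars)
        for i, (name, chars) in enumerate(sections))
    return dos + b"PE\0\0" + coff + opt + hdrs

# Constructed stand-in for a single section declared 'code readable writeable executable'
SINGLE_RWX = build_sample_pe([(".flat", IMAGE_SCN_CNT_CODE | RWX)])
# Constructed stand-in after splitting: code read+execute, writeable buffers in a data section
SPLIT = build_sample_pe([
    (".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE),
    (".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])
```

rwx_sections(SINGLE_RWX) reports the .flat section with characteristics 0xE0000020, while the split layout reports nothing.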
revolution 06 May 2024, 08:13
MatQuasar wrote:
> Solution:

0. Delete the AV.
MatQuasar 06 May 2024, 08:21
revolution wrote:
> You missed the most effective and pleasant option:
Ali.Z 06 May 2024, 23:30
MatQuasar wrote:
> 1. Your Windows program does not call CreateWindowExA[1]

irrelevant.
_________________
Asm For Wise Humans
Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.