flat assembler
Message board for the users of flat assembler.

Index > Windows > Trojan:Win32/Wacatac.B!ml

Author
Thread Post new topic Reply to topic
Overclick



Joined: 11 Jul 2020
Posts: 669
Location: Ukraine
Overclick 06 Jun 2023, 16:22
Hi
My own project detected as Trojan on stupid Windows 11. Any idea? Surprised

Maybe fasm infected or what?
Post 06 Jun 2023, 16:22
View user's profile Send private message Visit poster's website Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20451
Location: In your JS exploiting you and your system
revolution 06 Jun 2023, 16:29
Overzealous AV.

Your options are to rewrite/reorder/change your code.

Or delete your AV.

Note that malware writers can do exactly the same to stop it triggering, so it brings into question the usefulness of AVs.
Post 06 Jun 2023, 16:29
View user's profile Send private message Visit poster's website Reply with quote
Overclick



Joined: 11 Jul 2020
Posts: 669
Location: Ukraine
Overclick 06 Jun 2023, 16:38
Hmm..
Could you explain what is AV? AudioVideo?
Post 06 Jun 2023, 16:38
View user's profile Send private message Visit poster's website Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20451
Location: In your JS exploiting you and your system
revolution 06 Jun 2023, 16:40
AntiVirus.
Post 06 Jun 2023, 16:40
View user's profile Send private message Visit poster's website Reply with quote
Overclick



Joined: 11 Jul 2020
Posts: 669
Location: Ukraine
Overclick 06 Jun 2023, 16:49
But that is default Windows Defender and I want my project to be easily used for anyone.
What kind of my code can be detected as that Trojan? I'm confused really. All I do is COM via audio devices, playback and stream to device. That was working for past year no problem until I tried it now.
Post 06 Jun 2023, 16:49
View user's profile Send private message Visit poster's website Reply with quote
Flier-Mate



Joined: 26 May 2023
Posts: 88
Flier-Mate 06 Jun 2023, 18:12
I experienced it from Day 1 since I started FASM programming.

See My simple compiler generates an EXE identified as trojan

It is useless to submit to Microsoft for whitelisting, because it doesn't change their detection algorithm.

Like someone suggested in the thread above, might be useful to make the code bloated?

Perhaps add this somewhere in the .code section?
Code:
_bloat:   times 64000 db 0xCC     


Of course this is not always practical for our programs.
Post 06 Jun 2023, 18:12
View user's profile Send private message Reply with quote
Overclick



Joined: 11 Jul 2020
Posts: 669
Location: Ukraine
Overclick 06 Jun 2023, 18:48
That was my previous engine project and new one doesn't have that issue yet until I integrate all things together. Will see but I'm still surprised. Thanks Flier-Mate, I'll keep it in mind.
Post 06 Jun 2023, 18:48
View user's profile Send private message Visit poster's website Reply with quote
bitRAKE



Joined: 21 Jul 2003
Posts: 4073
Location: vpcmpistri
bitRAKE 06 Jun 2023, 19:04
This and the increasing Windows Store integration are probably the top two reasons not to use Windows 11.

Something that might help is to add an exclusions to Microsoft Defender, but certainly not an option for anyone that might use your software.

_________________
¯\(°_o)/¯ “languages are not safe - uses can be” Bjarne Stroustrup
Post 06 Jun 2023, 19:04
View user's profile Send private message Visit poster's website Reply with quote
Overclick



Joined: 11 Jul 2020
Posts: 669
Location: Ukraine
Overclick 06 Jun 2023, 19:35
I hate windows 11 same as 8-10 because of stupid mobile-choppy-touch-interface. But I had to moved to it for software support. And yes I have to make my project to be compatible for new generation.
But to be honest I have to notice the sound have MUCH BETTER quality on 11 instead of previous windows. Even my old project sounds perfect on it:
https://sourceforge.net/projects/stereo-to-7-1-converter/
Post 06 Jun 2023, 19:35
View user's profile Send private message Visit poster's website Reply with quote
Picnic



Joined: 05 May 2007
Posts: 1403
Location: Piraeus, Greece
Picnic 07 Jun 2023, 05:53
I have the same problem with Hobby BASIC in Windows 10. Badly, I stopped looking for solutions, they seem to don't last. But It's my personal fun project and i don't care much. In Windows 10, real time protection won't even let me download it from the fasm forum. And that happens sometimes, not always. How to explained this?
Post 07 Jun 2023, 05:53
View user's profile Send private message Visit poster's website Reply with quote
ProMiNick



Joined: 24 Mar 2012
Posts: 804
Location: Russian Federation, Sochi
ProMiNick 07 Jun 2023, 08:11
Try to sign thour app even with untrusted certificate. AV usually skip signed ones.
Post 07 Jun 2023, 08:11
View user's profile Send private message Send e-mail Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20451
Location: In your JS exploiting you and your system
revolution 07 Jun 2023, 08:16
ProMiNick wrote:
Try to sign thour app even with untrusted certificate. AV usually skip signed ones.
If true then that would speak to how dumb AVs are. Razz

But doesn't that then give another problem with Windows complaining that the binary is untrusted when anyone tries to run it?
Post 07 Jun 2023, 08:16
View user's profile Send private message Visit poster's website Reply with quote
MatQuasar



Joined: 25 Oct 2023
Posts: 105
MatQuasar 01 Feb 2024, 17:09
Two security experts point out to me that if code section is writeable, it is easily flagged by AV as malicious.

I check three of my programs, what they said are true, all with characteristic E0000000 (code section) - RWX.
Single section .flat generated by FASM that is 1024 bytes is also this case.

Mystery solved for me. The security expert advised me to separate code and data, move writeable buffer to data section. Lesson learned.

I hope this would help anyone in the same boat.
Post 01 Feb 2024, 17:09
View user's profile Send private message Reply with quote
Feryno



Joined: 23 Mar 2005
Posts: 514
Location: Czech republic, Slovak republic
Feryno 04 Feb 2024, 17:33
Yes that writeable code section is a typical red flag. Few years ago I saw also a program without imports that was flagged as infected although it was doing nothing (you can scan kernel32.dll from the return address pushed on entrypoint into the program stack). Built-in antivirus ("Virus & threat real time protection" or whatever it is) is very stupid and based on fingerprints - some time ago I saw an activation script KMS_VL_ALL_AIO.cmd which was banned by this "antivirus" but after inserting some innocent line (like "@echo off") the OS built-in "protector" did not recognize it anymore due to different size and different CRC.
Post 04 Feb 2024, 17:33
View user's profile Send private message Visit poster's website ICQ Number Reply with quote
AsmGuru62



Joined: 28 Jan 2004
Posts: 1671
Location: Toronto, Canada
AsmGuru62 04 Feb 2024, 23:53
I once coded a small EXE with all the proper sections: code, data, import, etc.
The AV "quarantined" my EXE as soon as it was created by FASM.
It was not a small EXE -- maybe 11K or so.
The code was opening the file with a name hardcoded in 'data' section and loading it.
Then some (secret) analysis of file was done and another hardcoded-named file was created and results dumped into it.
I am still unclear as to why my AV would do this.
Excluding the FASM Projects folder from AV fixed the problem.
Post 04 Feb 2024, 23:53
View user's profile Send private message Send e-mail Reply with quote
MatQuasar



Joined: 25 Oct 2023
Posts: 105
MatQuasar 06 May 2024, 08:00
I made a blog post about this, citing comments from members here:


Top 4 Reasons Why Your EXE Are Falsely Detected As Malware
May 06, 2024

1. Your Windows program does not call CreateWindowExA[1]

CreateWindowExA is a Win32 API for GUI apps to create an overlapped, pop-up, or child window with an extended window style.[2]

2. May be small in size[1]

A comparison of "Hello, world" console apps show that assembler generated the smallest EXE (2KB) among Pascal (49KB), C# (4KB) with .NET dependency, and C++ (10KB).[3]

3. Code section is writeable[4]

It is easily flagged by AV as malicious, if code section had characteristic 0xE0000000 (RWX).

4. Your Windows program call WriteFile without corresponding ReadFile API[citation needed]



Solution:

1. Set "Exception" for your project folder.[5]

2. Your options are to rewrite/reorder/change your code.[6]

3. Always separate code and data, move writeable buffer to data section. [4]



Citation:

[1] https://board.flatassembler.net/topic.php?p=230958#230958

[2] https://learn.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-createwindowexa

[3] https://forum.lowyat.net/index.php?showtopic=5029150

[4] https://board.flatassembler.net/topic.php?p=237892#237892

[5] https://board.flatassembler.net/topic.php?p=232007#232007

[6] https://board.flatassembler.net/topic.php?p=230607#230607
Post 06 May 2024, 08:00
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20451
Location: In your JS exploiting you and your system
revolution 06 May 2024, 08:13
MatQuasar wrote:
Solution:

1. Set "Exception" for your project folder.[5]

2. Your options are to rewrite/reorder/change your code.[6]

3. Always separate code and data, move writeable buffer to data section. [4]
You missed the most effective and pleasant option:

0. Delete the AV.
Post 06 May 2024, 08:13
View user's profile Send private message Visit poster's website Reply with quote
MatQuasar



Joined: 25 Oct 2023
Posts: 105
MatQuasar 06 May 2024, 08:21
revolution wrote:
You missed the most effective and pleasant option:

0. Delete the AV.


Very Happy
Post 06 May 2024, 08:21
View user's profile Send private message Reply with quote
Ali.Z



Joined: 08 Jan 2018
Posts: 732
Ali.Z 06 May 2024, 23:30
MatQuasar wrote:
1. Your Windows program does not call CreateWindowExA[1]


irrelevant.

_________________
Asm For Wise Humans
Post 06 May 2024, 23:30
View user's profile Send private message Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  


< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.

Website powered by rwasa.