Index
> Main > Heuristic Antivirus detects ALL programs compiled with FASMGoto page 1, 2 Next |
| Author |
|
|
toxx
Hello,
All examples in FASM directory or all my programs compiled with FASM are detected by 2 Antivirus 
Why ? Quote:
http://www.virustotal.com/analisis/6d980ee978e54b189ce3ad49f1b60e87 Anyone have a exemple of source undetected !? Thanks  |
|||
12 Jun 2008, 11:42 |
|
|
revolution
This very common. I think there are a few viruses out there that were (at least partially) written in fasm.
It is unfortunate, but difficult to do anything about. |
|||
|
12 Jun 2008, 11:45 |
|
|
kohlrak
No more giving back...
Last edited by kohlrak on 07 Aug 2008, 14:37; edited 1 time in total |
|||
|
12 Jun 2008, 17:13 |
|
|
AlexP
Hey kohlrak, heuristics doesn't always mean sigs. Maybe it just doesn't like something that FASM does and a compiler doesn't, possibly something in the header.
|
|||
|
12 Jun 2008, 17:20 |
|
|
AlexP
Good point, but virii are detected a lot of times by errors they create in the PE header, like forgetting to update a previously-valid checksum or having a section size wrong. If I remember correctly, I had disasmed a FASM created header to find that a section header had a larger physical size than virtual size! Could this be the invalidity that's being seen?
|
|||
|
12 Jun 2008, 17:28 |
|
|
vid
First, you would have to start doing things "normal way". By that i mean layout of sections (code first), standard imports, jump for every imported function, etc. etc
After that, we can start looking for problem in FASM itself  |
|||
|
12 Jun 2008, 18:22 |
|
|
kohlrak
No more giving back...
Last edited by kohlrak on 07 Aug 2008, 14:37; edited 1 time in total |
|||
|
12 Jun 2008, 18:32 |
|
|
vid
That's the price of heuristic. If only viruses and FASM apps use something easily detectable, will they think twice? (in case they know about FASM, btw)
|
|||
|
12 Jun 2008, 18:37 |
|
|
kohlrak
No more giving back...
Last edited by kohlrak on 07 Aug 2008, 14:36; edited 1 time in total |
|||
|
12 Jun 2008, 18:43 |
|
|
AlexP
Well, it could be a rootkit, it doesn't say good or bad
|
|||
|
12 Jun 2008, 18:45 |
|
|
DOS386
> All examples in FASM directory or all my programs compiled with FASM are detected
Already pointed 1'000'000'000 times: http://board.flatassembler.net/topic.php?t=7302 http://board.flatassembler.net/topic.php?t=7310 http://board.flatassembler.net/topic.php?t=7807 http://board.flatassembler.net/topic.php?t=8154 http://board.flatassembler.net/topic.php?t=8818 (this one) > Anyone have a exemple of source undetected !? NO. Feel free to consider it as FASM's fault or fault of your "Antivirus" virus ... and throw away 1 of them then ... vid wrote: > First, you would have to start doing things "normal way". 
> By that i mean layout of sections (code first), standard imports, > jump for every imported function, etc. etc > After that, we can start looking for problem in FASM itself "better" way: delete PE support from FASM, just use M$-linker instead
Even "better": drop FASM / ASM and switch to Visual Baysic |
|||
|
12 Jun 2008, 22:26 |
|
|
bitRAKE
I have never used anti-virus software. The body is a good example of how to fight virii - common antigens are literally hunted for by the immune system. Trying to partially mimic this process in software might work at a larger scale, but the analogy fails at the individual computer level because multiple copies of software don't typically exist/operate on a single PC and software isn't typically designed to work in that fashion.
The human body doesn't care about false positives for the most part. Cells can be neutralized and everything continues working just fine. On a PC it is a completely different story - warnings can take considerable forensic work before knowing how to respond. Not just if it is a virus, but also how it's removal could impact the system. Anti-virus software fails on both counts, and merely provides psychological comfort. The resources are just not worth it when backups and virtual environments are so easy to setup. Save your time and money by planning for system failure. |
|||
|
13 Jun 2008, 00:32 |
|
|
r22
Stop using substandard AV software. PROBLEM SOLVED
Q: What do you do when the AV software you're running is BROKEN??? A: You uninstall it and find an alternative. If you really want to be nice send an email to the AV software's support address and tell them their software is broken. |
|||
|
13 Jun 2008, 01:39 |
|
|
kohlrak
No more giving back...
Last edited by kohlrak on 07 Aug 2008, 14:35; edited 1 time in total |
|||
|
13 Jun 2008, 05:08 |
|
|
baldr
AlexP wrote: Hey kohlrak, heuristics doesn't always mean sigs. Maybe it just doesn't like something that FASM does and a compiler doesn't, possibly something in the header. |
|||
|
25 Jul 2008, 20:02 |
|
|
Pinecone_
kohlrak, whats up with "No more giving back..." posted 3 times in this thread by you, and in your signature.......?
edit: i also notice that all those posts have been edited once. Maybe they used to say something else?... lol i think too much edit 2: (about 20 seconds after first edit!) sorry old-ish topic, but still... "No more giving back..."? |
|||
|
26 Aug 2008, 10:28 |
|
|
Madis731
And "All your base are belonged to us".
Please stop this "heuristics on FASM"-spam and should there be a sticky with detectable name so new users would stop creating new topics !? :S |
|||
|
26 Aug 2008, 10:47 |
|
|
vid
Quote: should there be a sticky with detectable name so new users would stop creating new topics !? :S Which one should get sticky? Or start a new thread? |
|||
|
26 Aug 2008, 11:29 |
|
|
Madis731
vid wrote:
 I didn't even measure this scenario through. Yeah, maybe start a new one explaining the strange behavior and link all stray topics to this. I don't know what's the sanest thing to do. |
|||
|
26 Aug 2008, 12:40 |
|
| Goto page 1, 2 Next < Last Thread | Next Thread > |
Forum Rules:
|