flat assembler
Message board for the users of flat assembler.
Windows > Program gets flagged by anti-virus
asmhack 23 Aug 2008, 23:49
Thaorius wrote:
> Any ideas on how to avoid it? Thanks

yep, avoid your antivirus... or don't use URLDownloadToFile api
Thaorius 23 Aug 2008, 23:56
What other API can I use that comes with the system? This program is supposed to be a lightweight application downloader, therefore it must not have dependencies but those that are guaranteed to be present.
Thanks
DOS386 24 Aug 2008, 00:26
asmhack wrote:
Right, FASM is "by design" suspicious & downloaders are "by design" suspicious:
http://board.flatassembler.net/topic.php?t=7302
http://board.flatassembler.net/topic.php?t=7310
http://board.flatassembler.net/topic.php?t=7807
http://board.flatassembler.net/topic.php?t=8154
http://board.flatassembler.net/topic.php?t=8818
http://board.flatassembler.net/topic.php?t=8977
http://board.flatassembler.net/topic.php?t=9118 (this one)
r22 25 Aug 2008, 01:11
Please rename this thread to: (for my entertainment)
"Malware gets flagged by anti-virus" or ... "HELP! AV Flags My Malware!!!" or maybe ... "Help me build better malware"
asmhack 25 Aug 2008, 03:09
r22, are you making those antiviruses?
r22 25 Aug 2008, 18:54
@asmhack: no I have a boring job.
dxl 03 Sep 2008, 09:04
A downloader program that executes what it has just downloaded?
Who needs such a tool? Antiviruses take into account heuristics like the functions imported. URLDownloadToFile + ShellExecuteA is probably highly suspect. There are several ways to hide the functions a program is importing.
smallfish 18 Sep 2008, 14:38
AV's current virtual machine heuristics need a number of techniques to bypass.
anti av Code:

    xor esi, esi
    i WinExec, 'cmd.exe', esi
    i FindWindow, 'ConsoleWindowClass', esi
    or eax, eax
    je _end
    xchg eax, ebx
    ; Virus Code
    i SendMessage, ebx, WM_CLOSE, esi, esi
  _end:
    i ExitProcess, esi
revolution 18 Sep 2008, 14:40
smallfish: We don't post virus code here.
OzzY 18 Sep 2008, 16:25
This is really a problem. My AV is detecting all FASM-assembled .EXEs as an unknown virus (heuristics).
iic2 18 Sep 2008, 19:17
First I'd like to say thanks for all of the help in my previous post, where members found the solution and finalized it, then leaving food for thought, creating a new thread with a life of its own. Thank you everybody.
OzzY, does heuristics mean that the AV keeps these files in a list of suspects while still allowing the FASM file to run without knowing THIS? If so, which folder or dll does it keep that/or hidden log file in? Also, which AV version are you using? I'm using AntiVir (Avira) 8.0.0.2.7, updated only once, about 6 months ago. I never turn it on unless I need to test or finalize something. Seems to me, the next step which may now be in full effect is the OS itself (VISTA - Windows 7 or next runner-up) is trying to figure out how to legalize incorporating these features in the OS excluding the turn-off switch (The free and dirty ticket to walk the stack). You are damn right this is a problem and it's got to be fixed right now.
OzzY 19 Sep 2008, 16:19
I emailed AVIRA and they removed the detection from the quetannon FASM example and probably other FASM-assembled EXEs too.
I use AVIRA Antivir too. It's a good free AV.
iic2 20 Sep 2008, 05:22
That's what I call TCB and you have new friends. I'm sure FASM coders will make sure it stays that way. That goes to show they are people too. AVIRA is one of the best if not the best, and they still came down to earth in a flash. Just for that they got my money and I hope they thank you for helping to enhance their business and saving the world from you know what.
Thanks OzzY and don't ever stop. Knowing right from wrong allows us to work in peace.
Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.