flat assembler
Message board for the users of flat assembler.

Index > Windows > Antivirus issue

Author
Thread Post new topic Reply to topic
int0x50



Joined: 19 Jul 2019
Posts: 54
int0x50 22 Jun 2023, 03:00
I could see that most of the Anti-virus software are trying to identify the codes that I write as suspicious. In fact, the FreshIDE as initially detected as suspicious.

If that is the case, it seems we cannot write legitimate tools in FASM (though it's not because of FASM) and publish? say for example, I want to write like PE explorer, some tools on malware analysis?

Disabling AV or whitelisting is not a best recommended option.

what are the solutions available?

I think it's because of small size the AV's detect it? .. what about filling the space and make any program above 16k bytes? like just fill it with msvcrt to make it look like legit ... will that work?

did anyone face this problem before ? and worked on this to fix?
Post 22 Jun 2023, 03:00
View user's profile Send private message Reply with quote
AsmGuru62



Joined: 28 Jan 2004
Posts: 1626
Location: Toronto, Canada
AsmGuru62 22 Jun 2023, 03:59
An interesting question.
I think it is the functionality, like if your Windows program does not call CreateWindowEx -- SUSPICIOUS!.
It may be small size or even some signature in code which is not generated by C/C++ compiler, but easily made with any Assembler.
Not sure, but here is a fact: some time ago (in 2022) I coded the large x64 program with FASM. It was built as a resizable window with tabs.
Full of controls and features: combo boxes, check boxes, lists, threads, etc.
It was distributed to a person who ordered it and their AV did not flag it with anything suspicious.
Only there was a box saying that program was from the Internet, so just beware.
And you always can list the program or the whole folder with your FASM code as not to be scanned by your AV.
But the question, indeed, is very interesting.

If we ask the AV vendors how do they detect -- they are not going to give out their secrets.

We can send them our programs for testing, but some of us will not want to disclose our own code also.

So... no solution so far.
Post 22 Jun 2023, 03:59
View user's profile Send private message Send e-mail Reply with quote
Flier-Mate



Joined: 26 May 2023
Posts: 88
Flier-Mate 22 Jun 2023, 04:52
int0x50 wrote:
what about filling the space and make any program above 16k bytes? like just fill it with msvcrt to make it look like legit ... will that work?


I proposed to Overclick weeks ago (he also asked a similar question), to fill the code section with 64KB of 0xCC (used by MSVC as padding byte for alignment).

Code:
_bloat:   times 64000 db 0xCC         


You may want to try it and see if it is still detected by AV as trojan.

I have some of my programs also falsely detected as malware by Microsoft Defender, but only sometimes. For example, my "Simple Unicode code pointer converter" in Windows section was detected as trojan some time before, but not now anymore.
Post 22 Jun 2023, 04:52
View user's profile Send private message Reply with quote
int0x50



Joined: 19 Jul 2019
Posts: 54
int0x50 22 Jun 2023, 05:18
i work on malware analysis, threat detection ;etc .. the malwares uses many ways to evade AV ... like avoiding calling the API's directly (there are more than dozens of methods here) ... packing the code... injecting into remote process .. obfuscation .. etc ... since most of these logic can be only be implemented via ASM, probably because of this the AV is flagging these ...

second ... these days, I am not sure what is the requirement to use ASM and avoid C, Python, Rust ;etc .. which industry requires someone to write assembly based tools in windows ecosystem (gaming, graphics, applications; etc) .. cyber security is obvious one ... mostly for offensive part ... one of the main application is the malware authors and exploit writers ...

I could only think of these things ...
Post 22 Jun 2023, 05:18
View user's profile Send private message Reply with quote
int0x50



Joined: 19 Jul 2019
Posts: 54
int0x50 22 Jun 2023, 05:21
@ Flier-Mate .. i feel very bad that I cannot write a very small and fast code, because AV is going to flag it ... i feel bad to fill my code with garbage .. Sad ...
Post 22 Jun 2023, 05:21
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20341
Location: In your JS exploiting you and your system
revolution 22 Jun 2023, 12:53
The "real" solution is to get everyone to delete their AVs.

If we identify "tricks" to fool it, then it shows the AV is useless. Because malware writers can do exactly the same thing to make their code pass the tests.

Not only that. the AVs update their algorithms and methods regularly and code that once passed fine might now be classed dangerous. So all the efforts end up wasted.

When we deal with this nonsense with our customers, we simply tell them to throw out their misbehaving AV. We don't even try to "fix" the code to satisfy all the AV vendors. They are just crying wolf to get attention and "prove" they are worth the cost to the naive.

Crying or Very sad
Post 22 Jun 2023, 12:53
View user's profile Send private message Visit poster's website Reply with quote
AsmGuru62



Joined: 28 Jan 2004
Posts: 1626
Location: Toronto, Canada
AsmGuru62 22 Jun 2023, 19:39
In my opinion "throw out every AV" is a solution from USSR (or today's Canada).
It seems too drastic.
If your customer has a valid (paid) subscription with AV services then advise to your customer to make a service call and solve this.
It is not your issue as a software vendor to solve the AV problems.
Post 22 Jun 2023, 19:39
View user's profile Send private message Send e-mail Reply with quote
int0x50



Joined: 19 Jul 2019
Posts: 54
int0x50 23 Jun 2023, 05:44
Disabling or not using AV's is not all possible in an enterprise. Even for personal reasons. when ransomwares and threat actors are becoming major problem across the globe.

It's not just AV. now you have EDR, MDR, XDR .. and much more .. these software run across many points in the network (endpoints, windows systems, routers, firewalls, email)... monitor traffic, system events, co-relate and identify threats.

having an organization without these security solutions is not going to help... leave alone the regulatory and other compliance requirements ...

so, i create a legit tool to combat these threats in FASM .. but I am not sure how to deploy this (if AV is going to detect it) .. submitting the file and asking the AV vendor to whitelist my code is not a permanent solution ...

may be, filling the code with junk OPcodes.. something like this ...
Post 23 Jun 2023, 05:44
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20341
Location: In your JS exploiting you and your system
revolution 23 Jun 2023, 06:16
Write your code. If an AV has a problem with it then it is the fault of the AV, not yours. Have your customers/users write to the AV companies to complain that their products are falsely triggering. If they don't fix their stuff then that is their decision to keep their products misbehaving.

What not to do is to keep making changes until your code "passes". That is a path to endless tweaking till you die. And it is just busy work to keep the AV companies in profit for providing a substandard product.
Post 23 Jun 2023, 06:16
View user's profile Send private message Visit poster's website Reply with quote
Flier-Mate



Joined: 26 May 2023
Posts: 88
Flier-Mate 23 Jul 2023, 15:47
I have a short-term solution, I set "Exception" for my project folder, so it won't report any malware detection if my source code and executable are in that "exception" folder.
Post 23 Jul 2023, 15:47
View user's profile Send private message Reply with quote
AsmGuru62



Joined: 28 Jan 2004
Posts: 1626
Location: Toronto, Canada
AsmGuru62 24 Jul 2023, 03:39
I do the same for development.
Once EXE file is out the door -- it is up to the client, contacting their AV providers and whatnot.
Post 24 Jul 2023, 03:39
View user's profile Send private message Send e-mail Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  


< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.

Website powered by rwasa.