flat assembler
Message board for the users of flat assembler.
Index
> Windows > Antivirus issue |
Author |
|
AsmGuru62 22 Jun 2023, 03:59
An interesting question.
I think it is the functionality, like if your Windows program does not call CreateWindowEx -- SUSPICIOUS!. It may be small size or even some signature in code which is not generated by C/C++ compiler, but easily made with any Assembler. Not sure, but here is a fact: some time ago (in 2022) I coded the large x64 program with FASM. It was built as a resizable window with tabs. Full of controls and features: combo boxes, check boxes, lists, threads, etc. It was distributed to a person who ordered it and their AV did not flag it with anything suspicious. Only there was a box saying that program was from the Internet, so just beware. And you always can list the program or the whole folder with your FASM code as not to be scanned by your AV. But the question, indeed, is very interesting. If we ask the AV vendors how do they detect -- they are not going to give out their secrets. We can send them our programs for testing, but some of us will not want to disclose our own code also. So... no solution so far. |
|||
22 Jun 2023, 03:59 |
|
Flier-Mate 22 Jun 2023, 04:52
int0x50 wrote: what about filling the space and make any program above 16k bytes? like just fill it with msvcrt to make it look like legit ... will that work? I proposed to Overclick weeks ago (he also asked a similar question), to fill the code section with 64KB of 0xCC (used by MSVC as padding byte for alignment). Code: _bloat: times 64000 db 0xCC You may want to try it and see if it is still detected by AV as trojan. I have some of my programs also falsely detected as malware by Microsoft Defender, but only sometimes. For example, my "Simple Unicode code pointer converter" in Windows section was detected as trojan some time before, but not now anymore. |
|||
22 Jun 2023, 04:52 |
|
int0x50 22 Jun 2023, 05:18
i work on malware analysis, threat detection ;etc .. the malwares uses many ways to evade AV ... like avoiding calling the API's directly (there are more than dozens of methods here) ... packing the code... injecting into remote process .. obfuscation .. etc ... since most of these logic can be only be implemented via ASM, probably because of this the AV is flagging these ...
second ... these days, I am not sure what is the requirement to use ASM and avoid C, Python, Rust ;etc .. which industry requires someone to write assembly based tools in windows ecosystem (gaming, graphics, applications; etc) .. cyber security is obvious one ... mostly for offensive part ... one of the main application is the malware authors and exploit writers ... I could only think of these things ... |
|||
22 Jun 2023, 05:18 |
|
int0x50 22 Jun 2023, 05:21
@ Flier-Mate .. i feel very bad that I cannot write a very small and fast code, because AV is going to flag it ... i feel bad to fill my code with garbage .. ...
|
|||
22 Jun 2023, 05:21 |
|
revolution 22 Jun 2023, 12:53
The "real" solution is to get everyone to delete their AVs.
If we identify "tricks" to fool it, then it shows the AV is useless. Because malware writers can do exactly the same thing to make their code pass the tests. Not only that. the AVs update their algorithms and methods regularly and code that once passed fine might now be classed dangerous. So all the efforts end up wasted. When we deal with this nonsense with our customers, we simply tell them to throw out their misbehaving AV. We don't even try to "fix" the code to satisfy all the AV vendors. They are just crying wolf to get attention and "prove" they are worth the cost to the naive. |
|||
22 Jun 2023, 12:53 |
|
AsmGuru62 22 Jun 2023, 19:39
In my opinion "throw out every AV" is a solution from USSR (or today's Canada).
It seems too drastic. If your customer has a valid (paid) subscription with AV services then advise to your customer to make a service call and solve this. It is not your issue as a software vendor to solve the AV problems. |
|||
22 Jun 2023, 19:39 |
|
int0x50 23 Jun 2023, 05:44
Disabling or not using AV's is not all possible in an enterprise. Even for personal reasons. when ransomwares and threat actors are becoming major problem across the globe.
It's not just AV. now you have EDR, MDR, XDR .. and much more .. these software run across many points in the network (endpoints, windows systems, routers, firewalls, email)... monitor traffic, system events, co-relate and identify threats. having an organization without these security solutions is not going to help... leave alone the regulatory and other compliance requirements ... so, i create a legit tool to combat these threats in FASM .. but I am not sure how to deploy this (if AV is going to detect it) .. submitting the file and asking the AV vendor to whitelist my code is not a permanent solution ... may be, filling the code with junk OPcodes.. something like this ... |
|||
23 Jun 2023, 05:44 |
|
revolution 23 Jun 2023, 06:16
Write your code. If an AV has a problem with it then it is the fault of the AV, not yours. Have your customers/users write to the AV companies to complain that their products are falsely triggering. If they don't fix their stuff then that is their decision to keep their products misbehaving.
What not to do is to keep making changes until your code "passes". That is a path to endless tweaking till you die. And it is just busy work to keep the AV companies in profit for providing a substandard product. |
|||
23 Jun 2023, 06:16 |
|
Flier-Mate 23 Jul 2023, 15:47
I have a short-term solution, I set "Exception" for my project folder, so it won't report any malware detection if my source code and executable are in that "exception" folder.
|
|||
23 Jul 2023, 15:47 |
|
AsmGuru62 24 Jul 2023, 03:39
I do the same for development.
Once EXE file is out the door -- it is up to the client, contacting their AV providers and whatnot. |
|||
24 Jul 2023, 03:39 |
|
< Last Thread | Next Thread > |
Forum Rules:
|
Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.
Website powered by rwasa.