Hi
My own project detected as Trojan on stupid Windows 11. Any idea?

Maybe fasm infected or what?

Overzealous AV.

Your options are to rewrite/reorder/change your code.

Or delete your AV.

Note that malware writers can do exactly the same to stop it triggering, so it brings into question the usefulness of AVs.

Hmm..
Could you explain what is AV? AudioVideo?

AntiVirus.

But that is default Windows Defender and I want my project to be easily used for anyone.
What kind of my code can be detected as that Trojan? I'm confused really. All I do is COM via audio devices, playback and stream to device. That was working for past year no problem until I tried it now.

I experienced it from Day 1 since I started FASM programming.

See My simple compiler generates an EXE identified as trojan

It is useless to submit to Microsoft for whitelisting, because it doesn't change their detection algorithm.

Like someone suggested in the thread above, might be useful to make the code bloated?

Perhaps add this somewhere in the .code section?


Of course this is not always practical for our programs.

That was my previous engine project and new one doesn't have that issue yet until I integrate all things together. Will see but I'm still surprised. Thanks Flier-Mate, I'll keep it in mind.

This and the increasing Windows Store integration are probably the top two reasons not to use Windows 11.

Something that might help is to add an exclusions to Microsoft Defender, but certainly not an option for anyone that might use your software.

I hate windows 11 same as 8-10 because of stupid mobile-choppy-touch-interface. But I had to moved to it for software support. And yes I have to make my project to be compatible for new generation.
But to be honest I have to notice the sound have MUCH BETTER quality on 11 instead of previous windows. Even my old project sounds perfect on it:
https://sourceforge.net/projects/stereo-to-7-1-converter/

I have the same problem with Hobby BASIC in Windows 10. Badly, I stopped looking for solutions, they seem to don't last. But It's my personal fun project and i don't care much. In Windows 10, real time protection won't even let me download it from the fasm forum. And that happens sometimes, not always. How to explained this?

Try to sign thour app even with untrusted certificate. AV usually skip signed ones.

If true then that would speak to how dumb AVs are.

But doesn't that then give another problem with Windows complaining that the binary is untrusted when anyone tries to run it?

Two security experts point out to me that if code section is writeable, it is easily flagged by AV as malicious.

I check three of my programs, what they said are true, all with characteristic E0000000 (code section) - RWX.
Single section .flat generated by FASM that is 1024 bytes is also this case.

Mystery solved for me. The security expert advised me to separate code and data, move writeable buffer to data section. Lesson learned.

I hope this would help anyone in the same boat.

Yes that writeable code section is a typical red flag. Few years ago I saw also a program without imports that was flagged as infected although it was doing nothing (you can scan kernel32.dll from the return address pushed on entrypoint into the program stack). Built-in antivirus ("Virus & threat real time protection" or whatever it is) is very stupid and based on fingerprints - some time ago I saw an activation script KMS_VL_ALL_AIO.cmd which was banned by this "antivirus" but after inserting some innocent line (like "@echo off") the OS built-in "protector" did not recognize it anymore due to different size and different CRC.

I once coded a small EXE with all the proper sections: code, data, import, etc.
The AV "quarantined" my EXE as soon as it was created by FASM.
It was not a small EXE -- maybe 11K or so.
The code was opening the file with a name hardcoded in 'data' section and loading it.
Then some (secret) analysis of file was done and another hardcoded-named file was created and results dumped into it.
I am still unclear as to why my AV would do this.
Excluding the FASM Projects folder from AV fixed the problem.

I made a blog post about this, citing comments from members here:


Top 4 Reasons Why Your EXE Are Falsely Detected As Malware
May 06, 2024

1. Your Windows program does not call CreateWindowExA[1]

CreateWindowExA is a Win32 API for GUI apps to create an overlapped, pop-up, or child window with an extended window style.[2]

2. May be small in size[1]

A comparison of "Hello, world" console apps show that assembler generated the smallest EXE (2KB) among Pascal (49KB), C# (4KB) with .NET dependency, and C++ (10KB).[3]

3. Code section is writeable[4]

It is easily flagged by AV as malicious, if code section had characteristic 0xE0000000 (RWX).

4. Your Windows program call WriteFile without corresponding ReadFile API[citation needed]



Solution:

1. Set "Exception" for your project folder.[5]

2. Your options are to rewrite/reorder/change your code.[6]

3. Always separate code and data, move writeable buffer to data section. [4]



Citation:

[1] https://board.flatassembler.net/topic.php?p=230958#230958

[2] https://learn.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-createwindowexa

[3] https://forum.lowyat.net/index.php?showtopic=5029150

[4] https://board.flatassembler.net/topic.php?p=237892#237892

[5] https://board.flatassembler.net/topic.php?p=232007#232007

[6] https://board.flatassembler.net/topic.php?p=230607#230607

You missed the most effective and pleasant option:

0. Delete the AV.

irrelevant.

I found where the source is, it is in: (need to login to view)
https://board.flatassembler.net/topic.php?p=239181#239181