flat assembler
Message board for the users of flat assembler.

Index > Windows > Hello world FASM program detected as virus. Why?




baldr 25 Jul 2008, 19:58
LocoDelAssembly wrote:
... the file has too few sections or the code section has too many permissions (read, write and execute instead of read/execute) and hence it surely must be packed and crypted...
What if I make hundred-section PE (16-byte all ;) containing silly code? Will it qualify as 100 % virus free? ;)


revolution 14 Aug 2008, 20:33
baldr wrote:
What if I make hundred-section PE (16-byte all ;) containing silly code? Will it qualify as 100 % virus free? ;)
How about you try it and see what result you get. Don't forget to report the results here.


LocoDelAssembly 15 Aug 2008, 14:30
I tried, actually, but F-Prot/F-Secure (that was their names?) still reports a virus. I tried compiling a very simple NASM app and I got only one detection, and from a completely different anti-virus, so if someone can take the time to see what is needed to remove the three detections by comparing both outputs and decide what should be in a third output, do it.

The code I've tested that day
Code:
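; Win32 ANSI headers and macros (invoke, library, import)
include 'win32a.inc'

format PE GUI 4.0

; code section is read/execute only, not writable
section '.code' code readable executable
  invoke ExitProcess, 0

; 99 more sections of 16 bytes each, 100 sections in total
repeat 99
  section '.data' data readable writable
    db 16 dup(%)        ; % is the current repeat counter
end repeat

; import directory, placed in the last data section
data import
 library kernel32,'KERNEL32.DLL'

 import kernel32,\
        ExitProcess,'ExitProcess'
end data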
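The two layout traits named in the quote earlier in the thread (few sections, a code section that is also writable) can be read directly from the PE section table. The following is an added example, not code from any poster and not any antivirus engine's logic; the `min_sections` threshold, the helper names and the header-only sample images are constructed assumptions.

```python
import struct

# Section flags from the PE/COFF specification.
CNT_CODE, CNT_DATA = 0x20, 0x40
MEM_EXECUTE, MEM_READ, MEM_WRITE = 0x20000000, 0x40000000, 0x80000000

def pe_sections(image: bytes):
    """Return [(name, characteristics)] from the PE section table."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: Machine, NumberOfSections, 12 bytes skipped, SizeOfOptionalHeader
    _, count, opt_size = struct.unpack_from("<HH12xH", image, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size          # section table follows the optional header
    sections = []
    for i in range(count):
        # 40-byte entry: 8-byte name first, 4-byte Characteristics last
        name, flags = struct.unpack_from("<8s28xI", image, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), flags))
    return sections

def layout_traits(image: bytes, min_sections: int = 3):
    """Report the two traits from the quote; min_sections is an assumed threshold."""
    sections = pe_sections(image)
    wx = [n for n, f in sections if f & MEM_EXECUTE and f & MEM_WRITE]
    return {"sections": len(sections),
            "few_sections": len(sections) < min_sections,
            "writable_executable": wx}

def build_sample(sections):
    """Constructed, header-only PE image (not a runnable file) for the demo."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    table = b"".join(struct.pack("<8s28xI", n, f) for n, f in sections)
    return dos + b"PE\0\0" + coff + table

RX = CNT_CODE | MEM_EXECUTE | MEM_READ      # 'code readable executable'
RW = CNT_DATA | MEM_READ | MEM_WRITE        # 'data readable writable'
# Constructed samples: the thread's 1 + 99 layout, and one read/write/execute section.
HUNDRED = build_sample([(b".code", RX)] + [(b".data", RW)] * 99)
SINGLE_RWX = build_sample([(b".flat", RX | MEM_WRITE)])

if __name__ == "__main__":
    for label, img in (("100 sections", HUNDRED), ("1 RWX section", SINGLE_RWX)):
        print(label, layout_traits(img))
```

To inspect a real build, pass the file's bytes to `layout_traits` instead of a constructed sample.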


LocoDelAssembly 17 Aug 2008, 19:03
Alphonso created a modification that produces no fake detections at virustotal, check here.



Tomasz Grysztar 03 Dec 2008, 07:59
I think we should make some sticky thread about this, where people would post about any new false reports encountered.
Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.
