flat assembler
Message board for the users of flat assembler.

Index > Main > Heuristic Antivirus detects ALL programs compiled with FASM

Goto page 1, 2  Next
Author
Thread Post new topic Reply to topic
toxx



Joined: 12 Jun 2008
Posts: 1
toxx 12 Jun 2008, 11:42
Hello,
All examples in FASM directory or all my programs compiled with FASM are detected by 2 Antivirus Sad
Why ?

Quote:

F-Prot 4.4.4.56 2008.06.12 W32/Zbot.I.gen!Eldorado
F-Secure 6.70.13260.0 2008.06.12 Suspicious:W32/Malware!Gemini

http://www.virustotal.com/analisis/6d980ee978e54b189ce3ad49f1b60e87

Anyone have a exemple of source undetected !?
Thanks Wink
Post 12 Jun 2008, 11:42
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20461
Location: In your JS exploiting you and your system
revolution 12 Jun 2008, 11:45
This very common. I think there are a few viruses out there that were (at least partially) written in fasm.

It is unfortunate, but difficult to do anything about.
Post 12 Jun 2008, 11:45
View user's profile Send private message Visit poster's website Reply with quote
kohlrak



Joined: 21 Jul 2006
Posts: 1421
Location: Uncle Sam's Pad
kohlrak 12 Jun 2008, 17:13
No more giving back...


Last edited by kohlrak on 07 Aug 2008, 14:37; edited 1 time in total
Post 12 Jun 2008, 17:13
View user's profile Send private message Visit poster's website AIM Address Yahoo Messenger MSN Messenger Reply with quote
AlexP



Joined: 14 Nov 2007
Posts: 561
Location: Out the window. Yes, that one.
AlexP 12 Jun 2008, 17:20
Hey kohlrak, heuristics doesn't always mean sigs. Maybe it just doesn't like something that FASM does and a compiler doesn't, possibly something in the header.
Post 12 Jun 2008, 17:20
View user's profile Send private message Visit poster's website Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20461
Location: In your JS exploiting you and your system
revolution 12 Jun 2008, 17:22
False positives are an inconvenience. But false negatives are a show stopper, so AV companies have to play it safe.

Even if, as a community, we manage to make some sort of standard format that is not detected as a virus, guess what, the virus writers will also use that new format. So the cycle repeats, the AV companies add a new signature and were back where we started. Sad
Post 12 Jun 2008, 17:22
View user's profile Send private message Visit poster's website Reply with quote
AlexP



Joined: 14 Nov 2007
Posts: 561
Location: Out the window. Yes, that one.
AlexP 12 Jun 2008, 17:28
Good point, but virii are detected a lot of times by errors they create in the PE header, like forgetting to update a previously-valid checksum or having a section size wrong. If I remember correctly, I had disasmed a FASM created header to find that a section header had a larger physical size than virtual size! Could this be the invalidity that's being seen?
Post 12 Jun 2008, 17:28
View user's profile Send private message Visit poster's website Reply with quote
vid
Verbosity in development


Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia
vid 12 Jun 2008, 18:22
First, you would have to start doing things "normal way". By that i mean layout of sections (code first), standard imports, jump for every imported function, etc. etc

After that, we can start looking for problem in FASM itself Razz
Post 12 Jun 2008, 18:22
View user's profile Send private message Visit poster's website AIM Address MSN Messenger ICQ Number Reply with quote
kohlrak



Joined: 21 Jul 2006
Posts: 1421
Location: Uncle Sam's Pad
kohlrak 12 Jun 2008, 18:32
No more giving back...


Last edited by kohlrak on 07 Aug 2008, 14:37; edited 1 time in total
Post 12 Jun 2008, 18:32
View user's profile Send private message Visit poster's website AIM Address Yahoo Messenger MSN Messenger Reply with quote
vid
Verbosity in development


Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia
vid 12 Jun 2008, 18:37
That's the price of heuristic. If only viruses and FASM apps use something easily detectable, will they think twice? (in case they know about FASM, btw)
Post 12 Jun 2008, 18:37
View user's profile Send private message Visit poster's website AIM Address MSN Messenger ICQ Number Reply with quote
kohlrak



Joined: 21 Jul 2006
Posts: 1421
Location: Uncle Sam's Pad
kohlrak 12 Jun 2008, 18:43
No more giving back...


Last edited by kohlrak on 07 Aug 2008, 14:36; edited 1 time in total
Post 12 Jun 2008, 18:43
View user's profile Send private message Visit poster's website AIM Address Yahoo Messenger MSN Messenger Reply with quote
AlexP



Joined: 14 Nov 2007
Posts: 561
Location: Out the window. Yes, that one.
AlexP 12 Jun 2008, 18:45
Well, it could be a rootkit, it doesn't say good or bad
Post 12 Jun 2008, 18:45
View user's profile Send private message Visit poster's website Reply with quote
DOS386



Joined: 08 Dec 2006
Posts: 1905
DOS386 12 Jun 2008, 22:26
> All examples in FASM directory or all my programs compiled with FASM are detected

Already pointed 1'000'000'000 times:

http://board.flatassembler.net/topic.php?t=7302
http://board.flatassembler.net/topic.php?t=7310
http://board.flatassembler.net/topic.php?t=7807
http://board.flatassembler.net/topic.php?t=8154
http://board.flatassembler.net/topic.php?t=8818 (this one)

> Anyone have a exemple of source undetected !?

NO. Feel free to consider it as FASM's fault or fault of your "Antivirus" virus ... and throw away 1 of them then ...

vid wrote:

> First, you would have to start doing things "normal way".

Confused

> By that i mean layout of sections (code first), standard imports,
> jump for every imported function, etc. etc
> After that, we can start looking for problem in FASM itself

"better" way: delete PE support from FASM, just use M$-linker instead Confused
Even "better": drop FASM / ASM and switch to Visual Baysic Confused
Post 12 Jun 2008, 22:26
View user's profile Send private message Reply with quote
bitRAKE



Joined: 21 Jul 2003
Posts: 4082
Location: vpcmpistri
bitRAKE 13 Jun 2008, 00:32
I have never used anti-virus software. The body is a good example of how to fight virii - common antigens are literally hunted for by the immune system. Trying to partially mimic this process in software might work at a larger scale, but the analogy fails at the individual computer level because multiple copies of software don't typically exist/operate on a single PC and software isn't typically designed to work in that fashion.

The human body doesn't care about false positives for the most part. Cells can be neutralized and everything continues working just fine. On a PC it is a completely different story - warnings can take considerable forensic work before knowing how to respond. Not just if it is a virus, but also how it's removal could impact the system. Anti-virus software fails on both counts, and merely provides psychological comfort. The resources are just not worth it when backups and virtual environments are so easy to setup.

Save your time and money by planning for system failure.

_________________
¯\(°_o)/¯ “languages are not safe - uses can be” Bjarne Stroustrup
Post 13 Jun 2008, 00:32
View user's profile Send private message Visit poster's website Reply with quote
r22



Joined: 27 Dec 2004
Posts: 805
r22 13 Jun 2008, 01:39
Stop using substandard AV software. PROBLEM SOLVED

Q: What do you do when the AV software you're running is BROKEN???
A: You uninstall it and find an alternative.

If you really want to be nice send an email to the AV software's support address and tell them their software is broken.
Post 13 Jun 2008, 01:39
View user's profile Send private message AIM Address Yahoo Messenger Reply with quote
kohlrak



Joined: 21 Jul 2006
Posts: 1421
Location: Uncle Sam's Pad
kohlrak 13 Jun 2008, 05:08
No more giving back...


Last edited by kohlrak on 07 Aug 2008, 14:35; edited 1 time in total
Post 13 Jun 2008, 05:08
View user's profile Send private message Visit poster's website AIM Address Yahoo Messenger MSN Messenger Reply with quote
baldr



Joined: 19 Mar 2008
Posts: 1651
baldr 25 Jul 2008, 20:02
AlexP wrote:
Hey kohlrak, heuristics doesn't always mean sigs. Maybe it just doesn't like something that FASM does and a compiler doesn't, possibly something in the header.
AFAIK, heuristics burrows deeper. At least, in AI. Wink
Post 25 Jul 2008, 20:02
View user's profile Send private message Reply with quote
Pinecone_



Joined: 28 Apr 2008
Posts: 180
Pinecone_ 26 Aug 2008, 10:28
kohlrak, whats up with "No more giving back..." posted 3 times in this thread by you, and in your signature.......?

edit: i also notice that all those posts have been edited once. Maybe they used to say something else?... lol i think too much

edit 2: (about 20 seconds after first edit!)
sorry Razz old-ish topic, but still... "No more giving back..."?
Post 26 Aug 2008, 10:28
View user's profile Send private message Reply with quote
Madis731



Joined: 25 Sep 2003
Posts: 2139
Location: Estonia
Madis731 26 Aug 2008, 10:47
And "All your base are belonged to us".
Please stop this "heuristics on FASM"-spam and should there be a sticky with detectable name so new users would stop creating new topics !? :S
Post 26 Aug 2008, 10:47
View user's profile Send private message Visit poster's website Yahoo Messenger MSN Messenger Reply with quote
vid
Verbosity in development


Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia
vid 26 Aug 2008, 11:29
Quote:
should there be a sticky with detectable name so new users would stop creating new topics !? :S

Which one should get sticky? Or start a new thread?
Post 26 Aug 2008, 11:29
View user's profile Send private message Visit poster's website AIM Address MSN Messenger ICQ Number Reply with quote
Madis731



Joined: 25 Sep 2003
Posts: 2139
Location: Estonia
Madis731 26 Aug 2008, 12:40
vid wrote:
Quote:
should there be a sticky with detectable name so new users would stop creating new topics !? :S

Which one should get sticky? Or start a new thread?

Very Happy I didn't even measure this scenario through. Yeah, maybe start a new one explaining the strange behavior and link all stray topics to this. I don't know what's the sanest thing to do.

_________________
My updated idol Very Happy http://www.agner.org/optimize/
Post 26 Aug 2008, 12:40
View user's profile Send private message Visit poster's website Yahoo Messenger MSN Messenger Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  
Goto page 1, 2  Next

< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.

Website powered by rwasa.