flat assembler
Message board for the users of flat assembler.
Heuristic Antivirus detects ALL programs compiled with FASM
toxx 12 Jun 2008, 11:42
Hello,
All examples in FASM directory or all my programs compiled with FASM are detected by 2 Antivirus. Why?
Quote:
http://www.virustotal.com/analisis/6d980ee978e54b189ce3ad49f1b60e87
Anyone have an example of source undetected!?
Thanks
kohlrak 12 Jun 2008, 17:13
No more giving back...
Last edited by kohlrak on 07 Aug 2008, 14:37; edited 1 time in total
AlexP 12 Jun 2008, 17:20
Hey kohlrak, heuristics doesn't always mean sigs. Maybe it just doesn't like something that FASM does and a compiler doesn't, possibly something in the header.
revolution 12 Jun 2008, 17:22
False positives are an inconvenience. But false negatives are a show stopper, so AV companies have to play it safe.
Even if, as a community, we manage to make some sort of standard format that is not detected as a virus, guess what, the virus writers will also use that new format. So the cycle repeats, the AV companies add a new signature and we're back where we started.
AlexP 12 Jun 2008, 17:28
Good point, but virii are detected a lot of times by errors they create in the PE header, like forgetting to update a previously-valid checksum or having a section size wrong. If I remember correctly, I had disasmed a FASM created header to find that a section header had a larger physical size than virtual size! Could this be the invalidity that's being seen?
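The two header properties AlexP's post above points to (a stale checksum, and a section whose physical size exceeds its virtual size) can be read straight from the PE headers. This is an added example, not code from the thread or from FASM: the function names are hypothetical, the sample image is constructed, and the checksum routine follows the commonly documented PE algorithm. A raw size equal to VirtualSize rounded up to FileAlignment is permitted by the PE format, so it is reported separately from raw data beyond that, and a stored checksum of 0 is reported as unset.

```python
import struct

def pe_checksum(data, field_off):
    # Commonly documented PE checksum: add 16-bit words with end-around
    # carry, counting the CheckSum field as zero, then add the file length.
    buf = data[:field_off] + b"\0" * 4 + data[field_off + 4:]
    buf += b"\0" * (len(buf) % 2)
    total = 0
    for (word,) in struct.iter_unpack("<H", buf):
        total += word
        total = (total & 0xFFFF) + (total >> 16)
    return total + len(data)

def inspect_pe(data):
    """Return (checksum_state, [(section, virtual, raw, verdict), ...])."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    nsect, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    opt = pe + 24                                  # optional header start
    file_align = struct.unpack_from("<I", data, opt + 36)[0] or 1
    stored = struct.unpack_from("<I", data, opt + 64)[0]
    state = "unset" if stored == 0 else (
        "ok" if stored == pe_checksum(data, opt + 64) else "stale")
    sections = []
    for i in range(nsect):
        name, vsize, _va, raw = struct.unpack_from(
            "<8sIII", data, opt + opt_size + 40 * i)
        padded = -(-vsize // file_align) * file_align  # VirtualSize rounded up
        verdict = ("raw <= virtual" if raw <= vsize else
                   "alignment padding" if raw == padded else "extra raw data")
        sections.append((name.rstrip(b"\0").decode(), vsize, raw, verdict))
    return state, sections

def constructed_sample(checksum=0):
    # Constructed headers-only PE32 image for this demo, not FASM output.
    img = bytearray(0x200)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)            # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH12xH", img, 0x44, 0x14C, 2, 0xE0)  # i386, 2 sections
    struct.pack_into("<H", img, 0x58, 0x10B)           # PE32 magic
    struct.pack_into("<II", img, 0x78, 0x1000, 0x200)  # Section/FileAlignment
    struct.pack_into("<I", img, 0x98, checksum)
    struct.pack_into("<8sIII", img, 0x138, b".text", 0x1A, 0x1000, 0x200)
    struct.pack_into("<8sIII", img, 0x160, b".data", 0x10, 0x2000, 0x600)
    return bytes(img)
```

Running `inspect_pe` on a real build, read with `open(path, "rb").read()`, gives the same tuple, which makes it easy to compare a FASM-built file against one produced by another toolchain.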
vid 12 Jun 2008, 18:22
First, you would have to start doing things "normal way". By that I mean layout of sections (code first), standard imports, jump for every imported function, etc. etc.
After that, we can start looking for a problem in FASM itself.
kohlrak 12 Jun 2008, 18:32
No more giving back...
Last edited by kohlrak on 07 Aug 2008, 14:37; edited 1 time in total
vid 12 Jun 2008, 18:37
That's the price of heuristic. If only viruses and FASM apps use something easily detectable, will they think twice? (in case they know about FASM, btw)
kohlrak 12 Jun 2008, 18:43
No more giving back...
Last edited by kohlrak on 07 Aug 2008, 14:36; edited 1 time in total
AlexP 12 Jun 2008, 18:45
Well, it could be a rootkit, it doesn't say good or bad
DOS386 12 Jun 2008, 22:26
> All examples in FASM directory or all my programs compiled with FASM are detected
Already pointed 1'000'000'000 times:
http://board.flatassembler.net/topic.php?t=7302
http://board.flatassembler.net/topic.php?t=7310
http://board.flatassembler.net/topic.php?t=7807
http://board.flatassembler.net/topic.php?t=8154
http://board.flatassembler.net/topic.php?t=8818 (this one)
> Anyone have a exemple of source undetected !?
NO. Feel free to consider it as FASM's fault or fault of your "Antivirus" virus ... and throw away 1 of them then ...
vid wrote:
> First, you would have to start doing things "normal way".
> By that i mean layout of sections (code first), standard imports,
> jump for every imported function, etc. etc
> After that, we can start looking for problem in FASM itself
"better" way: delete PE support from FASM, just use M$-linker instead
Even "better": drop FASM / ASM and switch to Visual Baysic
bitRAKE 13 Jun 2008, 00:32
I have never used anti-virus software. The body is a good example of how to fight virii - common antigens are literally hunted for by the immune system. Trying to partially mimic this process in software might work at a larger scale, but the analogy fails at the individual computer level because multiple copies of software don't typically exist/operate on a single PC and software isn't typically designed to work in that fashion.
The human body doesn't care about false positives for the most part. Cells can be neutralized and everything continues working just fine. On a PC it is a completely different story - warnings can take considerable forensic work before knowing how to respond. Not just if it is a virus, but also how its removal could impact the system. Anti-virus software fails on both counts, and merely provides psychological comfort. The resources are just not worth it when backups and virtual environments are so easy to set up. Save your time and money by planning for system failure.
_________________
¯\(°_o)/¯ “languages are not safe - uses can be” Bjarne Stroustrup
r22 13 Jun 2008, 01:39
Stop using substandard AV software. PROBLEM SOLVED
Q: What do you do when the AV software you're running is BROKEN???
A: You uninstall it and find an alternative.
If you really want to be nice send an email to the AV software's support address and tell them their software is broken.
kohlrak 13 Jun 2008, 05:08
No more giving back...
Last edited by kohlrak on 07 Aug 2008, 14:35; edited 1 time in total
baldr 25 Jul 2008, 20:02
AlexP wrote:
> Hey kohlrak, heuristics doesn't always mean sigs. Maybe it just doesn't like something that FASM does and a compiler doesn't, possibly something in the header.
Pinecone_ 26 Aug 2008, 10:28
kohlrak, what's up with "No more giving back..." posted 3 times in this thread by you, and in your signature.......?
edit: I also notice that all those posts have been edited once. Maybe they used to say something else?... lol I think too much
edit 2: (about 20 seconds after first edit!) sorry old-ish topic, but still... "No more giving back..."?
|
Madis731 26 Aug 2008, 10:47
And "All your base are belonged to us".
Please stop this "heuristics on FASM"-spam and should there be a sticky with detectable name so new users would stop creating new topics !? :S
vid 26 Aug 2008, 11:29
Quote:
> should there be a sticky with detectable name so new users would stop creating new topics !? :S
Which one should get sticky? Or start a new thread?
Madis731 26 Aug 2008, 12:40
vid wrote:
I didn't even measure this scenario through. Yeah, maybe start a new one explaining the strange behavior and link all stray topics to this. I don't know what's the sanest thing to do.
Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.