flat assembler
Message board for the users of flat assembler.

Just AVG again (I hope!)

Goto page 1, 2  Next
kas
My copy of AVG has just run a scan and reported that I had five infections... namely:

Both versions of fasmw167.zip and in particular the Minipad example exe.

They apparently all have the Trojan horse Generic12.QUJ virus.

I've looked through the forum and issues with AVG mismatches seem to have come up on a regular basis.

Is this just another AVG f up! Or do I really have a virus problem?

Has anyone else just started having this problem at the moment too?

Thanks,

Kas.
Post 29 Nov 2008, 13:38
revolution
I suggest you send your file to virustotal.com. This will run 37 virus scanner engines over it. If you see a lot of red indicators then it is time to delete the file and download a new copy. Although it is quite common for just a few of the scanners to show hits even for perfectly safe files, so don't be too alarmed if you get just a few hits.
Post 29 Nov 2008, 13:48
kas
Ok... I will. Thanks,

Kas
Post 29 Nov 2008, 13:51
kas
Well I did as you suggested revolution... and I got quite a few red checks coming up. So I then downloaded the latest fasmw zip and sent that to the virustotal website too. The report (minus about twenty passes) was as follows... seems scary to a non-virus expert like myself!

Antivirus Version Last Update Result
AntiVir 7.9.0.36 2008.11.28 TR/Crypt.XPACK.Gen
AVG 8.0.0.199 2008.11.29 Generic12.QUJ
CAT-QuickHeal 10.00 2008.11.29 Win32.TrojanDownloader.Small.gen!B.1
eSafe 7.0.17.0 2008.11.27 Suspicious File
Ikarus T3.1.1.45.0 2008.11.29 Virus.Win32.JunkPoly
Norman 5.80.02 2008.11.28 W32/Smalltroj.IEOU
SecureWeb-Gateway 6.7.6 2008.11.28 Trojan.Crypt.XPACK.Gen
Sophos 4.36.0 2008.11.29 Sus/UnkPacker
TrendMicro 8.700.0.1004 2008.11.28 PAK_Generic.001

What do you think? Is it just because I'm using an infected machine or is the download infected?

Kas.
Post 29 Nov 2008, 14:06
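As an added example, not part of kas's post and not code from the fasm project: a small Python script that parses the engine lines above (embedded below as a constructed sample, in the Engine / Version / Last Update / Result layout of the report), separates generic, packer and heuristic verdicts from named-family detections, and turns revolution's rule of thumb ("a lot of red" versus "just a few hits") into a threshold. The 37-engine total is the figure quoted earlier in the thread; the marker list and the thresholds are my assumptions, not any vendor's taxonomy or VirusTotal policy. It also hashes file contents, because when both the old copy and a fresh download are flagged, the useful check is whether the two files are byte-identical (if they are, the local machine did not alter the file and the question is about the scanners, not about an infection on the PC).

```python
"""Triage a VirusTotal-style multi-engine report and compare file hashes.
Added example; thresholds and the heuristic-name marker list are assumptions."""
import hashlib
import re
from dataclasses import dataclass
from typing import List

# Constructed sample input: the nine engine lines from the report above,
# in the "Engine Version LastUpdate Result" layout of the 2008 report.
SAMPLE_REPORT = """\
AntiVir 7.9.0.36 2008.11.28 TR/Crypt.XPACK.Gen
AVG 8.0.0.199 2008.11.29 Generic12.QUJ
CAT-QuickHeal 10.00 2008.11.29 Win32.TrojanDownloader.Small.gen!B.1
eSafe 7.0.17.0 2008.11.27 Suspicious File
Ikarus T3.1.1.45.0 2008.11.29 Virus.Win32.JunkPoly
Norman 5.80.02 2008.11.28 W32/Smalltroj.IEOU
SecureWeb-Gateway 6.7.6 2008.11.28 Trojan.Crypt.XPACK.Gen
Sophos 4.36.0 2008.11.29 Sus/UnkPacker
TrendMicro 8.700.0.1004 2008.11.28 PAK_Generic.001
"""

# Engine count quoted by revolution for virustotal.com at the time.
TOTAL_ENGINES = 37

# Substrings that mark a heuristic, packer or "generic" verdict rather than a
# named malware family. Assumption: this list is mine, not a vendor taxonomy.
HEURISTIC_MARKERS = ("generic", "gen", "crypt", "pack", "pak_",
                     "suspicious", "sus/", "heur")

# Engine, version, date (YYYY.MM.DD) and the rest of the line as the result.
LINE_RE = re.compile(
    r"^(?P<engine>\S+)\s+(?P<version>\S+)\s+"
    r"(?P<updated>\d{4}\.\d{2}\.\d{2})\s+(?P<result>.+?)\s*$"
)


@dataclass
class Detection:
    engine: str
    version: str
    updated: str
    result: str
    heuristic: bool


def is_heuristic(result: str) -> bool:
    """True when the detection name looks like a heuristic/packer/generic verdict."""
    lower = result.lower()
    return any(marker in lower for marker in HEURISTIC_MARKERS)


def parse_report(text: str) -> List[Detection]:
    """Parse engine lines; lines that do not fit the layout (e.g. the header) are skipped."""
    detections = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        detections.append(Detection(
            engine=m["engine"], version=m["version"], updated=m["updated"],
            result=m["result"], heuristic=is_heuristic(m["result"]),
        ))
    return detections


def triage(detections: List[Detection], total_engines: int) -> dict:
    """Decision rule (thresholds are my assumption): many engines, or several
    engines agreeing on a named family, means delete and re-download; a small
    share of hits that are all generic/packer names is a probable false positive."""
    hits = len(detections)
    specific = [d for d in detections if not d.heuristic]
    ratio = hits / total_engines if total_engines else 0.0
    if ratio >= 0.5 or len(specific) >= 5:
        verdict = "likely malicious"
    elif ratio <= 0.3 and len(specific) <= 2:
        verdict = "probable false positive"
    else:
        verdict = "inconclusive"
    return {
        "hits": hits,
        "total_engines": total_engines,
        "ratio": round(ratio, 3),
        "heuristic_hits": hits - len(specific),
        "specific_hits": len(specific),
        "specific_names": [d.result for d in specific],
        "verdict": verdict,
    }


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the file bytes: the value to search for on VirusTotal instead of
    re-uploading, and the value to compare between copies of a download."""
    return hashlib.sha256(data).hexdigest()


def same_file(local: bytes, fresh: bytes) -> bool:
    """Identical hashes mean the on-disk copy was not modified locally, so any
    scanner verdict applies equally to both copies."""
    return sha256_hex(local) == sha256_hex(fresh)


if __name__ == "__main__":
    summary = triage(parse_report(SAMPLE_REPORT), TOTAL_ENGINES)
    for key, value in summary.items():
        print(f"{key:16} {value}")
```

Run it on a report pasted into `SAMPLE_REPORT`; for the nine lines above it reports 9 hits out of 37, seven of them generic or packer names and only two named families that do not agree with each other, which lands on "probable false positive". The same nine hits against a 12-engine total would tip it to "likely malicious", so the rule is about the share of engines and the agreement between them, not the raw count.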
revolution
This is pretty normal, unfortunately. These virus programs tend to be quite conservative.

Here is my result from my machine. So I wouldn't worry about what you see.
Post 29 Nov 2008, 14:12
kas
What a pain... guess I just have to configure AVG to ignore fasm somehow... hopefully there'll be a whitelist somewhere.

Anyway, thanks again for the feedback revolution,

Kas.
Post 29 Nov 2008, 14:22
revolution
You're welcome, you owe me a drink when I am in the UK this coming January. Don't worry, I'm just kidding, no drinks required.
Post 29 Nov 2008, 14:25
kas
Is that mineral water? Laughing

Kas.
Post 29 Nov 2008, 14:33
revolution
Only if it comes from here.
Post 29 Nov 2008, 14:39
kas
God... some people! At $40-60 a 750ml bottle... I think it better be some bloody awesome glass of water!

Laughing
Post 29 Nov 2008, 14:48
revolution
kas wrote:
God...
Just calling me revolution will be fine. Cool
Post 29 Nov 2008, 14:50
dacid
All the antivirus programs (from revolution's link) that give suspicious results are pure shit...

I suggest you use one of these:

DrWeb, F-prot, F-Secure, Kaspersky, McAfee, Nod32, Panda.
Post 29 Nov 2008, 15:01
Picnic
kas wrote:
Both versions of fasmw167.zip and in particular the Minipad example exe.

Hi kas,
The same results may occur if you upload and test other assemblers in virustotal.com too.
I checked, quite some time ago, TASM 5.0 and MASM32 version 7, and both produced "virus found" results.
Post 29 Nov 2008, 23:14
kas
Hi,

dacid - I'll check out your recommendations. One never knows how good or bad these virus checkers are at their job - even if they ignore FASM Rolling Eyes

thimis - I suppose when I think about it - it makes sense - as all assemblers are designed to manipulate opcodes and addresses - and virus checkers are on the lookout for programs that... manipulate opcodes and addresses. However, the problem they have with minipad.exe does seem surprising.

Thanks for both your replies,

Kas.
Post 30 Nov 2008, 04:29
OldTabby
It's been a while but this false positive file infection was reported to me today- AGAIN Rolling Eyes
I'm not a programmer, I manage the content for a download listing site & I have researched more false positive virus/trojan/malware/spyware reports than I can count. In over 10 years only two reports were valid threats & in both cases the author's server had been hacked.

I'm used to seeing a FASM report, it only takes a few minutes to be sure it's a false positive. Generic12.QUJ - the word 'Generic' is an immediate giveaway to me but I did a search anyway - it doesn't exist in AVG's database & Google has never heard of it! Chances of it being a brand new threat? About 1 in a million Exclamation

The reason I'm here is that I wanted to update my listing for Flat Assembler (I've now quoted & linked to your FAQs, hopefully that might help a little) & thought I'd also check the forum comments on false positives.

You guys are obviously plagued with FP's & do your best to find what causes them & fix it so I was surprised to see kas's comment:
Quote:

One never knows how good or bad these virus checkers are at their job

I assumed that programmers would understand how anti virus/trojan/malware programs work. I also assumed you would know that the AV producers don't give a damn how many FPs their programs throw out, the more the merrier usually, & getting them to fix one has been known to require a court case! FPs help to convince the vast array of inexperienced users that the program is doing its job & ensures they will open their wallets to buy whatever useless bloated 'upgrades' are offered:!:

kas these programs look for code that might do something bad, then they try to match it to a known threat, then they warn you. Look very carefully at the name of the threat then do a Google search AND an AVG (or whatever AV program you use) virus database search for it. The results will tell you what to do next Wink

I've used the free version of AVG for years, up to version 7.5 it was great. V. 8 is more than double the size but not twice as good. I believe that there is now a better line-of-defense program & I personally recommend Malwarebytes' Anti-Malware (the free version of course!) Anti-Malware is proving to be better at identifying & removing the *real* threats & it reported ALL of the files in the Fast Assembler download as CLEAN.

Hope you find some of this info useful.

_________________
FreewareHome: we search for true freeware so you don't have to Very Happy
Post 13 Dec 2008, 22:51
kas
Hi OldTabby,

Very interesting. After quite a bit of searching through the forum on what code gets marked as infected and what not - I've come to the conclusion that my estimation of virus checkers in general was way way too high.

I just assumed that any kind of professional virus checker would, after an initial search of a binary file, check anything found as suspicious for some sort of tell-tale algorithm or behaviour... i.e. not just the crass approach of looking for/matching "bad numbers"... then hey presto, here's your scan results and you're DEFINITELY infected!

Oh well I'm amazed once more about what utterly crap code gets written by mainstream programmers.

Thanks for the reply and all the info OldTabby, appreciated.

Kas.
Post 13 Dec 2008, 23:14
revolution
OldTabby wrote:
I believe that there is now a better line-of-defense program & I personally recommend Malwarebytes' Anti-Malware (the free version of course!) Anti-Malware is proving to be better at identifying & removing the *real* threats & it reported ALL of the files in the Fast Assembler download as CLEAN.
It is a tricky thing to do. If the above program reports all fasm files as clean then great, but I also wonder how many viruses it would miss. There is a fine line between false positives and false negatives. False positives are simply an annoyance to the user, having to tell the AV to ignore it in the future, but false negatives can be devastating. This is why most major AVs are very conservative. They figure it is better to be safe than to be sorry.

This is not to say that the above AV is bad, just that it is less conservative. Some users may prefer that. Each to their own I guess.

I never use any AV so I don't really care about what they report, I can look at the code in my disassembler and decide for myself. But I would not expect that the average user is capable of that so I don't recommend everyone do that.
Post 14 Dec 2008, 01:15
OldTabby
My apologies revolution I didn't make myself clear - Anti-Malware is NOT an anti virus program. If you don't use an AV then it's a useful program to have around if you want to check a file or folder quickly. If you do use an AV use Anti-Malware as a backup/second opinion.

I use AVG, it's never let me down & actually rarely reports a false positive. It told me the Minipad FASM file was infected so I ran an Anti-Malware check - it said it was clean, which we know it is! I still did Google & AVG database searches just to be sure Wink

_________________
FreewareHome: we search for true freeware so you don't have to Very Happy
Post 15 Dec 2008, 09:47
revolution
I like to use virustotal to check anything quickly.


Last edited by revolution on 15 Dec 2008, 10:39; edited 1 time in total
Post 15 Dec 2008, 10:05
OldTabby
I think you'd better fix the spelling in the actual link revolution "virsutotal.com" goes to a Sedo parking search engine site Wink
The link you posted earlier in this thread is fine.
Post 15 Dec 2008, 10:26
Copyright © 1999-2020, Tomasz Grysztar. Also on GitHub, YouTube, Twitter.