flat assembler
Message board for the users of flat assembler.
Hello world FASM program detected as virus. Why?
LocoDelAssembly 15 Jan 2008, 00:12
Today everything is a virus, even those installers that auto-click the "do you want to install this unsigned driver" dialog are considered "trojan auto clicker".
Perhaps this time it is that the heuristics found that the file has too few sections or the code section has too many permissions (read, write and execute instead of read/execute) and hence it surely must be packed and crypted. AV companies are so used to very bloated executables that now every non-bloated thing is considered a virus. I wonder if there is an AV that is worth using nowadays...
revolution 15 Jan 2008, 00:23
I never have any problem with the AV programs running in my PCs. So what is my AV? My AV is nothing. I don't bother to use one.
Just turn off scripting in email and browsers, don't download all the crap available just because it looks nice, write all your own programs and never connect directly to the Internet (use a router). And for those times when you just want to make sure of something, go to virustotal.com. Simple and effective. Never had a virus.
OzzY 15 Jan 2008, 00:26
I'm thinking the same thing. I don't know what's worse, if it doesn't detect the virus or if it detects a program that's not a virus as a virus.
I'm thinking of trying this GPL'ed AV: http://sourceforge.net/projects/moonav It may not detect everything, but at least the source is available and it seems to not give too many false alarms.
OzzY 15 Jan 2008, 00:27
revolution wrote: I never have any problem with the AV programs running in my PCs. So what is my AV? My AV is nothing. I don't bother to use one.
I do this. But family who don't know how to use the computer won't do that. And I hate cleaning crap.
vid 15 Jan 2008, 00:43
I guess it's a non-standard layout of PE sections... this really doesn't appear in any real file.
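The header properties the posts above guess at (few sections, a section that is both writable and executable), checked over a PE section table. This is an added example, not code from the thread and not any AV product's logic; the `min_sections` threshold, the function names and the header-only sample images are constructed for illustration.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

def parse_sections(image):
    """Return [(name, characteristics)] read from a PE image's section table."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0" or e_lfanew + 24 > len(image):
        raise ValueError("PE signature or COFF header missing")
    # The 20-byte COFF header follows the signature; the section table
    # starts after the optional header, whose size the COFF header gives.
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size
    sections = []
    for i in range(nsect):
        off = table + 40 * i
        if off + 40 > len(image):
            raise ValueError("section table truncated")
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        (chars,) = struct.unpack_from("<I", image, off + 36)
        sections.append((name, chars))
    return sections

def layout_findings(image, min_sections=3):
    """List layout traits a size/permission heuristic could react to.
    min_sections is an assumed threshold, not taken from any product."""
    sections = parse_sections(image)
    findings = []
    if len(sections) < min_sections:
        findings.append(f"only {len(sections)} section(s)")
    for name, chars in sections:
        if chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"{name}: writable and executable")
    return findings

def build_sample(sections, opt_size=0xE0):
    """Constructed header-only PE image (no code or data) for the demo."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x10F)
    table = b"".join(n.ljust(8, b"\0") + b"\0" * 28 + struct.pack("<I", c)
                     for n, c in sections)
    return dos + b"PE\0\0" + coff + b"\0" * opt_size + table

if __name__ == "__main__":
    print(layout_findings(build_sample([(b".flat", 0xE0000020)])))
```

Running the same check over your own build output shows which traits a given assembler or linker configuration produces before a scanner ever sees the file.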
zxcv 15 Jan 2008, 01:04
Quote: Just turn off scripting in email and browsers, don't download all the crap available just because it looks nice, write all your own programs and never connect directly to the Internet (use a router). And for those times when you just want to make sure of something, go to virustotal.com. Simple and effective. Never had a virus.
I have full scripting, old Firefox, download all files (even I know it's a virus), and I'm connected to the internet with a public IP, having no firewall and no AV. Didn't have any problem with virus/malware for ~3 years.
Quote: Is it time to change the AV?
Ask yourself, do you really need it.
revolution 15 Jan 2008, 01:09
zxcv wrote: I have full scripting, old Firefox, download all files (even I know it's a virus), and I'm connected to the internet with a public IP, having no firewall and no AV. Didn't have any problem with virus/malware for ~3 years.
zxcv 15 Jan 2008, 01:14
Quote: I suggest you check you are not spamming me and the rest of the world with your botnetted PC.
Hmm, I'm not 100% immune, it would be hard to detect a spoofed dll or smth. However I know all my dlls and processes with locations, using a non-system driver to scan them, and that gives me 99.(9)% of being safe. 30 seconds reading after boot, it's enough to be sure, same after launching an infected file. 3 years ago I had a trojan horse, first and last time =) That's how I started to learn about computers.
DOS386 15 Jan 2008, 06:02
Quote:
1. Known issue: see FAQ in Main
2. Amount of false positives is increasing. Why? Increasing amount of "good" bloat and increasing amount of known viruses. There must be collisions. Further, as other people wrote, FASM produces "non-standard" executables.
You can report this issue to the maintainers, they probably will "fix" this, but I bet it will take less than 3 months before we get the next "Virus in FASM !!!" thread here.
PS: I don't use any "antivirus" program, and I don't have trouble with virii ...
Last edited by DOS386 on 01 Dec 2008, 08:32; edited 3 times in total
LocoDelAssembly 15 Jan 2008, 15:03
No DOS386, it is a new issue, those links talk about a different "virus" and it is located in FASMW.exe, while the problem with Ozzy is that FASMW.exe passes the shield but the very simple hello world example does not.
OzzY 15 Jan 2008, 17:52
Would anyone be interested in creating an AV program in FASM?
It would be simple, light-weight and fast.
AlexP 16 Jan 2008, 01:14
lol string scanning?? I've always thought of an AV type that would create a fast hash of the file being scanned, and then search a binary tree quickly for it. Like MD5, except virus writers could collide that probably. I can't even get MD5 going, the "little-endian" is getting very confusing as to how it is supposed to be. Almost little-endian'ized every constant in the whole algo to try and see what's wrong with it! Almost no complete docs for a step-by-step MD5 hash either, like a FIPS or somethin'.
DOS386 16 Jan 2008, 01:28
LocoDelAssembly wrote: it is a new issue
I did notice ... but still both are false positives and the reason for them is very similar
edfed 16 Jan 2008, 01:44
yeah, I'm interested in virii writing, to know exactly how to fix them.
because building a LAN OS needs to have a deep native protection.
OzzY 16 Jan 2008, 03:41
edfed: Are you interested in creating a simple AV for learning purposes?
I know nothing about creating AVs, but that would be good research/knowledge.
edfed 16 Jan 2008, 03:53
i know how to make hardcore virus, because each time i cannot reach my objectives, i find a virus, something that can be very dangerous if broadcasted.
AlexP 16 Jan 2008, 16:56
edfed: Pretty much anybody here can make a good metamorphic if they spend a few months on it, virus writing isn't at all like the movies. Like where they quick "hack into a port" in less than a second and execute something inside their OS remotely. lol that would be crazy if a good enough glitch was found inside Windows, or just a cheap foreign driver nonetheless
null1024 17 Jan 2008, 01:51
OT: It may just be that virus scanner. Avast! and Symantec turn up nothing after I assemble that code.
OzzY 17 Jan 2008, 05:21
I used to code viruses for fun, but I never released them into the wild. But it's fun to try them inside a testing box. And then create a cure for them.
A friend of mine got infected with the Brotok worm. He sent me a sample. I'll do some analysis and maybe create a removal tool for it. Although it seems to be pretty well packed.
Copyright © 1999-2024, Tomasz Grysztar.