Topic: Beating the virus scanners

Ascended

Beating the virus scanners
« on: May 01, 2018, 09:33:51 AM »
Hi Guys,

As we know, the virus scanners 'love' our assembly programs. So I thought I'd do a quick test to see if I can encourage the virus scanners to become less eager to jump to conclusions. I'm using virustotal.com for the virus test.

The test program

Code:
include c:\masm32\include\masm32rt.inc   ; MASM32 runtime: includes, libraries and macros

.code
WinMain proc            ; deliberately empty entry procedure: no API calls, no data
WinMain endp
end WinMain             ; WinMain is the entry point

Results



9% of scanners hate us 'out of the box'.  :eusa_snooty:

Ascended

Re: Beating the virus scanners
« Reply #1 on: May 01, 2018, 09:38:12 AM »
One simple change, same code base.

Now down to 3% of haters.  8)



Any guesses as to what I did?


Ascended

Re: Beating the virus scanners
« Reply #2 on: May 01, 2018, 09:45:24 AM »
Got it down to one. Which is more of a 'warning' I guess. Never heard of 'Cylance' anyway. So we might be close to calling this a win.



This was an interesting one to achieve. This was done by marking the target as '.686'.

Siekmanski

Re: Beating the virus scanners
« Reply #3 on: May 01, 2018, 10:29:07 AM »
Quote from: Ascended
One simple change, same code base.

Now down to 3% of haters.  8)

Any guesses as to what I did?

Assembled with a resource file which has a icon, a manifest and a versioninfo block?
Creative coders use backward thinking techniques as a strategy.

Ascended

Re: Beating the virus scanners
« Reply #4 on: May 01, 2018, 10:34:58 AM »
Nope.  :biggrin:

Just swapped out ML and LINK with the ones in VS2017.  :t

zedd151

Re: Beating the virus scanners
« Reply #5 on: May 01, 2018, 10:36:42 AM »
To add to what siekmanski said, probably added some actual code?? Maybe even a simple message box...

Oh, you beat me to it. Yes, the modern versions, not the antiquated versions that are backward compatible to Win2000.
I'm not always the sharpest knife in the drawer, but I have my moments.  :P

Ascended

Re: Beating the virus scanners
« Reply #6 on: May 01, 2018, 10:42:05 AM »
Quote from: zedd151
To add to what siekmanski said, probably added some actual code?? Maybe even a simple message box...

Nah, code remained the same.


Ascended

Re: Beating the virus scanners
« Reply #7 on: May 01, 2018, 10:44:07 AM »
Actually, this is an interesting read from the last remaining 'offending' engine.

Quote
"The Cylance engine is not an antivirus engine. Unlike AV, it doesn’t have a bias toward letting everything run. The technology doesn't assume a file is good until it’s evaluated. Our approach is to measure and decide on each and every file individually, and if it doesn't fit into our model of good, it leans towards bad.

"Without a bunch of data to base a decision on, and without any real patterns of goodness to identify it as such, the engine leaned heavily on the structural bits that are odd and drew a line towards bad in this case.

"When we train models, we train on hundreds of millions of good and hundreds of millions of bad files (samples). We look at several million potential data points (features) in each file...

"...In general, a piece of code can become "bad" by doing things that lean towards bad. But it can also lean towards bad by not doing things that lean towards good. So in the most basic example provided (hello world in debug build)"

jj2007

Re: Beating the virus scanners
« Reply #8 on: May 01, 2018, 10:49:40 AM »
There are various factors that trigger false positives:

- my editor (RichMasm) gets 25 out of 65 - utterly bad, but the 'good' names, like Kaspersky, Avast, Avira etc flag it as clean. Now, the same identical code can get 5 out of 66 - provided it's not packed (the stupid AV scanners flag everything that is packed as 'suspicious'). When using a Win7 instead of the XP manifest, it's 4/66 but it won't run on XP any more...

Surprisingly, the usual hello world is entirely clean:
Code:
include \masm32\include\masm32rt.inc ; plain Masm32 for the fans of pure assembler

.code
AppName db "Masm32:", 0                  ; caption for the message box

start: MsgBox 0, "Hello World", addr AppName, MB_OK   ; Masm32 macro around MessageBox
exit                                      ; Masm32 macro: invoke ExitProcess, 0

end start                                 ; start is the entry point

A simple Masm32 Windows Gui app scores 2/66; add a resource section with XP manifest, and it goes up to 5/65 :(
With a tiny change, Win7 instead of XP manifest, you suddenly get 0/65 :P

There is only one clear rule: For software posted here by members with some 'history' on the forum, ignore the AV messages. We are coding in assembler, and the cheap AV crap cannot handle code that looks hand-made :biggrin:

Of course, if you code to earn a living, you have basically two choices:
- sue the companies for their false positives
- surrender (=give up assembler and start C/C++)

Btw this thread should be moved to the appropriate dedicated sub-forum called AV Software sh*t list.

Ascended

Re: Beating the virus scanners
« Reply #9 on: May 01, 2018, 10:53:46 AM »
Yeah, I avoid packers like UPX300 like the plague. Been bitten by sending out false positives in the past with software I created commercially.

hutch--

Re: Beating the virus scanners
« Reply #10 on: May 01, 2018, 11:23:05 AM »
Simple solution is to build an app in UI mode that has a manifest and version control block. That takes care of most of the junky AV scanners, but just occasionally you will get a valid piece of code within an exe that triggers a signature in an AV scanner list. The junky end of AV scanners take shortcuts so they can look like they catch more viruses, but generally they are a risk because they are not smart enough to catch a new virus.
hutch at movsd dot com
http://www.masm32.com    :biggrin:  :biggrin:
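An added example, not code from the thread or from any tool or vendor named in it: a small Python script that walks a PE header and reports the kind of structural features the posts above keep coming back to, namely the absence of a resource directory (where a manifest, VERSIONINFO block and icon would live), an empty import table, UPX-style section names, near-8.0 entropy in a section (what a packer produces) and sections that are both writable and executable. The feature list is my own heuristic reading of jj2007's and hutch's observations and of the quoted Cylance remark about "structural bits that are odd"; it is not Cylance's model or any scanner's actual logic, and the thresholds are assumptions. The two PE images it examines are constructed in memory by a hypothetical `build_pe` helper so the script runs offline; to check a real build, pass `open(path, "rb").read()` to `parse_pe` instead.

```python
"""Report PE structural features that tiny assembler builds and packed builds
tend to show. Added example with constructed sample images; heuristics only."""
import math
import struct
from collections import Counter

DIR_NAMES = ["export", "import", "resource", "exception", "security",
             "basereloc", "debug", "arch", "globalptr", "tls", "loadconfig",
             "boundimport", "iat", "delayimport", "clr", "reserved"]
SCN_EXECUTE, SCN_WRITE = 0x20000000, 0x80000000


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; packed or encrypted data sits near 8.0."""
    n = len(data)
    return 0.0 if n == 0 else -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(blob: bytes) -> dict:
    """Minimal PE32/PE32+ header walk: data directories and the section table."""
    if blob[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    _machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, coff)
    opt = coff + 20
    pe32plus = struct.unpack_from("<H", blob, opt)[0] == 0x20B
    dd_off = opt + (112 if pe32plus else 96)           # start of the data directory array
    ndd = struct.unpack_from("<I", blob, dd_off - 4)[0]  # NumberOfRvaAndSizes
    dirs = {DIR_NAMES[i]: struct.unpack_from("<II", blob, dd_off + 8 * i)
            for i in range(min(ndd, 16))}
    sections = []
    for i in range(nsect):
        off = opt + opt_size + 40 * i                 # 40-byte IMAGE_SECTION_HEADER
        name = blob[off:off + 8].rstrip(b"\0").decode("latin-1")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", blob, off + 8)
        flags = struct.unpack_from("<I", blob, off + 36)[0]
        sections.append({"name": name, "vsize": vsize, "rawsize": rawsize,
                         "entropy": round(entropy(blob[rawptr:rawptr + rawsize]), 2),
                         "exec": bool(flags & SCN_EXECUTE), "write": bool(flags & SCN_WRITE)})
    return {"pe32plus": pe32plus, "dirs": dirs, "sections": sections}


def assess(info: dict) -> list:
    """Flag the structural oddities discussed in the thread (assumed thresholds)."""
    notes = []
    if info["dirs"].get("resource", (0, 0))[1] == 0:
        notes.append("no resource directory (no manifest, VERSIONINFO or icon)")
    if info["dirs"].get("import", (0, 0))[1] == 0:
        notes.append("no import directory (image calls no Windows API)")
    for s in info["sections"]:
        if s["name"].upper().startswith("UPX"):
            notes.append(f"{s['name']}: UPX-style section name")
        if s["entropy"] >= 7.0:
            notes.append(f"{s['name']}: entropy {s['entropy']} looks packed/encrypted")
        if s["exec"] and s["write"]:
            notes.append(f"{s['name']}: writable and executable (self-unpacking pattern)")
        if s["rawsize"] == 0 and s["vsize"] > 0:
            notes.append(f"{s['name']}: no file data but {s['vsize']:#x} bytes in memory")
    return notes


def build_pe(sections, dirs=None) -> bytes:
    """Hypothetical helper: constructs a minimal PE32 image for the demo (not linker output).
    sections: list of (name, raw_bytes, virtual_size, characteristics)."""
    align, nsect = 0x200, len(sections)
    hdr_end = (64 + 4 + 20 + 224 + 40 * nsect + align - 1) // align * align
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)               # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                 # NumberOfRvaAndSizes
    for name, (rva, size) in (dirs or {}).items():
        struct.pack_into("<II", opt, 96 + 8 * DIR_NAMES.index(name), rva, size)
    headers, body, raw_ptr, vaddr = bytearray(), bytearray(), hdr_end, 0x1000
    for name, data, vsize, flags in sections:
        raw_size = (len(data) + align - 1) // align * align
        headers += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, vaddr,
                               raw_size, raw_ptr, 0, 0, 0, 0, flags)
        body += data.ljust(raw_size, b"\0")
        raw_ptr, vaddr = raw_ptr + raw_size, vaddr + max(vsize, 0x1000)
    blob = (b"MZ" + b"\0" * 58 + struct.pack("<I", 64) + b"PE\0\0"
            + struct.pack("<HHIIIHH", 0x14C, nsect, 0, 0, 0, 224, 0x102)
            + bytes(opt) + bytes(headers))
    return blob.ljust(hdr_end, b"\0") + bytes(body)


CODE = 0x60000020            # CODE | EXECUTE | READ
DATA_RWX = 0xE0000040        # INITIALIZED_DATA | EXECUTE | READ | WRITE
STUB = b"\x6a\x00\xe8\x00\x00\x00\x00"   # push 0 / call rel32 placeholder bytes

# Constructed stand-in for the thread's empty WinMain: one code section, no imports, no resources.
BARE = build_pe([(".text", STUB, len(STUB), CODE)])
# Constructed stand-in for a UPX-packed build: empty UPX0, high-entropy RWX UPX1, resources present.
PACKED = build_pe([("UPX0", b"", 0x4000, DATA_RWX),
                   ("UPX1", bytes(range(256)) * 2, 0x200, DATA_RWX),
                   (".rsrc", b"\0" * 0x100, 0x100, 0x40000040)],
                  dirs={"import": (0x5000, 0x40), "resource": (0x6000, 0x100)})

if __name__ == "__main__":
    for label, blob in (("bare", BARE), ("packed", PACKED)):
        print(label, assess(parse_pe(blob)))
```

The bare image has the shape of the empty WinMain test at the top of the thread: no imports, no resources, one tiny code section. Nothing here changes a scanner's mind, but it tells you which of the changes suggested above (adding a resource section with a manifest and version block, dropping the packer) actually altered the binary you are about to upload, and it shows why a packed build looks "odd" to a structural model even when the code inside is harmless.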

Ascended

Re: Beating the virus scanners
« Reply #11 on: May 01, 2018, 12:12:47 PM »
Nice!

I haven't played with manifests yet. That's on my to do list also  :t

Ascended

Re: Beating the virus scanners
« Reply #12 on: May 01, 2018, 02:09:05 PM »
As my program gets bigger, so do the viruses - LOL.

I guess there is no beating 'cheap' virus detectors.

I found this interesting though. The website shows which functions get called from the Windows API.


jj2007

Re: Beating the virus scanners
« Reply #13 on: May 01, 2018, 07:24:58 PM »
Quote from: Ascended
The website shows which functions get called from the Windows API.
Use Wayne's PeView for that - indeed a fantastic tool.

Raistlin

Re: Beating the virus scanners
« Reply #14 on: May 03, 2018, 02:11:54 AM »
You know Virustotal.com is owned by Google, right? The same guys that are deleting my MASM exe\dll's on Bl00dy Google Drive, no matter the manifest, icon, version & info block. :(
Are you pondering what I'm pondering? It's time to take over the world ! - let's use ASSEMBLY...