The MASM Forum

Projects => MASM32 => AV Software sh*t list => Topic started by: vosk on November 21, 2015, 06:56:24 AM

Title: Avast antivirus prevent running new applications
Post by: vosk on November 21, 2015, 06:56:24 AM
Hello, recently I installed MASM32 but I have experienced a strange thing: my Avast is preventing any executable created through masm from running, even the testinst.exe generated on installation.

What happens is the process for the executable file appears on the task admin, but no console or window pops up, there's no way to stop the process, and no way to delete the exe file (until restart).

The only solution I've found is to stop antivirus file system scan while using masm32.

I'm not sure if this is a question for the Avast forum or if I've put it in the right place, but I would like to know if someone else has experienced the same behavior.

Thanks in advance
And best regards

vosk
Title: Re: Avast antivirus prevent running new applications
Post by: jj2007 on November 21, 2015, 07:14:02 AM
Some AV are notoriously bad at distinguishing malware from legit software, most of us have seen this.

On the other hand, what you can do with assembler is often beyond the capacity of standard software, and therefore it is not totally stupid to shout alarm. Check if Avast has an option to exclude certain folders (such as \Masm32\ and all sub-folders) from scanning.
Title: Re: Avast antivirus prevent running new applications
Post by: vosk on November 21, 2015, 07:39:58 AM
Ok thanks for your reply

I've found the exclusion list in the Avast setup, so I added the project dir's path and now I can go on with my work

Thanks jj2007 for your help
Regards

vosk
Title: Re: Avast antivirus prevent running new applications
Post by: ToutEnMasm on November 22, 2015, 01:36:22 AM
To prevent false positives with Avast, link your project with the vc++ msvcrt.lib, not the masm32 one. (result of tests on further machine).
There is no need to use the msvcrt functions, the result is the same.
That will be enough. Libs from the sdk are also welcome.

Title: Re: Avast antivirus prevent running new applications
Post by: vosk on November 22, 2015, 04:50:33 AM
Hello ToutEnMasm, thanks for your comment and time

I'm very new to all that, so sorry if I don't understand what you are talking about; on my MASM installation there's no msvcrt.lib and I'm not familiar enough with masm (nor other assemblers, for the moment I'm practicing with qeditor and also with winasm). I'll keep your advice in mind, but for the moment let me play some days with the Avast exclusion enabled as jj2007 suggested

Thanks again

Regards
vosk
Title: Re: Avast antivirus prevent running new applications
Post by: TWell on November 22, 2015, 07:00:29 AM
WinXP msvcrt.lib

I would avoid those msvc++ msvcrt.lib.
Title: Re: Avast antivirus prevent running new applications
Post by: jj2007 on November 22, 2015, 07:14:16 AM
Quote
on my MASM installation there's no msvcrt.lib

Check \Masm32\lib\msvcrt.lib

It works fine, no reason to pick another one that might cause problems with other installations.

@TWell: What is the difference to the standard Masm32 lib?
Title: Re: Avast antivirus prevent running new applications
Post by: hutch-- on November 22, 2015, 07:20:09 AM
vosk,

MASM32 creates its own version of MSVCRT so it can use the MSVCRT dynamic link library functions. What is created is purely an IMPORT library where if you start using the VC libraries you start to pull in the main C runtime libraries which will make your executable files much larger. If you have a look at the MASM32 directory structure, you will see a "tools" directory that has a sub directory "makecimp". This is how the MASM32 version of MSVCRT is made. The whole idea of doing this is so you can use the VC DLL functions without the overhead of the VC runtime libraries.
Title: Re: Avast antivirus prevent running new applications
Post by: TWell on November 22, 2015, 08:04:49 AM
@jj2007
Code:
msvcrtWinXP.def
___CxxCallUnwindDtor
___CxxDetectRethrow
___CxxExceptionFilter
___CxxQueryExceptionSize
___CxxRegisterExceptionObject
___CxxUnregisterExceptionObject
___DestructExceptionObject
____lc_codepage_func
____lc_handle_func
____mb_cur_max_func
____setlc_active_func
____unguarded_readlc_active_add_func
___crtCompareStringW
___crtGetStringTypeW
___crtLCMapStringW
___iob_func
___pctype_func
___wcserror
__aligned_free
__aligned_malloc
__aligned_offset_malloc
__aligned_offset_realloc
__aligned_realloc
__cgetws
__cputws
__cwprintf
__cwscanf
__getwch
__getwche
__putwch
__resetstkoflw
__scprintf
__scwprintf
__set_SSE2_enable
__snscanf
__snwscanf
__strtoi64
__strtoui64
__ungetwch
__vscprintf
__vscwprintf
__wcserror
__wcstoi64
__wcstoui64
__wtof
Title: Re: Avast antivirus prevent running new applications
Post by: Vortex on November 22, 2015, 08:43:59 AM
Hi ToutEnMasm,

Jochen and Hutch are right, no need to use other libraries from MS VC installations making things much more complicated. The import library from the Masm32 setup does all the job.
Title: Re: Avast antivirus prevent running new applications
Post by: jj2007 on November 22, 2015, 08:47:55 AM
__aligned_malloc

Functions that were not available before WinXP, right?
Title: Re: Avast antivirus prevent running new applications
Post by: ToutEnMasm on November 22, 2015, 06:49:54 PM

What is more simple?
More simple is to use the given libraries as they are, there is just need of include files.
Doing this offers many advantages, one of them is not being recognized as a virus.
Title: Re: Avast antivirus prevent running new applications
Post by: Vortex on November 22, 2015, 08:29:14 PM

Quote
What is more simple?
More simple is to use the given libraries as they are, there is just need of include files.

Easy. You need to see the internals of the original MS libraries to make the judgement :

H:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\lib\msvcrt.lib from the VS2010 Express + Windows 7 installation

It contains a lot of highly decorated symbols which have no use for Masm32 coders doing general purpose programming :

Code:
??0?$_SpinWait@$00@details@Concurrency@@QAE@P6AXXZ@Z (public: __thiscall Concurrency::details::_SpinWait<1>::_SpinWait<1>(void (__cdecl*)(void)))

As you know, this is the C++ decoration scheme of MS.

\masm32\lib\msvcrt.lib does not contain them.

Quote
C run-time library (without iostream or standard C++ library) : msvcrt.lib
Associated DLL : msvcr100.dll

Characteristics : Multithreaded, dynamic link (import library for MSVCR100.DLL). Be aware that if you use the Standard C++ Library, your program will need MSVCP100.DLL to run.

It's about msvcrt100.dll and not msvcrt.dll

https://msdn.microsoft.com/en-us/library/abx4dbyh%28v=vs.100%29.aspx

Obviously, you can see that \masm32\lib\msvcrt.lib is more simple.

You would like to read this article :

Fighting the MSVCRT.DLL hell

http://www.syndicateofideas.com/posts/fighting-the-msvcrt-dll-hell

Quote
Doing this offers many advantages, one of them is not being recognized as a virus.

Why the library msvcrt.lib supplied with Masm32 should be identified as a virus? You can check the report of Jotti :

https://virusscan.jotti.org/en-US/filescanjob/x7nmyskhu6
Title: Re: Avast antivirus prevent running new applications
Post by: TWell on November 22, 2015, 09:04:04 PM
Problems are in user code, not in msvcrt.dll.
MSVC msvcrxxx.lib has code in it too. It isn't just an import library.
Using some msvcrxxx doesn't help against virus-alarm.
For example jj2007 RtlRandomEx.zip ent.exe.
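The distinction drawn in this thread between a pure import library and a library that also carries code can be checked on the .lib file itself. The following is an added example, not code from any poster or from the Masm32 package: it walks a COFF archive and reports each member as a short import object or as an ordinary object with its count of code bytes. The member names and the SAMPLE archive are constructed for illustration.

```python
import struct

def ar_member(name: bytes, data: bytes) -> bytes:
    """One archive member: 60-byte header, data, newline pad to even size."""
    hdr = (name.ljust(16) + b"0".ljust(12) + b" " * 12 + b"0".ljust(8)
           + str(len(data)).encode().ljust(10) + b"`\n")
    return hdr + data + (b"\n" if len(data) % 2 else b"")

def short_import(sym: bytes, dll: bytes) -> bytes:
    """Short import object: 20-byte header (Sig1=0, Sig2=0xFFFF) + two strings."""
    names = sym + b"\0" + dll + b"\0"
    return struct.pack("<HHHHIIHH", 0, 0xFFFF, 0, 0x14C, 0, len(names), 0, 4) + names

def coff_with_code(code: bytes) -> bytes:
    """Ordinary i386 COFF object with a single .text section."""
    hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0)
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0, 0, len(code), 60,
                      0, 0, 0, 0, 0x60000020)
    return hdr + sec + code

# Constructed sample, not a real library: one import stub, one object with code.
SAMPLE = (b"!<arch>\n" + ar_member(b"/", b"\0" * 4)
          + ar_member(b"msvcrt.dll/", short_import(b"_printf", b"msvcrt.dll"))
          + ar_member(b"crtstub.obj/", coff_with_code(b"\x90" * 4 + b"\xC3")))

def classify_lib(blob: bytes):
    """Return (member, kind, detail) for each member of a COFF .lib archive."""
    if blob[:8] != b"!<arch>\n":
        raise ValueError("not a COFF archive")
    out, pos = [], 8
    while pos + 60 <= len(blob):
        name = blob[pos:pos + 16].rstrip().decode()
        size = int(blob[pos + 48:pos + 58].decode())
        data = blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size & 1)
        if name in ("/", "//") or len(data) < 20:  # linker members, longnames
            continue
        sig1, sig2, version = struct.unpack_from("<HHH", data)
        if (sig1, sig2, version) == (0, 0xFFFF, 0):  # short import object
            sym, dll = data[20:].split(b"\0")[:2]
            out.append((name, "import", f"{dll.decode()}!{sym.decode()}"))
            continue
        _, nsec, _, _, _, opt, _ = struct.unpack_from("<HHIIIHH", data)
        code = 0
        for off in range(20 + opt, 20 + opt + 40 * nsec, 40):
            raw, flags = struct.unpack_from("<I16xI", data, off + 16)
            code += raw if flags & 0x20 else 0  # IMAGE_SCN_CNT_CODE
        out.append((name, "object", f"{code} bytes of code"))
    return out
```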
Title: Re: Avast antivirus prevent running new applications
Post by: ToutEnMasm on November 23, 2015, 12:43:56 AM
Quote
Why the library msvcrt.lib supplied with Masm32 should be identified as a virus? You can check the report of Jotti :
It is a build without the original msvcrt.lib which is identified as a virus.
There are some procs added by the linker which aren't in the masm32 package and aren't used in the asm source code.
Remember what I said:
Quote
To prevent false positives with Avast, link your project with the vc++ msvcrt.lib, not the masm32 one. (result of tests on further machine).
There is no need to use the msvcrt functions, the result is the same.
That will be enough. Libs from the sdk are also welcome.

(result of tests on further machine). This one isn't only based on one sample, try to find a C++ sample (which uses all the original msvcrt.lib) which generates a false positive.
I wait, the rule must be applied to all, not to an exception, always possible.
Title: Re: Avast antivirus prevent running new applications
Post by: TWell on November 23, 2015, 12:58:11 AM
@ToutEnMasm
Example without msvcrxxx which is alarmed by Avast:
sdkrc7\examples\cherche.exe
Link it with the 2015 linker and check if the alarm disappeared.
That link.exe inserts useless crap into the exe.
Title: Re: Avast antivirus prevent running new applications
Post by: ToutEnMasm on November 23, 2015, 02:02:21 AM
you are Talking in the Wind.
I know that this one needs to be recompiled with the original msvcrt.
Not talking in the Wind is to find a solution for the false positive antivirus.
What is your solution ????????????????
I want to know!
 
Title: Re: Avast antivirus prevent running new applications
Post by: TWell on November 23, 2015, 03:23:08 AM
A simple thing I ask and you can't do that?
Just recompile that f... project with that beloved 2015 linker of yours.
Too much to ask?
Then we know if virus-scanners are fooled with that.
You know results?
Title: Re: Avast antivirus prevent running new applications
Post by: ToutEnMasm on November 23, 2015, 03:29:41 AM
Yes I know the result, it is not the first prog I have modified with success.

Quote
To prevent false positives with Avast, link your project with the vc++ msvcrt.lib, not the masm32 one. (>>>>>>>>>>>>>>>result of tests on further machine<<<<<<<<<<<<<).
There is no need to use the msvcrt functions, the result is the same.
That will be enough. Libs from the sdk are also welcome.
Last test done one week ago with XP 3, Avast actual version, with my searchhttp (using c++ msvcrt.lib) and no false positive

Title: Re: Avast antivirus prevent running new applications
Post by: TWell on November 23, 2015, 03:33:35 AM
OK.
Quote
you are Talking in the Wind.
Title: Re: Avast antivirus prevent running new applications
Post by: Vortex on November 23, 2015, 04:18:45 AM
Quote
It is a build without the original msvcrt.lib which is identified as a virus.

ToutEnMasm, there are basically two options for you :

a) You are neglecting all that I am posting here.
b) You don't understand what I tell.

I know that you are an intelligent person, so please pay attention to what I am telling. I sent the report of Jotti, I repeat :

https://virusscan.jotti.org/en-US/filescanjob/x7nmyskhu6

Do you see any virus indication in the report?

Another question : what is the original version of msvcrt.lib? Is it the one shipped with VS5, VS6 or the latest Visual Studio 2015? What is it supposed to do?

Quote
There are some procs added by the linker which aren't in the masm32 package and aren't used in the asm source code.

Now, could you clarify us about the procedure added by a specific version of msvcrt.lib? Why should I need it?

Quote
To prevent false positives with Avast, link your project with the vc++ msvcrt.lib, not the masm32 one. (result of tests on further machine).
There is no need to use the msvcrt functions, the result is the same.
That will be enough. Libs from the sdk are also welcome.

I use msvcrt.lib because the DLL exports some useful functions. I can even create that library with my def2lib tool. Never had a false positive problem with that import library. Better to stay away from crappy AV products.

Quote
(result of tests on further machine). This one isn't only based on one sample, try to find a C++ sample (which uses all the original msvcrt.lib) which generates a false positive.
I wait, the rule must be applied to all, not to an exception, always possible.

This is a subforum dedicated to assembly programming so why should I bother with the C++ example? Your comment fits rather the Compiler based Assembler section :

http://masm32.com/board/index.php?board=17.0

To make it clear, I am sending you a quick example built with the msvcrt.lib supplied with the Masm32 package. No false positive reported by Jotti :

Code:
.386
.model flat,stdcall
option casemap:none

include     \masm32\include\windows.inc
include     \masm32\include\kernel32.inc
include     \masm32\include\msvcrt.inc

includelib  \masm32\lib\kernel32.lib
includelib  \masm32\lib\msvcrt.lib

.data

string      db 'Hello world!',0

.code

start:

    invoke  crt_printf,ADDR string
    invoke  ExitProcess,0

END start

https://virusscan.jotti.org/en-US/filescanjob/asrnuopyy2
Title: Re: Avast antivirus prevent running new applications
Post by: jj2007 on November 23, 2015, 04:32:03 AM
Quote
you are Talking in the Wind.

I Talk To The Wind (https://www.youtube.com/watch?v=jNCmHML4b5U)

Quote
Said the straight man to the late man
Where have you been
I've been here and I've been there
And I've been in between.

I talk to the wind
My words are all carried away
I talk to the wind
The wind does not hear
The wind cannot hear.

I'm on the outside looking inside
What do I see
Much confusion, disillusion
All around me.

You don't possess me
Don't impress me
Just upset my mind
Can't instruct me or conduct me
Just use up my time

I talk to the wind
My words are all carried away
I talk to the wind
The wind does not hear
The wind cannot hear.
Title: Re: Avast antivirus prevent running new applications
Post by: ToutEnMasm on November 23, 2015, 04:45:43 AM
Need just one answer:
What is your solution to avoid false positives with antivirus in asm, I stop here, without modifying the antivirus.
Title: Re: Avast antivirus prevent running new applications
Post by: Vortex on November 23, 2015, 04:55:27 AM
Hi ToutEnMasm,

All of us know that the false positive problem cannot be solved easily. The AV companies are becoming more and more aggressive and I will not be surprised to see that they will make every effort to "stay in the agenda." The best I can tell is to analyze the binaries with a service like Jotti and contact the AV producer to submit an example demonstrating the false positive case.
Title: Re: Avast antivirus prevent running new applications
Post by: GoneFishing on November 23, 2015, 05:45:50 AM
Talking about the wind ... I like that expression  .
In Russia we have another idiom: Don't p*ss against the wind which sounds like a caution :biggrin:
In conclusion I want to quote myself :
Quote
Ahhh ... false positives
We got used to it
;)
Title: Re: Avast antivirus prevent running new applications
Post by: TWell on November 23, 2015, 08:54:48 AM
After making some tests with msvcrt.dll I saw that using a different linker can help.
Like a warning with polink and no warnings with MS link version 14
Title: Re: Avast antivirus prevent running new applications
Post by: hutch-- on November 26, 2015, 05:37:04 AM
> In Russia we have another idiom: Don't p*ss against the wind which sounds like a caution

Must be universal, in OZ idiom the expression "pissing into the wind" is usually the definition of futility.  :biggrin:
Title: Re: Avast antivirus prevent running new applications
Post by: ToutEnMasm on November 27, 2015, 05:10:30 AM
For TWell,
For testing, here is a different version of cherche which just uses the original msvcrt.lib
without using the crt functions. Code is the same, see if Avast generates a false positive.
Normally not.
If a DLL is missing, "c++ redistributable 2015", Windows 10 compile
Title: Re: Avast antivirus prevent running new applications
Post by: TWell on November 27, 2015, 05:14:09 AM
No warnings with Avast :t
Needs VCRUNTIME140.dll  :(