The MASM Forum

Projects => MASM32 => AV Software sh*t list => Topic started by: jj2007 on November 12, 2016, 01:15:03 AM

Title: Bitdefender: A complete disaster, hands off!
Post by: jj2007 on November 12, 2016, 01:15:03 AM
Inspired by my experience with Microsoft Security Essentials, a steaming pile of sh*t (http://masm32.com/board/index.php?topic=5795.0), I consulted several testing sites (example (https://www.av-test.org/en/antivirus/home-windows/windows-7/august-2016/bitdefender-internet-security-2016-163191/)) and found that Bitdefender looked very interesting. So I ditched MSE and installed Bitdefender Antivirus Free Edition (http://www.bitdefender.it/solutions/free.html).

Installation went smoothly, but then it started playing havoc with my Masm32 installation: Over 300 "threats" detected, exclusively absolutely innocuous files that I have assembled myself. And what does Bitdefender do in these cases? IT DELETES THEM! No quarantine where you could recover these files, they are LOST :dazzled:

Fortunately, I have all sources, of course. When trying to rebuild some, it seems that BD blocks the linker, too.

At one moment, BD pops up and says "update failed, error 1609" - oh my dear coder friends, can't you understand that numeric errors are a no-no???

So I decided to give them a chance, and registered at the BD forum. The usual process - give your name, wait for a confirmation mail. Which didn't arrive, but later I found it in the spam folder. OK, so I click confirm and go back to the forum, but no luck, it just doesn't work, whatever I tried.

There is also a login option from the UI (utterly confused and crappy, windows with captions but no text, ... sheer horror), but it ends up with a cryptic error message:
Code:
The address wasn't understood

Firefox doesn't know how to open this address, because one of the following protocols (native) isn't associated with any program or is not allowed in this context.

In short: Hands off.
Title: Re: Bitdefender: A complete disaster, hands off!
Post by: GuruSR on November 14, 2016, 07:53:19 AM
Oh, sorry.  Should have suggested to avoid that like the plague...  Kaspersky and Avast are the only ones I would trust, although, Avast decided to let me compile a program today 1 time, run it, found a mistake, ended it, recompiled it and poof, it went away!  Apparently Avast thought the "fixed" compile was EVIL and ate it, but it was in the quarantine so I could get it back out, but I recompiled it anyways and this time it didn't do anything with it, so I probably found a linker bug...  Ah well, it's good.  But those are the only 2 viable anti-viruses I would trust that have quarantines.

GuruSR.
Title: Re: Bitdefender: A complete disaster, hands off!
Post by: hutch-- on November 14, 2016, 10:12:06 AM
Avast is also a bug ridden heap of sh*t. Anything that drops false positives on perfectly sound binaries has something wrong with it. In the case of Avast it drops false positives on anything that was linked with POLINK when you know for certain that there is nothing wrong with the format of the PE header that it produces. There is every reason to put the boot into sloppy AV vendors as their mistakes with false positives destroy the work of decent programmers who develop in properly secured environments.

Over the years, Eset, Kaspersky and the Microsoft AV scanners have been the best in terms of false positives, but anyone who sets up consumer freeware in a development profile is asking for trouble. If you know what you are doing in terms of security, only ever run "on demand" AV scanning, and here MALWAREBYTES is the one to go for. (With thanks to sinsi for the original suggestion some years ago.)
Title: Re: Bitdefender: A complete disaster, hands off!
Post by: GuruSR on November 14, 2016, 11:50:28 AM
I know there are issues and I can understand from a coder's point of view, it's a hassle, and it is, but actually, in most cases, it should be.  The AV is detecting similarities with viruses/malware, I'd rather it do that than ignore something that IS similar and I didn't write it.  Heuristics is not an exact science, hence the reason why it's "guess work".  I'd rather Avast, Kaspersky, etc, guess that what it saw *may* be dangerous rather than anti-viruses like AVG totally ignore it when it really IS.

I know, it's not a great thing, but as a programmer, it's up to us to make sure our code isn't going to do a false positive and if one AV is doing it, make sure to contact them to find out where it is flagging it as such (as most of the ones I've dealt with, do give me insight, Avast told me it was not liking the resources of the AppIcon, it apparently had the header wrong, again, linker issue from the looks of it).

As for Malwarebytes, good people, good software, which also ripped my code a new one (removed half of my coding directly, labeling most of it as malware [gen], thankfully I had backups).  I still have MWB on this machine, but I only run it to "look but don't touch", as I know it'll want to nuke those folders again.  (And half of them were tutorial asm files.)

GuruSR.
Title: Re: Bitdefender: A complete disaster, hands off!
Post by: jj2007 on November 14, 2016, 12:12:59 PM
Avast told me it was not liking the resources of the AppIcon, it apparently had the header wrong, again, linker issue

Now this is good advice for malware coders:
- use boring standard icons
- always add a manifest
- always use the standard Microsoft linker
- bloat your code as much as possible (e.g. with QT - about 8MB for a Hello World)
- do not pack your code; ClamAV will get you (https://virusscan.jotti.org/en-US/filescanjob/qpn35waaqg), as well as the geniuses from Trend Micro:
Quote
PAK_GENERIC.005 (http://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/pak_generic.005)

This is the Trend Micro detection for possibly malicious executable files that are compressed using Win32 compression tools. ...
It is a heuristic detection based on well-established characteristics inherent to compressed malware.
Title: Re: Bitdefender: A complete disaster, hands off!
Post by: hutch-- on November 14, 2016, 12:33:23 PM
We probably have a different view on this subject, Microsoft publish the 32 and 64 bit portable executable specifications and if an AV company does not fully understand these specifications, they should get off their arse and learn them. If you follow the route of having to fit into the comprehension of AV companies, you are passing the design of the OS specifications into the hands of the illiterate. The OS manufacturer is the only one competent to set the specifications of their system and any AV company that either does not understand that OR only passes a subset of the OS specifications needs to get off their arse and do it properly according to the OS specifications.

Now regarding resource data, primarily image data, there have been risks in the past of malware being embedded in image data and the solution is to use image creation applications that produce the correct format, often tools from other OS types save in slightly different formats and this may be the problem you have had with Avast. RE: Avast, if I get a posted APP that someone finds a problem with I send it to JOTTI which at last count passes the app through 19 different AV scanners, when the only one that shows an error is Avast, Avast is the problem. That is why this forum has an AV sh*t list.

The last complaint with Avast was any 64 bit app linked with Pelle's POLINK where you can guarantee that it produces a correctly formed PE header. Their blunder is they don't properly understand how the 64 bit header works and flag these apps as having a generic virus.

Now something that any programmer working on post XP OS versions should know is that you must have both a manifest AND a version control block and while malicious software can have both, it shuts up most crappy AV scanners. If their heuristic scanner design was up to scratch they should be able to track if there is some branch after the PE header that leads to malicious code instead of the normal entry point of an application. False positives add to their score count at the expense of proper evaluation of potentially malicious software, anyone who does this is writing crap to improve their advertising while increasing the risk of a viral/trojan/rootkit infection.
Title: Re: Bitdefender: A complete disaster, hands off!
Post by: hutch-- on November 14, 2016, 12:44:56 PM
Just as a note on the last posting by JJ, UPX while being a high quality executable compressor for both 32 and 64 bit executable files, it is crippled by the assumptions of the original authors, their theory is that all executables should be available to decompressing them and be able to recompress the exe. This makes it the preferred tool for a vast number of virus/trojan writers as they can open a file, install a virus into it then recompress it. Various AV companies know how it is used and flag anything compressed by UPX as dangerous. I read a very good article from one of the team members of the Microsoft AV scanner on detecting modified versions of UPX that try and avoid its detection but they also know how to detect the UPX stub.

It is easy enough to cripple the decompressions stub by overwriting the section header names with anything else you like, overwriting their copyright string is just as easy as long as you are careful but unless you are only using UPX locally, treat it like the plague as AV companies will treat it as a suspicious file simply because it is compressed with UPX.
Title: Re: Bitdefender: A complete disaster, hands off!
Post by: GuruSR on November 14, 2016, 01:41:02 PM
The biggest problem with watching for valid PE headers and resources is:

badsoftware.tmp

And it's opened as an exe, see that all the time.  It's got a valid header, even probably has a manifest and the resources too, so an AV that blindly ignores the manifest and PE header is going to scan that file the same way as it does an exe, com or dll.  Could blame them for being "lazy", but for them to include such things would increase scan time and slow the system even farther with more code, not sure anyone wants that.

And yes, I've contemplated using compression for executables, but the long history of what it was abused for and how AVs (MalwareBytes is also guilty of this) treat the file as bad has ruined its usefulness for those of us who actually wanted it for a good reason.

As for the difference between 64 and 32 bit executables, most AV software is 32 bit and a good deal of them ignore most of the PE, which reminds me, have to find that PE header viewer I had and re-install it (handy little thing for telling me the PE header on any file I right click on).

GuruSR.
Title: Re: Bitdefender: A complete disaster, hands off!
Post by: jj2007 on November 14, 2016, 08:40:17 PM
they should be able to track if there is some branch after the PE header that leads to malicious code instead of the normal entry point of an application.

Come on, you and I and Guru know how easy it would be to make an application that looks like a duck, walks like a duck, smells like a duck, uncompressed and with VCB and all that crap, only with a little jump table well after the normal entry point, five levels deep, with ecx set to some unsuspicious value at level 2, etc etc. You can bet that the more dangerous viruses and trojans look exactly like a duck but use that kind of trick.

Problem with heuristics is that they can only sort out applications that have been written by script kiddies in their early learning phase. Everything more sophisticated (stuxnet, ...) would require that the heuristics algo understands what's going on - and that's impossible. Heuristic scanners were OK some ten years ago, today they are just an anachronism.
Title: Re: Bitdefender: A complete disaster, hands off!
Post by: caballero on November 14, 2016, 09:47:33 PM
There are hundreds of AVs. Many of them give many false +. Google and other searchers base their navigation on such reports, hence many pages are labeled as suspicious. Well, it would be great if anybody would make a page that marks some AVs as suspicious too, according to their trust level; their reports should have a level of veracity too. I had to erase my site to clean it from such accreditations and then make for everything:

- use boring standard icons
- always add a manifest

... when I have time :)
Title: Re: Bitdefender: A complete disaster, hands off!
Post by: hutch-- on November 14, 2016, 11:40:13 PM
It's really easy to determine if a file is a PE exe or not: DOS header with leading MZ and a structure member that gives you an offset to the PE header with PE as its lead. These are easy and fast. The combined header size is less than 1k. If they are scanning on the basis of the file extension, they are easy meat for the virus brigade. Some just do it better than others with AV scanners and one of the simplest tests is the number of false positives, the more that occur, the crappier the AV scanner and there is some real crap out there. AVG is a shocker, freeware for consumer users but a nightmare for a programmer.

To deal with this chyte, I had to design a set of tests in the MASM32 installer to test executable read, write and delete then when the install had completed I had to test if the libraries had been written correctly because some of these piles of chyte silently deleted binary libraries and left the install broken. Some years ago I had some bunch of jerks from Germany playing vigilante who made a complaint to a hosting company I was using about a number of 1995 zip files that were archived on the site being infected because some crapheap AV scanner they were using thought that they were infected by an un-named generic virus that was written about 2010, 15 years after the files had been zipped.

Since they caused me some inconvenience in having to deal with the hosting company, I typed up a reply to these phuking morons which my hosting company sent back to them which referred them to the Microsoft Portable Executable specifications and my views on self elected vigilante groups. As you can imagine I did not receive any further response. As I have seen many people who write clean, tidy executables trashed by morons like this and crapheap AV scanners, I am all in favour of sh*tcanning them until they get off their arse and learn how to write decent code that does not drop false positives.
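The two posts above make one technical point between them: GuruSR's badsoftware.tmp case (a PE image hiding behind a non-executable extension) and hutch's description of the MZ / e_lfanew / "PE" check. Here is that check as an added example; it is not hutch's or the forum's code, and the constants (offset 0x3c for e_lfanew, 0x014c for I386 and 0x8664 for AMD64) are the values from the Microsoft PE/COFF specification. The sample buffers are constructed in the code (just headers, not runnable images), and the scanner decides by content only, never by extension, with the bounds checks a scanner must do before trusting an e_lfanew taken from an untrusted file.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: classify a buffer by its PE header content alone.
   Offsets and Machine values follow the Microsoft PE/COFF specification:
   "MZ" at 0, e_lfanew at 0x3c, "PE\0\0" at e_lfanew, Machine two bytes later. */
typedef enum {
    PE_NOT_MZ = 0,   /* no usable DOS header ("MZ" missing or buffer shorter than 0x40) */
    PE_BAD_LFANEW,   /* e_lfanew points past the data we have: truncated or bogus */
    PE_NOT_PE,       /* DOS header present but no "PE\0\0" signature (e.g. plain DOS exe) */
    PE_IMAGE_32,     /* IMAGE_FILE_MACHINE_I386  (0x014c) */
    PE_IMAGE_64,     /* IMAGE_FILE_MACHINE_AMD64 (0x8664) */
    PE_IMAGE_OTHER   /* valid PE signature, some other Machine value */
} pe_kind;

#define DOS_HEADER_SIZE  0x40
#define COFF_HEADER_SIZE 20      /* IMAGE_FILE_HEADER, follows the 4-byte signature */

/* PE headers are little-endian on every host, so read bytes explicitly. */
static uint16_t rd16(const unsigned char *p) {
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}
static uint32_t rd32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

pe_kind sniff_pe(const unsigned char *buf, size_t len) {
    if (len < DOS_HEADER_SIZE || buf[0] != 'M' || buf[1] != 'Z')
        return PE_NOT_MZ;
    uint32_t lfanew = rd32(buf + 0x3c);
    /* Bounds check before dereferencing: e_lfanew comes from the file, not from us. */
    if (lfanew > len || len - lfanew < 4 + COFF_HEADER_SIZE)
        return PE_BAD_LFANEW;
    if (memcmp(buf + lfanew, "PE\0\0", 4) != 0)
        return PE_NOT_PE;
    switch (rd16(buf + lfanew + 4)) {          /* IMAGE_FILE_HEADER.Machine */
        case 0x014c: return PE_IMAGE_32;
        case 0x8664: return PE_IMAGE_64;
        default:     return PE_IMAGE_OTHER;
    }
}

/* Constructed sample (headers only, not a real executable): "MZ", e_lfanew at 0x3c,
   then "PE\0\0" and a COFF header whose Machine field is set. Returns bytes written. */
size_t build_sample(unsigned char *out, size_t cap, uint32_t lfanew, uint16_t machine) {
    size_t total = (size_t)lfanew + 4 + COFF_HEADER_SIZE;
    if (lfanew < DOS_HEADER_SIZE || total > cap) return 0;
    memset(out, 0, total);
    out[0] = 'M'; out[1] = 'Z';
    for (int i = 0; i < 4; i++) out[0x3c + i] = (unsigned char)(lfanew >> (8 * i));
    memcpy(out + lfanew, "PE\0\0", 4);
    out[lfanew + 4] = (unsigned char)(machine & 0xff);
    out[lfanew + 5] = (unsigned char)(machine >> 8);
    return total;
}

/* Build a sample and sniff it. len != 0 truncates the buffer (simulates a short read);
   dos_only wipes the PE signature so only the DOS header remains. */
pe_kind sniff_sample(uint32_t lfanew, uint16_t machine, size_t len, int dos_only) {
    unsigned char buf[1024];
    size_t n = build_sample(buf, sizeof buf, lfanew, machine);
    if (n == 0) return PE_NOT_MZ;
    if (dos_only) memset(buf + lfanew, 0, 4);
    if (len != 0 && len < n) n = len;
    return sniff_pe(buf, n);
}

/* Stand-alone use: classify a file whatever its extension (.tmp, .dat, no extension). */
int main(int argc, char **argv) {
    static const char *names[] = { "not MZ", "bad e_lfanew (truncated or bogus)",
        "MZ but no PE signature", "PE32 (x86)", "PE32+ (x64)", "PE (other machine)" };
    if (argc < 2) { fprintf(stderr, "usage: %s file\n", argv[0]); return 2; }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror(argv[1]); return 2; }
    unsigned char head[4096];   /* both headers normally sit well inside the first 4 KB */
    size_t n = fread(head, 1, sizeof head, f);
    fclose(f);
    printf("%s: %s\n", argv[1], names[sniff_pe(head, n)]);
    return 0;
}
```

The ordering matters: the length check against e_lfanew happens before the signature compare, so a file that claims an e_lfanew beyond its own end is reported as malformed rather than read out of bounds. A scanner that keyed on the extension would never look at badsoftware.tmp at all; this one classifies it exactly as it would an .exe.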
Title: Re: Bitdefender: A complete disaster, hands off!
Post by: GuruSR on November 15, 2016, 04:20:22 AM
Actually, I don't mind Avast eating my compiles (well, I did at first until I found the reason out), tells me that somewhere some bug hit that messed the compile up, means other AVs will probably catch it too, so I compile again after a clean exit and restart of the IDE and re-compile again.  Though if I know Avast is *going* to whine about something in a section, I simply tell it to ignore that folder (Angry IP Scanner is one such folder) and I also go into the settings for the File System Shield component and set "Suspicious" to "No Action" and it usually doesn't whine.

One thing I do like about Avast's options, is the ability to turn it into IDIOT mode, where if the people's kids come home from school with a USB stick with "a friend's cool game" on it, it won't let them run it, complains to them.  Now typically when that happens, they never say "boo" to their parents about it (because they're too ignorant to know what I did) and I'm sure their parents are happy I *did* that to it, so their children can't be idiots with unknown software.

I guess the best thing to say about AVs, if you're programming, don't have one, at all, turn it off, disable it, uninstall it, just don't surf.  99% of the time I surf fine without an AV (or malware) and in the past 15+ years, I've never gotten hit by anything.

For those 1%'s out there, stay off the porn sites...

GuruSR.
Title: Re: Bitdefender: A complete disaster, hands off!
Post by: jj2007 on November 15, 2016, 08:54:45 AM
For those 1%'s out there, stay off the porn sites...

1%?? You are putting the World's population at a whopping 41 Billion :dazzled:

412M Accounts Breached on FriendFinder Sex Sites (https://www.wired.com/2016/11/hack-brief-412m-accounts-breached-friendfinder-sex-sites/)
Title: Re: Bitdefender: A complete disaster, hands off!
Post by: GoneFishing on November 15, 2016, 09:24:56 AM

412M Accounts Breached on FriendFinder Sex Sites (https://www.wired.com/2016/11/hack-brief-412m-accounts-breached-friendfinder-sex-sites/)

Only 62,6M accounts belong to so called "erotic" videochat + 7M Penthouse subscribers = 70M (or exactly 1% !!!)
Looks like Guru is not only coding guru  :dazzled:
Title: Re: Bitdefender: A complete disaster, hands off!
Post by: hutch-- on November 15, 2016, 11:00:10 AM
My main complaint about internet porn apart from the scams to raise money is that it is second hand sex for people who are not capable of finding it first hand. I think pretty girls are wonderful things and in the summer time in Sydney the quality of pretty girls running around the city comfortably exceeds the trash you see on the internet. I have always got on well with "young sheilas" which is handy as you can find out if they have a good looking maiden aunt.  :P
Title: Re: Bitdefender: A complete disaster, hands off!
Post by: GoneFishing on November 15, 2016, 09:23:48 PM
It was her who's done that  :biggrin:
(http://static.fjcdn.com/pictures/Ellen+fapper_30f94f_3417800.jpg)

see also Fox news "Ellen farber VS Louies c.k" (Original)  (https://www.youtube.com/watch?v=jY3FiaK4GG4)
Title: Re: Bitdefender: A complete disaster, hands off!
Post by: anunitu on November 15, 2016, 10:07:23 PM
Masturbation,just keep it to yourself.. :biggrin:
Title: Re: Bitdefender: A complete disaster, hands off!
Post by: GuruSR on November 16, 2016, 08:45:58 AM
Well, I guess we have to really thank the children of yesterday gone by, for making an industry a pain in the @$$ for us programmers...  Basically those children who had money to buy the computers, hack servers, write code, transmit that code, and watch the fun, compete against other rival groups to see who can hack the most.  Early day computer terrorism and yet, Obama ignores it, maybe, just maybe, if we all wish hard enough (just safely, don't burst a brain cell on this), that Trump will actually class computer hackers as terrorists and go after them too and maybe he won't make it a death penalty.

As for Porn, you're "safe" so long as you don't use a hackable browser, and that is basically most of them.

IE, Firefox, Chrome, Edge, any Chromium based browser that supports their addons, are all easily hacked.  So avoid those and find something that isn't.  Opera 12.17 (12.18 maybe, never did test that version, but 12.17 was the better), not the new Opera/Vivaldi (Chromium based).  The one I'm preferring now is called Maxthon, it's chromium based BUT has its own market and does come with Ad-Block Plus included. So Avast is being used via the web proxy only, there is no plugin/addon for it, means no Avast notice about my surfing.

And I don't bother with porn sites, basically they're soap operas without clothing (and sappier, if that's even possible).

GuruSR.
Title: Re: Bitdefender: A complete disaster, hands off!
Post by: jj2007 on November 16, 2016, 09:22:58 AM
Update on topic:

Bitdefender keeps sending me emails reassuring me that they take my issue damn seriously, and inviting me at the same time to provide "support tool logs". If they had ever read my mails or this thread, they would know that no support log can heal the crappy behaviour of BD. No AV should ever delete executables, they may quarantine them until the user gives the OK to delete them, full stop.

There is a dedicated page for Bitdefender at http://www.customerservicescoreboard.com/BitDefender :
Quote
153 Negative Comments out of 158 Total Comments is 96.84%
Title: Re: Bitdefender: A complete disaster, hands off!
Post by: GuruSR on November 16, 2016, 12:20:39 PM
OH, OH, OH, you'll LOVE this one.

While I was readying stuff on tinyupload.com to post links here for people to try stuff, I decided to see if the website I had some of them on was still around and found Mediafire said one of them was "Dangerous", well, after going to Mediafire, I found out it said one of the *INSTALLERS* of one of my programs that has been on the web since 2002, was flagged by...  wait for it... BITDEFENDER as being infected!

So, I went through the process of going onto MediaFire, seeing what stupid BitDefender said, removing everything off of that dumb storage site and logged out. Well, I tossed all the programs for fear that BitDefender would eat more of them.  Back to the website I did in 2002 for those freeware programs, wildly enough it's still there, but, they moved it to Lycos and now to some other place, but in order for me to delete it (and get rid of it since the files no longer exist), I had to... reactivate it and email verify that!  Then when it was reactivated, I could delete it, umm, what moron thought that up, if it's inactive why is it still visible on the web?

GuruSR.

P.S.  I'll find a spot to post the links and programs, somewhere around here, definitely not in this forum sub section.
Title: Bitdefender Customer Care - a bunch of lousy bots
Post by: jj2007 on November 28, 2016, 01:52:14 AM
Update on a non-existing "customer care service": currently, a dozen mails received, none of them shows the faintest sign of an attempt to look at the issue (which is that Sh*tdefender deletes executables without asking for permission), or of any human intervention :icon13:

I have highlighted in red the part where they are not lying :biggrin:

Quote
Bitdefender Support Center <bdsupport@tickets.bitdefender.com>
Dear Jochen, Please be informed that you have an open Customer Care request, ticket no: 2016111112290001, that requires further information from your side to complete. Since we have not heard back from you in a while, please reply to our last e-mail with the necessary information so tha…
Thursday, Bitdefender Support Center <bdsupport@tickets.bitdefender.com>
Dear Jochen, Thank you for your reply. We have sent you a email regarding this case, it would seem that email did not reach your Inbox. Please check your Spam Folder or any active rules you may have setup. We have attached the contents of the previous email for your convenience. In order to as…
Tuesday, Bitdefender Support Center <bdsupport@tickets.bitdefender.com>
Dear Jochen, Please be informed that we are currently working on resolving your Customer Care request, ticket no: 2016111112290001, and will be getting back to you shortly. Thank you for your patience. Regards, Bitdefender Customer Care Team [Bitdefender Awake](http://www.bitdefend…
November 19, Me
Hey, tell your coder that you are a really lousy bot :-)
November 19, Bitdefender Support Center <bdsupport@tickets.bitdefender.com>
Dear Jochen, Please be informed that you have an open Customer Care request, ticket no: 2016111112290001, that requires further information from your side to complete. Since we have not heard back from you in a while, please reply to our last e-mail with the necessary information so tha…
November 16, Bitdefender Support Center <bdsupport@tickets.bitdefender.com>
Dear Jochen, Thank you for your reply. In order to assist you with the encountered issue we require the logs from the Bitdefender Support Tool and samples. Without the requested information we are unable to see what happened on that machine that caused this behavior and be able to reproduce th…
November 15, Me
Here is my reply. <http://masm32.com/board/index.php?topic=5796.0>
November 15, Bitdefender Support Center <bdsupport@tickets.bitdefender.com>
Dear Jochen, Thank you for your reply. First of all, we are sorry for the delay of our answer and we hope to assist you in a timely fashion from now on. Kindly be informed that we have not received your support tool log. Because of the situation you have encountered and not being able to sent us …
November 14, Bitdefender Support Center <bdsupport@tickets.bitdefender.com>
Dear Jochen, Please be informed that we are currently working on resolving your Customer Care request, ticket no: 2016111112290001, and will be getting back to you shortly. Thank you for your patience. Regards, Bitdefender Customer Care Team [Bitdefender Awake](http://www.bitdefend…
November 11, Me
Solved??? You are kidding. Do you read mails? And don't be surprised if Google sends your victims, pardon: clients to http://masm32.com/board/index.php?topic=5796.0 Incredible, this "service".
November 11, Bitdefender Support Center <bdsupport@tickets.bitdefender.com>
Dear Jochen, Thank you for your last email. We are very glad that the issue has been solved. Please don't hesitate to contact us, should you need any assistance in the future. Have a wonderful day! Best Regards, Emma Murganic Bitdefender Support Team -------------------------- http://www.bi…
November 11, Me
Dear Bitdefender team, That sounds complicated, but fortunately I've done most of the work already, see http://masm32.com/board/index.php?topic=5796.0 Have a nice day, too Jochen On 11.11.16 14:26, Bitdefender Support Center wrote: > > > Dear Jochen, > > > Thank you for choosing our sec…
November 11, Me
Dear Bitdefender team, That sounds complicated, but fortunately I've done most of the work already, see http://masm32.com/board/index.php?topic=5796.0 Have a nice day, too Jochen
November 11, Bitdefender Support Center <bdsupport@tickets.bitdefender.com>
Dear Jochen, Thank you for choosing our security solution, Bitdefender. In order to troubleshoot the issue you are encountering please send us the following: 1. A Support Tool log; 2. Autoruns log 3. Minidumps 1. How to generate a Support Tool log: - Navigate to this location: C:\Program Fi…
November 11, Bitdefender Support Center <bdsupport@tickets.bitdefender.com>
Dear Jochen, Thank you for contacting the Bitdefender Support Service. This is an automatic message to confirm that we have received your request and that we are working to resolve the reported situation as quickly as possible. The ticket number…
Title: Re: Bitdefender: A complete disaster, hands off!
Post by: GoneFishing on November 28, 2016, 02:50:48 AM
Hi Jochen,
May I call you Jesus for short?
Title: Re: Bitdefender: A complete disaster, hands off!
Post by: jj2007 on November 28, 2016, 03:06:40 AM
Hi Jochen,
May I call you Jesus for short?

I am indeed far too patient with them :P
Title: Re: Bitdefender: A complete disaster, hands off!
Post by: GoneFishing on November 28, 2016, 03:18:51 AM
Mmmm, Emma Murganic ... I'll meditate on it tonight!

P.S.: sounds sexy, almost like fata Morgana  :biggrin:
Title: Re: Bitdefender: A complete disaster, hands off!
Post by: rrr314159 on November 28, 2016, 07:26:00 AM
I think I'll stick with Ellen Fapper
Title: Re: Bitdefender: A complete disaster, hands off!
Post by: jj2007 on May 03, 2017, 05:23:55 PM
Update on Bitdefender: It seems a real scam, judging by these comments. (https://disqus.com/home/discussion/pcmag/bitdefender_antivirus_plus_2015/)
Title: Re: Bitdefender: A complete disaster, hands off!
Post by: Mondragon on August 18, 2017, 06:05:07 PM
One trick that's worked for me is to go into the AV's settings BEFORE your first scan, and place your development folders into a whitelist (not scanned by AV). Be careful to add them to the in-memory scans as well as the file system scans and you should be good. The thing is, you just can't forget to do this if you create a new directory outside of the one you already specified or else it's back to the drawing board again. I use Symantec and they have a setting hidden way deep in the AV settings for disabling memory and file system scans on a per-directory basis. Not sure about the others but that should do it for Symantec at least.


Oh also: BitDefender is the only AV who licenses their engine out... So basically if BitDefender has a false positive, it will also show on like 8 other AV platforms because they all use the BD engine. It is extremely anal and flags a lot of false positives, so yes BD is not the best :)