Author Topic: Have you experienced problems installing masm32 with lousy AV products ?  (Read 16416 times)

dedndave

  • Member
  • *****
  • Posts: 8751
  • Still using Abacus 2.0
    • DednDave
i suppose if the project is on the same (network) drive, it may work
i think the message is, you can't install masm32 on a network drive and build on a local drive

but, a USB flash drive is not the same as a network drive   :P

Cokaric

  • Guest
damn guys, I have never been on such a board when I post something and not one but two ppl answer in like 10 minutes... seems like I will stick to this board :)

Anyway, I succeeded in accessing the C:\ drive; access to the C:\ drive was also blocked. I copied the files the extractor created to my USB drive and I will test compiling my MASM project on another computer and report here. Just currently I am running out of time, since I spent the last hour figuring out how to tamper with the library security. Hopefully the things I learned today will help me in the future or change their minds about leaving stuff unprotected or protected at all, since obviously their protection is useless...

I have network drive back home so will test that as well. But I think there should be no problem :)

Jeff

  • Guest
Symantec Endpoint Protection reports the following:
dlgmake.exe (Backdoor.Graybird) - Forced deletion with restart required
poasm1k.exe (Trogan.Gen.2) - Quarantined
zoomin.exe (Trojan.Startpage.G) - Deleted

I'm attempting to undo with Smc.exe and see if they get re-picked up by the AV scanner after reboot. :(
I'm on my corporate dev machine, so I have very little control over the AV.

jj2007

  • Member
  • *****
  • Posts: 7756
  • Assembler is fun ;-)
    • MasmBasic
Some AVs allow you to exclude specific folders and their subfolders from scanning. That is generally the only option which really works for \Masm32... because executables below 100k are suspicious by definition in BloatOS :P
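A scoped folder exclusion of the kind described above, written as an added example (not code from this thread or from the MASM32 project): it assumes Windows Defender's PowerShell module (the successor to the MSE discussed here, so not applicable on XP-era MSE), the install root C:\Masm32, and placeholder known-good hashes that you compute yourself from a clean copy of the package.

```powershell
# Added example: exclude only the MASM32 tree from scanning instead of switching
# real-time protection off, and record the hashes of the flagged files first so
# the "false positive" verdict can be checked against a clean copy of the package.
# Assumes the Defender PowerShell module and the install root below.
#Requires -RunAsAdministrator

$Masm32Root = 'C:\Masm32'                                  # assumption: default install root
$Flagged    = 'dlgmake.exe', 'poasm1k.exe', 'zoomin.exe'   # names reported by SEP in the thread

# 1. Hash whatever is actually on disk before anything is excluded or restored.
$hashes = Get-ChildItem -Path $Masm32Root -Recurse -Include $Flagged -File |
    Get-FileHash -Algorithm SHA256
$hashes | Format-Table Hash, Path -AutoSize

# Hashes taken from a freshly downloaded copy of the same package version
# (placeholders; substitute the values you computed on a clean machine).
$KnownGood = @{
    'dlgmake.exe' = '<sha256-from-clean-copy>'
    'poasm1k.exe' = '<sha256-from-clean-copy>'
    'zoomin.exe'  = '<sha256-from-clean-copy>'
}
foreach ($h in $hashes) {
    $name  = Split-Path $h.Path -Leaf
    $state = if ($h.Hash -eq $KnownGood[$name]) { 'matches clean copy' }
             else { 'DIFFERS from clean copy - do not exclude, investigate' }
    '{0,-14} {1}' -f $name, $state
}

# 2. Only once every flagged file matches: exclude the MASM32 tree alone, so
#    real-time protection stays on for the rest of the system.
Add-MpPreference -ExclusionPath $Masm32Root

# 3. Confirm the exclusion is scoped to that one folder.
(Get-MpPreference).ExclusionPath
```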

dedndave

  • Member
  • *****
  • Posts: 8751
  • Still using Abacus 2.0
    • DednDave
none of those files are critical to use of the package

restart required on dlgmake ??? - lol

the poasm1k file - i can see why it might have got that one   :P

Jeff

  • Guest
Symantec Endpoint Protection reports the following:
dlgmake.exe (Backdoor.Graybird) - Forced deletion with restart required
poasm1k.exe (Trogan.Gen.2) - Quarantined
zoomin.exe (Trojan.Startpage.G) - Deleted

I'm attempting to undo with Smc.exe and see if they get re-picked up by the AV scanner after reboot. :(
I'm on my corporate dev machine, so I have very little control over the AV.
After "undoing" the actions listed above with Endpoint Protection, then rebooting, they are still marked and deleted/quarantined...

Good to hear they are not critical.

Gunther

  • Member
  • *****
  • Posts: 3517
  • Forgive your enemies, but never forget their names
Jeff,

After "undoing" the actions listed above with Endpoint Protection, then rebooting, they are still marked and deleted/quarantined...

Good to hear they are not critical.

those are so-called false positives. There's no danger in installing the MASM32 package. Trust me.  :icon_cool:

Gunther
Get your facts first, and then you can distort them.

MichaelW

  • Global Moderator
  • Member
  • *****
  • Posts: 1209
Back when I was using NAV I have never had it find any problem in the MASM32 package, and the same for the MSE that I am currently using.
Well Microsoft, here’s another nice mess you’ve gotten us into.

Gunther

  • Member
  • *****
  • Posts: 3517
  • Forgive your enemies, but never forget their names
Michael,

Back when I was using NAV I have never had it find any problem in the MASM32 package, and the same for the MSE that I am currently using.

I'm unsatisfied with Avira (very annoying). What would you recommend?

Gunther
Get your facts first, and then you can distort them.

dedndave

  • Member
  • *****
  • Posts: 8751
  • Still using Abacus 2.0
    • DednDave
it seems that Michael is using MSE

i like AdAware
although, i don't like AV's that scan all the time
i disable it when i am not using it
it requires unchecking 2 items in MsConfig Startup tab and disabling 2 services (reboot)

but, it does a very good job of finding infected files - the best i have found, so far

MichaelW

  • Global Moderator
  • Member
  • *****
  • Posts: 1209
Hi Gunther,

I have been using MSE for about 2 months now.

I have experimented with the configuration somewhat, and have for now settled on a default configuration with a small number of excluded file types (source files and similar, but note that I don’t know if these types of files would be scanned even if they were not excluded).

With real-time protection enabled MSE is frequently active, and monopolizing the CPU, during normal use of my system. This is at times somewhat irritating, but this activity does seem to be triggered by just the sort of things that I would expect, and there is the option of turning real-time protection off when necessary. My P3 system all but stops responding while this is going on, probably indicating that MSE is doing something more or less complex, and I think also that it expects to be running on a processor with multiple (physical) cores. Under these same conditions even my 3GHz P4 Northwood system with HT enabled is very slow to respond. In Task Manager the “engine” MsMpEng.exe typically shows ~20 threads.

Microsoft seems to update the definitions at least once per day. The definition updates are automatic, and AFAICT there is no option to control this.

The quick scan seems to run fairly fast. I recently had to rebuild my P3 system, and part of that involved a full scan of a ~15 year accumulation of files (numbering in the millions). The scan took ~60 hours, with the default 50% CPU usage limit, and my using the system for several hours during the scan. And it found only two potential problems in some KMD kits from years ago, and IIRC one of them was a Microsoft product. One irritation here is that during the scan MSE notifies you that it found one or more problems, but provides no details, and AFAICT the only way to get the details is to let the scan run to completion.

And on both systems, both running Windows XP SP3, minimizing the MSE window will sometimes leave an image of the window on the desktop. I’m not sure what this means, but I’m hoping it means that the developers are concentrating on the primary function of MSE, and ignoring cosmetic details.
Well Microsoft, here’s another nice mess you’ve gotten us into.

Gunther

  • Member
  • *****
  • Posts: 3517
  • Forgive your enemies, but never forget their names
Michael, Dave,

thank you for your fast answers. I'll check both ways.

Gunther
Get your facts first, and then you can distort them.

jj2007

  • Member
  • *****
  • Posts: 7756
  • Assembler is fun ;-)
    • MasmBasic
False negatives
« Reply #27 on: September 24, 2013, 07:55:16 AM »
With real-time protection enabled MSE is frequently active, and monopolizing the CPU

I have it disabled most of the time, for that reason. But even enabled it doesn't find anything suspicious in this snippet, which is actually surprising. Only VBA32 complains...

include ... you know what ;-)
.code
start:
        Let esi=FileRead$(Mirror$("daernu=noitca?php.xedni/draob/moc.23msam//:ptth"))        ; Jotti 1/22 (VBA32)
        invoke ExitProcess, 0
end start

Actually, I can launch it from C:\ (yes, the root), read a file and launch it - and not the faintest sign of "realtime protection" ::)

Magnum

  • Member
  • *****
  • Posts: 2242
Re: Have you experienced problems installing masm32 with lousy AV products ?
« Reply #28 on: September 24, 2013, 01:11:46 PM »
Symantec Endpoint Protection reports the following:
dlgmake.exe (Backdoor.Graybird) - Forced deletion with restart required
poasm1k.exe (Trogan.Gen.2) - Quarantined
zoomin.exe (Trojan.Startpage.G) - Deleted

I'm attempting to undo with Smc.exe and see if they get re-picked up by the AV scanner after reboot. :(
I'm on my corporate dev machine, so I have very little control over the AV.

I found Kaspersky to be among the better at not identifying a lot of false positives as well as having a great rescue CD program.

Andy
Take care,
                   Andy

Ubuntu-mate-16.04-desktop-amd64

http://www.goodnewsnetwork.org

Gunther

  • Member
  • *****
  • Posts: 3517
  • Forgive your enemies, but never forget their names
Re: Have you experienced problems installing masm32 with lousy AV products ?
« Reply #29 on: September 24, 2013, 06:45:44 PM »
Andy,

I found Kaspersky to be among the better at not identifying a lot of false positives as well as having a great rescue CD program.

Andy

yes, Kaspersky isn't bad. I've installed it in parallel to Avira.

Gunther
Get your facts first, and then you can distort them.