Topic: Another story about AV

Gunther

Another story about AV
« on: February 08, 2013, 09:31:58 AM »
At the moment I've been experimenting a bit with as and ld from the GNU compiler collection. I've written a small Win32 application, assembled it with as (it performs very well) and linked it with ld into the running application. It displays only a message box with caption and text; that's not very exciting. If anyone should be interested, I could post the code in the Workshop.

I've done that inside VirtualPC with Windows XP, SP3. The equivalent C program has a size of 50 KB; the assembly language program has a size of 2048 bytes, which isn't so bad and no surprise. But the joke is: I had to copy the application from the VM into my Windows 7 system for testing purposes. During the copy process the real-time AV scanner gave an alert: the EXE contains the trojan TR/Crypt.XPACK.Gen. What garbage! I had to turn off the real-time scanner to start the little program under Windows 7.

And what's the reason? For ld I used the command line switch -s, which strips all symbols from the running EXE. That makes another false positive, at least for the AVIRA scanner.

Gunther
Get your facts first, and then you can distort them.
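The post above blames the alert on two traits of the EXE: ld -s zeroed the COFF symbol table, and the file is only 2048 bytes. As an added example (not code from the thread or from Avira), here is a small triage script that reads exactly those PE header fields, so a defender can see why a tiny, stripped image trips a generic heuristic before deciding whether the detection is a false positive. The byte blobs are constructed headers, not loadable executables, and the 4096-byte "tiny" threshold is an assumption, not a vendor's real rule.

```python
import struct

# COFF Characteristics bits (from the PE/COFF specification)
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
IMAGE_FILE_DEBUG_STRIPPED = 0x0200
TINY_EXE_BYTES = 4096  # assumed threshold for this demo, not Avira's real one

def build_sample(num_symbols, size, characteristics=0x0102):
    """Constructed MZ header + PE signature + COFF file header, zero-padded.
    Only the fields a triage script reads are filled in; it is not runnable."""
    e_lfanew = 0x40
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)  # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH",
                       0x014C,                      # Machine: IMAGE_FILE_MACHINE_I386
                       2,                           # NumberOfSections
                       0,                           # TimeDateStamp
                       0x400 if num_symbols else 0,  # PointerToSymbolTable (0 after ld -s)
                       num_symbols,                 # NumberOfSymbols (0 after ld -s)
                       0xE0,                        # SizeOfOptionalHeader (PE32)
                       characteristics)
    return (dos + b"PE\x00\x00" + coff).ljust(size, b"\x00")

def coff_header(data):
    """Parse the 20-byte COFF file header; raises ValueError on a malformed image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    fields = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    names = ("Machine", "NumberOfSections", "TimeDateStamp",
             "PointerToSymbolTable", "NumberOfSymbols",
             "SizeOfOptionalHeader", "Characteristics")
    return dict(zip(names, fields))

def strip_report(data):
    """Report the traits that made the thread's 2048-byte EXE look suspicious."""
    h = coff_header(data)
    stripped = h["NumberOfSymbols"] == 0 and h["PointerToSymbolTable"] == 0
    tiny = len(data) < TINY_EXE_BYTES
    return {
        "symbols_stripped": stripped,
        "debug_stripped": bool(h["Characteristics"] & IMAGE_FILE_DEBUG_STRIPPED),
        "tiny": tiny,
        "heuristic_hit": stripped and tiny,  # both traits together, as in the post
    }

if __name__ == "__main__":
    print("ld -s, 2048 bytes:", strip_report(build_sample(0, 2048)))
    print("unstripped, 50 KB:", strip_report(build_sample(37, 50 * 1024)))
```

Run it against a real file with `strip_report(open(path, "rb").read())`; a hit only says the image shares two cheap traits with packed malware, which is the reason a vendor then needs a closer look rather than proof of anything.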

Greenhorn

Re: Another story about AV
« Reply #1 on: February 08, 2013, 09:56:54 AM »
> If anyone should be interested, I could post the code in the Workshop.

Hi Gunther,

I would appreciate seeing the code (AT&T syntax?), but more interesting for me would be the command line for ld.
I've never got ld working to link ELF executables on my Linux (jcfuller's examples from JWasm).
So, you built a Win32 EXE on a Windoze System (with MinGW?) ?

Greenhorn

Gunther

Re: Another story about AV
« Reply #2 on: February 08, 2013, 10:50:38 AM »
Hi Greenhorn,

> I would appreciate seeing the code (AT&T syntax?), but more interesting for me would be the command line for ld.

No, no, Intel syntax. It's more readable. But if you wish, I could convert it to AT&T :lol: :lol: :lol:.

> I've never got ld working to link ELF executables on my Linux (jcfuller's examples from JWasm).

I have some working examples with nasm + ld here: http://masm32.com/board/index.php?topic=436.0. Please check out build_demo1.sh for dynamic linking with ld; yasm will do the same job. Approximately Intel syntax, that's for sure.

> So, you built a Win32 EXE on a Windoze System (with MinGW?) ?
>
> Greenhorn

Yes, of course; that was my plan. I'll upload the source inside the Workshop, although it's not very exciting. The only interesting point is the usage of as and ld from MinGW.

Gunther
Get your facts first, and then you can distort them.

Magnum

Re: Another story about AV
« Reply #3 on: February 10, 2013, 06:16:39 PM »
> At the moment I've been experimenting a bit with as and ld from the GNU compiler collection. I've written a small Win32 application, assembled it with as (it performs very well) and linked it with ld into the running application. It displays only a message box with caption and text; that's not very exciting. If anyone should be interested, I could post the code in the Workshop.
>
> I've done that inside VirtualPC with Windows XP, SP3. The equivalent C program has a size of 50 KB; the assembly language program has a size of 2048 bytes, which isn't so bad and no surprise. But the joke is: I had to copy the application from the VM into my Windows 7 system for testing purposes. During the copy process the real-time AV scanner gave an alert: the EXE contains the trojan TR/Crypt.XPACK.Gen. What garbage! I had to turn off the real-time scanner to start the little program under Windows 7.
>
> And what's the reason? For ld I used the command line switch -s, which strips all symbols from the running EXE. That makes another false positive, at least for the AVIRA scanner.
>
> Gunther

Why do you have to test a 32-bit program in a VM under Win 7?

Andy

Take care,
Andy

Ubuntu-mate-18.04-desktop-amd64

http://www.goodnewsnetwork.org

Vortex

Re: Another story about AV
« Reply #4 on: February 10, 2013, 08:21:25 PM »
Hi Gunther,

I received the same warning messages for small executables from Avira. I know that it's a false positive. Unfortunately, some AV software has a high percentage of false positives.

Gunther

Re: Another story about AV
« Reply #5 on: February 10, 2013, 10:22:00 PM »
Hi Erol,

yesterday I downloaded qWord's macro library: http://masm32.com/board/index.php?topic=1457.0. The same bad story.

Gunther
Get your facts first, and then you can distort them.

Vortex

Re: Another story about AV
« Reply #6 on: February 11, 2013, 03:30:44 AM »
Hi Gunther,

Do you have the option to try another AV?

Gunther

Re: Another story about AV
« Reply #7 on: February 11, 2013, 03:57:32 AM »
Hi Erol,

> Do you have the option to try another AV?

in theory, yes. I would have to install the other scanner, probably uninstall Avira, etc. etc. Is that worth the effort? On the other hand, what's a good AV that works under Win64?

Gunther
Get your facts first, and then you can distort them.