Author Topic: Avast antivirus prevent running new applications  (Read 5016 times)

vosk

  • Regular Member
  • *
  • Posts: 3
Avast antivirus prevent running new applications
« on: November 21, 2015, 06:56:24 AM »
Hello, recently I have installed MASM32 but I have experimented some strange thing, my avast is preventing to run whatever executable created through masm, even the testinst.exe generated on installation.

What happens is the process for the executable file appears on the task admin, but there's no cosole nor window pop, no way to stop process, and no way to delete exe file (until restart).

The only solution I've found is to stop antivirus file system scan while using masm32.

I'm not sure if this is a question to avast forum or I've placed on the right place, but I would like to know if someone else have experimented the same behavior.

Thanks in advance
And best regards

vosk

jj2007

  • Member
  • *****
  • Posts: 7548
  • Assembler is fun ;-)
    • MasmBasic
Re: Avast antivirus prevent running new applications
« Reply #1 on: November 21, 2015, 07:14:02 AM »
Some AV are notoriously bad at distinguishing malware from legit software, most of us have seen this.

On the other hand, what you can do with assembler is often beyond the capacity of standard software, and therefore it is not totally stupid to shout alarm. Check if Avast has an option to exclude certain folders (such as \Masm32\ and all sub-folders) from scanning.

vosk

  • Regular Member
  • *
  • Posts: 3
Re: Avast antivirus prevent running new applications
« Reply #2 on: November 21, 2015, 07:39:58 AM »
Ok thanks for your reply

I've found on the avast setup the exclusion list, so I add the project dir's path and now I can go on with my work

Thank's jj2007 for your help
Regards

vosk

ToutEnMasm

  • Member
  • *****
  • Posts: 1189
    • EditMasm
Re: Avast antivirus prevent running new applications
« Reply #3 on: November 22, 2015, 01:36:22 AM »
To prevent false positive with avast,link your project with the vc++ msvcrt.lib,not the masm32 one. ( result of tests on further machine).
There is no need to use the msvcrt functions,result is the same.
That will be enough.Lib from sdk are also welcome.

Fa is a musical note to play with CL

vosk

  • Regular Member
  • *
  • Posts: 3
Re: Avast antivirus prevent running new applications
« Reply #4 on: November 22, 2015, 04:50:33 AM »
Hello ToutEnMasm, thanks for your comment and time

I'm very new in all that, so sorry if I don't understand what you are talking about; on my MASM installation there's no msvcrt.lib and I'm not familiar enough with masm (nor other assemblers, for the moment I'm practicing with qeditor and also with winasm). I'll have in mind your advice, but for the moment let me play some days with the avast exclusion enabled as jj2007 suggested

Thanks again

Regards
vosk

TWell

  • Member
  • ****
  • Posts: 748
Re: Avast antivirus prevent running new applications
« Reply #5 on: November 22, 2015, 07:00:29 AM »
WinXP msvcrt.lib

I would avoid those msvc++ msvcrt.lib.

jj2007

  • Member
  • *****
  • Posts: 7548
  • Assembler is fun ;-)
    • MasmBasic
Re: Avast antivirus prevent running new applications
« Reply #6 on: November 22, 2015, 07:14:16 AM »
on my MASM installation there's no msvcrt.lib

Check \Masm32\lib\msvcrt.lib

It works fine, no reason to pick another one that might cause problems with other installations.

@TWell: What is the difference to the standard Masm32 lib?

hutch--

  • Administrator
  • Member
  • ******
  • Posts: 4811
  • Mnemonic Driven API Grinder
    • The MASM32 SDK
Re: Avast antivirus prevent running new applications
« Reply #7 on: November 22, 2015, 07:20:09 AM »
vosk,

MASM32 creates its own version of MSVCRT so it can use the MSVCRT dynamic link library functions. What is created is purely an IMPORT library where if you start using the VC libraries you start to pull in the main C runtime libraries which will make your executable files much larger. If you have a look at the MASM32 directory structure, you will see a "tools" directory that has a sub directory "makecimp". This is how the MASM32 version of MSVCRT is made. The whole idea of doing this is so you can use the VC DLL functions without the overhead of the VC runtime libraries.
hutch at movsd dot com
http://www.masm32.com    :biggrin:  :biggrin:

TWell

  • Member
  • ****
  • Posts: 748
Re: Avast antivirus prevent running new applications
« Reply #8 on: November 22, 2015, 08:04:49 AM »
@jj2007
Code: [Select]
msvcrtWinXP.def
___CxxCallUnwindDtor
___CxxDetectRethrow
___CxxExceptionFilter
___CxxQueryExceptionSize
___CxxRegisterExceptionObject
___CxxUnregisterExceptionObject
___DestructExceptionObject
____lc_codepage_func
____lc_handle_func
____mb_cur_max_func
____setlc_active_func
____unguarded_readlc_active_add_func
___crtCompareStringW
___crtGetStringTypeW
___crtLCMapStringW
___iob_func
___pctype_func
___wcserror
__aligned_free
__aligned_malloc
__aligned_offset_malloc
__aligned_offset_realloc
__aligned_realloc
__cgetws
__cputws
__cwprintf
__cwscanf
__getwch
__getwche
__putwch
__resetstkoflw
__scprintf
__scwprintf
__set_SSE2_enable
__snscanf
__snwscanf
__strtoi64
__strtoui64
__ungetwch
__vscprintf
__vscwprintf
__wcserror
__wcstoi64
__wcstoui64
__wtof

Vortex

  • Member
  • *****
  • Posts: 1704
Re: Avast antivirus prevent running new applications
« Reply #9 on: November 22, 2015, 08:43:59 AM »
Hi ToutEnMasm,

Jochen and Hutch are right, no need to use other libraries from MS VC installations making things much more complicated. The import library from the Masm32 setup does all the job.

jj2007

  • Member
  • *****
  • Posts: 7548
  • Assembler is fun ;-)
    • MasmBasic
Re: Avast antivirus prevent running new applications
« Reply #10 on: November 22, 2015, 08:47:55 AM »
__aligned_malloc

Functions that were not available before WinXP, right?

ToutEnMasm

  • Member
  • *****
  • Posts: 1189
    • EditMasm
Re: Avast antivirus prevent running new applications
« Reply #11 on: November 22, 2015, 06:49:54 PM »

What is more simple ?
More simple is to use the given libraries as they are ,there is just need of include files.
Doing this offer many advantages,one of it is to be not recognize as a virus.
Fa is a musical note to play with CL

Vortex

  • Member
  • *****
  • Posts: 1704
Re: Avast antivirus prevent running new applications
« Reply #12 on: November 22, 2015, 08:29:14 PM »

What is more simple ?
More simple is to use the given libraries as they are ,there is just need of include files.

Easy. You need to see the internals of the original MS libraries to make the judgement :

H:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\lib\msvcrt.lib from the VS2010 Express + Windows 7 installation

It contains a lot of highly decorated symbols which has no use for the Masm32 coders for general purpose programming :

Code: [Select]
??0?$_SpinWait@$00@details@Concurrency@@QAE@P6AXXZ@Z (public: __thiscall Concurrency::details::_SpinWait<1>::_SpinWait<1>(void (__cdecl*)(void)))

As you know, this is the C++ decoration scheme of MS.

\masm32\lib\msvcrt.lib does not contain them.

Quote
C run-time library (without iostream or standard C++ library) : msvcrt.lib
Associated DLL : msvcr100.dll

Characteristics : Multithreaded, dynamic link (import library for MSVCR100.DLL). Be aware that if you use the Standard C++ Library, your program will need MSVCP100.DLL to run.

It's about msvcrt100.dll and not msvcrt.dll

https://msdn.microsoft.com/en-us/library/abx4dbyh%28v=vs.100%29.aspx

Obviously, you can see that \masm32\lib\msvcrt.lib is more simple.

You would like to read this article :

Fighting the MSVCRT.DLL hell

http://www.syndicateofideas.com/posts/fighting-the-msvcrt-dll-hell

Quote
Doing this offer many advantages,one of it is to be not recognize as a virus.

Why the library msvcrt.lib supplied with Masm32 should be identified as a virus? You can check the report of Jotti :

https://virusscan.jotti.org/en-US/filescanjob/x7nmyskhu6

TWell

  • Member
  • ****
  • Posts: 748
Re: Avast antivirus prevent running new applications
« Reply #13 on: November 22, 2015, 09:04:04 PM »
Problems are in user code, not in msvcrt.dll.
MSVC msvcrxxx.lib have code in it too. It isn't just an import-library.
Using some msvcrxxx doesn't help against virus-alarm.
For example jj2007 RtlRandomEx.zip ent.exe.

ToutEnMasm

  • Member
  • *****
  • Posts: 1189
    • EditMasm
Re: Avast antivirus prevent running new applications
« Reply #14 on: November 23, 2015, 12:43:56 AM »
Quote
Why the library msvcrt.lib supplied with Masm32 should be identified as a virus? You can check the report of Jotti :
It is a build without the original msvcrt.lib who his identify as a virus.
There is some proc added by the linker who aren't in the masm32 package and aren't use in the asm source code.
Remenber what i said:
Quote
To prevent false positive with avast,link your project with the vc++ msvcrt.lib,not the masm32 one. ( result of tests on further machine).
There is no need to use the msvcrt functions,result is the same.
That will be enough.Lib from sdk are also welcome.

( result of tests on further machine). This one isn't only based on one sample,try to find a c++ sample (who use all the original msvcrt.lib) who generate a false positive.
I wait,the rule must be apply to all not to an exception,allways possible.
Fa is a musical note to play with CL