Author Topic: Avast antivirus prevent running new applications  (Read 5911 times)

TWell

  • Member
  • ****
  • Posts: 748
Re: Avast antivirus prevent running new applications
« Reply #15 on: November 23, 2015, 12:58:11 AM »
@ToutEnMasm
Example that without msvcrxxx which is alarmed by Avast:
sdkrc7\examples\cherche.exe
Link it with 2015 linker and check if alarm disappeared.
That link.exe inserts useless crap into exe.

ToutEnMasm

  • Member
  • *****
  • Posts: 1189
    • EditMasm
Re: Avast antivirus prevent running new applications
« Reply #16 on: November 23, 2015, 02:02:21 AM »
you are Talking in the Wind.
I know that this one needs to be recompiled with the original msvcrt.
Not talking in the Wind is to find a solution for the false positive antivirus.
What is your solution ????????????????
I want to know!
 
Fa is a musical note to play with CL

TWell

  • Member
  • ****
  • Posts: 748
Re: Avast antivirus prevent running new applications
« Reply #17 on: November 23, 2015, 03:23:08 AM »
A simple thing I ask and you can't do that?
Just recompile that f... project with that your beloved 2015 linker.
Too much to ask?
Then we know if virus-scanners are fooled with that.
You know results?

ToutEnMasm

  • Member
  • *****
  • Posts: 1189
    • EditMasm
Re: Avast antivirus prevent running new applications
« Reply #18 on: November 23, 2015, 03:29:41 AM »
Yes, I know the result; it is not the first prog I modify with success.

Quote
To prevent false positive with avast, link your project with the vc++ msvcrt.lib, not the masm32 one. (>>>>>>>>>>>>>>>result of tests on further machine<<<<<<<<<<<<<).
There is no need to use the msvcrt functions, result is the same.
That will be enough. Lib from sdk are also welcome.
Last test done one week ago with XP 3, avast actual version with my searchhttp (using c++ msvcrt.lib) and no false positive

Fa is a musical note to play with CL

TWell

  • Member
  • ****
  • Posts: 748
Re: Avast antivirus prevent running new applications
« Reply #19 on: November 23, 2015, 03:33:35 AM »
OK.
Quote
you are Talking in the Wind.

Vortex

  • Member
  • *****
  • Posts: 1734
Re: Avast antivirus prevent running new applications
« Reply #20 on: November 23, 2015, 04:18:45 AM »
Quote
It is a build without the original msvcrt.lib which is identified as a virus.

ToutEnMasm, there are basically two options for you :

a) You are neglecting all that I am posting here.
b) You don't understand what I tell.

I know that you are an intelligent person, so please pay attention to what I am telling. I sent the report of Jotti, I repeat :

https://virusscan.jotti.org/en-US/filescanjob/x7nmyskhu6

Do you see any virus indication in the report?

Another question : what is the original version of msvcrt.lib? Is it the one shipped with VS5, VS6 or the latest Visual Studio 2015? What is it supposed to do?

Quote
There is some proc added by the linker which aren't in the masm32 package and aren't used in the asm source code.

Now, could you clarify us about the procedure added by a specific version of msvcrt.lib? Why should I need it?

Quote
To prevent false positive with avast, link your project with the vc++ msvcrt.lib, not the masm32 one. ( result of tests on further machine).
There is no need to use the msvcrt functions, result is the same.
That will be enough. Lib from sdk are also welcome.

I use msvcrt.lib because the DLL exports some useful functions. I can even create that library with my def2lib tool. Never had a false positive problem with that import library. Better to stay away from crappy AV products.

Quote
( result of tests on further machine). This one isn't only based on one sample, try to find a c++ sample (which uses all the original msvcrt.lib) which generates a false positive.
I wait, the rule must be applied to all not to an exception, always possible.

This is a subforum dedicated to assembly programming so why should I bother with the C++ example? Your comment fits rather the Compiler based Assembler section :

http://masm32.com/board/index.php?board=17.0

To make it clear, I am sending you a quick example built with msvcrt.lib supplied with the Masm32 package. No false positive reported by Jotti :

Code:
.386
.model flat,stdcall
option casemap:none

include     \masm32\include\windows.inc
include     \masm32\include\kernel32.inc
include     \masm32\include\msvcrt.inc

includelib  \masm32\lib\kernel32.lib
includelib  \masm32\lib\msvcrt.lib

.data

string      db 'Hello world!',0

.code

start:

    invoke  crt_printf,ADDR string
    invoke  ExitProcess,0

END start

https://virusscan.jotti.org/en-US/filescanjob/asrnuopyy2

jj2007

  • Member
  • *****
  • Posts: 7761
  • Assembler is fun ;-)
    • MasmBasic
Re: Avast antivirus prevent running new applications
« Reply #21 on: November 23, 2015, 04:32:03 AM »
you are Talking in the Wind.

I Talk To The Wind

Quote
Said the straight man to the late man
Where have you been
I've been here and I've been there
And I've been in between.

I talk to the wind
My words are all carried away
I talk to the wind
The wind does not hear
The wind cannot hear.

I'm on the outside looking inside
What do I see
Much confusion, disillusion
All around me.

You don't possess me
Don't impress me
Just upset my mind
Can't instruct me or conduct me
Just use up my time

I talk to the wind
My words are all carried away
I talk to the wind
The wind does not hear
The wind cannot hear.

ToutEnMasm

  • Member
  • *****
  • Posts: 1189
    • EditMasm
Re: Avast antivirus prevent running new applications
« Reply #22 on: November 23, 2015, 04:45:43 AM »
Need just one answer:
What is your solution to avoid false positive with antivirus in asm, I stop here, without modifying the antivirus.
Fa is a musical note to play with CL

Vortex

  • Member
  • *****
  • Posts: 1734
Re: Avast antivirus prevent running new applications
« Reply #23 on: November 23, 2015, 04:55:27 AM »
Hi ToutEnMasm,

All of us, we know that the false positive problem cannot be solved easily. The AV companies are becoming more and more aggressive and I will not be surprised to see that they will try to do every effort to "stay in the agenda." The best that I can tell is to analyze the binaries with a service like Jotti and contact the AV producer to submit an example demonstrating the false positive case.

GoneFishing

  • Member
  • ****
  • Posts: 967
  • Gone fishing
Re: Avast antivirus prevent running new applications
« Reply #24 on: November 23, 2015, 05:45:50 AM »
Talking about the wind ... I like that expression  .
In Russia we have another idiom: Don't p*ss against the wind which sounds like a caution :biggrin:
In conclusion I want to quote myself :
Quote
Ahhh ... false positives
We got used to it
;)

TWell

  • Member
  • ****
  • Posts: 748
Re: Avast antivirus prevent running new applications
« Reply #25 on: November 23, 2015, 08:54:48 AM »
After making some tests with msvcrt.dll I saw that using a different linker can help.
Like warning with polink and no warnings with MS link version 14
« Last Edit: November 23, 2015, 04:24:39 PM by TWell »

hutch--

  • Administrator
  • Member
  • ******
  • Posts: 4935
  • Mnemonic Driven API Grinder
    • The MASM32 SDK
Re: Avast antivirus prevent running new applications
« Reply #26 on: November 26, 2015, 05:37:04 AM »
> In Russia we have another idiom: Don't p*ss against the wind which sounds like a caution

Must be universal, in OZ idiom the expression "pissing into the wind" is usually the definition of futility.  :biggrin:
hutch at movsd dot com
http://www.masm32.com    :biggrin:  :biggrin:

ToutEnMasm

  • Member
  • *****
  • Posts: 1189
    • EditMasm
Re: Avast antivirus prevent running new applications
« Reply #27 on: November 27, 2015, 05:10:30 AM »
For TWell,
For testing, here is a different version of cherche which just uses the original msvcrt.lib
without using the crt functions. Code is the same, see if avast generates a false positive.
Normally not.
If a DLL is missing, "c++ redistributable 2015", windows 10 compile
Fa is a musical note to play with CL

TWell

  • Member
  • ****
  • Posts: 748
Re: Avast antivirus prevent running new applications
« Reply #28 on: November 27, 2015, 05:14:09 AM »
No warnings with Avast :t
Needs VCRUNTIME140.dll  :(
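
Added example, not part of the thread or any poster's code: the last reply notes that the rebuilt binary needs VCRUNTIME140.dll, and a dependency introduced by a different import library or linker shows up in the PE import directory. This Python code lists and diffs the imported DLLs of two builds; `imported_dlls`, `added_imports` and `build_sample` are names made up here, and the sample images are constructed (headers and import descriptors only, not loadable).

```python
import struct

def imported_dlls(pe: bytes) -> list:
    """List the DLL names in a PE image's import directory."""
    pe_off, = struct.unpack_from("<I", pe, 0x3C)            # e_lfanew
    if pe[:2] != b"MZ" or pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = pe_off + 4
    # NumberOfSections ... SizeOfOptionalHeader from the 20-byte COFF header
    n_sect, _, _, _, opt_size = struct.unpack_from("<HIIIH", pe, coff + 2)
    opt = coff + 20
    magic, = struct.unpack_from("<H", pe, opt)
    dirs = opt + (96 if magic == 0x10B else 112)            # PE32 / PE32+
    import_rva, = struct.unpack_from("<I", pe, dirs + 8)    # directory entry 1
    # Per section: VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    sects = [struct.unpack_from("<4I", pe, opt + opt_size + 40 * i + 8)
             for i in range(n_sect)]
    def offset(rva):
        for vsize, va, rsize, rptr in sects:
            if va <= rva < va + max(vsize, rsize):
                return rptr + rva - va
        raise ValueError(f"RVA {rva:#x} is outside every section")
    names, pos = [], offset(import_rva) if import_rva else None
    while pos is not None:
        desc = struct.unpack_from("<5I", pe, pos)           # 20-byte descriptor
        if not any(desc):                                   # zero terminator
            break
        start = offset(desc[3])                             # Name RVA
        names.append(pe[start:pe.index(b"\0", start)].decode("ascii"))
        pos += 20
    return names

def added_imports(before: bytes, after: bytes) -> set:
    """DLLs imported by `after` but not by `before` (case-insensitive)."""
    low = lambda pe: {n.lower() for n in imported_dlls(pe)}
    return low(after) - low(before)

def build_sample(dlls):
    """Constructed image: headers plus one section of import descriptors."""
    va, raw, table, descs, strs = 0x1000, 0x200, 20 * (len(dlls) + 1), b"", b""
    for name in dlls:
        descs += struct.pack("<5I", 0, 0, 0, va + table + len(strs), 0)
        strs += name.encode() + b"\0"
    data = descs + bytes(20) + strs
    head = (b"MZ" + bytes(58) + struct.pack("<I", 0x40) + b"PE\0\0"
            + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
            + struct.pack("<H", 0x10B) + bytes(94) + struct.pack("<4I", 0, 0, va, table)
            + bytes(112) + b".idata\0\0"
            + struct.pack("<4I", len(data), va, len(data), raw) + bytes(16))
    return head.ljust(raw, b"\0") + data
```

On real builds, read both executables with `open(path, "rb").read()` and pass the bytes to `added_imports` to see which runtime DLLs the second link step pulled in.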