Topic: Avast AV software delivers false positives with Pelle's linker.

hutch--

« on: October 06, 2016, 01:44:39 PM »
I have always found it annoying that some heap of crap can flag a perfectly sound binary that fully conforms to the OS specification. I was trying out a technique that called an API used to determine if a debugger was being used and fed it through Jotti, and 18 out of 19 got it right; Avast flagged the 64-bit binary as being possibly infected with a virus called "Win64:Evo-gen". Knowing for certain that the file was clean, I changed the build setting from Pelle's linker to the Microsoft version, re-tested it and it cleared on 19 of 19 tests in Jotti.

Now it's perfectly clear that Pelle's linker is sound and properly conforms to the Win 64 specification so the only alternative is some moron at Avast has done some dirty shortcut to make Avast look like it's doing more than it actually can do. There is good reason to be hard on AV companies as they can destroy the reputation of competent programmers who write clean reliable software, simply because they are not competent at what they undertake to do.

Avast AV Software :icon13:  :eusa_naughty:
hutch at movsd dot com
http://www.masm32.com    :biggrin:  :biggrin:

Gunther

« Reply #1 on: October 07, 2016, 04:21:36 AM »
Now it's perfectly clear that Pelle's linker is sound and properly conforms to the Win 64 specification so the only alternative is some moron at Avast has done some dirty shortcut to make Avast look like it's doing more than it actually can do. There is good reason to be hard on AV companies as they can destroy the reputation of competent programmers who write clean reliable software, simply because they are not competent at what they undertake to do.

 :t

Gunther
Get your facts first, and then you can distort them.

GuruSR

« Reply #2 on: October 07, 2016, 03:44:21 PM »
I've had Avast on all my systems since the late 90's (yes, they've been around that long).  Before them was F-Prot (anyone remember that one?  Wrote a download/updater for it because theirs was... <SARCASM>"good"</SARCASM>).

I too ran into an issue with (and oddly enough) program icons!  I have some older icon packs I've had for... decades and well, apparently adding them to the app made Avast delete it and scream murder foul.  So I got them on the phone (yeah, I know it), sent the guy the file and he checked it out, said it reported as a gen-pup or something, I forget the one it was registered as, then told him it was the icon causing it, so he took a look at the file and sure enough, laughed, apparently that icon was being malformed into the program during compilation and Avast was seeing a pattern compared to some of the other "image foolery" methods of running exploit code within jpegs.  That hole got plugged, he said wait 4 hours and update, should stop it from happening.  It did, until I tried doing another icon.  ::)  Now, I just use a .res and hand edit it to include the icon, makes less of an Avast is going to trash it and complain murder about it.  Still, it's better than...  Norton (anything is, it uses .Net), AVG, McAfee (couldn't stop a Cryptowall attack)...

Side note:  Any Anti-Virus that ever even touches .Net is asking to get crippled so darn easily that it's not funny...  Just have to add an assembly that takes .Net's core down, poof goes your Anti-Virus...  You'd think Symantec would get the drift...

GuruSR.
Learned 68k Motorola Asm instruction set in 30 minutes on the way to an Amiga Developer's Forum meeting.
Following week wrote a kernel level memory pool manager in 68k assembler for fun.

BlueMR2

« Reply #3 on: October 08, 2016, 06:31:55 AM »
I remember F-Prot well!  That was back in the day...  :-)