Author Topic: Bitdefender: A complete disaster, hands off!

jj2007

Bitdefender: A complete disaster, hands off!
« on: November 12, 2016, 01:15:03 AM »
Inspired by my experience with Microsoft Security Essentials, a steaming pile of sh*t, I consulted several testing sites (example) and found that Bitdefender looked very interesting. So I ditched MSE and installed Bitdefender Antivirus Free Edition.

Installation went smoothly, but then it started playing havoc with my Masm32 installation: Over 300 "threats" detected, exclusively absolutely innocuous files that I have assembled myself. And what does Bitdefender do in these cases? IT DELETES THEM! No quarantine where you could recover these files, they are LOST :dazzled:

Fortunately, I have all sources, of course. When trying to rebuild some, it seems that BD blocks the linker, too.

At one moment, BD pops up and says "update failed, error 1609" - oh my dear coder friends, can't you understand that numeric errors are a no-no???

So I decided to give them a chance, and registered at the BD forum. The usual process - give your name, wait for a confirmation mail. Which didn't arrive, but later I found it in the spam folder. OK, so I click confirm and go back to the forum, but no luck, it just doesn't work, whatever I tried.

There is also a login option from the UI (utterly confused and crappy, windows with captions but no text, ... sheer horror), but it ends up with a cryptic error message:
Code:
The address wasn't understood

Firefox doesn't know how to open this address, because one of the following protocols (native) isn't associated with any program or is not allowed in this context.

In short: Hands off.

GuruSR

Re: Bitdefender: A complete disaster, hands off!
« Reply #1 on: November 14, 2016, 07:53:19 AM »
Oh, sorry.  Should have suggested to avoid that like the plague...  Kaspersky and Avast are the only ones I would trust, although, Avast decided to let me compile a program today 1 time, run it, found a mistake, ended it, recompiled it and poof, it went away!  Apparently Avast thought the "fixed" compile was EVIL and ate it, but it was in the quarantine so I could get it back out, but I recompiled it anyways and this time it didn't do anything with it, so I probably found a linker bug...  Ah well, it's good.  But those are the only 2 viable anti-viruses I would trust that have quarantines.

GuruSR.
Learned 68k Motorola Asm instruction set in 30 minutes on the way to an Amiga Developer's Forum meeting.
Following week wrote a kernel level memory pool manager in 68k assembler for fun.

hutch--

Re: Bitdefender: A complete disaster, hands off!
« Reply #2 on: November 14, 2016, 10:12:06 AM »
Avast is also a bug ridden heap of sh*t. Anything that drops false positives on perfectly sound binaries has something wrong with it. In the case of Avast it drops false positives on anything that was linked with POLINK when you know for certain that there is nothing wrong with the format of the PE header that it produces. There is every reason to put the boot into sloppy AV vendors as their mistakes with false positives destroy the work of decent programmers who develop in properly secured environments.

Over the years, Eset, Kaspersky and the Microsoft AV scanners have been the best in terms of false positives, but anyone who sets up consumer freeware in a development profile is asking for trouble. If you know what you are doing in terms of security, only ever run "on demand" AV scanning, and here MALWAREBYTES is the one to go for. (With thanks to sinsi for the original suggestion some years ago).
hutch at movsd dot com
http://www.masm32.com    :biggrin:  :biggrin:

GuruSR

Re: Bitdefender: A complete disaster, hands off!
« Reply #3 on: November 14, 2016, 11:50:28 AM »
I know there are issues and I can understand from a coder's point of view, it's a hassle, and it is, but actually, in most cases, it should be.  The AV is detecting similarities with viruses/malware, I'd rather it do that than ignore something that IS similar and I didn't write it.  Heuristics is not an exact science, hence the reason why it's "guess work".  I'd rather Avast, Kaspersky, etc, guess that what it saw *may* be dangerous rather than anti-viruses like AVG totally ignore it when it really IS.

I know, it's not a great thing, but as a programmer, it's up to us to make sure our code isn't going to do a false positive and if one AV is doing it, make sure to contact them to find out where it is flagging it as such (as most of the ones I've dealt with, do give me insight, Avast told me it was not liking the resources of the AppIcon, it apparently had the header wrong, again, linker issue from the looks of it).

As for Malwarebytes, good people, good software, which also ripped my code a new one (removed half of my coding directly, labeling most of it as malware [gen], thankfully I had backups).  I still have MWB on this machine, but I only run it to "look but don't touch", as I know it'll want to nuke those folders again.  (And half of them were tutorial asm files.)

GuruSR.

jj2007

Re: Bitdefender: A complete disaster, hands off!
« Reply #4 on: November 14, 2016, 12:12:59 PM »
Quote
Avast told me it was not liking the resources of the AppIcon, it apparently had the header wrong, again, linker issue

Now this is good advice for malware coders:
- use boring standard icons
- always add a manifest
- always use the standard Microsoft linker
- bloat your code as much as possible (e.g. with QT - about 8MB for a Hello World)
- do not pack your code; ClamAV will get you, as well as the geniuses from Trend Micro:
Quote
PAK_GENERIC.005

This is the Trend Micro detection for possibly malicious executable files that are compressed using Win32 compression tools. ...
It is a heuristic detection based on well-established characteristics inherent to compressed malware.

hutch--

Re: Bitdefender: A complete disaster, hands off!
« Reply #5 on: November 14, 2016, 12:33:23 PM »
We probably have a different view on this subject, Microsoft publish the 32 and 64 bit portable executable specifications and if an AV company does not fully understand these specifications, they should get off their arse and learn them. If you follow the route of having to fit into the comprehension of AV companies, you are passing the design of the OS specifications into the hands of the illiterate. The OS manufacturer is the only one competent to set the specifications of their system and any AV company that either does not understand that OR only passes a subset of the OS specifications needs to get off their arse and do it properly according to the OS specifications.

Now regarding resource data, primarily image data, there have been risks in the past of malware being embedded in image data and the solution is to use image creation applications that produce the correct format, often tools from other OS types save in slightly different formats and this may be the problem you have had with Avast. RE: Avast, if I get a posted APP that someone finds a problem with I send it to JOTTI which at last count passes the app through 19 different AV scanners, when the only one that shows an error is Avast, Avast is the problem. That is why this forum has an AV sh*t list.

The last complaint with Avast was any 64 bit app linked with Pelle's POLINK where you can guarantee that it produces a correctly formed PE header. Their blunder is they don't properly understand how the 64 bit header works and flag these apps as having a generic virus.

Now something that any programmer working on post XP OS versions should know is that you must have both a manifest AND a version control block and while malicious software can have both, it shuts up most crappy AV scanners. If their heuristic scanner design was up to scratch they should be able to track if there is some branch after the PE header that leads to malicious code instead of the normal entry point of an application. False positives add to their score count at the expense of proper evaluation of potentially malicious software, anyone who does this is writing crap to improve their advertising while increasing the risk of a viral/trojan/rootkit infection.

hutch--

Re: Bitdefender: A complete disaster, hands off!
« Reply #6 on: November 14, 2016, 12:44:56 PM »
Just as a note on the last posting by JJ, UPX, while being a high quality executable compressor for both 32 and 64 bit executable files, is crippled by the assumptions of the original authors: their theory is that all executables should be decompressible and then recompressible. This makes it the preferred tool for a vast number of virus/trojan writers as they can open a file, install a virus into it then recompress it. Various AV companies know how it is used and flag anything compressed by UPX as dangerous. I read a very good article from one of the team members of the Microsoft AV scanner on detecting modified versions of UPX that try and avoid its detection, but they also know how to detect the UPX stub.

It is easy enough to cripple the decompression stub by overwriting the section header names with anything else you like, and overwriting their copyright string is just as easy as long as you are careful, but unless you are only using UPX locally, treat it like the plague as AV companies will treat it as a suspicious file simply because it is compressed with UPX.

GuruSR

Re: Bitdefender: A complete disaster, hands off!
« Reply #7 on: November 14, 2016, 01:41:02 PM »
The biggest problem with watching for valid PE headers and resources is:

badsoftware.tmp

And it's opened as an exe, see that all the time.  It's got a valid header, even probably has a manifest and the resources too, so an AV that blindly ignores the manifest and PE header is going to scan that file the same way as it does an exe, com or dll.  Could blame them for being "lazy", but for them to include such things would increase scan time and slow the system even further with more code, not sure anyone wants that.

And yes, I've contemplated using compression for executables, but the long history of what it was abused for and how AVs (MalwareBytes is also guilty of this) treat the file as bad has ruined its usefulness for those of us who actually wanted it for a good reason.

As for the difference between 64 and 32 bit executables, most AV software is 32 bit and a good deal of them ignore most of the PE, which reminds me, have to find that PE header viewer I had and re-install it (handy little thing for telling me the PE header on any file I right click on).

GuruSR.

jj2007

Re: Bitdefender: A complete disaster, hands off!
« Reply #8 on: November 14, 2016, 08:40:17 PM »
Quote
they should be able to track if there is some branch after the PE header that leads to malicious code instead of the normal entry point of an application.

Come on, you and I and Guru know how easy it would be to make an application that looks like a duck, walks like a duck, smells like a duck, uncompressed and with VCB and all that crap, only with a little jump table well after the normal entry point, five levels deep, with ecx set to some unsuspicious value at level 2, etc etc. You can bet that the more dangerous viruses and trojans look exactly like a duck but use that kind of trick.

Problem with heuristics is that they can only sort out applications that have been written by script kiddies in their early learning phase. Everything more sophisticated (stuxnet, ...) would require that the heuristics algo understands what's going on - and that's impossible. Heuristic scanners were OK some ten years ago, today they are just an anachronism.

caballero

Re: Bitdefender: A complete disaster, hands off!
« Reply #9 on: November 14, 2016, 09:47:33 PM »
There are hundreds of AVs. Many of them give many false positives. Google and other search engines base their navigation on such reports, hence many pages are labeled as suspicious. Well, it would be great if somebody made a page that marks some AVs as suspicious too, according to their trust level; their reports should have a level of veracity too. I had to erase my site to clean it from such accreditations and then, for everything:

- use boring standard icons
- always add a manifest

... when I have time :)
In a place in La Mancha, whose name I do not care to remember

hutch--

Re: Bitdefender: A complete disaster, hands off!
« Reply #10 on: November 14, 2016, 11:40:13 PM »
It's really easy to determine if a file is a PE exe or not: DOS header with leading MZ and a structure member that gives you an offset to the PE header with PE as its lead, these are easy and fast. The combined header size is less than 1k. If they are scanning on the basis of the file extension, they are easy meat for the virus brigade. Some just do it better than others with AV scanners and one of the simplest tests is the number of false positives, the more that occur, the crappier the AV scanner and there is some real crap out there. AVG is a shocker, freeware for consumer users but a nightmare for a programmer.

To deal with this chyte, I had to design a set of tests in the MASM32 installer to test executable read, write and delete then when the install had completed I had to test if the libraries had been written correctly because some of these piles of chyte silently deleted binary libraries and left the install broken. Some years ago I had some bunch of jerks from Germany playing vigilante who made a complaint to a hosting company I was using about a number of 1995 zip files that were archived on the site being infected because some crapheap AV scanner they were using thought that they were infected by an un-named generic virus that was written about 2010, 15 years after the files had been zipped.

Since they caused me some inconvenience in having to deal with the hosting company, I typed up a reply to these phuking morons which my hosting company sent back to them, which referred them to the Microsoft Portable Executable specifications and my views on self elected vigilante groups. As you can imagine I did not receive any further response. As I have seen many people who write clean, tidy executables trashed by morons like this and crapheap AV scanners, I am all in favour of sh*tcanning them until they get off their arse and learn how to write decent code that does not drop false positives.
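The header-based check hutch describes above (MZ, e_lfanew, PE signature), GuruSR's point in Reply #7 that a renamed "badsoftware.tmp" must classify the same as an .exe, and hutch's remark in Reply #5 about checking where the entry point leads, as one added example. This is not code from the forum or from the MASM32 SDK; the sample images are header-only blobs constructed inline, and only the i386 and AMD64 machine types are modelled.

```python
import struct

# Constants from the Microsoft PE/COFF specification.
MACHINE_I386, MACHINE_AMD64 = 0x014C, 0x8664
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_DLL = 0x0002, 0x2000


def inspect_pe(data: bytes) -> dict:
    """Classify a blob by its headers alone; the file name is never consulted.
    Non-PE input yields {"kind": None, "reason": ...}; otherwise bitness, machine,
    EXE/DLL, bitness/machine agreement and the section holding the entry point."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return {"kind": None, "reason": "too short or no MZ signature"}
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return {"kind": None, "reason": "no PE signature at e_lfanew"}
    machine, nsections, _, _, _, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                      # start of the optional header
    if opt + 20 > len(data) or opt + opt_size + 40 * nsections > len(data):
        return {"kind": None, "reason": "truncated optional header or section table"}
    magic = struct.unpack_from("<H", data, opt)[0]
    kind = {PE32_MAGIC: "PE32", PE32PLUS_MAGIC: "PE32+"}.get(magic)
    if kind is None:
        return {"kind": None, "reason": f"unknown optional header magic {magic:#x}"}
    entry = struct.unpack_from("<I", data, opt + 16)[0]   # same offset in both flavours
    sections = []
    for i in range(nsections):
        name, vsize, vaddr = struct.unpack_from("<8sII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vaddr, vsize))
    # An entry point outside every declared section is the kind of oddity a
    # heuristic scanner should flag before it bothers with icons or manifests.
    entry_section = next((n for n, va, vs in sections if va <= entry < va + vs), None)
    return {
        "kind": kind,
        "machine": {MACHINE_I386: "i386", MACHINE_AMD64: "AMD64"}.get(machine, f"{machine:#x}"),
        "image": "DLL" if chars & IMAGE_FILE_DLL else "EXE",
        "executable_flag": bool(chars & IMAGE_FILE_EXECUTABLE_IMAGE),
        "bitness_consistent": (kind == "PE32+") == (machine == MACHINE_AMD64),
        "entry_section": entry_section,
    }


def build_sample(pe32plus: bool, entry: int, sections) -> bytes:
    """Constructed header-only test image; sections = [(name, VirtualAddress, VirtualSize)]."""
    machine = MACHINE_AMD64 if pe32plus else MACHINE_I386
    opt_size = 240 if pe32plus else 224      # standard optional header sizes
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew -> offset 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", machine, len(sections), 0, 0, 0,
                                    opt_size, IMAGE_FILE_EXECUTABLE_IMAGE)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<I", opt, 16, entry)   # AddressOfEntryPoint
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, 0, 0, 0, 0, 0, 0, 0)
                     for n, va, vs in sections)
    return dos + coff + bytes(opt) + table
```

Because `inspect_pe` takes bytes rather than a path, the same blob saved as `.tmp`, `.exe` or `.dll` is classified identically.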

GuruSR

Re: Bitdefender: A complete disaster, hands off!
« Reply #11 on: November 15, 2016, 04:20:22 AM »
Actually, I don't mind Avast eating my compiles (well, I did at first until I found the reason out), tells me that somewhere some bug hit that messed the compile up, means other AVs will probably catch it too, so I compile again after a clean exit and restart of the IDE and re-compile again.  Though if I know Avast is *going* to whine about something in a section, I simply tell it to ignore that folder (Angry IP Scanner is one such folder) and I also go into the settings for the File System Shield component and set "Suspicious" to "No Action" and it usually doesn't whine.

One thing I do like about Avast's options, is the ability to turn it into IDIOT mode, where if the people's kids come home from school with a USB stick with "a friend's cool game" on it, it won't let them run it, complains to them.  Now typically when that happens, they never say "boo" to their parents about it (because they're too ignorant to know what I did) and I'm sure their parents are happy I *did* that to it, so their children can't be idiots with unknown software.

I guess the best thing to say about AVs, if you're programming, don't have one, at all, turn it off, disable it, uninstall it, just don't surf.  99% of the time I surf fine without an AV (or malware) and in the past 15+ years, I've never gotten hit by anything.

For those 1%'s out there, stay off the porn sites...

GuruSR.

jj2007

Re: Bitdefender: A complete disaster, hands off!
« Reply #12 on: November 15, 2016, 08:54:45 AM »
Quote
For those 1%'s out there, stay off the porn sites...

1%?? You are putting the World's population at a whopping 41 Billion :dazzled:

412M Accounts Breached on FriendFinder Sex Sites

GoneFishing

Re: Bitdefender: A complete disaster, hands off!
« Reply #13 on: November 15, 2016, 09:24:56 AM »
Quote
412M Accounts Breached on FriendFinder Sex Sites

Only 62.6M accounts belong to so called "erotic" videochat + 7M Penthouse subscribers = 70M (or exactly 1% !!!)
Looks like Guru is not only coding guru  :dazzled:

hutch--

Re: Bitdefender: A complete disaster, hands off!
« Reply #14 on: November 15, 2016, 11:00:10 AM »
My main complaint about internet porn apart from the scams to raise money is that it is second hand sex for people who are not capable of finding it first hand. I think pretty girls are wonderful things and in the summer time in Sydney the quality of pretty girls running around the city comfortably exceeds the trash you see on the internet. I have always got on well with "young sheilas" which is handy as you can find out if they have a good looking maiden aunt.  :P