News:

Masm32 SDK description, downloads and other helpful links
Message to All Guests
NB: Posting URL's See here: Posted URL Change

Main Menu

AV Comedy

Started by hutch--, January 07, 2023, 05:50:45 AM

Previous topic - Next topic

hutch--

I have just about worn out my welcome at "jotti" but fixed the first file flagged as malicious.

The latest version of "cpicker.exe" was flagged as having,

    BitDefender Antivirus Jan 6, 2023 Gen:Variant.Razy.683884
    MicroWorld eScan Jan 6, 2023 Gen:Variant.Razy.683884
    G DATA Jan 6, 2023 Gen:Variant.Razy.683884

The Mickey Mouse Club in action out of their common database.

Changed the icon to a 32 bit version and changed the order of the procedures in the source file and BINGO, no false positive.  :tongue:

Identical procedures in the source file with order change of 2 procedures and a bigger icon solved their crap scan, wotta buncha jurx !  :thdn:

The technology these clowns are using would have to be classed as suspect.

hutch--

This is the next piece of genius from the AV crapheaps.

Bye bye to -> F-Secure Anti-Virus Jan 6, 2023 Heuristic.HEUR/AGEN.1253024

; ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

    include \masm64\include64\masm64rt.inc

    .code

; ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

entry_point proc

    LOCAL hMem  :QWORD
    LOCAL lMem  :QWORD
    LOCAL pMem  :QWORD
    LOCAL aLen  :QWORD
    LOCAL wLen  :QWORD
    LOCAL hIcon :QWORD
    LOCAL hInstance :QWORD

    mov hInstance, rv(GetModuleHandle,0)        ; unneeded, added for crap AV scanners

    mov hMem, rvcall(load_file,"icon.ico")      ; load the file
    mov lMem, rcx                               ; get its length
    mov rax, lMem

    lea rax, [rax*4]                            ; mul length by 4
    mov aLen, rax

    mov pMem, alloc(aLen)                       ; allocate the output buffer
    mov wLen, rvcall(bin2hex,hMem,lMem,pMem)    ; convert the source to hex
    rcall save_file,"bin2hex.txt",pMem,wLen     ; write the file to disk

    mfree pMem                                  ; free the allocated memory
    mfree hMem                                  ; free the file memory

    exec "\masm64\teditor.exe bin2hex.txt"

    invoke ExitProcess,0

    ret

entry_point endp

; ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

    end

HSE

 :biggrin:

A little file size is what trigger alerts, then any suspicious byte sequence make binary flagged as malicious.

Time ago somebody pasted a big useless objet to exes end. I don't remeber who, but say that always worked.
Equations in Assembly: SmplMath

hutch--

The next piece of genius comes from Avast. Anything that is not reported in their local database is flagged as "FileRepMalware" unrelated to the files content.

I have been a bit spoilt by using the Kaspersky KVRT.EXE which is not part of the Mickey Mouse Club and is super reliable.

avcaballero

> A little file size is what trigger alerts, then any suspicious byte sequence make binary flagged as malicious.

Yeah, I think so. Maybe the solution would be adding dozens of NOP operations   :bgrin:

When I code, usually disable the AV for some time.