News:

Masm32 SDK description, downloads and other helpful links
Message to All Guests
NB: Posting URL's See here: Posted URL Change

Main Menu

Another story about AV

Started by Gunther, February 08, 2013, 09:31:58 AM

Previous topic - Next topic

Gunther

At the moment, I've experimenting a bit with as and ld from the gnu compiler collection. I've written a small Win32 application, assembled it with as (performs very good) and linked it with ld to the running application. It displays only a message box with caption and text; that's not very exciting. If anyone should be interested, I could post the code in the Workshop.

I've done that inside VirtualPC with Windows XP, SP3. The equivalent C program has a size of 50 KB; the assembly language program has a size of 2048 Byte, which isn't so bad and no surprise. But the joke is: I had to copy the application from the VM into my Windows 7 system for testing purposes. During the copy process the real time AV scanner gave an alert: the EXE contains the trojan TR/Crypt.XPACK.Gen. What a garbage! I had to turn off the real time scanner to start the little program under Windows 7.

And what's the reason? I used for ld the command line switch -s, which strips all symbols from the running EXE. That makes another false positive, at least for the AVIRA scanner.

Gunther
You have to know the facts before you can distort them.

Greenhorn

Quote from: Gunther on February 08, 2013, 09:31:58 AMIf anyone should be interested, I could post the code in the Workshop.

Hi Gunther,

I would appreciate to see the code (AT&T Syntax?), but more interesting for me would be the command line for ld.
I've never got ld working under Linux to link elf executables on my Linux (jcfuller's examples from JWasm).
So, you built a Win32 EXE on a Windoze System (with MinGW?) ?

Greenhorn
Kole Feut un Nordenwind gift en krusen Büdel un en lütten Pint.

Gunther

Hi Greenhorn,

Quote from: Greenhorn on February 08, 2013, 09:56:54 AM
I would appreciate to see the code (AT&T Syntax?), but more interesting for me would be the command line for ld.

No, no, Intel syntax. It's better readable. But if you wish, I could convert it to AT&T  :lol: :lol: :lol:.

Quote from: Greenhorn on February 08, 2013, 09:56:54 AM
I've never got ld working under Linux to link elf executables on my Linux (jcfuller's examples from JWasm).

I have some working examples with nasm + ld here: http://masm32.com/board/index.php?topic=436.0. Please check out build_demo1.sh for dynamic linking with ld; yasm will do the same job. Approximately Intel syntax, that's for sure.

Quote from: Greenhorn on February 08, 2013, 09:56:54 AM
So, you built a Win32 EXE on a Windoze System (with MinGW?) ?

Greenhorn

Yes, of course; that was my plan. I'll upload the source inside the Workshop, although it's not very exciting. The only interesting point is the usage of as and ld from MinGW.

Gunther
You have to know the facts before you can distort them.

Magnum

Quote from: Gunther on February 08, 2013, 09:31:58 AM
At the moment, I've experimenting a bit with as and ld from the gnu compiler collection. I've written a small Win32 application, assembled it with as (performs very good) and linked it with ld to the running application. It displays only a message box with caption and text; that's not very exciting. If anyone should be interested, I could post the code in the Workshop.

I've done that inside VirtualPC with Windows XP, SP3. The equivalent C program has a size of 50 KB; the assembly language program has a size of 2048 Byte, which isn't so bad and no surprise. But the joke is: I had to copy the application from the VM into my Windows 7 system for testing purposes. During the copy process the real time AV scanner gave an alert: the EXE contains the trojan TR/Crypt.XPACK.Gen. What a garbage! I had to turn off the real time scanner to start the little program under Windows 7.

And what's the reason? I used for ld the command line switch -s, which strips all symbols from the running EXE. That makes another false positive, at least for the AVIRA scanner.

Gunther

Why do you have to test a 32 bit program in a VM under Win 7 ?

Andy

Take care,
                   Andy

Ubuntu-mate-18.04-desktop-amd64

http://www.goodnewsnetwork.org

Vortex

Hi Gunther,

I received the same warning messages for small executables from Avira. I know that it's a false-positive. Unfortunately, some AV softwares have high percentage of false-positives.

Gunther

Hi Erol,

yesterday, I've downloaded qWords macro library: http://masm32.com/board/index.php?topic=1457.0. The same bad story.

Gunther
You have to know the facts before you can distort them.

Vortex

Hi Gunther,

Do you have the option to try another AV?

Gunther

Hi Erol,

Quote from: Vortex on February 11, 2013, 03:30:44 AM
Do you have the option to try another AV?

in the theory, yes. I would have to install the other scanner, probably to de-install Avira etc. etc. Is that worth the effort? On the other hand, what's a good AV, working under Win64?

Gunther
You have to know the facts before you can distort them.