The MASM Forum Archive 2004 to 2012

Project Support Forums => The GeneSys Development System => Topic started by: RuiLoureiro on August 13, 2008, 02:53:40 PM

Title: virus in GeneSys.ZIP
Post by: RuiLoureiro on August 13, 2008, 02:53:40 PM
Hi Paul,
I found some virus in the file GeneSys.zip when I downloaded it.
Rui
Title: Re: virus in GeneSys.ZIP
Post by: Ghirai on August 13, 2008, 03:24:06 PM
It's a false positive; use a decent AV :U
Title: Re: virus in GeneSys.ZIP
Post by: RuiLoureiro on August 13, 2008, 05:01:14 PM
Quote from: Ghirai on August 13, 2008, 03:24:06 PM
a decent AV :U

Hi Ghirai,
Could you give me a link to get it free, please?
Thanks
Rui
Title: Re: virus in GeneSys.ZIP
Post by: Vortex on August 13, 2008, 05:19:12 PM
RuiLoureiro ,

As Ghirai said, it's a false positive. Some code can trigger the heuristic analysis.

A powerful and free antivirus : Avira AntiVir Personal (http://www.avira.com/en/download/index.html)

Title: Re: virus in GeneSys.ZIP
Post by: RuiLoureiro on August 13, 2008, 05:50:06 PM
Hi Vortex,
Thank you for your help.
But it doesn't solve the problem, because Avira AntiVir Personal was what found
the virus, and you know what it does with it: delete, quarantine, etc.
It warned me the file had a virus, Dropper.Gen, and another ???
Is there another good free AV?

In any case, thanks
Rui
EDIT: I posted an image

[attachment deleted by admin]
Title: Re: virus in GeneSys.ZIP
Post by: Vortex on August 13, 2008, 06:14:05 PM
Hi RuiLoureiro,

Is it the Extractor ( \GeneSys\examples\Extractor ) example triggering the AV software? I am using Avira and I get the same alert but you can ignore it. The Extractor example has full source code and does not contain any malicious code.

Title: Re: virus in GeneSys.ZIP
Post by: RuiLoureiro on August 13, 2008, 06:41:01 PM
Quote from: Vortex on August 13, 2008, 06:14:05 PM
Is it the Extractor ( \GeneSys\examples\Extractor ) example triggering the AV software?

First it was in the file GeneSys.zip, and I tested some other files and found it
in Data.rar too. I didn't test Extractor till now. I am running another AV just now.

Rui
Title: Re: virus in GeneSys.ZIP
Post by: PBrennick on August 14, 2008, 01:34:05 AM
Rui,
Data.rar contains all the examples so it will certainly yield the same results. It is a false positive and should be reported as such to the distributor of the antivirus software. If it is a certain sequence of opcodes that they are searching for they may not help, but there are certainly no viruses in our code. Perhaps it does not like the fact that an EXE is being written to.

-- Paul
Title: Re: virus in GeneSys.ZIP
Post by: lingo on August 14, 2008, 01:54:39 PM
Thanks RuiLoureiro for alert,

I use Avast Antivirus v4.8 and I get the same virus alert.
Next I recompiled the source (because I'm not lazy and irresponsible like some people here)
and received the new Extractor.exe without viruses (see attached file).

[attachment deleted by admin]
Title: Re: virus in GeneSys.ZIP
Post by: PBrennick on August 14, 2008, 02:15:15 PM
Lingo,

It really is not fair to say that I am lazy. I was unaware of the problem. Thanks to your nice efforts, though, I will do an upload right away.

Thank you for the help.
-- Paul
Title: Re: virus in GeneSys.ZIP
Post by: RuiLoureiro on August 14, 2008, 04:49:35 PM
Lingo,
I did an alert only. Nothing else. It is not good that an AV tells us there is a virus in our files
without our knowledge.

Hi Paul,
I can tell you I ran another AV and it didn't give me any virus report anywhere
(Ad-Aware 2008 free). There's no problem.

Rui
Title: Re: virus in GeneSys.ZIP
Post by: Vortex on August 14, 2008, 07:01:10 PM
Lingo,

Once again, you are demonstrating your "supposed professionalism": the executable you created is immediately caught by Avira. It's not enough to test with only one AV product.

The next time you talk about nonsense in this subforum, your post will be edited without warning.

This new version of Extractor is now supported by Jeremy Collake's compression software. It's a simple SFX archive dumping the child executable to disc. Avira no longer reports a false positive with this new demo.

[attachment deleted by admin]
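The SFX layout Vortex describes, as an added example (this is not the GeneSys Extractor and not Jeremy Collake's software): a stub image with the child appended and a trailer at the very end, so the stub can find the payload inside its own file. The trailer layout, the MAGIC marker and the stand-in stub/child bytes are assumptions of this demo. It also adds the check a practitioner would want before the stub writes anything to disc: the child's SHA-256 is verified against the trailer, and an existing file is never overwritten. Reading its own image and writing out an executable is the behaviour Paul suspects the heuristics object to, so the hash check protects the user from a corrupted or tampered child; it does nothing about the false positive.

```python
"""Self-extracting container layout with an integrity check before extraction.

Added example for this thread; not GeneSys's Extractor nor Jeremy Collake's
software. The trailer layout below is an assumption of this demo:

    stub bytes | child payload | sha256 (32) | payload length (8, LE) | magic (8)

The stub reads its own image, walks back from the end to find the payload,
verifies the digest and only then writes the child to disc.
"""
import hashlib
import hmac
import struct

MAGIC = b"SFXDEMO1"                 # hypothetical 8-byte marker for this demo
TRAILER = struct.Struct("<32sQ8s")  # digest, payload length, magic (48 bytes)

# Constructed stand-ins; neither is a real PE image.
FAKE_STUB = b"MZ" + b"\x00" * 62 + b"stub-code"
FAKE_CHILD = b"MZ" + b"\x90" * 30 + b"PE\x00\x00" + b"child-code"


def build_sfx(stub: bytes, payload: bytes) -> bytes:
    """Append the payload and a trailer describing it to the stub image."""
    digest = hashlib.sha256(payload).digest()
    return stub + payload + TRAILER.pack(digest, len(payload), MAGIC)


def locate_payload(image: bytes) -> tuple:
    """Return (start, end, expected_digest) of the payload embedded in image."""
    if len(image) < TRAILER.size:
        raise ValueError("image too small to carry a trailer")
    digest, length, magic = TRAILER.unpack(image[-TRAILER.size:])
    if magic != MAGIC:
        raise ValueError("no payload trailer present")
    end = len(image) - TRAILER.size
    start = end - length
    # A trailer pointing outside the file is corruption or tampering.
    if length == 0 or start < 0:
        raise ValueError("trailer length out of range")
    return start, end, digest


def extract_payload(image: bytes) -> bytes:
    """Return the child bytes, refusing if they do not match the trailer digest."""
    start, end, expected = locate_payload(image)
    payload = image[start:end]
    actual = hashlib.sha256(payload).digest()
    if not hmac.compare_digest(actual, expected):
        raise ValueError("payload digest mismatch: refusing to write child")
    return payload


def is_valid_sfx(image: bytes) -> bool:
    """True when image carries a payload whose digest verifies."""
    try:
        extract_payload(image)
    except ValueError:
        return False
    return True


def extract_to_file(image_path: str, out_path: str) -> int:
    """Read the SFX image from disc, write the child; returns bytes written."""
    with open(image_path, "rb") as f:
        image = f.read()
    payload = extract_payload(image)
    # "xb" fails if out_path exists, so a planted file is never overwritten.
    with open(out_path, "xb") as f:
        f.write(payload)
    return len(payload)


if __name__ == "__main__":
    # A real stub opens its own path (argv[0], or GetModuleFileName on Windows)
    # instead of building the image in memory.
    image = build_sfx(FAKE_STUB, FAKE_CHILD)
    print(f"container: {len(image)} bytes, child: {len(extract_payload(image))} bytes")
```

Run as a script it builds the container from the stand-ins and reports the sizes; a real stub would open its own executable instead of calling build_sfx.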
Title: Re: virus in GeneSys.ZIP
Post by: PBrennick on August 14, 2008, 08:56:43 PM
Rui,

Please be aware that the editor in that package is not the newest one and has some problems with console builds. You can download the most recent from my web site (http://pbrennick.freehosting.net/) or wait until tomorrow when the archive is replaced. The new installation will be available from Ghirai (the address in my signature) as usual.

Vortex,
Because I do not like positives or false positives, as they drive potential users away, I have decided to do the major release instead of the patch. I have added all the new tools and examples but have not implemented the updated build method for the definition files, as your notes to me were unclear as to whether I need to modify setup.exe or not. The installation will be valid either way.

-- Paul
Title: Re: virus in GeneSys.ZIP
Post by: Vortex on August 14, 2008, 09:26:35 PM
Paul,

It's the heuristics module of the AV software causing this issue. It's possible to avoid those false positives by applying other programming methods.
Title: Re: virus in GeneSys.ZIP
Post by: Vortex on August 15, 2008, 05:47:42 PM
With thanks to RuiLoureiro, who tested the new Extractor version, the case is over. No false positive at all.
Title: Re: virus in GeneSys.ZIP
Post by: RuiLoureiro on August 15, 2008, 06:02:50 PM
Quote from: PBrennick on August 14, 2008, 08:56:43 PM
Rui,

Please be aware that the editor in that package is not the newest one and has some problems with console builds.

I have decided to do the major release instead of the patch.

Hi Paul and Vortex,
I'll wait for that new release.
Rui
Title: Re: virus in GeneSys.ZIP
Post by: DASAz on October 22, 2008, 10:01:10 AM
Quote from: Vortex on August 13, 2008, 05:19:12 PM
RuiLoureiro ,

As Ghirai said, it's a false positive. Some code can trigger the heuristic analysis.

A powerful and free antivirus : Avira AntiVir Personal (http://www.avira.com/en/download/index.html)

No, one day I wrote a silly fasm app and this AV detected it as a virus.
Title: Re: virus in GeneSys.ZIP
Post by: Vortex on October 22, 2008, 05:10:44 PM
Hi DASAz,

Welcome to the forum.

False positives are a serious problem. Unfortunately, this can happen with very modest asm code too.
Title: Re: virus in GeneSys.ZIP
Post by: Farabi on October 30, 2008, 11:02:51 AM
Just to make sure it was really a virus, I uploaded some tools to see every running executable. All of the tools are free for commercial or non-commercial use. It was not me who developed them.

How to use:
1. Check every executable that has the icon of a non-executable file. For example, if you find a .doc icon or .jpg icon and it is an executable file, it is a virus.
2. If you are sure it is a virus, check the executable's address.
3. Terminate all the virus processes. Make sure you terminate them all.
4. Delete the file.

If this information breaks the rules please forgive me, because I don't think it breaks the MASM forum rules.

[attachment deleted by admin]
Title: Re: virus in GeneSys.ZIP
Post by: Farabi on October 30, 2008, 11:09:32 AM
Here is the second tool. It will repair your registry settings just in case the virus intercepts explorer.exe.

[attachment deleted by admin]
Title: Re: virus in GeneSys.ZIP
Post by: Vortex on October 30, 2008, 06:17:50 PM
Hi Onan,

Thanks for the CurrProcess utility. It's a nice tool by Nir Sofer.

I googled the word "komputeron.exe" ( the second tool you attached ) and I found this link below :

http://komputeron.livejournal.com/907.html

Is this the right link associated with the komputeron tool?
Title: Re: virus in GeneSys.ZIP
Post by: Farabi on October 31, 2008, 02:15:10 AM
Quote from: Vortex on October 30, 2008, 06:17:50 PM
Hi Onan,

Thanks for the CurrProcess utility. It's a nice tool by Nir Sofer.

I googled the word "komputeron.exe" ( the second tool you attached ) and I found this link below :

http://komputeron.livejournal.com/907.html

Is this the right link associated with the komputeron tool?

Yes, I found it there. It is Indonesian software.
Title: Re: virus in GeneSys.ZIP
Post by: Vortex on October 31, 2008, 06:05:14 PM
Thanks for the info.
Title: Re: virus in GeneSys.ZIP
Post by: Arhk on February 14, 2009, 10:29:18 PM
Quote from: Vortex on August 13, 2008, 05:19:12 PM
RuiLoureiro ,

As Ghirai said, it's a false positive. Some code can trigger the heuristic analysis.

A powerful and free antivirus : Avira AntiVir Personal (http://www.avira.com/en/download/index.html)

? Avira always gives me a bunch of false positives
~ part of why I started using AVG
~AVG was saying it's a Trojan
Title: Re: virus in GeneSys.ZIP
Post by: PBrennick on February 14, 2009, 10:48:10 PM
Arhk,
I can assure you that there are no viruses in the GeneSys package. However, a zip file 'can' become corrupted, which really has nothing to do with GeneSys. If you are certain you are having a problem with the zip, delete it and re-download it. Chances are, though, it is just a false positive, which is a real problem with some of these 'free' virus testers.

I wish I had a virus that would polish my shoes.  :(

The above is a joke about how crazy these false positives can make a man. If we did not laugh about it, we would cry. As I have said before, how on earth can someone distribute their software if they constantly have to struggle with that?

Paul
Title: Re: virus in GeneSys.ZIP
Post by: Arhk on February 15, 2009, 01:51:18 AM
I was always curious about how you are really supposed to distinguish malware from cleanware, when many programs could be using components that would otherwise be listed as malware if they were not whitelisted.

~ Wasn't saying he was putting out malware just said AVG detected it as such.
~ antimalware protection is indeed flawed.
~ Scanners are becoming more and more paranoid, if you ask me, especially these zero-day scanners, since they look for an even less than perfect signature match to get suspicious about the supposed culprit.
Title: Re: virus in GeneSys.ZIP
Post by: Vortex on February 15, 2009, 10:09:57 AM
Hi Arhk,

It's easy. You can monitor the actions of an application with a registry scanner. If the application drops EXEs and/or DLLs under the Windows folder and creates suspicious entries in the registry, then you can probably conclude that the application is a kind of malware. This scenario can be more complicated, but malware exhibits typical signs when it hits your system, and this is why you should do your testing under a restricted user account. Utilities like Sandboxie are very useful for creating isolated environments to test applications.
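Vortex's before/after approach in code, as an added example (not CurrProcess, not komputeron, and not any tool attached to this thread): snapshot a watched folder and the Registry autorun keys before running the sample, snapshot again afterwards, and diff. A temporary directory stands in for the Windows folder, the .reg text is constructed, and the dropped file name is made up for the demo. Registry state is taken from a .reg export rather than read live so the script runs anywhere; a real `reg export` file is UTF-16LE with a BOM and must be opened with encoding="utf-16".

```python
"""Before/after triage: dropped executables and new autorun entries.

Added example for this thread, not one of the tools attached to it. The
watched folder is a temp directory and the .reg text is constructed.
"""
import hashlib
import os
import re
import tempfile

AUTORUN_KEYS = {k.lower() for k in (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
)}
# "name"=data or @=data lines of a .reg export; value names may contain \" escapes.
VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')


def snapshot_tree(root: str) -> dict:
    """Map relative path -> (looks_like_pe, sha256) for every file under root."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                data = f.read()
            # Every PE image starts with the MZ DOS header; the icon tells nothing.
            snap[os.path.relpath(path, root)] = (data[:2] == b"MZ",
                                                hashlib.sha256(data).hexdigest())
    return snap


def parse_reg_autoruns(reg_text: str) -> dict:
    """Return {(key, value_name): data} for values under the autorun keys."""
    entries, key = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        if key is None or key.lower() not in AUTORUN_KEYS:
            continue
        m = VALUE_RE.match(line)
        if m:
            entries[(key, m.group(1) or "@")] = m.group(2)
    return entries


def triage(fs_before: dict, fs_after: dict, reg_before: dict, reg_after: dict) -> list:
    """Diff the two snapshots; each finding is a (kind, detail) tuple."""
    findings = []
    for rel, (is_pe, digest) in sorted(fs_after.items()):
        if rel not in fs_before:
            findings.append(("dropped executable" if is_pe else "new file", rel))
        elif fs_before[rel][1] != digest:
            findings.append(("modified executable" if is_pe else "modified file", rel))
    for k, data in sorted(reg_after.items()):
        if k not in reg_before:
            findings.append(("new autorun", f"{k[0]}\\{k[1]} = {data}"))
        elif reg_before[k] != data:
            findings.append(("changed autorun", f"{k[0]}\\{k[1]} = {data}"))
    return findings


# Constructed sample exports: the "after" one gains a per-user Run value.
REG_BEFORE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
'''
REG_AFTER = REG_BEFORE + r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"svchost"="C:\\Windows\\svchost.exe"
'''


def demo() -> list:
    """Simulate a run that drops a PE into the watched folder and adds an autorun."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "notepad.exe"), "wb") as f:
            f.write(b"MZ" + b"\x00" * 62)          # pre-existing, unchanged
        before = snapshot_tree(root)
        with open(os.path.join(root, "svchost.exe"), "wb") as f:
            f.write(b"MZ" + b"\x90" * 62)          # constructed dropped file
        after = snapshot_tree(root)
    return triage(before, after, parse_reg_autoruns(REG_BEFORE), parse_reg_autoruns(REG_AFTER))


if __name__ == "__main__":
    for kind, detail in demo():
        print(f"{kind:20} {detail}")
```

The dropped-file check keys on the MZ header, not the file extension or icon, which is the reliable way to spot the "document icon on an executable" case mentioned earlier in the thread. Take the snapshots from inside the restricted account or sandbox the sample runs in, otherwise the sample can alter the baseline.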
Title: Re: virus in GeneSys.ZIP
Post by: Arhk on February 15, 2009, 01:26:28 PM
Quote from: Vortex on February 15, 2009, 10:09:57 AM
Hi Arhk,

It's easy. You can monitor the actions of an application with a registry scanner. If the application drops EXEs and/or DLLs under the Windows folder and creates suspicious entries in the registry, then you can probably conclude that the application is a kind of malware. This scenario can be more complicated, but malware exhibits typical signs when it hits your system, and this is why you should do your testing under a restricted user account. Utilities like Sandboxie are very useful for creating isolated environments to test applications.
I'll look into it
~ I guess today I have something new to study (yesterday was DoS attacks).
Title: Re: virus in GeneSys.ZIP
Post by: PBrennick on February 15, 2009, 03:37:24 PM
Arhk,
You are being very smart. It is best to know as much as possible about what is going on in your system. It is our responsibility to be as helpful as we can. We strive to achieve a balance by being very careful about what we put in our package. I might write some checksum type software; what do you think, Vortex? Of course, any solution can be defeated, so at some point we have to say that enough is enough. GeneSys and any other installation I create may be bundled in a zip, but the installation app itself does NOT use ZIP.

ZIP technology has been around for too long and is easily attacked. That is the reason why secure email systems such as GMail will not allow ZIP attachments. I am very comfortable using RAR and will continue to do so. The SDK itself is compressed using RAR. Next, this RAR is bundled with the Setup program and its DLL into another RAR (this becomes the actual installer) and finally, the entire thing is bundled into a ZIP. This makes it darn near impossible to attack the SDK. Nothing is totally impossible, the idea is to make it not worth the doing.

Paul
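Paul's checksum idea worked through as an added example (not GeneSys's installer or any code of the project): a SHA-256 manifest in the text layout sha256sum uses, generated by the publisher and verified by the user after download. The file names and the manifest name SHA256SUMS are assumptions for the demo, and the sample tree is constructed. The demo shows what the verifier reports when an AV has quarantined an example EXE, when an EXE has been altered, and when a stray file has appeared.

```python
"""SHA-256 manifest for a distributed package: generate once, verify after download.

Added example for this thread (not GeneSys's own installer or checksum code).
Lines are "<hex digest>  <relative path>", the sha256sum layout, so the same
manifest can be checked with that tool where it exists.
"""
import hashlib
import os
import tempfile

MANIFEST_NAME = "SHA256SUMS"   # assumed file name for the demo


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Map POSIX-style relative path -> hex digest for every file under root."""
    manifest = {}
    for dirpath, dirs, files in os.walk(root):
        dirs.sort()                      # deterministic walk order
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel != MANIFEST_NAME:     # the manifest never lists itself
                manifest[rel] = sha256_file(full)
    return manifest


def dump_manifest(manifest: dict) -> str:
    return "".join(f"{digest}  {rel}\n" for rel, digest in sorted(manifest.items()))


def load_manifest(text: str) -> dict:
    manifest = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, rel = line.split("  ", 1)
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"bad digest for {rel}")
        manifest[rel] = digest
    return manifest


def verify_tree(root: str, expected: dict) -> dict:
    """Compare the tree with the manifest; three empty lists means intact."""
    actual = build_manifest(root)
    return {
        "modified": sorted(r for r in expected if r in actual and actual[r] != expected[r]),
        "missing": sorted(r for r in expected if r not in actual),
        "unexpected": sorted(r for r in actual if r not in expected),
    }


def demo() -> dict:
    """Build a package, then simulate a quarantined EXE, a patched EXE and a stray file."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "examples", "Extractor"))
        files = {                                    # constructed sample tree
            "examples/Extractor/Extractor.exe": b"MZ" + b"\x00" * 62,
            "examples/Extractor/Extractor.asm": b"; source\n",
            "setup.exe": b"MZ" + b"\x90" * 62,
        }
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        text = dump_manifest(build_manifest(root))   # what the publisher ships
        expected = load_manifest(text)               # what the user reads back
        os.remove(os.path.join(root, "examples/Extractor/Extractor.exe"))  # AV quarantine
        with open(os.path.join(root, "setup.exe"), "ab") as f:
            f.write(b"patch")                        # altered binary
        with open(os.path.join(root, "README.txt"), "wb") as f:
            f.write(b"stray")                        # file not in the manifest
        return verify_tree(root, expected)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:10} {paths}")
```

A manifest hosted next to the archive catches corruption and quarantine damage, which is what this thread was about; it does not stop someone who can replace the download, since they can replace the manifest too. For that the hashes have to be published out of band, or the manifest has to be signed.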
Title: Re: virus in GeneSys.ZIP
Post by: Vortex on February 15, 2009, 05:20:49 PM
Hi Paul,

A checksum type software is a good idea.
Title: Re: virus in GeneSys.ZIP
Post by: Arhk on February 15, 2009, 09:50:46 PM
Quote from: PBrennick on February 15, 2009, 03:37:24 PM
Arhk,
You are being very smart. it is best to know as much as possible about what is going on in your system.
~ :red ::) I try...
Title: Re: virus in GeneSys.ZIP
Post by: PBrennick on February 17, 2009, 01:20:02 AM
Vortex,
Remind me, by putting it on our todo list, to do an integrity check of the package.

Paul
Title: Re: virus in GeneSys.ZIP
Post by: Vortex on February 17, 2009, 07:05:05 PM
Hi Paul,

OK, I will have this item on the todo list.