Avast WEBforum

Other => Viruses and worms => Topic started by: SmartCoder on June 15, 2010, 10:56:10 PM

Title: [False positive] Win32:VBMod [Trj]B
Post by: SmartCoder on June 15, 2010, 10:56:10 PM
1- Compile a blank project;
2- Add 1 or more sections with any appropriate tool (for example CFF explorer).

Result: Win32:VBMod [Trj] B  (since a few days ago)

Being a programmer, I find it quite ridiculous that my applications are detected just because I add a section to them! There is absolutely no malicious code, just one more section that can be used for many purposes.

Would you mind fixing this FP?  :)

Thanks
Title: Re: [False positive] Win32:VBMod [Trj]B
Post by: polonus on June 15, 2010, 11:03:01 PM
Hi SmartCoder,

Heuristics are at the crux of the problem where FPs are involved, as are certain packers/obfuscators, like for instance UPX, which get flagged as heuristic malware just because they are also used by malcreants. These issues can make a decent AV less reliable, so report this as a possible FP as soon as possible.
Re: http://virscan.org/report/e31154e6d6f859524b0431631aa3a914.html
These kinds of FPs fall into the category of automated false positives; see this article:
http://research.pandasecurity.com/automated-false-positives/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+PandaResearch+%28Panda+Research%29

polonus
Title: Re: [False positive] Win32:VBMod [Trj]B
Post by: SmartCoder on June 15, 2010, 11:23:25 PM
Thank you for the quick answer!

Quote
These issues can make a decent AV less reliable, so report this as a possible FP as soon as possible.
So, you mean that we need to report each single file with an added section that is detected as an FP?

Thanks
Title: Re: [False positive] Win32:VBMod [Trj]B
Post by: polonus on June 15, 2010, 11:40:04 PM
Hi SmartCoder,

No, of course not; the generic find should no longer be flagged. Send avast a mail to report the problem and they will soon react in an upcoming signature update, as the FP is that crystal clear; exclude it in the scanner for now to avoid the proverbial "pain in the neck".
Thanks for reporting here, welcome to the forums, and I hope you report bugs here if you find any,

greets,

polonus
Title: Re: [False positive] Win32:VBMod [Trj]B
Post by: SmartCoder on June 15, 2010, 11:59:55 PM
Thank you very much polonus for the welcome and the clear answers! I will send an email then.
Sure, I will report other FPs if I run into them; it is also in the interest of many of us programmers =)

Best regards
Title: Re: [False positive] Win32:VBMod [Trj]B
Post by: misak on June 16, 2010, 11:36:58 AM
Hi SmartCoder,

Win32:VBMod [Trj] means Visual Basic Modified file. Adding a section to a compiled Visual Basic file is in 99.9% of cases used in malware (VB droppers). About ~10000 new MALWARE samples are detected by Win32:VBMod [Trj] each day. I'm looking forward to your email. If you have a really GOOD reason to do this, we will try to find a solution. But our priority is to protect our users.
Title: Re: [False positive] Win32:VBMod [Trj]B
Post by: SmartCoder on June 18, 2010, 04:37:10 PM
Hello misak,

What if we use the new blank section to store custom data, which the executable needs to work correctly, after compiling?
It can be used, if a person does not have access to the source code, to store custom data and values; then, on execution, variables can be pointed to the position of these custom values inside the file code, which get read.
But a new section with some blank space is needed to contain the written values; we can't overwrite the file code somewhere with the custom data, as it would be corrupted.
Title: Re: [False positive] Win32:VBMod [Trj]B
Post by: Maxx_original on June 18, 2010, 04:52:22 PM
You can enlarge the last section if you need to add something that will be mapped into the current address space... there's no need to add an extra section. Anyway, such postprocessing of VB binaries "smells" and could trigger heuristic detection by any AV engine.
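The thread turns on the PE section table: the VBMod heuristic reacts to a compiled VB binary that carries a section beyond the ones its linker normally emits. As an added example (not code from the forum, avast, or any poster), here is a small section-table walker that reports exactly that shape, so an analyst or developer can see what the engine sees before submitting a sample. It assumes a VB6 image normally starts with `.text`, `.data`, `.rsrc`, and it builds a constructed minimal PE in memory instead of reading a real file.

```python
import struct

# Assumption: the section layout a stock VB6 linker emits, in order.
VB_LAYOUT = [".text", ".data", ".rsrc"]


def build_pe(section_names):
    """Constructed minimal PE image: DOS header, COFF header, zeroed optional
    header and a section table. Not loadable; only the headers are real."""
    n, opt_size, e_lfanew = len(section_names), 224, 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, opt_size, 0x102)
    secs = b""
    for i, name in enumerate(section_names):
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # relocation/linenumber fields (unused), Characteristics
        secs += name.encode().ljust(8, b"\x00") + struct.pack(
            "<IIIIIIHHI", 0x1000, 0x1000 * (i + 1), 0x200, 0x400 + 0x200 * i,
            0, 0, 0, 0, 0x40000040)
    return dos + coff + b"\x00" * opt_size + secs


def parse_sections(data):
    """Walk the PE section table and return one dict per section header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    n_secs = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size  # section headers follow the optional header
    out = []
    for i in range(n_secs):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\x00").decode("ascii", "replace")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        out.append({"name": name, "vaddr": vaddr, "vsize": vsize,
                    "rawptr": rawptr, "rawsize": rawsize})
    return out


def extra_sections(sections):
    """Names of sections appended after the expected VB6 layout (the shape the
    heuristic reacts to); None when the image is not VB6-shaped at all."""
    names = [s["name"] for s in sections]
    if names[:len(VB_LAYOUT)] != VB_LAYOUT:
        return None
    return names[len(VB_LAYOUT):]
```

Running `extra_sections(parse_sections(open(path, "rb").read()))` on a real build shows whether a post-processing step left a trailing section that the discussion above says will draw heuristic attention.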