topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • Sunday December 15, 2024, 5:08 am
  • Proudly celebrating 15+ years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Author Topic: Why I am done chasing AV scanners  (Read 2731 times)

MilesAhead

  • Supporting Member
  • Joined in 2009
  • **
  • Posts: 7,736
    • View Profile
    • Donate to Member
Why I am done chasing AV scanners
« on: December 25, 2015, 07:08 AM »
OK.  I am done chasing AV scanners.  They can create new scanners and malware db way faster than I can try to divine what the problem may be in 54 downloads in 60 some odd scanners.

Here is an illustration of what can be flagged as malware.  This program has three executables.  The reason is AHK can do the job really easily(recursively copy files) but it cannot compile genuine console(command line) programs.  AutoIt3 can do such compiles.  So I created an AutoIt3 console program that determines if you are on an x86 or x64 PC and runs either a 32 bit or 64 bit version of the exe that will actually do the copying.  The slave program issues an exit code with the number of files copied.  The launcing program reports this on the command line.  Simple.  Here is the AutoIt3 source.

#NoTrayIcon
#Region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_UseUpx=n
#AutoIt3Wrapper_Change2CUI=y
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****
#include <WinAPI.au3>

$slavePath = ""

If @OSArch = "X86" Then
$slaveProg = "rcopy_slave.exe"
Else
$slaveProg = "rcopy_slave_x64.exe"
EndIf

$slavePath = _WinAPI_PathFindOnPath($slaveProg, @WorkingDir)
If @error Then
ConsoleWrite("Required program: " & $slaveProg & " not found!" & @CRLF)
ConsoleWrite("For best results put rcopy.exe and " & $slaveProg & " in a folder in your PATH." & @CRLF)
Exit
EndIf
$result = ShellExecuteWait($slavePath, $CmdLineRaw)
ConsoleWrite($result & " File(s) Copied")

If I check this with VirusTotal the MBAM there clears it.  But on my Laptop I run MBAM, update the db and scann a folder full of downloads.  It does not like rcopy.zip.  I split out the zip file and run MBAM on that folder.  It does not like rcopy.exe the source of which you see above.

I tested all 54 zips with MBAM yesterday and it liked them all then.  I did an md5 test on a folder of all 54 zip downloads from yesterday and a fresh download from today.  They have not been modified in the web site.  So all that has changed is which scanners like which files.

I am not doing this crap to give away software anymore.  It says use at your own risk. I think what I will do now is check the md5 of zips I have not changed.  If I find an issue I will deal with it. But AV scanners can scan in hell afaic.   :down:

Do good deed goes unpunished.  :)


Edit:  A bit of a rant.  But I feel better now.  :)

« Last Edit: December 25, 2015, 05:00 PM by MilesAhead »

4wd

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 5,644
    • View Profile
    • Donate to Member
Re: Why I am done chasing AV scanners
« Reply #1 on: December 25, 2015, 04:59 PM »
FWIW, I compiled your source above using AutoIt v3.3.12.0 (I haven't updated yet), scanned with MBAM (latest DB) and it was fine.

EDIT: Compiled with AutoIt 3.3.14.2 and it still scans clean.
« Last Edit: December 25, 2015, 05:29 PM by 4wd »