New Free Software

Discussion in 'other anti-virus software' started by AndrewB, Apr 14, 2005.

Thread Status:
Not open for further replies.
  1. AndrewB

    AndrewB Guest

    Hello,

    I'm not sure if this post will be deleted, or if I'm within my rights to post here, but here goes in the hope it won't be deleted.

    I have just released a new free open-source anti-virus detection utility under the GPL. If you would like to support this project then please send your comments to mail@lommage.co.uk . I'm looking for good ideas and people willing to contribute (either testing or programming) to this project.

    Note by LowWaterMark: To anyone thinking about trying this software, please read the entire thread below before installing and running this program. A few people have had some difficulties and were concerned they might have to reinstall windows to fix it. So far it doesn't look like that was necessary, but just a fair warning for you.

    If you are not comfortable working in the registry, handling file associations, and changing startup keys, you may not want to try this software at this time.


    More information can be gathered here: http://www.lommage.co.uk/lomheuristic/ regarding who can use this software, how it works, and downloading the source code.

    It's only the first release and has a long way to go, but it's the closest thing we have to a free open-source detection system to accompany TDS signature scanning.

    Thanks for reading

    Andrew
     
    Last edited by a moderator: Apr 14, 2005
  2. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Looks good, can't wait to give it a spin :)
     
  3. Happy Bytes

    Happy Bytes Guest

    Code:
    If (FDosHeader.e_magic <> $5A4D) then Exit;
    
    FIsMSDos := True;
    
    Here we have problem number one: MS-DOS executables also start when you flip 'MZ' into 'ZM' :D You should also test for $4D5A besides $5A4D :D

    Besides this, may I ask how you read the import tables of runtime-compressed files?! That's the most important thing today: almost all malware is runtime compressed!
     
  4. AndrewB

    AndrewB Guest

    Thank you for your comment, I'll add a fix for that in 1.2.

    I'm thinking of maybe unpacking common packers (UPX etc.) before execution, and unknown packers will get an extra security warning for the user. In this day and age no exe really needs to be compressed, with 20GB hard drives and P4s :) so I think notifying the user that it is compressed is also a good idea.

    Thank you

    Andrew
     
  5. Happy Bytes

    Happy Bytes Guest

    This will give a lot of false positives.

    TDS - compressed by PECompact
    Total Commander compressed by ASPack; newer versions by UPX
    RAR SFX stubs compressed by UPX
    Lots of freeware compressed by ASPack
    Lots of tools compressed by FSG
    IDA + IDA Plugins compressed by ASPack

    etc etc
     
  6. Happy Bytes

    Happy Bytes Guest

    Next problem:

    Code:
    PEComExe: Boolean;          { Is the com file ran, a pe file? (not script) }
    You cannot flag files with *.COM extensions which are Win32 PE executables!

    I'll tell you why: worm and virus cleaners use a *.COM extension to clean worms which messed up the *.EXE extension in the system!

    Because a COM file will always run - it doesn't matter if the extension is registered in the registry. This trick is used by virus cleaners to avoid the "No program is associated with *.exe" error after some worm infections.
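    The two header points raised in posts 3 and 6 (accept 'ZM' as well as 'MZ', and judge a file by its bytes rather than its .COM/.EXE extension), as an added example that is not part of the original thread or of the Lom Heuristics source. The sample buffers are constructed here and are not real programs.

```python
import struct

# MS-DOS accepts either spelling of the DOS header magic, so a scanner that
# exits on anything other than 'MZ' silently skips 'ZM'-headed DOS programs.
DOS_MAGICS = {b"MZ", b"ZM"}
PE_SIGNATURE = b"PE\0\0"
DOS_HEADER_SIZE = 64          # IMAGE_DOS_HEADER is 64 bytes; e_lfanew sits at 0x3C


def classify_executable(data: bytes) -> dict:
    """Classify a file's bytes, ignoring its extension entirely.

    kind is one of:
      'no-header' - no DOS header at all (e.g. a flat .COM image)
      'dos'       - DOS header present, no PE signature reachable
      'pe'        - 'MZ' header whose e_lfanew points at 'PE\\0\\0'
    Only 'MZ' can lead to 'pe': the Win32 loader insists on 'MZ', while a
    'ZM' file is still a runnable DOS program and must not be skipped.
    """
    info = {"kind": "no-header", "dos_magic": None, "e_lfanew": None}
    if len(data) < DOS_HEADER_SIZE or data[:2] not in DOS_MAGICS:
        return info
    info["dos_magic"] = data[:2].decode("ascii")
    info["kind"] = "dos"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    info["e_lfanew"] = e_lfanew
    # Slicing past the end just yields a short slice, so a bogus e_lfanew is safe.
    if data[:2] == b"MZ" and data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE:
        info["kind"] = "pe"
    return info


def build_sample(magic: bytes, with_pe: bool) -> bytes:
    """Constructed test input: a bare DOS header whose e_lfanew points just
    past it, optionally followed by a PE signature and a blank COFF header."""
    hdr = bytearray(DOS_HEADER_SIZE)
    hdr[0:2] = magic
    struct.pack_into("<I", hdr, 0x3C, DOS_HEADER_SIZE)
    if with_pe:
        hdr += PE_SIGNATURE + bytes(20)
    return bytes(hdr)


if __name__ == "__main__":
    # File names are constructed; the verdict comes from the bytes alone.
    samples = {
        "normal.exe":  build_sample(b"MZ", True),
        "flipped.exe": build_sample(b"ZM", False),
        "cleaner.com": build_sample(b"MZ", True),            # PE inside a .COM
        "tiny.com":    b"\xB8\x00\x4C\xCD\x21" + bytes(60),  # flat DOS image
    }
    for name, blob in samples.items():
        print(f"{name:12s} -> {classify_executable(blob)['kind']}")
```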
     
  7. AndrewB

    AndrewB Guest

    Ahh yes, but in these cases the user knows that they are running this software; therefore a false positive is dependent on what the user decides is a threat. In this case most users will click 'yes' if they see software which they use trying to run.

    Andrew
     
  8. Be careful ....very very careful with that program.

    It may knock your system for a loop....Darn, I hate slow boring days at work.

    I get into too much trouble experimenting...for a while it looked like I'd have to
    do a format.
     
  9. AndrewB

    AndrewB Guest

    If you can't give me a bug report of what you were doing at the time, how can I rectify the problem :| It's one thing to criticise, it's another to contribute and help the development.

    Andrew
     
  10. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Andrew,

    Welcome - and please register as a member over here, if only to avoid name spoofing which could turn against you and your software.

    regards,

    paul
     
  11. AvianFlux

    AvianFlux Registered Member

    Joined:
    Dec 7, 2004
    Posts:
    237
    Hello Andrew,

    Where's the uninstall utility for Lom Heuristics? What's the file name?

    I'm having a few problems with your program and need to remove it.

    Thanks.
     
  12. AvianFlux

    AvianFlux Registered Member

    Joined:
    Dec 7, 2004
    Posts:
    237
    Sounds like you were having the same experience as I am now.

    What did you do to fix it?

    AvianFlux
     
  13. All my security apps didn't boot....msconfig....most programs would not work.
    I finally got ewido to work....and deleted LOM from starting....
     
  14. AvianFlux

    AvianFlux Registered Member

    Joined:
    Dec 7, 2004
    Posts:
    237
    Yup! Same here. Unfortunately, I don't have ewido.

    There's supposed to be an uninstall utility included, but I can't find it. o_O
     
  15. Do a search for it....that should still work..delete the key....
    It does not show up in Task Manager....hmmmm, do you have any programs
    that can delete startups.....like HijackThis?
    I think it put 3 entries in the startup....after deleting those, everything was okay...but for a while there...I was sure worried.
     
  16. AvianFlux

    AvianFlux Registered Member

    Joined:
    Dec 7, 2004
    Posts:
    237
    Jotti's Malware Scan returns the following when I try to upload the file.

    :eek:
     
  17. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    To AndrewB:

    Thanks for your nice software! Seemed to do more damage than even some trojans I've tried!

    I ran version 1.0 of this, and now my Windows XP won't open any .EXE files (I just get the "select a program to associate .EXE files with" window). It won't open anything in the Windows Control Panel because I only get an error message about "C:\WINDOWS\system32\rundll32.exe is missing". I tried inserting the Windows XP CD and choosing the repair function, but even that would not repair it.

    So for now I have reinstalled Windows XP on a different partition. If anyone can help with solving my little problem, I'd be very grateful!
     
  18. AndrewB

    AndrewB Guest

    Simply run the installer again; you will be faced with an option to uninstall (it's all part of the same exe).

    Andrew
     
  19. AndrewB

    AndrewB Guest

    Someone doesn't read help files! (It even said in there how to remove it manually for v1.0.)

    Make a .reg file and do the following:

    modify the default value in

    HKEY_CLASSES_ROOT\exefile\shell\open\command

    to

    "%1" %*

    FYI, I didn't test the software with other anti-virus products as of yet; the utility is really aimed at those people who cannot, or are unwilling to, spend money on security software.

    Andrew
     
  20. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    OK, which help file? The "Readme.txt.txt"? Here is the entire content of this file, and I can't see anything about how to "remove" and undo the changes your program made:

    By the way, could you please tell me exactly what the .reg file I have to make will look like? Regedit.exe won't work.

    (Running the program again to uninstall/undo changes it made won't work, because of .EXE file association problems.)
     
  21. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    Sorry to double-post...

    EDIT: Scratch what I wrote earlier, here is the fix for EXE file association problems.
     
    Last edited: Apr 14, 2005
  22. AvianFlux

    AvianFlux Registered Member

    Joined:
    Dec 7, 2004
    Posts:
    237
    That's not what's happening here. When I run the installer I get a Windows dialog box requesting an application to execute the installer.

    I can't get into regedit either; the same request is made for an app to run that too.
     
  23. AvianFlux

    AvianFlux Registered Member

    Joined:
    Dec 7, 2004
    Posts:
    237
    I wish. The download utility won't even launch when I click on the .exe fix link. :'(
     
  24. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    EDIT: TESTED AND KNOWN TO WORK ON WINDOWS XP ONLY! (Don't know about other Windows versions)

    Are you able to view any text files in Notepad? Try right-clicking a .txt file on your hard drive and opening it. Then go to "File", "New".

    Copy everything in this "Code quote" below:

    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_CLASSES_ROOT\.exe]
    @="exefile"
    "Content Type"="application/x-msdownload"
    
    [HKEY_CLASSES_ROOT\.exe\PersistentHandler]
    @="{098f2470-bae0-11cd-b579-08002b30bfeb}"
    
    [HKEY_CLASSES_ROOT\exefile]
    @="Application"
    "EditFlags"=hex:38,07,00,00
    "TileInfo"="prop:FileDescription;Company;FileVersion"
    "InfoTip"="prop:FileDescription;Company;FileVersion;Create;Size"
    
    [HKEY_CLASSES_ROOT\exefile\DefaultIcon]
    @="%1"
    
    [HKEY_CLASSES_ROOT\exefile\shell]
    
    [HKEY_CLASSES_ROOT\exefile\shell\open]
    "EditFlags"=hex:00,00,00,00
    
    [HKEY_CLASSES_ROOT\exefile\shell\open\command]
    @="\"%1\" %*"
    
    [HKEY_CLASSES_ROOT\exefile\shell\runas]
    
    [HKEY_CLASSES_ROOT\exefile\shell\runas\command]
    @="\"%1\" %*"
    
    [HKEY_CLASSES_ROOT\exefile\shellex]
    
    [HKEY_CLASSES_ROOT\exefile\shellex\DropHandler]
    @="{86C86720-42A0-1069-A2E8-08002B30309D}"
    
    [HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers]
    
    [HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PEAnalyser]
    @="{09A63660-16F9-11d0-B1DF-004F56001CA7}"
    
    [HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PifProps]
    @="{86F19A00-42A0-1069-A2E9-08002B30309D}"
    
    [HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\ShimLayer Property Page]
    @="{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"
    
    Then choose "File", "Save As...". Make sure "Save as type" is set to "All files", and choose a filename like, for example: EXEFIX.REG

    Exit Notepad and double-click this file, and the problem is solved. PS! You may have to restart your computer.
     
  25. dan_maran

    dan_maran Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    1,053
    Location:
    Stamford, CT
    I don't agree with bashing someone's hard work, so take it easy on him guys.
    He did say:
    Now, I am not having these issues, as I did install it, realized it wasn't what I was looking for and removed it, with no issues at all, by running the installer again. Granted, it took a few tries, but it worked. BTW, I am not running anything resident besides GData AVK 2005 Pro, so I have no idea if it could be a software issue.
     