Nenad Stefanović | 20 Jan 2012 03:10

_ATL_MIN_CRT triggers Avast Sandbox

Hi everybody,

I have Avast 6.0 anti-virus and I noticed that now Avast triggers Sandbox
for apps built with _ATL_MIN_CRT. Any apps, including projects that do
nothing but display a window. I contacted Avast support, but they were not
helpful at all.

Has anybody else noticed this? Any ideas why this is happening?

I think this is an important issue. If the problem is a real one, WTL
should then drop support for _ATL_MIN_CRT.

Cheers,
Nenad

[Non-text portions of this message have been removed]

------------------------------------

Yahoo! Groups Links

<*> To visit your group on the web, go to:
    http://groups.yahoo.com/group/wtl/

<*> Your email settings:
    Individual Email | Traditional

<*> To change settings online go to:
    http://groups.yahoo.com/group/wtl/join
    (Yahoo! ID required)

Philipp Kursawe | 20 Jan 2012 07:29

RE: _ATL_MIN_CRT triggers Avast Sandbox

You could just compile without this setting or better yet uninstall
that snake oil software of Avast and just use the free MS security
essentials if you think you need it.

Phil
From: Nenad Stefanović
Sent: 20.01.2012 03:11
To: wtl@...
Subject: [wtl] _ATL_MIN_CRT triggers Avast Sandbox
Hi everybody,

I have Avast 6.0 anti-virus and I noticed that now Avast triggers Sandbox
for apps built with _ATL_MIN_CRT. Any apps, including projects that do
nothing but display a window. I contacted Avast support, but they were not
helpful at all.

Has anybody else noticed this? Any ideas why this is happening?

I think this is an important issue. If the problem is a real one, WTL
should then drop support for _ATL_MIN_CRT.

Cheers,
Nenad


Nenad Stefanović | 21 Jan 2012 04:40

Re: _ATL_MIN_CRT triggers Avast Sandbox

Hi Phil,

I could, but this is not about my project, it is about WTL and its support
for _ATL_MIN_CRT.

Have you had any problems with Avast? Works fine for me in general.

Cheers,
Nenad

On Thu, Jan 19, 2012 at 10:29 PM, Philipp Kursawe <phil.kursawe@...> wrote:

> You could just compile without this setting or better yet uninstall
> that snake oil software of Avast and just use the free MS security
> essentials if you think you need it.
>
> Phil
> From: Nenad Stefanović
> Sent: 20.01.2012 03:11
> To: wtl@...
> Subject: [wtl] _ATL_MIN_CRT triggers Avast Sandbox
> Hi everybody,
>
> I have Avast 6.0 anti-virus and I noticed that now Avast triggers Sandbox
> for apps built with _ATL_MIN_CRT. Any apps, including projects that do
> nothing but display a window. I contacted Avast support, but they were not
> helpful at all.
>
> Has anybody else noticed this? Any ideas why this is happening?
>

Philipp Kursawe | 21 Jan 2012 11:38

Re: _ATL_MIN_CRT triggers Avast Sandbox

Hello,

I do not understand the problem. If the _ATL_MIN_CRT is causing you
problems just don't compile your project with this setting enabled.

I have had no problems with Avast in particular, but you should know that
all antivirii software is nothing more than snake oil. They do not protect
you from unknown threats and what they call heuristics algos is just
another word for "we do not know what to do". And for these reasons I will
never pay for anti virii software but rather use the free MS Security
Essentials. Which also has no problems with the mentioned WTL compile
setting.

Phil

On Sat, Jan 21, 2012 at 4:40 AM, Nenad Stefanović <nenad2001@...> wrote:

> Hi Phil,
>
> I could, but this is not about my project, it is about WTL and its support
> for _ATL_MIN_CRT.
>
> Have you had any problems with Avast? Works fine for me in general.
>
> Cheers,
> Nenad
>
>
>
>

Angus Comber | 21 Jan 2012 13:44

Re: _ATL_MIN_CRT triggers Avast Sandbox

I am trying to work out what ATL_MIN_CRT does. I can see in the compilation of WTL it uses its own string
handling functions to avoid the CRT startup code. But how does it change the link process? It must be
setting some flag to exclude use of the C runtime? How does it do that?

  ----- Original Message ----- 
  From: Nenad Stefanović 
  To: Philipp Kursawe 
  Cc: wtl@... 
  Sent: Saturday, January 21, 2012 3:40 AM
  Subject: Re: [wtl] _ATL_MIN_CRT triggers Avast Sandbox

    
  Hi Phil,

  I could, but this is not about my project, it is about WTL and its support
  for _ATL_MIN_CRT.

  Have you had any problems with Avast? Works fine for me in general.

  Cheers,
  Nenad

  On Thu, Jan 19, 2012 at 10:29 PM, Philipp Kursawe <phil.kursawe@...> wrote:

  > You could just compile without this setting or better yet uninstall
  > that snake oil software of Avast and just use the free MS security
  > essentials if you think you need it.
  >
  > Phil
  > From: Nenad Stefanović

Nenad Stefanović | 24 Jan 2012 02:02

Re: _ATL_MIN_CRT triggers Avast Sandbox

Hi Angus,

_ATL_MIN_CRT replaces the CRT startup code by replacing the main() function.
You still link to the CRT library, but can't use any of the CRT functions that
require startup code. When you do, you get unresolved function main() while
linking. The advantage of doing this is that the resulting executable is much
smaller. This is useful for small apps or DLLs.

Cheers,
Nenad

On Sat, Jan 21, 2012 at 4:44 AM, Angus Comber <angus@...> wrote:

> I am trying to work out what ATL_MIN_CRT does. I can see in the
> compilation of WTL it uses its own string handling functions to avoid the
> CRT startup code. But how does it change the link process? It must be
> setting some flag to exclude use of the C runtime? How does it do that?
>
>
> ----- Original Message -----
> From: Nenad Stefanović
> To: Philipp Kursawe
> Cc: wtl@...
> Sent: Saturday, January 21, 2012 3:40 AM
> Subject: Re: [wtl] _ATL_MIN_CRT triggers Avast Sandbox
>
> Hi Phil,

Gabriel Kniznik | 21 Jan 2012 15:07

Re: _ATL_MIN_CRT triggers Avast Sandbox

Hi, Nenad

I just tried three projects compiled with _ATL_MIN_CRT with
Avast 6.0.1367 installed and nothing happened (no sandbox).
We should grep the whole library and check what may be wrong. My system
is Windows 7 64 bit.

Best regards,

Gabriel


Dick Dievendorff | 21 Jan 2012 15:33

RE: Re: _ATL_MIN_CRT triggers Avast Sandbox

Nenad:

I author a program that uses WTL (incidentally compiled with ATL_MIN_CRT)
that at one time was diagnosed by one anti-malware version as being infected
with a Trojan.

I would think that many of these programs use pattern matching, and there's
tension between finding malware and "false positives" caused by finding a
common pattern in "normal" as well as "bad" code. Perhaps some malware used
ATL_MIN_CRT and the anti-malware pattern author used something in the ATL
code added with ATL_MIN_CRT as the pattern to identify the malware.  

The problem may just go away with an Avast pattern file update that corrects
their pattern match.  I wouldn't change anything in WTL for this.  I'd try
to contact the anti-malware vendor to report this "false positive" situation
(my attempts at this have all failed). It's good to let the ATL community
know so that the poor authors that use ATL_MIN_CRT have a chance to respond
to their users who can perhaps influence their anti-malware vendor. Having a
list of other anti-malware software that doesn't complain about ATL_MIN_CRT
might help, but I took the approach that my customers had to make their own
decision about who to trust.  I installed the offending anti-malware and
scanned many times without finding a "hit".  One of my customers ran my
executable thru an anti-virus gauntlet web site that passed.   The whole
thing blew over after a few weeks when the anti-malware vendor made a
database update.  I never heard from them, though.

Dick Dievendorff

Happy WTL user


Nenad Stefanović | 24 Jan 2012 02:07

Re: Re: _ATL_MIN_CRT triggers Avast Sandbox

Hi Dick,

I agree completely with you.

The only people that can help here are guys working on Avast, but they
don't seem to be very helpful. That is really too bad. At this point we can
only wait and see if there are any changes.

Cheers,
Nenad

On Sat, Jan 21, 2012 at 6:33 AM, Dick Dievendorff <dieven@...> wrote:

> Nenad:
>
> I author a program that uses WTL (incidentally compiled with ATL_MIN_CRT)
> that at one time was diagnosed by one anti-malware version as being
> infected
> with a Trojan.
>
> I would think that many of these programs use pattern matching, and there's
> tension between finding malware and "false positives" caused by finding a
> common pattern in "normal" as well as "bad" code. Perhaps some malware used
> ATL_MIN_CRT and the anti-malware pattern author used something in the ATL
> code added with ATL_MIN_CRT as the pattern to identify the malware.
>
> The problem may just go away with an Avast pattern file update that

Nenad Stefanović | 24 Jan 2012 02:04

Re: Re: _ATL_MIN_CRT triggers Avast Sandbox

Hi Gabriel,

That is very interesting. It is probably because Avast is different on
64-bit. Unfortunately, I don't have any 64-bit machine to try that on.

Cheers,
Nenad

On Sat, Jan 21, 2012 at 6:07 AM, Gabriel Kniznik <gkniznik@...> wrote:

> Hi, Nenad
>
> I just tried three projects compiled with _ATL_MIN_CRT with
> Avast 6.0.1367 installed and nothing happened (no sandbox).
> We should grep the whole library and check what may be wrong. My system
> is Windows 7 64 bit.
>
> Best regards,
>
> Gabriel
>
>  
>


Peter Kvitek | 3 Feb 2012 23:46

RE: _ATL_MIN_CRT triggers Avast Sandbox

Our WTL based app has millions of installations and roughly twice a year one
or the other antivirus package starts flagging it as malware after virus
definitions update. We routinely contact the antivirus vendor and they
release an update that fixes the problem the next day or the day after.

It's still very confusing for our users, so at some point I had a meeting
with one of the big name antivirus vendors' devs trying to figure out a way
to prevent this from happening. Unfortunately, the process they use is
largely heuristic, so false positives are expected and there is not much we
can do about it.

In this particular case the pattern was probably acquired from the malware
executable that happened to be built with ATL in _ATL_MIN_CRT mode.
Anti-virus package should be smart enough to find unique pattern that
identifies the malware executable, so bits coming from the commonly used
library or framework cannot be part of it.

/Peter

From: wtl@...
[mailto:wtl@...] On Behalf Of Nenad
Stefanovic
Sent: Thursday, January 19, 2012 6:11 PM
To: wtl@...
Subject: [wtl] _ATL_MIN_CRT triggers Avast Sandbox

Hi everybody,

I have Avast 6.0 anti-virus and I noticed that now Avast triggers Sandbox
for apps built with _ATL_MIN_CRT. Any apps, including projects that do
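
Peter's point about patterns that include bytes from a commonly used framework, as an added example that is not part of the original thread and not any vendor's actual method. The byte strings, file names and function names are constructed for illustration; `STUB` stands in for startup code shared by every app built the same way.

```python
# Added example; all byte strings and file names below are constructed.
STUB = b"\x55\x8b\xec" + b"SHARED-MINCRT-STARTUP-STUB"  # shared framework code

FILES = {
    "benign_a.exe": STUB + b"|show-window|",
    "benign_b.exe": STUB + b"|text-editor|",
    "malware.exe": STUB + b"|unique-malicious-routine|",
}

def ngrams(data, n):
    """All n-byte windows of data."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}

def naive_signature(sample, n):
    """Pattern taken from the start of the sample, where shared startup code sits."""
    return sample[:n]

def unique_signatures(sample, benign_corpus, n):
    """n-byte windows of sample, by offset, that occur in no benign file.

    An empty list means the sample has no safe pattern of this length."""
    known_good = set()
    for data in benign_corpus:
        known_good |= ngrams(data, n)
    seen, result = set(), []
    for i in range(len(sample) - n + 1):
        window = sample[i:i + n]
        if window not in known_good and window not in seen:
            seen.add(window)
            result.append(window)
    return result

def flagged(files, signature):
    """Names of the files a plain substring scan would report."""
    return sorted(name for name, data in files.items() if signature in data)

if __name__ == "__main__":
    benign = [FILES["benign_a.exe"], FILES["benign_b.exe"]]
    bad = naive_signature(FILES["malware.exe"], 8)
    good = unique_signatures(FILES["malware.exe"], benign, 8)[0]
    print("naive :", flagged(FILES, bad))    # every app sharing the stub
    print("unique:", flagged(FILES, good))   # only the malicious sample
```
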

Nenad Stefanović | 4 Feb 2012 00:34

Re: _ATL_MIN_CRT triggers Avast Sandbox

Hi Peter,

Thanks for sharing this info. Based on it, we have to conclude that there
is nothing really wrong with the _ATL_MIN_CRT code. And that is a very good
thing to know.

Cheers,
Nenad

On Fri, Feb 3, 2012 at 2:46 PM, Peter Kvitek <pete@...> wrote:

> Our WTL based app has millions of installations and roughly twice a year
> one
> or the other antivirus package starts flagging it as malware after virus
> definitions update. We routinely contact the antivirus vendor and they
> release an update that fixes the problem the next day or the day after.
>
> It's still very confusing for our users, so at some point I had a meeting
> with one of the big name antivirus vendors' devs trying to figure out a way
> to prevent this from happening. Unfortunately, the process they use is
> largely heuristic, so false positives are expected and there is not much we
> can do about it.
>
> In this particular case the pattern was probably acquired from the malware
> executable that happened to be built with ATL in _ATL_MIN_CRT mode.
> Anti-virus package should be smart enough to find unique pattern that
> identifies the malware executable, so bits coming from the commonly used