[German]Within this blog post I will outline the risk, users are facing by trusting anti virus scanners. Security expert Stefan Kanthak outlined a case to me, that shows, that you can't trust most virus scanners. Sometimes the don't detect malicious software – but in many cases they are reporting false positives. Stefan Kanthak demonstrated this to me with his tool CPUID Enumerator and Decoder.
Advertising
CPUID Enumerator and Decoder
CPUID Enumerator and Decoder is a command line alias console program for Microsoft® Windows® NT and newer, described on this web page. The CPUPRINT.EXE program decodes and prints the information obtained from the CPUID and XGETBV instructions of the processor. This gives the user an overview of which features a CPU creates:
- IBRS, STIBP, IBPB, L1D_FLUSH und SSBD,
- as well as the presence of the model-specific registers IA32_ARCH_CAPABILITIES and IA32_FLUSH_CMD.
The latter were introduced by AMD and Intel with firmware aka microcode updates in order to exploit the vulnerabilities:
- CVE-2017-5715 alias Branch Target Injection,
- CVE-2017-5753 alias Bounds Check Bypass,
- CVE-2017-5754 alias Rogue Data Cache Load,
- CVE-2018-3639 alias Speculative Store Bypass,
- CVE-2018-3640 alias Rogue System Register Read,
- CVE-2018-3693 alias Bounds Check Bypass Store, und C
- VE-2018-3615, CVE-2018-3620 plus fix CVE-2018-3646 aka L1 Termination Fault, better known by their nicknames Meltdown, Spectre, Spectre-NG and Foreshadow.
It also lists the alias features for processor capabilities PCID, which was introduced in 2010 in the first generation of Intel Core processors with Westmere microarchitecture, and INVPCID, which was introduced in 2013 in the fourth generation of Intel Core processors with Haswell microarchitecture. So, a very useful tool if you want to know about the capabilities of a CPU.
Guaranteed virus-free, but scanners sound the alarm
Stefan Kanthak wrote me the days in a mail: I build my CPUID-Decoder guaranteed virus-free with the Microsoft C compiler from the source code and my NOMSVCRT.LIB (instead of the MSVCRT). Thereby the following 4 variants are created: :
If you then upload the .exe files in question to Virustotal, you get a Christmas buildup of "red warnings" about how dangerous the programs are after all. Here are the links:
Advertising
- www.virustotal.com Example 1: 34 of 73
- www.virustotal.com Example 2: 12 of 70
- www.virustotal.com Example 3: 1 of 70
- www.virustotal.com Example 4: 0 of 71
Virustotal false positives
The tool is scanned in the relevant virus scanners, and they respond to certain code sequences, which are then reported as malicious. Note, however, that the above four links basically evaluate the same code, only as 32 or 64 bit and with UTF-16 or ASCII output.
Since all 4 programs perform the same accesses to CPUID functions, they would have to be equally classified as malicious. However, the difference between the ASCII and UNICODE variants is that the former use ASCII strings and the ASCII functions of the Win32 API, the latter use UNICODE strings and the UNICODE functions.
While in the first link still 34 of 71 virus scanners are responding, in the last link there is sunshine – no virus scanner is complaining. Stefan has built two more variants (32-, 64-bit), which do not decode as ASCII or UNICODE. With one variant 5 of 71 Scanner scanners hit, with the other variant 0 of 71 scanners flags that file as malicious.
An example that one should not trust the virus scanners of Virustotal (or the manufacturers participating there) – they are simply in some cases an estimation instrument, which indicates something.
Similar articles
Microsoft Defender Version 1.353.1874.0 version 1.353.1874.0 incorrectly reports Emotet
Windows 10/11: The risky "trusted" Apps-Installer – abused by Emotot gang
Examples of virus mails from a compromised Exchange servers
Phishing attacks by state hackers via new RTF template injection technique
Android App Barcod Scanner with Trojan – opens random websites
Excel XLL addins abused for malware installation
