MaxxMem showing constant latency of 150ns!!



KPRage
02-18-2013, 02:20 PM
Hey guys,

Finally got into tweaking with memory timings and, RAM OC.. After reading a lot of articles, I think I have a fair bit of idea on what goes on with the RAMs and, what to tweak.. However, just to see how things work with Default and, XMP mode, I ran the Maxxmem latency test.. It gave a latency of 150ns (which should not be the case even for 1333MHz 9-10-9-27 timings)! Still, I thought there might be something which is giving that latency, I put it to XMP mode (1866MHz 9-10-9-27) which should definitely reduce the latency! however, it still shows a latency of 150ns.. Is there any problem with the MaxxMem?? Is there any alternate tool I can use to test the latency??

Oh and, before I miss it, when I ran the MaxxMem, my anti-virus Kaspersky showed a virus attack from Temp/cpuz.exe. I chose to terminate the cpuz.exe process. MaxxMem still ran, giving the results to be 22+GB/s for mem clock and, the latency remained at 150ns.

Just to make sure my understanding is right, shouldn't the latency be something like this: 9+10+9=27+~10ns = ~37ns for 1866Mhz and, CL9??

All other settings were left at auto and, CPU is Oc'd to 4.6Ghz. Other details in my sig.

Thanks,
KP

KPRage
02-18-2013, 03:00 PM
Hey.. Turned out to be that cpuz.exe had to run for me to get the latency right.. Not sure if my system is infected now.. :p

HiVizMan
02-18-2013, 05:43 PM
You are getting a false positive from your AV. There must be a couple of million people using CPUz. And certainly I have never had an AV flag using NOD32 :)

KPRage
02-19-2013, 03:39 AM
Yeah, for CPUz as such it doesn't say anything.. It's when I open MaxxMem, it gives a warning that cpuz.exe from Temp is trying to manipulate your software!! :D

Zka17
02-19-2013, 11:46 AM
I think, when you're running benchmarks, it's better to have the anti-virus software turned down...

KPRage
02-19-2013, 01:54 PM
Yep.. Will be having a dedicated hdd with, only what is required, running in it.. It shall be built only for benchmarks.. Z, HVM, Menthol, WhitePaw, 8 Packs, you guys have inspired me to go for the benching.. Though, the passion and, excitement is high, so is the money involved.. :p It is the only thing stopping me from doing a full-blown benching set up.. :p Though, I am saving it up for this purpose now.. Can't wait to start off with the tweaks.. It's more fun doing the tweaks.. Benchmarks are the icing on the cake.. :)

HiVizMan
02-19-2013, 02:19 PM
The journey is what is exciting, and take your time. In benching it is all about knowing your system. Knowing the best set up (tweaking) for each benchmark.

Take your time and do not rush. It is a way of life.

KPRage
02-19-2013, 05:26 PM
HVM.. Yep sir.. Will do.. :) Thanks heaps and, tons to you.. You have been of awesome help all along.. :)

Cheers,
KP

Henkenator68NL
05-13-2013, 08:07 PM
You are getting a false positive from your AV. There must be a couple of million people using CPUz. And certainly I have never had an AV flag using NOD32 :)

The AV flag is from the file maxxmem2 when you click download the file through the HWBOT link...


Are you absolutely sure this is no virus??

https://www.virustotal.com/nl/file/34dc1c0ff8aa0d51de964c0f45cf39004f0b505bc26151342dffba8de839396c/analysis/1361797622/

Check the url on Virus total.

I am not sure what to think ...

And I know to bench without antivirus ... but never download anything without !!!

flexnl
05-13-2013, 09:02 PM
I never install extra anti virus software...just the windows defender:p

Zka17
05-13-2013, 10:22 PM
Well, if you do 2D benching, then running anything in background will slow you down... for that reason I actually turn off the sound and network in BIOS, so when I'm installing the OS it won't even ask about those... (of course, no network cable is plugged in either)

Just use a separate small HDD for these things and re-format often then you don't have to deal with viruses...

Nodens
05-14-2013, 01:01 AM
The AV flag is from the file maxxmem2 when you click download the file through the HWBOT link...


Are you absolutely sure this is no virus??

https://www.virustotal.com/nl/file/34dc1c0ff8aa0d51de964c0f45cf39004f0b505bc26151342dffba8de839396c/analysis/1361797622/

Check the url on Virus total.

I am not sure what to think ...

And I know to bench without antivirus ... but never download anything without !!!

It gets flagged because the executable is packed. Packing is a method of compressing and/or encrypting an executable in a way that it's uncompressed and/or decrypted on the fly when you run it. Packing is used by developers that want to protect their applications against rudimentary crackers just throwing their application in a debugger (rudimentary because eventually everything can be unpacked). Unfortunately several malware developers pack their executables as well, so that antivirus' real time scanning engines can not examine the code in detail. It also slows down the effort of reverse engineers working for the Antivirus companies to analyze malware payload and signatures.

Packed executables are usually flagged by Antivirus programs in one way or another (unless the application is submitted to them, in that case they exclude a particular application). Some warn you that the executable is packed (the proper way), others outright mark it as malware in an attempt to "catch them all"(the wrong way)--yet they don't catch other important stuff heh.

So if you see something that is detected as "Packed" use it freely if you trust the source you got it from. In this particular case, I'm guessing HWBOT has packed the executable with multiple packers in order to make it really difficult for programmers to cheat on the benches.

Also you can trust NOD32 and Kaspersky. Avast is also a decent free solution. The rest are meh..

Henkenator68NL
05-14-2013, 07:20 AM
Well I am quite surprised by the reactions.

First of all: If you are benching and use software on a machine that does not contain any antivirus whatsoever. Trust me when I tell you that a lot of stuff is roaming the net that you are not aware of. Second: downloading the software you use; never do that without any antivirus program, better even use a service that offers antivirus combined with internet security (firewall and certainly a program that actively tracks programs that start and try to alter any register settings).

In the case of maxxmem: This is the report that Eset (previously NOD32) continues to give on the file at HWbot.

It is in Dutch but under threat it states: a version of Win32/Packed.Multipacked.N trojan horse, the file has been put in quarantine.

This file is an .exe file. Offering programs in a plain .exe file for download is not safe. Most files you download are packed/zipped/compressed AND its content is checkable by the antivirus. Except when an unknown encryption/compression code is used mostly in combination with a password -> this is always a sign that should trigger you to alert!

The thing I always do if I download and get a trojan flag is go to virustotal.com -> the previously posted link is from the url of maxxmem2 on hwbot.

I have downloaded heaps of files, for myself but also for business. You will not believe the amount of viruses/malware/trojans I have intercepted.

On top of that, if you go to the developers homepage:
http://www.maxxpi.net/pages/downloads/maxxmemsup2---preview.php
You can clearly see that they offer a .zip file; this does not get any malicious code flag...

And do not forget; it is so easy to hack a server and replace a downloadable file with a slightly altered downloadable file.... And then you download it without any proper anti virus???

My advice: Buy yourself a proper internet security suite. Just some free stuff like Windows defender and avg ... they don't cut it. No protection=dangerous.

This is something completely different than doing benchmarks. Of course I know that you better shutdown all apps, cut your lan and wifi cards off in bios....

But think what will happen if you have just downloaded a test program (without proper protection) and you run it on your bench rig. It will most probably not be able to contact the internet... But it might still be running and trying to ... so processes are running .... I thought it was the sole purpose of turning all unneeded hard and software off to get the amount of running processes as low as possible....

And what do you do after the test run? You take a screenshot right? And where does that screenshot go? Probably on a usb stick and you put it in another pc, hello mr trojan has just travelled from system 1 to system 2 .....

Better safe than sorry ...

I will run the MaxxMem version from hardware bot in a sandbox and see which processes it is going to use.

Nodens
05-14-2013, 12:01 PM
In the case of maxxmem: This is the report that Eset (previously NOD32) continues to give on the file at HWbot.

It is in Dutch but under threat it states: a version of Win32/Packed.Multipacked.N trojan horse, the file has been put in quarantine.


Packed.Multipacked.N does not mean it's a trojan. This tag means what I already explained. That the executable is packed with several packers stacked on top of each other. I already told you why they have probably done this. It falls under this condition of HWBOT:


Any software or human interaction altering the perceived speed of the benchmark program, tricking it to believe it ran faster


NOD32 reports it as a Trojan because they have not examined it and stacking several packers usually means it's something bad hidden inside.



This file is an .exe file. Offering programs in a plain .exe file for download is not safe. Most files you download are packed/zipped/compressed AND its content is checkable by the antivirus. Except when an unknown encryption/compression code is used mostly in combination with a password -> this is always a sign that should trigger you to alert!


No. We are not talking about simple compression (eg zip/rar/7z/etc).

All runtime packers (PE packers) are not checkable by antivirus except the unmodified UPX packer which is the first and most rudimentary one. Every other packer uses secure encryption that makes examining the executable without running it, impossible.
Decryption can only happen in memory DURING execution. Forceful unpacking can only be done in a debugger by someone experienced in reverse engineering and it's a process that involves finding the OEP (Original Entry Point) of the PE-COFF image during runtime, then rebuilding the IAT (Import Address Table) and dumping the new PE-COFF image into a new executable file.
I will not get into more details about this process because it will essentially be a tutorial for cracking software.



And do not forget; it is so easy to hack a server and replace a downloadable file with a slightly altered downloadable file.... And then you download it without any proper anti virus???


This is true to an extent. It is easy to crack some servers. Big sites like HWBOT are not that easy to get into and it usually requires a bit of social engineering or untrained site staff. Still it's not that easy to keep your unauthorized access hidden from any proper server administrator.
So my advice still stands. Only run packed executables if you trust the source.



I will run the MaxxMem version from hardware bot in a sandbox and see which processes it is going to use.

This will not help you against any advanced malware. They may be loading Ring 0 drivers or utilizing rootkit methods (such as NTFS ADS) to hide from the operating system entirely. You can not examine this way. Only way is to unpack it and compare to original file or examine in a debugger. Give me half an hour and I will unpack this for you guys and report back.

EDIT: Done:) This is the version from HWBOT, unpacked by me : https://dl.dropboxusercontent.com/u/64810339/MaxxMEM2_preview_unpacked_Nodens.rar

You can now scan it with anything that makes you feel comfortable:)

For further information: The detection of the Antivirus was also wrong. It was not packed with multiple packers, it was just packed with PECompact 2.x which is fairly easy to unpack. The antivirus engine for some reason thought there were multiple packers involved but there were not:)
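
The "Packed" verdict discussed in this thread can be reproduced with a simple static heuristic. The sketch below is an added example, not part of the original posts and not how NOD32 or Kaspersky work internally: it reads a PE section table and flags sections whose bytes look compressed or encrypted (high Shannon entropy) or that are both writable and executable. The 7.0 bits/byte threshold, the `.packed` section name and the sample image are assumptions constructed for illustration; a flag here means "packed", not "malicious".

```python
import math
import struct
from collections import Counter

EXEC, WRITE = 0x20000000, 0x80000000  # IMAGE_SCN_MEM_EXECUTE / IMAGE_SCN_MEM_WRITE

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def scan_sections(image: bytes, threshold: float = 7.0):
    """Return (name, entropy, suspicious) for every section of a PE image."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    pe = struct.unpack_from("<I", image, 0x3C)[0]        # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    nsect, opt_size = struct.unpack_from("<H12xH", image, pe + 6)
    table = pe + 24 + opt_size                            # start of section table
    out = []
    for i in range(nsect):
        name, _vsz, _va, rsz, rptr, flags = struct.unpack_from(
            "<8sIIII12xI", image, table + 40 * i)
        h = entropy(image[rptr:rptr + rsz])
        wx = bool(flags & EXEC and flags & WRITE)         # stub can rewrite code in place
        out.append((name.rstrip(b"\0").decode("latin-1"), round(h, 2),
                    h >= threshold or wx))
    return out

def build_sample() -> bytes:
    """Constructed PE skeleton: only the headers the scanner reads, not loadable."""
    plain = b"\x55\x8b\xec\xc3" * 1024      # repetitive, code-like bytes
    dense = bytes(range(256)) * 16          # uniform bytes, stand-in for packed data
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)
    base = 64 + 24 + 2 * 40                 # DOS stub + PE/COFF header + 2 section headers
    sect = b""
    for name, blob, flags, va, off in (
            (b".text", plain, EXEC | 0x40000000, 0x1000, base),
            (b".packed", dense, EXEC | WRITE, 0x2000, base + len(plain))):
        sect += struct.pack("<8sIIII12xI", name, len(blob), va, len(blob), off, flags)
    return dos + coff + sect + plain + dense

if __name__ == "__main__":
    for row in scan_sections(build_sample()):
        print(row)
```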

Henkenator68NL
05-14-2013, 01:38 PM
Everything you state is exactly what I -tried- to point out ....

When in doubt ... question first.

Cybercrime is growing ... no servers are 100% safe ..

A few weeks ago Dutch hackers attacked Spamhaus in the biggest cyber attack yet.

He who thinks lives twice!

Nodens
05-14-2013, 01:41 PM
:D If you didn't see the edit at the post above, I added the unpacked executable from HWBOT:) Feel free to scan it. It's perfectly safe!

Henkenator68NL
05-14-2013, 02:06 PM
it is clean indeed

Nodens
05-14-2013, 06:54 PM
Let me add this up because I do not want to be misunderstood. When I said my advice is to download only from sources you trust I'm talking about files that are already detected by your Antivirus as "Packed".

That means:
A) Having an antivirus is a must. As I've said a lot of times before (in other threads as well) I personally suggest NOD32 and Kaspersky after tests with my own custom code (all of them can catch things they know..what's important is catching things they don't). They have great Heuristics engines and are also the lightest solutions available. Very popular products like Norton and McAfee are utter junk (they used to be very good back in the day..15+ years ago:p).

B) Relying on Windows Defender/Microsoft Security Essentials is not a good idea. Think about it, these products are enabled by default on Windows machines (Win8's Windows Defender is MSE actually), if they actually did their job properly then Windows machines would be malware free. They're not though:) If you want a free solution I suggest Avast. It's the best of the free ones available but it won't reach the quality of NOD32 and Kaspersky.

C) Things that are detected as Trojans, Malware, Viruses, Adware are probably not safe anyhow (there are exceptions to this such as some game trainers..the programming practices they use (editing an external process' memory/injecting dlls/etc) will flag them by most AV heuristics engines). But in order to know what is detected as what, a proper AV application is needed:)

Henkenator68NL
05-14-2013, 08:02 PM
I can only say : very nicely put, I completely agree with you!:-0

flexnl
05-14-2013, 08:25 PM
kick some virus butttt ! go henk :P