AutoIt Forums: Are my AutoIt EXEs really infected? - AutoIt Forums


Page 1 of 1
  • You cannot start a new topic
  • This topic is locked

Are my AutoIt EXEs really infected? How and Why your EXEs have been deleted.

#1 JSThePatriot

  • carpe diem. vita brevis.
  • Group: AutoIt MVPs (MVP)
  • Posts: 3,651
  • Joined: 26-August 04
  • Location: Tennessee, USA

Posted 17 October 2006 - 04:22 PM

If you have been using AutoIt for any length of time you will know that it is a great and powerful scripting language. As with all powerful languages, there comes a downside: virus creation by those who are malicious.

AutoIt has no virii installed on your system, and if a script you have created has been marked as a virus (and you're not malicious) then this is a false positive. They found a set of instructions in an AutoIt EXE out there somewhere, took the general signature of the file, and now all AutoIt EXEs are marked (or most of them). This can be due to several reasons.
  • AutoIt is packed with UPX. UPX is an open source software compression packer. It is used with many virii (to make them smaller).
  • Malicious scripter got the AutoIt script engine recognized as a virus.
And I am sure there are more ways your executable could be marked, but that covers the basics.

Now I am sure you are wanting to know what you can do to get back up and running without being recognized as a virus. You have to send in a report to the offending AV company alerting them to the false positive they have made. It never hurts to send in your source code along with a compiled EXE, to help them realize their mistake.

You may have to wait up to 24 hours for them to release an update. The time it takes really depends on the offending AV company.

Anti-Virus Links

Edit: Added website links and contact links.

I hope this helps you understand why your AutoIt executables are marked as virii.
JS

This post has been edited by JSThePatriot: 13 December 2006 - 04:38 AM
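Added example, not from this thread or from the AutoIt project: the post above names UPX packing as one reason a compiled script trips AV signatures, so a useful first check before filing a false-positive report is whether your EXE is actually UPX-packed. The script below parses the PE section table directly (no third-party modules) and looks for the section names UPX leaves behind (UPX0, UPX1, UPX2) and its "UPX!" marker. The `build_minimal_pe` helper constructs a header-only test image so the check can be exercised offline; real compiled EXEs would be read from disk instead.

```python
import struct

SECTION_HEADER_SIZE = 40          # each IMAGE_SECTION_HEADER is 40 bytes
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def pe_section_names(data: bytes) -> list:
    """Return the section names of a PE image; raise ValueError if it is not PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file: missing MZ header")
    # e_lfanew at offset 0x3C points at the "PE\0\0" signature
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size                          # section table follows optional header
    names = []
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_SIZE
        raw = data[off:off + 8]                           # Name field: 8 bytes, NUL padded
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.rstrip(b"\0"))
    return names


def upx_indicators(data: bytes) -> dict:
    """Collect the evidence that a PE was packed with UPX.

    Absence of these markers does not prove the file is unpacked: section names
    and the marker can be renamed, so treat a negative result as 'not obviously
    UPX' rather than 'definitely plain'.
    """
    names = pe_section_names(data)
    return {
        "upx_sections": [n for n in names if n in UPX_SECTION_NAMES],
        "upx_marker": b"UPX!" in data,
        "sections": names,
    }


def looks_upx_packed(data: bytes) -> bool:
    ind = upx_indicators(data)
    return bool(ind["upx_sections"]) or ind["upx_marker"]


def build_minimal_pe(section_names) -> bytes:
    """Constructed test image (assumption: not loadable, headers only).

    Enough structure for pe_section_names(): DOS stub with e_lfanew, PE
    signature, COFF header, a zeroed 0xE0-byte optional header, and one
    section header per name.
    """
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt = bytes(0xE0)
    # Machine=i386, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSymbols,
    # SizeOfOptionalHeader, Characteristics (EXECUTABLE_IMAGE | 32BIT_MACHINE)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, len(opt), 0x102)
    sections = b"".join(n.ljust(8, b"\0") + bytes(SECTION_HEADER_SIZE - 8)
                        for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + opt + sections


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            blob = fh.read()
        try:
            print(path, upx_indicators(blob))
        except ValueError as exc:
            print(path, "skipped:", exc)
```

Run it as `python upxcheck.py myscript.exe` on the compiled file; if the output shows `UPX0`/`UPX1` sections or the marker, say so in the false-positive report and consider attaching an uncompressed build alongside the packed one, since that is what the analyst will compare.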


#2 Valik

  • Do You Wanna Date My Avatar?
  • Group: Developers (Dev)
  • Posts: 14,457
  • Joined: 05-December 03
  • Gender: Male
  • Location: Silent Hill

Posted 17 October 2006 - 04:29 PM

Thanks JS, does anybody have anything else to add before I lock this?

#3 Blue_Drache

  • It's like herding cats with an untrained sheep dog.
  • Group: Full Members
  • Posts: 1,989
  • Joined: 19-October 04
  • Location: Skei's Haven, Krynn

Posted 18 October 2006 - 03:29 PM

I would like to propose a workaround.

For those of you who can, downgrading from the newest version to version 3.1.1 does seem to work. Apparently there's something in the new AutoIt3.bin file included in versions after 3.1.1 that's creating a "lookalike" pattern during the compile and UPX compression.

I noticed this during the first round of false positives with Norton's AV client. I'd not recompiled all my programs with the new version, but I did compile a few of the COM aware scripts that I'd written with the 3.1.1 betas. I also did some work on some old scripts, compiling them with the new version. All newly compiled scripts were eventually whacked, but those compiled with 3.1.1 were untouched.

This is the solution that I've decided to run with at this time. Though the new features in 3.2 (COM and whatnot) are absolutely awesome, I don't have any scripts that utilize said features and I don't want to deal with the hassle of 400 users saying "My xyz program doesn't work anymore! Fix it!" because of a false positive.

This post has been edited by Blue_Drache: 18 October 2006 - 03:36 PM


#4 Uten

  • stupid is as stupid does..
  • Group: Full Members
  • Posts: 1,987
  • Joined: 14-September 05
  • Location: Norway

Posted 19 October 2006 - 01:21 PM

Rather than hacking UPX or the runtime engine we should (as JS points out when he provided the contact information) make a request to the antivirus maker to fix their scanner such that it does not detect our files as false positives.

Make sure to send them a copy of the file. If you are the author of the file it would benefit the community if you added instructions on how to decompile it to let them peek at the source.

So in your request:
  • Use a real mail address. They should be able to contact you to get further information.
  • Be polite. It is a business you're dealing with. Negative wording and disrespectful behaviour will not benefit you or us.
  • Only use objective arguments.
  • State clearly if you are the author of the file detected as a false positive.
  • If you can, let them have a peek at the source (instructions on how to decompile).
  • Let them know that you and most of the community are eager to find a solution, and will, as far as our knowledge goes, do whatever we can to do so.


#5 Valik

  • Do You Wanna Date My Avatar?
  • Group: Developers (Dev)
  • Posts: 14,457
  • Joined: 05-December 03
  • Gender: Male
  • Location: Silent Hill

Posted 19 October 2006 - 10:45 PM

Talk to Jon, he's the one who wrote it, named it and mis-informed everybody with the above post.

However, I would argue that it shouldn't take more than 2 seconds to figure this out. If you know enough to want to disable UPX, you should know it's a compressor therefore a quick look at the options will provide only one with "UPX" and "compress" in the name. Maybe it is mis-named and not implemented right, but I don't think it takes a computer science degree to figure out what it's for if you know enough about UPX to want to disable it in the first place.

#6 Jon

  • Do you wanna get punched in the face by my avatar?
  • Group: Admin
  • Posts: 8,381
  • Joined: 02-December 03
  • Gender: Male

Posted 19 December 2006 - 09:45 AM

Valik, on Oct 19 2006, 09:45 PM, said:

Talk to Jon, he's the one who wrote it, named it and mis-informed everybody with the above post.

However, I would argue that it shouldn't take more than 2 seconds to figure this out. If you know enough to want to disable UPX, you should know it's a compressor therefore a quick look at the options will provide only one with "UPX" and "compress" in the name. Maybe it is mis-named and not implemented right, but I don't think it takes a computer science degree to figure out what it's for if you know enough about UPX to want to disable it in the first place.

Only just seen this. So. Oi! :)
