Search the Community

Au3toCmd --- Avoid false virus positives Since many virus scanners sometimes prevent a "compiled autoit EXE" from being executed as "false positive", the "*.A3X" format is a suitable format to avoid this problem. See here for more information. In order to simplify this procedure, I wrote the Au3toCmd script. Here a *.Cmd file is generated from a *.Au3 file. The necessary files Autoit3.exe and *.A3x are added to the "*.Cmd" file as "alternate data streams" "Base64" encoded data. Now the Autoit Script can be called by clicking on the cmd file and the anti-virus scanners do not recognize the "false positive". If the short-term flashing of the CMD window bothers you, you can click the desktop shutcut that runs in a minimized window. Unfortunately, because the "alternate data streams", this CMD file cannot be distributed via FTP or email. Only a USB sti ck or removable disk formatted with NTFS can be used. As the new version now uses Base64 data instead of ADS, this statement is out of date. For reasons of compatibility, the old version was sunk into the spoiler here. The script can be called with a file name of an AU3 script as a parameter. If no name is entered, a query is made. For more information, see the header of the script. Suggestions, improvements and bug reports are welcome. Here the versions using base64 data Version: 2022.05.12 (Support blanks in pathnames) Version: 2022.06.23 (Support release candidates. Changed @CrLf to @Lf. Annual cleaning. Optimized #AutoIt3Wrapper handling) Version: 2022.07.22 (Support scripts with the same name but different content in different directories) Version: 2022.07.27 (Support blanks in usernames) Au3toCmd.au3 Version: 2022.09.01 (Optimized annual cleaning) Au3toCmd.au3

Hi AutoIT masters, Good day! Sorry to have bothered this forum but we really need help. We are working on an automation project that is running on VDI server. The BOTS are in .exe are running fine until AV detected them and deleted the files. The files were re-compiled and AV kept on deleting them. The copy of the .exe BOT deleted were sent to Symantec for whitelisting. After whitelisting, it is no longer deleted but no longer working as designed (showing Line script error). We checked the scripts and there were no issues since we run it using SciTE editor and it performed the desired task. Good thing we found on this thread the solution using .a3x and the BOTS worked fine and no longer deleted. Now, the problem is they are asking why the BOTS won't run in .EXE and what is the reason behind Symantec AV deleting them. We raised a case with Symantec but they cannot provide further information as they are always seeing the file as "False Positive". We even tested with Symantec turned off and those .EXE files are working fine, however, after re-enabling, it got deleted. Just seeking help on how to better convince them that it is really Symantec causing the issue and the .a3x file.

Greetings to all, This may relate in regards to My question: If I have 2 different au3 scripts compiled individually as a standalone executable(s) (compilation settings are the same) OR If I have one au3 script compiled as a standalone executable(s) with different compilation settings. Does an Anti Virus see them as one signature for all? or treated as unique signatures? My reason behind this is that I am trying to plan ahead on how to deal with these false positives. I am a part of a small IT admin team that would like to automate some repeatable tasks using Autoit. Our AV is Sophos if one is curious. Any insights are highly appreciated!, many thanks in advance!

I've recently been getting hammered by Symantec SEP deleting all of my compiled scripts so I'm trying to figure out how I could run my scripts uncompiled. Problem is, these scripts are typically launched from inside Citrix sessions that I don't have control of so I can't install AutoIT in there to get all the #Include files that my scripts are using. I tried to use AU3Stripper and while, yes that did create a single file and I could run it. it put it in a state that I couldn't easily maintain going forward. Is there any existing way to pull all the functions and drop them at the end of the main script? Not sure about the Globals and Constants though, I guess they would have to go to the top which shoves everything else down. I also need to maintain the current script spacing and comments as I often have to update older scripts and need the comments to help with that.

Think this has been discussed before, but is there any way of signing a compiled script with a certificate? Reason I ask is that some AV products keep on producing 'Generic Trojan' false positives on compiled scripts. I'm told that signing with a certificate from a trusted source might reduce this problem.

Howdy, In a bizarre twist of events a client installed McAfee Antivirus Plus (the paid version). I have scripts running there, the simplest is a little HTTP downloader, which opens HTML pages and downloads some files. These scripts have been running for years. The new AV kills the process. The process just "disappears" with no warning. I can not find an "exception" setting. IT on site had to kill it in the Task Manager and restart the PC. All other AV products (even the free ones) have an easily accessible Exception setting. Note that the standard McAfee that typically comes with Acrobat does not do this, yet. Any advice on this please? Other than "get a new AV"? This has been suggested and as they just dished out the cash, not a current option.

Malware Scanner Features: - Can detect over 500 malware's known fake processes. - Very small and easy to use. Note: 1. Some processes can be found as false positives. 2. Terminating a process may cause undesired results such as system's malfunction or shutdown. Please be careful! 3. This program is ONLY for advanced users! 4. Only tested on Windows 7 Home Premium, I need your testing result on other OS and machines! 5. This is only a tool just to check for fake processes by their name. Source Code: ;Malware Scanner ;1.0.0 ;3 Sep 2012 ;8:36 ;logmein ;AutoIT 3.3.8.1 #NoTrayIcon #include <ButtonConstants.au3> #include <EditConstants.au3> #include <GUIConstantsEx.au3> #include <WindowsConstants.au3> #include <Constants.au3> #include <ListViewConstants.au3> #include <GuiListView.au3> Global $TITLE = 'Malware Scanner', $VERSION = '1.0.0' #Region ### START Koda GUI section ### Form=C:Program Files (x86)AutoIt3SciTEKodaFormsForm1.kxf $formMain = GUICreate($TITLE & ' ' & $VERSION, 762, 376, Default, Default) GUISetFont(10, 400, 0, "Arial") $Label1 = GUICtrlCreateLabel("Scan your system for malware's processes:", 8, 8, 257, 20) $btnScan = GUICtrlCreateButton("&Scan", 8, 32, 83, 25) GUICtrlSetFont(-1, 10, 800, 0, "Arial") $btnAbout = GUICtrlCreateButton("&About", 96, 32, 75, 25) $Group1 = GUICtrlCreateGroup("Result", 8, 64, 745, 305, -1, $WS_EX_TRANSPARENT) $tabMain = GUICtrlCreateTab(16, 88, 729, 273) GUICtrlSetFont(-1, 10, 400, 0, "Arial") $tabProcess = GUICtrlCreateTabItem("&Process") $listProcess = GUICtrlCreateListView("Name|PID|Path", 24, 120, 714, 206) $hdlListProcess = GUICtrlGetHandle(-1) GUICtrlSendMsg(-1, $LVM_SETCOLUMNWIDTH, 0, 200) GUICtrlSendMsg(-1, $LVM_SETCOLUMNWIDTH, 1, 100) GUICtrlSendMsg(-1, $LVM_SETCOLUMNWIDTH, 2, 400) GUICtrlSetFont(-1, 10, 400, 0, "Arial") ;$btnKill = GUICtrlCreateButton("&Kill", 584, 328, 75, 25) GUICtrlSetFont(-1, 10, 400, 0, "Arial") $btnKill = GUICtrlCreateButton("&Kill", 664, 328, 75, 25) GUICtrlSetFont(-1, 10, 400, 0, "Arial") GUICtrlCreateTabItem("") GUICtrlCreateGroup("", -99, -99, 1, 1) GUISetState(@SW_SHOW) #EndRegion ### END Koda GUI section ### While 1 $nMsg = GUIGetMsg() Switch $nMsg Case $GUI_EVENT_CLOSE Exit Case $btnScan _Scan() Case $btnKill _EndProcess () Case $btnAbout MsgBox (64,'About',StringUpper($TITLE) & @CRLF & 'Version: ' & $VERSION & @CRLF & 'Author: logmein (AutoITScript.com)' & @crLf & 'Special Thanks to: PsaltyDS' & @CRLF &@CRLF &'To report any suspicious process or false positives, please contact me at: minhthanh.autoit@gmail.com. I appreciate your help!','',$formMain) EndSwitch WEnd Func _scan () _GUICtrlListView_DeleteAllItems ($hdlListProcess) If Not FileExists ('database.3db') Then MsgBox (32,$TITLE,'Database not found!','',$formMain) Return EndIf ProgressOn ($TITLE,'Scanning for suspicious processes...','',Default,Default,18) $processlist = _ProcessListProperties() $read = FileRead ('database.3db') $split = StringSplit ($read,@CRLF) If $processlist[0][0] <> 0 Then For $i = 1 To $processlist[0][0] ProgressSet (Int($i*100/$processlist[0][0]),$processlist[$i][0]) For $u =1 To $split[0] if $processlist[$i][0] = $split[$u] Then $index = _GUICtrlListView_AddItem($hdlListProcess, $processlist[$i][0]);name _GUICtrlListView_AddSubItem($hdlListProcess, $index, $processlist[$i][1], 1);pid _GUICtrlListView_AddSubItem($hdlListProcess, $index, $processlist[$i][5], 2);path EndIf Next Next ProgressOff () Else MsgBox(32, $TITLE, 'Can''t build process list!') EndIf EndFunc Func _EndProcess() $select = _GUICtrlListView_GetSelectedIndices($hdlListProcess, 'True');Retrieve indices of selected item (position) If $select[0] <> 0 Then $Msg = MsgBox(16 + 4, $TITLE, 'Are you sure to end this process? Ending a process will cause undesired result!', '', $formMain) If $Msg = 6 Then $GetItem = _GUICtrlListView_GetItem($hdlListProcess, $select[1], 1);retrieve process ID to be closed MsgBox (64,$GetItem[3],'') ProcessClose($GetItem[3]) If Not @error Then _GUICtrlListView_DeleteItem($hdlListProcess, $select[1]) MsgBox(64, $TITLE, 'Process ended!', '', $formMain) ;_log($GetItem[3], 5) Else MsgBox(16, $TITLE, 'Can not end this process!', '', $formMain) EndIf EndIf EndIf EndFunc ;==>_EndProcess ;=============================================================================== ; Function Name: _ProcessListProperties() ; Description: Get various properties of a process, or all processes ; Call With: _ProcessListProperties( [$Process [, $sComputer]] ) ; Parameter(s): (optional) $Process - PID or name of a process, default is "" (all) ; (optional) $sComputer - remote computer to Get list from, default is local ; Requirement(s): AutoIt v3.2.4.9+ ; Return Value(s): On Success - Returns a 2D array of processes, as in ProcessList() ; with additional columns added: ; [0][0] - Number of processes listed (can be 0 If no matches found) ; [1][0] - 1st process name ; [1][1] - 1st process PID ; [1][2] - 1st process Parent PID ; [1][3] - 1st process owner ; [1][4] - 1st process priority (0 = low, 31 = high) ; [1][5] - 1st process executable path ; [1][6] - 1st process CPU usage ; [1][7] - 1st process memory usage ; [1][8] - 1st process creation date/time = "MM/DD/YYY hh:mm:ss" (hh = 00 to 23) ; [1][9] - 1st process command line string ; ... ; [n][0] thru [n][9] - last process properties ; On Failure: Returns array with [0][0] = 0 and sets @Error to non-zero (see code below) ; Author(s): PsaltyDS at http://www.autoitscript.com/forum ; Date/Version: 12/01/2009 -- v2.0.4 ; Notes: If an integer PID or string process name is provided and no match is found, ; Then [0][0] = 0 and @error = 0 (not treated as an error, same as ProcessList) ; This function requires admin permissions to the target computer. ; All properties come from the Win32_Process class in WMI. ; To Get time-base properties (CPU and Memory usage), a 100ms SWbemRefresher is used. ;=============================================================================== Func _ProcessListProperties($Process = "", $sComputer = ".") Local $sUserName, $sMsg, $sUserDomain, $avProcs, $dtmDate Local $avProcs[1][2] = [[0, ""]], $n = 1 ; Convert PID If passed as string If StringIsInt($Process) Then $Process = Int($Process) ; Connect to WMI and Get process objects $oWMI = ObjGet("winmgmts:{impersonationLevel=impersonate,authenticationLevel=pktPrivacy, (Debug)}!" & $sComputer & "rootcimv2") If IsObj($oWMI) Then ; Get collection processes from Win32_Process If $Process == "" Then ; Get all $colProcs = $oWMI.ExecQuery("select * from win32_Process") ElseIf IsInt($Process) Then ; Get by PID $colProcs = $oWMI.ExecQuery("select * from win32_Process where ProcessId = " & $Process) Else ; Get by Name $colProcs = $oWMI.ExecQuery("select * from win32_Process where Name = '" & $Process & "'") EndIf If IsObj($colProcs) Then ; Return for no matches If $colProcs.count = 0 Then Return $avProcs ; Size the array ReDim $avProcs[$colProcs.count + 1][10] $avProcs[0][0] = UBound($avProcs) - 1 ; For each process... For $oProc In $colProcs ; [n][0] = process name $avProcs[$n][0] = $oProc.name ; [n][1] = process PID $avProcs[$n][1] = $oProc.ProcessId ; [n][2] = Parent PID $avProcs[$n][2] = $oProc.ParentProcessId ; [n][3] = owner ;If $oProc.GetOwner($sUserName, $sUserDomain) = 0 Then $avProcs[$n][3] = $sUserDomain & "" & $sUserName ; [n][4] = Priority $avProcs[$n][4] = $oProc.Priority ; [n][5] = Executable path $avProcs[$n][5] = $oProc.ExecutablePath ; [n][8] = Creation date/time $dtmDate = $oProc.CreationDate If $dtmDate <> "" Then ; Back referencing RegExp pattern from weaponx Local $sRegExpPatt = "A(d{4})(d{2})(d{2})(d{2})(d{2})(d{2})(?:.*)" $dtmDate = StringRegExpReplace($dtmDate, $sRegExpPatt, "$2/$3/$1 $4:$5:$6") EndIf $avProcs[$n][8] = $dtmDate ; [n][9] = Command line string $avProcs[$n][9] = $oProc.CommandLine ; increment index $n += 1 Next Else SetError(2); Error getting process collection from WMI EndIf ; release the collection object $colProcs = 0 ; Get collection of all processes from Win32_PerfFormattedData_PerfProc_Process ; Have to use an SWbemRefresher to pull the collection, or all Perf data will be zeros Local $oRefresher = ObjCreate("WbemScripting.SWbemRefresher") $colProcs = $oRefresher.AddEnum($oWMI, "Win32_PerfFormattedData_PerfProc_Process").objectSet $oRefresher.Refresh ; Time delay before calling refresher Local $iTime = TimerInit() Do Sleep(20) Until TimerDiff($iTime) >= 100 $oRefresher.Refresh ; Get PerfProc data For $oProc In $colProcs ; Find it in the array For $n = 1 To $avProcs[0][0] If $avProcs[$n][1] = $oProc.IDProcess Then ; [n][6] = CPU usage $avProcs[$n][6] = $oProc.PercentProcessorTime ; [n][7] = memory usage $avProcs[$n][7] = $oProc.WorkingSet ExitLoop EndIf Next Next Else SetError(1); Error connecting to WMI EndIf ; Return array Return $avProcs EndFunc ;==>_ProcessListProperties And the most important part: Database, see attached file. Download, extract and put it into your @ScriptDir. Thanks PsaltyDS for your useful script:) database.zip