FalconFour

Malwarebytes actively believes AutoIt is malware

13 posts in this topic

I wanted to drop by and point out some goings-on with what is, in my opinion as a PC repair tech, the #1 malware removal solution, Malwarebytes' Anti-Malware, versus false detections of compiled AutoIt scripts. As of the definitions around the beginning of this month, Malwarebytes is now flagging nearly all compiled AutoIt EXEs as "BackDoor.Bifrost".

The worst part about it is, they refuse to change their stance about detecting AutoIt executables as malware/PUPs. I haven't yet gotten a reply to my request for "reconsidering" this decision. It's a pretty bad deal, considering AutoIt is no different from any of the hundreds of other programming languages out there (BTW, congrats on that, AutoIt team! Excellent work on that).

I wanted to bring this to the AutoIt community's attention, see what you all think of it. I'm just one person and it seems like I'm the only person that has a problem with AutoIt being blanketed with the "malware" definition. Maybe the AutoIt team can help the Malwarebytes team with the detection of malware written with AutoIt... instead of just calling it all malware!

How many thousands of times do we have to answer these? Report it as a false positive to MalwareBytes and READ THIS


George


#3 ·  Posted (edited)

How many thousands of times do we have to answer these? Report it as a false positive to MalwareBytes and READ THIS

Maybe if you'd read the topic instead of skimming, you'd not only see that it was already reported, but that Malwarebytes refuses to change their stance on it. Not only that, but I did read that, and Malwarebytes is nowhere to be found in that staggering list of useless AV programs. So it can generally be assumed - also by the fact that Google has next to no information relating to "malwarebytes autoit" - that the current issue, which ONLY STARTED LESS THAN A MONTH AGO, is still undocumented. Also, I'm not reporting that "omg my script is infected?!?!?!?", I'm reporting that a commonly used AV program is false-detecting scripts, and something needs to be done to support AutoIt on the MBAM forums.

Slow down, calm down, breathe a bit, then... maybe... go back and read OP?

Edited by FalconFour

#4 ·  Posted (edited)

Tell them to contact Jon about flagging the compiled scripts properly. He can give them the necessary information. And then tell them they're being stupid and they're retarded developers that don't know what they're doing. Also tell them if they block AutoIt they might as well go and block everything else too... Because that's how stupid their stance is.

EDIT: Actually I'm just going to rip into them.

Edited by BrettF

hahahaha

'Malwarebytes'... I thought it was malware.

Pfff... don't use Malwarebytes anymore, problem solved.


Best regards, Emiel Wieldraaijer

hahahaha

'Malwarebytes'... I thought it was malware.

Pfff... don't use Malwarebytes anymore, problem solved.

The problem is for developers who release their software to the public. I have several programs on softpedia and if they download it and see it as malware it might scare them off.


hahahaha

'Malwarebytes'... I thought it was malware.

Pfff... don't use Malwarebytes anymore, problem solved.

MBAM is actually the best software we've used. There are others, sure, but MBAM is very clean, efficient, and gets the job 100% done, at least 95% of the time. If MBAM runs, the system comes out the other side clean. So we use MBAM. It just gets to be a pain in the rear when MBAM keeps flagging my notification program - an AutoIt program that beeps the PC speaker when the scan completes - as malware itself.

@BrettF: Thanks! Glad to see I'm not the only one :D

#9 ·  Posted (edited)

whatever

Edited by MvGulik

If you compile the script with the default AutoIt icon it flags it as BackDoor.Bifrost. If you compile it with any other icon it's clean.

From what that conversation said, it looks like they just flag the AutoIt icon. Gee, what a foolproof method of malware detection, wow. I am humbled by their superior intelligence and discernment. I wish to someday become as wise and powerful in the ways of anti malware.

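The post above says the detection keys on the default AutoIt icon resource. The following is an added example, not code from this thread, from AutoIt or from Malwarebytes, and it assumes nothing about the actual Malwarebytes signature: a pure-Python walk of a PE file's resource directory that hashes every RT_ICON payload, which is exactly the feature an icon-based signature would compare. Run it on your compiled script before and after swapping the icon in the compiler options; if the icon hash is the only thing that changes and the detection flips, the detection is keyed on the icon, not on the code. The `build_test_pe` helper and the `ICON_A`/`ICON_B` payloads are constructed test fixtures, not real icons or real executables.

```python
import hashlib
import struct
import sys

RT_ICON = 3  # resource type id for individual icon images (RT_GROUP_ICON is 14)

# Constructed fake icon payloads for the offline demo; real RT_ICON data is a
# BITMAPINFOHEADER plus pixel data, but only the bytes' identity matters here.
ICON_A = b"\x28\x00\x00\x00" + bytes(range(64))
ICON_B = b"\x28\x00\x00\x00" + bytes(range(64, 128))


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_test_pe(icon_bytes: bytes) -> bytes:
    """Build a minimal PE32 image whose only resource is one RT_ICON.
    Constructed fixture so the parser can be exercised without a real EXE."""
    rsrc_va, rsrc_raw = 0x1000, 0x200

    def dir_hdr(n_id):                      # IMAGE_RESOURCE_DIRECTORY, 16 bytes
        return struct.pack("<IIHHHH", 0, 0, 0, 0, 0, n_id)

    def entry(id_, off):                    # IMAGE_RESOURCE_DIRECTORY_ENTRY, 8 bytes
        return struct.pack("<II", id_, off)

    # Tree: root@0x00 -> type RT_ICON@0x18 -> name 1@0x30 -> lang 0x409 -> data@0x48
    rsrc = dir_hdr(1) + entry(RT_ICON, 0x80000000 | 0x18)
    rsrc += dir_hdr(1) + entry(1, 0x80000000 | 0x30)
    rsrc += dir_hdr(1) + entry(0x409, 0x48)
    rsrc += struct.pack("<IIII", rsrc_va + 0x58, len(icon_bytes), 0, 0)
    rsrc += icon_bytes

    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    opt_size = 96 + 16 * 8                                        # PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)
    data_dirs = [(0, 0)] * 16
    data_dirs[2] = (rsrc_va, len(rsrc))                           # resource directory
    opt += b"".join(struct.pack("<II", *d) for d in data_dirs)
    sec = struct.pack("<8sIIIIIIHHI", b".rsrc", len(rsrc), rsrc_va, len(rsrc),
                      rsrc_raw, 0, 0, 0, 0, 0x40000040)
    return (dos + b"PE\0\0" + coff + opt + sec).ljust(rsrc_raw, b"\0") + rsrc


def _rva_to_off(sections, rva):
    for va, vsize, raw, rsize in sections:
        if va <= rva < va + max(vsize, rsize):
            return rva - va + raw
    raise ValueError(f"RVA {rva:#x} not inside any section")


def icon_hashes(pe: bytes) -> list:
    """Return the SHA-256 of every RT_ICON resource payload in a PE image."""
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, = struct.unpack_from("<H", pe, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)
    opt = e_lfanew + 24
    magic, = struct.unpack_from("<H", pe, opt)
    dd_off = opt + (96 if magic == 0x10B else 112)                # PE32 vs PE32+
    rsrc_rva, _ = struct.unpack_from("<II", pe, dd_off + 2 * 8)   # directory index 2
    if rsrc_rva == 0:
        return []
    sections = []
    for i in range(nsec):
        _, vsize, va, rsize, raw = struct.unpack_from("<8sIIII", pe, opt + opt_size + 40 * i)
        sections.append((va, vsize, raw, rsize))
    base = _rva_to_off(sections, rsrc_rva)

    def entries(dir_off):
        n_named, n_id = struct.unpack_from("<HH", pe, base + dir_off + 12)
        for i in range(n_named + n_id):
            yield struct.unpack_from("<II", pe, base + dir_off + 16 + 8 * i)

    hashes = []
    for type_id, type_off in entries(0):
        if type_id != RT_ICON or not type_off & 0x80000000:
            continue
        for _, name_off in entries(type_off & 0x7FFFFFFF):
            for _, lang_off in entries(name_off & 0x7FFFFFFF):
                data_rva, size = struct.unpack_from("<II", pe, base + (lang_off & 0x7FFFFFFF))
                off = _rva_to_off(sections, data_rva)
                hashes.append(sha256_hex(pe[off:off + size]))
    return hashes


def same_icon(pe_a: bytes, pe_b: bytes) -> bool:
    """True when the two images share at least one byte-identical RT_ICON."""
    return bool(set(icon_hashes(pe_a)) & set(icon_hashes(pe_b)))


if __name__ == "__main__":
    paths = sys.argv[1:]
    images = [(p, open(p, "rb").read()) for p in paths] or \
             [("fixture_A", build_test_pe(ICON_A)), ("fixture_B", build_test_pe(ICON_B))]
    for name, data in images:
        for h in icon_hashes(data):
            print(f"{name}  RT_ICON sha256={h}")
```

Usage: `python icon_hashes.py before.exe after.exe` prints one line per embedded icon image; with no arguments it runs on the two constructed fixtures. A signature built on this value is trivially evaded by changing the icon and trivially tripped by any benign program that ships the same icon, which is the failure mode this thread describes.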
They seem to have listened somehow and are hopefully relaxing or waiving the FP flagging.

Flagging a static icon for BackDoor.Bifrost is what I'd call a schizophrenic overlook: much over, not much look.

That speaks for itself about the seriousness of their product.


Yea, we did it! Thanks to BrettF for the much-needed push we needed to get the topic the needed attention. Looks like it's getting removed from the detections until they figure out how to (properly) detect malware in AutoIt scripts :D
