polps

AutoIT is detected as a Virus

19 posts in this topic

Hello,

I already know the problem regarding the UPX packer as explained in this topic.

I work in a very big company; I can compile and run AutoIT exe on my PC without problem.

The trouble comes when I try to share my script with other colleagues through email, because of McAfee Security for Email Servers (McAfee GroupShield for Lotus Domino).

McAfee GroupShield for Lotus Domino discovered a problem with the following message:

Date/Time sent: 02 dic 2010 17:59:37

Subject:

From: ....

To: ....

Action taken: Deleted Message

Reason: Packer

File Name: prova.exe

Virus: AutoIT 3.2.6.x+

I tried to compile the exe without UPX and obfuscator but no result.

At present, as a workaround, I'm zipping the file using WinZip's encryption (this way I am forced to set and communicate a password!).

Is there some other method to get around this problem that avoids using a password?
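The gateway report above gives "Packer" as the reason, and the post says the exe was rebuilt without UPX. Before filing a false-positive report it helps to confirm that the build really is unpacked. The Python script below is an added example, not code from this thread or from the AutoIt project: it walks a PE file's section table and flags the UPX0/UPX1/UPX2 section names that UPX writes into the files it packs. The two sample headers it scans are constructed inline (they are not runnable programs); `SAMPLE_PACKED`, `SAMPLE_UNPACKED`, `build_sample_pe` and the other names are mine.

```python
import struct
import sys

# Section names that UPX writes into the files it packs (UPX0/UPX1 always,
# UPX2 on some builds). Section names are at most 8 bytes, NUL padded.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def pe_section_names(data: bytes) -> list:
    """Return the section names of a PE image held in memory.

    Walks MZ header -> e_lfanew -> "PE\\0\\0" -> COFF header -> section table.
    Raises ValueError if the headers are malformed or truncated.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4                       # 20-byte COFF file header
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_header_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_header_size       # section table follows the optional header
    names = []
    for i in range(num_sections):
        entry = table + i * 40                # IMAGE_SECTION_HEADER is 40 bytes
        raw = data[entry:entry + 8]
        if len(raw) < 8:
            raise ValueError("section table truncated")
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    """True if any section carries a UPX name. Absence is not proof that a
    file is unpacked: a packer can rename its sections, so treat this as
    one signal among several."""
    return any(name.encode("ascii", "replace") in UPX_SECTION_NAMES
               for name in pe_section_names(data))


def build_sample_pe(section_names) -> bytes:
    """Constructed minimal PE header for the demo (not a runnable program):
    DOS header, PE signature, COFF header with SizeOfOptionalHeader = 0,
    and one 40-byte section header per name."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff_header = struct.pack("<HHIIIHH",
                              0x014C,              # Machine: i386
                              len(section_names),  # NumberOfSections
                              0, 0, 0,             # timestamp, symtab ptr, nsyms
                              0,                   # SizeOfOptionalHeader
                              0x0102)              # EXECUTABLE_IMAGE | 32BIT_MACHINE
    sections = b"".join(name.ljust(8, b"\0") + b"\0" * 32 for name in section_names)
    return dos_header + b"PE\0\0" + coff_header + sections


# Constructed samples: a typical compiler layout and a UPX-style layout.
SAMPLE_UNPACKED = build_sample_pe([b".text", b".rdata", b".data", b".rsrc"])
SAMPLE_PACKED = build_sample_pe([b"UPX0", b"UPX1", b".rsrc"])


def main(argv):
    """Scan the file given on the command line, or the constructed sample."""
    if len(argv) > 1:
        with open(argv[1], "rb") as fh:
            data = fh.read()
        label = argv[1]
    else:
        data, label = SAMPLE_PACKED, "constructed UPX-style sample"
    names = pe_section_names(data)
    print(f"{label}: sections {names}; UPX-packed: {looks_upx_packed(data)}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python check_upx.py prova.exe` on the compiled file. If the section list shows the normal `.text`/`.rdata`/`.data`/`.rsrc` layout and no UPX names, the "Packer" verdict is not explained by UPX and the false-positive report to the vendor is the right next step; a detection named after the AutoIt runtime version, as in the report above, most likely means the signature matched the interpreter stub that every compiled script shares rather than anything in the script itself, which is why rebuilding without UPX did not change the outcome.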




The problem is that McAfee (I can't believe anyone uses that in an enterprise, or anywhere else for that matter) is flagging it as a false positive. If there's any way to submit a report to THEM that their scanner is misidentifying the program, then I would go that route.


If I posted any code, assume that code was written using the latest release version unless stated otherwise. Also, if it doesn't work on XP I can't help with that because I don't have access to XP, and I'm not going to.
Give a programmer the correct code and he can do his work for a day. Teach a programmer to debug and he can do his work for a lifetime - by Chirag Gude
How to ask questions the smart way!

I hereby grant any person the right to use any code I post, that I am the original author of, on the autoitscript.com forums, unless I've specifically stated otherwise in the code or the thread post. If you do use my code all I ask, as a courtesy, is to make note of where you got it from.

Back up and restore Windows user files _Array.au3 - Modified array functions that include support for 2D arrays.  -  ColorChooser - An add-on for SciTE that pops up a color dialog so you can select and paste a color code into a script.  -  Customizable Splashscreen GUI w/Progress Bar - Create a custom "splash screen" GUI with a progress bar and custom label.  -  _FileGetProperty - Retrieve the properties of a file  -  SciTE Toolbar - A toolbar demo for use with the SciTE editor  -  GUIRegisterMsg demo - Demo script to show how to use the Windows messages to interact with controls and your GUI.  -   Latin Square password generator


Get them to add AutoIt to their PCs, then email the .au3 file.

If McAfee still rejects it, rename to .txt and the recipient renames it back to .au3.

William


The problem is that McAfee (I can't believe anyone uses that in an enterprise, or anywhere else for that matter) is flagging it as a false positive. If there's any way to submit a report to THEM that their scanner is misidentifying the program, then I would go that route.

Yes there is (found with one google):

False submissions should be sent via email to virus_research@avertlabs.com(mailto:virus_research@avertlabs.com) in a password protected zip (password needs to be the word 'infected' - without the quotes) - the subject line of the email should contain the word FALSE please.

Regards,

Dinesh K

McAfee Online Community Moderator


Roses are FF0000, violets are 0000FF... All my base are belong to you.


Yes there is (found with one google):

Manadar and I set up "AutoAv", which automatically checked a one-line script against an online scanner, then emailed the false reports to the relevant AV company. We had it going for a few weeks. The topic is around in Chat.

James


#8 · Posted (edited)

Once again the antivirus folks take the simple way out and flag anything built in AutoIt as bad. Stupid f@!kers.

Wait a minute... This is way too harsh for my taste and doesn't do justice at all to the real situation. (For the Dutchies here: this shoots me fftjes completely in the wrong throathole :()

I worked for an antivirus company for years... Algorithmically creating heuristics for AV detection is simply the only way these days that they can cope with all those self-morphing viruses, redownloading worms, all kinds of sh!t. The amount of malware is increasing at such an astronomical rate that if any and all new infections had to be dealt with with enough care to avoid false positives completely, antivirus protection would be a) WAAAAAY too slow, and b) WAAAAY too expensive. In effect we would have no virus protection at all.

So yeah, if a file looks 98% like a virus, it's a VERY safe bet to kill it off (if it walks like a duck and talks like a duck...) and there are normally many many many more people helped than hindered... Remember that the number of AV customers that encounter virus attacks is way, way higher than the number of AV customers encountering a false positive. Of course, very idiotic errors in False Positive avoidance, like having a common Windows Vista system file killed because of an FP detection, should be banned... But that is very rare, luckily.

That all being said, please know that AV companies invest a shitload of money and effort in big clustered systems with millions of common files that every virus definition is tested against, day in day out, to avoid FP's. Of course, it's not about choosing the easy way out; it's not like they don't care about FP's. Every FP hurts the company's image and their AV performance bigtime. BUT on the other hand, every second of delay in releasing AV definitions for a new virus also hurts their image and hurts the effectiveness of their protection even more! It's a very difficult balance and a thin line between racing against the clock to release AV definitions in time to protect their paying customers, and on the other hand making sure that everything is perfect enough not to harm all those thousands and thousands of different PC configurations of ALL their customers.

Please realize that many normal software companies can take months or even years to finalize a simple bugfix update, while these guys only have hours (at most!) to release perfect antivirus definitions even if it's a type of virus no-one has ever thought of.

Sorry but this kind of crude nonsense about the companies that try and keep viruses AWAY from us, really is not an example of great understanding. Bash the virus makers that try to make money over unsuspecting users' backs! Not the people that try to protect everyone from them.

Thanks for the attention.

P.S. Don't give arguments like "if users were smarter there would be no viruses" / "I don't have an AV and I never had a virus" / "Why doesn't everyone just go to Linux" because hey, the fact is that the average computer user just does not fit that profile. It's just the way it is now: Windows is BIG, so Windows is vulnerable. Why is it so big? Because M$ does all it can to make users think that they make the easiest AND best operating system to work with. Well, "easiest" is probably right in terms of learning curve, but "best", let's not go there. Hey... Their marketing is just better than Torvalds' :D ... And why is it vulnerable? Because it is big, and because M$ focuses on accessibility instead of security, which is often a direct trade-off.

Edited by SadBunny



Wait a minute... This is way too harsh for my taste and doesn't do justice at all to the real situation. (For the Dutchies here: this shoots me fftjes completely in the wrong throathole :()

I worked for an antivirus company for years... Algorithmically creating heuristics for AV detection is simply the only way these days that they can cope with all those self-morphing viruses, redownloading worms, all kinds of sh!t. The amount of malware is increasing at such an astronomical rate that if any and all new infections had to be dealt with with enough care to avoid false positives completely, antivirus protection would be a) WAAAAAY too slow, and b) WAAAAY too expensive. In effect we would have no virus protection at all.

So yeah, if a file looks 98% like a virus, it's a VERY safe bet to kill it off (if it walks like a duck and talks like a duck...) and there are normally many many many more people helped than hindered... Remember that the number of AV customers that encounter virus attacks is way, way higher than the number of AV customers encountering a false positive. Of course, very idiotic errors in False Positive avoidance, like having a common Windows Vista system file killed because of an FP detection, should be banned... But that is very rare, luckily.

That all being said, please know that AV companies invest a shitload of money and effort in big clustered systems with millions of common files that every virus definition is tested against, day in day out, to avoid FP's. Of course, it's not about choosing the easy way out; it's not like they don't care about FP's. Every FP hurts the company's image and their AV performance bigtime. BUT on the other hand, every second of delay in releasing AV definitions for a new virus also hurts their image and hurts the effectiveness of their protection even more! It's a very difficult balance and a thin line between racing against the clock to release AV definitions in time to protect their paying customers, and on the other hand making sure that everything is perfect enough not to harm all those thousands and thousands of different PC configurations of ALL their customers.

Please realize that many normal software companies can take months or even years to finalize a simple bugfix update, while these guys only have hours (at most!) to release perfect antivirus definitions even if it's a type of virus no-one has ever thought of.

Sorry but this kind of crude nonsense about the companies that try and keep viruses AWAY from us, really is not an example of great understanding. Bash the virus makers that try to make money over unsuspecting users' backs! Not the people that try to protect everyone from them.

Thanks for the attention.

P.S. Don't give arguments like "if users were smarter there would be no viruses" / "I don't have an AV and I never had a virus" / "Why doesn't everyone just go to Linux" because hey, the fact is that the average computer user just does not fit that profile. It's just the way it is now: Windows is BIG, so Windows is vulnerable. Why is it so big? Because M$ does all it can to make users think that they make the easiest AND best operating system to work with. Well, "easiest" is probably right in terms of learning curve, but "best", let's not go there. Hey... Their marketing is just better than Torvalds' :D ... And why is it vulnerable? Because it is big, and because M$ focuses on accessibility instead of security, which is often a direct trade-off.

Nothing you say excuses the appalling record of McAfee with false positives for AutoIt. After a few years of frequent misery using their AV (update 1 gives false positives - oops sorry, it will be fixed in the next update. Update 2 ok. Update 3 gives false positives - oops sorry ..... I really believe they are stupid.) I threw it out of every PC and I now age at the normal rate instead of twice.


Serial port communications UDF - Includes functions for binary transmission and reception.  -  Printing UDF - Useful for graphs, forms, labels, reports etc.  -  Add User Call Tips to SciTE for functions in UDFs not included with AutoIt and for your own scripts.  -  Functions with parameters in OnEvent mode and for Hot Keys - One function replaces GuiSetOnEvent, GuiCtrlSetOnEvent and HotKeySet.  -  UDF IsConnected2 for notification of the connected state of many URLs or IPs, without slowing the script.


#10 · Posted (edited)

Nothing you say excuses the appalling record of McAfee with false positives for AutoIt. After a few years of frequent misery using their AV (update 1 gives false positives - oops sorry, it will be fixed in the next update. Update 2 ok. Update 3 gives false positives - oops sorry ..... I really believe they are stupid.) I threw it out of every PC and I now age at the normal rate instead of twice.

Yeah, true B) I'm happy I didn't work for McAfee; we use it where I work now and it's a bitch to use in a big network, it's slow and cumbersome (and let's not forget overfeatured) and they focus too much on speed of release and not on quality. I am not excusing a stupid FP avoidance regime; if they encounter an FP multiple times they should change their algorithms to define their AutoIt-related virus definitions more clearly. Many AV companies that actually try to be thrustworthy instead of just trying to be as big-ass as possible like McAfee actually have algorithms to steer their FP avoidance in order to minimize recurring FP's - McAfee is certainly not the best one around in that respect :(

Still I think it's unwarranted to call them stupid easy-way-out-choosing fuckers... Maybe I ranted on too heavily though :D

Edited by SadBunny



AV companies that actually try to be thrustworthy...

Do we even want to know what it means for an AV company to be "thrustworthy"?

B)


Valuater's AutoIt 1-2-3, Class... Is now in Session!  -  For those who want somebody to write the script for them: RentACoder  -  "Any technology distinguishable from magic is insufficiently advanced." -- Geek's corollary to Clarke's law


#12 · Posted (edited)

Do we even want to know what it means for an AV company to be "thrustworthy"?

B)

Lol, sorry, I'm gonna bring up the not-a-native-speaker excuse :( Really laughing my ass off here, this is actually pretty Freudian! :D

Whahaha, also notice that I used "big-ass" in the same sentence! :D

Edited by SadBunny



Ok, thanks to all.

False submissions should be sent via email to virus_research@avertlabs.com(mailto:virus_research@avertlabs.com) in a password protected zip (password needs to be the word 'infected' - without the quotes) - the subject line of the email should contain the word FALSE please.

I will try to send the script to McAfee.

If McAfee still rejects it, rename to .txt and the recipient renames it back to .au3.

And I will try this also.


#14 · Posted (edited)

[RANTASTIC]

At the end of the day it is a self-sustaining industry (that sucks anal eggs). Malware writers (not skids but genuine authors) are out to make money (it is very big business); antivirus solution companies are also in it to make money, nothing more. If for some reason malware authors suddenly stopped writing malicious code then the antivirus companies would simply employ people to write more.

If you have worked for an AV company and defend them then you are simply a corporate drone, and obviously not one of the ones sitting in the boardroom. I bet you a pot of (someone else's) gold that the key topic around said table was not "How can we prevent malware" or "How can we develop a solution to actually protect people against malware"; it was "How can we make the most amount of money in the least amount of time and effort while at the same time continuing to fool the masses that we actually know what we are doing and give a damn for their safety".

Do AV solutions actually reverse engineer a target on the fly to detect if it is in fact malicious? Hell no, as someone else mentioned, said process would take too long (and humans so don't like to wait), but if they are not actually doing this very thing then they are doing NOTHING at all.

Okay, but there are free AV solutions out there, true enough, but said companies do a free AND a retail version of their software. What happens if you get infected with the free version? Well sir or madame, if you had PAID for the retail version then you would have been a great deal safer....

Okay okay (you're idealistic), so you work for a company that really cares about a human rather than the color of money, and are one of the drones employed to sit at your terminal and reverse engineer a target and develop signatures for the company to combat a piece of malware? What the hell is a signature anyway but a static value based on one or more static data sequences that exist in a target that you found either through static analysis or in a region of memory? By the time all this static has made the hairs on your arms stand to attention, that target has already been reassembled in a fractionally different manner to combat your signatures by someone being paid a great deal more than you are for your time.

What has all this got to do with this thread? Not a damn thing...

What can you or your company do to protect it/your self? Not a damn thing, but.....

Resistance is futile but not pointless, buying into a lie is just plain expensive and pointless.

[/RANTASTIC]

Edited by Mobius


This is one of the reasons I removed Comodo Internet Security and reverted back to ZoneAlarm.


This is one of the reasons I removed Comodo Internet Security and reverted back to ZoneAlarm.

Odd, I never had that many false positives from CIS. I never had an AutoIt program/script get flagged by it. But then I have also switched to another AV because I am testing it, the Microsoft Security Essentials on one of my computers.



This subject has been getting beaten to death for years now and there was no need to open a new topic to prolong the agony. You get false positives on occasion so you can either report it to the AV company or live with it but we don't need to be rehashing it. That's why there is a sticky to begin with.


George

Question about decompiling code? Read the decompiling FAQ and don't bother posting the question in the forums.

Be sure to read and follow the forum rules. - AKA the AutoIt Reading and Comprehension Skills test.

The PCRE (Regular Expression) ToolKit for AutoIT - (Updated Oct 20, 2011 ver:3.0.1.13) - Please update your current version before filing any bug reports. The installer now includes both 32 and 64 bit versions. No change in version number.

Visit my Blog .. currently not active but it will soon be resplendent with news and views. Also please remove any links you may have to my website. it is soon to be closed and replaced with something else.

"Old age and treachery will always overcome youth and skill!"


Bullguard, or any AV that uses the BitDefender engine, doesn't see AU3 scripts, nor the installer as a virus. If you do some odd malicious code, then yes, it will be detected as a virus, but not the normal scripts.

Besides the one-time 'see every component of Windows and every running process as Win32/FakeTrojan.5 (or something, don't remember the exact name lol)', it's been perfect.

