AutoIT is detected as a Virus

[polps]

Hello,

I already know the problem regarding the UPX packer as explained in this topic.

I work in a very big company; I can compile and run AutoIT exe on my PC without problem.

The trouble is getting when I try to share my script with other colleagues trough email because the McAfee Security for Email Servers (McAfee GroupShield for Lotus Domino).

McAfee GroupShield for Lotus Domino discovered a problem with the following message :

Date/Time sent: 02 dic 2010 17:59:37

Subject:

From: ....

To: ....

Action taken: Deleted Message

Reason: Packer

File Name: prova.exe

Virus: AutoIT 3.2.6.x+

I tried to compile the exe without UPX and obfuscator but no result.

At the present, as a workaround, I'm zipping the file using the encryption method by WinZip (in this way I am forced to set and communicate a password!).

Are there some other method to bypass this problem avoiding the using of a password?

[BrewManNH]

The problem is that McAfee (I can't believe anyone uses that in an enterprise, or anywhere else for that matter) is flagging it as a false positive. If there's any way to submit a report to THEM that their scanner is misidentifying the program, then I would go that route.

[PsaltyDS]

Note the sticky for reference:

[saywell]

Get them to add autoit to their PCs, then email the .au3 file.

If McAffee still rejects it, rename to .txt and recipient renames it back to .au3.

William

[SadBunny]

The problem is that McAfee (I can't believe anyone uses that in an enterprise, or anywhere else for that matter) is flagging it as a false positive. If there's any way to submit a report to THEM that their scanner is misidentifying the program, then I would go that route.

Yes there is (found with one google):

False submissions should be sent via email to virus_research@avertlabs.com(mailto:virus_research@avertlabs.com) in a password protected zip (password needs to be the word 'infected' - without the quotes) - the subject line of the email should contain the word FALSE please.

Regards,

Dinesh K

McAfee Online Community Moderator

[Bert]

Once again the antivirus folks take the simple way out and flag anything built in AutoIt as bad. Stupid f@!kers.

[James]

Yes there is (found with one google):

Myself and Manadar setup "AutoAv" which automatically checked a one line script against an online scanner, then emailed the false reports to the relative AV company. We had it going for a few weeks. The topic is around in Chat.

James

[SadBunny]

Once again the antivirus folks take the simple way out and flag anything built in AutoIt as bad. Stupid f@!kers.

Wait a minute... This is way too harsh for my taste and doesn't do justice at all to the real situation. (For the Dutchies here: this shoots me fftjes completely in the wrong throathole )

I worked for an antivirus company for years... Algorithmically creating heuristics for AV detection is simply the only way these days that they can cope with all those self-morphing viruses, redownloading worms, all kinds of sh!t. The amount of malware is increasing at such an astronomical rate that if any and all new infections would need to be dealt with with enough care to avoid false positives completely, antivirus protection would be a) WAAAAAY to slow, and WAAAAY to expensive. In effect we would have no virus protection at all.

So yeah, if a file looks 98% like a virus, it's a VERY safe bet to kill it off (if it walks like a duck and talks like a duck...) and there's normally many many many more people helped than hindered... Remember that the number of AV customers that encounter virus attacks is way, way higher than the number of AV customers encountering a false positive. Ofcourse banning very idiotic errors in False Positive avoidance like having a common Windows Vista system file killed because of a FP detection... But that is very rare, luckily.

That all being said, please know that AV companies invest a shitload of money and effort in big clustered systems with millions of common files that every virus definition is tested against, day in day out, to avoid FP's. OFcourse, it's not about choosing the easy way out, it's not like they don't care about FP's. every FP hurts the company's image and their AV performance bigtime. BUT on the other hand, every second of delay in releasing AV definitions for a new virus also hurts their image and hurts the effectiveness of their protection even more! It's a very difficult balance and a thin line between racing against the clock to release AV definitions in time to protect their paying customers, and on the other hand making sure that everything is perfect enough not to harm all those thousands and thousands of different PC configurations of ALL their customers.

Please realize that most many normal software companies can take months or even years to finalize a simple bugfix update, while these guys only have hours (at most!) to release perfect antivirus definitions even if it's a type of virus no-one has ever thought of.

Sorry but this kind of crude nonsense about the companies that try and keep viruses AWAY from us, really is not an example of great understanding. Bash the virus makers that try to make money over unsuspecting users' backs! Not the people that try to protect everyone from them.

Thanks for the attention.

P.S. Don't give arguments like "if users were smarter there would be no viruses" / "I don't have an AV and I never had a virus" / "Why doesn't everyone just go to Linux" because ey, the fact is that the average computer user just does not fit that profile. It's just the way it is now, Windows is BIG, so Windows is vulnerable. Why is it so big? Because M$ does all it can to make users think that they make the easiest AND best operating system to work with. Well "easiest" is probably right in terms of learning curve, but "best", let's not go there. Hey... Their marketing is just better than Thorvald's ... And why is it vulnerable? Because it is big, and because M$ focuses on accessibility instead of security which is often a direct trade-off.

Edited December 2, 2010 by SadBunny

[martin]

Wait a minute... This is way too harsh for my taste and doesn't do justice at all to the real situation. (For the Dutchies here: this shoots me fftjes completely in the wrong throathole )

I worked for an antivirus company for years... Algorithmically creating heuristics for AV detection is simply the only way these days that they can cope with all those self-morphing viruses, redownloading worms, all kinds of sh!t. The amount of malware is increasing at such an astronomical rate that if any and all new infections would need to be dealt with with enough care to avoid false positives completely, antivirus protection would be a) WAAAAAY to slow, and WAAAAY to expensive. In effect we would have no virus protection at all.

So yeah, if a file looks 98% like a virus, it's a VERY safe bet to kill it off (if it walks like a duck and talks like a duck...) and there's normally many many many more people helped than hindered... Remember that the number of AV customers that encounter virus attacks is way, way higher than the number of AV customers encountering a false positive. Ofcourse banning very idiotic errors in False Positive avoidance like having a common Windows Vista system file killed because of a FP detection... But that is very rare, luckily.

That all being said, please know that AV companies invest a shitload of money and effort in big clustered systems with millions of common files that every virus definition is tested against, day in day out, to avoid FP's. OFcourse, it's not about choosing the easy way out, it's not like they don't care about FP's. every FP hurts the company's image and their AV performance bigtime. BUT on the other hand, every second of delay in releasing AV definitions for a new virus also hurts their image and hurts the effectiveness of their protection even more! It's a very difficult balance and a thin line between racing against the clock to release AV definitions in time to protect their paying customers, and on the other hand making sure that everything is perfect enough not to harm all those thousands and thousands of different PC configurations of ALL their customers.

Please realize that most many normal software companies can take months or even years to finalize a simple bugfix update, while these guys only have hours (at most!) to release perfect antivirus definitions even if it's a type of virus no-one has ever thought of.

Sorry but this kind of crude nonsense about the companies that try and keep viruses AWAY from us, really is not an example of great understanding. Bash the virus makers that try to make money over unsuspecting users' backs! Not the people that try to protect everyone from them.

Thanks for the attention.

P.S. Don't give arguments like "if users were smarter there would be no viruses" / "I don't have an AV and I never had a virus" / "Why doesn't everyone just go to Linux" because ey, the fact is that the average computer user just does not fit that profile. It's just the way it is now, Windows is BIG, so Windows is vulnerable. Why is it so big? Because M$ does all it can to make users think that they make the easiest AND best operating system to work with. Well "easiest" is probably right in terms of learning curve, but "best", let's not go there. Hey... Their marketing is just better than Thorvald's ... And why is it vulnerable? Because it is big, and because M$ focuses on accessibility instead of security which is often a direct trade-off.

Nothing you say excuse the appalling record of McAfee with false positives for AutoIt. After a few years of frequent misery using their AV (update1 gives false positives - oops sorry it will be fixed in next update. Update 2 ok. Update3 gives false positives - oops sorry ..... I really believe they are stupid.) I threw it out of every PC and I now age at the normal rate instead of twice.

[SadBunny]

Nothing you say excuse the appalling record of McAfee with false positives for AutoIt. After a few years of frequent misery using their AV (update1 gives false positives - oops sorry it will be fixed in next update. Update 2 ok. Update3 gives false positives - oops sorry ..... I really believe they are stupid.) I threw it out of every PC and I now age at the normal rate instead of twice.

Yeah, true I'm happy I didn't work for McAfee, we use it where I work now and it's a bitch to use it in a big network, it's slow and cumbersome (and lets not forget overfeatured) and they focus too much on speed of release and not on quality. I am not excusing a stupid FP avoidance regime; if they encounter an FP multiple times they should change their algorithms to define their autoit-related virus definitions more clearly. Many AV companies that actually try to be thrustworthy instead of just trying to be as big-ass as possible like McAfee, actually have algorithms to steer their FP avoidance in order to minimize recurring FP's - McAfee is certainly not the best one around in that respect

Still I think it's unwarranted to call them stupid easy-way-out-choosing fuckers... Maybe I ranted on too heavily though

Edited December 2, 2010 by SadBunny

[PsaltyDS]

AV companies that actually try to be thrustworthy...

Do we even want to know what it means for an AV company to be "thrustworthy"?

[SadBunny]

Do we even want to know what it means for an AV company to be "thrustworthy"?

Lol, sorry, I'm gonna bring up the not-a-native-speaker argument excuse Really laughing my ass of here, this is actually pretty freudian!

Whahaha, also notice that I used "big-ass" in the same sentence!

Edited December 2, 2010 by SadBunny

[polps]

Ok, thanks to all.

False submissions should be sent via email to virus_research@avertlabs.com(mailto:virus_research@avertlabs.com) in a password protected zip (password needs to be the word 'infected' - without the quotes) - the subject line of the email should contain the word FALSE please.

I will try to send the script to McAfee.

If McAffee still rejects it, rename to .txt and recipient renames it back to .au3.

And I will try this also.

[Mobius]

[RANTASTIC]

At the end of the day it is a self sustaining industry (that sucks anal eggs), malware writers (not skids but genuine authors) are out to make money (It is very big business), Antivirus solution companies are also in it to make money nothing more, if for some reason malware authors suddenly stopped writing malicious code then the Antivirus companies would simply employ people to write more.

If you have worked for an AV company and defend them then you are simply a corporate drone, and obviously not one of the ones sitting in the boardroom. I bet you a pot of (someone elses) gold that the key topic around said table was not "How can we prevent malware" or "how can we develop a solution to actually protect people against malware" it was "how can we make the most amount of money in the least amount of time and effort while at the same time continue to fool the masses that we actually know what we are doing and give a damn for thier safety"

Do AV solutions actually reverse engineer a target on the fly to detect if it is in fact malicious? Hell no, as someone else mentioned, said process would take too long (and humans so don't like to wait), but if they are not actually doing this very thing then they are doing NOTHING at all.

Okay but there are free AV solutions out there, true enough, but said companies do a free AND a retail version of thier software, what happens if you get infected with the free version? Well sir or madame if you had PAID for the retail version then you would have been a great deal safer....

Okay okay (your idealistic) so you work for a company that really cares about a human rather than the color of money, and are one of the drones employed to sit at your terminal and reverse engineer a target and develop signatures for the company to combat a piece of malware? What the hell is a signature anyway but a static value based on one or more static data sequences that exist in a target that you found either through static analysis or in a region of memory, by the time all this static has made the hairs on your arms stand to attention that target has already been reassembled in a fractionaly different manner to combat your signatures by someone being payed a great deal more than you are for your time.

What has all this got to do with this thread? Not a damn thing...

What can you or your company do to protect it/your self? Not a damn thing, but.....

Resistance is futile but not pointless, buying into a lie is just plain expensive and pointless.

[/RANTASTIC]

Edited December 3, 2010 by Mobius

[omikron48]

This is one of the reasons I removed Comodo Internet Security and reverted back to ZoneAlarm.

[BrewManNH]

This is one of the reasons I removed Comodo Internet Security and reverted back to ZoneAlarm.

Odd, I never had that many false positives from CIS. I never had an AutoIt program/script get flagged by it. But then I have also switched to another AV because I am testing it, the Microsoft Security Essentials on one of my computers.

[GEOSoft]

This subject has been getting beaten to death for years now and there was no need to open a new topic to prolong the agony. You get false positives on occasion so you can either report it to the AV company or live with it but we don't need to be rehashing it. That's why there is a sticky to begin with.

[James]

Again,

[KingNED]

Bullguard, or any AV that uses the BitDefender engine, doesn't see AU3 scripts, nor the installer as a virus. If you do some odd malicious code, then yes, it will be detected as a virus, but not the normal scripts.

Besides the one-time 'See every component of windows and every running process as Win32/FakeTrojan.5 (or something, don't remember the exact name lol)', its been perfect.