Protect yourself against false Virus detection

[storme]

G'day All

I see another "how do I fix these virus detection problems?" thread.

I'm lucky as all of the scripts I've put out there go into or under a directory that I set up an exception for.

For those that send scripts out to computers they have no control over can I suggest the following steps.

1. Submit your EXE to http://www.virustotal.com

2. Add a comment that it's safe maybe add a link to your site.

3. Extract the programs that have falsly identiifed your program.

4. Find how to present your program to those sites.

5. Present your program to those sites as a false positive.

6. Wait for a reply that it has been fixed.

6.5 Reanalyse with virustotal to see if it has been fixed. (if not got back to step 3)

7. Release your program to the world.

Looks farly straight forward to me and "very scriptable"

Maybe someone has done it already or partly done it and someone else can add to the work.

At this point in time it seems like a usefull program to keep the AV companies honest!

You never knwo if enough submit their "false positives" they might get their act together as far a AutoIT is concerned.

Good Luck!

[JohnOne]

I volunteer your good self to create the script to automate the upload and submission scripts so we dont have to

[storme]

I volunteer your good self to create the script to automate the upload and submission scripts so we dont have to

Shrug I have no need for it at the moment.

If I ever produce scripts that need it I'll have a go at it of course!

It's not really that hard a script to write and would mostly be welding a few existing scripts together then adding a bit of intellegence.

The GUI is the only thing I'd have trouble with... Just can never get my head around them and they look like rubbish.

But...Until then we'll just have to put up with "virus" threads and some reluctance to using AutoIT because of the false positives.

John Morrison

AKA

Storm-E

[Confuzzled]

Alternatively, every time there is any update to AutoIt, submit the following code (compiled):

#Region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_Compression=4
#AutoIt3Wrapper_Res_Comment=This is an empty AutoIT compiled file. The source file contents consist of just one semicolon. Used to check false positives of anti-malware vendors.
#AutoIt3Wrapper_Res_Description=Note: If scanning the contents of this file produces a positive, your detection algorithms are faulty and your product is bad!
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****
;

That should give the various anti-malware researchers a heads up to update their signature detection routines.

Of course you shouldn't include the EICAR string in your submission, should you?

Edited May 13, 2012 by Confuzzled

[czardas]

Storm, that's a good idea. Someone kindly checked my app "The Big Rip.exe" after I reported I was having issues with it.

https://www.virustotal.com/file/baf09baa...1a36d94bd5c939acc5c/analysis/1

http://virusscan.jotti.org/en/scanresult/e04a13d001d0d8190aa8cc935534bdd3d196bbf0

[storme]

This is a good start for checking your apps easily

https://www.virustotal.com/documentation/desktop-applications/virustotal-uploader/

It will upload your app then open a web page to the scan results (if already scanned) or a page showing the current status of the scan.

If there were a way of automatically picking up the web page (could be IE, Firfox, Chrome, etc) then it coudl be used to tell who identifying your App as a virus.

[armoros]

It would be nice if we could somehow add a piece of code in an Autoit script that it gives the user an option to upload it first in VT for testing and then execute the main script if it is ok..

[guinness]

It would be nice if we could somehow add a piece of code in an Autoit script that it gives the user an option to upload it first in VT for testing and then execute the main script if it is ok..

Care to elaborate the 'we' part, do you mean the AutoIt developers or the coder?

[armoros]

Care to elaborate the 'we' part, do you mean the AutoIt developers or the coder?

Well i by my self i dont know how to do it...

but of course if the dev team or an experienced user like you could achieve it then it would be nice.

[meisandy]

I've just found the following post online which could prove very useful. There is a list of email addresses and/or online forms that allow you to inform practically every AV company about false positives! The author has even gone to effort of creating a 'mailto' link which includes all the email addresses.

http://www.techsupportalert.com/content/how-report-malware-or-false-positives-multiple-antivirus-vendors.htm

[water]

We already have something similar in the wiki. It could be quite useful to add your link to this wiki page.

[orbs]

sorry to deprecate a noble cause, but automating the process seems like an overkill. unless your exe is really infected, VirusTotal will issue 1 to 3 warnings per 47 engines (as for today). none of them are from ruling vendors, which no longer detect AutoIt compiled scripts as false positive. that's the department of ridiculously-uncommon-and-comfortably-ignorable vendors. (like, who ever heard of F-Prot? and VBA32? that name itself sounds like a malware, and their url - www.anti-virus.by - sounds like a genuine phishing scam...)

i did found that what you can do to minimize false positive, is to disable the UPX compression. and anyway, UPX compression is not something you want nowadays, because it increases the exe load time, and the size reduction is of no importance (the uncompressed exe itself is under 2MB, worst case. and used RAM or virtual memory is not improved by compression).

i did bother in the past to submit my exe's to some vendors, with mixed results (to say the least). some never responded, some acknowledged but reverted in the next signature update. i trust them not, and my advice to the user who does encounter false positive, is as simple as it can be - kick your antivirus software out of the nearest window, and get a working one. i post this advise (in somewhat nicer phrasing) as a constant post on my program website.

b.t.w VirusTotal do have an API, but as i said, overkill.

wish us all healthy scripting.

[michaelslamet]

I'm using Avast. Beside false alarm, what annoying me is my script always marked "The file prevalence/reputation is low".

This is annoying because regular users dont know how to handle this plus fact that scripts on unattended pc are blocked because

there is no user there to confirm the execution.

Anybody using Avast here, maybe some trick to get away with this?

[michaelslamet]

I heard that avast "The file prevalence/reputation is low" issue can be solved if we digitally sign our autoit script.

Do we need to buy or pay for that?

[JLogan3o13]

I went through the same discussion with Avast, as it was what we were loading on all machines heading out the door. Their unwillingness to work with me frustrated me to the point I dumped them entirely for MSE.

[guinness]

I heard that avast "The file prevalence/reputation is low" issue can be solved if we digitally sign our autoit script.

Do we need to buy or pay for that?

You need to pay to have a valid certificate so as to 'sign' your applications.

[storme]

sorry to deprecate a noble cause, but automating the process seems like an overkill. unless your exe is really infected, VirusTotal will issue 1 to 3 warnings per 47 engines (as for today). none of them are from ruling vendors, which no longer detect AutoIt compiled scripts as false positive. that's the department of ridiculously-uncommon-and-comfortably-ignorable vendors. (like, who ever heard of F-Prot? and VBA32? that name itself sounds like a malware, and their url - www.anti-virus.by - sounds like a genuine phishing scam...)

i did found that what you can do to minimize false positive, is to disable the UPX compression. and anyway, UPX compression is not something you want nowadays, because it increases the exe load time, and the size reduction is of no importance (the uncompressed exe itself is under 2MB, worst case. and used RAM or virtual memory is not improved by compression).

i did bother in the past to submit my exe's to some vendors, with mixed results (to say the least). some never responded, some acknowledged but reverted in the next signature update. i trust them not, and my advice to the user who does encounter false positive, is as simple as it can be - kick your antivirus software out of the nearest window, and get a working one. i post this advise (in somewhat nicer phrasing) as a constant post on my program website.

b.t.w VirusTotal do have an API, but as i said, overkill.

wish us all healthy scripting.

 

Sorry I disagree!

I've got one script that is regularly deleted by multiple (main stream) antivirus programs.  I've even had it deleted when it's inside a zip file.  I've given up take note of which ones delete it.

I can't "kick" the antivirus because they are on my customers computers.

So every time I update the program I have to notify every antivirus company so they won't delete the program.

A program like this would make it easy.

BTW you stated "which no longer detect AutoIt compiled scripts as false positive" I haven't heard of this.  Where did you get this information?

thanks for your input.

John Morrison

[guinness]

Did anyone search for a VirusTotal UDF in the examples section? There is one.

[orbs]

@storme,

my sympathies. truly, this is unfortunate.

"I've got one script that is regularly deleted by multiple (main stream) antivirus programs" - is Symantec or McAfee one of them? just for my curiosity.

"I've even had it deleted when it's inside a zip file" - this is expected. if the antivirus engine can spot a threat (false or not) in the file itself, it'd better be able to detect it zipped. you wouldn't trust antivirus engine that can not do that.

 

"which no longer detect AutoIt compiled scripts as false positive" this is not declared anywhere, this is per my experience in the past few years, courtesy of VirusTotal. years back i had some exe's falsely detected by McAfee, eSafe & Trend-Micro, over time the situation turned end to end and now the unknown vendors, like F-Prot & GData are the troublemakers.

further suggestions:

most antivirus engine have heuristic option (the name may differ). is it in your scope to disable it, or to lower the intensity of the heuristic scan? the name of the "threat" by which the antivirus "detect" your script may direct you to the method in which it was "detected".

i assume you have tried to disable UPX when compiling the script, did this make any change?

very very long shot: is it possible that what your script is doing triggers the alarm? i mean, does the script get "detected" when passive, e.g. copied to the pc, or when active, i.e. when it is actually launched?

[storme]

@storme,

 

my sympathies. truly, this is unfortunate.

 

"I've got one script that is regularly deleted by multiple (main stream) antivirus programs" - is Symantec or McAfee one of them? just for my curiosity.

I'm not sure anymore. It's a file I don't use often but always copy onto my customers computers.

So it could be deleted on any one of them not just the one I notice it on.

Sometimes I catch it and add an exception but sometimes there is no warning I've seen.

I had to recopy it onto my USB drive a couple of weeks ago.

"which no longer detect AutoIt compiled scripts as false positive" this is not declared anywhere, this is per my experience in the past few years, courtesy of VirusTotal. years back i had some exe's falsely detected by McAfee, eSafe & Trend-Micro, over time the situation turned end to end and now the unknown vendors, like F-Prot & GData are the troublemakers.

I'll reserve judgement, I've seen this kind of lull before then it starts again.

One of my main scripts is now an a3x so it won't be detected and deleted that is how bad it got and that was only 6 months ago.

further suggestions:

 

most antivirus engine have heuristic option (the name may differ). is it in your scope to disable it, or to lower the intensity of the heuristic scan? the name of the "threat" by which the antivirus "detect" your script may direct you to the method in which it was "detected".

The trouble is, by that you are reducing the protection the antivirus gives to the user.

Much better to get the program excluded (if possible) before reducing the protection.

Also if a customer changes their antivirus then the script is/maybe gone and I'm not there to change the settings.

i assume you have tried to disable UPX when compiling the script, did this make any change?

It's disabled on all my scripts, has been for years.

very very long shot: is it possible that what your script is doing triggers the alarm? i mean, does the script get "detected" when passive, e.g. copied to the pc, or when active, i.e. when it is actually launched?

It's deleted when inactive just being copied onto the system.

The script in essence

- accesses a web site ticks a few boxes to select a package (IE UDF)

- Hits submit (IE UDF)

- gets the URL of the file (on the same site) (IE UDF)

- Downloads the file (Inetget)

- Executes it (run)

Yep looks suspicious just like any program that has an inbuilt update facility.

Which brings us back to an automated "false positive" submitter.

If it's submitted and THEY do their job right then it's excluded from being deleted.

Thanks for your feedback

John Morrison