Sign in to follow this  
Followers 0
marko001

Compiled obfuscated seen as Balero-G [Wrm] Alias

12 posts in this topic

Hmm, how to avoid it?

I obfuscate and compile and Avast recognize it as that Worm.

It works if I disable Avast for a while but when/if restarted it recognize again that worm in the compiled executable aswell.

Any way to solve this?

M.

Share this post


Link to post
Share on other sites



#2 ·  Posted (edited)

Any way to solve this?

Sure, don;t use Obfuscator or Avast.. . or maybe skip UPX? Edited by Jos

Visit the SciTE4AutoIt3 Download page for the latest versions        Beta files                                                          Forum Rules
 
Live for the present,
Dream of the future,
Learn from the past.
  :)

Share this post


Link to post
Share on other sites

any other hint as protector instead of Obfuscator?

Share this post


Link to post
Share on other sites

#4 ·  Posted (edited)

The disable UPX suggestion didn't work?

By the way: Obfuscator doesn't protect your code at all, just makes it harder to read.

Jos

Edited by Jos

Visit the SciTE4AutoIt3 Download page for the latest versions        Beta files                                                          Forum Rules
 
Live for the present,
Dream of the future,
Learn from the past.
  :)

Share this post


Link to post
Share on other sites

Skipping UPX doesn't solve it.

Avast will skip folders just for manual scansion.

I disabled Avast and obfuscation worked but once Avast is again active it doesn't allow .exe to run and trashes it.

Looking now for other form of protection instead of Obfuscation, do you hava any hint?

M.

Share this post


Link to post
Share on other sites

So if you compile without using Obfusicator, Avast doesn't see it as a virus?

Share this post


Link to post
Share on other sites

First of all; right at the top if the index page for this forum we have

With Avast all you have to do is report it as a false positive and the problem will be solved within hours, often within minutes. They are particularily good about that. It also helps to let them know you are willing to send them the un-obfuscated script so they can check that. For sure they are used to looking at AutoIt scripts.

As a side note; I was looking at the virus updates for the last 30 days and there are 40 that have AutoIt in the virus name. That was yesterday and only for the last 30 days.


George

Question about decompiling code? Read the decompiling FAQ and don't bother posting the question in the forums.

Be sure to read and follow the forum rules. -AKA the AutoIt Reading and Comprehension Skills test.***

The PCRE (Regular Expression) ToolKit for AutoIT - (Updated Oct 20, 2011 ver:3.0.1.13) - Please update your current version before filing any bug reports. The installer now includes both 32 and 64 bit versions. No change in version number.

Visit my Blog .. currently not active but it will soon be resplendent with news and views. Also please remove any links you may have to my website. it is soon to be closed and replaced with something else.

"Old age and treachery will always overcome youth and skill!"

Share this post


Link to post
Share on other sites

I tend to not trust the VirusTotal website for accurate information. For example, I looked at the link that HappyTC posted for his test, and I have had Comodo AV on a system and it never flagged any of my scripts, compiled with or without UPX and with and with Obfuscating them, as a virus.


If I posted any code, assume that code was written using the latest release version unless stated otherwise. Also, if it doesn't work on XP I can't help with that because I don't have access to XP, and I'm not going to.
Give a programmer the correct code and he can do his work for a day. Teach a programmer to debug and he can do his work for a lifetime - by Chirag Gude
How to ask questions the smart way!

I hereby grant any person the right to use any code I post, that I am the original author of, on the autoitscript.com forums, unless I've specifically stated otherwise in the code or the thread post. If you do use my code all I ask, as a courtesy, is to make note of where you got it from.

Back up and restore Windows user files _Array.au3 - Modified array functions that include support for 2D arrays.  -  ColorChooser - An add-on for SciTE that pops up a color dialog so you can select and paste a color code into a script.  -  Customizable Splashscreen GUI w/Progress Bar - Create a custom "splash screen" GUI with a progress bar and custom label.  -  _FileGetProperty - Retrieve the properties of a file  -  SciTE Toolbar - A toolbar demo for use with the SciTE editor  -  GUIRegisterMsg demo - Demo script to show how to use the Windows messages to interact with controls and your GUI.  -   Latin Square password generator

Share this post


Link to post
Share on other sites

Besides usual case of UPX, I believe the second reason for the virus flag is because of "FileInstall" function.

Share this post


Link to post
Share on other sites

Looking now for other form of protection instead of Obfuscation, do you hava any hint?

You did see my second line in my post ..right?

What is it you want to protect?

Jos


Visit the SciTE4AutoIt3 Download page for the latest versions        Beta files                                                          Forum Rules
 
Live for the present,
Dream of the future,
Learn from the past.
  :)

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0