FaridAgl 48 Posted October 3, 2011

First take a look at this report: http://www.virustotal.com/file-scan/report.html?id=338d59b4e084b7f342929049383ca4c049167248370311f124e10346ff488ef1-1317642888

I know exactly what I wrote in my script and I really don't know why the virus scan result is 4/43. I want to know what the reason for this could be, I mean what code might cause this result?

My script's includes:
WindowsConstants.au3
StaticConstants.au3
GUIConstantsEx.au3
ComboConstants.au3
EditConstants.au3
_UskinLibrary.au3
GuiTreeView.au3
NomadMemory.au3
String.au3
Misc.au3

If anyone is interested in helping me I will share the script; it's about 2000 lines.

http://faridaghili.ir
rcmaehl 50 Posted October 3, 2011 (edited)

I don't see any includes that would trigger those results, so please post the script.

EDIT: Then again, it might just be UPX being sassed again.

Edited October 3, 2011 by rcmaehl
FaridAgl 48 Posted October 3, 2011

It's not UPXed.
kaotkbliss 146 Posted October 3, 2011

A while back, AVG started flagging a few of my scripts. The things they had in common were FileInstall and RegWrite/RegDelete that weren't in other scripts (at least not both). When I could not find a "submit file for review" as they once had, and it would still constantly flag files I had marked as safe, I finally removed AVG and am now looking for a new AV.

Anyway, my point was: maybe it's not the includes but something your script is doing (like FileInstall or reg edits) that your AV considers viral behavior? I'm also suspicious of NomadMemory, as I could see messing with the RAM being a flag...
FaridAgl 48 Posted October 3, 2011

I was using FileInstall; it caused 1 other false positive. I just removed FileInstall and now it has a result of 4/43. I will take a look at RegWrite & RegDelete. Thanks.
BrewManNH 1,305 Posted October 3, 2011

3 of those 4 ding reports are telling you that it's an AutoIt3 script; I don't see a problem there. Most likely those POS AV softwares will flag anything that's an AU3 script as a possible problem. Note it says generic heuristic, not that it's any kind of virus. The other one is just because that AV software probably sucks.
Mobius 89 Posted October 3, 2011 (edited)

Hello D4RKON3,

If your project is not packed with UPX I assume you are using no software armoring tools at all, so those 4 flags are just the standard flags for AutoIt3 interpreted executables.

Here is a little trick that might deter some of those flags for a while (assuming the flags are based on static and not behavioural analysis). When you build your product, instead of letting Aut2Exe append the a3x data to the tail of the interpreter as normal, create an a3x file:

Aut2Exe.exe /in MyProd.au3 /out MyProd.a3x

Then add the a3x file to the resource table of your interpreter with a resource editor (or API). Run it to see that the interpreter detects the a3x (it will). Then send / scan it yourself to see the results.

On an unrelated side note, this method also allows for further editing of the resource table after your product's build without risk of corrupting the a3x data (unless of course you decide to pack it and forget to tell the packer not to pack the resource table entry in which the a3x resides).

Of course this will not help you if said tools are simply looking for certain default components that make up the a3x file and/or the interpreter in its unpacked state, or, as said before, they are getting hot under the collar because of your product's actions and not its content.

Vlad

Edited October 3, 2011 by Mobius
Skitty 49 Posted October 23, 2011

Or make a complaint to the AV fabricator and tell them how shitty their AV is and that your new mission in life is to spread the word about how crappy and fraudulent their product is, due to the fact that (instead of developing the AV correctly) they are lazy good-for-nothing pricks that would rather flag everything you download as a threat as an excuse for bad development. That way, if you did end up as a part of a botnet and someone hacks Microsoft's server using your PC, they say "Oh, well we warned you buddy!".