Jump to content
Sign in to follow this  

how to fix this false positives?

Recommended Posts

First take a look on this report:


I exactly know what i write in my script and i really don't know why the Virus Scan result is 4/43.

i want to know what can be the reason of this, i mean what codes maybe will coz this result?

my script's includes:











If any one interested to help me i will share the script, it's about 2000 line.

Share this post

Link to post
Share on other sites

I don't see anything includes that would trigger those results, so please post the script.

EDIT: Then again it might just be UPX being sassed again.

Edited by rcmaehl

My UDFs are generally for me. If they aren't updated for a while, it means I'm not using them myself. As soon as I start using them again, they'll get updated.

My Projects
Cisco FinesseGithubIRC UDFWindowEx UDF


Share this post

Link to post
Share on other sites

A while back, AVG started flagging a few of my scripts.

The things they had in common were FileInstall and ReWrite/RegDelete that weren't in other scripts. (At least not both)

When I could not find a "submit file for review" as they once had and it would still constantly flag files I marked as safe, I finally removed AVG and am now looking for a new AV.

Anyways, my point was

Maybe it's not the includes but something your script is doing (like fileinstall or reg edits) that your AV consideres Viral behavior?

I'm also suspicious of the NomadMemory as I could see messing with the ram as being a flag...



My Android cat and mouse game

We're gonna need another Timmy!

Share this post

Link to post
Share on other sites

3 of those 4 ding reports are telling you that it's an AutoIt3 script, I don't see a problem there most likely those POS AV softwares will flag anything that's an AU3 script as a possible problem. Note it says generic heuristic, not that it's any kind of virus. The other one is just because that AV software probably sucks.

If I posted any code, assume that code was written using the latest release version unless stated otherwise. Also, if it doesn't work on XP I can't help with that because I don't have access to XP, and I'm not going to.
Give a programmer the correct code and he can do his work for a day. Teach a programmer to debug and he can do his work for a lifetime - by Chirag Gude
How to ask questions the smart way!

I hereby grant any person the right to use any code I post, that I am the original author of, on the autoitscript.com forums, unless I've specifically stated otherwise in the code or the thread post. If you do use my code all I ask, as a courtesy, is to make note of where you got it from.

Back up and restore Windows user files _Array.au3 - Modified array functions that include support for 2D arrays.  -  ColorChooser - An add-on for SciTE that pops up a color dialog so you can select and paste a color code into a script.  -  Customizable Splashscreen GUI w/Progress Bar - Create a custom "splash screen" GUI with a progress bar and custom label.  -  _FileGetProperty - Retrieve the properties of a file  -  SciTE Toolbar - A toolbar demo for use with the SciTE editor  -  GUIRegisterMsg demo - Demo script to show how to use the Windows messages to interact with controls and your GUI.  -   Latin Square password generator

Share this post

Link to post
Share on other sites

Hello D4RKON3,

If your project is not packed with upx I assume you are using no software armoring tools at all, so those 4 flags are just the standard flags for AutoIt3 interpreted executables.

Here is a little trick that might deter some of those flags for a while (assuming the flags are based on static and not behavioural analysis)

When you build your product instead of letting Aut2Exe append the a3x data to the tail of the interpreter as normal, create an a3x file.

Aut2Exe.exe /in MyProd.au3 /out MyProd.a3x

Then add the a3x file to the resource table of your interpreter with a resource editor. (or api)

Run it to see that the interpreter detects the a3x. (it will :graduated:)

Then send / scan it yourself to see the results.

On an unrelated side note this method also allows for further editing of the resource table after your products build without risk of corrupting the a3x data. (unless of course you decide to pack it and forget to tell the packer not to pack the resource table entrance in which the a3x resides)

Of course this will not help you if said tools are simply looking for certain default components that make up the a3x file, and or the interpreter in its unpacked state or as said before they are getting hot under the collar because of your products actions and not its content.


Edited by Mobius


Share this post

Link to post
Share on other sites

Or make a complaint to the AV fabricator and tell them how shitty their AV is and that your new mission in life is to spread the word about how crappy and fraudulent their product is due to the fact that (instead of developing the AV correctly) they are lazy good for nothing pricks that would rather flag everything you download as a threat as an excuse for bad development, that way, if you did end up as a part of a botnet and some one hacks Microsoft's server using your PC, they say "Oh, well we warned you buddy!".

Share this post

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

  • Recently Browsing   0 members

    No registered users viewing this page.

  • Create New...