how to fix this false positives?

[FaridAgl]

First take a look on this report:

http://www.virustotal.com/file-scan/report.html?id=338d59b4e084b7f342929049383ca4c049167248370311f124e10346ff488ef1-1317642888

I exactly know what i write in my script and i really don't know why the Virus Scan result is 4/43.

i want to know what can be the reason of this, i mean what codes maybe will coz this result?

my script's includes:

WindowsConstants.au3

StaticConstants.au3

GUIConstantsEx.au3

ComboConstants.au3

EditConstants.au3

_UskinLibrary.au3

GuiTreeView.au3

NomadMemory.au3

String.au3

Misc.au3

If any one interested to help me i will share the script, it's about 2000 line.

[rcmaehl]

I don't see anything includes that would trigger those results, so please post the script.

EDIT: Then again it might just be UPX being sassed again.

Edited October 3, 2011 by rcmaehl

[FaridAgl]

it's not UPXed.

[kaotkbliss]

A while back, AVG started flagging a few of my scripts.

The things they had in common were FileInstall and ReWrite/RegDelete that weren't in other scripts. (At least not both)

When I could not find a "submit file for review" as they once had and it would still constantly flag files I marked as safe, I finally removed AVG and am now looking for a new AV.

Anyways, my point was

Maybe it's not the includes but something your script is doing (like fileinstall or reg edits) that your AV consideres Viral behavior?

I'm also suspicious of the NomadMemory as I could see messing with the ram as being a flag...

[FaridAgl]

I was using fileinstall, it coz 1 other false positive. i just removed fileinstall and now it has a result of 4/43

i will take a look at regwrite & regdelete.

tnx.

[BrewManNH]

3 of those 4 ding reports are telling you that it's an AutoIt3 script, I don't see a problem there most likely those POS AV softwares will flag anything that's an AU3 script as a possible problem. Note it says generic heuristic, not that it's any kind of virus. The other one is just because that AV software probably sucks.

[Mobius]

Hello D4RKON3,

If your project is not packed with upx I assume you are using no software armoring tools at all, so those 4 flags are just the standard flags for AutoIt3 interpreted executables.

Here is a little trick that might deter some of those flags for a while (assuming the flags are based on static and not behavioural analysis)

When you build your product instead of letting Aut2Exe append the a3x data to the tail of the interpreter as normal, create an a3x file.

Aut2Exe.exe /in MyProd.au3 /out MyProd.a3x

Then add the a3x file to the resource table of your interpreter with a resource editor. (or api)

Run it to see that the interpreter detects the a3x. (it will )

Then send / scan it yourself to see the results.

On an unrelated side note this method also allows for further editing of the resource table after your products build without risk of corrupting the a3x data. (unless of course you decide to pack it and forget to tell the packer not to pack the resource table entrance in which the a3x resides)

Of course this will not help you if said tools are simply looking for certain default components that make up the a3x file, and or the interpreter in its unpacked state or as said before they are getting hot under the collar because of your products actions and not its content.

Vlad

Edited October 3, 2011 by Mobius

[Skitty]

Or make a complaint to the AV fabricator and tell them how shitty their AV is and that your new mission in life is to spread the word about how crappy and fraudulent their product is due to the fact that (instead of developing the AV correctly) they are lazy good for nothing pricks that would rather flag everything you download as a threat as an excuse for bad development, that way, if you did end up as a part of a botnet and some one hacks Microsoft's server using your PC, they say "Oh, well we warned you buddy!".