Autoit script and Symantec Endpoint Protection 12 are very VERY slow

akorx · April 19, 2012

Hi Guys,

I'm french so sorry for my bad english... i will try to explain one problem that i've got since 1 month. I've got a lot of autoit scripts that run on my LAN (compile scripts). I use the last version of autoit.

One month ago, my virus protection was "symantec endpoint portection 11" and now it's "symantec endpoint portection 12" (exactly : "12.1.1000.157 RU1"). Since this change there is something that is very strange : when i copy one of those scripts (it's the same thing with all my scripts) on a workstation with windows or dos, the copy takes 1 or 2 minutes (before it was immediate) but there no problem with others programs...

So what happens to my scripts ? the scan seems to be very but VERY VERY slow.

I've called the symantec enpoint support and given one my program : there is no virus... so they anwser me to do exceptions in the configuration of the proection but i don't want to do that (for a lot of reason : lot of programs and this is not a solution for me).

PS : I had scan my scrips with norton, symantec, and avast and there no problem...

Here is an exemple of one of this scripts :

#cs

ATTENTION

pour avoir un resultat dans une fenetre dos compiler de cette façon :

auto2exe /in <fichier.au3> /out <fichier.exe> /console

ou alors Scite with choose Tools => Compile and check the option "Create CUI instead of GUI EXE"

#ce

#cs ----------------------------------------------------------------------------

Effacement des fichiers d'un répertoire selon leur ancienneté...

#ce ----------------------------------------------------------------------------

#cs

Raccourci scite :

- crtl + T : tidy

- ctrl + F6 : Autoit Windows Info

- alt + M : koda

#ce

#region ; début de la section des directives

#AutoIt3Wrapper_Res_Icon_Add=./icone.ico ; icone à ajouter dans les sources de l'application

#AutoIt3Wrapper_Icon=./icone.ico ; icone de l'application compilée

#AutoIt3Wrapper_Run_Tidy=y ; utilisation de tidy lors du lancement du script

#Tidy_Parameters /kv 0 ; parametre de sauvegarde du script (0 = toutes les verions)

#AutoIt3Wrapper_UseUPX=y ; utilisation de la compression pour compiler l'exe

#AutoIt3Wrapper_Compression=2 ; taux de compresson de l'exe (2 est une bonne valeur)

#endregion ; début de la section des directives

#AutoIt3Wrapper_Change2CUI=Y

#NoTrayIcon

#include <GuiConstants.au3>

#include <Date.au3>

Global $msgHeader = "" ;Varible for the message header

$heure_actuelle = _NowCalc()

If $CmdLine[0] = 0 Then

ConsoleWrite('Cleanday is used to delete files and folders that are older than a certain number of days and that are directly placed under a specified path.' & @LF & _

'' & @LF & @LF & _

'Syntax:' & @TAB & 'cleanday.exe [-f] [-d] [folder] [number of days] [/verbose]' & @LF & @LF & _

'ex : cleanday.exe c:temparchives 3' & @LF & @LF & _

' -f : only files are delete (optional)' & @LF & _

' -d : only directories are delete (optional)' & @LF & _

' /verbose : display the name of the folder or the file that is delete with date of creation (optional)' & @LF & _

@LF)

Exit

EndIf

$f = 0

$d = 0

$v = 0

$rep = 0

$dbj = 0

$premier_rep = 0

$premier_nbj = 0

$sortie = 0

For $i = 1 To $CmdLine[0]

If $CmdLine[$i] = "-f" Then $f = 1 ; effacer les fichiers

If $CmdLine[$i] = "-d" Then $d = 1 ; effacer les repertoires

If $CmdLine[$i] = "/v" Then $v = 1 ; mode verbeux

If FileExists($CmdLine[$i]) = 1 Then

$rep = $CmdLine[$i]

$premier_rep = $premier_rep + 1

EndIf

If StringIsInt($CmdLine[$i]) = 1 Then

$nbj = $CmdLine[$i]

$premier_nbj = $premier_nbj + 1

EndIf

ConsoleWrite("=> Directory not found, please check your path !" & @LF & @LF)

$sortie = 1

EndIf

If $premier_nbj <> 1 Then

ConsoleWrite("=> Number of days must be an integer !" & @LF & @LF)

$sortie = 1

EndIf

If $sortie = 0 Then

Remove($f, $d, $rep, $nbj, $v)

Else

Exit

EndIf

Func Remove($s_f, $s_d, $s_rep, $s_nbj, $s_v, $flag = 1)

If $s_f = 1 And $s_d = 1 Then

ConsoleWrite("=> You have specified to keep files and directories !" & @LF & @LF)

Exit

EndIf

ConsoleWrite("Please wait..." & @LF & @LF)

If Not StringInStr(StringRight($s_rep, 1), "") Then $s_rep = $s_rep & ""

$ffff = FileFindFirstFile($s_rep & "*")

While 1

$ffnf = FileFindNextFile($ffff)

If @error Then ExitLoop

;EndIf

$t = FileGetTime($s_rep & $ffnf, 1)

$yyyymd = $t[0] & "/" & $t[1] & "/" & $t[2] & " " & $t[3] & ":" & $t[4] & ":" & $t[5]

If Not @error Then

$ecart = _DateDiff('D', $yyyymd, $heure_actuelle)

If $ecart >= $s_nbj Then

If StringInStr(FileGetAttrib($s_rep & $ffnf), "D") Then

If $s_f <> 1 Then

If $s_v = 1 Then ConsoleWrite($yyyymd & " : " & $s_rep & $ffnf & "" & @LF)

DirRemove($s_rep & $ffnf, $flag)

EndIf

Else

If $s_d <> 1 Then

If $s_v = 1 Then ConsoleWrite($yyyymd & " : " & $s_rep & $ffnf & @LF)

FileDelete($s_rep & $ffnf)

EndIf

WEnd

FileClose($ffff)

EndFunc ;==>Remove

Edited April 19, 2012 by akorx

akorx · April 19, 2012

I've tried another thing :

i make a new script that contains only this :

; hi

I make an exe and there is the same problem !!! so what happens during the compilation so that symantec endpoint protection takes one minute to scan it when i copy it after ?

Edited April 19, 2012 by akorx

water · April 19, 2012

Do you use UPX to compress the EXE?

Press Ctrl+F7 in SciTE and on tab "AutoIt3/Aut2Exe" you will see if "Use UPX" is checked.

akorx · April 24, 2012

Do you use UPX to compress the EXE?
Press Ctrl+F7 in SciTE and on tab "AutoIt3/Aut2Exe" you will see if "Use UPX" is checked.

First, thank for your help...

Well, i've seen the "upx problem" that your are talking about (and that I didn't know) and then i've decided to had those lines to my first script :

#region

#AutoIt3Wrapper_UseUpx=n

#endregion

Now it's really better with all my scripts (the scans run now fast in one or two seconds when it took one or two minutes before) except for the first script that i've posted where it takes again one minute when i copy the exe to the disk (with "@copy myscript.exe c:temp*.* /y")...

Where is the problem ? which lines are not "correct" for the anti virus ?

NB : i've added another option that is #AutoIt3Wrapper_Compression=0 but it's the same thing... it's again slow with this script...

Edited April 24, 2012 by akorx

water · April 24, 2012

If you only have problems with this particular script then I would remove statement by statement until the problem goes away. I would start with the #-statements.

Remove "#include <GuiConstants.au3>" because it is not necessary. Then continue with the #AutoIt3Wrapper directives etc.

hemal · April 24, 2012

I was getting the same issue. Now it is resolved.

Point to be note here is that, whenever I's removing my network cable, it worked fine.

Thanks a lot for your support

kckennedy · August 29, 2012

We found that disabling the "Use Upx" option did not resolve this issue when using AutoIt version v3.3.8.1. However, disabling the "Use Upx" option did resolve the issue for us when we went back and tested with the v3.3.6.1 and v3.3.0.0 versions of AutoIt.

Edited October 17, 2012 by kckennedy

Zedna · August 30, 2012

Another solution can be to use Exception directories in your AV software.

I added in my AV software all my directories with AutoIt scripts to exclude list and I'm absolutely happy now.

Reg2Post · August 30, 2012

@OP:

There is a newer version of SEP. It is now at 12.1.1101.401 RU1 MP1.

I always had false positives and slow exe launch times with UPX compression enabled with SEP 12 and 12.1. Issues were resolved after disabling UPX compression on compiled exes. I think the issue is from the new Sonar Engine (introduced in version 12) not being able to find a reputable match on the files with UPX compression enabled.

kckennedy · August 30, 2012

The new 12.1.1101.401 RU1 MP1 version is what we are testing now... The x64-bit install seems to perform fine with no issues on our Windows 7 64-bit machines. It's the x32 install on Windows XP we are having the issue even when compiling without UPX compression in Auto v3.3.8.1. If you go to Client Management settings and turn off their new "Insight lookups" function, the performance problems go away altogether (this is not recommended though - can lead to more false positives). Seems like Symantec could make this work similar between x32 and x64, but when we opened a ticket with them they also suggested doing exceptions. We are looking at that, but this is causing us problems with other executables besides compiled AutoIt scripts.

kckennedy · October 17, 2012

You can also troubleshoot this by disabling the "Allow Insight lookups for threat detection (recommended)" option in the client under "Change Settings"; "Client Management"; "Configure Settings" button; Submissions tab.

benjbong · November 16, 2012

I was also having this problem with SEP 12.1 and AutoIT 3.3.6.1

What fixed it for me was:

In Aut2Exe v3 go to Compression > Uncheck UPX Compress .exe Stub

Check the box for x64 - The first time I tried without checking x64 it didn't work. Started working after that (all my machines are 64 bit)

Set an application exception for the .exe in SEPM

Compiled scripts that were taking for some people 15 minutes to load are loading in a couple seconds now.

Edited November 16, 2012 by benjbong

Sign In

Autoit script and Symantec Endpoint Protection 12 are very VERY slow

Recommended Posts

akorx

akorx

water

akorx

water

hemal

kckennedy

Zedna

Reg2Post

kckennedy

kckennedy

benjbong

Create an account or sign in to comment

Create an account

Sign in

Recently Browsing 0 members

Browse

AutoIt Resources

Release

Beta