akorx

Autoit script and Symantec Endpoint Protection 12 are very VERY slow

12 posts in this topic

#1 ·  Posted (edited)

Hi Guys,

I'm French, so sorry for my bad English... I will try to explain a problem that I've had for one month. I've got a lot of AutoIt scripts that run on my LAN (compiled scripts). I use the latest version of AutoIt.

One month ago, my virus protection was "Symantec Endpoint Protection 11" and now it's "Symantec Endpoint Protection 12" (exactly: "12.1.1000.157 RU1"). Since this change there is something very strange: when I copy one of those scripts (it's the same with all my scripts) to a workstation with Windows or DOS, the copy takes 1 or 2 minutes (before it was immediate), but there is no problem with other programs...

So what happens to my scripts? The scan seems to be very, but VERY VERY slow.

I've called Symantec Endpoint support and given them one of my programs: there is no virus... so they answered that I should make exceptions in the configuration of the protection, but I don't want to do that (for a lot of reasons: lots of programs, and this is not a solution for me).

PS: I have scanned my scripts with Norton, Symantec, and Avast and there is no problem...

Here is an example of one of these scripts:

#cs
    WARNING
    To get output in a DOS window, compile this way:
    auto2exe /in <file.au3> /out <file.exe> /console
    or in SciTE choose Tools => Compile and check the option "Create CUI instead of GUI EXE"
#ce

#cs ----------------------------------------------------------------------------
    Deletes the files of a directory according to their age...
#ce ----------------------------------------------------------------------------

#cs
    SciTE shortcuts:
    - ctrl + T : tidy
    - ctrl + F6 : Autoit Windows Info
    - alt + M : koda
#ce

#region ; start of the directives section
#AutoIt3Wrapper_Res_Icon_Add=./icone.ico ; icon to add to the application's sources
#AutoIt3Wrapper_Icon=./icone.ico ; icon of the compiled application
#AutoIt3Wrapper_Run_Tidy=y ; run Tidy when the script is launched
#Tidy_Parameters /kv 0 ; script backup parameter (0 = all versions)
#AutoIt3Wrapper_UseUPX=y ; use compression when compiling the exe
#AutoIt3Wrapper_Compression=2 ; compression level of the exe (2 is a good value)
#endregion ; end of the directives section
#AutoIt3Wrapper_Change2CUI=Y
#NoTrayIcon

#include <GuiConstants.au3>
#include <Date.au3>

Global $msgHeader = "" ; variable for the message header
$heure_actuelle = _NowCalc() ; current date/time, compared against each file's creation time

; No arguments: print the usage text and exit
If $CmdLine[0] = 0 Then
    ConsoleWrite('Cleanday is used to delete files and folders that are older than a certain number of days and that are directly placed under a specified path.' & @LF & _
            '' & @LF & @LF & _
            'Syntax:' & @TAB & 'cleanday.exe [-f] [-d] [folder] [number of days] [/verbose]' & @LF & @LF & _
            'ex : cleanday.exe c:\temp\archives 3' & @LF & @LF & _
            ' -f : only files are delete (optional)' & @LF & _
            ' -d : only directories are delete (optional)' & @LF & _
            ' /verbose : display the name of the folder or the file that is delete with date of creation (optional)' & @LF & _
            @LF)
    Exit
EndIf

$f = 0
$d = 0
$v = 0
$rep = 0
$nbj = 0 ; was "$dbj" in the post; $nbj is the variable used below
$premier_rep = 0
$premier_nbj = 0
$sortie = 0

; Parse the command line: flags, one existing path, one integer number of days
For $i = 1 To $CmdLine[0]
    If $CmdLine[$i] = "-f" Then $f = 1 ; delete files
    If $CmdLine[$i] = "-d" Then $d = 1 ; delete directories
    If $CmdLine[$i] = "/v" Or $CmdLine[$i] = "/verbose" Then $v = 1 ; verbose mode (usage text documents /verbose)
    If FileExists($CmdLine[$i]) = 1 Then
        $rep = $CmdLine[$i]
        $premier_rep = $premier_rep + 1
    EndIf
    If StringIsInt($CmdLine[$i]) = 1 Then
        $nbj = $CmdLine[$i]
        $premier_nbj = $premier_nbj + 1
    EndIf
Next

If $premier_rep <> 1 Then
    ConsoleWrite("=> Directory not found, please check your path !" & @LF & @LF)
    $sortie = 1
EndIf

If $premier_nbj <> 1 Then
    ConsoleWrite("=> Number of days must be an integer !" & @LF & @LF)
    $sortie = 1
EndIf

If $sortie = 0 Then
    Remove($f, $d, $rep, $nbj, $v)
Else
    Exit
EndIf

; Delete the entries directly under $s_rep that are at least $s_nbj days old
Func Remove($s_f, $s_d, $s_rep, $s_nbj, $s_v, $flag = 1)
    If $s_f = 1 And $s_d = 1 Then
        ConsoleWrite("=> You have specified to keep files and directories !" & @LF & @LF)
        Exit
    EndIf
    ConsoleWrite("Please wait..." & @LF & @LF)
    ; Make sure the path ends with a backslash
    If Not StringInStr(StringRight($s_rep, 1), "\") Then $s_rep = $s_rep & "\"
    $ffff = FileFindFirstFile($s_rep & "*")
    While 1
        $ffnf = FileFindNextFile($ffff)
        If @error Then ExitLoop
        $t = FileGetTime($s_rep & $ffnf, 1) ; 1 = creation time
        If Not @error Then ; only index $t when FileGetTime returned an array
            $yyyymd = $t[0] & "/" & $t[1] & "/" & $t[2] & " " & $t[3] & ":" & $t[4] & ":" & $t[5]
            $ecart = _DateDiff('D', $yyyymd, $heure_actuelle)
            If $ecart >= $s_nbj Then
                If StringInStr(FileGetAttrib($s_rep & $ffnf), "D") Then
                    If $s_f <> 1 Then
                        If $s_v = 1 Then ConsoleWrite($yyyymd & " : " & $s_rep & $ffnf & "\" & @LF)
                        DirRemove($s_rep & $ffnf, $flag)
                    EndIf
                Else
                    If $s_d <> 1 Then
                        If $s_v = 1 Then ConsoleWrite($yyyymd & " : " & $s_rep & $ffnf & @LF)
                        FileDelete($s_rep & $ffnf)
                    EndIf
                EndIf
            EndIf
        EndIf
    WEnd
    FileClose($ffff)
EndFunc ;==>Remove

Edited by akorx

AkorxMail akorx@yahoo.fr


#2 ·  Posted (edited)

I've tried another thing:

I made a new script that contains only this:

; hi

I made an exe and there is the same problem!!! So what happens during the compilation so that Symantec Endpoint Protection takes one minute to scan it when I copy it afterwards?

Edited by akorx


Do you use UPX to compress the EXE?

Press Ctrl+F7 in SciTE and on tab "AutoIt3/Aut2Exe" you will see if "Use UPX" is checked.


My UDFs and Tutorials:

Spoiler

UDFs:
Active Directory (NEW 2017-04-18 - Version 1.4.8.0) - Download - General Help & Support - Example Scripts - Wiki
OutlookEX (NEW 2017-02-27 - Version 1.3.1.0) - Download - General Help & Support - Example Scripts - Wiki
ExcelChart (2015-04-01 - Version 0.4.0.0) - Download - General Help & Support - Example Scripts
Excel - Example Scripts - Wiki
Word - Wiki
PowerPoint (2015-06-06 - Version 0.0.5.0) - Download - General Help & Support

Tutorials:
ADO - Wiki

 


#4 ·  Posted (edited)

Do you use UPX to compress the EXE?

Press Ctrl+F7 in SciTE and on tab "AutoIt3/Aut2Exe" you will see if "Use UPX" is checked.

First, thanks for your help...

Well, I've seen the "UPX problem" that you are talking about (and that I didn't know) and then I've decided to add those lines to my first script:

#region
#AutoIt3Wrapper_UseUpx=n
#endregion

Now it's really better with all my scripts (the scans now run fast, in one or two seconds, when it took one or two minutes before) except for the first script that I've posted, where it again takes one minute when I copy the exe to the disk (with "@copy myscript.exe c:\temp\*.* /y")...

Where is the problem? Which lines are not "correct" for the antivirus?

NB: I've added another option, #AutoIt3Wrapper_Compression=0, but it's the same thing... it's again slow with this script...

Edited by akorx


If you only have problems with this particular script then I would remove statement by statement until the problem goes away. I would start with the #-statements.

Remove "#include <GuiConstants.au3>" because it is not necessary. Then continue with the #AutoIt3Wrapper directives etc.



I was getting the same issue. Now it is resolved. ;)

Point to be noted here is that, whenever I was removing my network cable, it worked fine.

Thanks a lot for your support


#7 ·  Posted (edited)

We found that disabling the "Use Upx" option did not resolve this issue when using AutoIt version v3.3.8.1. However, disabling the "Use Upx" option did resolve the issue for us when we went back and tested with the v3.3.6.1 and v3.3.0.0 versions of AutoIt.

Edited by kckennedy


Another solution can be to use Exception directories in your AV software.

I added all my directories with AutoIt scripts to the exclude list in my AV software and I'm absolutely happy now.


@OP:

There is a newer version of SEP. It is now at 12.1.1101.401 RU1 MP1.

I always had false positives and slow exe launch times with UPX compression enabled with SEP 12 and 12.1. Issues were resolved after disabling UPX compression on compiled exes. I think the issue is from the new Sonar Engine (introduced in version 12) not being able to find a reputable match on the files with UPX compression enabled.


The new 12.1.1101.401 RU1 MP1 version is what we are testing now... The x64-bit install seems to perform fine with no issues on our Windows 7 64-bit machines. It's the x32 install on Windows XP we are having the issue even when compiling without UPX compression in Auto v3.3.8.1. If you go to Client Management settings and turn off their new "Insight lookups" function, the performance problems go away altogether (this is not recommended though - can lead to more false positives). Seems like Symantec could make this work similar between x32 and x64, but when we opened a ticket with them they also suggested doing exceptions. We are looking at that, but this is causing us problems with other executables besides compiled AutoIt scripts.


You can also troubleshoot this by disabling the "Allow Insight lookups for threat detection (recommended)" option in the client under "Change Settings"; "Client Management"; "Configure Settings" button; Submissions tab.


#12 ·  Posted (edited)

I was also having this problem with SEP 12.1 and AutoIT 3.3.6.1

What fixed it for me was:

In Aut2Exe v3 go to Compression > Uncheck UPX Compress .exe Stub

Check the box for x64 - The first time I tried without checking x64 it didn't work. Started working after that (all my machines are 64 bit)

Set an application exception for the .exe in SEPM

Compiled scripts that were taking for some people 15 minutes to load are loading in a couple seconds now.

Edited by benjbong
