MadMakz

New False Positive in Norton blocks any App written in AutoIT

MadMakz

May 18, 2012

Trojan.Komodola false positive on probably any (I can confirm this for 3 totally different projects of mine) AutoIT compiled program.

For devs and users that use Symantec AVs together with AutoIT applications: please help to verify this and to get it sorted quickly.

False positives can be reported at https://submit.symantec.com/false_positive/; make sure to include a note that you get this issue with any (please test) AutoIT compiled executable.

Thanks

Update: Not all apps seem to be affected. I'm trying to reproduce the similarities now.

Edited by MadMakz

MadMakz

Obfuscator triggers the issue already in the uncompiled state: <script>_obfuscated.au3, which would then be packed inside the .exe.

#AutoIt3Wrapper_Run_Obfuscator=Y
MsgBox(0, "Test", "Hello World!")

Compiling without Obfuscator renders the .exe clean.

#AutoIt3Wrapper_Run_Obfuscator=N
MsgBox(0, "Test", "Hello World!")
Edited by MadMakz

water

Try these obfuscator settings so no encryption happens:

#Region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_Run_Obfuscator=y
#Obfuscator_Parameters=/striponly
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****
MsgBox(0, "Test", "Hello World!")

MadMakz

Thanks. Yes, this does indeed trigger no warning.

Did some more testing after you pointed to the settings:

/Convert_Strings=1
/Convert_Numerics=1

both trigger the issue independently.

/Convert_Funcs=1
/Convert_Vars=1

are fine.

Edited by MadMakz

Share on other sites
jazzyjeff

We had this happen on utilities that we use this morning. A support call was made to Symantec and we have been told to wait between 24 and 36 hours for a fix.

MadMakz

Yes, but I opened this thread because Symantec suddenly started to block AutoIt while there were no issues with legit AutoIt applications for ages, and to point as many devs as possible to this recent event so Symantec may act faster due to a larger f/p confirmation rate.

@jazzyjeff; thanks for the info.

Edited by MadMakz

Zedna

Yes, but I opened this thread because Symantec suddenly started to block AutoIt while there were no issues with legit AutoIt applications for ages ...

Then uninstall (shit) Symantec software and install some competing product.

There is no obligation to use Symantec.

EDIT: There is another possible solution - use an exception from scanning for directories with AutoIt's EXE files.

Edited by Zedna

MadMakz

Then uninstall (shit) Symantec software and install some competing product.

There is no obligation to use Symantec.

EDIT: There is another possible solution - use an exception from scanning for directories with AutoIt's EXE files.

I have no control over the AV my "customers" are using.

I'm personally using Symantec because I get free licences from my ISP.

Edited by MadMakz

Bhrawn

Today from AVG Free I started getting virus warnings in every single one of my scripts (ok, so it's only 3, but all 3 were tagged) for: dropper.generic_c.MKS

Grrrrrr

MadMakz

^as expected; others start to index it too. this is sh**

jazzyjeff

This is what I received from Symantec.

We are writing in relation to your submission through Symantec's on-line Security Risk / False Positive Dispute Submission form for your software being detected by Symantec Software.

Thanks to reports like yours we were able to quickly pinpoint the problem conditions that users like you were experiencing. In response to this issue, Symantec Security Response has removed this detection from the definitions.

You can retrieve the latest available Rapid Release definitions from here:

http://www.symantec.com/security_response/definitions.jsp

Or, you can retrieve the fix from LiveUpdate as well. Definition versions 20120522.018 and later contain the fix.

Decisions made by Symantec are subject to change if alterations to the Software are made over time or as classification criteria and/or the policy employed by Symantec changes over time to address the evolving landscape.

Sincerely,

Symantec Security Response
