New False Positive in Norton blocks any App written in AutoIT


May 18, 2012 Trojan.Komodola false positive on probably any (I can confirm this for 3 totally different projects of mine) AutoIT compiled program.

For devs and users that use Symantec AVs together with AutoIT applications: Please help to verify and to get this sorted quickly.

False positives can be reported at https://submit.symantec.com/false_positive/; make sure to include a note that you'll get this issue with any (please test) AutoIT compiled executable.

Thanks

Update: Not all apps seem to be affected. I'm trying to reproduce the similarities now.

Edited by MadMakz

The obfuscator already triggers the issue in the uncompiled state: <script>_obfuscated.au3, which would then be packed inside the .exe.

#AutoIt3Wrapper_Run_Obfuscator=Y
MsgBox(0, "Test", "Hello World!")

Compiling without Obfuscator renders the .exe clean.

#AutoIt3Wrapper_Run_Obfuscator=N
MsgBox(0, "Test", "Hello World!")
Edited by MadMakz

Try these obfuscator settings so no encryption happens:

#Region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_Run_Obfuscator=y
#Obfuscator_Parameters=/striponly
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****
MsgBox(0, "Test", "Hello World!")


Thanks. Yes, this does indeed trigger no warning.

Done some more testing after you pointed to the settings;

/Convert_Strings=1
/Convert_Numerics=1

both trigger the issue independently.

/Convert_Funcs=1
/Convert_Vars=1
are fine.

Edited by MadMakz

Yes, but I opened this thread because Symantec suddenly started to block AutoIt while there were no issues with legit AutoIt applications for ages, and to point as many devs as possible to this recent event so Symantec may act faster due to a larger f/p confirming rate.

@jazzyjeff; thanks for the info.

Edited by MadMakz

Yes, but I opened this thread because Symantec suddenly started to block AutoIt while there were no issues with legit AutoIt applications for ages ...

Then uninstall (shit) Symantec software and install some competition product.

There is no obligation to use Symantec.

EDIT: There is another possible solution - use exception from scanning for directories with AutoIt's EXE files

Edited by Zedna

Then uninstall (shit) Symantec software and install some competition product.

There is no obligation to use Symantec.

EDIT: There is another possible solution - use exception from scanning for directories with AutoIt's EXE files

I have no control over the AV my "customers" are using.

I'm personally using Symantec because I get free licences from my ISP.

Edited by MadMakz

This is what I received from Symantec.

We are writing in relation to your submission through Symantec's on-line Security Risk / False Positive Dispute Submission form for your software being detected by Symantec Software.

Thanks to reports like yours we were able to quickly pinpoint the problem conditions that users like you were experiencing. In response to this issue, Symantec Security Response has removed this detection from the definitions.

You can retrieve the latest available Rapid Release definitions from here:

http://www.symantec.com/security_response/definitions.jsp

Or, you can retrieve the fix from LiveUpdate as well. Definition versions 20120522.018 and later contain the fix.

Decisions made by Symantec are subject to change if alterations to the Software are made over time or as classification criteria and/or the policy employed by Symantec changes over time to address the evolving landscape.

Sincerely,

Symantec Security Response
