AutoIT executables as a virus


This morning when I came to work I found our Trend Micro antivirus deleting my AutoIT exes because it said they were a virus. I sent one to Trend and they say it is malicious. Here is what I got in an email.

-----------------------------------------------------------------------------------------

Our Solution!

Greetings!

Thank you for consulting Trend Labs HQ.

We have verified the file that you have sent set_notesupgrades.exe (122,292 bytes) and found it to be malicious. Trend Micro will detect this as ADW_MAXFILES.B using the Spyware Control Pattern 288.25.

Trend Micro strongly encourages you to update your pattern files regularly. It will protect you from the latest as well as old malware and spyware threats. You can download the latest pattern file from the following link: http://pc-cillin-p.activeupdate.trendmicro...tern/tmaptn.zip

If you find any dead links above, please let us know so we can fix it.

Thank you and have a nice day.

----------------------------------------------------------------------------------------

If I try to use Aut2exe (3.1.1.0), Trend deletes them each time. Now my older exes created with an older version of aut2exe are fine.

Anyone else having this problem? I will paste what is in the script. It is written with AdminScriptEditor.

;region Script Settings
;<settings><scriptpackager><process>autoit3.exe</process>
;<arguments>Set_LotusNotes.au3</arguments>
;<extractdir>%TEMP%</extractdir>
;<outputdir>\\*********\xxxxxx\Scripts\Scripts for Projects\LM2005</outputdir>
;<files>C:\Program Files\iTripoli\AdminScriptEditor\AutoIt3\AutoIt3.exe</files>
;<usedefaulticon>True</usedefaulticon>
;<icon></icon>
;<showinsystray>True</showinsystray>
;<tooltip></tooltip>
;<altcreds>False</altcreds>
;<efs>True</efs>
;<ntfs>True</ntfs>
;<local>False</local>
;<username></username>
;<domain></domain>
;<abortonfail>True</abortonfail>
;<product></product>
;<internalname></internalname>
;<version>1.0.0.1</version>
;<versionstring></versionstring>
;<description></description>
;<comments></comments>
;<company></company>
;</scriptpackager>
;</settings>
;
;endregion
;
; Script Packager Template
; creates variables For dynamic Use by raw script or packaged executable
;
; ©2004 iTripoli, Inc.
;
; When running as a packaged EXE, the AdminScriptEditor wrapper passes its paths in through environment variables.
If EnvGet("ISEXE") = "1" Then
    $HKCU = EnvGet("ASEHKCU")
    $CRDIRPATH = EnvGet("ASESCRIPTPATH")
    $CURDIR = EnvGet("ASEEXEPATH")
    $SCRIPTARGS = EnvGet("ASEEXEARGS")
    $CRDIRPATH1 = StringTrimRight($CRDIRPATH, 1)
    $CURDIR1 = StringTrimRight($CURDIR, 1)
Else
    ; Running as a raw .au3 script: derive the same values from the AutoIt macros.
    $HKCU = "HKEY_CURRENT_USER"
    $CURDIR1 = @ScriptDir
    $CRDIRPATH = @ScriptDir & "\"
    $SCRIPTARGS = "n/a"
    $CRDIRPATH1 = StringTrimRight(@WorkingDir, 1)
EndIf

$tmp = EnvGet("temp")
$wdr = EnvGet("windir")

; Copy the rollout files from the branch setup share into the Windows directory.
FileCopy("\\xxxxxxxx\branchsetup\rollout05\files\*.*", $wdr)

; Skip the install when the machine is on a VPN subnet or has no address yet.
$vpn1 = StringInStr(@IPAddress1, "172.30.")
$vpn2 = StringInStr(@IPAddress1, "172.28.")
$ipnul = StringInStr(@IPAddress1, "0.0.")

; Call() takes the function name as a string; the functions defined below are vpn1, vpn2, ipnul and notes.
If $vpn1 = 1 Then
    Call("vpn1")
ElseIf $vpn2 = 1 Then
    Call("vpn2")
ElseIf $ipnul = 1 Then
    Call("ipnul")
Else
    Call("notes")
EndIf

Func vpn1()
    Exit
EndFunc

Func vpn2()
    Exit
EndFunc

Func ipnul()
    Exit
EndFunc

; Check the installed Lotus Notes client version and install the package if it is not 6.5.4.
Func notes()
    $allusrp = EnvGet("allusersprofile")
    $cname = EnvGet("computername")
    $reg1 = RegRead("HKEY_LOCAL_MACHINE\Software\Lotus\Notes", "Path")
    $ver = FileGetVersion($reg1 & "\nlnotes.exe")
    If $ver <> "6.5.40.5086" Then
        Call("Install")
    EndIf
EndFunc

; Launch the Prism Pack client to install the Lotus Notes package from the package server read from the registry.
Func Install()
    $reg = RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\FB_APPS", "@PkgServer")
    Run("C:\Program Files\Prism Pack\Client\Paclient.exe " & "/InstallPackage " & $reg & "lotusnotes6\654\LNInstall6-5-4.pwc /nobeforeprompt")
EndFunc


I am getting this as well, but it is the Office Scan, not Spyware, that is identifying the file as a virus. Trend is indicating that it is a TROJ_DLOADER.ZS virus and deleting the file. I went back to the 3.1.0 version and everything is OK.


There are several threads about similar behavior with different scanners. It's a known issue that I believe they're working on trying to circumvent in an upcoming beta.