Skysnake

McAfee Antivirus Plus killing my compiled scripts


Howdy, 

In a bizarre twist of events a client installed McAfee Antivirus Plus (the paid version).  I have scripts running there, the simplest is a little HTTP downloader, which opens HTML pages and downloads some files.  These scripts have been running for years.  The new AV kills the process.  The process just "disappears" with no warning.

I can not find an "exception" setting.  IT on site had to kill it in the Task Manager and restart the PC.  All other AV products (even the free ones) have an easily accessible Exception setting.

Note that the standard McAfee that typically comes with Acrobat does not do this, yet.

Any advice on this please? Other than "get a new AV"? This has been suggested and as they just dished out the cash, not a current option.


Send a report?



I had the same problem: my au .exe was deleted by Avira antivirus, and this is what Avira shows:

E:\autoit\automhk v1.exe (SHA-256: f9a02cff6eac9501572db4d5e8869051763eff68426e3b9d56ec3c7e6a1c7f7f)
[DETECTION] Contains suspicious code HEUR/APC (Cloud)


So report these false positives to the AV companies - we can do nothing.

And we shut the cage door - again - to protect the poor old Oozlum bird. Thread locked.

M23

 

 



  • Similar Content

    • By Exit
      Au3toCmd  ---  Avoid false positives
      Since many virus scanners sometimes prevent a "compiled autoit EXE" from being executed as "false positive", the "*.A3X" format is a suitable format to avoid this problem.
      In order to simplify this procedure, I wrote the Au3toCmd script. Here a *.Cmd file is generated from a *.Au3 file. The necessary files Autoit3.exe and *.A3x are added to the "*.Cmd" file as "alternate data streams".
      Now the Autoit Script can be called by clicking on the cmd file and the anti-virus scanners do not recognize the "false positive".
      If the short-term flashing of the CMD window bothers you, you can click the desktop shortcut that runs in a minimized window.
      Unfortunately, because of the "alternate data streams", this CMD file cannot be distributed via FTP or email.
      Only a USB stick or removable disk formatted with NTFS can be used.
      To solve this problem, Au3toCmd can be used to create a ZIP file that is email and FTP compatible.  Only possible on Win10 due to Powershell 5.0
      Expand this ZIP file on the target system and execute the "*.ADS.Run-me-first.cmd" script. The original CMD file is created again and the auxiliary files are deleted.
      Edit (2020.05.16)  The new version also accepts A3X and EXE files. This means that A3X and EXE files that have been compiled with special options can be used. As a side effect, other EXE files can also be included in the CMD file and therefore not detectable by virus scanners.
      Edit (2020.07.18)  Desktop shortcuts created automatically. Just delete them, if you don't like them.
      Edit (2020.07.22)  Using codepage 1252 
      Here the source of Au3toCmd.au3 
      This is a nice example of peaceful interaction between Autoit (*. au3), Dos (*. cmd), Powershell (*. ps1) and VSBasic (*. vbs)
      ;==============================================================================================================
      ; Script Name:    Au3toCmd.au3
      ; Description:    Creates a CMD file from any AU3/A3X/EXE file.
      ;                 The CMD file will contain the compiled version (A3X) of the AU3 input file
      ;                 and the AUTOIT3.EXE file as alternate data streams.
      ;                 Alternativly it will contain any EXE file.
      ;                 This avoids the problem with the false positives of the virus scanners.
      ;                 To avoid the short-term flashing of the CMD window, a shortcut is created on the desktop
      ;                 that runs in a minimized window.
      ;
      ; Syntax:         Au3toCmd (input-file)
      ; Default:        none
      ; Parameter:      Name of an AU3/A3X/EXE file (optional)
      ; Requirement(s): When using Zip feature: Powershell 5.0 or higher (Windows 10 is ok)
      ; Example:        Au3toCmd testfile.au3
      ;
      ; Author:         Exit ( http://www.autoitscript.com/forum/user/45639-exit )
      ; SourceCode:     http://www.autoitscript.com/forum/index.php?showtopic=201562 Version: 2020.07.22
      ; COPYLEFT:       © 2020 Freeware by "Exit"
      ;                 ALL WRONGS RESERVED
      ;==============================================================================================================
      #AutoIt3Wrapper_Au3Check_Parameters=-d -w 1 -w 2 -w 3 -w 4 -w 5 -w 6 -w 7
      #include <File.au3>
      #include <String.au3>

      Global $rc, $sSourcepath, $sTargetpath, $sA3Dir, $aPathSplit, $sDrive, $sDir, $sFileName, $sExtension, $sIconPath = "", $iIconNumber = 0
      Exit _Main()

      Func _Main()
          $sA3Dir = RegRead("HKLM\SOFTWARE\AutoIt V3\AutoIt", "InstallDir")
          If Not (FileExists($sA3Dir & "\autoit3.exe") And FileExists($sA3Dir & "\au3check.exe") And FileExists($sA3Dir & "\Aut2Exe\Aut2exe.exe")) Then Exit MsgBox(16 + 262144, Default, "Error: Autoit not installed on this system.", 0)
          _Sourcepath()
          _IconPath()
          $sTargetpath = $sDrive & $sDir & $sFileName & ".cmd"
          FileDelete($sTargetpath)
          FileDelete($sTargetpath & ".ADS.*")
          If Not FileWriteLine($sTargetpath, _
                  "@echo off & cd /D %~dp0 & cls" & @CRLF & _
                  "for /f ""delims="" %%F in ('dir /R %~nx0 ^| find /C ""$DATA"" ') do set mycount=%%F" & @CRLF & _
                  "if .%mycount% == .0 echo Invalid copy of %~nx0. No ADS found. & pause & goto :eof " & @CRLF & _
                  "if .%mycount% == .1 wmic process call create ""%~f0:prog %*"" " & @CRLF & _
                  "if .%mycount% == .2 wmic process call create ""%~f0:prog %~f0:a3x %*"" ") Then _
                  Return MsgBox(16 + 262144, Default, "Error: Cannot write to output file '" & $sTargetpath & "'", 0)
          Switch $sExtension
              Case ".au3"
                  If ShellExecuteWait($sA3Dir & "\au3check.exe", ' -q "' & $sSourcepath & '"') Then _
                          Exit MsgBox(16 + 262144, Default, "Error: Input file """ & $sSourcepath & """ has Errors.", 0)
                  ShellExecuteWait($sA3Dir & "\Aut2Exe\Aut2exe.exe", "/In " & $sSourcepath & " /out " & $sTargetpath & ":a3x")
                  FileCopy($sA3Dir & "\Autoit3.exe", $sTargetpath & ":prog")
              Case ".a3x"
                  FileCopy($sSourcepath, $sTargetpath & ":a3x")
                  FileCopy($sA3Dir & "\Autoit3.exe", $sTargetpath & ":prog")
              Case ".exe"
                  FileCopy($sSourcepath, $sTargetpath & ":prog")
          EndSwitch
          FileCreateShortcut($sTargetpath, @DesktopDir & "\" & $sFileName & ".lnk", $sDrive & $sDir, "", "", $sIconPath, "", $iIconNumber, 7)
          If MsgBox(4 + 32 + 256 + 262144, Default, $sTargetpath & " and " & @LF & @DesktopDir & "\" & $sFileName & ".lnk created." & @LF & @LF & "Create a portable ZIP file " & @LF & $sTargetpath & ".ADS.zip ?", 0) = 6 Then _CreateZip($sTargetpath)
          If MsgBox(4 + 32 + 256 + 262144, Default, "Run " & $sTargetpath & " ?", 0) = 6 Then ShellExecute(@DesktopDir & "\" & $sFileName & ".lnk")
      EndFunc   ;==>_Main

      Func _CreateZip($sTargetpath)
          If RunWait(@ComSpec & " /c " & 'powershell Compress-Archive -?', "", @SW_HIDE) Then Return MsgBox(64 + 262144, Default, "Zip file cannot be created because the software ""Powershell 5.0"" is not available." & @CRLF & "Install Powershell 5.0 or higher and try again.", 0)
          Local $sRem = (StringRight($sSourcepath, 4) = ".exe") ? "rem " : ""
          FileDelete($sTargetpath & ".ADS.*")
          FileWriteLine($sTargetpath & ".ADS.Run-me-first.cmd", _
                  "@echo off" & @CRLF & _
                  "%~d0 & cd %~dp0" & @CRLF & _
                  "chcp 1252" & @CRLF & _
                  "set name1=%~n0" & @CRLF & _
                  "set name1=%name1:~0,-21%" & @CRLF & _
                  "set compare1=%cd% " & @CRLF & _
                  "set compare2=%compare1:AppData\Local\Temp=other% " & @CRLF & _
                  "if .%compare1%==.%compare2% goto :skip" & @CRLF & _
                  "echo off & cls " & @CRLF & _
                  "echo. " & @CRLF & _
                  "echo Please extract ALL files from ZIP file first and then run this CMD again. Press any key to exit." & @CRLF & _
                  "Pause > NUL: & goto :eof" & @CRLF & _
                  ":skip " & @CRLF & _
                  "rem echo on " & @CRLF & _
                  "ren %name1%.cmd.ADS.cmd %name1%.cmd" & @CRLF & _
                  $sRem & "type %name1%.cmd.ADS.a3x > %name1%.cmd:a3x" & @CRLF & _
                  $sRem & "del %name1%.cmd.ADS.a3x" & @CRLF & _
                  "type %name1%.cmd.ADS.prog > %name1%.cmd:prog" & @CRLF & _
                  "del %name1%.cmd.ADS.prog" & @CRLF & _
                  "move /Y %name1%.cmd .." & @CRLF & _
                  "cd .. " & @CRLF & _
                  "rem echo name1: ---%name1%--- ---%cd%--- ---%~dp0%---" & @CRLF & _
                  "move /Y %~dp0\%name1%.cmd.ADS.ico .\%name1%.ico" & @CRLF & _
                  "rem dir /R %name1%.* " & @CRLF & _
                  "rem pause " & @CRLF & _
                  'echo Set oWS = WScript.CreateObject("WScript.Shell") > ~~.vbs' & @CRLF & _
                  'echo Set oLink = oWS.CreateShortcut("%userprofile%\desktop\%name1%.lnk") >> ~~.vbs' & @CRLF & _
                  'echo oLink.TargetPath = "%cd%\%name1%.cmd" >> ~~.vbs' & @CRLF & _
                  'echo oLink.Arguments = "" >> ~~.vbs' & @CRLF & _
                  'echo oLink.Description = "Invoke %name1%.cmd" >> ~~.vbs ' & @CRLF & _
                  'echo oLink.HotKey = "" >> ~~.vbs' & @CRLF & _
                  'echo oLink.IconLocation = "%cd%\%name1%.ico" >> ~~.vbs' & @CRLF & _
                  'echo oLink.WindowStyle = "7" >> ~~.vbs' & @CRLF & _
                  'echo oLink.WorkingDirectory = "" >> ~~.vbs' & @CRLF & _
                  'echo oLink.Save >> ~~.vbs' & @CRLF & _
                  'cscript ~~.vbs >NUL: ' & @CRLF & _
                  'del ~~.vbs ' & @CRLF & _
                  "rem pause " & @CRLF & _
                  "echo off & cls " & @CRLF & _
                  "echo. " & @CRLF & _
                  "@if not exist ""%userprofile%\desktop\%name1%.lnk"" echo ""%userprofile%\desktop\%name1%.lnk"" not created due to pathname with special characters. " & @CRLF & _
                  "@if exist ""%userprofile%\desktop\%name1%.lnk"" echo ""%userprofile%\desktop\%name1%.lnk"" created. " & @CRLF & _
                  "@if not exist ""%cd%\%name1%.cmd"" echo ""%userprofile%\desktop\%name1%.lnk"" not created due to pathname with special characters. " & @CRLF & _
                  "@if exist ""%cd%\%name1%.cmd"" echo ""%cd%\%name1%.cmd"" created. " & @CRLF & _
                  "echo. " & @CRLF & _
                  "echo. " & @CRLF & _
                  "echo Press any key to terminate." & @CRLF & _
                  "Pause > NUL: " & @CRLF & _
                  "del .\%name1%.cmd.ADS.zip" & @CRLF & _
                  "rd /S /Q %name1%.cmd.ADS " & @CRLF & _
                  "rem End of script" & @CRLF)
          If Not $sRem Then FileWrite($sTargetpath & ".ADS.a3x", FileRead($sTargetpath & ":a3x"))
          FileWrite($sTargetpath & ".ADS.cmd", FileRead($sTargetpath))
          FileWrite($sTargetpath & ".ADS.prog", FileRead($sTargetpath & ":prog"))
          If $sExtension = ".exe" Then
              _CreateIconfile()
          Else
              FileWrite($sTargetpath & ".ADS.ico", FileRead($sIconPath))
          EndIf
          ShellExecuteWait("Powershell", "Compress-Archive -Path " & $sTargetpath & ".ADS.* -Update -DestinationPath " & $sTargetpath & ".ADS.zip", "", "open", @SW_HIDE)
          If Not FileExists($sTargetpath & ".ADS.zip") Then MsgBox(64 + 262144, Default, "Zip file cannot be created because authorisation problems.", 0)
          FileDelete($sTargetpath & ".ADS.a3x")
          FileDelete($sTargetpath & ".ADS.cmd")
          FileDelete($sTargetpath & ".ADS.prog")
          FileDelete($sTargetpath & ".ADS.ico")
          FileDelete($sTargetpath & ".ADS.Run-me-first.cmd")
      EndFunc   ;==>_CreateZip

      Func _Sourcepath()
          If $cmdline[0] > 0 Then $sSourcepath = $cmdline[1]
          Select
              Case FileExists($sSourcepath)
              Case FileExists($sSourcepath & ".au3")
                  $sSourcepath = $sSourcepath & ".au3"
              Case FileExists($sSourcepath & ".a3x")
                  $sSourcepath = $sSourcepath & ".a3x"
              Case FileExists($sSourcepath & ".exe")
                  $sSourcepath = $sSourcepath & ".exe"
              Case Else
                  $sSourcepath = FileOpenDialog("Enter AU3/A3X/EXE Inputfile ", "", "Autoit Files(*.au3;*.a3x;*.exe)", 3)
                  If @error Then Exit MsgBox(16 + 262144, Default, "Error: No Inputfile given", 0)
          EndSelect
          $sSourcepath = _PathFull($sSourcepath)
          $aPathSplit = _PathSplit($sSourcepath, $sDrive, $sDir, $sFileName, $sExtension)
          If DriveGetFileSystem($sDrive) <> "NTFS" Then Exit MsgBox(16 + 262144, Default, "Sorry: Input filesystem must be 'NTFS'", 0)
          If StringInStr($sSourcepath, " ") Then Exit MsgBox(16 + 262144, Default, "Sorry: Pathnames with embedded blanks not yet supported.", 0)
          FileChangeDir($sDrive & $sDir)
      EndFunc   ;==>_Sourcepath

      Func _IconPath()
          $sIconPath = ""
          If FileExists($sDrive & $sDir & $sFileName & ".ico") Then $sIconPath = $sDrive & $sDir & $sFileName & ".ico"
          Local $aTemp = _StringBetween(FileRead($sSourcepath), "#", ".ico")
          If Not @error Then
              $aTemp = StringSplit($aTemp[0], "=, ")
              If FileExists($aTemp[$aTemp[0]] & ".ico") Then
                  $sIconPath = $aTemp[$aTemp[0]] & ".ico"
              EndIf
          EndIf
          ;~ MsgBox(64 + 262144, Default, "$sIconPath: >" & $sIconPath & "<", 0)
          If FileExists($sDrive & $sDir & $sFileName & ".exe") Then $sIconPath = $sDrive & $sDir & $sFileName & ".exe"
          ;~ MsgBox(64 + 262144, Default, "$sIconPath: >" & $sIconPath & "<",0)
      EndFunc   ;==>_IconPath

      Func _CreateIconfile()
          FileWriteLine($sTargetpath & ".ADS.ps1", _
                  '### Pause' & @CRLF & _
                  'Function ExtractIcon' & @CRLF & _
                  '{Param([Parameter(Mandatory=$true)][string]$exe,[string]$ExtractPath)' & @CRLF & _
                  '$Filepath = (Get-ChildItem -Path $exe -Filter *.exe -ErrorAction SilentlyContinue) | Select -First 1' & @CRLF & _
                  '[System.Reflection.Assembly]::LoadWithPartialName("System.Drawing") | Out-Null' & @CRLF & _
                  '$baseName = [System.IO.Path]::GetFileNameWithoutExtension($Filepath.FullName)' & @CRLF & _
                  'Write-Progress "Extracting Icon" $baseName' & @CRLF & _
                  '[System.Drawing.Icon]::ExtractAssociatedIcon($Filepath.FullName).ToBitmap().Save("$ExtractPath.png")' & @CRLF & _
                  '$b = [System.Drawing.Bitmap]::FromFile("$ExtractPath.png")' & @CRLF & _
                  '$icon = [System.Drawing.Icon]::FromHandle($b.GetHicon())' & @CRLF & _
                  '$file = New-Object System.IO.FileStream("$ExtractPath", "OpenOrCreate")' & @CRLF & _
                  '$icon.Save($file);$file.Close();$icon.Dispose()}' & @CRLF & _
                  'ExtractIcon -exe "' & $sSourcepath & '" -Extractpath "' & $sTargetpath & '.ADS.ico"' & @CRLF & _
                  '### Pause' & @CRLF)
          RunWait(@ComSpec & " /c " & "Powershell -ExecutionPolicy Bypass " & $sTargetpath & ".ADS.ps1", @SW_HIDE)
          FileDelete($sTargetpath & ".ADS.ps1")
          FileDelete($sTargetpath & ".ADS.ico.png")
      EndFunc   ;==>_CreateIconfile

      ; End of Au3toCmd.au3 script

      The script can be called with a file name of an AU3 script as a parameter.
      If no name is entered, a query is made.
      Suggestions for improvement and bug reports are welcome.
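
For defenders, the layout this post describes (a .cmd file that carries `prog` and `a3x` alternate data streams and launches them through `%~f0:prog`) can be looked for in `dir /R` output. The following is an added example, not part of the original post or of Au3toCmd; the sample listing, file names and launcher line are constructed, and the benign-stream and script-extension lists are assumptions.

```python
import re

# Constructed sample of `dir /R` output (English locale); not taken from a real host.
SAMPLE_DIR_R = r"""
 Directory of E:\tools

07/22/2020  10:15 AM               412 report.cmd
                               946,688 report.cmd:prog:$DATA
                                51,200 report.cmd:a3x:$DATA
07/22/2020  10:16 AM             1,024 setup.cmd
                                    26 setup.cmd:Zone.Identifier:$DATA
07/22/2020  10:17 AM             8,192 notes.txt
                                   120 notes.txt:summary:$DATA
"""
# Constructed launcher line in the form the post's generated CMD file uses.
SAMPLE_LAUNCHER = 'wmic process call create "%~f0:prog %~f0:a3x %*"'

# Assumption: streams Windows itself attaches and that are expected on downloads.
BENIGN_STREAMS = {"zone.identifier"}
# Assumption: host file types where an extra named stream is worth a look.
SCRIPT_EXTS = (".cmd", ".bat", ".ps1", ".vbs", ".js")

# `dir /R` prints each named stream on its own indented line: size, then name:stream:$DATA
STREAM_LINE = re.compile(r"^\s+([\d.,]+)\s+(\S.*?):([^:]+):\$DATA\s*$")
# A batch file referring to a stream on itself, e.g. %~f0:prog
SELF_STREAM_REF = re.compile(r"%~[a-z]*0:([A-Za-z0-9_.-]+)", re.IGNORECASE)


def parse_dir_r(text):
    """Map file name -> [(stream name, size in bytes)] from `dir /R` output."""
    found = {}
    for line in text.splitlines():
        m = STREAM_LINE.match(line)
        if m:
            size = int(re.sub(r"\D", "", m.group(1)))  # drop thousands separators
            found.setdefault(m.group(2), []).append((m.group(3), size))
    return found


def suspicious_hosts(streams):
    """Script files carrying named streams other than the benign ones."""
    hits = {}
    for name, entries in streams.items():
        if not name.lower().endswith(SCRIPT_EXTS):
            continue
        odd = [(s, n) for s, n in entries if s.lower() not in BENIGN_STREAMS]
        if odd:
            hits[name] = odd
    return hits


def self_stream_refs(script_text):
    """Names of streams a batch file references on itself (%~f0:name)."""
    return sorted({m.group(1) for m in SELF_STREAM_REF.finditer(script_text)})


if __name__ == "__main__":
    for host, odd in suspicious_hosts(parse_dir_r(SAMPLE_DIR_R)).items():
        print(host, odd)
    print("self-referenced streams:", self_stream_refs(SAMPLE_LAUNCHER))
```

A hit from `suspicious_hosts` together with a matching name from `self_stream_refs` on the same file is the combination to triage first.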
    • By MarkIT
      Hi AutoIT masters,
      Good day! Sorry to have bothered this forum but we really need help. We are working on an automation project that is running on VDI server. The BOTS are in .exe are running fine until AV detected them and deleted the files. The files were re-compiled and AV kept on deleting them. The copy of the .exe BOT deleted were sent to Symantec for whitelisting. After whitelisting, it is no longer deleted but no longer working as designed (showing Line script error). We checked the scripts and there were no issues since we run it using SciTE editor and it performed the desired task. Good thing we found on this thread the solution using .a3x and the BOTS worked fine and no longer deleted. Now, the problem is they are asking why the BOTS won't run in .EXE and what is the reason behind Symantec AV deleting them. We raised a case with Symantec but they cannot provide further information as they are always seeing the file as "False Positive". We even tested with Symantec turned off and those .EXE files are working fine, however, after re-enabling, it got deleted.
      Just seeking help on how to better convince them that it is really Symantec causing the issue and the .a3x file.
    • By ambad4u
      Greetings to all,
      This may relate in regards to
      My question:
      If I have 2 different au3 scripts compiled individually as a standalone executable(s) (compilation settings are the same)
      OR
      If I have one au3 script compiled as a standalone executable(s) with different compilation settings.
      Does an Anti Virus see them as one signature for all? or treated as unique signatures?
       
      My reason behind this is that I am trying to plan ahead on how to deal with these false positives.
      I am a part of a small IT admin team that would like to automate some repeatable tasks using Autoit.
      Our AV is Sophos if one is curious.
      Any insights are highly appreciated!, many thanks in advance!
    • By BigDaddyO
      I've recently been getting hammered by Symantec SEP deleting all of my compiled scripts so I'm trying to figure out how I could run my scripts uncompiled.
      Problem is, these scripts are typically launched from inside Citrix sessions that I don't have control of so I can't install AutoIT in there to get all the #Include files that my scripts are using.
      I tried to use AU3Stripper and while, yes, that did create a single file and I could run it, it put it in a state that I couldn't easily maintain going forward.
       
      Is there any existing way to pull all the functions and drop them at the end of the main script?  Not sure about the Globals and Constants though, I guess they would have to go to the top which shoves everything else down.  I also need to maintain the current script spacing and comments as I often have to update older scripts and need the comments to help with that.