ambad4u

Yet another Compiled Script & AV Question

Greetings to all,

This may relate in regards to

My question:
If I have 2 different au3 scripts compiled individually as a standalone executable(s) (compilation settings are the same)

OR

If I have one au3 script compiled as a standalone executable(s) with different compilation settings.

Does an antivirus see them as one signature for all, or are they treated as unique signatures?

 

My reason behind this is that I am trying to plan ahead on how to deal with these false positives.
I am a part of a small IT admin team that would like to automate some repeatable tasks using AutoIt.
Our AV is Sophos if one is curious.

Any insights are highly appreciated! Many thanks in advance!


Often it seems to me, that UPX is a factor in false positives.

So you could have one compiled version that doesn't use UPX compression ... or uses an older version of it ... or uses a different compressor program.

Depends on your file size requirement I guess.

The upx.exe program file can be found in the Aut2Exe folder.

That type of change might give you enough difference.

However, I don't know enough about signatures to comment on that side of it.


AutoIt.4.Life Clubrooms - Life is like a Donut (secret key)

Make sure brain is in gear before opening mouth!
Remember, what is not said, can be just as important as what is said.

Spoiler

What is the Secret Key? Life is like a Donut

If I put effort into communication, I expect you to read properly & fully, or just not comment.
Ignoring those who try to divert conversation with irrelevancies.
If I'm intent on insulting you or being rude, I will be obvious, not ambiguous about it.
I'm only big and bad, to those who have an over-active imagination.

I may have the Artistic Liesense ;) to disagree with you. TheSaint's Toolbox (be advised many downloads are not working due to ISP screwup with my storage)


Thank you @TheSaint

I guess I may need to go to the Sophos forums for this one and have the real examples for them to see if the signatures differ or not.


You could also just compile your scripts as .a3x (it's a radio option in the compiler) and then launch them via a shortcut that points to autoit3.exe, with the .a3x file as a command-line option. I have been slowly moving all my automations over to that as they never seem to get flagged.


hmm... I guess I have to have a signature...


Or just associate the .a3x file with wherever you have autoit3.exe located.

A good solution that has never occurred to me. No doubt successful because essentially just text based like a script (plus dependencies), and I have never seen a script flagged by AV. And autoit3.exe has been signed and doesn't change very often.

Edited by TheSaint

