MarkIT Posted January 15, 2020 Share Posted January 15, 2020 Hi AutoIT masters, Good day! Sorry to have bothered this forum but we really need help. We are working on an automation project that is running on VDI server. The BOTS are in .exe are running fine until AV detected them and deleted the files. The files were re-compiled and AV kept on deleting them. The copy of the .exe BOT deleted were sent to Symantec for whitelisting. After whitelisting, it is no longer deleted but no longer working as designed (showing Line script error). We checked the scripts and there were no issues since we run it using SciTE editor and it performed the desired task. Good thing we found on this thread the solution using .a3x and the BOTS worked fine and no longer deleted. Now, the problem is they are asking why the BOTS won't run in .EXE and what is the reason behind Symantec AV deleting them. We raised a case with Symantec but they cannot provide further information as they are always seeing the file as "False Positive". We even tested with Symantec turned off and those .EXE files are working fine, however, after re-enabling, it got deleted. Just seeking help on how to better convince them that it is really Symantec causing the issue and the .a3x file. Link to comment Share on other sites More sharing options...
Nine Posted January 15, 2020 Share Posted January 15, 2020 (edited) I suppose showing them this thread could help : https://www.autoitscript.com/forum/topic/34658-are-my-autoit-exes-really-infected/ cause it did helped me in the past ps. it is not specific to Symantec, as far as I know all AVs react the same... Edited January 15, 2020 by Nine MarkIT 1 “They did not know it was impossible, so they did it” ― Mark Twain Spoiler Block all input without UAC Save/Retrieve Images to/from Text Monitor Management (VCP commands) Tool to search in text (au3) files Date Range Picker Virtual Desktop Manager Sudoku Game 2020 Overlapped Named Pipe IPC HotString 2.0 - Hot keys with string x64 Bitwise Operations Multi-keyboards HotKeySet Recursive Array Display Fast and simple WCD IPC Multiple Folders Selector Printer Manager GIF Animation (cached) Screen Scraping Link to comment Share on other sites More sharing options...
MarkIT Posted January 15, 2020 Author Share Posted January 15, 2020 Thanks Nine! I will read the thread. Link to comment Share on other sites More sharing options...
TheXman Posted January 15, 2020 Share Posted January 15, 2020 (edited) Why go through the hassle of dealing with a behemoth like Symantec, or any other AV company for that matter, over scripts that you create? I could understand it if it were a full-blown application, but these are scripts. If it were me, and I had control over my environment (as any IT department or professional should), I would designate a folder structure that scripts can be run from, apply the appropriate ACLs to that structure, and exclude that folder structure from AV scanning. That way, you don't have to play whack-a-mole with AV companies and you can rest assured that your scripts wont be quarantined due to any AV-related issues. Edited January 15, 2020 by TheXman Zedna and Musashi 2 CryptoNG UDF: Cryptography API: Next Gen jq UDF: Powerful and Flexible JSON Processor | jqPlayground: An Interactive JSON Processor Xml2Json UDF: Transform XML to JSON | HttpApi UDF: HTTP Server API | Roku Remote: Example Script About Me How To Ask Good Questions On Technical And Scientific Forums (Detailed) | How to Ask Good Technical Questions (Brief) "Any fool can know. The point is to understand." -Albert Einstein Link to comment Share on other sites More sharing options...
ViciousXUSMC Posted January 15, 2020 Share Posted January 15, 2020 1 hour ago, TheXman said: Why go through the hassle of dealing with a behemoth like Symantec, or any other AV company for that matter, over scripts that you create? I could understand it if it were a full-blown application, but these are scripts. If it were me, and I had control over my environment (as any IT department or professional should), I would designate a folder structure that scripts can be run from, apply the appropriate ACLs to that structure, and exclude that folder structure from AV scanning. That way, you don't have to play whack-a-mole with AV companies and you can rest assured that your scripts wont be quarantined due to any AV-related issues. That is what I do, but when I was in positions lower than those with the authority to make the action or you get a new higher authority (like a security officer) it can make it a pain when it comes to government or corporations. I try to use .bat and .ps1 as much as possible for this reason to standardize and make it easy for other techs to use my work. However when I need the extra power of AutoIT I still use it. I have more than once been bitten by some random false positive that comes up and deletes a script that has been in production for months or even years. Infact I may soon try to just start keeping a local copy of AutoIT on the machines and keep a copy of the script compiled as an a3x and run it as a parameter, this is also a way to work around the problem as far as I know. Link to comment Share on other sites More sharing options...
Exit Posted February 1, 2020 Share Posted February 1, 2020 On 1/15/2020 at 7:25 PM, ViciousXUSMC said: Infact I may soon try to just start keeping a local copy of AutoIT on the machines and keep a copy of the script compiled as an a3x and run it as a parameter, this is also a way to work around the problem as far as I know. And that's exactly why I wrote the Au3toCmd app. A CMD file with all necessary files as "alternate data streams". The CMD file runs standalone on the computer and the virus scanners are left behind. See my signature for download. App: Au3toCmd UDF: _SingleScript() Link to comment Share on other sites More sharing options...
Neutro Posted February 1, 2020 Share Posted February 1, 2020 (edited) Symantec has a false positive system: https://submit.symantec.com/false_positive/ Just submit your exe to them through it. Once they've fixed the problem they'll give you rapid releases definitions you can use to update your symantec server, or if you wait a bit longer it'll be included in the global definition release. It happend to me once or twice when i was working for a company that used symantec and they acted quickly to solve it. I'm not a fan of symantec but i must admit they did a good job about my submissions. Edited February 1, 2020 by Neutro Identify active network connections and change DNS server - Easily export Windows network settings Clean temporary files from Windows users profiles directories - List Active Directory Groups members Export content of an Outlook mailbox to a PST file - File patch manager - IRC chat connect example Thanks again for your help Water! Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now