Jump to content
MarkIT

Proof needed for .exe files being blocked by Symantec

By MarkIT, in AutoIt General Help and Support

Recommended Posts

MarkIT    0

MarkIT
Posted

Hi AutoIT masters,

Good day! Sorry to have bothered this forum but we really need help. We are working on an automation project that is running on VDI server. The BOTS are in .exe are running fine until AV detected them and deleted the files. The files were re-compiled and AV kept on deleting them. The copy of the .exe BOT deleted were sent to Symantec for whitelisting. After whitelisting, it is no longer deleted but no longer working as designed (showing Line script error). We checked the scripts and there were no issues since we run it using SciTE editor and it performed the desired task. Good thing we found on this thread the solution using .a3x and the BOTS worked fine and no longer deleted. Now, the problem is they are asking why the BOTS won't run in .EXE and what is the reason behind Symantec AV deleting them. We raised a case with Symantec but they cannot provide further information as they are always seeing the file as "False Positive". We even tested with Symantec turned off and those .EXE files are working fine, however, after re-enabling, it got deleted.

Just seeking help on how to better convince them that it is really Symantec causing the issue and the .a3x file.

Share this post

Link to post
Share on other sites

Nine    600

Nine
Posted (edited)

I suppose showing them this thread could help :

https://www.autoitscript.com/forum/topic/34658-are-my-autoit-exes-really-infected/ 

cause it did helped me in the past

ps. it is not specific to Symantec, as far as I know all AVs react the same...

Edited by Nine
MarkIT reacted to this

Share this post

Link to post
Share on other sites

TheXman    253

TheXman
Posted (edited)

Why go through the hassle of dealing with a behemoth like Symantec, or any other AV company for that matter, over scripts that you create?  I could understand it if it were a full-blown application, but these are scripts.  If it were me, and I had control over my environment (as any IT department or professional should), I would designate a folder structure that scripts can be run from, apply the appropriate ACLs to that structure, and exclude that folder structure from AV scanning.  That way, you don't have to play whack-a-mole with AV companies and you can rest assured that your scripts wont be quarantined due to any AV-related issues.

Edited by TheXman
Musashi and Zedna reacted to this

Share this post

Link to post
Share on other sites

ViciousXUSMC    92

ViciousXUSMC
Posted
1 hour ago, TheXman said:

Why go through the hassle of dealing with a behemoth like Symantec, or any other AV company for that matter, over scripts that you create?  I could understand it if it were a full-blown application, but these are scripts.  If it were me, and I had control over my environment (as any IT department or professional should), I would designate a folder structure that scripts can be run from, apply the appropriate ACLs to that structure, and exclude that folder structure from AV scanning.  That way, you don't have to play whack-a-mole with AV companies and you can rest assured that your scripts wont be quarantined due to any AV-related issues.

That is what I do, but when I was in positions lower than those with the authority to make the action or you get a new higher authority (like a security officer) it can make it a pain when it comes to government or corporations.

I try to use .bat and .ps1 as much as possible for this reason to standardize and make it easy for other techs to use my work.  However when I need the extra power of AutoIT I still use it.  I have more than once been bitten by some random false positive that comes up and deletes a script that has been in production for months or even years. 

Infact I may soon try to just start keeping a local copy of AutoIT on the machines and keep a copy of the script compiled as an a3x and run it as a parameter, this is also a way to work around the problem as far as I know.

Share this post

Link to post
Share on other sites

Exit    126

Exit
Posted
On 1/15/2020 at 7:25 PM, ViciousXUSMC said:

Infact I may soon try to just start keeping a local copy of AutoIT on the machines and keep a copy of the script compiled as an a3x and run it as a parameter, this is also a way to work around the problem as far as I know.

And that's exactly why I wrote the Au3toCmd app.
A CMD file with all necessary files as "alternate data streams".
The CMD file runs standalone on the computer and the virus scanners are left behind.
See my signature for download.

App: Au3toCmd              UDF: _SingleScript()                             

Share this post

Link to post
Share on other sites

Neutro    36

Neutro
Posted (edited)

Symantec has a false positive system:

https://submit.symantec.com/false_positive/

Just submit your exe to them through it. Once they've fixed the problem they'll give you rapid releases definitions you can use to update your symantec server, or if you wait a bit longer it'll be included in the global definition release.

It happend to me once or twice when i was working for a company that used symantec and they acted quickly to solve it.

I'm not a fan of symantec but i must admit they did a good job about my submissions.

Edited by Neutro

Share this post

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Go To Topic Listing

  • Recently Browsing   0 members

    No registered users viewing this page.

  • Similar Content

    • kingjacob90
      Click a button with a changing position
      By kingjacob90
      Hi
      So I am trying to click the green button, this button is not always in the same place. So fare I am trying to click it by finding the color but there is also something else with the same color on the screen (circled in yellow) that is causing issues. Is there a way to use the Title and Class of the window (can't be just the window as there are more than one with the same name).
      How does AutoIt Info get this information?

    • Exit
      Au3toCmd -- Avoid false positives
      By Exit
      Au3toCmd  ---  Avoid false positives
      Since many virus scanners sometimes prevent a "compiled autoit EXE" from being executed as "false positive", the "*.A3X" format is a suitable format to avoid this problem.
      In order to simplify this procedure, I wrote the Au3toCmd script. Here a *.Cmd file is generated from a *.Au3 file. The necessary files Autoit3.exe and *.A3x are added to the "*.Cmd" file as "alternate data streams".
      Now the Autoit Script can be called by clicking on the cmd file and the anti-virus scanners do not recognize the "false positive".
      If the short-term flashing of the CMD window bothers you, you can create a link that runs in a minimized window.
      Unfortunately, because of the "alternate data streams", this CMD file cannot be distributed via FTP or email.
      Only a USB stick or removable disk formatted with NTFS can be used.
      To solve this problem, Au3toCmd can be used to create a ZIP file that is email and FTP compatible.  Only possible on Win10 due to Powershell 5.0
      Expand this ZIP file on the target system and execute the "*.ADS.Run-me-first.cmd" script. The original CMD file is created again and the auxiliary files are deleted.
      Edit;
      The new version also accepts A3X and EXE files. This means that A3X and EXE files that have been compiled with special options can be used.
      As a side effect, other EXE files can also be included in the CMD file and therefore not detectable by virus scanners.
       
      Here the source of Au3toCmd.au3 
      ;============================================================================================================== ; Script Name: Au3toCmd.au3 ; Description: Creates a CMD file from any AU3/A3X/EXE file. ; The CMD file will contain the compiled version (A3X) of the AU3 input file ; and the AUTOIT3.EXE file as alternate data streams. ; Alternativly it will contain any EXE file. ; This avoids the problem with the false positives of the virus scanners. ; If the short-term flashing of the CMD window bothers you, ; create the shortcut on the desktop that runs in a minimized window. ; ; Syntax: Au3toCmd (input-file) ; Default: none ; Parameter: Name of an AU3/A3X/EXE file (optional) ; Requirement(s): When using Zip feature: Powershell 5.0 or higher (Windows 10 is ok) ; Example: Au3toCmd testfile.au3 ; ; Author: Exit ( http://www.autoitscript.com/forum/user/45639-exit ) ; SourceCode: http://www.autoitscript.com/forum/index.php?showtopic=201562 Version: 2020.02.25 ; COPYLEFT: © 2020 Freeware by "Exit" ; ALL WRONGS RESERVED ;============================================================================================================== #AutoIt3Wrapper_Au3Check_Parameters=-d -w 1 -w 2 -w 3 -w 4 -w 5 -w 6 -w 7 #include <File.au3> Global $rc, $sSourcepath, $sTargetpath, $sA3Dir, $aPathSplit, $sDrive, $sDir, $sFileName, $sExtension, $sIconPath, $iIconNumber = 0 Exit _Main() Func _Main() $sA3Dir = RegRead("HKLM\SOFTWARE\AutoIt V3\AutoIt", "InstallDir") If Not (FileExists($sA3Dir & "\autoit3.exe") And FileExists($sA3Dir & "\au3check.exe") And FileExists($sA3Dir & "\Aut2Exe\Aut2exe.exe")) Then Exit MsgBox(16 + 262144, Default, "Error: Autoit not installed on this system.", 0) _Sourcepath() $sTargetpath = $sDrive & $sDir & $sFileName & ".cmd" FileDelete($sTargetpath) FileDelete($sTargetpath & ".ADS.*") FileDelete($sTargetpath & ".ADS") FileWriteLine($sTargetpath, _ "@echo off & cls" & @CRLF & _ "rem @echo on & dir /R %~nx0 & pause" & @CRLF & _ "for /f ""delims="" %%F in ('dir /R %~nx0 ^| find /C ""$DATA"" ') do set mycount=%%F" & @CRLF & _ "if .%mycount% == .0 echo Invalid copy of %~nx0. No ADS found. & pause & goto :eof " & @CRLF & _ "if .%mycount% == .1 wmic process call create ""%~f0:prog %*"" " & @CRLF & _ "if .%mycount% == .2 wmic process call create ""%~f0:prog %~f0:a3x %*"" " & @CRLF & _ "rem End of script" & @CRLF) Switch $sExtension Case ".au3" If ShellExecuteWait($sA3Dir & "\au3check.exe", ' -q "' & $sSourcepath & '"') Then _ Exit MsgBox(16 + 262144, Default, "Error: Input file """ & $sSourcepath & """ has Errors.", 0) ShellExecuteWait($sA3Dir & "\Aut2Exe\Aut2exe.exe", "/In " & $sSourcepath & " /out " & $sTargetpath & ":a3x") FileCopy($sA3Dir & "\Autoit3.exe", $sTargetpath & ":prog") Case ".a3x" FileCopy($sSourcepath, $sTargetpath & ":a3x") FileCopy($sA3Dir & "\Autoit3.exe", $sTargetpath & ":prog") Case ".exe" FileCopy($sSourcepath, $sTargetpath & ":prog") EndSwitch If MsgBox(4 + 32 + 256 + 262144, Default, $sTargetpath & " created." & @LF & @LF & "Create a shortcut on the desktop?", 0) = 6 Then FileCreateShortcut($sTargetpath, @DesktopDir & "\" & $sFileName & ".lnk", $sDrive & $sDir, "", "", $sIconPath, "", $iIconNumber, 7) If MsgBox(4 + 32 + 256 + 262144, Default, $sTargetpath & " created." & @LF & @LF & "Create a portable ZIP file ?" & @LF & $sTargetpath & ".ADS.zip", 0) = 6 Then _CreateZip($sTargetpath) If MsgBox(4 + 32 + 256 + 262144, Default, "Run " & $sTargetpath & " ?", 0) = 6 Then ShellExecute($sTargetpath) EndFunc ;==>_Main Func _CreateZip($sTargetpath) Local $sRem = (StringRight($sSourcepath, 4) = ".exe") ? "rem " : "" FileDelete($sTargetpath & ".ADS.*") FileWriteLine($sTargetpath & ".ADS.Run-me-first.cmd", _ "%~d0 & cd %~dp0" & @CRLF & _ "set name1=%~n0" & @CRLF & _ "set name1=%name1:~0,-21%" & @CRLF & _ "set compare1=%cd% " & @CRLF & _ "set compare2=%compare1:AppData\Local\Temp=other% " & @CRLF & _ "if .%compare1%==.%compare2% goto :skip" & @CRLF & _ "echo off & cls " & @CRLF & _ "echo Please extract ALL files from ZIP file first and then run this CMD again. " & @CRLF & _ "Pause & goto :eof" & @CRLF & _ ":skip " & @CRLF & _ "ren %name1%.cmd.ADS.cmd %name1%.cmd" & @CRLF & _ $sRem & "type %name1%.cmd.ADS.a3x > %name1%.cmd:a3x" & @CRLF & _ $sRem & "del %name1%.cmd.ADS.a3x" & @CRLF & _ "type %name1%.cmd.ADS.prog > %name1%.cmd:prog" & @CRLF & _ "del %name1%.cmd.ADS.prog" & @CRLF & _ "move /Y %name1%.cmd .." & @CRLF & _ "cd .. " & @CRLF & _ "echo off & cls " & @CRLF & _ "echo ""%cd%\%name1%.cmd"" created. " & @CRLF & _ "pause " & @CRLF & _ "del .\%name1%.cmd.ADS.zip" & @CRLF & _ "rd /S /Q %name1%.cmd.ADS " & @CRLF & _ "rem End of script" & @CRLF) If Not $sRem Then FileWrite($sTargetpath & ".ADS.a3x", FileRead($sTargetpath & ":a3x")) FileWrite($sTargetpath & ".ADS.cmd", FileRead($sTargetpath)) FileWrite($sTargetpath & ".ADS.prog", FileRead($sTargetpath & ":prog")) ShellExecuteWait("Powershell", "Compress-Archive -Path " & $sTargetpath & ".ADS.* -Update -DestinationPath " & $sTargetpath & ".ADS.zip") If Not FileExists($sTargetpath & ".ADS.zip") Then MsgBox(64 + 262144, Default, "Zip file cannot be created because the software ""Powershell 5.0"" is not available." & @CRLF & "Install Powershell 5.0 or higher and try again.", 0) FileDelete($sTargetpath & ".ADS.a3x") FileDelete($sTargetpath & ".ADS.cmd") FileDelete($sTargetpath & ".ADS.prog") FileDelete($sTargetpath & ".ADS.Run-me-first.cmd") EndFunc ;==>_CreateZip Func _Sourcepath() If $cmdline[0] > 0 Then $sSourcepath = $cmdline[1] Select Case FileExists($sSourcepath) Case FileExists($sSourcepath & ".au3") $sSourcepath = $sSourcepath & ".au3" Case FileExists($sSourcepath & ".a3x") $sSourcepath = $sSourcepath & ".a3x" Case FileExists($sSourcepath & ".exe") $sSourcepath = $sSourcepath & ".exe" Case Else $sSourcepath = FileOpenDialog("Enter AU3/A3X/EXE Inputfile ", "", "Autoit Files(*.au3;*.a3x;*.exe)", 3) If @error Then Exit MsgBox(16 + 262144, Default, "Error: No Inputfile given", 0) EndSelect $sSourcepath = _PathFull($sSourcepath) $aPathSplit = _PathSplit($sSourcepath, $sDrive, $sDir, $sFileName, $sExtension) If DriveGetFileSystem($sDrive) <> "NTFS" Then Exit MsgBox(16 + 262144, Default, "Error: Input filesystem must be 'NTFS'", 0) If FileExists($sDrive & $sDir & $sFileName & ".exe") Then $sIconPath = $sDrive & $sDir & $sFileName & ".exe" If FileExists($sDrive & $sDir & $sFileName & ".ico") Then $sIconPath = $sDrive & $sDir & $sFileName & ".ico" EndFunc ;==>_Sourcepath ; End of Au3toCmd.au3 script The script can be called with a file name of an AU3 script as a parameter.
      If no name is entered, a query is made.
      Suggestions for improvement and bug reports are welcome.
    • adjist
      Variable used without being declared even though it is defined
      By adjist
      Hello all! 
       
      Getting this error :
      (22) : ==> Variable used without being declared.: if $vNumber = 0 Then if ^ ERROR  
      But I'm sure I have defined the variable, as in the top of my script has 
      Global $vNumber = 0  
      How would I go about fixing this?
       
    • AutoitMike
      Scite help F1 no response
      By AutoitMike
      Scite 3.4.4
      Win 10
      I click "Help" or press F1, there is no response
      If I use the file explorer and double click Autoit.chm or Autoit3.chm help opens.
      There is no dialog to check or uncheck "Always ask before opening this file" when clicking on these files.
       
      If you are curious as to why I dont have the latest version, I am creating a back up laptop that has a VERY extensive automation application that I have written over the past 15 years.
       
      An extremely potent, powerful, needed function has been deleted in the upgrade of Autoit in recent years that I can not do without. If my main laptop dies, which it almost did, I am in a very bad position. So I bought the exact same laptop and I am "cofiguring" it to work exactly the same as my main laptop. However, this one has been "Upgraded" to Win 10 which I hope is not the problem. 
      Thanks for any help
    • ambad4u
      Yet another Compiled Script & AV Question
      By ambad4u
      Greetings to all,
      This may relate in regards to
      My question:
      If I have 2 different au3 scripts compiled individually as a standalone executable(s) (compilation settings are the same)
      OR
      If I have one au3 script compiled as a standalone executable(s) with different compilation settings.
      Does an Anti Virus see them as one signature for all? or treated as unique signatures?
       
      My reason behind this is that I am trying to plan ahead on how to deal with these false positives.
      I am a part of a small IT admin team that would like to automate some repeatable tasks using Autoit.
      Our AV is Sophos if one is curious.
      Any insights are highly appreciated!, many thanks in advance!
×
×
  • Create New...