
Proof needed for .exe files being blocked by Symantec



Hi AutoIt masters,

Good day! Sorry to bother this forum, but we really need help. We are working on an automation project that runs on a VDI server. The bots, compiled as .exe files, were running fine until the AV detected them and deleted the files. The files were recompiled and the AV kept deleting them. A copy of the deleted .exe bot was sent to Symantec for whitelisting. After whitelisting it is no longer deleted, but it no longer works as designed (it shows a "Line script" error). We checked the scripts and found no issues, since running them from the SciTE editor performs the desired task. Luckily we found the .a3x solution on this forum, and the bots work fine and are no longer deleted. Now the problem is that they are asking why the bots won't run as .exe and what the reason is behind Symantec AV deleting them. We raised a case with Symantec, but they cannot provide further information as they always see the file as a "False Positive". We even tested with Symantec turned off and those .exe files work fine; however, after re-enabling it, they got deleted.

Just seeking help on how to better convince them that it really is Symantec causing the issue, and about the .a3x file.


Why go through the hassle of dealing with a behemoth like Symantec, or any other AV company for that matter, over scripts that you create? I could understand it if it were a full-blown application, but these are scripts. If it were me, and I had control over my environment (as any IT department or professional should), I would designate a folder structure that scripts can be run from, apply the appropriate ACLs to that structure, and exclude that folder structure from AV scanning. That way, you don't have to play whack-a-mole with AV companies and you can rest assured that your scripts won't be quarantined due to any AV-related issues.

Edited by TheXman
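A concrete version of the folder-plus-ACL part of that advice, added here as an example and not code from the thread: it creates the folder, strips inherited permissions so that only Administrators and SYSTEM can write while standard users can only read and execute, and then checks that no write ACE for a broad group survived. The path is an assumption, and the Symantec exclusion itself is configured in the SEP policy for that path, not by this script. The check is the part that matters for security: a folder that is excluded from scanning and that standard users can also write to is exactly where an attacker would stage a payload, so the exclusion is only safe once the ACL verification passes.

```powershell
# Added example (not from the thread): a locked-down folder that is safe to exclude from AV.
# $ScriptRoot is an assumed path; adjust it. The Symantec exclusion for this path is
# configured in the SEP management console and is not performed here.
$ScriptRoot = 'C:\CorpScripts'

New-Item -ItemType Directory -Path $ScriptRoot -Force | Out-Null

# Drop inherited ACEs so permissive defaults from the parent volume do not leak in,
# then grant explicit rights: Administrators and SYSTEM full control,
# standard users read and execute only. (OI)(CI) propagates to files and subfolders.
icacls $ScriptRoot /inheritance:r | Out-Null
icacls $ScriptRoot /grant:r `
    'BUILTIN\Administrators:(OI)(CI)F' `
    'NT AUTHORITY\SYSTEM:(OI)(CI)F' `
    'BUILTIN\Users:(OI)(CI)RX' | Out-Null

# Verify: no Allow ACE for a broad principal may carry any write bit.
# FileSystemRights::Write covers WriteData, AppendData, WriteAttributes and WriteExtendedAttributes.
$writeBits = [System.Security.AccessControl.FileSystemRights]::Write
$broadPrincipals = 'Users|Everyone|INTERACTIVE|Authenticated'
$leaks = (Get-Acl -Path $ScriptRoot).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -match $broadPrincipals -and
    (($_.FileSystemRights -band $writeBits) -ne 0)
}

if ($leaks) {
    $leaks | Format-Table IdentityReference, FileSystemRights -AutoSize
    throw "Standard users can still write to $ScriptRoot; do not exclude it from AV until this is fixed."
}
Write-Host "OK: $ScriptRoot is read/execute for Users and writable only by Administrators/SYSTEM."
```

Run it from an elevated PowerShell prompt; the script deliberately fails loudly rather than silently reporting success, so it can be dropped into a build or provisioning step that gates the AV exclusion on the ACL being correct.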
1 hour ago, TheXman said:

Why go through the hassle of dealing with a behemoth like Symantec, or any other AV company for that matter, over scripts that you create? I could understand it if it were a full-blown application, but these are scripts. If it were me, and I had control over my environment (as any IT department or professional should), I would designate a folder structure that scripts can be run from, apply the appropriate ACLs to that structure, and exclude that folder structure from AV scanning. That way, you don't have to play whack-a-mole with AV companies and you can rest assured that your scripts won't be quarantined due to any AV-related issues.

That is what I do, but when I was in positions below those with the authority to take that action, or when a new higher authority (like a security officer) comes in, it can be a pain in government or corporations.

I try to use .bat and .ps1 as much as possible for this reason, to standardize and make it easy for other techs to use my work. However, when I need the extra power of AutoIt I still use it. I have more than once been bitten by some random false positive that comes up and deletes a script that has been in production for months or even years.

In fact I may soon try to just start keeping a local copy of AutoIt on the machines and keep a copy of the script compiled as an a3x and run it as a parameter; as far as I know this is also a way to work around the problem.

On 1/15/2020 at 7:25 PM, ViciousXUSMC said:

In fact I may soon try to just start keeping a local copy of AutoIt on the machines and keep a copy of the script compiled as an a3x and run it as a parameter; as far as I know this is also a way to work around the problem.

And that's exactly why I wrote the Au3toCmd app.
A CMD file with all necessary files as "alternate data streams".
The CMD file runs standalone on the computer and the virus scanners are left behind.
See my signature for download.

App: Au3toCmd              UDF: _SingleScript()                             


Symantec has a false positive system:

https://submit.symantec.com/false_positive/

Just submit your exe to them through it. Once they've fixed the problem they'll give you rapid releases definitions you can use to update your symantec server, or if you wait a bit longer it'll be included in the global definition release.

It happened to me once or twice when I was working for a company that used Symantec, and they acted quickly to solve it.

I'm not a fan of Symantec, but I must admit they did a good job with my submissions.

Edited by Neutro

Similar Content

By Exit
Au3toCmd --- Avoid false positives
Since many virus scanners sometimes block a "compiled AutoIt EXE" from executing as a "false positive", the "*.A3X" format is a suitable format to avoid this problem.
In order to simplify this procedure, I wrote the Au3toCmd script. Here a *.Cmd file is generated from a *.Au3 file. The necessary files AutoIt3.exe and *.A3x are added to the "*.Cmd" file as "alternate data streams" of "Base64"-encoded data.
Now the AutoIt script can be called by clicking on the CMD file, and the anti-virus scanners do not trigger the "false positive".
If the short-term flashing of the CMD window bothers you, you can click the desktop shortcut that runs in a minimized window.
Unfortunately, because of the "alternate data streams", this CMD file cannot be distributed via FTP or email.
Only a USB stick or removable disk formatted with NTFS can be used.
As the new version now uses Base64 data instead of ADS, this statement is out of date.
For reasons of compatibility, the old version was sunk into the spoiler here.

Here is the new version using Base64 data:
;==============================================================================================================
; Script Name:  Au3toCmd.au3
; Description:  Creates a CMD file from any AU3 file.
;               The CMD file will contain the compiled version (A3X) of the AU3 input file
;               and the AUTOIT3.EXE file as BASE64 data.
;               This avoids the problem with the false positives of the virus scanners on EXE files.
;               To avoid the short-term flashing of the CMD window, a shortcut is created on the desktop
;               that runs in a minimized window. You may delete or move it.
;
;
; Syntax:       Au3toCmd (input-file)
; Default:      none
; Parameter:    Name of AU3 file (optional)
;               can be set by using SHIFT+F8 in SciTE4AutoIt3 Editor.
;               if parameter is empty, a FileOpenDialog prompts you.
;
;
; The execution environment can be set by using the #AutoIt3Wrapper directives in the source code.
;   #AutoIt3Wrapper_Version=Prod/P/0/Beta/B/1
;   #AutoIt3Wrapper_UseX64=Y/1/N/0
;   #AutoIt3Wrapper_Icon=C:\users\...\anyname.ico
;
; Example:      Au3toCmd c:\testdir\testfile.au3
;
; Author:       Exit ( http://www.autoitscript.com/forum/user/45639-exit )
; SourceCode:   http://www.autoitscript.com/forum/index.php?showtopic=201562   Version: 2022.01.11
; COPYLEFT:     © 2020 Freeware by "Exit"
; ALL WRONGS RESERVED
;==============================================================================================================
#Region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_Version=Prod
#AutoIt3Wrapper_UseX64=Y
#AutoIt3Wrapper_AU3Check_Parameters=-d -w 1 -w 2 -w 3 -w 4 -w 5 -w 6 -w 7
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****
Global $_a2c_Debug = 0 ; change to '1' for debugging information on the output console
#include <File.au3>
Global $sSourcepath, $sSourceData, $sTargetpath, $aPathSplit, $sDrive, $sDir, $sFileName, $sExtension, $sIconPath = "", $iIconNumber = 0, $sRDir
Exit _Main()

Func _Main()
    __DebugInfo()
    If Not _Sourcepath() Then Return SetError(1, 0, 0)
    If Not _IconPath() Then Return SetError(2, 0, 0)
    If Not _Targetpath() Then Return SetError(3, 0, 0)
EndFunc   ;==>_Main

Func _Sourcepath()
    ; Input file comes from the command line (SHIFT+F8 in SciTE) or from a file dialog.
    If $cmdline[0] > 0 Then $sSourcepath = $cmdline[1]
    If Not FileExists($sSourcepath) Then
        Beep(1000, 80)
        $sSourcepath = FileOpenDialog(" Enter AU3 Inputfile for Au3toCmd Application ", "", "Autoit Files(*.au3)", 3)
        If @error Then Return SetError(5, MsgBox(16 + 262144, Default, "Error: No Inputfile given", 3), 0)
    EndIf
    $sSourcepath = _PathFull($sSourcepath)
    $aPathSplit = _PathSplit($sSourcepath, $sDrive, $sDir, $sFileName, $sExtension)
    FileChangeDir($sDrive & $sDir)
    $sSourceData = FileRead($sSourcepath)
    __CW("Sourcepath: " & $sSourcepath & @LF)
    Return 1
EndFunc   ;==>_Sourcepath

Func _IconPath()
    ; Icon for the desktop shortcut: wrapper directive, then <name>.ico beside the source, then shell32.dll.
    Local $aTemp = StringRegExp($sSourceData, "(?m)\n#AutoIt3Wrapper_Icon=(.*)", 1)
    If IsArray($aTemp) And FileExists($aTemp[0]) Then
        $sIconPath = $aTemp[0]
    ElseIf FileExists($sDrive & $sDir & $sFileName & ".ico") Then
        $sIconPath = $sDrive & $sDir & $sFileName & ".ico"
    Else
        $sIconPath = @WindowsDir & "\system32\shell32.dll"
        ;~ $iIconNumber = 71
        $iIconNumber = 132
    EndIf
    __CW("IconNumber: " & $iIconNumber & " IconPath: " & $sIconPath & @CRLF)
    Return 1
EndFunc   ;==>_IconPath

Func _Targetpath()
    Local $sA3Dir, $sA3Ver, $hTargetpath, $t, $x64 = 0, $beta = 0
    $sTargetpath = $sDrive & $sDir & $sFileName & ".cmd"
    FileDelete($sTargetpath)
    ; Locate the installed AutoIt (or beta) via the registry.
    $beta = StringRegExp($sSourceData, "(?m)\n#AutoIt3Wrapper_Version=[bByY1]", 0)
    $sA3Dir = RegRead("HKLM\SOFTWARE" & ((@OSArch = 'X64') ? "\Wow6432Node" : "") & "\AutoIt v3\AutoIt", ($beta ? "beta" : "") & "InstallDir")
    $sA3Ver = RegRead("HKLM\SOFTWARE" & ((@OSArch = 'X64') ? "\Wow6432Node" : "") & "\AutoIt v3\AutoIt", ($beta ? "beta" : "") & "Version")
    __CW("Regread A3Dir: " & $sA3Dir & " Version: " & $sA3Ver & @CRLF)
    If Not (FileExists($sA3Dir & "\autoit3.exe") And FileExists($sA3Dir & "\au3check.exe") And FileExists($sA3Dir & "\Aut2Exe\Aut2exe.exe")) Then Return SetError(9, MsgBox(16 + 262144, Default, "Error: Autoit " & ($beta ? "Beta Version " : "") & "not installed on this system.", 0), 0)
    $x64 = StringRegExp($sSourceData, "(?m)\n#AutoIt3Wrapper_UseX64=[yY1]", 0)
    __CW("X64: >" & $x64 & "< beta: >" & $beta & "< A3Dir: " & $sA3Dir & @LF)
    ; Syntax-check the source, then compile it to A3X (not EXE).
    If ShellExecuteWait($sA3Dir & "\au3check.exe", ' -q "' & $sSourcepath & '"', "", "", @SW_HIDE) Then Return SetError(10, MsgBox(16 + 262144, Default, "Error: Input file """ & $sSourcepath & """ has Errors according to Au3Check.exe. ", 0), 0)
    If ShellExecuteWait($sA3Dir & "\Aut2Exe\Aut2exe" & ($x64 ? '_x64' : '') & ".exe", "/In """ & $sSourcepath & """ /out """ & $sTargetpath & ".sa3x"" " & ($x64 ? '/X64' : ' ')) Then Return SetError(11, MsgBox(16 + 262144, Default, "Error : Cannot create target file """ & $sTargetpath & ".sa3x"" ", 0), 0)
    FileCopy($sA3Dir & "\Autoit3" & ($x64 ? '_x64' : '') & ".exe", $sTargetpath & ".sprog")
    ; Write the batch header. At run time it decodes the embedded AutoIt3 interpreter (once per version)
    ; and the A3X (when the CMD is newer than the cached copy) into %APPDATA%\Au3toCmd and starts it via WMI.
    $hTargetpath = FileOpen($sTargetpath, $FO_APPEND)
    FileWriteLine($hTargetpath, _
            '@if not DEFINED _ set _=_ & start "" /min "%~f0" %* & exit' _
             & @CRLF & 'cd /D %~dp0' _
             & @CRLF & 'set r=%appdata%\Au3toCmd\' _
             & @CRLF & 'set n=%~n0' _
             & @CRLF & 'set ver=' & $sA3Ver _
             & @CRLF & 'set x64=' & ($x64 ? "_64" : "") _
             & @CRLF & 'if not exist "%r%exe\%ver%\AutoIt3%x64%.exe" (' _
             & @CRLF & ' mkdir %r%exe\%ver%\' _
             & @CRLF & ' more +35 %0 >~~' _
             & @CRLF & ' certutil -decode -f ~~ "%r%exe\%ver%\AutoIt3%x64%.exe"' _
             & @CRLF & ' del ~~' _
             & @CRLF & ')' _
             & @CRLF & 'call :ts %0 "%r%a3x\%n%.a3x"' _
             & @CRLF & 'if %t1% geq %t2% (' _
             & @CRLF & 'mkdir %r%a3x\' _
             & @CRLF & 'certutil -decode -f %0 "%r%a3x\%n%.a3x"' _
             & @CRLF & ')' _
             & @CRLF & 'wmic process call create ''"%r%exe\%ver%\AutoIt3%x64%.exe" "%r%a3x\%n%.a3x" "%*"'' ' _
             & @CRLF & 'rem pause' _
             & @CRLF & 'exit' _
             & @CRLF & ':ts t1 t2' _
             & @CRLF & 'set t1=%~t1' _
             & @CRLF & 'set t2=%~t2' _
             & @CRLF & 'set t1=%t1:~3,2%%t1:~0,2%%t1:~11,2%%t1:~14,2%' _
             & @CRLF & 'set t2=%t2:~3,2%%t2:~0,2%%t2:~11,2%%t2:~14,2%' _
             & @CRLF & 'goto :eof' _
            )
    ; Append the Base64 (certutil -encode) forms of the A3X and of AutoIt3.exe after the batch code.
    RunWait(@ComSpec & " /c " & 'certutil -encode -f "' & $sTargetpath & '.sa3x" "' & $sTargetpath & '.a3x"', "", @SW_HIDE)
    $t = FileRead($sTargetpath & '.a3x')
    FileDelete($sTargetpath & '.sa3x')
    FileDelete($sTargetpath & '.a3x')
    FileWriteLine($hTargetpath, $t)
    RunWait(@ComSpec & " /c " & 'certutil -encode -f "' & $sTargetpath & '.sprog" "' & $sTargetpath & '.prog"', "", @SW_HIDE)
    $t = FileRead($sTargetpath & '.prog')
    FileDelete($sTargetpath & '.sprog')
    FileDelete($sTargetpath & '.prog')
    FileWriteLine($hTargetpath, $t)
    FileClose($hTargetpath)
    If Not FileCreateShortcut($sTargetpath, @DesktopDir & "\" & $sFileName & ".lnk", $sDrive & $sDir, "", "", $sIconPath, "", $iIconNumber, 7) Then Return SetError(16, MsgBox(16 + 262144, Default, "Unable to create shortcut", 0), 0)
    __CW("$sTargetpath: " & $sTargetpath & @LF)
    MsgBox(64 + 262144, Default, $sTargetpath & " and " & @CRLF & @DesktopDir & "\" & $sFileName & ".lnk created." & @CRLF & @CRLF & "X64 Mode=" & ($x64 ? "Yes" : "No") & " Beta Mode=" & ($beta ? "Yes" : "No"), 0)
    Return 1
EndFunc   ;==>_Targetpath

Func __CW($sText)
    If Not Eval("_a2c_Debug") Then Return
    ;~ FileWriteLine(@ScriptFullPath & ".console.txt", $sText)
    ConsoleWrite($sText & @CRLF)
EndFunc   ;==>__CW

Func __DebugInfo()
    FileDelete(@ScriptFullPath & ".console.txt")
    If @Compiled Then $_a2c_Debug = 0
    If Not Eval("_a2c_Debug") Then Return
    __CW("============ Start of DebugInfo ===============")
    __CW("Au3toCmd Version: " & (StringRegExp(FileRead(@ScriptFullPath), "(?i)Version: (.*)", 1))[0])
    __CW("@ScriptFullPath: " & @ScriptFullPath)
    __CW("@AutoItExe: " & @AutoItExe)
    __CW("@AutoItVersion: " & @AutoItVersion)
    __CW("@AutoItX64: " & @AutoItX64)
    __CW("@CPUArch: " & @CPUArch)
    __CW("@OSArch: " & @OSArch)
    __CW("@OSBuild: " & @OSBuild)
    __CW("@OSLang: " & @OSLang)
    __CW("@OSType: " & @OSType)
    __CW("@OSVersion: " & @OSVersion)
    __CW("@OSServicePack: " & @OSServicePack)
    __CW("@UserName: " & @UserName)
    __CW("@UserProfileDir: " & @UserProfileDir)
    __CW("============ End of DebugInfo ===============")
EndFunc   ;==>__DebugInfo
; End of Au3toCmd.au3 script

The script can be called with the file name of an AU3 script as a parameter.
      If no name is entered, a query is made.
      Suggestions, improvements and bug reports are welcome.
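The wrapper Exit describes in his reply above and in this Au3toCmd post runs, at click time, exactly the chain a SOC analyst hunts for: cmd.exe calls certutil -decode on its own script file, then wmic process call create launches AutoIt3.exe from %APPDATA% with an .a3x argument, so the interpreter shows WmiPrvSE.exe as its parent. That is why it "leaves the virus scanners behind" on a file-signature basis, and also why a behavioural EDR may flag it and why a whitelisting request should describe this behaviour up front. The detector below is an added example, not code from the thread or from Au3toCmd; it runs over constructed, Sysmon-style process-creation lines (the user name, the paths, the version folder and the field layout are assumptions, not a real capture) and flags each link of the chain separately.

```python
"""Added example (not from the thread or from Au3toCmd): flag the process chain a
self-extracting CMD wrapper produces when it runs.

Chain produced by the wrapper:
  cmd.exe -> certutil -decode <cmd file> -> wmic process call create -> AutoIt3*.exe <x>.a3x
The AutoIt3 process has WmiPrvSE.exe as parent because WMI created it.

Log format below is a constructed, Sysmon Event ID 1 style 'Key=Value|Key=Value' line.
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


# Constructed sample: one wrapper run (lines 1-5) plus two benign events (lines 6-7).
SAMPLE_LOG = r"""
ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd /c "C:\Users\alice\Desktop\bot.cmd"
ParentImage=C:\Windows\System32\cmd.exe|Image=C:\Windows\System32\certutil.exe|CommandLine=certutil -decode -f ~~ "C:\Users\alice\AppData\Roaming\Au3toCmd\exe\3.3.14.5\AutoIt3_64.exe"
ParentImage=C:\Windows\System32\cmd.exe|Image=C:\Windows\System32\certutil.exe|CommandLine=certutil -decode -f C:\Users\alice\Desktop\bot.cmd "C:\Users\alice\AppData\Roaming\Au3toCmd\a3x\bot.a3x"
ParentImage=C:\Windows\System32\cmd.exe|Image=C:\Windows\System32\wbem\WMIC.exe|CommandLine=wmic process call create '"C:\Users\alice\AppData\Roaming\Au3toCmd\exe\3.3.14.5\AutoIt3_64.exe" "C:\Users\alice\AppData\Roaming\Au3toCmd\a3x\bot.a3x" ""'
ParentImage=C:\Windows\System32\wbem\WmiPrvSE.exe|Image=C:\Users\alice\AppData\Roaming\Au3toCmd\exe\3.3.14.5\AutoIt3_64.exe|CommandLine="C:\Users\alice\AppData\Roaming\Au3toCmd\exe\3.3.14.5\AutoIt3_64.exe" "C:\Users\alice\AppData\Roaming\Au3toCmd\a3x\bot.a3x" ""
ParentImage=C:\Windows\explorer.exe|Image=C:\Program Files\AutoIt3\AutoIt3.exe|CommandLine="C:\Program Files\AutoIt3\AutoIt3.exe" "C:\CorpScripts\inventory.a3x"
ParentImage=C:\Windows\System32\cmd.exe|Image=C:\Windows\System32\certutil.exe|CommandLine=certutil -verify server.cer
"""

# Paths a standard user can write to; an interpreter or payload living here is the signal.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Users\\Public)\\", re.I)
# AutoIt3.exe, AutoIt3_x64.exe and the AutoIt3_64.exe name the wrapper writes.
AUTOIT_IMAGE = re.compile(r"(^|\\)autoit3(_x64|_64)?\.exe$", re.I)
# .a3x arguments; assumes no spaces inside the path (a real parser would tokenize quotes).
A3X_ARGS = re.compile(r'[^"\s]+\.a3x', re.I)


def parse_log(text: str) -> list[ProcEvent]:
    events = []
    for raw in text.strip().splitlines():
        fields = dict(part.split("=", 1) for part in raw.split("|"))
        events.append(ProcEvent(fields["ParentImage"], fields["Image"], fields["CommandLine"]))
    return events


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_user_writable(path: str) -> bool:
    return USER_WRITABLE.search(path) is not None


# Each rule is one link of the chain, kept separate so the same rules also catch
# droppers that use only part of it.
RULES = {
    "certutil_decode": lambda e: basename(e.image) == "certutil.exe"
        and re.search(r"(^|\s)-decode(\s|$)", e.command_line, re.I) is not None,
    "wmic_process_create": lambda e: basename(e.image) == "wmic.exe"
        and re.search(r"process\s+call\s+create", e.command_line, re.I) is not None,
    "autoit_from_user_writable": lambda e: AUTOIT_IMAGE.search(e.image) is not None
        and (is_user_writable(e.image)
             or any(is_user_writable(a) for a in A3X_ARGS.findall(e.command_line))),
    "wmi_spawned_from_user_writable": lambda e: basename(e.parent_image) == "wmiprvse.exe"
        and is_user_writable(e.image),
}


def detect(events: list[ProcEvent]) -> list[tuple[str, str]]:
    """Return (rule name, command line) for every rule each event matches."""
    return [(name, e.command_line) for e in events for name, pred in RULES.items() if pred(e)]


def summarize(text: str) -> Counter:
    return Counter(name for name, _ in detect(parse_log(text)))


def looks_like_self_extracting_wrapper(text: str) -> bool:
    """True when a log shows payload decoding AND an interpreter started from a user-writable path."""
    c = summarize(text)
    return c["certutil_decode"] > 0 and (
        c["autoit_from_user_writable"] > 0 or c["wmi_spawned_from_user_writable"] > 0)


if __name__ == "__main__":
    for rule, cmd in detect(parse_log(SAMPLE_LOG)):
        print(f"{rule:32} {cmd}")
    print("wrapper chain present:", looks_like_self_extracting_wrapper(SAMPLE_LOG))
```

The benign AutoIt3.exe run from C:\Program Files with a script in an admin-only folder produces no hit, which is the practical difference between TheXman's locked-down-folder approach and this wrapper: the former keeps interpreter and script in paths only administrators can write, the latter unpacks both into %APPDATA% on every machine it is clicked on.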