MarkIT

Proof needed for .exe files being blocked by Symantec


Hi AutoIT masters,

Good day! Sorry to have bothered this forum but we really need help. We are working on an automation project that is running on a VDI server. The BOTS are in .exe and were running fine until AV detected them and deleted the files. The files were re-compiled and AV kept on deleting them. A copy of the deleted .exe BOT was sent to Symantec for whitelisting. After whitelisting, it is no longer deleted but no longer working as designed (showing a line script error). We checked the scripts and there were no issues, since we ran them using the SciTE editor and they performed the desired task. Good thing we found on this thread the solution using .a3x, and the BOTS worked fine and were no longer deleted. Now, the problem is they are asking why the BOTS won't run as .EXE and what the reason is behind Symantec AV deleting them. We raised a case with Symantec but they cannot provide further information as they always see the file as a "False Positive". We even tested with Symantec turned off and those .EXE files work fine; however, after re-enabling it, they got deleted.

Just seeking help on how to better convince them that it is really Symantec causing the issue and the .a3x file.


I suppose showing them this thread could help:

https://www.autoitscript.com/forum/topic/34658-are-my-autoit-exes-really-infected/ 

because it did help me in the past

ps. it is not specific to Symantec, as far as I know all AVs react the same...

Edited by Nine


Why go through the hassle of dealing with a behemoth like Symantec, or any other AV company for that matter, over scripts that you create?  I could understand it if it were a full-blown application, but these are scripts.  If it were me, and I had control over my environment (as any IT department or professional should), I would designate a folder structure that scripts can be run from, apply the appropriate ACLs to that structure, and exclude that folder structure from AV scanning.  That way, you don't have to play whack-a-mole with AV companies and you can rest assured that your scripts won't be quarantined due to any AV-related issues.

Edited by TheXman
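One way to set up the restricted script folder TheXman describes, as an added example that is not from the thread. The folder path and the AutomationAdmins group are assumed placeholders, and the AV exclusion for the folder itself is configured in the AV product's management console, which is not shown here.

```powershell
# Added example, not from the thread: a dedicated bot folder where only one group can write
# and everyone else gets read/execute, so excluding it from AV scanning does not create an
# unscanned drop zone. $ScriptRoot and the AutomationAdmins group are assumed placeholders.
$ScriptRoot = 'D:\Automation\Bots'
$Writers    = "$env:USERDOMAIN\AutomationAdmins"

New-Item -ItemType Directory -Path $ScriptRoot -Force | Out-Null

# Drop inherited ACEs (/inheritance:r) and grant explicit rights; (OI)(CI) makes each
# ACE apply to files and subfolders created later.
icacls $ScriptRoot /inheritance:r
icacls $ScriptRoot /grant:r 'SYSTEM:(OI)(CI)F' 'BUILTIN\Administrators:(OI)(CI)F'
icacls $ScriptRoot /grant:r "${Writers}:(OI)(CI)M"      # deploy and update the bots
icacls $ScriptRoot /grant:r 'BUILTIN\Users:(OI)(CI)RX'  # run, but never write

# Check: no principal outside SYSTEM, Administrators and the writers group may hold write bits.
function Test-ScriptFolderAcl([string]$Path, [string[]]$Allowed) {
    $write = [System.Security.AccessControl.FileSystemRights]::Write
    $bad = (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -notin $Allowed -and
        (([int]$_.FileSystemRights) -band ([int]$write)) -ne 0
    }
    if ($bad) {
        $bad | Format-Table IdentityReference, FileSystemRights -AutoSize
        throw "$Path is writable by an unexpected principal"
    }
    return $true
}

Test-ScriptFolderAcl -Path $ScriptRoot -Allowed @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', $Writers)
```

Run from an elevated Windows PowerShell prompt; the final check is what justifies the AV exclusion, because it throws as soon as anyone other than SYSTEM, Administrators or the writers group can place files in the excluded folder.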

1 hour ago, TheXman said:

Why go through the hassle of dealing with a behemoth like Symantec, or any other AV company for that matter, over scripts that you create?  I could understand it if it were a full-blown application, but these are scripts.  If it were me, and I had control over my environment (as any IT department or professional should), I would designate a folder structure that scripts can be run from, apply the appropriate ACLs to that structure, and exclude that folder structure from AV scanning.  That way, you don't have to play whack-a-mole with AV companies and you can rest assured that your scripts won't be quarantined due to any AV-related issues.

That is what I do, but when I was in positions lower than those with the authority to make the action or you get a new higher authority (like a security officer) it can make it a pain when it comes to government or corporations.

I try to use .bat and .ps1 as much as possible for this reason to standardize and make it easy for other techs to use my work.  However when I need the extra power of AutoIT I still use it.  I have more than once been bitten by some random false positive that comes up and deletes a script that has been in production for months or even years. 

In fact I may soon try to just start keeping a local copy of AutoIT on the machines and keep a copy of the script compiled as an a3x and run it as a parameter; this is also a way to work around the problem as far as I know.

On 1/15/2020 at 7:25 PM, ViciousXUSMC said:

Infact I may soon try to just start keeping a local copy of AutoIT on the machines and keep a copy of the script compiled as an a3x and run it as a parameter, this is also a way to work around the problem as far as I know.

And that's exactly why I wrote the Au3toCmd app.
A CMD file with all necessary files as "alternate data streams".
The CMD file runs standalone on the computer and the virus scanners are left behind.
See my signature for download.


App: Au3toCmd    UDF: _SingleScript()


Symantec has a false positive system:

https://submit.symantec.com/false_positive/

Just submit your exe to them through it. Once they've fixed the problem they'll give you rapid release definitions you can use to update your Symantec server, or if you wait a bit longer it'll be included in the global definition release.

It happened to me once or twice when I was working for a company that used Symantec, and they acted quickly to solve it.

I'm not a fan of Symantec but I must admit they did a good job with my submissions.

Edited by Neutro

  • Similar Content

    • By Exit
      Au3toCmd  ---  Avoid false positives
      Since many virus scanners sometimes prevent a "compiled autoit EXE" from being executed as "false positive", the "*.A3X" format is a suitable format to avoid this problem.
      In order to simplify this procedure, I wrote the Au3toCmd script. Here a *.Cmd file is generated from a *.Au3 file. The necessary files Autoit3.exe and *.A3x are added to the "*.Cmd" file as "alternate data streams".
      Now the Autoit Script can be called by clicking on the cmd file and the anti-virus scanners do not recognize the "false positive".
      If the short-term flashing of the CMD window bothers you, you can create a link that runs in a minimized window.
      Unfortunately, because of the "alternate data streams", this CMD file cannot be distributed via FTP or email.
      Only a USB stick or removable disk formatted with NTFS can be used.
      To solve this problem, Au3toCmd can be used to create a ZIP file that is email and FTP compatible.  Only possible on Win10 due to Powershell 5.0
      Expand this ZIP file on the target system and execute the "*.ADS.Run-me-first.cmd" script. The original CMD file is created again and the auxiliary files are deleted.
      Edit:
      The new version also accepts A3X and EXE files. This means that A3X and EXE files that have been compiled with special options can be used.
      As a side effect, other EXE files can also be included in the CMD file and therefore not detectable by virus scanners.
       
      Here is the source of Au3toCmd.au3:

      ;==============================================================================================================
      ; Script Name:    Au3toCmd.au3
      ; Description:    Creates a CMD file from any AU3/A3X/EXE file.
      ;                 The CMD file will contain the compiled version (A3X) of the AU3 input file
      ;                 and the AUTOIT3.EXE file as alternate data streams.
      ;                 Alternatively it will contain any EXE file.
      ;                 This avoids the problem with the false positives of the virus scanners.
      ;                 If the short-term flashing of the CMD window bothers you,
      ;                 create the shortcut on the desktop that runs in a minimized window.
      ;
      ; Syntax:         Au3toCmd (input-file)
      ; Default:        none
      ; Parameter:      Name of an AU3/A3X/EXE file (optional)
      ; Requirement(s): When using Zip feature: Powershell 5.0 or higher (Windows 10 is ok)
      ; Example:        Au3toCmd testfile.au3
      ;
      ; Author:         Exit ( http://www.autoitscript.com/forum/user/45639-exit )
      ; SourceCode:     http://www.autoitscript.com/forum/index.php?showtopic=201562
      ; Version:        2020.02.25
      ; COPYLEFT:       © 2020 Freeware by "Exit"
      ;                 ALL WRONGS RESERVED
      ;==============================================================================================================
      #AutoIt3Wrapper_Au3Check_Parameters=-d -w 1 -w 2 -w 3 -w 4 -w 5 -w 6 -w 7
      #include <File.au3>

      Global $rc, $sSourcepath, $sTargetpath, $sA3Dir, $aPathSplit, $sDrive, $sDir, $sFileName, $sExtension, $sIconPath, $iIconNumber = 0

      Exit _Main()

      Func _Main()
          ; Locate the AutoIt installation; the CMD wrapper needs Autoit3.exe, Au3check and Aut2exe.
          $sA3Dir = RegRead("HKLM\SOFTWARE\AutoIt V3\AutoIt", "InstallDir")
          If Not (FileExists($sA3Dir & "\autoit3.exe") And FileExists($sA3Dir & "\au3check.exe") And FileExists($sA3Dir & "\Aut2Exe\Aut2exe.exe")) Then _
              Exit MsgBox(16 + 262144, Default, "Error: Autoit not installed on this system.", 0)
          _Sourcepath()
          $sTargetpath = $sDrive & $sDir & $sFileName & ".cmd"
          FileDelete($sTargetpath)
          FileDelete($sTargetpath & ".ADS.*")
          FileDelete($sTargetpath & ".ADS")
          ; The batch launcher: counts its own $DATA streams and starts the interpreter (":prog")
          ; with the compiled script (":a3x") when both streams are present.
          FileWriteLine($sTargetpath, _
                  "@echo off & cls" & @CRLF & _
                  "rem @echo on & dir /R %~nx0 & pause" & @CRLF & _
                  "for /f ""delims="" %%F in ('dir /R %~nx0 ^| find /C ""$DATA"" ') do set mycount=%%F" & @CRLF & _
                  "if .%mycount% == .0 echo Invalid copy of %~nx0. No ADS found. & pause & goto :eof " & @CRLF & _
                  "if .%mycount% == .1 wmic process call create ""%~f0:prog %*"" " & @CRLF & _
                  "if .%mycount% == .2 wmic process call create ""%~f0:prog %~f0:a3x %*"" " & @CRLF & _
                  "rem End of script" & @CRLF)
          Switch $sExtension
              Case ".au3"
                  If ShellExecuteWait($sA3Dir & "\au3check.exe", ' -q "' & $sSourcepath & '"') Then _
                      Exit MsgBox(16 + 262144, Default, "Error: Input file """ & $sSourcepath & """ has Errors.", 0)
                  ShellExecuteWait($sA3Dir & "\Aut2Exe\Aut2exe.exe", "/In " & $sSourcepath & " /out " & $sTargetpath & ":a3x")
                  FileCopy($sA3Dir & "\Autoit3.exe", $sTargetpath & ":prog")
              Case ".a3x"
                  FileCopy($sSourcepath, $sTargetpath & ":a3x")
                  FileCopy($sA3Dir & "\Autoit3.exe", $sTargetpath & ":prog")
              Case ".exe"
                  FileCopy($sSourcepath, $sTargetpath & ":prog")
          EndSwitch
          If MsgBox(4 + 32 + 256 + 262144, Default, $sTargetpath & " created." & @LF & @LF & "Create a shortcut on the desktop?", 0) = 6 Then _
              FileCreateShortcut($sTargetpath, @DesktopDir & "\" & $sFileName & ".lnk", $sDrive & $sDir, "", "", $sIconPath, "", $iIconNumber, 7)
          If MsgBox(4 + 32 + 256 + 262144, Default, $sTargetpath & " created." & @LF & @LF & "Create a portable ZIP file ?" & @LF & $sTargetpath & ".ADS.zip", 0) = 6 Then _
              _CreateZip($sTargetpath)
          If MsgBox(4 + 32 + 256 + 262144, Default, "Run " & $sTargetpath & " ?", 0) = 6 Then ShellExecute($sTargetpath)
      EndFunc   ;==>_Main

      Func _CreateZip($sTargetpath)
          ; For an EXE input there is no ":a3x" stream, so the a3x lines are commented out of the helper CMD.
          Local $sRem = (StringRight($sSourcepath, 4) = ".exe") ? "rem " : ""
          FileDelete($sTargetpath & ".ADS.*")
          ; Helper CMD that rebuilds the streams on the target system (ZIP cannot carry ADS).
          FileWriteLine($sTargetpath & ".ADS.Run-me-first.cmd", _
                  "%~d0 & cd %~dp0" & @CRLF & _
                  "set name1=%~n0" & @CRLF & _
                  "set name1=%name1:~0,-21%" & @CRLF & _
                  "set compare1=%cd% " & @CRLF & _
                  "set compare2=%compare1:AppData\Local\Temp=other% " & @CRLF & _
                  "if .%compare1%==.%compare2% goto :skip" & @CRLF & _
                  "echo off & cls " & @CRLF & _
                  "echo Please extract ALL files from ZIP file first and then run this CMD again. " & @CRLF & _
                  "Pause & goto :eof" & @CRLF & _
                  ":skip " & @CRLF & _
                  "ren %name1%.cmd.ADS.cmd %name1%.cmd" & @CRLF & _
                  $sRem & "type %name1%.cmd.ADS.a3x > %name1%.cmd:a3x" & @CRLF & _
                  $sRem & "del %name1%.cmd.ADS.a3x" & @CRLF & _
                  "type %name1%.cmd.ADS.prog > %name1%.cmd:prog" & @CRLF & _
                  "del %name1%.cmd.ADS.prog" & @CRLF & _
                  "move /Y %name1%.cmd .." & @CRLF & _
                  "cd .. " & @CRLF & _
                  "echo off & cls " & @CRLF & _
                  "echo ""%cd%\%name1%.cmd"" created. " & @CRLF & _
                  "pause " & @CRLF & _
                  "del .\%name1%.cmd.ADS.zip" & @CRLF & _
                  "rd /S /Q %name1%.cmd.ADS " & @CRLF & _
                  "rem End of script" & @CRLF)
          ; Dump each stream into a plain file so that it survives the ZIP.
          If Not $sRem Then FileWrite($sTargetpath & ".ADS.a3x", FileRead($sTargetpath & ":a3x"))
          FileWrite($sTargetpath & ".ADS.cmd", FileRead($sTargetpath))
          FileWrite($sTargetpath & ".ADS.prog", FileRead($sTargetpath & ":prog"))
          ShellExecuteWait("Powershell", "Compress-Archive -Path " & $sTargetpath & ".ADS.* -Update -DestinationPath " & $sTargetpath & ".ADS.zip")
          If Not FileExists($sTargetpath & ".ADS.zip") Then _
              MsgBox(64 + 262144, Default, "Zip file cannot be created because the software ""Powershell 5.0"" is not available." & @CRLF & "Install Powershell 5.0 or higher and try again.", 0)
          FileDelete($sTargetpath & ".ADS.a3x")
          FileDelete($sTargetpath & ".ADS.cmd")
          FileDelete($sTargetpath & ".ADS.prog")
          FileDelete($sTargetpath & ".ADS.Run-me-first.cmd")
      EndFunc   ;==>_CreateZip

      Func _Sourcepath()
          ; Take the input file from the command line, trying the known extensions, else ask for it.
          If $cmdline[0] > 0 Then $sSourcepath = $cmdline[1]
          Select
              Case FileExists($sSourcepath)
              Case FileExists($sSourcepath & ".au3")
                  $sSourcepath = $sSourcepath & ".au3"
              Case FileExists($sSourcepath & ".a3x")
                  $sSourcepath = $sSourcepath & ".a3x"
              Case FileExists($sSourcepath & ".exe")
                  $sSourcepath = $sSourcepath & ".exe"
              Case Else
                  $sSourcepath = FileOpenDialog("Enter AU3/A3X/EXE Inputfile ", "", "Autoit Files(*.au3;*.a3x;*.exe)", 3)
                  If @error Then Exit MsgBox(16 + 262144, Default, "Error: No Inputfile given", 0)
          EndSelect
          $sSourcepath = _PathFull($sSourcepath)
          $aPathSplit = _PathSplit($sSourcepath, $sDrive, $sDir, $sFileName, $sExtension)
          ; Alternate data streams only exist on NTFS.
          If DriveGetFileSystem($sDrive) <> "NTFS" Then Exit MsgBox(16 + 262144, Default, "Error: Input filesystem must be 'NTFS'", 0)
          If FileExists($sDrive & $sDir & $sFileName & ".exe") Then $sIconPath = $sDrive & $sDir & $sFileName & ".exe"
          If FileExists($sDrive & $sDir & $sFileName & ".ico") Then $sIconPath = $sDrive & $sDir & $sFileName & ".ico"
      EndFunc   ;==>_Sourcepath
      ; End of Au3toCmd.au3 script

      The script can be called with the file name of an AU3 script as a parameter.
      If no name is entered, a query is made.
      Suggestions for improvement and bug reports are welcome.
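A defender-side counterpart to the ADS packaging above, added here as an example and not part of Au3toCmd: it enumerates the alternate data streams of every file under a folder and flags streams that begin with a PE header, which is the layout Au3toCmd produces (a copy of Autoit3.exe in ":prog", the compiled script in ":a3x"). The root path is an assumed placeholder; Windows PowerShell 5.x on an NTFS volume is assumed.

```powershell
# Added example, not part of Au3toCmd: find files that carry extra NTFS streams and
# flag streams that start with the "MZ" PE header (the Au3toCmd ":prog" stream is a copy
# of Autoit3.exe). Assumes Windows PowerShell 5.x on an NTFS volume; $Root is a placeholder.
function Find-AdsPayloads {
    param([string]$Root = 'C:\Scripts')   # assumption: folder to audit

    foreach ($file in Get-ChildItem -Path $Root -File -Recurse -ErrorAction SilentlyContinue) {
        # Every stream except the unnamed ':$DATA' stream is an alternate data stream.
        # Zone.Identifier (mark of the web) is a common benign one and reports LooksLikePE = False.
        $streams = Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' }
        foreach ($s in $streams) {
            # Peek at the first two bytes of the stream; 0x4D 0x5A ("MZ") marks a PE image.
            $head = @(Get-Content -LiteralPath $file.FullName -Stream $s.Stream -Encoding Byte -TotalCount 2 -ErrorAction SilentlyContinue)
            $isPE = ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
            [pscustomobject]@{
                File        = $file.FullName
                Stream      = $s.Stream
                Length      = $s.Length
                LooksLikePE = $isPE
            }
        }
    }
}

# A .cmd or .bat whose ADS holds a PE image is the Au3toCmd pattern: report those first.
Find-AdsPayloads -Root 'C:\Scripts' |
    Sort-Object LooksLikePE -Descending |
    Format-Table File, Stream, Length, LooksLikePE -AutoSize
```

On PowerShell 7 replace `-Encoding Byte` with `-AsByteStream`; the rest is unchanged.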