LukeWCS

Suggestion for Aut2exe: An option with which the script can be embedded unencrypted.


Hello everybody

This is meant as a suggestion.

I've been using AI since version 2 and use it especially for tasks where dependencies on runtime libraries would be a hindrance. For example for support tools. However, there is a big problem with the generated EXEs: false positives in a number of virus scanners. In my opinion, the cause of this is the fact that the scripts are encrypted and embedded in the generated EXE. Incidentally, this encryption also increases the entropy extremely, which is another cause of false detections.

An effective way to increase the acceptance of AI programs and to reduce the problems with false positives would be an option when creating the EXE that embeds the script unencrypted in the EXE. If that were optional, everyone could decide for themselves whether they want it or not.

This would make it a lot easier for virus scanners as well as experienced programmers to analyze and classify an EXE generated by AI. Because the effectively executable part, i.e. the AI core, has long been established as trustworthy. If the actual program, i.e. the script, could also be read directly, this would ensure a high level of transparency and ultimately acceptance.

Offering the source code does not solve the real problem.

 

The following code serves as an example:

MsgBox(0, "example", "Hello world")

This example was converted to an EXE (without UPX) with AutoIt 3 and uploaded to VirusTotal. The report can be found under the following link. Please also have a look there in the comments.

https://www.virustotal.com/gui/file/fe30f6bb70145512ce3fbfadabff7919fba084be6e22d7cc03e78445104a7151/detection

 

edit 2020-10-03: Added example with link to a VT report

edit 2020-10-04: Title formulated more precisely

Edited by LukeWCS

6 minutes ago, Exit said:

#AutoIt3Wrapper_Res_SaveSource=y
 

This has nothing to do with my suggestion. ;) I know this feature: "Save a copy of the Script_source in the EXE resources."


Since I created the Test EXE and opened this topic, I have updated the VT Report twice. This gives the following result:

  • 12 false positives on first upload. (2020-10-03)
  • 22 false positives at the first report update (a few days ago)
  • 26 false positives in the second report update (2020-10-16)

See link in the starting post.

I suspect that the result depends primarily on 2 things: how up to date the signature database of the individual AV scanner is, and the entropy of the encrypted script. The latter is probably also the reason why, if the same source code is converted to an EXE several times, the VT result can look different each time.

The result also shows that several AV scanners obviously use the same signature database. But that's more of a general problem and not a specific problem of AI. But it only exacerbates the problem because it increases the number of false positives over time.

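The two posts above rest on one measurable claim: an encrypted (or UPX-packed) script payload pushes the byte entropy of the EXE towards the 8 bits/byte of random data, which is exactly what packer and crypter heuristics look for, while the same script stored as plain text stays at the 4 to 5 bits/byte of ordinary ASCII. The following Python script is an added example written for this edit; it is not code from the original post or from the AutoIt project. It assumes a constructed sample script, an XOR-with-SHA-256-keystream stand-in for Aut2exe's real (undisclosed) embedding scheme, and a 7.0 bits/byte window threshold as a typical heuristic cut-off; the actual threshold and window size used by any given AV engine are not known from the thread.

```python
import hashlib
import math
from collections import Counter

# Constructed sample input: a tiny AutoIt-style script repeated to a few KB,
# standing in for the plain-text script that Aut2exe embeds in the EXE.
SCRIPT_TEMPLATE = (
    b'#include <MsgBoxConstants.au3>\n'
    b'Func _Greet($sName)\n'
    b'    MsgBox($MB_OK, "example", "Hello " & $sName)\n'
    b'EndFunc\n'
    b'_Greet("world")\n'
)
PLAIN_SCRIPT = SCRIPT_TEMPLATE * 200  # about 24 KB of ASCII text

WINDOW = 1024      # bytes per window, as packer/crypter heuristics slide over a file
THRESHOLD = 7.0    # bits per byte; assumed heuristic cut-off, not any vendor's real value


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a single repeated value, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def xor_keystream(data: bytes, seed: bytes) -> bytes:
    """Stand-in for the encrypted embedding (assumption: not Aut2exe's real scheme).

    XORs the data with a SHA-256 counter keystream. Any real stream cipher has the
    same effect on the byte histogram: the output looks like random bytes.
    """
    out = bytearray()
    for block_no, start in enumerate(range(0, len(data), 32)):
        key = hashlib.sha256(seed + block_no.to_bytes(8, "little")).digest()
        out.extend(b ^ k for b, k in zip(data[start:start + 32], key))
    return bytes(out)


def high_entropy_windows(data: bytes, window: int = WINDOW, threshold: float = THRESHOLD):
    """(offset, entropy) for every non-overlapping window whose entropy exceeds threshold."""
    hits = []
    for off in range(0, len(data) - window + 1, window):
        h = shannon_entropy(data[off:off + window])
        if h > threshold:
            hits.append((off, round(h, 2)))
    return hits


def compare_embeddings(script: bytes, seed: bytes = b"build-1") -> dict:
    """Entropy figures for the same script embedded plain versus 'encrypted'."""
    encrypted = xor_keystream(script, seed)
    return {
        "plain_entropy": round(shannon_entropy(script), 2),
        "encrypted_entropy": round(shannon_entropy(encrypted), 2),
        "plain_flagged_windows": len(high_entropy_windows(script)),
        "encrypted_flagged_windows": len(high_entropy_windows(encrypted)),
    }


if __name__ == "__main__":
    # Two "builds" of the same script: the flagged-window count is identical,
    # but the encrypted bytes differ, so signature matches can differ per build.
    for seed in (b"build-1", b"build-2"):
        print(seed.decode(), compare_embeddings(PLAIN_SCRIPT, seed))
```

Run as-is, the plain script stays well under 6 bits/byte with no flagged windows, while every 1 KB window of the encrypted copy lands near 7.8 bits/byte. The second seed illustrates the re-upload observation: a fresh key per build changes every payload byte without changing the entropy profile, so heuristic verdicts stay the same while hash- or pattern-based ones can move.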

It seems to me that running a 64-bit .exe gives fewer positives, perhaps none, at least with Windows Defender.


@LukeWCS:

Do you have any concerns about generating the script as .a3x file? You can provide the corresponding interpreter (AutoIt3.exe / AutoIt3_64.exe) without a full installation of AutoIt. The interpreter itself is usually classified as trustworthy by antivirus programs.

BTW: AI as an abbreviation for AutoIt is not the best option ;).

Edited by Musashi


"In the beginning the Universe was created. This has made a lot of people very angry and been widely regarded as a bad move."

6 hours ago, jpm said:

It seems to me that running a 64-bit .exe gives fewer positives, perhaps none, at least with Windows Defender.

I just tested it with the "Hello world" script as well as with one of my larger projects with about 4000 lines of code. The number of false positives is actually considerably smaller, even with my real project. What is that related to?

However, I cannot apply this to every project. There are still 32-bit environments where my tools run. And I also have projects that have certain UDFs that don't work with 64-bit. And to make them compatible for 64-bit, I either don't have the time or the knowledge or both.

 

6 hours ago, Musashi said:

@LukeWCS:

Do you have any concerns about generating the script as .a3x file? You can provide the corresponding interpreter (AutoIt3.exe / AutoIt3_64.exe) without a full installation of AutoIt. The interpreter itself is usually classified as trustworthy by antivirus programs.

BTW: AI as an abbreviation for AutoIt is not the best option ;).

I've just tested that too, at least in theory that would be an option. I say theoretically, because I use AI precisely because it is easy to use, because it has virtually no dependencies. If I now deliver the projects separately as a3x and with the interpreter, then I have to explain again how this is to be handled. That would be okay in special cases, but not with tools that are publicly available and downloaded by a correspondingly large number of users.

One can of course consider what the lesser evil is. To lead endlessly long and endlessly tiring discussions about false positives with the users, or to explain to them how to get this "funny" a3x to work. ^^

As for the abbreviation: So when I'm with the neighbors (other communities) then I also use "AutoIt", because probably nobody knows what is meant by AI3 or associates something completely different with it. But when I'm practically at home (here in the forum), everyone should know what that means. ;)


As far as the actual problem is concerned: Of course you can "calm down" the AV scanner with one or the other trick. But from my point of view, the best option would still be if the AI3 programmer could decide for himself whether he wants to embed the script encrypted or unencrypted in the EXE.

edit: 
And one of the options that I've been without for many years is UPX. From the standpoint of AV detection and transparency, UPX has long been a clear no-go. In the case of most virus scanners, the presence of UPX alone causes a significant devaluation. From a technical point of view, UPX is also no longer relevant. The times when you had to fight for every KB are long gone. But UPX is only a tiny detail.

Edited by LukeWCS
Added UPX note

1 hour ago, LukeWCS said:

One can of course consider what the lesser evil is. To lead endlessly long and endlessly tiring discussions about false positives with the users, or to explain to them how to get this "funny" a3x to work. ^^

I agree with you, that there is no perfect solution (as many of us have painfully experienced :'().

If you offer tools for download by unknown customers, you may not get any feedback in case of 'false positives'. This means you won't even get the opportunity to have tiring discussions with the customer at all, because he will simply delete your program.

For such cases I create a small Setup.exe (using Inno Setup). It contains the AutoIt Interpreter, the .a3x file and a .cmd to start the script.

There is another issue you should keep under consideration:

Offering AutoIt EXEs for download can harm the reputation of your website. In the worst case it will be blacklisted by the search engines.

This is e.g. the reason why you are not supposed to upload self-created .exe files (not even within a .zip) to the forum. @Jos: Please correct me if I am wrong.


17 hours ago, LukeWCS said:

And I also have projects that have certain UDFs that don't work with 64Bit. And to make them compatible for 64Bit, I either don't have the time or the knowledge or both.

Which ones?
Please enumerate them.


I know of my Chilkat UDF, QuickPDF UDF and maybe a few others.

 

Edited by mLipok
typo

13 hours ago, Musashi said:

If you offer tools for download by unknown customers, you may not get a feedback in case of 'false positives'. This means, you won't even get the opportunity to have tiring discussions with the customer at all, because he will simply delete your program.

Yes, unfortunately. But it is also understandable. If I download a tool and upload it to VT for checking and then immediately get a dozen virus findings reported, I would think twice about whether I really want to start the EXE.

Also because I'm an application programmer, not a security expert. That is why I have made several "assumptions" on this topic, which are simply based on my experience and research.

 

Quote

For such cases I create a small Setup.exe (using Inno Setup ). It contains the AutoIt Interpreter, the .a3x file and a .cmd to start the script.

I also used Inno Setup for our game project. Otherwise I have been using NSIS (Nullsoft Scriptable Install System) for a long time. But creating an installer just to get around the virus scanner problems is not ideal. Problems should be solved, not circumvented.

Especially because one of the strengths of AI3 is its independence. Some of the suggestions made here would undermine this strength. Don't get me wrong, I'm interested in solutions.

 

13 hours ago, mLipok said:

Which ones?
Please enumerate them.

I can't answer by heart. But tonight I can look it up on the relevant PC. At least I still know which community the tool belongs to and where there were problems with the UDFs. And I also know for sure that this was not a standard UDF of the AI3 package, but either from here or from another AI3 forum. Since the tool definitely doesn't need a 64-bit environment, I didn't write any notes back then. At that time I had just tested it out of interest. Then there is another tool, which is no longer being developed anyhow. It's still used, but it has lost its relevance.

 

23 hours ago, jpm said:

It seems too me that runnning a 64-bit .exe gives less positive perhaps none at least with Windefender

I have now applied your tip and tested my current project with the 64-bit core. It all seems to be working. Then I will create the next update - in which more than 30KB of code has been added - with the 64-bit variant. According to the current VT report, there are "only" 12 false positives instead of 18. After all. But that's still way too much. ^^

19 hours ago, LukeWCS said:

As for the abbreviation: So when I'm with the neighbors (other communities) then I also use "AutoIt", because probably nobody knows what is meant by AI3 or associates something completely different with it. But when I'm practically at home (here in the forum), everyone should know what that means. ;)

Uh... well, when you abbreviated AutoIt as AI, I assumed Artificial Intelligence until I read Musashi's post... If I had to abbreviate AutoIt, I'd probably use Au3, but even that's a stretch.

17 hours ago, Musashi said:

using Inno Setup

Ooooh, I like that! Thanks for the suggestion!


5 hours ago, seadoggie01 said:

Ooooh, I like that! Thanks for the suggestion!

I created a little Inno Setup script for you with which you can add an .a3x file, a starter .cmd and the suitable AutoIt.exe into a Setup.

I extracted the code from one of my much more comprehensive scripts, but it should fit. I still use the Inno Setup software 5.6.1 (there is a newer one available).

-> Install the current version of Inno Setup and create a project directory (e.g. c:\Innoprojects\MyTool)

-> Copy the attached .zip file into this directory and unzip it there.

-> Open MyTool.iss with the Inno editor and click on BUILD -> COMPILE (CTRL + F9)

==> The result is a setup file that installs (more precisely copies) the relevant files into a directory of your choice.

==> The AutoIt script 'MyTool' itself is just a dummy application and serves only for demonstration purposes.

I named the project 'MyTool', but you can change the name and the .bmp's to whatever you like. If you still have questions, you are welcome to write me a PM (others of course as well). Maybe it would even be better to create an own thread in a more suitable forum area.

Testfiles.zip



Hey guys, you could check my way of trying to avoid false positives too. Maybe you can find something of interest.

Any feedback is also appreciated.

 
