Are my AutoIt exes really infected?


I have it fixed on my side, added an exception for that particular scan.

I was more or less posting for the information of others that there is a new release, so they can have a heads up.

For the long term I am actually thinking of using a unique file extension for my scripts and adding an extension exception, so that any new false positives will not affect us.


  • Developers

Hey ViciousXUSMC two replies not bad ;)

Seriously guys you know you could stem all the repetition (by both posters and responders) by simply locking the thread.

Agree, but let's then also agree that this logic would apply to way too many threads, so that ain't happening unless they spin out of control. :)

Jos

SciTE4AutoIt3 Full installer Download page   - Beta files       Read before posting     How to post scriptsource   Forum etiquette  Forum Rules 
 
Live for the present,
Dream of the future,
Learn from the past.
  :)

For the long term I am actually thinking of using a unique file extension for my scripts and adding an extension exception, so that any new false positives will not affect us.

It is quite an interesting approach ViciousXUSMC

Could you please give an example how would you do that?


Firstly, sorry if I somehow posted in a thread I should not have. I figured we would have a community thread to post notices of new false positives for other users to get a heads up; this thread was the first to come up in a search.

Second, topten.

All I did was go to HKLM\SOFTWARE\Classes\.exe and look at what registry keys .exe uses to be executed.

I then created my own key with my extension to tell Windows that .XXX is basically executed the same as an .exe, so that way a user would not get a "how should I open this file" dialog.

Rename any of my compiled AutoIT.exes to my new file extension.

In the corporate virus software control center add an exception to allow .XXX to run without being flagged as a virus.

This was the most "proactive" fix for me as it fixes it now and going forward with little risk.

The original short term fix was to just add the particular "virus" to the whitelist, but then down the road a new one could come up and cause trouble all over again.

Regards,
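As an added example (my own code, not ViciousXUSMC's and not anything posted in this thread): a PowerShell audit that walks the extension keys under HKLM\SOFTWARE\Classes, the same place the post above looks, and reports every extension Windows would launch directly as an executable, either because its ProgID is exefile or because its shell\open\command is the bare "%1" %* pattern. It is the inventory check an administrator wants after adopting the custom-extension approach, since each such extension paired with an AV exclusion is a file type that is no longer scanned. The function name Get-ExecutableExtensions is mine; everything else is standard PowerShell registry provider usage.

```powershell
# Added example, not from the thread: list file extensions under
# HKLM\SOFTWARE\Classes that Windows treats as directly executable, so that a
# custom ".XXX" mapped onto exefile (and any AV exclusion that goes with it)
# shows up in a review instead of being forgotten.

function Get-ExecutableExtensions {
    [CmdletBinding()]
    param(
        # Registry location to audit; HKLM\SOFTWARE\Classes is the machine-wide
        # file-association store the post above describes.
        [string]$ClassesPath = 'HKLM:\SOFTWARE\Classes'
    )

    # Reference point: how .exe itself is wired. Its ProgID is normally "exefile"
    # and exefile's open command is "%1" %*, i.e. "run the file as it is".
    $exeProgId = (Get-ItemProperty -Path (Join-Path $ClassesPath '.exe') -ErrorAction SilentlyContinue).'(default)'
    if (-not $exeProgId) { $exeProgId = 'exefile' }

    # Bare "%1" (optionally quoted, optionally followed by %*) means the file is
    # the program, not a document opened by some other program.
    $selfExecPattern = '^"?%1"?(\s+%\*)?$'

    Get-ChildItem -Path $ClassesPath -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like '.*' } |
        ForEach-Object {
            $ext    = $_.PSChildName
            $progId = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'(default)'
            if (-not $progId) { return }

            $cmdKey = Join-Path $ClassesPath "$progId\shell\open\command"
            $cmd    = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
            if (-not $cmd) { return }

            $reusesExeProgId = ($progId -eq $exeProgId)
            $selfExecuting   = ($cmd.Trim() -match $selfExecPattern)
            if (-not ($reusesExeProgId -or $selfExecuting)) { return }

            $reason = if ($reusesExeProgId) { 'ProgID is exefile' } else { 'open command runs the file directly' }
            [pscustomobject]@{
                Extension = $ext
                ProgId    = $progId
                Command   = $cmd
                Reason    = $reason
            }
        }
}

# Usage: reading HKLM\SOFTWARE\Classes needs no elevation.
Get-ExecutableExtensions | Sort-Object Extension | Format-Table -AutoSize
```

.exe, .com, .bat and .cmd are expected in the output, because their built-in ProgIDs use the same open command; anything unfamiliar in the list, particularly an extension that also carries an AV exclusion, is the thing to look at. The check only covers the shell\open verb, so an extension wired up through a different verb or through a per-user HKCU\SOFTWARE\Classes entry would need the same function pointed at that path.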

  • Developers

This is a pretty clever workaround with the only "limited" risk that a potential threat will read the registry and copy itself to this set extension, which then also isn't AV scanned any more.
The really nice thing about it is that all your distributed script executables won't be all wiped in one go when the AV company has a FU in the definition updates.

Jos


and now for something completely different:

from the beta 

unzipped with 7zip to au3beta

ESET NOD32 Antivirus detected Autoit3Help.exe

a variant of Win32/Injecto.ANNX trojan

Please note that ESET never complains about AutoIt EXEs. This is something new.

[screenshot: annx_trojan.png]

Skysnake

Why is the snake in the sky?


Symantec released this today, killing all my scripts out in the field and removing them via quarantine.

http://securityresponse.symantec.com/security_response/writeup.jsp?docid=2015-050111-5257-99&vid=4294922793

I guess I should submit a false positive report but the damage is done pretty fast :/

I had exactly the same problem today with one of my scripts.

Seems like it's a bad Symantec definitions update.

I will report this to them and hopefully they will fix it.


  • Developers

Autoit3Help.exe is a C++ compiled program, so it is indeed not related to the false positives regularly seen with the compiled scripts.

Jos

I had exactly the same problem today with one of my scripts.
Seems like it's a bad Symantec definitions update.

I will report this to them and hopefully they will fix it.

Case 08763017 opened at Symantec Support with my company account.

Will give update here when they answer me!

  • Moderators

GoravG,

This whole thread tells you that is NOT the case - although it seems you have not bothered to read any of it before posting.

M23

Any of my own code posted anywhere on the forum is available for use by others without any restriction of any kind

My UDFs:

ArrayMultiColSort ---- Sort arrays on multiple columns
ChooseFileFolder ---- Single and multiple selections from specified path treeview listing
Date_Time_Convert -- Easily convert date/time formats, including the language used
ExtMsgBox --------- A highly customisable replacement for MsgBox
GUIExtender -------- Extend and retract multiple sections within a GUI
GUIFrame ---------- Subdivide GUIs into many adjustable frames
GUIListViewEx ------- Insert, delete, move, drag, sort, edit and colour ListView items
GUITreeViewEx ------ Check/clear parent and child checkboxes in a TreeView
Marquee ----------- Scrolling tickertape GUIs
NoFocusLines ------- Remove the dotted focus lines from buttons, sliders, radios and checkboxes
Notify ------------- Small notifications on the edge of the display
Scrollbars ----------Automatically sized scrollbars with a single command
StringSize ---------- Automatically size controls to fit text
Toast -------------- Small GUIs which pop out of the notification area

Case 08763017 opened at Symantec Support with my company account.

Will give update here when they answer me!

Symantec asked me to fill a false positive report, which I did, giving my source code, the compiled exe and a link to the AutoIt website.

Currently waiting for an answer.


Symantec answer:

In relation to submission xxxxx.

Upon further analysis and investigation we have verified your submission and as such this detection will be removed from our products.

The updated detection will be distributed in the next set of virus definitions, available via LiveUpdate or from our website at http://securityresponse.symantec.com/avcenter/defs.download.html

Please note that whitelisting can take up to 24 hours to take effect.

Decisions made by Symantec are subject to change if alterations to the Software are made over time or as classification criteria and/or the policy employed by Symantec changes over time to address the evolving landscape.

If you are a software vendor, why not take part in our whitelisting program?
To participate in this program, please complete the following form: https://submit.symantec.com/whitelist


Sincerely,
Symantec Security Response
http://securityresponse.symantec.com

So it should be OK for the next virus definitions :)


You don't understand the problem at all. The UPX program is a compressor that is used by a lot of software, not just AutoIt. The problem is that the AV companies see all AutoIt scripts with the belief that it's "probably" a virus, so let's flag it as such. The problem has been beaten to death, and the issue is that the AV companies are lazy.
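An added illustration of the point above (my own code, not from the thread or the AutoIt project): UPX leaves recognisable section names in the PE section table, so a quick parse tells you whether a flagged binary is merely UPX-packed, which is useful context to include in a false-positive submission. The function names Get-PeSectionNames and Test-UpxPacked are mine; the header offsets are the standard PE layout.

```powershell
# Added example, not from the thread: read the PE section table of a file and
# report whether it carries UPX's section names (UPX0, UPX1, and UPX2 when
# present). A packed file is not evidence of malware; the check only tells you
# why a signature-happy scanner might have reacted to it.

function Get-PeSectionNames {
    param([Parameter(Mandatory)][string]$Path)

    $bytes = [System.IO.File]::ReadAllBytes($Path)

    # DOS header: "MZ" magic, then e_lfanew (offset of the PE header) at 0x3C.
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) {
        throw "Not an MZ executable: $Path"
    }
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)

    # "PE\0\0" signature reads as 0x00004550 little-endian.
    if ($peOffset -lt 0 -or $peOffset + 24 -gt $bytes.Length -or
        [BitConverter]::ToUInt32($bytes, $peOffset) -ne 0x4550) {
        throw "No PE signature at offset $peOffset in $Path"
    }

    # COFF file header follows the 4-byte signature:
    #   +2  NumberOfSections     (uint16)  -> $peOffset + 6
    #   +16 SizeOfOptionalHeader (uint16)  -> $peOffset + 20
    $numSections = [BitConverter]::ToUInt16($bytes, $peOffset + 6)
    $optHdrSize  = [BitConverter]::ToUInt16($bytes, $peOffset + 20)

    # The section table starts right after the optional header; each entry is
    # 40 bytes and begins with the 8-byte, NUL-padded section name.
    $sectionTable = $peOffset + 24 + $optHdrSize
    for ($i = 0; $i -lt $numSections; $i++) {
        $off = $sectionTable + 40 * $i
        if ($off + 8 -gt $bytes.Length) { break }
        [System.Text.Encoding]::ASCII.GetString($bytes, $off, 8).TrimEnd([char]0)
    }
}

function Test-UpxPacked {
    param([Parameter(Mandatory)][string]$Path)

    $names = @(Get-PeSectionNames -Path $Path)
    [pscustomobject]@{
        Path      = $Path
        Sections  = ($names -join ', ')
        # UPX names its sections UPX0, UPX1 (and UPX2 when it needs one).
        UpxPacked = [bool]($names | Where-Object { $_ -match '^UPX\d$' })
    }
}

# Usage: point it at the flagged file, or at a folder of compiled scripts.
# Get-ChildItem .\compiled\*.exe | ForEach-Object { Test-UpxPacked -Path $_.FullName }
```

Absence of the UPX names is not proof the file is unpacked: the section names can be renamed after packing, and other packers use their own. Presence of them, on a binary you built yourself, simply confirms the compressor was applied and can be stated as such in the report.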

You don't understand the problem at all. The UPX program is a compressor that is used by a lot of software, not just AutoIt. The problem is that the AV companies see all AutoIt scripts with the belief that it's "probably" a virus, so let's flag it as such. The problem has been beaten to death, and the issue is that the AV companies are lazy.

Yes, I do understand.

AutoIt Absolute Beginners    Require a serial    Pause Script    Video Tutorials by Morthawt   ipify 

Monkey's are, like, natures humans.


  • 4 weeks later...

I am writing this, taking the risk of being banned: I realize that the previous topic I started on this subject was closed.

I have a lot of confidence in the developers, so I do believe that when they write that there is no Trojan in AutoIt3Help.exe, I believe them; however, they should know that scans by virusTotal.com show mixed results. (Report available on request). 26 out of 51 anti-virus programs show it to be infected.

CDebug Dumps values of variables including arrays and DLL structs, to a GUI, to the Console, and to the Clipboard

  • Moderators

c.haslam,

No, you will not get banned - but you make yourself look very stupid. 

- Do you think you are the first to notice this? You are not.

- Is there a Trojan in the Help file? No.

- Have the AV companies been informed? No doubt - I personally inform AVG every time they hit on an AutoIt file.

So what more do you want us to do?

M23


  • Melba23 changed the title to Are my AutoIt exes really infected?
  • Melba23 pinned this topic
