
Are my AutoIt exes really infected?



  • 5 months later...

I'm not a regular contributor here but if the @argumentum digital signing tool works, I think it would be good to add it to the "AutoIt and Malware" page (https://www.autoitscript.com/wiki/AutoIt_and_Malware) as well as the "solution" post on this thread.




  • 2 months later...

See for example here:
https://www.joesandbox.com/analysis/722827/0/html

and here:
https://www.virustotal.com/gui/file/8b7098c44275d0203c23f2ce56c0e913c0d6b6d2264bc537e8a9f0a9f07badc9/community

and here:
https://cuckoo.cert.ee/analysis/3853341/summary/

Maybe it makes sense to mention on the Downloads page and/or Wiki? So people are not getting too frustrated.

Or even reach out (if possible) to at least some of the community resources to ask them to whitelist AutoIt itself, by SHA256 maybe.


7 hours ago, 62mkv said:

Maybe it makes sense to mention on the Downloads page and/or Wiki? So people are not getting too frustrated.

Wouldn't curb things as much as you might think. We have tried things like that in the past; there is even an entire thread dedicated to false positives that people see, why they occur, and what to do about them. Yet people continue to post issues they encounter because they don't stop to read.


  • 5 months later...

Not too sure if this is the kind of feedback this thread is looking for, but lately I have been getting Windows Defender flagging my executable. This is an exe I have been using for years, written entirely by me of course, not even using additional UDFs outside of the included functions. Trojan:Win32/Bearfoos.A!ml



  • 2 months later...

Hiding an AutoIt GUI with WinSetState Triggers a False Detection

I think I found at least one of the reasons for false detection by Windows Defender. A couple of years ago, I submitted my zPlayer.exe to the Microsoft Defender ATP team for malware analysis and they removed the detection. I repeated this process several times whenever I made small changes in the code. After about 10 rounds of this process, the false detection stopped and I thought I was, sort of, given the freedom to make whatever changes I wanted. But that abruptly changed recently and Windows Defender started to flag my exe again. So I submitted the file again, and they said they had to maintain the detection. I compared the code of the last previous version, which was not detected, with the current one and I found a clue. My program has a video control GUI on top of the video image created by winmm.dll. The current version has a new function to hide the video image including the video control, and I used the WinSetState command for both of them. The video image is not my GUI, so GUISetState does not work on it anyway. I thought it would be OK to use WinSetState for the video control as well. And that was the mistake. Just out of curiosity I replaced WinSetState with GUISetState for hiding the video control, and the false detection stopped. So the lesson I learned is: do not hide an AutoIt GUI with WinSetState.

Edited by CYCho

To follow up with another possible issue I noticed that triggers false positives: how arrays are formed.

This will trigger false positives:
Local $arrName = ['3G1', '3G2', '3G3', '3G4', '3G5', '3G6', '3G7', '3G8', '3G9']

This does not trigger false positives:
Local $arrName[9] = ['3G1', '3G2', '3G3', '3G4', '3G5', '3G6', '3G7', '3G8', '3G9']


  • 2 months later...
Publisher:  Unknown publisher

I think there's a push for having everything "known", as in who made it.
Even corporate PCs will be changed/replaced to ones that have a TPM. The CPU serial number was rejected by the community, but now, with all those "data hack/stolen/CallItWhatYouWill" incidents, the push, based on fear (in my view) to accept a "safe" everything, all it does is to have everything known. Who made it. Who is liable.
That is my conclusion, even though each aspect has its own story line that will clearly toss away what I have come to understand as superstition. My 2 cents.

Bottom line, software wise, is to apply an "Extended Validation (EV) Code Signing" or have a high volume of samples running around to ramp up the credit score, the fame score. Again, my 2 cents.

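Added example, not code from any post in this thread and not part of AutoIt itself: a PowerShell function that reports the two things the "whitelist by SHA256" suggestion above and the "Publisher: Unknown publisher" point turn on, the file's SHA256 and its Authenticode signature status. Get-FileHash and Get-AuthenticodeSignature are standard PowerShell cmdlets; the path, the allow-list entry and the signtool command in the comment are placeholders.

```powershell
# Added example, not code from this thread or from AutoIt. Reports what an
# allow-list or an AV vendor keys on for a compiled AutoIt exe: SHA256 and
# Authenticode signature status. Paths and allow-list entries are placeholders.

function Get-ExeTrustInfo {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string] $Path,

        # SHA256 (upper-case hex, as Get-FileHash emits it) -> label of a build
        # you have already vetted, e.g. one Microsoft cleared after submission.
        [hashtable] $KnownGood = @{}
    )

    $file = Get-Item -LiteralPath $Path
    $sha  = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName

    [pscustomobject]@{
        File        = $file.Name
        SizeBytes   = $file.Length
        SHA256      = $sha
        OnAllowList = $KnownGood.ContainsKey($sha)
        # 'NotSigned' is what the Windows dialog renders as "Publisher: Unknown publisher".
        # 'Valid' means the cert chains to a trusted root; 'NotTrusted' means it does not
        # (e.g. self-signed); 'HashMismatch' means the file was modified after signing.
        SigStatus   = $sig.Status.ToString()
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        TimeStamped = [bool] $sig.TimeStamperCertificate
    }
}

# Usage (placeholder path; the placeholder hash is the SHA256 of empty input, so
# it will never match a real exe; replace it with the hash of a build you vetted):
$known = @{
    'E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855' = 'vetted build'
}
Get-ExeTrustInfo -Path 'C:\build\MyScript.exe' -KnownGood $known | Format-List

# To replace "Unknown publisher" with a named signer, sign the build before
# distributing it, e.g. with the Windows SDK signtool (certificate file and
# timestamp server are examples; an EV certificate additionally lives on a
# hardware token or HSM rather than in a .pfx):
#   signtool sign /fd SHA256 /f mycert.pfx /p <password> /tr http://timestamp.digicert.com /td SHA256 MyScript.exe
# Signing changes the file bytes, so the SHA256 above changes too: re-hash after
# signing, and allow-list the signed file, not the unsigned one.
```

Two caveats worth keeping in mind when reading the output: a signature gives the file a stable signer identity for reputation to accumulate on, it does not by itself override a heuristic or ML verdict such as the Bearfoos.A!ml one reported above; and an allow-list keyed on SHA256 has to be refreshed for every rebuild, which is exactly why a per-build "submit to Microsoft" loop gets tedious.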

26 minutes ago, argumentum said:

Bottom line, software wise, is to apply an "Extended Validation (EV) Code Signing"

True, but that comes at a cost and I am only willing to provide my time to this and other projects. ;) 

