Windows Defender blocking resource updates during compile, reports Trojan:Win32/AutoitShellInj!pz

[SteveSchumacher]

Using 3.3.14.5, tested also on current version 3.3.16.1, same problem.

This popup during a compile attempt (compiled fine about a week ago):

+>09:17:55 AU3Check ended.rc:0
>Running:(3.3.14.5):C:\Program Files (x86)\AutoIt3\aut2exe\aut2exe_x64.exe  /in "D:\TFS\***\Dev\Install\AutoIT\9.4\***.au3" /out "C:\Users\****\AppData\Local\AutoIt v3\Aut2exe\~AUA723.tmp.exe" /nopack /icon "D:\TFS\***\Dev\Install\AutoIT\9.4\Install.ico" /comp 2
+>09:17:59 Aut2exe.exe ended.C:\Users\*******\AppData\Local\AutoIt v3\Aut2exe\~AUA723.tmp.exe. rc:0
>09:17:59 Performing the Program Resource Update steps:
!>09:17:59 Error: Failed to enumerate RT_VERSION resources, using defaults.
! Removal UpdateResource: RT_VERSION/1 - LastError:87:The parameter is incorrect.
+ UpdateResources other: $result[0] = 0 - LastError:87:The parameter is incorrect.
...>Updating Program Version information.
!>09:17:59 Error: Failed to enumerate RT_MANIFEST resources, using defaults.
...>Setting Program ExecutionLevel Manifest information to asInvoker
...>Setting Program Compatibility Manifest information to Windows10
+ UpdateResources other: $result[0] = 0 - LastError:87:The parameter is incorrect.
...>Updating Program Manifest information.
!>09:18:00 Error: EndUpdateResource: Returncode = 0 - LastError:1400:Invalid window handle.rc:2
!>09:18:00 Error: Program Resource updating Failed. The output program will not contain the Resource updates!rc:2

If I comment out the #AutoIt3Wrapper_Res_<RESOURCENAME=***> lines, this avoids the problem

If I add (I can't add exclusions at work but am about to request one) an exclusion for the directory %userprofile%\AppData\Local\AutoIt v3, this avoids the problem.

What Windows Defender reports:

 

[argumentum]

5 minutes ago, SteveSchumacher said:

If I comment out the #AutoIt3Wrapper_Res_<RESOURCENAME=***> lines, this avoids the problem

then, what is the resource that triggers the antivirus ?

[SteveSchumacher]

Guessing it was the method used of inserting any resource, but good thought, I'll try inserting one at a time and see if it's one in particular. As said, this compiled as is, resource-wise, just fine, I think Dec. 8th.

[SteveSchumacher]

Uncommented out the first resource "Description", and this caused the failure. Will try each of the others singly...
Fileversion, ProductName, ProductVersion, CompanyName, LegalCopyright, Language, each of these singly triggered the error and the Windows Defender finding.

[Andreik]

I got this error too yesterday in the same situation by adding description at compile time. I turned off Real Time Protection of Windows Defender and it was done. This app is the real malware.

[SteveSchumacher]

Agreed. I'm too dumb to know if AutoIT's method of resource adding is suspect versus any other development package's method or if it's just that a non-MS-stamped exe did the deed, or tried to. 

[Andreik]

Just disable WD and compile your executable. AutoIt it's just fine.

[Nine]

Or Just whitelist those :

AutoIt3 folder

AppData folder

Script folder

[pseakins]

There was a Windoze update last night. Just went to recompile a script  and got the same error.
Followed @Nine's advice and whitelisted AutoIt3 folder, AppData folder and Script folder.

I don't want this Microsoft big brother protection but they make it very hard to disable.

[Andreik]

7 minutes ago, pseakins said:

I don't want this Microsoft big brother protection but they make it very hard to disable.

It's not that hard. I disabled Windows Defender permanently from Group Policy.

Edited December 15, 2023 by Andreik

[argumentum]

31 minutes ago, pseakins said:

big brother protection but they make it very hard to disable.

; Microsoft Defender is a pain to disable on your system because of multiple fail-safe methods built into Windows Security.
; So, disable Tamper Protection and then run this below to disable Microsoft Defender.
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
reboot
; However, do not leave your system open to malware infestation, and use a third-party antivirus if you don’t like Defender.

 

[JuergenAlfing]

Hy there
had the same problem today but find a solution

Simple use #pragma 
that works @ my site WIN10 22H2 latest security updates
 

#Region ;**** Directives created by AutoIt3Wrapper_GUI ; That works only****
#AutoIt3Wrapper_Icon=X:\OM_MUC\MopsIt\MucDecode.ico
#AutoIt3Wrapper_Outfile_x64=MucDecode64.exe
#AutoIt3Wrapper_UseX64=y
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****

;~ Try pragma's for further APP infos instead of using  AutoIt3Wrapper_<Resources>
#pragma compile(AutoItExecuteAllowed, True)
#pragma compile(ExecLevel, asInvoker)
#pragma compile(FileDescription, DB Browser for My SQLITE Base)
#pragma compile(ProductName, MucDecode )
#pragma compile(ProductVersion, 3.3.16.1)
#pragma compile(FileVersion, 2023.12.19.65) ; The last parameter is optional.
#pragma compile(LegalCopyright, © My Company System Incorporated)
#pragma compile(CompanyName, 'My Company System Incorporated')

see more in AutoIt Help  #pragma ....

Watch results in details of EXE properties ....