MattX

EZ AntiVirus

17 posts in this topic

This may have been posted already but if not here goes - at the moment CA's EZ Antivirus has decided to remove most of my compiled scripts as it thinks they are worms [ Win32/Auti.A worm ]

Anyway I have recovered them from my backups and told the prog not to scan my scripts dir etc - so this is just a heads up for anyone using this AV product.

Apologies if someone has mentioned this already...


What signature pattern versions do you have loaded that are giving the false positives?

Sigs are 2221 [latest]

Product Ver 7.0.6.7

Engine 12.4.1

I've been trawling through the knowledge base of CA and can't find much info on reporting false positives, so I've given up - I have more important things to do..... :)

On a related note, I recently had a problem with a certain compiled AutoIt script. The file kept being deleted from the file server by a certain user, but the user himself denied doing anything to cause it. This drove me nuts for several weeks.

Finally, I discovered that "AOL - Security Edition" was the culprit. Apparently their spyware zapper or antivirus or whatever was seeing the file as a trojan and deleting it, but not, I hasten to point out, until AFTER it had already been executed.

Now how this benefits the end user I cannot begin to fathom; analogies about horses and barn doors spring to mind, but the real puzzler is why AOL feels it's appropriate to arbitrarily delete files from a file server without warning. :)

All part of that "user experience" I guess.

Unfortunately, it's physically impossible to communicate with AOL support unless you're a paying member, :( which is one thing I shall never ever be. I'd rather have all eight of my legs pulled off by a sadistic 10 year old than join AOL.

Err.. I got a few positives with ewido saying my scripts were trojans.. a lot of them.

I'm curious what was the code?

This is the code of one of mine it deleted - the odd thing is it's an 8-line launch script!! How it thinks it's a worm is beyond me...

; AutoIt Version:   3
; Language:         English
; Platform:         WinXP
; Author:           Matt
; Script Function:  Launches Boardworks KS2 Science and dismisses its start-up prompt

; The path contains spaces, so it is wrapped in double quotes for Run().
Run('"C:\Program Files\Boardworks\KS2 Science\KS2 Science.exe"')

BlockInput(1)                 ; keep the user's keyboard and mouse out while the app loads
Sleep(3000)                   ; give the application time to show its window

If WinExists("KS2 Science") Then
   Send("{ENTER}")            ; accept the start-up prompt
EndIf

BlockInput(0)                 ; always hand input back before leaving
Exit

What AutoIt3 version did you compile it with ?

Visit the SciTE4AutoIt3 Download page for the latest versions | Beta files | Forum Rules
 
Live for the present,
Dream of the future,
Learn from the past.
  :)

I'll guess that it's the way the .EXE is packed after compiling. Most viruses are disguised by an .EXE packer as an additional stealth layer, making it that much more difficult for an AV product to detect it.

I see two possible scenarios:

1) Perhaps the compiled form of a number of executables with the UPX backend falsely match a known virus pattern.

2) The AV company in question was sent an .EXE made with AutoIt that performed some sort of nasty operation.


Lofting the cyberwinds on teknoleather wings, I am...The Blue Drache

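The post above puts the blame on the packer layer rather than the script itself. When you want to check that theory on your own compiled files, or prepare a false-positive report for the AV vendor, it helps to have a small tool that reads the PE section table (UPX names its sections UPX0/UPX1/UPX2) and records a SHA-256 hash of the exact file that was flagged. The following Python script is an added example written for this thread; it is not code from the original posts, from AutoIt, or from UPX. The `build_fake_pe` helper constructs a non-executable byte blob laid out like a PE header purely as sample input, and the section-name heuristic is an assumption: a packer can rename its sections, so a miss does not prove the file is unpacked.

```python
"""Inspect a Windows PE file for UPX-style section names and hash it.

Added example for this thread, not code from the original posts,
AutoIt or UPX. Only the PE fields needed for the check are parsed:
the MZ stub, e_lfanew, the COFF header and the section table.
"""
import hashlib
import struct

# Default section names used by the UPX packer (assumption: a packer can
# rename these, so a miss is not proof that the file is unpacked).
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}


def section_names(data):
    """Return the section names listed in the PE section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # start of the COFF file header
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size               # section table follows the optional header
    names = []
    for i in range(num_sections):
        entry = table + 40 * i                 # each IMAGE_SECTION_HEADER is 40 bytes
        raw = data[entry:entry + 8]            # 8-byte, NUL-padded name
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_upx_packed(data):
    """True if any section carries a default UPX section name."""
    return any(name in UPX_SECTION_NAMES for name in section_names(data))


def sha256_hex(data):
    """Hash of the exact bytes that were flagged, for the vendor report."""
    return hashlib.sha256(data).hexdigest()


def report(data):
    """Collect what a false-positive report to an AV vendor should carry."""
    return {
        "sha256": sha256_hex(data),
        "size": len(data),
        "sections": section_names(data),
        "upx_packed": looks_upx_packed(data),
    }


def build_fake_pe(names):
    """Constructed sample input: a PE-shaped blob with the given section names.

    It has no optional header and no code, so it is not executable; it
    exists only so the parser above can be exercised offline.
    """
    e_lfanew = 0x40
    blob = bytearray(b"MZ" + b"\0" * (0x3C - 2))
    blob += struct.pack("<I", e_lfanew)                 # e_lfanew at offset 0x3C
    blob += b"\0" * (e_lfanew - len(blob))
    blob += b"PE\0\0"
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    blob += struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0, 0x0102)
    for name in names:
        blob += name.encode("ascii").ljust(8, b"\0") + b"\0" * 32
    return bytes(blob)


if __name__ == "__main__":
    import sys
    paths = sys.argv[1:]
    if not paths:                                       # no files given: run on the constructed sample
        print(report(build_fake_pe(["UPX0", "UPX1", ".rsrc"])))
    for path in paths:
        with open(path, "rb") as fh:
            print(path, report(fh.read()))
```

Run it against the flagged .exe files (`python pe_check.py *.exe`) and keep the output alongside the original source when you send the sample to the vendor; the hash lets them confirm they are looking at the same file, and the section list shows whether the detection is likely keyed on the packer rather than on your script.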
Hello the world,

This morning 2 of our customers called us because automatic updates of their anti-virus had destroyed all of their AutoIt script based .exe files.

I tested it myself.

Zone Alarm and Inoculate are deleting any AutoIt code installed on a PC!!!!

On my own development machine it had deleted 326 .exe files (some of my scripts were compiled 2 years ago).

This is a disaster.

Any solution to protect our work from the devastating action of anti-viruses?

Dominique

Try compiling it with the latest release of Beta. Then contact the companies that are giving false positives, and you will probably need to provide your code to prove this.

[center]Common sense plays a role in the basics of understanding AutoIt... If you're lacking in that, do us all a favor, and step away from the computer.[/center]

I will do so, for sure...

This is a worldwide major issue for all AutoIt developers.

Even a one line AutoIt code like

Exit, compiled with AutoIt, is deleted by Inoculan or by Zone Alarm.

This is new... Yesterday everything was fine. Today, because of virus database updates, millions of AutoIt code users are going to lose their scripts.

In fact anti-viruses are going to act as a destroying virus for many AutoIt users worldwide.

Dominique

It makes you keep up with the changes for sure.


What AutoIt3 version did you compile it with ?

The one bundled with ver 3.1.1

Do you think it makes a difference ?

Yes ... Try compiling with the Latest Beta .


I hope that works for you, let us all know if it does ... some of us have a lot of older scripts - though I don't use the companies mentioned, you never know when the others might start doing the same thing (I use AVG & Sygate, and only ever manually do a scan (except emails, etc)).

Of course it always pays to backup (especially programs you put your heart & soul into).

I hope other AutoIt users take note of this, especially the keylogger lovers - we all need to be reminded, that we are at the mercy of the ANTI-VIRUS companies - they could make life very difficult for us. Any virus writers who love using AutoIt for other non viral activities, just remember ... DON'T SHIT IN THE BED YOU LIKE SLEEPING IN!

TheSaints' Robust Chat

Make sure brain is in gear before opening mouth!
Remember, what is not said, can be just as important as what is said.

If I put effort into communication, I expect you to read properly & fully, or just not comment.
Ignoring those who try to divert conversation with irrelevancies.
If I'm intent on insulting you or being rude, I will be obvious, not ambiguous about it.
I'm only big and bad, to those who have an over-active imagination.

I may have the Artistic Liesense ;) to disagree with you. TheSaint's Toolbox

I think it is "Don't shit where you eat."

Lar.

That too!

And while I've got your attention, can you please help me with Gui button click timed

I would greatly appreciate it from someone of your expertise!

Tim


