EZ AntiVirus


This may have been posted already but if not here goes - at the moment CA's EZ Antivirus has decided to remove most of my compiled scripts as it thinks they are worms [ Win32/Auti.A worm ]

Anyway I have recovered them from my backups and told the prog not to scan my scripts dir etc - so this is just a heads up for anyone using this AV product.

Apologies if someone has mentioned this already...


What signature pattern versions do you have loaded that are giving the false positives?

I've been trawling through the knowledge base of CA and can't find much info on reporting false positives so I've given up - I have more important things to do..... :)


On a related note, I recently had a problem with a certain compiled AutoIt script. The file kept being deleted from the file server by a certain user, but the user himself denied doing anything to cause it. This drove me nuts for several weeks.

Finally, I discovered that "AOL - Security Edition" was the culprit. Apparently their spyware zapper or antivirus or whatever was seeing the file as a trojan and deleting it, but not, I hasten to point out, until AFTER it had already been executed.

Now how this benefits the end user I cannot begin to fathom; analogies about horses and barn doors spring to mind, but the real puzzler is why AOL feels it's appropriate to arbitrarily delete files from a file server without warning. :)

All part of that "user experience" I guess.

Unfortunately, it's physically impossible to communicate with AOL support unless you're a paying member, :( which is one thing I shall never ever be. I'd rather have all eight of my legs pulled off by a sadistic 10 year old than join AOL.


Err.. I got a few positives with ewido saying my scripts were trojans.. a lot of them.

I'm curious what was the code?

This is the code of one of mine it deleted - odd thing is it's an 8-line launch script!! How it thinks it's a worm is beyond me...

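; AutoIt Version:   3
; Language:         English
; Platform:         WinXP
; Author:           Matt
; Script Function:  Script that Launches Boardworks Boardworks Science

; Start the application
Run("C:\Program Files\Boardworks\KS2 Science\KS2 Science.exe")
; Block keyboard and mouse input while it loads
; (input is re-enabled automatically when the script exits)
BlockInput(1)
Sleep(3000)
; If the application window exists, send ENTER to the active window; otherwise quit
If WinExists("KS2 Science") Then
   Send("{ENTER}")
Else
   Exit
EndIf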

What AutoIt3 version did you compile it with ?

Live for the present,
Dream of the future,
Learn from the past.
  :)


I'll guess that it's the way the .EXE is packed after compiling. Most viruses are disguised by an .EXE packer as an additional stealth layer, making it that much more difficult for an AV product to detect it.

I see two possible scenarios:

1) Perhaps the compiled form of a number of executables with the UPX backend falsely matches a known virus pattern.

2) The AV company in question was sent an .EXE made with AutoIt that performed some sort of nasty operation.

Edited by Blue_Drache

Lofting the cyberwinds on teknoleather wings, I am...The Blue Drache


Hello the world,

This morning 2 of our customers called us because automatic updates of their anti-virus had destroyed all of their AutoIt script-based .exe files.

I tested it myself.

Zone Alarm and Inoculate are deleting any AutoIt code installed on a PC!!!!

On my own development machine, it deleted 326 .exe files (some of my scripts were compiled 2 years ago).

This is a disaster.

Any solution to protect our work from the devastating action of anti-viruses?

Dominique

Try compiling it with the latest release of Beta. Then contact the companies that are giving false positives, and you will probably need to provide your code to prove this.

Common sense plays a role in the basics of understanding AutoIt... If you're lacking in that, do us all a favor, and step away from the computer.

I will do so, for sure...

This is a worldwide major issue for any AutoIt developers.

Even a one-line AutoIt code like

EXIT, compiled with AutoIt, is deleted by Inoculan or by Zone Alarm.

This is new... Yesterday everything was fine. Today, because of virus database updates, millions of AutoIt code users are going to lose their scripts.

In fact, anti-viruses are going to act as a destroying virus for many AutoIt users worldwide.

Dominique

It makes you keep up with the changes for sure.

The one bundled with ver 3.1.1

Do you think it makes a difference ?

Yes ... Try compiling with the Latest Beta .

I hope that works for you, let us all know if it does ... some of us have a lot of older scripts - though I don't use the companies mentioned, you never know when the others might start doing the same thing (I use AVG & Sygate, and only ever manually do a scan (except emails, etc)).

Of course it always pays to backup (especially programs you put your heart & soul into).

I hope other AutoIt users take note of this, especially the keylogger lovers - we all need to be reminded, that we are at the mercy of the ANTI-VIRUS companies - they could make life very difficult for us. Any virus writers who love using AutoIt for other non viral activities, just remember ... DON'T SHIT IN THE BED YOU LIKE SLEEPING IN!

Edited by TheSaint

Make sure brain is in gear before opening mouth!
Remember, what is not said, can be just as important as what is said.

Spoiler

What is the Secret Key? Life is like a Donut

If I put effort into communication, I expect you to read properly & fully, or just not comment.
Ignoring those who try to divert conversation with irrelevancies.
If I'm intent on insulting you or being rude, I will be obvious, not ambiguous about it.
I'm only big and bad, to those who have an over-active imagination.

I may have the Artistic Liesense ;) to disagree with you. TheSaint's Toolbox (be advised many downloads are not working due to ISP screwup with my storage)

I think it is "Don't shit where you eat."

Lar.

That too!

And while I've got your attention, can you please help me with Gui button click timed

I would greatly appreciate it from someone of your expertise!

Tim
