MattX Posted May 22, 2006

This may have been posted already but if not here goes - at the moment CA's EZ Antivirus has decided to remove most of my compiled scripts as it thinks they are worms [ Win32/Auti.A worm ]

Anyway I have recovered them from my backups and told the prog not to scan my scripts dir etc - so this is just a heads up for anyone using this AV product.

Apologies if someone has mentioned this already...

Confuzzled Posted May 22, 2006

What signature pattern versions do you have loaded that are giving the false positives?

MattX (Author) Posted May 22, 2006

> What signature pattern versions do you have loaded that are giving the false positives?

Sig are 2221 [ latest ]
Product Ver 7.0.6.7
Engine 12.4.1

MattX (Author) Posted May 22, 2006

> What signature pattern versions do you have loaded that are giving the false positives?

I've been trailing through the knowledge base of CA and can't find much info on reporting false positives so I've given up - I have more important things to do.....

MrSmiley Posted May 22, 2006

On a related note, I recently had a problem with a certain compiled AutoIt script. The file kept being deleted from the file server by a certain user, but the user himself denied doing anything to cause it. This drove me nuts for several weeks. Finally, I discovered that "AOL - Security Edition" was the culprit. Apparently their spyware zapper or antivirus or whatever was seeing the file as a trojan and deleting it, but not, I hasten to point out, until AFTER it had already been executed.

Now how this benefits the end user I cannot begin to fathom; analogies about horses and barn doors spring to mind, but the real puzzler is why AOL feels it's appropriate to arbitrarily delete files from a file server without warning. All part of that "user experience" I guess.

Unfortunately, it's physically impossible to communicate with AOL support unless you're a paying member, which is one thing I shall never ever be. I'd rather have all eight of my legs pulled off by a sadistic 10 year old than join AOL.

slightly_abnormal Posted May 22, 2006

Err.. I got a few positives with ewido saying my scripts were trojans.. a lot of them. I'm curious what was the code?

MattX (Author) Posted May 22, 2006

> Err.. i got a few positives with ewido saying my scripts were trojans.. alot of them. I'm curious what was the code?

This is the code of one of mine it deleted - odd thing is it's an 8 line launch script !! How it thinks it's a worm is beyond me...

    ; AutoIt Version: 3
    ; Language: English
    ; Platform: WinXP
    ; Author: Matt
    ; Script Function: Script that Launches Boardworks Boardworks Science

    Run("C:\Program Files\Boardworks\KS2 Science\KS2 Science.exe")
    BlockInput(1)
    Sleep(3000)
    If WinExists("KS2 Science") Then
        Send("{ENTER}")
    Else
        Exit
    EndIf

Jos (Developers) Posted May 22, 2006

> This is the code of one of mine it deleted - odd thing is its a 8 line launch script !! How it thinks its a worm is beyond me...

What AutoIt3 version did you compile it with ?

Live for the present, Dream of the future, Learn from the past.

Blue_Drache Posted May 22, 2006

I'll guess that it's the way the .EXE is packed after compiling. Most viruses are disguised by an .EXE packer as an additional stealth layer, making it that much more difficult for an AV product to detect it.

I see two possible scenarios:

1) Perhaps the compiled form of a number of executables with the UPX backend falsely match a known virus pattern.
2) The AV company in question was sent an .EXE made with AutoIt that performed some sort of nasty operation.

Lofting the cyberwinds on teknoleather wings, I am...The Blue Drache

dbenoit Posted May 23, 2006

Hello the world,

This morning 2 of our customers called us because of automatic updates of their anti-virus that had destroyed all of their AutoIt script based .exe files.

I tested it myself. Zone Alarm and Inoculate are deleting any AutoIt code installed on a PC !!!!

On my own development machine, it had deleted 326 .exe files (some of my scripts were compiled 2 years ago).

This is a disaster.

Any solution to protect our work from the devastating action of anti-viruses ?

Dominique

SmOke_N (Moderators) Posted May 23, 2006

> Hello the world,
> This morning 2 of our customers called us because of automatic updates of their anti-virus that had destroyed all of their AutoIt script based .exe files.
> I tested it myself. Zone Alarm and Inoculate are deleting any AutoIt code installed on a PC !!!!
> On my own development machine, it had deleted 326 .exe files (some of my scripts were compiled 2 years ago).
> This is a disaster.
> Any solution to protect our work from the devastating action of anti-viruses ?
> Dominique

Try compiling it with the latest release of Beta. Then contact the companies that are giving False Positives, and you will probably need to provide your code to prove this.

Common sense plays a role in the basics of understanding AutoIt... If you're lacking in that, do us all a favor, and step away from the computer.

dbenoit Posted May 23, 2006

> Try compiling it with the latest release of Beta. Then contact the companys that are giving False Positives, and you will probably need to provide your code to prove this.

I will do so, for sure...

This is a worldwide major issue for any of the AutoIt developers.

Even a one line AutoIt code like EXIT, compiled with AutoIt, is deleted by Inoculan or by Zone Alarm.

This is new... Yesterday everything was fine. Today, because of virus database updates, millions of AutoIt code users are going to lose their scripts.

In fact anti-viruses are going to act as a destroying virus for many AutoIt users worldwide.

Dominique

SmOke_N (Moderators) Posted May 23, 2006

> I will do so, for sure...
> This is a worldwide major issue for any of the AutoIt developers.
> Even a one line AutoIt code like EXIT, compiled with AutoIt, is deleted by Inoculan or by Zone Alarm.
> This is new... Yesterday everything was fine. Today, because of virus database updates, millions of AutoIt code users are going to lose their scripts.
> In fact anti-viruses are going to act as a destroying virus for many AutoIt users worldwide.
> Dominique

It makes you keep up with the changes for sure.

MattX (Author) Posted May 23, 2006

> What AutoIt3 version did you compile it with ?

The one bundled with ver 3.1.1

Do you think it makes a difference ?

SmOke_N (Moderators) Posted May 23, 2006

> The one bundled with ver 3.1.1
> Do you think it makes a difference ?

Yes ... Try compiling with the Latest Beta .

TheSaint Posted May 23, 2006

> Yes ... Try compiling with the Latest Beta .

I hope that works for you, let us all know if it does ... some of us have a lot of older scripts - though I don't use the companies mentioned, you never know when the others might start doing the same thing (I use AVG & Sygate, and only ever manually do a scan (except emails, etc)).

Of course it always pays to backup (especially programs you put your heart & soul into).

I hope other AutoIt users take note of this, especially the keylogger lovers - we all need to be reminded, that we are at the mercy of the ANTI-VIRUS companies - they could make life very difficult for us.

Any virus writers who love using AutoIt for other non viral activities, just remember ... DON'T SHIT IN THE BED YOU LIKE SLEEPING IN!

Make sure brain is in gear before opening mouth! Remember, what is not said, can be just as important as what is said.
What is the Secret Key? Life is like a Donut
If I put effort into communication, I expect you to read properly & fully, or just not comment. Ignoring those who try to divert conversation with irrelevancies. If I'm intent on insulting you or being rude, I will be obvious, not ambiguous about it. I'm only big and bad, to those who have an over-active imagination. I may have the Artistic Liesense to disagree with you.
TheSaint's Toolbox (be advised many downloads are not working due to ISP screwup with my storage)

TheSaint Posted May 23, 2006

> I think it is "Don't shit where you eat."
> Lar.

That too!

And while I've got your attention, can you please help me with Gui button click timed

I would greatly appreciate it from someone of your expertise!

Tim