Trojan Horse... in Autoit exe files

I just recently updated my Beta and Scite 3/4 days ago and since then my virus scan has deleted all my compiled scripts... ( normal... even the older exe's ), however this time it is after the SciTE Updatedefs.exe

Maybe the virus was on your PC before downloading. Who knows :D (JdeB, thanks for the correction, my English is very bad, as you know).

i542.

I can do signature me.


...then why wouldn't it have flagged a false positive at the first scan I did after a fresh install instead of waiting until now?...

Okay, let me see if I can lay out a scenario/timeline that would explain this...

Some dates are mythical:

A new version of SciTE4AutoIt3 was released 02 June 2006

(The file named UpdateDefs.exe was packed with UPX version 1.25 and some beta version of AutoIt.)

You installed SciTE4AutoIt3 on - let's say - 05 June 2006

(and AVG had no problem with the file named UpdateDefs.exe at that time)

On 12 June 2006, AVG discovers a "bad file" written in a language other than AutoIt, but packed with UPX version 1.25.

That same day, AVG releases a signature update file that marks all files packed with UPX version 1.25 as bad. It now marks all compiled AutoIt scripts as bad. Some person(s) sends one or more false positive report(s) to AVG with respect to AutoIt files. AVG modifies the sig file to look for a combination of the UPX packer and a signature unique to the version(s) of AutoIt submitted as a false positive(s).

On 13 June 2006, you download/install the latest sig file and scan your HD. It flags UpdateDefs.exe because it was packed with UPX version 1.25 and a version of AutoIt not submitted as a false positive.

If you are still awake...

I do not use compiled AutoIt scripts except to give to others. (Okay, I use one or two that are not critical.) I've had all compiled AutoIt3 scripts be flagged by AVG, then I restore them after the next AVG update (restored from a server running Trend Micro AV) and they are okay... then about a month later they are marked as bad again (and nothing changed on my end). This cycle continued until I uninstalled AVG and stopped recommending it to those I support. I had no fear of the scripts since I wrote them, and for comparison I kept Symantec's corporate version AV software running (and set to the highest heuristic level). SAV never flagged an AutoIt related file.

I now install avast! where I can, but I cannot keep as close an eye on its performance track record because it will not install alongside SAV corporate edition.

I will give AVG credit for fast updates (but perhaps they are too aggressive)... more than once, AVG caught a "bad file" coming in through e-mail several hours before SAV released a sig file for that same file (and I update the sig file for SAV every hour).

Add to the mix the fact that there are some "bad files" made with AutoIt3 and you can see how AVG might revert to triggering off of the UPX pack only, until further effort can be put into past AutoIt related false positive reports and until new false positive reports come in.

A new version of UPX (2.01) was released on 06 June 2006... maybe packing UpdateDefs.au3 with that version will make your AVG software happy. [I think that is what JdeB was saying in his post.] Or just wait for a better sig file from AVG.



Who is the cat here, and who the mouse?

Let's see what avast! says (updated 2 minutes ago)...

No viruses! I run:

  • one compiled script
  • autoit program file
i542

P.S. No viruses at all.



:P

Ain't mixed nothing except that hell's "keine".

Um... we know that this isn't a trojan, read the posts. We were discussing why it was being flagged as a trojan when it isn't. :D The point isn't what scanner you use, it's what other people use that are going to be using your programs. I don't want my programs being flagged as a virus with ANY scanner, but it seems this is an unrealistic dream at the present date.

HereWasPlato:

Thanks for the reply. I understand now. I don't know a whole lot about the functionality of virus scanners, but your post has helped to further my understanding.

Nomad :D


I don't want my programs being flagged as a virus with ANY scanner, but it seems this is an unrealistic dream at the present date.

Include that information in the readme file. Create some sci-fi code; you are extreme programmers, not I. Contact the antivirus company and tell them to delete that info. This is like killing air.

i542.



I got tired of AVG killing my exe files. I finally gave up and went to avast!

No issues since.

I second that, only took once for me, and that was once too many!! Avast is a treat to use.

Common sense plays a role in the basics of understanding AutoIt... If you're lacking in that, do us all a favor, and step away from the computer.
