yutt

Kaspersky False Positives

21 posts in this topic

#1 ·  Posted (edited)

I know this has happened in the past. Is there anything we can do about it? Any application I make with AutoIT is being detected as "infected by Trojan-Downloader.Win32.Agent.axn" by Kaspersky.

It's ridiculous, as even a completely blank compiled script is detected as this trojan. I've contacted Kaspersky, but somehow don't think that will help much.

Edited by yutt

It is a waste of energy to be angry with a man who behaves badly, just as it is to be angry with a car that won't go. - Bertrand Russell




I know this has happened in the past. Is there anything we can do about it? Any application I make with AutoIT is being detected as "infected by Trojan-Downloader.Win32.Agent.axn" by Kaspersky.

It's ridiculous, as even a completely blank compiled script is detected as this trojan. I've contacted Kaspersky, but somehow don't think that will help much.

If you compile with the official release 3.2.0.1 the .exe is signed, so Kaspersky should trust it. At least that is what we designed it for, to have fewer false alarms. :)


If you compile with the official release 3.2.0.1 the .exe is signed, so Kaspersky should trust it. At least that is what we designed it for, to have fewer false alarms. :)

I'll try that out right now, thanks.


No luck. Even a completely blank compiled script is being detected as infected with the trojan. You can test yourself here:

http://www.kaspersky.com/scanforvirus

Rather annoying, as I am uploading my application to a public site and many are suspicious about using it after someone detected the trojan. :)



No luck. Even a completely blank compiled script is being detected as infected with the trojan. You can test yourself here:

http://www.kaspersky.com/scanforvirus

Rather annoying, as I am uploading my application to a public site and many are suspicious about using it after someone detected the trojan. :)

Compiled a script with 3.2.1.3

Kaspersky File Scanner

You're clean!

Kaspersky Anti-Virus has not detected any viruses at this time in the file you submitted.

However, only a fully-functional antivirus solution with regularly updated virus definitions can ensure comprehensive protection against malware. If you do not have an antivirus solution installed, you may wish to consider purchasing one today.

* Download a trial version of Kaspersky Anti-Virus

* Purchase Kaspersky Anti-Virus in our E-Store

* Purchase Kaspersky Anti-Virus from a certified partner


Common sense plays a role in the basics of understanding AutoIt... If you're lacking in that, do us all a favor, and step away from the computer.


Compiled a script with 3.2.1.3

What is not so funny is that 3.2.1.3 is not signed. :)


Beta worked, thanks very much guys. :)



What is not so funny is that 3.2.1.3 is not signed. :)

JP, thinking about your remark: what would the signing do for the AV companies?

I thought the signing only makes the check for legitimate binaries possible, but when AV companies make their AV kernel test for a portion of the binary instead of the actual script portion, this is the result.

I don't think the AutoitSC.bin is signed at all ....


Visit the SciTE4AutoIt3 Download page for the latest versions        Beta files                                                          Forum Rules
 
Live for the present,
Dream of the future,
Learn from the past.
  :)


JP, thinking about your remark: what would the signing do for the AV companies?

I thought the signing only makes the check for legitimate binaries possible, but when AV companies make their AV kernel test for a portion of the binary instead of the actual script portion, this is the result.

I don't think the AutoitSC.bin is signed at all ....

My answer was derived from what JON told me. I have to admit that I cannot understand how AutoItSC.bin can be signed and the resulting compiled .exe can be signed.

So I hope JON can clarify what he did to have fewer or no false alarms. :)


My answer was derived from what JON told me. I have to admit that I cannot understand how AutoItSC.bin can be signed and the resulting compiled .exe can be signed.

So I hope JON can clarify what he did to have fewer or no false alarms. :)

As far as I know he made it easier for the AV companies to detect which portion of the EXE is the Runtime module and which portion the "script" to enable them to recognise malicious scripts ....


As far as I know he made it easier for the AV companies to detect which portion of the EXE is the Runtime module and which portion the "script" to enable them to recognise malicious scripts ....

Yeah, the script portion of the .exe is wrapped by unique tags which in theory make it easy to find the script portion and write AV signatures for that...not that we've noticed.

The two other things were not compressing autoit3.exe (to make it more different from UPX compiled scripts) and adding a legitimate digital signature. The signature is more for XP SP2 and Vista where you get nasty "omg are you sure you want to run this unsigned installer??" messages and also it gives a better description in things like Windows Defender - not really anything to do with AV.

AutoItSC.bin is indeed NOT signed by us as compiled scripts would then be signed which would be crazy.

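As an added example (not code from this thread or from AutoIt itself) of the split Jon describes: a compiled image treated as a runtime stub followed by a script wrapped in marker tags, with each part hashed separately. The marker bytes, the stub and the `build` helper are constructed placeholders, since the page does not give the real tags; hashing the sections shows why a signature taken over the shared runtime also fires on a blank script, while one taken over the script section only matches the file that actually carries that script.

```python
import hashlib

# Constructed placeholder markers: the real AutoIt wrapper tags are not given
# on the page, so these only stand in for the mechanism described in the thread.
SCRIPT_START = b"<<SCRIPT-BEGIN>>"
SCRIPT_END = b"<<SCRIPT-END>>"


def build(runtime: bytes, script: bytes) -> bytes:
    """Constructed stand-in for the compiler: stub followed by the wrapped script."""
    return runtime + SCRIPT_START + script + SCRIPT_END


def split_compiled(image: bytes) -> dict:
    """Split an image into its runtime stub and embedded script; 'script' is
    None when no well-formed wrapped script is present (no tags, or a start
    tag without its end tag, i.e. a truncated or tampered wrapper)."""
    start = image.find(SCRIPT_START)
    if start < 0:
        return {"runtime": image, "script": None}
    body = start + len(SCRIPT_START)
    end = image.find(SCRIPT_END, body)
    if end < 0:
        return {"runtime": image[:start], "script": None}
    runtime = image[:start] + image[end + len(SCRIPT_END):]
    return {"runtime": runtime, "script": image[body:end]}


def section_hashes(image: bytes) -> dict:
    """SHA-256 of the whole file, of the runtime alone and of the script alone."""
    parts = split_compiled(image)
    script = parts["script"]
    return {
        "whole": hashlib.sha256(image).hexdigest(),
        "runtime": hashlib.sha256(parts["runtime"]).hexdigest(),
        "script": hashlib.sha256(script).hexdigest() if script is not None else None,
    }


if __name__ == "__main__":
    stub = b"MZ...constructed runtime stub..."
    blank = section_hashes(build(stub, b""))
    hello = section_hashes(build(stub, b'MsgBox(0, "hi", "hello")'))
    # Same runtime hash, different script hash: a signature written over the
    # runtime fires on the blank script too (the false positive in this thread),
    # while one written over the script section fires only on that script.
    print("runtime match:", blank["runtime"] == hello["runtime"])
    print("script match: ", blank["script"] == hello["script"])
```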

I for one would LOVE to have this AV problem cleared up once and for all

I have taken on AVG, and am reporting to them immediately any false positives..

But there are too many AV programs that could HURT US - BEFORE they update their respective data files

All previous programs are either deleted or placed in a "vault" and most users won't touch that area.... it's killing AutoIt in reality

thanks for the efforts guys!

8)



You guys should compile a slightly different release of AutoIt for people who are serious about AutoIt and have proven themselves worthy of using such a program. This version would not be open to the public and only certain members of the forum would be able to access it once they have proven themselves to be trustworthy individuals. The compiled version would be a slightly different release and the antivirus scanners shouldn't detect them as viruses. This would work so long as the trustworthy individuals didn't write viruses themselves, which IMO would be highly unlikely. At this point, any person with an internet connection has the ability to write a malicious script with AutoIt. This is similar to the problem you guys faced with having AutoIt completely open source; people were stealing it and using it in their own programs without giving you credit. This seems to be a similar problem because people are stealing your script engine to do their malicious bidding.

I don't know, just thought I would throw this out in the open.

The Kandie Man


"So man has sown the wind and reaped the world. Perhaps in the next few hours there will no remembrance of the past and no hope for the future that might have been." & _"All the works of man will be consumed in the great fire after which he was created." & _"And if there is a future for man, insensitive as he is, proud and defiant in his pursuit of power, let him resolve to live it lovingly, for he knows well how to do so." & _"Then he may say once more, 'Truly the light is sweet, and what a pleasant thing it is for the eyes to see the sun.'" - The Day the Earth Caught Fire


AutoIT Pro, AutoIT Lite, and AutoIT VE (virus edition)? :)


I don't know, just thought I would throw this out in the open.



I disabled AVG resident shield until they release new correct definition files.

You may also add exception directories to resident shield options instead of disabling it.

Look at other threads about that:

http://www.autoitscript.com/forum/index.ph...st&p=210483

http://www.autoitscript.com/forum/index.ph...st&p=217339


You guys should compile a slightly different release of AutoIt for people who are serious about AutoIt and have proven themselves worthy of using such a program. This version would not be open to the public and only certain members of the forum would be able to access it once they have proven themselves to be trustworthy individuals. The compiled version would be a slightly different release and the antivirus scanners shouldn't detect them as viruses. This would work so long as the trustworthy individuals didn't write viruses themselves, which IMO would be highly unlikely. At this point, any person with an internet connection has the ability to write a malicious script with AutoIt. This is similar to the problem you guys faced with having AutoIt completely open source; people were stealing it and using it in their own programs without giving you credit. This seems to be a similar problem because people are stealing your script engine to do their malicious bidding.

I don't know, just thought I would throw this out in the open.

The Kandie Man

Kandie Man, are you kidding?

Absolute nonsense!


Kandie Man, are you kidding?

Absolute nonsense!

:)

# MY LOVE FOR YOU... IS LIKE A TRUCK- #
