Are my AutoIt exes really infected?

[jchd]

45 minutes ago, eagle4life69 said:

I think too many bad guys are using Autoit

The issue is elsewhere: since it's sooo easy to detect AutoIt exes, cheap AV companies believe it's a valuable move for to flag them all.  That increases their "success rate" at zero cost since they can't care less about false positives...

Call that " security through genocide".

[iamtheky]

Look at this from the distant past of....2 days ago

https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Autoit-COE/detailed-analysis.aspx

An 828kb compiled exe?  The only way you get it under 850 is upx, and the only way you stay that way is if you dont do much of shit in that script.  That is the surefire 2 step way to  get flagged by every AV, and pretty much the only way aside from the occasional bad rule that gets pushed.

[Nine]

Started a week or two ago, one of my script (that I have been using for years) is being detected as a Trojan:Win32/Bearfoos.A!ml .  I am on Win7 with MSSE.  It is obviously another case of false positive.   Just wanted to let you know...

[Earthshine]

you can get them to white-list it, I had MS do it online, it's free and fast.

[fastlane65]

First - I love AutoIt.  Very entrenched in it.  But the virus issue has me hamstrung.

I work in the corporate world.  I take a lot of in-house and third party software installs and wrap them in an AutoIt exe to ensure a standard process for internal and external clients.  Every script I compile is getting flagged.  I need an alternative since I can't get install scripts approved by all the AV vendors immediately at 2 AM.

I use Autoit because I inherited the process from a retiree.  is there another comparable software that won't get flagged by AV?  InstallShield seems like overkill.  What else is out there? 

[Jos]

1 hour ago, fastlane65 said:

I need an alternative since I can't get install scripts approved by all the AV vendors immediately at 2 AM.

Wrong forum to ask.  

Jos

[fastlane65]

16 minutes ago, Jos said:

Wrong forum to ask.  

Jos

What forum do you suggest?

[Jos]

Powershell probably is the way to go when you feel you really need to change, but have no recommendations other then "Google is your friend".
Autoit3 can work as well when the original Autoit3.exe is used and you run a3x versions of a script.....   your choice.  

Jos

[fastlane65]

I do  a lot of Powershell but many scripts need to be compiled for portability and security (passwords and such.)  Thanks.

 

[BrewManNH]

17 minutes ago, fastlane65 said:

security (passwords and such.) 

AutoIt isn't the language for you then, compiled scripts aren't secure unless dealing with just the usual user types.

[JLogan3o13]

38 minutes ago, fastlane65 said:

I do  a lot of Powershell but many scripts need to be compiled for portability and security (passwords and such.)  Thanks.

PowerShell is portable on anything built in the last 10 years.

If you are embedding passwords you're doing it wrong, regardless of the language you choose.

Edited July 19, 2019 by JLogan3o13

[iamtheky]

First, why cant you whitelist hashes locally on your corporate AV?

Next,

try upx=n prior, but if still fails then show us the script.

If you are just fileinstalling and running commands, then that should fix it.

You probably cant compress or obfuscate it if it is only those simple behaviors because it is literally, except for your path/filename, every autoit dropper ever. 

 

*Also, everyone who has the script can read those passwords in plain text with minimal effort and many different ways.

 

 

Edited July 19, 2019 by iamtheky

[Neutro]

On 7/19/2019 at 9:27 PM, fastlane65 said:

First - I love AutoIt.  Very entrenched in it.  But the virus issue has me hamstrung.

I work in the corporate world.  I take a lot of in-house and third party software installs and wrap them in an AutoIt exe to ensure a standard process for internal and external clients.  Every script I compile is getting flagged.  I need an alternative since I can't get install scripts approved by all the AV vendors immediately at 2 AM.

I use Autoit because I inherited the process from a retiree.  is there another comparable software that won't get flagged by AV?  InstallShield seems like overkill.  What else is out there? 

You need to understand that AV softwares work in 2 ways:

 - they detect files that have the same signature as already detected viruses files. This is what the first post of this topic is about. It's basically a "is this file identical to this one?" process.

- they use "heuristics detection systems" that inspect what the softwares are doing. It's basically a "does this software act alike what most virus are doing?" process.

The problem you're having here is that since you're developping exe that install softwares and change system setting they do similar things as what real viruses are doing, so it triggers the heuristic detection system of AV.

Which means even if you switch to another programming language you'll probably still encounter the same problems with AV.

In other words, there is no solution to your problem that would allow you to bypass AV checks. So you need to deal with them. Easiest and fastest way is to add your exe to whitelist system, at an AV server level preferably or client level if not possible.

Longer but more durable way is what we're all doing in this topic: after the fast way is ok, report the false positive to the different AV companies so that they update their signature base and heuristic detection system to work more precisely.

Welcome to our world

 

Edited August 23, 2019 by Neutro

[bowain]

On 7/19/2019 at 2:27 PM, fastlane65 said:

First - I love AutoIt.  Very entrenched in it.  But the virus issue has me hamstrung.

I work in the corporate world.  I take a lot of in-house and third party software installs and wrap them in an AutoIt exe to ensure a standard process for internal and external clients.  Every script I compile is getting flagged.  I need an alternative since I can't get install scripts approved by all the AV vendors immediately at 2 AM.

I use Autoit because I inherited the process from a retiree.  is there another comparable software that won't get flagged by AV?  InstallShield seems like overkill.  What else is out there? 

I had my work create a signing cert which I sign all my code with. I have a batch set up that is run after the compilation to do the signing.

The cert is recognized by the AV and that way I don't have to whitelist each exe. I do a lot of revisions and complies to test things so whitlisting hashes is a hassle. Also some remote devices don't update as they should so this eliminates that issue as well.

 

[mLipok]

Do any AV software have a feature to add exclusion which will allow to run exe but only when all following condition will fit:

1. specyfic selected single exe file
2. only for this single exe file version 
3. single known virus threat

What I want to achieve:
I want to add an exclusion for single file, but only for single known virus threat, and only for the EXE version which I know, because if the file was changed then this is not the same file which I give him a green light, and because the rule in security is to give permissions as little as possible, so why should I exclude a file from checking completely?

[Nine]

You could setup Window authorizations to limit any user to replace that specific .exe file.  Or simply put the file on readonly.  I never saw an AV that supported your 2. + 3. features. But I might be wrong 

[Danp2]

@mLipok With Webroot, you can add an exclusion based on MD5 hash.

[Jokerman]

On 8/23/2019 at 9:47 AM, bowain said:

I had my work create a signing cert which I sign all my code with. I have a batch set up that is run after the compilation to do the signing.

The cert is recognized by the AV and that way I don't have to whitelist each exe. I do a lot of revisions and complies to test things so whitlisting hashes is a hassle. Also some remote devices don't update as they should so this eliminates that issue as well.

 

I'd like to start by saying that I've experienced pretty much everything that has been mentioned in this thread - quarantined exes for completely innocuous code, compiled exes flagged as infected months or years after they've been sitting idle in an archive folder, the same script being flagged intermittently each time I compile it, you name it. I knew that would be unacceptable if we released our product in that condition so I researched for many days (probably weeks) before our initial release. This is the route we ended up choosing and I honestly couldn't be happier with the results. After we started signing all of our executables using a reputable code signing cert we no longer get flagged by Windows Defender - even using UPX with maximum compression. We've had rare issues with other AV providers but they've been so rare (easily less than 10 total over the past 18 months) it's really been a non-issue. If you already have a corporation setup I highly recommend doing this sooner rather than later. To be upfront, it does have a cost - both in time (generally 1-4 weeks from application to receiving your cert) and money (<$100/year) - but user trust and peace of mind are (very nearly) priceless.

Once you have the code signing cert downloaded and installed you can simply add a line to the top of your script to have SciTE automatically sign your newly compiled exe as the final step in the compile process. Something like this:

#AutoIt3Wrapper_Run_After=""%ProgramFiles(x86)%\Windows Kits\....\signtool.exe" sign /tr http://timestamp.comodoca.com/?td=sha384 /td SHA384 /a "%out%""

Also, if you have concerns about Windows Defender being reliable and accurate AV software you can let those concerns go. While it's true Windows Defender has had issues in the past, they were in the beginning of Microsoft's attempts at AV and things have improved significantly since then. If you want to check it out for yourself you can Google it or go here: https://www.techspot.com/news/81396-windows-defender-ranked-joint-best-antivirus-program.html (Fyi, up until about 5 years ago I'd been in IT for >20 years doing anywhere from tech support to Windows/Network Admin. In other words, basically dealing with viruses/rootkits/malware/ransomware on a daily basis because of users or customers lacking the wherewithal to not click the link in the email from an unknown source claiming their inheritance is waiting. 🤦‍♂️)

Edit: Btw, in case anyone does want to go this route I can recommend https://www.thesslstore.com/. I'm not affiliated with them in any way except for that's where I purchased our cert from and I can attest that we received it and it works exactly as I've described. We went with the standard Comodo Code Signing cert. The EV certs are more expensive because they require more background evaluation to be done to verify the entity applying for the cert. It may be advantageous in particular circumstances but isn't necessary to simply avoid AV quarantine.

Also, the other unmentioned advantage is your exes are now digitally signed. While for most customers this won't make a difference, if you're using your scripts in a corporate environment this may be a major peace-of-mind bonus since it's easy to verify the authenticity of your exes and they have certain assurances the exes haven't been tampered with. 👍

Edited September 21, 2019 by Jokerman
Additional info

[Mobius]

Is it me or are AV companies and digital signature companies fading out hobbyist coders and not just those that use interpreted languages either, okay if you are in a corporate environment or are looking to sell your work fine pay your dues to this self sustaining industry, those that do this for fun and knowledge shouldn't really be held to ransom on the off chance we craft something worthy of distribution.

[JLogan3o13]

@Mobius Just curious, if you were one of the big AV companies - how would you police and decide who is a hobbyist and who is not, so that you could apply different levels of response logic?