
Are my AutoIt exes really infected?


On 8/23/2019 at 8:47 AM, bowain said:

I had my work create a signing cert which I sign all my code with. I have a batch set up that is run after the compilation to do the signing.

The cert is recognized by the AV and that way I don't have to whitelist each exe. I do a lot of revisions and compiles to test things, so whitelisting hashes is a hassle. Also, some remote devices don't update as they should, so this eliminates that issue as well.

 

Does a certificate really guarantee your app won't get flagged?  We have a client that says our app was getting quarantined, so we signed it with Entrust CA.  Apparently Windows Defender is still flagging it, but now at least he gets an option to run it anyway.  There's a little bit of an English issue, but we're going to set up a laptop here with the same version of MS Windows Defender and see if we can duplicate it in-house.


29 minutes ago, quickbeam said:

Does a certificate really guarantee your app won't get flagged?

No, it has zero effect; that's not even what certs are for.

Certificates verify the author (not that the file is certified clean). It's the code equivalent of a pretty cursive signature.

 

That being said, you can whitelist things in your enterprise AV based on any value. A cert is as valid a value in that sense as any other.

Edited by iamtheky

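The two posts above describe the workflow (sign after compilation, then check how the signed binary is treated) without showing it. The following is an added example, not bowain's batch file or anything from the AutoIt project: a post-build PowerShell step that signs the compiled exe with signtool.exe from the Windows SDK and then reads the signature back the way Windows does. The timestamp URL, the assumption that signtool.exe is on PATH, and the certificate being in the CurrentUser\My store are all placeholders to adjust.

```powershell
# Added example: post-build Authenticode signing and verification for a compiled AutoIt exe.
# Assumptions: signtool.exe (Windows SDK) is on PATH; the signing cert is in CurrentUser\My.
param(
    [Parameter(Mandatory)][string]$ExePath,
    [string]$Thumbprint,                                      # omit to let signtool choose (/a)
    [string]$TimestampUrl = 'http://timestamp.digicert.com'   # placeholder: any RFC 3161 TSA
)

if (-not (Test-Path -LiteralPath $ExePath)) { throw "Not found: $ExePath" }

# 1. Sign with a SHA-256 file digest and an RFC 3161 timestamp, so the signature
#    remains valid after the certificate itself expires.
$signArgs = @('sign', '/fd', 'SHA256', '/tr', $TimestampUrl, '/td', 'SHA256')
if ($Thumbprint) { $signArgs += @('/sha1', $Thumbprint) } else { $signArgs += '/a' }
& signtool.exe @signArgs $ExePath
if ($LASTEXITCODE -ne 0) { throw "signtool failed with exit code $LASTEXITCODE" }

# 2. Read the signature back. Status 'Valid' means the chain is trusted and the file is
#    unmodified since signing. It identifies the signer; it says nothing about the content.
$sig = Get-AuthenticodeSignature -FilePath $ExePath
[pscustomobject]@{
    File       = $ExePath
    Status     = $sig.Status
    Message    = $sig.StatusMessage
    Signer     = $sig.SignerCertificate.Subject
    Thumbprint = $sig.SignerCertificate.Thumbprint
    TimeStamp  = $sig.TimeStamperCertificate.Subject
}
```

Run it as `.\sign-build.ps1 -ExePath .\MyTool.exe` from the same batch that calls Aut2exe. The Subject and Thumbprint it prints are the values an enterprise AV publisher or certificate rule keys on, which is the whitelisting iamtheky refers to; a 'Valid' status on its own does not stop a heuristic or machine-learning detection, which is why quickbeam's client still saw the prompt.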

  • 2 weeks later...

I create a website builder with AutoIt. The method is to merge text files and photos to build the website. Very simple. I scan the au3 file with VirusTotal. No virus. But when I scan the exe file, it is regarded as malware by some virus scanners. I submitted the software to CNET. They reply that approval is not given unless the problem is solved.


1 hour ago, JLogan3o13 said:

@Musashi why would you link to the exact same thread? 

I had given the link to this thread as an answer in another thread. There the OP described his problems with "false positives". Later the thread was merged/moved in here by a moderator, including my contribution. Now my answer is outside its original context and therefore appears pointless ;).

Perhaps it would be a good idea to simply remove the link.

Edited by Musashi


  • 2 weeks later...

Productive work with the newest AutoIt version is no longer possible under Windows 10. Windows Defender permanently reports a virus when the script has been compiled and the ".EXE" file is saved in an automatically synced OneDrive folder (e.g. Downloads or Desktop etc.). This means that online transfers to other users are no longer possible and the files no longer execute there.

best regards Chris


15 hours ago, Eishockeyfan said:

Productive work with AutoIt Newest Version is no longer possible under Windows 10.

Did you really think, for as long as AutoIt has supported Windows 10 (on systems with Defender), that if this was the case it wouldn't have been advertised far and wide??

In the future, rather than making a definitive statement such as this and then having to come back and retract it, perhaps start by asking a question in the forum about the problems you're encountering.

Edited by JLogan3o13


  • 1 year later...

Well, if you can't submit to anyone, you're out of luck. Without source, no AV company can do anything.


10 hours ago, Tripredacus said:

Some recent update to Defender in Windows 10 (noticed today) means that some AutoIt .exe files are being detected as Trojan:Win32/Fuerboos.D!cl and being quarantined automatically.

Considering your post count, you'll probably know the following info already ;). Furthermore, this has been mentioned numerous times in this and other threads. Just in case it has escaped your attention until now, here is a brief summary (simplified) :

Compile your scripts in a3x format instead of exe.

To execute a3x scripts on the target machine, there are several ways, e.g. :

  • Install AutoIt, then you can execute a3x scripts similar to .exe by double-clicking. However, this option is often not desired by the recipient. If the scripts should only run on your own computer this is irrelevant, because an AutoIt installation already exists.
  • Copy the appropriate file(s) AutoIt3.exe or AutoIt3_x64.exe to the target computer. Associate the extension a3x with the interpreter (AutoIt3.exe). Execution of a3x scripts by double-clicking possible. Since this requires a change in the registry of the target computer, it may also be undesirable.
  • Copy the appropriate file(s) AutoIt3.exe or AutoIt3_x64.exe to the target computer. a3x files can be executed e.g. via a .cmd or a shortcut. This is the least invasive variant.

I have switched all my scripts to the a3x format and since then virtually no problems with virus software anymore :).

Regarding security : au3 scripts will be embedded as a3x when compiling an .exe, so there are no differences.

 

==> Definitely worth a look is the solution from @Exit , see : au3tocmd-avoid-false-positives

Edited by Musashi
typo


  • 2 months later...

If at all possible, compile your exes as 64-bit. This trick no longer works in AutoIt v3.3.16.0
When compiled as 32-Bit, I get as many as 12-18 virus detections from VirusTotal.
The exact same script, compiled as 64-Bit, only has 2-3 detections.

Almost all Windows computer systems these days are 64-Bit operating systems.

Take NOTICE: special considerations are required for the Windows Registry, Windows\System* files and ProgramFiles* directories.

Edited by Shark007
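Musashi's a3x deployment variants and Shark007's 32-bit versus 64-bit observation are both things you can test from one build script rather than by hand. Here is an added example, not code from either poster or from the AutoIt project: it compiles one script into an x86 exe, an x64 exe and an a3x, scans each artefact with Defender's on-demand scanner, records its SHA-256 for a vendor submission, and writes the .cmd launcher for the least invasive a3x variant. Assumptions, all labelled in the code: the default AutoIt install path, the Aut2exe `/x86`, `/x64`, `/in` and `/out` switches, that Aut2exe emits an .a3x when the output name ends in `.a3x`, the MpCmdRun.exe exit codes, and the build paths.

```powershell
# Added example (not from the thread). Paths below are assumptions; adjust to your machine.
$AutoItDir = 'C:\Program Files (x86)\AutoIt3'            # default install location
$Aut2Exe   = Join-Path $AutoItDir 'Aut2Exe\Aut2exe.exe'
$MpCmdRun  = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
$Script    = 'C:\build\MyTool.au3'
$OutDir    = 'C:\build\out'
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

# One source, three artefacts. Assumption: an /out name ending in .a3x makes Aut2exe write an a3x.
$builds = @(
    @{ Name = 'MyTool_x86.exe'; Flags = @('/x86') },
    @{ Name = 'MyTool_x64.exe'; Flags = @('/x64') },
    @{ Name = 'MyTool.a3x';     Flags = @() }
)

$results = foreach ($b in $builds) {
    $out = Join-Path $OutDir $b.Name
    # Aut2exe is a GUI-subsystem binary, so wait for it explicitly instead of using '&'.
    $argList = @('/in', "`"$Script`"", '/out', "`"$out`"") + $b.Flags
    $p = Start-Process -FilePath $Aut2Exe -ArgumentList $argList -Wait -PassThru
    if ($p.ExitCode -ne 0 -or -not (Test-Path -LiteralPath $out)) {
        Write-Warning "compile failed for $($b.Name) (exit $($p.ExitCode))"
        continue
    }

    # Hash before scanning: a detection may quarantine the file, and the hash is what you
    # submit to the AV vendor as the false-positive sample identifier.
    $sha256 = (Get-FileHash -LiteralPath $out -Algorithm SHA256).Hash

    # On-demand scan of just this file. Assumption: MpCmdRun returns 0 for clean, 2 for a detection.
    & $MpCmdRun -Scan -ScanType 3 -File $out | Out-Null
    [pscustomobject]@{
        Artefact = $b.Name
        Flagged  = ($LASTEXITCODE -eq 2)
        ScanExit = $LASTEXITCODE
        SHA256   = $sha256
    }
}

# Least invasive a3x deployment from Musashi's post: ship the interpreter beside the script
# and start it from a .cmd, so nothing has to be registered on the target machine.
Copy-Item -LiteralPath (Join-Path $AutoItDir 'AutoIt3.exe') -Destination $OutDir -Force
@'
@echo off
"%~dp0AutoIt3.exe" "%~dp0MyTool.a3x" %*
'@ | Set-Content -LiteralPath (Join-Path $OutDir 'MyTool.cmd') -Encoding ASCII

$results | Format-Table -AutoSize
```

Run it after every revision and diff the Flagged column: if only the x86 build trips, you have reproduced Shark007's result for your script. Shark007's caveat still applies to the x64 build: a 64-bit process sees the native registry, System32 and Program Files rather than the WOW64 views, so a script that was written assuming 32-bit redirection needs to be checked before you switch.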

  • 3 months later...
On 7/18/2021 at 5:53 AM, IlanMS said:

When using VirusTotal, several anti-viruses that are not listed here false positive

Not surprising when the original list was compiled 15 years ago ;)

The workaround is the same, as mentioned numerous times throughout this thread, there are things you can do to mitigate false positives. Failing these suggestions, you need to contact the AV vendor.

 

 


  • 1 month later...

Two weeks ago I started having issues whenever I compiled one of my projects.
The funny thing is that the solution to all my problems was to add the following line at the top of my scripts:

If Not @Compiled Then ConsoleWrite('ESET')

Today it started happening for my other projects.

 

I also remember such case:

Several years ago, I was working on corrections to one of my projects. I had been working on the corrections for several hours.

At the end, when I achieved the desired effect, I noticed that I had a linguistic error (a typo) in one of the messages. So I literally corrected one letter and sent the amendment to the update server.

Then, in a remote connection (TeamViewer) at the client's workstation, I wanted to finally update the product.

It turned out that changing one letter in the program code regarding the displayed message may cause the heuristic methods of antivirus programs to recognize the program as a virus.

Edited by mLipok



  • 9 months later...

Not sure where to post this, but this week I've been programming again and discovered that my newly compiled scripts are being flagged as infected with "Trojan:Win32/Sabsik.FL.A!ml".

It's an obvious false positive. And Defender doesn't even let me create an exception (the only way around this is to tell Defender to skip the folder(s) where I am compiling the scripts).

IMPORTANT: this only affects the 32-bit version and not the 64-bit one. So at least there's a workaround.

IMPORTANT: this also affects the beta version in the same way.

I did send the 'offending' .EXE to Microsoft, but there's no way of telling them this is an actual false positive.

 

Here are a few version numbers for you

AutoIt version : 3.3.16.0

Windows version : 19044.1706 (21H2) 

Defender client version : 4.18.2203.5

Defender engine : 1.1.19200.6

Defender version : 1.367.1454.0

Anti-Spyware version : 1.367.1454.0

 

Here's the script that got flagged (as you can see, there's nothing offending here). I've compiled a few scripts and I get the same issue. 

#Region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_Version=Beta
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****
; Test 01: test the CLSIDs
; Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders --> {374DE290-123F-4565-9164-39C4925E467B}
#include <File.au3>
#include <Array.au3>

; Read the folder path stored under this known-folder GUID in the current user's shell folders
Local $sChemin = RegRead('HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders', '{374DE290-123F-4565-9164-39C4925E467B}')
; List every entry in that folder and show the result
Local $aDir = _FileListToArray($sChemin, "*")

_ArrayDisplay($aDir)

If this is in the wrong section, please tell me where I can post this. 

Edited by obiwanceleri

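The post above gathers exactly the information an AV vendor asks for in a false-positive report (engine and signature versions, detection name, file) and applies a folder exclusion as a workaround. The following is an added example, not obiwanceleri's code or anything from the AutoIt project, showing how to pull that same data from the Defender PowerShell module and how to apply the exclusion narrowly. The build folder path is an assumption; `Add-MpPreference` needs an elevated prompt. The `!ml` suffix on the detection name above is Microsoft's marker for a machine-learning-based verdict, which is why the detection surfaces without a classic signature to point at.

```powershell
# Added example (not from the thread). $BuildDir is an assumption; run elevated for step 3.
$BuildDir = 'C:\build\out'

# 1. The version numbers listed in the post above come from the AM client status.
Get-MpComputerStatus |
    Select-Object AMProductVersion, AMEngineVersion,
                  AntivirusSignatureVersion, AntispywareSignatureVersion

# 2. What was flagged, on which file, and what Defender did about it.
Get-MpThreatDetection |
    Where-Object { $_.Resources -match [regex]::Escape($BuildDir) } |
    ForEach-Object {
        $t = Get-MpThreat -ThreatID $_.ThreatID
        [pscustomobject]@{
            When   = $_.InitialDetectionTime
            Threat = $t.ThreatName          # e.g. Trojan:Win32/Sabsik.FL.A!ml
            Action = $_.CleaningActionID     # 2 = quarantine in Defender's enumeration
            Files  = ($_.Resources -join '; ')
        }
    }

# 3. The workaround from the post: exclude only the compile folder, nothing wider.
#    Real-time protection no longer looks at anything written there, so keep it to the
#    directory where Aut2exe drops output and remove it again when the detection is fixed.
Add-MpPreference -ExclusionPath $BuildDir
Get-MpPreference | Select-Object -ExpandProperty ExclusionPath
```

Paste the output of steps 1 and 2 together with the file's SHA-256 into the vendor's false-positive form; that, not the exclusion, is what eventually makes the detection go away for your users as well. `Remove-MpPreference -ExclusionPath $BuildDir` undoes step 3.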
