JSThePatriot

Are my AutoIt EXEs really infected?


Jos
52 minutes ago, bdr529 said:

why are there different results?

No idea but you really need to read and try to understand the first post in this thread! 

 

Jos


SciTE4AutoIt3 Full installer Download page   - Beta files       Read before posting     How to post scriptsource        Forum Rules
 
Live for the present,
Dream of the future,
Learn from the past.
  :)

AutoBert

Ask the developer of the av-scanner, and tell them also it's a false positive.

bdr529

I'm sorry, but I do not write in English; I need to use Google Translate.
It is strange that you get different results from different versions of the same software (Aut2exe.exe and Aut2exe_x64.exe).

timmy2

Two apparent false positives. Probably unrelated. No action requested here, but I figured I should document them in case others encounter these issues.

Please know that I'm posting this after submitting a false positive report to MalwareBytes and Microsoft for Defender.

First, I installed AutoIt (v3.3.14.5 according to the associated Help file title page) on a W10 virtual machine (Windows version 1803, build 17134.407). I could not compile or even syntax check my AutoIt script because Defender kept blocking it. Defender cited this file: C:\Users\(my username)\AppData\Local\AutoIt v3\Aut2exe\autAB90.tmp.exe. It said it was infected with Trojan:Win32/Zpevdo.A (Alert level: Severe). Defender popped up a window I've never seen before about some new feature they've added. I was too interested in testing my script idea to explore this anomaly, so I just told Defender to exclude C:\FGCDIR. (Come to think of it, where did that folder come from!?! Now that I have a moment I'll investigate.)

Second, on my production machine, using AutoIt 3.3.14.2, I've hit a snag with Malwarebytes Premium quarantining anything I compile if I include GuiEdit.au3, citing a threat named "MachineLearning/Anomalous.100%".

Jos
10 minutes ago, timmy2 said:

(come to think of it, where did that folder come from!?!

Which folder?

10 minutes ago, timmy2 said:

C:\Users\(my username)\AppData\Local\AutoIt v3\Aut2exe

As already explained many times, this directory should be excluded from AV scanning, as the compiler activity often causes issues when AV is active.

Jos
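As an added example, not code from the thread or from the AutoIt project, here is how to apply the advice above narrowly with the Defender PowerShell module, excluding only the per-user Aut2exe working directory rather than a whole drive or an unrelated folder. It assumes AutoIt's default per-user location under %LOCALAPPDATA% and an elevated session.

```powershell
# Added example (not from the thread): scope a Defender exclusion to the
# per-user Aut2exe working directory, where the compiler writes its
# autXXXX.tmp.exe intermediates, then verify the result. Run elevated.
# Assumption: AutoIt's default per-user location under %LOCALAPPDATA%.

$aut2exeDir = Join-Path $env:LOCALAPPDATA 'AutoIt v3\Aut2exe'

# Only exclude a directory that actually exists; excluding a non-existent or
# overly broad path (e.g. C:\) silently widens the unscanned surface.
if (-not (Test-Path -LiteralPath $aut2exeDir)) {
    Write-Warning "Aut2exe directory not found: $aut2exeDir (compile once first)"
    return
}

$pref = Get-MpPreference
if ($pref.ExclusionPath -contains $aut2exeDir) {
    Write-Host "Already excluded: $aut2exeDir"
} else {
    Add-MpPreference -ExclusionPath $aut2exeDir
    Write-Host "Added exclusion: $aut2exeDir"
}

# List every current path exclusion so unexpected entries (like the
# C:\FGCDIR entry mentioned in the thread) stand out for review.
Write-Host 'Current Defender path exclusions:'
(Get-MpPreference).ExclusionPath | Sort-Object | ForEach-Object { "  $_" }

# Show past detections that hit the Aut2exe working directory, to confirm
# the noise stops once the exclusion is in place.
Get-MpThreatDetection |
    Where-Object { $_.Resources -match [regex]::Escape($aut2exeDir) } |
    Select-Object InitialDetectionTime, ThreatID, Resources |
    Sort-Object InitialDetectionTime -Descending |
    Format-Table -AutoSize
```

Keep the exclusion limited to this directory: the compiled output you ship should still be scanned, and a false-positive report to the AV vendor remains the right fix for the final EXE.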
timmy2

C:\FGCDIR

22 minutes ago, timmy2 said:

... so I just told Defender to exclude C:\FGCDIR.

The only reason I know this is because when I looked in Defender's Allowed Threats that folder was excluded on the same date that the threat was detected. Interesting that excluding the threat did not exclude C:\Users\(my username)\AppData\Local\AutoIt v3\Aut2exe\ but excluded this oddball folder. I apologize for lack of detail. To me it was just another "what fresh hell is this?" moment.

Thank you for the heads-up about the AutoIt folder that should be excluded. Despite having used AutoIt for a fairly long time, albeit sporadically, I missed that memo. :>

Jos
20 minutes ago, timmy2 said:

The only reason I know this is because when I looked in Defender's Allowed Threats that folder was excluded on the same date that the threat was detected. Interesting that excluding the threat did not exclude C:\Users\(my username)\AppData\Local\AutoIt v3\Aut2exe\ but excluded this oddball folder. I apologize for lack of detail. To me it was just another "what fresh hell is this?" moment.

No clue what the directory FGCDIR has to do with the compile of your script, unless you have files in there that the script has a FileInstall() for. A quick search gave this info, but obviously I don't know if that also applies in your case:

Quote:

What is the FGCDIR folder?

Does anyone know what the FGCDIR folder is for and whether it or any of its contents can be safely deleted?

----- Answer -----
Remnants of Virtual Sandbox and Fortres Grand antispyware / antimalware. Don't remove it if you are using that software.

Jos
timmy2

I did indeed test Fortres Grand's Clean Slate several days ago so that explains the presence of the folder. They probably added their folder to Defender's exclude list, and it just so happened that that was the same day I installed AutoIt and discovered that Defender blocked compiling, syntax checking, etc. I definitely could not make any progress with AutoIt until I told Defender to do something (exclude, ignore, whatever), but I no longer recall what I did, and for that I apologize.

Maybe if I find the time I'll revert the VM, install AutoIt, and try again. This was more of an observation in case others experience it, prompted mostly by Malwarebytes blocking me today -- a few days after the Defender issue. Coincidence I guess. Thank you!

timmy2

Excluding C:\Users\(my username)\AppData\Local\AutoIt v3\Aut2exe in Windows Defender solved the problem of Defender halting a build.
