JSThePatriot

Are my AutoIt EXEs really infected?

156 posts in this topic


Thanks to the helpful info and support here...

I have quickly looked through the posts and replies here and did not notice anything on the following. Maybe somebody has an answer to this or a pointer to where I can find an answer. I refer to my post on AVIRA's Q&A:

"AVIRA alerts when packing my scripts with AutoIt v3 Obfuscator"
"I develop applications using the AutoIt Scripting language. Recently I started getting AVIRA virus alerts when packing my scripts using the built in AutoIt v3 Obfuscator tools. AVIRA now reports my scripts (.exe) as "dr/autoit.gen" suspicious. When I don't use the script obfuscator when compiling scripts to .exe then AVIRA doesn't pop up saying it's a suspicious file. Why? The scripts/ programs I compile are clean. Online virus scans like VirusTotal and VirSCAN.org shows nothing."

AVIRA will obviously scan the file I've uploaded to them and analyse my code. Fair enough, so that sorts my problem when making software available to end-users, but still, I need to know why it's happening... as a scripter/programmer.


MetalloSoft,

 

I need to know why it's happening

It is happening because the AV companies are too lazy/stupid/incompetent to do anything other than look at a basic signature when analysing compiled AutoIt scripts. ;)

Just for interest, it is probably not Obfuscator being flagged (that just scrambles the code), but the upx compressor. In the next release this will not be run by default, but you could always add #AutoIt3Wrapper_UseUpx=n to your script to stop it running if you are still using 3.3.8.1. :)

And now please drop the subject and do not let the poor old Oozlum bird out again - there are multiple (locked) threads on this very subject already which you can find if you search. ;)

M23



 


Seems pretty obvious to me that the problem is UPX, or rather the choice to use UPX that is the problem - not the AV companies nor anyone else. If you choose to use tools that are common with nefarious types, then you are likely going to get caught up in that (as AutoIt has). I'm very happy to see this is fixed in the next release, but come on guys, let's stop pushing the blame. AutoIt has/had a problem that made it appear questionable to the majority of AV programs; that's no skin off their back - only off the back of this community.


You don't understand the problem at all. The UPX program is a compressor that is used by a lot of software, not just AutoIt. The problem is that the AV companies see all AutoIt scripts with the belief that it's "probably" a virus, so let's flag it as such. The problem has been beaten to death, and the issue is that the AV companies are lazy.



Way to live up to your moniker, KnowsNothing ;) AV companies block many programs, written in and compressed with different software, based on what a minority of individuals do with that software. It is foolish to blame the AutoIt language in its entirety for what a few individuals do with it.


√-1 2^3 ∑ π, and it was delicious!


The other day I posted a question about the latest release having no icon when compiled, as well as being detected as Gen:Variant.Strictor.48409.

So I thought I had a virus and I scanned my comp. Found nothing that I would be concerned about, using multiple programs.

I then realized that the issue developed since update 3.3.10.2.

So I downgraded and compiled that same script and now it's detected as Trojan.Autoit.Wirus as well as Win32/Injector.Autoit.SX

but at least the default icon is now working http://virusscan.jotti.org/en/scanresult/afa96e2114235f1f17a028426151b93f6f171875

UPX use or no use makes no difference.

I myself am not worried about viruses, but I do make small apps for work and don't want a false alarm from their antivirus drawing attention to my station computer.


If you took the two minutes to read through the release notes, you would see the default icon was removed by design by the Dev team. If you do not specify an icon, you will get the default Windows unknown app icon. If you would like an icon for your script, you can specify it this way:

#pragma compile(Icon, <path to icon>)


Help!!

I have Norton installed on my computer, I delete the executables that I have created.
How can I make sure that I did not delete them?

Thanks to those who can help me

Alberto


Thank You

Alberto

---------------------------------------------------

I translate with Google.


If Norton deleted the files, and they are not in the quarantine area, they are gone. Anything further regarding recovery you would have to post in the Norton forums.

In any case, you should still have your source to recompile.



If Norton deleted the files, and they are not in the quarantine area, they are gone. Anything further regarding recovery you would have to post in the Norton forums.

In any case, you should still have your source to recompile.

Hi, of course I have the sources and I can recompile it.

The problem is that when I compile the file and maybe start it to test it, sometimes Norton blocks me, makes me wait a few minutes, and then tells me that the file is infected and deletes it.

This has never happened before, though; I have been using the same machine with the same Norton for at least 6/8 months, and until about 7 days ago it never reported viruses in AUTOIT files.

I wanted to ask: isn't it possible, when compiling the file, to insert the program's author, so that you can then tell Norton that that file producer is safe??

Thanks



As J1 points out, think about what you're asking, and why an AV company might not just blindly accept any executable that has someone's name attached to it...

Again, all you can do is report the false positive to the AV company so they can address it.



If an author's name is in a file, does that mean it cannot be a virus?

Go and ask Norton about your problem.

 

As J1 points out, think about what you're asking, and why an AV company might not just blindly accept any executable that has someone's name attached to it...

Again, all you can do is report the false positive to the AV company so they can address it.

 

You are both right, but I wanted to ask a question to both of you.

x JohnOne: but if I put the author's name of the file in the compilation, and put it as an accepted exception in my NAV, the problem of the antivirus letting it run concerns only me, who knows the author's name and therefore inserts the exception; it could not concern, for example, you, who don't know what I put in and therefore could not set up the exception.

x JLogan3o13: How can I report the thing to Norton? What information should I be able to give them so that it does not flag it as a false positive?

Thanks



I'm sorry about that stupid comment but...

Some people use C# to make viruses. (By "some" I mean "a lot of".)

So, tell the companies to "tag" C# scripts/programs as a virus!!

Does that make sense?? It doesn't. In the same way, you can't say that a minority of people using AutoIT is the reason for the "virus tag".

It's not the number of users who make viruses.
It's not the number of viruses made with it.
It's the lack and the laziness of the AV companies, because they're shit.

If AutoIT grows to the top, AV companies will be forced to enhance their detections on AutoIT scripts more deeply.

I've used UPX a lot of times on other scripts and none were tagged as a virus. (Including the bambalam PHP to EXE compiler.)

If AutoIT 3.1.1 really works without that problem, the AutoIT developer must revise its code, not for my benefit, but yours. Add a workaround in Aut2Exe to compile as v3.1.1 for the people who don't use COM or any newer feature.

Sorry about my English, "a now is bad very full ha ha".

Regards.



An extra note about "SEND MY SOURCE TO AV COMPANIES".

Fuck AV companies, all at once. The real virus is the AV, because it spies on ALL your activity/files.
The good way is to send the AV the files you don't trust, not to set "ALL=Don't Trust" and then let the AV decide for you, which is the common way.

ALSO, exception paths are a bad way. If the program determines what is a virus by its signature, the AV should let you ALLOW that specific signature, not ANYTHING inside a path. I really don't understand which type of idiots are behind AV software.

Note: I wrote "Feel Like a Duck", but the editor just stripped it to "Fuck" :D


#37 ·  Posted (edited)

Today I visited:

http://www.autoitscript.com/wiki/AutoIt_and_Malware

I upgraded a few entries.

If someone finds the missing entries for some anti-virus, please complete the wiki, or report it here in this thread on this forum, and I'll update the Wiki page.

 

Best Regards,

mLipok

 

edit:

ps.

Changes you can see here.

Edited by mLipok


Yes, it is an ever changing target keeping that page up to date, as links change. I know I updated sometime back in 2013, but it was overdue for another look.



#39 ·  Posted (edited)

I am new to autoit, been using it for about a week. All of a sudden today, anytime I compile a script (at least in x64), it is being flagged (Trojan horse injext2.algv). I am using AVG antivirus. What can I do to make my programs work again? I saw in one of the previous posts to send the AV company a copy of the executable and the script code. I can't send an EXE because I can't compile it atm in x64.

Any suggestion what I post as a false positive with the AV company, because it is ANY script I compile in x64.

Any suggestions would be appreciated. I was making real progress with the program I am trying to get done. Would have had an EXE ready for test tonight if it were not for this issue.

Thanks ahead of time for any help/suggestions.

Edited by MacScript


#40 ·  Posted (edited)

Hi macScript,

This is by no means a recommended long term fix for this issue; however, some have suggested adding a directory exclusion rule (if your AV supports it) for the temporary directory used by the AutoIt standalone builder application Aut2exe, which is:

%localappdata%\AutoIt v3\Aut2Exe

This can sometimes thwart build time AV alerts and blocks, but unfortunately it will not help you if AVG takes offense at an already built standalone that exists outside of the excluded directory.

Can't you temporarily disable AVG's active scanning facility while you build your standalone if all you wish to do is send them a test binary? (admittedly this is a futile gesture for reasons already mentioned by you).

Edited by Mobius
