JSThePatriot

Are my AutoIt EXEs really infected?

156 posts in this topic

2. Why the AV doesn't react on Process Hacker - which can kill the AV, but gives trojans for a simple application MsgBox.exe?

I will try to paraphrase: Why AVs don't react when you start Process Hacker.exe - and at the same time AVs are checking AutoIt-made EXEs with simple content, something like MsgBox(0, "", ""), and keep saying that it is a trojan.

Is this way more understandable?


I would assume it's because Process Hacker is a known piece of software, and being known, AV software knows what it does and doesn't flag it as a virus or malware because of this.

Very few of the well known AV software companies would flag an AutoIt script like that as a trojan. Shitty AV software might, or one that has a bad signature file update.


If I posted any code, assume that code was written using the latest release version unless stated otherwise. Also, if it doesn't work on XP I can't help with that because I don't have access to XP, and I'm not going to.
Give a programmer the correct code and he can do his work for a day. Teach a programmer to debug and he can do his work for a lifetime - by Chirag Gude
How to ask questions the smart way!

I hereby grant any person the right to use any code I post, that I am the original author of, on the autoitscript.com forums, unless I've specifically stated otherwise in the code or the thread post. If you do use my code all I ask, as a courtesy, is to make note of where you got it from.

Back up and restore Windows user files _Array.au3 - Modified array functions that include support for 2D arrays.  -  ColorChooser - An add-on for SciTE that pops up a color dialog so you can select and paste a color code into a script.  -  Customizable Splashscreen GUI w/Progress Bar - Create a custom "splash screen" GUI with a progress bar and custom label.  -  _FileGetProperty - Retrieve the properties of a file  -  SciTE Toolbar - A toolbar demo for use with the SciTE editor  -  GUIRegisterMsg demo - Demo script to show how to use the Windows messages to interact with controls and your GUI.  -   Latin Square password generator

#83 ·  Posted (edited)

However, I would argue that it shouldn't take more than 2 seconds to figure this out. If you know enough to want to disable UPX, you should know it's a compressor therefore a quick look at the options will provide only one with "UPX" and "compress" in the name. Maybe it is mis-named and not implemented right, but I don't think it takes a computer science degree to figure out what it's for if you know enough about UPX to want to disable it in the first place. 

 

Edited by grisina

Hi! I found out that when creating an AutoIt compiled EXE with the flag /comp 4, more antivirus programs flag the program as a virus.

Need to remove malicious links:

http://api.exip.org/?call=ip -> http://sso.anbtr.com/domain/api.exip.org

This domain name redirected to malicious sites!
 

Func _GetIP()

“The world won’t care about your self-esteem. The world will expect you to accomplish something Before you feel good about yourself.”

#87 ·  Posted (edited)

That site isn't used in the _GetIP function, so I'm not sure what you're referring to.

EDIT: Just found it, that site was in the old _GetIP function back in 3.3.10.x but has been gone for over a year. You need to upgrade.

Edited by BrewManNH

Thanks BrewManNH


I just wanted to add this to the heap (of false positives).

I've used Microsoft Security Essentials for two years with no detection problems. But one of the definition updates a couple of weeks ago started flagging an exe here and there.

But the latest one (today) halted a compile.  I'll look into sending this one in ... but it's discouraging to see them start to cast a wider net.  "Severe", they declare ... with no real knowledge of what's in the net.  "To a man with a hammer, everything starts to look like a nail."

I don't use UPX and I'm on Win7 Pro, using 3.3.12.0

It is humorous to me that a sticky thread started to give people answers to their questions regarding false positives, and thus keep them from unnecessarily posting every time they see an AV issue with a script, is now 5 pages deep with people doing just that :)


√-1 2^3 ∑ π, and it was delicious!

 

unnecessarily posting every time they see an AV issue with a script

I, for one, don't see it that way at all.  AV detection is an evolving situation.  Whenever there's a significant development (for me, a change in MSE after 2 years of use), people need to have some way to become aware.

This thread—or some other one, if you prefer—should be about AV Issue Awareness.  If AU3 is ever going to break out of being looked at as a fringe language, it's going to have to come through wider awareness.  And making AV issues and the associated impact known can only help.

Again, my opinion.  Yours may differ.

Again, my opinion.  Yours may differ.

Correct and also disagree ;)

This thread is about informing people what False positives are and where they should go for getting them fixed.

The original intent was to avoid the creation of unneeded threads & posts on this topic.

Jos


Visit the SciTE4AutoIt3 Download page for the latest versions        Beta files                                                          Forum Rules
 
Live for the present,
Dream of the future,
Learn from the past.
  :)

#94 ·  Posted (edited)

People are going to post about alerts, no matter what.

Better in here I say.

EDIT:

Also, most of the posts in here are just discussion rather than alert reports.

Probably only about a dozen reports.

Edited by JohnOne

AutoIt Absolute Beginners    Require a serial    Pause Script    Video Tutorials by Morthawt   ipify 

Monkey's are, like, natures humans.

this is virus scan avast! win32Evogen but   :ILA2:


66726565776172656F6E74686973373737

Simple method to repair infected file:

use themida

off Resources-Encryption

off Resources Compression

and use hard settings

Note: don't pack UPX


Symantec released this today: it is killing all my scripts out in the field and removing them via quarantine.

http://securityresponse.symantec.com/security_response/writeup.jsp?docid=2015-050111-5257-99&vid=4294922793

I guess I should submit a false positive report but the damage is done pretty fast :/

 

Are you seriously expecting an answer assuming you read the initial post in this thread?


#100 ·  Posted

 

I guess I should submit a false positive report but the damage is done pretty fast :/

You admit you know what you should do...

