JSThePatriot

Are my AutoIt EXEs really infected?

176 posts in this topic


Dont the people use other languages to write malwares? Dont they use c++, python and other languages to hook dlls etc? But as default AV companies dont mark their simple code such as "MsgBox (0,0,0)" as Autoit keylogger .gen trojan. Sincerely, I can live with this... But I want to be proud of my scripts.- not to be marked for such simple things




AV companies often mark any compiled script as a virus for the simple fact that they check the included runtime module instead of the real script section.
There is a simple reason why AutoIt3 is used to write illegal stuff: because it is so damn simple to do.
In the case of autoit3help I have no clue why they mark that as a virus, as it is a simple C++ program which opens the help file on the right topic/function page depending on the parameter provided.

Jos


Visit the SciTE4AutoIt3 Download page for the latest versions        Beta files                                                          Forum Rules
 
Live for the present,
Dream of the future,
Learn from the past.
  :)


I am interested to hear that the sources for AutoIt3Help.exe are written in C++. I thought Melba23 was rough on me because he was assuming that I knew that AutoIt3Help.exe is a compiled AutoIt script, which I now know is not so. AutoIt3Help.exe is not "my AutoIt EXE".

It must be tough on the moderators to face compiled AutoIt scripts being seen as infected.

Would it make sense to distribute an AutoIt3Help.au3 script? The antivirus guys, to my knowledge, don't tag scripts as infected.

...chris




Yes they regularly do. Some .au3 are even sometimes their targets.


This wonderful site allows debugging and testing regular expressions (many flavors available). An absolute must have in your bookmarks.
Another excellent RegExp tutorial. Don't forget downloading your copy of up-to-date pcretest.exe and pcregrep.exe here
RegExp tutorial: enough to get started
PCRE v8.33 regexp documentation latest available release and currently implemented in AutoIt beta.

SQLitespeed is another feature-rich premier SQLite manager (includes import/export). Well worth a try.
SQLite Expert (freeware Personal Edition or payware Pro version) is a very useful SQLite database manager.
An excellent eBook covering almost every aspect of SQLite3: a must-read for anyone doing serious work.
SQL tutorial (covers "generic" SQL, but most of it applies to SQLite as well)
A work-in-progress SQLite3 tutorial. Don't miss other LxyzTHW pages!
SQLite official website with full documentation (may be newer than the SQLite library that comes standard with AutoIt)


I don't see what having an uncompiled help file would buy us, besides further confusion for new users.


√-1 2^3 ∑ π, and it was delicious!


#126 ·  Posted (edited)

I am interested to hear that the sources for AutoIt3Help.exe are written in C++.

You could have read a little bit further back and seen that it was already stated by me on May 15 in this thread. :)

Autoit3Help.exe is a C++-compiled program, so it is indeed not related to the false positives regularly seen with compiled scripts.

Jos

I am also not sure why you read into Melba23's post that AutoIt3Help.exe is a compiled script. It used to be one which was converted to an EXE when we added some extra logic and to keep it smaller, so it's not going to be reverted. :)

Jos

Edited by Jos


#127 ·  Posted (edited)

You could have read a little bit further back and seen that it was already stated by me on May 15 in this thread. :)

I am also not sure why you read into Melba23's post that AutoIt3Help.exe is a compiled script. It used to be one which was converted to an EXE when we added some extra logic and to keep it smaller, so it's not going to be reverted. :)

Jos

Actually, I didn't read (or post) to this thread yesterday, but to a new thread, because AutoIt3Help.exe is not my exe. Perhaps I missed the point, but the only reason I could see for Melba23's blast was that AutoIt3Help.exe is a compiled script. Perhaps I missed his point. I see your point for not reverting it to a compiled script.

May we win the war against the AV companies!

Edited by c.haslam

...chris


#128 ·  Posted (edited)

May we win the war against the AV companies!

That will never happen, like AV companies will never catch all malicious programs.

Jos

Edited by Jos

My script always becomes infected after using UPX compression!! And sometimes even without using it.

Please help.


My script always becomes infected after using UPX compression!! And sometimes even without using it.

Please help.

Not sure what you are expecting for other help than already suggested in this thread, but I assume you get false positives, or else you have a serious problem we can't help you with.

Jos



Greetings, I actually have a script that allows you to quickly report your programs as false positives to all known anti virus vendors with a simple drag and drop operation. It takes what normally takes a person a couple of hours to do and does it in 30 seconds. You can get it from my signature below. It's called False Positive Reporter. Thank you for your time and have a great day. I hope this was of help to you.


False Positive Reporter - Mass email all anti virus vendors with an attachment of your program for fast and easy whitelisting.

PortableApps.com App Creation Wizard  - A simple GUI-based Wizard for creating PortableApps.

SoundBoard - Play any song or sound you want at the press of a hotkey.

My GitHub Page: https://github.com/BetaLeaf


#133 ·  Posted (edited)

In the following case the script isn't flagged as a virus but the problem is caused by an AV software:

  • You run Trend Micro AV software.
  • You get an AutoIt error message when running the script telling you "Unable to open the script file".
  • The size of this exe is a few kilobytes smaller than that of a working exe.
  • You do not get any error messages when compiling the script. Neither from Aut2Exe nor from Trend Micro.

The problem - in my case - was caused by Trend Micro's Behavior Monitoring.
To solve the problem you simply have to disable this feature for Aut2Exe.exe.

Seemed that logging was disabled for the Behavior Monitoring as well (by default?) so we didn't find anything in the TM logs.
Details can be found in the following thread:
 

Edited by water
My UDFs and Tutorials:

UDFs:
Active Directory (NEW 2017-04-18 - Version 1.4.8.0) - Download - General Help & Support - Example Scripts - Wiki
OutlookEX (NEW 2017-02-27 - Version 1.3.1.0) - Download - General Help & Support - Example Scripts - Wiki
ExcelChart (2015-04-01 - Version 0.4.0.0) - Download - General Help & Support - Example Scripts
Excel - Example Scripts - Wiki
Word - Wiki
PowerPoint (2015-06-06 - Version 0.0.5.0) - Download - General Help & Support

Tutorials:
ADO - Wiki

 


Is it really too much to ask that antivirus companies put quality before quantity, especially for the ones which charge annual fees for the service?  I work as a remote IT support specialist and service many different clients, and I often use Autoit scripts to assist my end users, which is made difficult when I get a slew of emails stating that a script I wrote (which includes a legitimate program installer, say, for an adobe reader update, and runs the installer unattended using my admin credentials) is being flagged as malicious by their antivirus programs.  I have the issue with antiviruses just flat out trying to automatically quarantine my files without so much as a warning, and I can tell you that opening my antivirus, restoring my quarantined file, and marking it or the folder it is in in the exception list just never gets old (sarcasm).  And the sad fact of the matter is that it is not just antiviruses which play a role in this.....frustration.  Now browsers are trying to get in on the action.  Even if, somehow, the file is not flagged as a virus, I still get emails from users using Google chrome who, when attempting to download the file, would receive a message stating "This file has not been downloaded very often and may harm your computer.  You should delete it" or something to that extent.  If they would just read the message and use this little thing called logic (I just wrote the script to meet your needs, so of course it hasn't been downloaded often), they could save themselves and myself the migraine, but when they see that red circle, they start freaking out and stop using their brains.  But I still blame the browser in the end for trying to nudge its way into malware detection and using a metric that is completely retarded in order to determine this. 


I have never had a false for over 2 years since I stopped using compression.

Or.

Start creating a library of functions/methods/classes to do the work, in some other language, as I cannot see this problem ending anytime soon.


AutoIt Absolute Beginners    Require a serial    Pause Script    Video Tutorials by Morthawt   ipify 

Monkey's are, like, natures humans.


I almost never compress my scripts, yet I still get false positives all the time. It's usually always 2 or 3 companies (ones I've never heard of if not for virustotal) that always flag autoit. Usually I get basically heuristics detections.



The antivirus is the reason that I stopped using AutoIt to write public software.
I am very sad and was forced to switch to using C++; it is harder than AutoIt.
I hope people do not use AutoIt to write viruses.
I always love AutoIt.

Win32:Evo-gen [Susp]
Trojan: W32/AutoIt

Regards,


It happens to me sometimes; my AV says that my code is infected. I already contacted the AV company but I still always have the same problem when I use some functions/methods.


I don't know if someone already suggested this:
Get a code signing certificate from a certificate authority (Thawte, GlobalSign, etc.) and use it to digitally sign your applications.
Usually costs around $200-300 per year (just had a quick glance).

Usually AV solutions monitor the certificates issued by a CA and trust the applications signed with official certificates automatically.
Even if that's not the case, many AV solutions use a reputation system for the heuristic analysis of files.
Having a digital signature would improve the chances of your file being detected as "good".

If you want to use your software in any commercial way or in a professional environment, code signing would be the best way to get along with AV solutions.

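Added example (Python, written for this edited copy of the thread; it is not code from the AutoIt project or from any poster) tying together three points made above: Jos's remark that AV engines key on the included runtime module rather than the script section, water's truncated-exe symptom, and the code-signing suggestion. It builds constructed PE32 images that stand in for Aut2Exe output (the section layout, the stub bytes and the placement of the AU3!EA06 script marker in .rsrc are assumptions for the demo, not a faithful reproduction of a real compiled script) and runs the triage checks a practitioner would do before filing a false-positive report: the same stub hash across two different scripts, UPX section names, a script blob that disappears when the file is cut short, and whether an Authenticode entry is attached at all.

```python
import hashlib
import struct

AU3_MAGIC = b"AU3!EA06"          # marker at the head of a compiled AutoIt v3 script blob
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}
SECURITY_DIR = 4                 # IMAGE_DIRECTORY_ENTRY_SECURITY (Authenticode blob)
FILE_ALIGN = 0x200
# constructed stand-in for the AutoIt3 interpreter stub that Aut2Exe prepends to every script
RUNTIME_STUB = b"\x55\x8b\xec" + bytes(range(256)) * 4

def _headers(data):
    # (optional header offset, optional header size, section count), or None if not a PE
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        return None
    return pe + 24, struct.unpack_from("<H", data, pe + 20)[0], struct.unpack_from("<H", data, pe + 6)[0]

def sections(data):
    # (name, raw file offset, raw size) for every section table entry
    hdr = _headers(data)
    if hdr is None:
        return []
    opt_off, opt_size, n = hdr
    out = []
    for i in range(n):
        base = opt_off + opt_size + 40 * i
        name = data[base:base + 8].rstrip(b"\0").decode("latin-1")
        raw_size, raw_ptr = struct.unpack_from("<II", data, base + 16)
        out.append((name, raw_ptr, raw_size))
    return out

def section_sha256(data, name):
    # hash of one section's raw bytes: the stub lives in .text (or UPX1), the script in .rsrc
    return next((hashlib.sha256(data[p:p + s]).hexdigest() for n, p, s in sections(data) if n == name), None)

def inspect_pe(data):
    # triage a compiled script before blaming the AV: packed? script blob present? truncated? signed?
    info = {"is_pe": False, "sections": [], "upx_packed": False,
            "autoit_script": False, "authenticode": False, "truncated": False}
    hdr = _headers(data)
    if hdr is None:
        return info
    info["is_pe"], opt_off = True, hdr[0]
    magic = struct.unpack_from("<H", data, opt_off)[0]
    dd_off = opt_off + (96 if magic == 0x10B else 112)   # PE32 vs PE32+ data directory start
    cert_ptr, cert_size = struct.unpack_from("<II", data, dd_off + 8 * SECURITY_DIR)
    # the security entry holds a raw file offset; this checks presence only, not signature validity
    info["authenticode"] = cert_ptr != 0 and cert_size != 0 and cert_ptr + cert_size <= len(data)
    secs = sections(data)
    info["sections"] = [n for n, _, _ in secs]
    info["truncated"] = any(ptr + size > len(data) for _, ptr, size in secs)
    info["upx_packed"] = any(n in UPX_SECTION_NAMES for n in info["sections"])
    info["autoit_script"] = AU3_MAGIC in data
    return info

def build_sample_pe(secs, signed=False):
    # minimal non-runnable PE32 image from (name, raw bytes) pairs; constructed test input only
    n, opt_size = len(secs), 224
    hdr_len = -(-(0x40 + 4 + 20 + opt_size + 40 * n) // FILE_ALIGN) * FILE_ALIGN
    img = bytearray(hdr_len)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                          # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, n, 0, 0, 0, opt_size, 0x102)
    opt_off = 0x44 + 20
    struct.pack_into("<H", img, opt_off, 0x10B)                      # PE32 magic
    struct.pack_into("<I", img, opt_off + 36, FILE_ALIGN)            # FileAlignment
    raw_ptr, body = hdr_len, bytearray()
    for i, (name, raw) in enumerate(secs):
        padded = raw + b"\0" * (-len(raw) % FILE_ALIGN)
        base = opt_off + opt_size + 40 * i
        img[base:base + 8] = name.encode().ljust(8, b"\0")
        struct.pack_into("<IIII", img, base + 8, len(raw), 0x1000 * (i + 1), len(padded), raw_ptr)
        raw_ptr += len(padded)
        body += padded
    img += body
    if signed:  # placeholder WIN_CERTIFICATE header plus dummy bytes, not a real PKCS#7 signature
        cert = b"\x30\x82" + b"\0" * 14
        blob = struct.pack("<IHH", 8 + len(cert), 0x0200, 0x0002) + cert
        struct.pack_into("<II", img, opt_off + 96 + 8 * SECURITY_DIR, len(img), len(blob))
        img += blob
    return bytes(img)

def compiled_autoit(script, packed=False, signed=False):
    # stand-in for Aut2Exe output (assumed layout): identical stub, script blob in .rsrc
    blob = b"\0" * 2048 + AU3_MAGIC + script
    secs = ([("UPX0", b""), ("UPX1", RUNTIME_STUB)] if packed
            else [(".text", RUNTIME_STUB), (".rdata", b"\0" * 64)]) + [(".rsrc", blob)]
    return build_sample_pe(secs, signed=signed)

def demo():
    a = compiled_autoit(b'MsgBox(0, "Hi", "hello")')
    b = compiled_autoit(b'Run("notepad.exe")')
    return {
        "same_stub": section_sha256(a, ".text") == section_sha256(b, ".text"),
        "different_files": hashlib.sha256(a).digest() != hashlib.sha256(b).digest(),
        "plain": inspect_pe(a),
        "packed": inspect_pe(compiled_autoit(b"x", packed=True)),
        "truncated": inspect_pe(a[:-1024]),   # a few KB cut off, like the Trend Micro case
        "signed": inspect_pe(compiled_autoit(b"x", signed=True)),
    }
```

Two of the results carry the thread's argument: "same_stub" is true for two files whose scripts have nothing in common, so a signature written against the stub hits both, while "truncated" shows a file that still parses as a valid PE but no longer contains the script blob, which is the "Unable to open the script file" failure rather than a detection. The Authenticode check reports only that a signature blob is attached; whether it chains to a trusted CA is a job for signtool verify or WinVerifyTrust, which this code deliberately does not attempt. The AU3!EA06 string is the script-blob marker that public AutoIt unpackers search for; its exact offset within a real executable depends on the engine version, so the code searches the whole file rather than a fixed resource.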

#140 ·  Posted

I just want you guys to know that currently Twister AV marked the entire AutoIt "engine". I contacted them and got no response. Anyone want to help me contact them?
