JSThePatriot

Are my AutoIt EXEs really infected?

164 posts in this topic

#161 ·  Posted (edited)

Hi,

We've been using AutoIt v3.3.6.1 to compile our .au3 scripts because the online virus scanner "virustotal.com", which scans the uploaded file using different scanners and gives you a report showing the results, has seemed to report fewer false positives on executables when using the old 3.3.6.1 compiler instead of more recent, higher versions of AutoIt.

We compile using AutoIt2Exe without UDF compression and sign them using our code-signing certificate from a trusted vendor.

It has been a while since we compared scanning the same .au3 script compiled with different versions, and I was just wondering if version 3.3.6.1 is still the "safest" version, or if people here have another preference for which AutoIt version / compiler causes the fewest false positives?

Edited by DHL
typo and added fact that we use a cert to sign our exes

#162 ·  Posted

I've never had any of my compiled execs flagged and I'm using the latest version. So, anything we tell you would depend on which unreliable AV you're using that's flagging them.


If I posted any code, assume that code was written using the latest release version unless stated otherwise. Also, if it doesn't work on XP I can't help with that because I don't have access to XP, and I'm not going to.
Give a programmer the correct code and he can do his work for a day. Teach a programmer to debug and he can do his work for a lifetime - by Chirag Gude
How to ask questions the smart way!

I hereby grant any person the right to use any code I post, that I am the original author of, on the autoitscript.com forums, unless I've specifically stated otherwise in the code or the thread post. If you do use my code all I ask, as a courtesy, is to make note of where you got it from.

Back up and restore Windows user files _Array.au3 - Modified array functions that include support for 2D arrays.  -  ColorChooser - An add-on for SciTE that pops up a color dialog so you can select and paste a color code into a script.  -  Customizable Splashscreen GUI w/Progress Bar - Create a custom "splash screen" GUI with a progress bar and custom label.  -  _FileGetProperty - Retrieve the properties of a file  -  SciTE Toolbar - A toolbar demo for use with the SciTE editor  -  GUIRegisterMsg demo - Demo script to show how to use the Windows messages to interact with controls and your GUI.  -   Latin Square password generator

#163 ·  Posted

Same here, I routinely write and compile scripts in corporate environments, and have lately found myself doing a lot of AutoIt/PowerCLI cross scripting. Never any issues with the latest version and any of the major business AV suites out there. I'm sure I have run under just about everything in the top three sections of the magic quadrant:

https://solutionsreview.com/endpoint-security/gartner-2017-epp-magic-quadrant/


√-1 2^3 ∑ π, and it was delicious!

#164 ·  Posted (edited)

Do you mean 'without UDF compression' or 'without UPX (UCL) compression'?

And have you tried just hashing your exe and uploading that to see if you are really popping for a signature? Or commenting out the whole thing, and uploading an exe that does a bunch of nothing to see if it's all compiler flags, or if someone really did detonate you in a sandbox and you tripped heuristics. If that last thing happened you need to bear in mind that all AutoIt exes look like 90% the same, so it really is on the author to perform their due diligence in getting it whitelisted.

That being said, I drop scripts all over monoliths in regulated environments; the last script I got flagged on was Carbon Black, and that's because I was running the PowerShell Invoke-Obfuscation module, so that's hardly AutoIt's fault.

Edited by iamtheky

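The triage iamtheky describes above (check the hash before uploading the binary, verify the signature survived, and compare against a do-nothing build) can be scripted. The following PowerShell is an added example for this thread, not code from any poster or from the AutoIt project; the file paths are assumptions, and it assumes you have already compiled both the real script and a copy with its body commented out using the same compiler settings.

```powershell
# Added example (not from this thread). Triage a compiled AutoIt exe before
# uploading it anywhere:
#   1. hash it so the hash can be looked up on VirusTotal first (an upload
#      shares the sample with every vendor; a hash lookup does not),
#   2. confirm the Authenticode signature is still valid after compile/pack,
#   3. compare with a do-nothing baseline exe built the same way, which
#      separates "the AutoIt stub/compiler flags are flagged" from
#      "my script's behaviour tripped heuristics".
# All paths below are assumptions; point them at your own build output.

function Get-ExeTriage {
    param(
        [Parameter(Mandatory)] [string] $Path
    )
    $hash = Get-FileHash -Path $Path -Algorithm SHA256
    $sig  = Get-AuthenticodeSignature -FilePath $Path

    [pscustomobject]@{
        File      = Split-Path -Leaf $Path
        SHA256    = $hash.Hash
        SigStatus = $sig.Status   # Valid, NotSigned, HashMismatch, ...
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        # Lookup-by-hash URL; only upload the file if this page reports "not found".
        VTLookup  = "https://www.virustotal.com/gui/file/$($hash.Hash.ToLower())"
    }
}

# Assumed paths: the real tool and a build of the same script with its body commented out.
$real     = Get-ExeTriage -Path 'C:\build\MyTool.exe'
$baseline = Get-ExeTriage -Path 'C:\build\DoNothing.exe'

$real, $baseline | Format-Table -AutoSize

foreach ($t in @($real, $baseline)) {
    if ($t.SigStatus -ne 'Valid') {
        # A signature broken by post-compile packing gives you none of the reputation benefit.
        Write-Warning "$($t.File): signature status is $($t.SigStatus)"
    }
}

if ($real.SHA256 -eq $baseline.SHA256) {
    Write-Warning 'Real and baseline builds are byte-identical; check the input script paths.'
}
```

Read the two VTLookup pages side by side: if the baseline exe collects the same verdicts as the real one, the detections are against the compiler output and packer, and the fix is vendor whitelisting; if only the real build is flagged, the script's own behaviour is what a sandbox objected to, and the relevant code paths are where to look.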
