JSThePatriot

Are my AutoIt EXEs really infected?

17 minutes ago, Sergeant_Shultz said:

Open to suggestions. 

Other than this list in the first post?:

There isn't too much we can do from our side but we are always open to suggestions.

Jos :)
It isn't a matter of "abandoning support". The AutoIt team cannot control the false flags created by various AV companies. That is the point of this entire thread: if you are receiving false positives, there is a method for reporting this to the AV company.

BTW I answered the same way in your email, and would clarify that you didn't "receive no response" in this thread, just not the one you were wanting. 

Arg. Windows has gone nuts this weekend and declared all my compiled programs to be infected. Bad Microsoft, bad... OK, rant over. I feel better.

Guess I need to install the full AutoIt for a coworker who needs my apps right now. It's a bit frustrating when both my home machine and work machine delete stuff the moment I compile it. I could ignore the dir, but I'd rather not do that. I've always just used the defaults when compiling. Is there something I can change to hopefully prevent the false positive? I've had this happen a few times, but never to this extent.

Found the Microsoft page to submit false positives. I'll do that. Just wondering if I have any options for now on my side.
Care to post the compiler flags you are using, and, if it is Defender, what the existing exclusions are? There is some due diligence to be exercised by the author and user before you need to include the vendors.

Edited by iamtheky

Right... That's what I'm asking about. Current is default: right-click and compile. That is it. I do not have any compile instructions in the au3.

No exclusions. At least not before today. I have excluded this one exe now on one coworker's computer to get it working. I was going to install AutoIt, but I have a few custom includes, both from here and of my own. I did not feel like replicating my file structure elsewhere and then having to maintain it.

It's not excluded on mine. I run the au3 anyhow. And I want to see if there is something I can do to help prevent the false positive.

I have not submitted anything yet to any vendors. If it's something I can change about the way I'm doing my compile, then I'm happy to test that out first. Hence my post.

57 minutes ago, cal said:

I do not have any compile instructions in the au3

So playing with compiler flags will probably start to vary results, especially the recommendations throughout this thread.

Edited by iamtheky

Hey,

I've already seen the sticky thread on AutoIt viruses, but the first post doesn't mention Windows Defender and the thread is quite inactive, so I made a new one.

I tried sending a simple key combination to a program when my PC starts, using 1) Task Scheduler and then 2) the Windows autostart folder. In both cases it's detected as a virus. I also tried adding the files as exceptions to Windows Defender while they were in their original folder and in the autostart folder, and I chose the .exes as well as the .au3s.

I also tried to add an exception using the process name you can find in Task Manager. (Tried to type in the name with .exe as well as without.)

I also changed the properties of the scripts so that they are started as an administrator.

My script looks like this:

Sleep(15000)
ControlSend ( "OBS 21.1.0 (64bit, windows) - Profil: Unbenannt - Szenen: Unbenannt", "", "[CLASS:Qt5QWindowIcon; INSTANCE:1]", "+{f8}" )

Please help me... those guys from Microsoft are mental.


I think it's this:

ControlSend ( "OBS 21.1.0 (64bit, windows) - Profil: Unbenannt - Szenen: Unbenannt", "", "[CLASS:Qt5QWindowIcon; INSTANCE:1]", "+{f8}" )

Should be

ControlSend ( "OBS 21.1.0 (64bit, windows) - Profil: Tote Pferde, die ich geschlagen habe - Szenen: Unbenannt", "", "[CLASS:Qt5QWindowIcon; INSTANCE:1]", "+{f8}" )

So what is stopping you from installing Avast on your computer? It will disable Windows Defender because it is running.

I had a relatively easy time with it and false positive detection.

eliass123,

Quote

I've already seen the sticky thread on autoit virusses but the first post doesn't mention windows defender and the thread is quite inactive so I made a new one.

And I have merged it into the sticky thread - we have it for a reason.

M23

1 hour ago, bogQ said:

So what is stopping you from installing Avast on your computer? It will disable Windows Defender because it is running.

I had a relatively easy time with it and false positive detection.

Avast didn't work, but I used regedit to permanently disable Windows Defender. #imoneofthehardones

Did you turn UPX off? The fewer lines your code has, the more it matches malware sigs. Your script, to a robot, shares 99.999% of its code with other verified malicious compiled .au3s. It's best not to compress it, for detection purposes.

shell:startup is an awkward place to run interactive scripts from. How about the script in the startup folder consists of one line that runs and exits, calling this script from another location? Or use Task Scheduler to create a task that runs on startup + X seconds

(screenshot: scheduled task trigger settings)

and simply executes a command like

Run(@AutoItExe & ' /AutoIt3ExecuteLine "ControlSend (''OBS 21.1.0 (64bit, windows) - Profil: Tote Pferde, die ich geschlagen habe - Szenen: Unbenannt'', '''', ''[CLASS:Qt5QWindowIcon; INSTANCE:1]'', ''+{f8}'' )"')

Nuking Defender might not be necessary.

Edited by iamtheky
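The scheduled-task variant of iamtheky's suggestion above, written out as an added example (it is not code from the thread or from the AutoIt project). The one-liner is handed to the stock AutoIt3.exe interpreter by a logon task with a start delay, so there is no small, freshly compiled .exe on disk for Defender to scan, and the Sleep(15000) in eliass123's script is replaced by the task's own delay. The AutoIt install path, the task name and the OBS window title are assumptions; adjust them for the machine.

```powershell
# Added example, not from the thread. Assumes the default 32-bit AutoIt install
# path and the OBS window title quoted in the thread; both are placeholders.
$AutoIt   = 'C:\Program Files (x86)\AutoIt3\AutoIt3.exe'
$Title    = 'OBS 21.1.0 (64bit, windows) - Profil: Unbenannt - Szenen: Unbenannt'
$TaskName = 'OBS-SendHotkey'
$User     = "$env:USERDOMAIN\$env:USERNAME"

if (-not (Test-Path -LiteralPath $AutoIt)) {
    throw "AutoIt3.exe not found at $AutoIt"
}

# The AutoIt statement to run. Single quotes are AutoIt's string delimiters; the
# whole statement is wrapped in double quotes on the command line because
# /AutoIt3ExecuteLine takes exactly one argument.
$Statement = "ControlSend('$Title', '', '[CLASS:Qt5QWindowIcon; INSTANCE:1]', '+{f8}')"
$Argument  = "/AutoIt3ExecuteLine `"$Statement`""

$Action = New-ScheduledTaskAction -Execute $AutoIt -Argument $Argument

# Fire at logon of this user, then wait 15 s (ISO 8601 duration) so OBS has
# time to open its window; this is the "startup + X seconds" in the post above.
$Trigger = New-ScheduledTaskTrigger -AtLogOn -User $User
$Trigger.Delay = 'PT15S'

# Interactive logon type: ControlSend needs the user's own desktop session.
# Limited run level: a hotkey sender has no reason to run elevated.
$Principal = New-ScheduledTaskPrincipal -UserId $User -LogonType Interactive -RunLevel Limited

# Cap the run time so a hung interpreter cannot linger in the background.
$Settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries `
    -ExecutionTimeLimit (New-TimeSpan -Minutes 1)

Register-ScheduledTask -TaskName $TaskName -Action $Action -Trigger $Trigger `
    -Principal $Principal -Settings $Settings -Force | Out-Null

# Read back what was actually registered before relying on it at the next logon.
$Task = Get-ScheduledTask -TaskName $TaskName
'{0} -> {1} {2}' -f $Task.TaskName, $Task.Actions[0].Execute, $Task.Actions[0].Arguments

# Optional dry run now, with OBS already open, to confirm the keystroke lands.
Start-ScheduledTask -TaskName $TaskName
```

Because the task's action is the signed AutoIt3.exe binary plus a command-line argument, any Defender verdict now applies to the interpreter itself rather than to a one-off UPX-packed stub, and the exclusion list can stay empty. The argument string is visible in Task Scheduler and in the task's XML export, which is a reasonable place for a reviewer to check what the task does.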

I had a file being tagged as "Trojan:Win32/Tilken.B!cl" by Windows Defender on Windows 10, with "severe" risk.

This was the only false positive among several of my scripts, so I decided to investigate the code...

Found out this particular script had "#pragma" directives, something I haven't used for quite a long time. So I replaced them with "#AutoIt3Wrapper" directives, recompiled and voilà, no more warnings on Windows Defender!

I have no idea why, but this is definitely worth checking...

PS: It seems like UPX is unchecked by default by AutoIt3Wrapper.

PS2: Using version 3.3.14.2.

Edited by Nomad_RJ

My player is being killed by Windows Defender. I've got other programs that weren't flagged; the lines and compile method are the same. I'm confused.

#Region ;Wrapper
#AutoIt3Wrapper_UseUpx=n
#AutoIt3Wrapper_UseX64=n
#AutoIt3Wrapper_Run_Tidy=y
#AutoIt3Wrapper_Res_SaveSource=y
#AutoIt3Wrapper_Run_Debug_Mode=n
#AutoIt3Wrapper_Icon=BPlayer.ico
#pragma compile(CompanyName, 'careca')
#pragma compile(x64, false)
#pragma compile(UPX, False)
#AutoIt3Wrapper_Res_Comment=By: Careca
#AutoIt3Wrapper_Res_Icon_Add=BPlayer.ico
#AutoIt3Wrapper_Res_Description=Audio Player
#AutoIt3Wrapper_AU3Check_Parameters=-d -w 1 -w 2 -w 3 -w- 4 -w 5 -w 6 -w- 7
#EndRegion ;Wrapper

(screenshot of the Windows Defender alert)

EDIT: after I submitted the file to Windows Defender support, they un-flagged it from the system for the future.

Edited by careca
Windows Defender support unflagged the file.

1 minute ago, jonasmehler46 said:

Much obliged JS, does anyone have something else to include before I bolt this?

nah...  go ahead and bolt your stuff! ;)

Edited by Jos
 

I'm sorry, but I do not write in English; I need Google Translate.

My first very simple script (AutoIt 3.3.14.5):

#Region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_Outfile=simple_32bit_3-3-14-5.exe
#AutoIt3Wrapper_Outfile_x64=simple_64bit_3-3-14-5.exe
#AutoIt3Wrapper_Compression=0
#AutoIt3Wrapper_Compile_Both=y
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****
msgbox(0,0,0)

This is the VirusTotal result of the 32-bit version:
https://www.virustotal.com/#/file/000a78b60fd3f9e3e5c0d27ba7d10914fb34972cb6babfe331ba57d4e2f3ba3e/detection
This is the VirusTotal result of the 64-bit version:
https://www.virustotal.com/#/file/15ab96e9c663db258f36696f0cba61788d0d91ba2229bd5066a057abd16a9603/detection

My second very simple script (AutoIt 3.3.14.2):

#Region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_Outfile=simple_32bit_3-3-14-2.exe
#AutoIt3Wrapper_Outfile_x64=simple_64bit_3-3-14-2.exe
#AutoIt3Wrapper_Compression=0
#AutoIt3Wrapper_Compile_Both=y
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****
msgbox(0,0,0)

This is the VirusTotal result of the 32-bit version:

https://www.virustotal.com/#/file/7961c6b6a6dd492c2bcf36f45a07c81394c57d7b84775c84d448aa382233e82a/detection

This is the VirusTotal result of the 64-bit version:

https://www.virustotal.com/#/file/5a65f4837ceea5a2e3387de9a69a773759dbe4a1b591a9ddf0ec8d0f0e559af5/detection

Why are there different results?

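Two things come up repeatedly in this thread without a concrete procedure: iamtheky's question about what Defender exclusions are actually in force, and the last post's habit of checking each compiled build on VirusTotal by hash. The script below, an added example that is not from the thread or from the AutoIt project, does the local half of that triage on a Windows 10 box with Defender: it hashes each compiled file, builds the VirusTotal lookup URL in the same form the post above used (a hash lookup, so nothing is uploaded), pulls Defender's own detection record for that exact path, and prints the signature version and exclusion lists the verdict was produced under. The file names are the ones from the post above and are placeholders; the Defender cmdlets are the stock Defender module ones.

```powershell
# Added example, not from the thread. Assumes Windows 10 with the built-in
# Defender PowerShell module and the compiled files in the current directory.
function Get-Au3BuildReport {
    param(
        [Parameter(Mandatory)] [string[]] $Path
    )
    foreach ($File in $Path) {
        if (-not (Test-Path -LiteralPath $File)) {
            # A missing build right after compiling usually means it was quarantined.
            Write-Warning "$File is missing: check Defender's quarantine"
            continue
        }
        $Full = (Resolve-Path -LiteralPath $File).Path
        $Hash = (Get-FileHash -LiteralPath $Full -Algorithm SHA256).Hash.ToLower()

        # Defender stores the scanned object in Resources as "file:_<full path>".
        # Match on the full path so a rebuild with the same name elsewhere is not confused with it.
        $Hits = Get-MpThreatDetection |
            Where-Object { $_.Resources -match [regex]::Escape($Full) } |
            ForEach-Object { Get-MpThreat -ThreatID $_.ThreatID }

        [pscustomobject]@{
            File       = $Full
            SizeKB     = [math]::Round((Get-Item -LiteralPath $Full).Length / 1KB)
            SHA256     = $Hash
            # Same URL form as the VirusTotal links in the post above: a lookup by hash.
            VirusTotal = "https://www.virustotal.com/#/file/$Hash/detection"
            Detections = ($Hits | ForEach-Object { $_.ThreatName } | Select-Object -Unique) -join ', '
        }
    }
}

# Record the engine state the verdicts came from; a false positive that clears
# after a signature update is a different report to the vendor than one that persists.
$Status = Get-MpComputerStatus
$Pref   = Get-MpPreference
"Signature version  : $($Status.AntivirusSignatureVersion)"
"Excluded paths     : $($Pref.ExclusionPath -join '; ')"
"Excluded processes : $($Pref.ExclusionProcess -join '; ')"
"Excluded extensions: $($Pref.ExclusionExtension -join '; ')"

# Placeholder file names taken from the post above; the 32- and 64-bit builds
# of the same script get different hashes, so each needs its own lookup.
Get-Au3BuildReport -Path '.\simple_32bit_3-3-14-5.exe', '.\simple_64bit_3-3-14-5.exe' |
    Format-List
```

The point of printing the hash and the exclusion list together is that a hash lookup answers "is this exact build flagged", while the exclusion list answers "why was it not flagged here but was on the coworker's machine". Keep the output from before and after a vendor submission such as the one careca made; the signature version is what the vendor will ask for.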