JSThePatriot

Are my AutoIt EXEs really infected?


45 minutes ago, eagle4life69 said:

I think too many bad guys are using Autoit

The issue is elsewhere: since it's sooo easy to detect AutoIt exes, cheap AV companies believe it's a valuable move to flag them all.  That increases their "success rate" at zero cost since they couldn't care less about false positives...

Call that " security through genocide".




Look at this from the distant past of....2 days ago

https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Autoit-COE/detailed-analysis.aspx

An 828 KB compiled exe?  The only way you get it under 850 is UPX, and the only way you stay that way is if you don't do much of shit in that script.  That is the surefire 2-step way to get flagged by every AV, and pretty much the only way aside from the occasional bad rule that gets pushed.




Starting a week or two ago, one of my scripts (that I have been using for years) is being detected as Trojan:Win32/Bearfoos.A!ml.  I am on Win7 with MSSE.  It is obviously another case of a false positive.  Just wanted to let you know...


First - I love AutoIt.  Very entrenched in it.  But the virus issue has me hamstrung.

I work in the corporate world.  I take a lot of in-house and third party software installs and wrap them in an AutoIt exe to ensure a standard process for internal and external clients.  Every script I compile is getting flagged.  I need an alternative since I can't get install scripts approved by all the AV vendors immediately at 2 AM.

I use AutoIt because I inherited the process from a retiree.  Is there other comparable software that won't get flagged by AV?  InstallShield seems like overkill.  What else is out there?

1 hour ago, fastlane65 said:

I need an alternative since I can't get install scripts approved by all the AV vendors immediately at 2 AM.

Wrong forum to ask. ;) 

Jos


PowerShell probably is the way to go when you feel you really need to change, but I have no recommendations other than "Google is your friend".
AutoIt3 can work as well when the original AutoIt3.exe is used and you run a3x versions of a script.....   your choice.

Jos


I do a lot of PowerShell but many scripts need to be compiled for portability and security (passwords and such).  Thanks.

17 minutes ago, fastlane65 said:

security (passwords and such.) 

AutoIt isn't the language for you then, compiled scripts aren't secure unless dealing with just the usual user types.



38 minutes ago, fastlane65 said:

I do a lot of PowerShell but many scripts need to be compiled for portability and security (passwords and such).  Thanks.

PowerShell is portable on anything built in the last 10 years.

If you are embedding passwords you're doing it wrong, regardless of the language you choose.

Edited by JLogan3o13


First, why can't you whitelist hashes locally on your corporate AV?

Next,

try upx=n prior, but if it still fails then show us the script.

If you are just FileInstalling and running commands, then that should fix it.

You probably can't compress or obfuscate it if it is only those simple behaviors, because it is literally, except for your path/filename, every AutoIt dropper ever.

 

*Also, everyone who has the script can read those passwords in plain text with minimal effort and in many different ways.

 

 

Edited by iamtheky

On 7/19/2019 at 9:27 PM, fastlane65 said:

First - I love AutoIt.  Very entrenched in it.  But the virus issue has me hamstrung.

I work in the corporate world.  I take a lot of in-house and third party software installs and wrap them in an AutoIt exe to ensure a standard process for internal and external clients.  Every script I compile is getting flagged.  I need an alternative since I can't get install scripts approved by all the AV vendors immediately at 2 AM.

I use AutoIt because I inherited the process from a retiree.  Is there other comparable software that won't get flagged by AV?  InstallShield seems like overkill.  What else is out there?

You need to understand that AV software works in 2 ways:

 - it detects files that have the same signature as already detected virus files. This is what the first post of this topic is about. It's basically an "is this file identical to this one?" process.

- it uses "heuristic detection systems" that inspect what the software is doing. It's basically a "does this software act like what most viruses are doing?" process.

The problem you're having here is that since you're developing exes that install software and change system settings, they do similar things to what real viruses are doing, so it triggers the heuristic detection system of the AV.

Which means even if you switch to another programming language you'll probably still encounter the same problems with AV.

In other words, there is no solution to your problem that would allow you to bypass AV checks. So you need to deal with them. The easiest and fastest way is to add your exe to the whitelist system, at the AV server level preferably, or at the client level if not possible.

The longer but more durable way is what we're all doing in this topic: after the fast way is OK, report the false positive to the different AV companies so that they update their signature base and heuristic detection system to work more precisely.

Welcome to our world ;)

 

Edited by Neutro

On 7/19/2019 at 2:27 PM, fastlane65 said:

First - I love AutoIt.  Very entrenched in it.  But the virus issue has me hamstrung.

I work in the corporate world.  I take a lot of in-house and third party software installs and wrap them in an AutoIt exe to ensure a standard process for internal and external clients.  Every script I compile is getting flagged.  I need an alternative since I can't get install scripts approved by all the AV vendors immediately at 2 AM.

I use AutoIt because I inherited the process from a retiree.  Is there other comparable software that won't get flagged by AV?  InstallShield seems like overkill.  What else is out there?

I had my work create a signing cert which I sign all my code with. I have a batch file set up that is run after the compilation to do the signing.

The cert is recognized by the AV and that way I don't have to whitelist each exe. I do a lot of revisions and compiles to test things, so whitelisting hashes is a hassle. Also some remote devices don't update as they should, so this eliminates that issue as well.

 


Does any AV software have a feature to add an exclusion which will allow an exe to run, but only when all of the following conditions are met:

  1. a specific selected single exe file
  2. only this single version of that exe file
  3. a single known virus threat

What I want to achieve:
I want to add an exclusion for a single file, but only for a single known virus threat, and only for the EXE version which I know, because if the file was changed then it is not the same file which I gave the green light, and because the rule in security is to give as few permissions as possible, so why should I exclude a file from checking completely?


On 8/23/2019 at 9:47 AM, bowain said:

I had my work create a signing cert which I sign all my code with. I have a batch file set up that is run after the compilation to do the signing.

The cert is recognized by the AV and that way I don't have to whitelist each exe. I do a lot of revisions and compiles to test things, so whitelisting hashes is a hassle. Also some remote devices don't update as they should, so this eliminates that issue as well.

 

I'd like to start by saying that I've experienced pretty much everything that has been mentioned in this thread - quarantined exes for completely innocuous code, compiled exes flagged as infected months or years after they've been sitting idle in an archive folder, the same script being flagged intermittently each time I compile it, you name it. I knew that would be unacceptable if we released our product in that condition so I researched for many days (probably weeks) before our initial release. This is the route we ended up choosing and I honestly couldn't be happier with the results. After we started signing all of our executables using a reputable code signing cert we no longer get flagged by Windows Defender - even using UPX with maximum compression. We've had rare issues with other AV providers but they've been so rare (easily less than 10 total over the past 18 months) it's really been a non-issue. If you already have a corporation setup I highly recommend doing this sooner rather than later. To be upfront, it does have a cost - both in time (generally 1-4 weeks from application to receiving your cert) and money (<$100/year) - but user trust and peace of mind are (very nearly) priceless.

Once you have the code signing cert downloaded and installed you can simply add a line to the top of your script to have SciTE automatically sign your newly compiled exe as the final step in the compile process. Something like this:

#AutoIt3Wrapper_Run_After=""%ProgramFiles(x86)%\Windows Kits\....\signtool.exe" sign /tr http://timestamp.comodoca.com/?td=sha384 /td SHA384 /a "%out%""

Also, if you have concerns about Windows Defender being reliable and accurate AV software you can let those concerns go. While it's true Windows Defender has had issues in the past, they were in the beginning of Microsoft's attempts at AV and things have improved significantly since then. If you want to check it out for yourself you can Google it or go here: https://www.techspot.com/news/81396-windows-defender-ranked-joint-best-antivirus-program.html (Fyi, up until about 5 years ago I'd been in IT for >20 years doing anywhere from tech support to Windows/Network Admin. In other words, basically dealing with viruses/rootkits/malware/ransomware on a daily basis because of users or customers lacking the wherewithal to not click the link in the email from an unknown source claiming their inheritance is waiting. 🤦‍♂️)

Edit: Btw, in case anyone does want to go this route I can recommend https://www.thesslstore.com/. I'm not affiliated with them in any way except for that's where I purchased our cert from and I can attest that we received it and it works exactly as I've described. We went with the standard Comodo Code Signing cert. The EV certs are more expensive because they require more background evaluation to be done to verify the entity applying for the cert. It may be advantageous in particular circumstances but isn't necessary to simply avoid AV quarantine.

Also, the other unmentioned advantage is your exes are now digitally signed. While for most customers this won't make a difference, if you're using your scripts in a corporate environment this may be a major peace-of-mind bonus since it's easy to verify the authenticity of your exes and they have certain assurances the exes haven't been tampered with. 👍

Edited by Jokerman
Additional info
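A post-build signing script, added here as an example (it is not bowain's batch file or Jokerman's wrapper line), that does what both posts describe: sign the compiled exe with signtool, verify the Authenticode signature the way Windows does, and record the SHA-256 hash and file version of that exact build for the hash-based exclusions mLipok asks about above. It assumes signtool.exe from the Windows SDK is on PATH, the code signing cert is installed in the user's certificate store, and the script name and CSV path are hypothetical.

```powershell
# Sign-Build.ps1 (hypothetical name): sign, verify and record one compiled exe.
# Added example, not code from the thread. Assumes signtool.exe is on PATH and
# the code signing cert is in the CurrentUser\My store (signtool /a picks it).
param(
    [Parameter(Mandatory)] [string] $ExePath,                 # %out% from the wrapper
    [string] $TimestampUrl = 'http://timestamp.comodoca.com/?td=sha384',
    [string] $AllowlistCsv = "$PSScriptRoot\allowlist.csv"   # hypothetical hash list
)

$ErrorActionPreference = 'Stop'

if (-not (Test-Path -Path $ExePath -PathType Leaf)) {
    throw "Not a file: $ExePath"
}

# 1. Sign with a SHA-256 file digest and an RFC 3161 timestamp, so the
#    signature stays valid after the certificate itself expires.
& signtool.exe sign /fd SHA256 /tr $TimestampUrl /td SHA384 /a $ExePath
if ($LASTEXITCODE -ne 0) { throw "signtool failed with exit code $LASTEXITCODE" }

# 2. Verify the Authenticode chain with Windows' own trust check. Anything
#    other than 'Valid' (untrusted root, hash mismatch, no timestamp chain)
#    means the exe is not in the state the AV or app-control policy expects.
$sig = Get-AuthenticodeSignature -FilePath $ExePath
if ($sig.Status -ne 'Valid') {
    throw "Signature check failed: $($sig.Status) - $($sig.StatusMessage)"
}

# 3. Record this exact build (hash, version, signer) so an exclusion can be
#    scoped to one file version instead of to a path or to the file forever.
$hash = (Get-FileHash -Path $ExePath -Algorithm SHA256).Hash
$ver  = (Get-Item -Path $ExePath).VersionInfo.FileVersion

[pscustomobject]@{
    File    = Split-Path -Path $ExePath -Leaf
    Version = $ver
    SHA256  = $hash
    Signer  = $sig.SignerCertificate.Subject
    Thumb   = $sig.SignerCertificate.Thumbprint
    Signed  = (Get-Date).ToString('s')
} | Export-Csv -Path $AllowlistCsv -Append -NoTypeInformation

Write-Host "Signed and verified $ExePath (SHA256 $hash)"
```

It hooks into the compile the same way Jokerman's line does, e.g. #AutoIt3Wrapper_Run_After=powershell.exe -ExecutionPolicy Bypass -File "C:\build\Sign-Build.ps1" -ExePath "%out%" (paths hypothetical).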


Is it me, or are AV companies and digital signature companies fading out hobbyist coders, and not just those that use interpreted languages either? Okay, if you are in a corporate environment or are looking to sell your work, fine, pay your dues to this self-sustaining industry; those that do this for fun and knowledge shouldn't really be held to ransom on the off chance we craft something worthy of distribution.
