JSThePatriot

Are my AutoIt EXEs really infected?

3 minutes ago, JLogan3o13 said:

@Mobius Just curious, if you were one of the big AV companies - how would you police and decide who is a hobbyist and who is not, so that you could apply different levels of response logic?

IMHO:

By allowing a local admin to add a certificate to the trusted zone (on the central AV admin console).
And if the app dev is using the same certificate for code signing, then such an EXE file should always be treated as SECURE.

But have you ever seen any AV software which has a feature to add a certificate to a trusted zone?


32 minutes ago, JLogan3o13 said:

@Mobius Just curious, if you were one of the big AV companies - how would you police and decide who is a hobbyist and who is not, so that you could apply different levels of response logic?

To be honest, I thought the sole purpose/concern of an antivirus company would be to ascertain what is malicious vs. that which is not, and not just to green-light those willing to pay and red-light those that are not or cannot. Hobbyist vs. not should not concern them in the least.

It is worth noting that, looking back at the early origins of digital signatures, malicious application developers were one of the biggest buyers, so the point of recommending digital signatures seems a bit flat to me.


So, you have zero ideas of how to implement it. So, you can stop complaining, in other words. I wish this thread would get locked. I had an issue, I went to MS and had them whitelist my AutoIt apps, no more issues.

Edited by Earthshine

1 minute ago, Earthshine said:

So, you have zero ideas of how to implement it. So, you can stop complaining, in other words. I wish this thread would get locked. I had an issue, I went to MS and had them whitelist my AutoIt apps, no more issues.

"ascertain what is malicious vs that which is not"

There is my idea of implementing a model that works, in plain English; not your strong point, huh? <(rhetoric)

2 minutes ago, Earthshine said:

HAGHAHAHAHA, and how are they to do that? Do you think they have unlimited resources? You get ignored now.

It's called reverse engineering, but I suppose ignorance IS bliss for some. No offense intended in my statements, but there is always one.

41 minutes ago, Earthshine said:

So, you have zero ideas of how to implement it. So, you can stop complaining, in other words. I wish this thread would get locked. I had an issue, I went to MS and had them whitelist my AutoIt apps, no more issues.

Not sure why you: A: think this post would be locked just because you don't like the content and B: don't move along if you don't like said content rather than ranting. I think you're getting your underwear in a twist over nothing.

43 minutes ago, Mobius said:

"ascertain what is malicious vs that which is not"

So even if you look at something like Cylance, where it's 'pure math', there are still decision trees it has to follow (and that inexplicably ended at a file size limit in their last reported bypass) and thresholds that breed false positives.

There is no magic bullet, and as long as you write small scripts that are 99.8% the same as every other AutoIt dropper ever, you will need to get your hashes whitelisted. And that process is pretty easy these days; you just need to work audit and exclusion tasks into the Gantt for your project.

Edited by iamtheky
bad grammar, the worst.


(Aside from the dispute that is currently taking place)

Just my personal experiences:
Q: Is a quality certificate beneficial? A: Yes (in the vast majority of cases)

Q: Does it make sense to report 'false positives' to the antivirus companies? A: Yes (most of the problems will be solved within a few days)

As @iamtheky already wrote: There is no magic bullet.

I always find it somehow irritating that people easily pay $1000+ per year for their mobile phone but get a heart attack if they have to spend $200 on a good certificate.

(a bit off topic)
What concerns me more from a privacy point of view is:
The development goes increasingly in the direction of real-time cloud protection services. You can still disable this feature (at the moment), but my trust in this approach is rather low. From a technical perspective this might be great, but we all know what will happen to our personal information :( .



BTW, I would never implicitly trust a self-signed certificate, and neither should ANY AV company. If it doesn't come from a reputable certificate issuer, then it's not worth the metaphorical paper it's written on.

Just because someone with Admin rights has installed such a cert (self-signed) doesn't mean that the cert in question is secure, in any way shape or form, it just means someone that has admin credentials installed it.


On 9/27/2019 at 8:45 PM, BrewManNH said:

doesn't mean that the cert in question is secure

Minor nitpick here: The issue isn't so much that a self-signed cert isn't secure, but whether or not the issuer of a cert is trustworthy. ;)



To reaffirm some of what's been said before: Try compiling...

  • with UPX off
  • with compression set to Low or Lowest/Off
  • launching the 64-bit version of the exe. Sometimes this will work when the 32-bit will not

One of the above or some combination of them will very likely work for you.

10 minutes ago, tcurran said:

To reaffirm some of what's been said before: Try compiling...

  • with UPX off
  • with compression set to Low or Lowest/Off
  • launching the 64-bit version of the exe. Sometimes this will work when the 32-bit will not

One of the above or some combination of them will very likely work for you.

To add on to this - if the first version you compile gets flagged try adding a new comment line, or edit an existing one, and compile again. Or add a new unused variable (which you can then comment/uncomment in future attempts at bypassing the AV filter). I've found that changes as small as these can cause a compiled exe to miraculously no longer be flagged. YMMV.

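Pulling the compile-option and hash tips from the last few posts together as an added example (editor-added code, not from tcurran, JLogan3o13 or the AutoIt project): a PowerShell triage that reads the PE section table to tell whether a build is still UPX-packed, computes the SHA-256 you would submit or whitelist, and reports the Authenticode status. The path `C:\Build\MyScript.exe` and the function names are assumptions for this example.

```powershell
# Added example: triage a compiled AutoIt EXE before submitting it as a false
# positive or whitelisting its hash. Path below is an assumption.

function Get-PeSectionNames {
    param([Parameter(Mandatory)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) {
        throw "Not a PE file (no MZ header): $Path"
    }
    # e_lfanew (offset 0x3C) points at the "PE\0\0" signature.
    $pe = [BitConverter]::ToInt32($bytes, 0x3C)
    if ($bytes[$pe] -ne 0x50 -or $bytes[$pe + 1] -ne 0x45) {
        throw "Missing PE signature: $Path"
    }
    # COFF header: NumberOfSections at +6, SizeOfOptionalHeader at +20.
    $numSections = [BitConverter]::ToUInt16($bytes, $pe + 6)
    $optHdrSize  = [BitConverter]::ToUInt16($bytes, $pe + 20)
    $table       = $pe + 24 + $optHdrSize
    $names = for ($i = 0; $i -lt $numSections; $i++) {
        # IMAGE_SECTION_HEADER is 40 bytes; the 8-byte Name field comes first.
        $off = $table + ($i * 40)
        ([System.Text.Encoding]::ASCII.GetString($bytes, $off, 8)).TrimEnd([char]0)
    }
    return @($names)
}

function Test-AutoItExeTriage {
    param([Parameter(Mandatory)][string]$Path)
    $sections = Get-PeSectionNames -Path $Path
    # UPX renames sections to UPX0/UPX1; that is what the "UPX off" advice removes.
    $upx = [bool]($sections | Where-Object { $_ -like 'UPX*' })

    # Any recompile (even a changed comment) yields a new SHA-256, so a hash
    # allow-list or false-positive submission has to be refreshed per build.
    $sha256 = (Get-FileHash -Path $Path -Algorithm SHA256).Hash

    # NotSigned = unsigned build; Valid = signer chains to a root this machine
    # trusts; UnknownError is the usual result for a signed file whose chain
    # ends in an untrusted root, e.g. a self-signed or in-house-only cert.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $selfSigned = [bool]($sig.SignerCertificate -and
                         ($sig.SignerCertificate.Subject -eq $sig.SignerCertificate.Issuer))

    if ($upx) {
        $advice = 'UPX-packed: recompile with UPX off before submitting'
    } elseif ($sig.Status -eq 'NotSigned') {
        $advice = 'Unsigned: sign it, or submit this hash as a false positive'
    } elseif ($sig.Status -ne 'Valid') {
        $advice = "Signed but chain not trusted here ($($sig.Status)): check the issuing CA"
    } else {
        $advice = 'Signed and trusted: submit this hash with the sample if still flagged'
    }

    [pscustomobject]@{
        File           = $Path
        Sections       = ($sections -join ',')
        UpxPacked      = $upx
        Sha256         = $sha256
        SignatureState = $sig.Status
        Signer         = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        SelfSigned     = $selfSigned
        Advice         = $advice
    }
}

# Usage (assumed path):
Test-AutoItExeTriage -Path 'C:\Build\MyScript.exe' | Format-List
```

Run it on the 32-bit and 64-bit builds separately; the section list and hash differ between them, which is why one may pass while the other is flagged.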

That is indeed a thing; I might have scripts in the wild with some commented-out Lorem Ipsum and Beowulf 🙋‍♂️

It has been years though, I really haven't had a problem with the newer enterprise AVs.


On 9/27/2019 at 6:45 AM, BrewManNH said:

BTW, I would never implicitly trust a self-signed certificate, and neither should ANY AV company. If it doesn't come from a reputable certificate issuer, then it's not worth the metaphorical paper it's written on.

Just because someone with Admin rights has installed such a cert (self-signed) doesn't mean that the cert in question is secure, in any way shape or form, it just means someone that has admin credentials installed it.

My approach was meant more as a workaround in my corporate environment and not for the public. If I were to distribute anything I code I would indeed buy a cert. And as you emphasize, this will not work outside as it is a self-signed cert.

I have had to whitelist most of my apps on my home lab as the AV here flags them. Mainly the older ones that were not signed and compiled with UPX. I'm not sure if that is why or not.

4 hours ago, bowain said:

My approach was meant more as a workaround in my corporate environment and not for the public.

But it shouldn't work with a self-signed exe; the AV companies shouldn't be accepting them as valid proof you're not sending viruses around, was my point. There's no reputation behind an SSC, it's just you saying "hey, I swear I'm not encrypting everyone's files because I signed my exe."



@BrewManNH This is just whitelisted by the corporate rules, not by the AV company. Corporate created the cert on an in-house CA, so we know we can trust it on the corporate machines. This would never, should not ever and will not ever be used outside of our environment. As I said, if I wanted to go beyond our corp area I would buy a cert from a recognized CA.

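The in-house-CA approach bowain describes, as an added example (editor-added code, not bowain's or the AutoIt project's): sign the compiled EXE with a code-signing certificate issued by an internal CA, check the three separate facts that matter (signed at all, chain trusted on this machine, issued by the CA you meant rather than merely self-signed), and express "trust our publisher" as an allow rule. bowain does not say which product enforces the corporate rule; AppLocker is used here as one concrete way to write a publisher rule, and needs the AppLocker module (Windows Enterprise/Server). The cert subject `CN=Contoso Internal Code Signing`, issuer `CN=Contoso Issuing CA`, the timestamp URL parameter and the paths are assumptions.

```powershell
# Added example: sign an AutoIt EXE with an in-house CA cert, verify it, and
# build a publisher-based allow rule. Names and paths are assumptions.

function Set-AutoItExeSignature {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$CertSubject,   # e.g. 'CN=Contoso Internal Code Signing'
        [string]$TimestampServer                      # optional RFC 3161 URL (assumed by caller)
    )
    # Only certs with the Code Signing EKU and a usable private key qualify.
    $cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
            Where-Object { $_.Subject -eq $CertSubject -and $_.HasPrivateKey } |
            Select-Object -First 1
    if (-not $cert) { throw "No code-signing cert with private key for '$CertSubject'" }

    $signParams = @{ FilePath = $Path; Certificate = $cert; HashAlgorithm = 'SHA256' }
    if ($TimestampServer) { $signParams.TimestampServer = $TimestampServer }
    $result = Set-AuthenticodeSignature @signParams
    # Status reflects the chain on THIS machine: Valid on a domain host that
    # trusts the internal root, UnknownError on a machine that does not.
    if ($result.Status -ne 'Valid') {
        Write-Warning "Signed, but chain not trusted here: $($result.Status) - $($result.StatusMessage)"
    }
    return $result
}

function Test-SignedByInternalCa {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedIssuer   # e.g. 'CN=Contoso Issuing CA'
    )
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    # A Valid chain to some other CA is not "our" rule; check the issuer explicitly.
    [pscustomobject]@{
        File          = $Path
        Signed        = ($sig.Status -ne 'NotSigned')
        ChainTrusted  = ($sig.Status -eq 'Valid')
        IssuerMatches = [bool]($cert -and ($cert.Issuer -eq $ExpectedIssuer))
        SelfSigned    = [bool]($cert -and ($cert.Subject -eq $cert.Issuer))
        Status        = $sig.Status
    }
}

function New-PublisherAllowRuleXml {
    param([Parameter(Mandatory)][string]$Path)
    # A publisher rule keys on the signer, so rebuilds with a new hash stay
    # allowed as long as they are signed by the same certificate.
    $info = Get-AppLockerFileInformation -Path $Path
    New-AppLockerPolicy -FileInformation $info -RuleType Publisher -User Everyone `
        -RuleNamePrefix 'AutoItInternal' -Xml
}

# Usage (assumed values):
$exe = 'C:\Build\MyScript.exe'
Set-AutoItExeSignature -Path $exe -CertSubject 'CN=Contoso Internal Code Signing' |
    Format-List Status, StatusMessage
Test-SignedByInternalCa -Path $exe -ExpectedIssuer 'CN=Contoso Issuing CA'
New-PublisherAllowRuleXml -Path $exe | Set-Content .\AutoItPublisherRule.xml
# Review the XML, then merge it into the local policy:
#   Set-AppLockerPolicy -XmlPolicy .\AutoItPublisherRule.xml -Merge
```

This only holds inside an environment whose machines already trust the internal root, which is exactly the limitation BrewManNH and bowain agree on: outside that boundary the chain terminates in an unknown root and the rule means nothing.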

That does make sense, I guess I was looking at it in a more general view.


