Are my AutoIt EXEs really infected?

On 8/23/2019 at 8:47 AM, bowain said:

I had my work create a signing cert which I sign all my code with. I have a batch set up that is run after the compilation to do the signing.

The cert is recognized by the AV and that way I don't have to whitelist each exe. I do a lot of revisions and compiles to test things, so whitelisting hashes is a hassle. Also some remote devices don't update as they should, so this eliminates that issue as well.

 

Does a certificate really guarantee your app won't get flagged?  We have a client that says our app was getting quarantined, so we signed it with Entrust CA.  Apparently Windows Defender is still flagging it, but now at least he gets an option to run it anyway.  There's a little bit of an English issue, but we're going to set up a laptop here with the same version of MS Windows Defender and see if we can duplicate it in-house.

29 minutes ago, quickbeam said:

Does a certificate really guarantee your app won't get flagged?

No, it has zero effect; that's not even what certs are for.

Certificates verify the author (not that the file is certified clean); it's the code equivalent of a pretty cursive signature.

 

That being said, you can whitelist things in your Enterprise AV based off any value. Cert is as valid a value in that sense as any other.

Edited by iamtheky

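The two posts above make one point between them: a code signature identifies the signer and proves the file has not changed since signing, and that identity is a stable key for an enterprise AV allow-list, whereas a file hash changes with every rebuild. The script below is an added example, not bowain's batch file and not anything from the thread; it signs with PowerShell's own Set-AuthenticodeSignature rather than whatever tool his batch calls, then reads the signature back to show exactly what an Authenticode check does and does not attest. The EXE path, the thumbprint placeholder and the choice of timestamp server are assumptions.

```powershell
# Added example: sign a compiled AutoIt EXE, then inspect what the signature attests.
# Assumptions: the signing cert is in Cert:\CurrentUser\My, the EXE path exists,
# and the timestamp server is reachable (any RFC 3161 service will do).
$ExePath    = 'C:\build\MyTool.exe'              # assumed build output path
$Thumbprint = '<signing-cert-thumbprint>'        # placeholder, replace with yours
$TsaUrl     = 'http://timestamp.digicert.com'    # one public timestamp service

$cert = Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "Signing certificate $Thumbprint not found in CurrentUser\My" }

# Timestamping keeps the signature valid after the certificate itself expires.
$signed = Set-AuthenticodeSignature -FilePath $ExePath -Certificate $cert `
              -HashAlgorithm SHA256 -TimestampServer $TsaUrl
if ($signed.Status -ne 'Valid') { throw "Signing failed: $($signed.StatusMessage)" }

# Verification answers two questions only: WHO signed it, and is it UNMODIFIED since.
# It says nothing about whether the code is safe, and nothing about AV heuristics.
$check = Get-AuthenticodeSignature -FilePath $ExePath
[pscustomobject]@{
    File            = $ExePath
    SignatureStatus = $check.Status                              # 'Valid' = chain ok, file intact
    Signer          = $check.SignerCertificate.Subject           # the identity the cert binds
    CertThumbprint  = $check.SignerCertificate.Thumbprint        # stable across rebuilds: allow-list key
    FileSha256      = (Get-FileHash -Path $ExePath -Algorithm SHA256).Hash  # changes every build
}
```

Run it once per build and compare the last two fields between builds: FileSha256 differs every time (which is why hash-based whitelisting of frequent rebuilds is a hassle), CertThumbprint and Signer stay the same (which is why a cert-based allow-list rule keeps working), and SignatureStatus being Valid does not stop a heuristic engine from flagging the file, exactly as quickbeam observed.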
  • 2 weeks later...

I create a website builder with AutoIt. Method is to merge text files and photos to build the website. Very simple. I scan the au3 file with VirusTotal. No virus. But when I scan the exe file, it is regarded as malware by some virus scanners. I submit the software to Cnet. They reply approval is not given unless the problem is solved.

Link to post
Share on other sites
1 hour ago, JLogan3o13 said:

@Musashi why would you link to the exact same thread? 

I have given the link to this thread as an answer in another thread. There the OP described his problems with "false positives". Later the thread was merged/moved in here by a moderator, including my contribution. Now my answer is outside the original context, and appears therefore pointless ;).

Perhaps it would be a good idea to simply remove the link.

Edited by Musashi


"In the beginning the Universe was created. This has made a lot of people very angry and been widely regarded as a bad move."

  • 2 weeks later...

Productive work with the newest AutoIt version is no longer possible under Windows 10. Windows Defender permanently reports a virus when the script has been compiled and the ".EXE" file is saved in an automatically synced OneDrive folder (e.g. Downloads or Desktop etc.). This means that online transfers to other users are no longer possible and the files no longer execute there.

best regards Chris

  • Moderators
15 hours ago, Eishockeyfan said:

Productive work with AutoIt Newest Version is no longer possible under Windows 10.

Did you really think, for as long as AutoIt has supported Windows 10 (on systems with Defender), that if this were the case it wouldn't have been advertised far and wide?

In the future, rather than making a definitive statement such as this and then having to come back and retract it, perhaps start by asking a question in the forum about the problems you're encountering.

Edited by JLogan3o13

"Profanity is the last vestige of the feeble mind. For the man who cannot express himself forcibly through intellect must do so through shock and awe" - Spencer W. Kimball

How to get your question answered on this forum!

  • 1 year later...
  • Moderators

Well, if you can't submit to anyone, you're out of luck. Without source, no AV company can do anything.

10 hours ago, Tripredacus said:

Some recent update to Defender in Windows 10 (noticed today) means that some AutoIt .exe files are being detected as Trojan:Win32/Fuerboos.D!cl and being quarantined automatically.

Considering your post count, you'll probably know the following info already ;). Furthermore, this has been mentioned numerous times in this and other threads. Just in case it has escaped your attention until now, here is a brief (simplified) summary:

Compile your scripts in a3x format instead of exe.

To execute a3x scripts on the target machine, there are several ways, e.g.:

  • Install AutoIt, then you can execute a3x scripts similar to .exe by double-clicking. However, this option is often not desired by the recipient. If the scripts should only run on your own computer this is irrelevant, because an AutoIt installation already exists.
  • Copy the appropriate file(s) AutoIt3.exe or AutoIt3_x64.exe to the target computer. Associate the extension a3x with the interpreter (AutoIt3.exe). Execution of a3x scripts by double-clicking is then possible. Since this requires a change in the registry of the target computer, it may also be undesirable.
  • Copy the appropriate file(s) AutoIt3.exe or AutoIt3_x64.exe to the target computer. a3x files can be executed e.g. via a .cmd or a shortcut. This is the least invasive variant.

I have switched all my scripts to the a3x format and since then virtually no problems with virus software anymore :).

Regarding security: au3 scripts are embedded as a3x when compiling an .exe, so there is no difference.

 

==> Definitely worth a look is the solution from @Exit , see : au3tocmd-avoid-false-positives

Edited by Musashi
typo

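The third, least invasive variant above (copy the stock interpreter next to the .a3x and start it from a script or shortcut, no install and no registry association) is what the launcher below implements. It is an added example, not Musashi's or Exit's code and not from the AutoIt project; it uses a PowerShell script where the post mentions a .cmd, and the script name MyScript.a3x is assumed. AutoIt3.exe takes the script file as its first command-line argument and passes the rest to the script, which is documented behaviour.

```powershell
# Added example: launch an .a3x with a copied AutoIt3.exe, no installation or
# file association needed. Assumes AutoIt3.exe and/or AutoIt3_x64.exe (copied
# from your own AutoIt install) and MyScript.a3x (assumed name) sit beside this file.
$here   = $PSScriptRoot
$script = Join-Path $here 'MyScript.a3x'

# Prefer the 64-bit interpreter on a 64-bit OS if it was shipped; the 32-bit one runs anywhere.
$interp = Join-Path $here 'AutoIt3.exe'
$x64    = Join-Path $here 'AutoIt3_x64.exe'
if ([Environment]::Is64BitOperatingSystem -and (Test-Path $x64)) { $interp = $x64 }

foreach ($p in @($interp, $script)) {
    if (-not (Test-Path $p)) { Write-Error "Missing file: $p"; exit 2 }
}

# Record what is being run so anyone auditing the machine can tie the process back
# to the unmodified stock interpreter (its hash and signature status) plus the script.
$hash = (Get-FileHash -Path $interp -Algorithm SHA256).Hash
$sig  = (Get-AuthenticodeSignature -FilePath $interp).Status
Write-Host "Launching $script with $interp (signature: $sig, SHA256: $hash)"

# First argument is the script; any arguments given to this launcher reach the script's $CmdLine.
$argList = @("`"$script`"") + $args
$proc = Start-Process -FilePath $interp -ArgumentList $argList -Wait -PassThru -NoNewWindow
exit $proc.ExitCode
```

Point a desktop shortcut at `powershell.exe -ExecutionPolicy Bypass -File Launch.ps1` (or call the script from a .cmd, as the post suggests) and the user gets double-click behaviour without any change to the registry. Because the only executable involved is the unmodified interpreter, an allow-list entry for its hash or its signer covers every script you ship this way, instead of one entry per compiled EXE.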
  • 2 months later...

If at all possible, compile your exe's as 64-bit.
When compiled as 32-Bit, I get as many as 12-18 virus detections from VirusTotal.
The exact same script, compiled as 64-Bit, only has 2-3 detections.

Almost all Windows computer systems these days are 64-Bit operating systems.

Take NOTICE: special considerations are required for the Windows Registry, Windows\System* files and ProgramFiles* directories.

Edited by Shark007
  • 3 months later...
  • Moderators
On 7/18/2021 at 5:53 AM, IlanMS said:

When using VirusTotal, several anti-viruses that are not listed here false positive

Not surprising when the original list was compiled 15 years ago ;)

The workaround is the same: as mentioned numerous times throughout this thread, there are things you can do to mitigate false positives. Failing these suggestions, you need to contact the AV vendor.

 

 

  • 1 month later...

2 weeks ago I started having issues when compiling one of my projects.
Funny thing is that the solution to all my problems was to add the following line at the top of my scripts:

If Not @Compiled Then ConsoleWrite('ESET')

Today it started happening for my other projects.

 

I also remember such case:

Several years ago, I was working on corrections to one of my projects. I had been correcting it for several hours.

At the end, when I achieved the desired effect, I noticed that I had a linguistic error (a typo) in one of the messages. So I literally corrected one letter and sent the amendment to the update server.

Then, in a remote connection (TeamViewer) at the client's workstation, I wanted to finally update the product.

It turned out that changing one letter in the program code regarding the displayed message may cause the heuristic methods of antivirus programs to recognize the program as a virus.

15 minutes ago, mLipok said:

It turned out that changing one letter in the program code regarding the displayed message may cause the heuristic methods of antivirus programs to recognize the program as a virus.

That's the drawback of heuristics: they can misinterpret a tree as a school bus when a bird leaves its nest in the tree.
