TeraBit

Why is my script detected by NOD32 as a virus?


TeraBit

When I checked my script with NOD32 antivirus, I received this warning:

ScriptName.exe » AUTOIT » script.au3 - Possibly modified Win32/Autoit.EI worm.

But when I submitted this script to the Kaspersky Online antivirus center, it didn't see a virus inside.

Why is my script classified as a virus by NOD32?

How can that sort of virus harm a system?

TehWhale

This has been gone over a million times. Use the search feature of this forum. :mellow:

TeraBit

Should I use an alternative packer to avoid this antivirus fake warning detection?

Andreik

Should I use an alternative packer to avoid this antivirus fake warning detection?

I think you can compile without UPX.

If you use Compile Script to .exe, you will find this option in the Compression menu.

Try it and then tell us if there is a change or not.


When the words fail... music speaks

Mobius

Should I use an alternative packer to avoid this antivirus fake warning detection?

Kind of depends what sort of packer you chose. PM me if you want to know more.

Mostly false positives given by AVs that cannot keep up with current trends.

Edited by Mobius

Emiel Wieldraaijer

@Mobius

Hi :mellow:

@TeraBit

Send NOD an email ... to create a real virus scanner..

How to reduce false positives

- Don't use a beta version of AutoIt

- Don't use filepackers

- Don't use hotkeys in a script

- Don't use _IsPressed in a script

- Don't use autodownloads in a script

Edited by Emiel Wieldraaijer

Best regards,Emiel Wieldraaijer

TeraBit

I have tried to pack my script.exe file with the Themida packer and now NOD32 doesn't detect my program as a virus!

Hacker's favorite method.

Isn't it? :mellow:

Mobius

I have tried to pack my script.exe file with the Themida packer and now NOD32 doesn't detect my program as a virus!

Hacker's favorite method.

Isn't it? :(

:mellow: But at what cost to the size of the packed binary?

I mean ::

Unpacked size =

Packed size =

Edited by Mobius

TeraBit

Unpacked size = 784 KB

Packed size = 1,76 MB

Why does the size of the packed file exceed the unpacked size many times over?

Andreik

I have tried to pack my script.exe file with the Themida packer and now NOD32 doesn't detect my program as a virus!

Hacker's favorite method.

Isn't it? :(

Try scanning with another antivirus; don't be surprised if it is detected as a virus by a different antivirus. :mellow:


When the words fail... music speaks

Mobius

Unpacked size = 784 KB

Packed size = 1,76 MB

Why does the size of the packed file exceed the unpacked size many times over?

OUCH Dude, that is a considerable increase in filesize for something that is not going to protect your source at all.

Uber packers such as Themida and Armadillo and many others offer additional header tricks that are designed to protect at all costs against the many tools that are out there to probe a binary.

Such packers are designed for major, often corporate applications, or for people that do not care about the overall binary size. You might want to play around with various settings to possibly trim this down a bit but don't get your hopes up.

Ed

Like Emiel said, packers are really optional unless you wish to embed sensitive data in the resource table, and require a packer to protect this

Edited by Mobius

Cw2K1

@Mobius

Hi :mellow:

@TeraBit

Send NOD an email ... to create a real virus scanner..

How to reduce false positives

- Don't use a beta version of AutoIt

- Don't use filepackers

- Don't use hotkeys in a script

- Don't use _IsPressed in a script

- Don't use autodownloads in a script

- Don't use AutoIt

Enjoy the complexity.Feel the power of simplicity.

TeraBit

I think it is not a big increase in size for our fast PCs, and it is acceptable for me =)

TeraBit

And you are using a Packer FOR???? :mellow:

Ed:

Protecting images and other data used by your binary?

I use it to avoid immediate deletion by my favorite antivirus

Mobius

I use it to avoid immediate deletion by my favorite antivirus

Then why pack at all, that is what I was asking really.

If you do not care about filesize then why bother packing, unless like I said, you wish to protect images and other data used by your program.

Edited by Mobius

Armand

- Don't use AutoIt

hhh - sad but true ... :mellow:


Mobius

hhh - sad but true ... :(

So a couple of AV companies aren't up to scratch on current events (Won't mention NOD32 :mellow: )

And you guys advocate not using AutoIt at all because of THIS!!!!

You are not releasing a commercial app anyway so get over yourself.

Dammit, Lost me big green Lazer.....Has anyone seen it?

Edited by Mobius
