amcdee

Virus Report

8 posts in this topic

Hi Guys,

Just a bit of a heads up: I've just received the following warning from CA. Been using Autoit for a while now without issue. Unfortunately it's always affecting about of my compiled script.

The Win32/SillyAutorun.AYD was detected in C:\PROGRAM FILES\AUTOIT3\AUT2EXE\AUTOITSC.BIN.

Kindest regards,

Amcdee

Hello,

That is not a good answer, my friend. I have been heavily using AutoIT for several years now (a great product for sure).

The virus issue with AutoIT compiled scripts is and stays an issue.

I have spent weeks of work changing my code, not to develop and enhance my applications, but just to work around the virus detection issues.

The false positive detection is a recurring issue, and I think anyone using AutoIt code daily knows this.

For myself, what I decided to do, after many different weird experiences, is:

1) Do not use the UPX compressor at all

2) Do not use the Obfuscator option anymore

3) Avoid the FileInstall command whenever possible

Doing so, I have eliminated most of the issues, but I still have to fight from time to time with a crappy antivirus vendor to request a change to a wrong virus list where AutoIt code is detected as a false positive virus.

I have no magic solution for that and I hope this will improve with future AutoIT releases.

Enjoy :)

Dominique


#4 ·  Posted (edited)

How will future Autoit releases fix the "crappy AV vendors" ? (your words)

Just don't use shitty AV products, I never have any problems ! I used to have ESET Smart Security, now I've gotten rid of AV and just use the free Sunbelt Personal firewall.

Also, I doubt the obfuscator has any effect on the false alerts, the script is encrypted anyway. You could try other executable packers, like PeCompact, it's pretty tame.

Edited by Inverted


It has been discussed so many times it gets boring to see all the new threads on it. Report it to them as a false positive. That's all you can do, because you've outlined the rest.


We are using compiled scripts on many workstations and servers. False positives are a great problem for us.

It is not possible to use the whitelist function of the AV, because the folder changes often.

In the next weeks we will set up a test system for compiled AutoIt scripts and other important files.

- the samples will be scanned every hour with the major AV engines

- if there is a False-Positive, the system will send a report to the AV-Company

We hope to decrease the duration of a False-Positive down to a few hours.


All AutoIt scripts will show as the same malware. That's because of idiots who write malware in AutoIt and idiots who tag every script as a malware.


@amcdee

I had the same problem on 14th of May - CA eTrust started to delete my executables because it "found" AutoItSC.bin "infected" with that worm.

I contacted them the same day, sent them the samples they required and got the answer back that the file is clean. By next day (15th) they released a new signature file which fixed the false warning on AutoItSC.bin.

Don't worry anymore about that from CA.

A piece of advice: even so, don't compress your executables with upx because eTrust might see them "suspicious".


SNMP_UDF ... for SNMPv1 and v2c so far, GetBulk and a new example script

wannabe "Unbeatable" Tic-Tac-Toe

Paper-Scissor-Rock ... try to beat it anyway :)
