
Antivirus scanner problems


Postman

Hello,

I have a strange problem. I have several AutoIt scripts compiled as EXE (with UPX and without). If I copy one of these compiled scripts to another directory on my PC, it takes a long time until the file is copied. I have discovered that the problem relates to AutoIt and the antivirus application. If I disable the antivirus application, the copying of the script file is very fast.

I tested it on multiple PCs. All of them use Sophos or McAfee Antivirus and all of them have the problem. If I copy another EXE file, e.g. a C# or C++ application, the copying is not delayed.

Does somebody have an explanation or a workaround for this problem?

Thanks.

Inverted

Are you sure it happens even when the compiled exe is not UPX'ed?

You can try to lower the heuristics/aggression of the antiviruses, see if that helps.

Postman

Hiho,

I tried different Aut2Exe options with ANSI, UPX/non-UPX etc. But none of them brought a change.

Could it be that the created EXE files do not have any kind of signature? Most Windows applications are signed in some way, so that Windows knows that they are from a trusted manufacturer.

Changing the security level in the antivirus application is not an option. However, I played a little bit with some options. In Sophos there is an option called "Use 32-bit-executable emulator" (or something like that) causing the problem. If I disable this option, the copying is not delayed. As I said, for production use I cannot change the security level.

???

Inverted

Yes, they use an emulator to emulate the execution of the executable without actually running it, because static scan is pretty useless; a lot of executables are packed and they want to get to the unpacked code. But I don't know why they choke on the AutoIt executables, something with the weird structure I guess (interpreter + attached encrypted script).

A LOT of common program executables aren't signed anyway.

Anyway, I'm pretty sure the delay happens only the first time the file is copied to a new location. Afterwards, the antiviruses just checksum it to be sure it hasn't changed.

The only idea I have now is to try using another packer (one of my favourites is PE Compact), maybe you'll get lucky. :D

And if you have time, email the antivirus vendors with a couple of samples and whiiiine!!!

Edited by Inverted
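
Added example, not part of any post in this thread: a Python check, tied to the signature and packer questions raised above, that reads a PE file's headers and reports whether a certificate table (where an Authenticode signature is stored) is present and whether the default UPX section names appear. The names `pe_triage` and `make_sample` are hypothetical, and the sample headers are constructed for the example.

```python
import struct

def pe_triage(data: bytes) -> dict:
    """Check a PE image for a certificate table and UPX-style section names."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (n_sections,) = struct.unpack_from("<H", data, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)
    opt_off = pe_off + 24
    (magic,) = struct.unpack_from("<H", data, opt_off)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    # Data directories begin 96 bytes (PE32) or 112 bytes (PE32+) into the
    # optional header; the 4 bytes before them hold the number of entries.
    dd_off = opt_off + (96 if magic == 0x10B else 112)
    (n_dirs,) = struct.unpack_from("<I", data, dd_off - 4)
    cert_off = cert_size = 0
    if n_dirs > 4:                                            # entry 4 = certificate table
        cert_off, cert_size = struct.unpack_from("<II", data, dd_off + 4 * 8)
    sec_off = opt_off + opt_size
    names = [
        data[sec_off + i * 40: sec_off + i * 40 + 8].rstrip(b"\0").decode("ascii", "replace")
        for i in range(n_sections)
    ]
    return {
        # Presence only: this does not verify the Authenticode signature.
        "has_cert_table": cert_off != 0 and cert_size != 0,
        "sections": names,
        # Heuristic: default UPX section names; they can be renamed.
        "upx_sections": any(n.startswith("UPX") for n in names),
    }

def make_sample(section_names, cert=(0, 0)):
    """Constructed input: PE32 headers only, not a runnable program."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 224, 0x102)
    dirs = [(0, 0)] * 16
    dirs[4] = cert
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    secs = b"".join(n.encode("ascii").ljust(40, b"\0") for n in section_names)
    return dos + b"PE\0\0" + coff + opt + secs

if __name__ == "__main__":
    print(pe_triage(make_sample(["UPX0", "UPX1", ".rsrc"])))
    print(pe_triage(make_sample([".text", ".rdata", ".rsrc"], cert=(0x400, 0x1A00))))
```

To check a real file, pass `open(path, "rb").read()` to `pe_triage`; a present certificate table still has to be validated with a signature verification tool.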

Datus

I had the same problem today when I upgraded the script compiler.

Fix was to uninstall it and install an older version.

Hope they fix the issue in the next release.


We live as we dream alone!

Inverted

Don't whine on the AutoIt forum, people, whine to the antivirus vendors, it's their problem!

Datus

Hope you never get to see a proper whine if you think people have been whining on this post.

The comments are to make people aware and how to overcome them.

Here's a WHINE.

A previous compiler is OK, the newer one isn't. If there is a history of AV not liking the compiler, it can't be hard to test a new version before launch to see if the most popular AVs have an issue.

But didn't want to post that........


We live as we dream alone!
