
Antivirus scanner problems



Hello,

I have a strange problem. I have several AutoIt scripts compiled as EXE (with UPX and without). If I copy one of these compiled scripts to another directory on my PC, it takes a long time until the file is copied. I have discovered that the problem relates to AutoIt and the antivirus application. If I disable the antivirus application, the copying of the script file is very fast.

I tested it on multiple PCs. All of them use Sophos or McAfee Antivirus and all of them have the problem. If I copy another EXE file, e.g. a C# or C++ application, the copying is not delayed.

Has somebody an explanation or a workaround for this problem?

Thanks.


Hiho,

I tried different Au2Exe options with ANSI, UPX/non-UPX etc. But none of them brought a change.

Could it be that the created EXE files do not have any kind of signature? Most Windows applications are signed in some way, so that Windows knows that they are from a trusted manufacturer.

Changing the security level in the antivirus application is not an option. However, I played a little bit with some options. Using Sophos, there is an option called "Use 32-bit-executable emulator" (or something like that) causing the problem. If I disable this option, the copying is not delayed. As I said, for production use I cannot change the security level.

???


Yes, they use an emulator to emulate the execution of the executable without actually running it, because a static scan is pretty useless: a lot of executables are packed and they want to get to the unpacked code. But I don't know why they choke on the AutoIt executables, something with the weird structure I guess (interpreter + attached encrypted script).

A LOT of common program executables aren't signed anyway.

Anyway, I'm pretty sure the delay happens only the first time the file is copied to a new location. Afterwards, the antiviruses just checksum it to be sure it hasn't changed.

The only idea I have now is to try using another packer (one of my favourites is PE Compact), maybe you'll get lucky. :D

And if you have time, email the antivirus vendors with a couple of samples and whiiiine !!!

Edited by Inverted
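An added example, not part of the original thread and not code from AutoIt or any antivirus vendor: a header-only triage of the three properties raised in the posts above (UPX section names, a missing signature, and data attached after the last section). It assumes the attached script sits in the file as an overlay, reports only whether a certificate table is present without validating it, and uses a hypothetical `build_sample` helper to construct a non-runnable sample image.

```python
import struct

SECURITY_DIR = 4  # data-directory index of the Authenticode certificate table

def triage_pe(data: bytes) -> dict:
    """Header-only triage: signature presence, section names, overlay size."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]      # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0] # SizeOfOptionalHeader
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)          # PE32 vs PE32+
    ndirs = struct.unpack_from("<I", data, dirs - 4)[0]   # NumberOfRvaAndSizes
    cert_off = cert_len = 0
    if ndirs > SECURITY_DIR:
        cert_off, cert_len = struct.unpack_from("<II", data, dirs + 8 * SECURITY_DIR)
    names, end = [], 0
    for i in range(nsec):
        s = opt + opt_size + 40 * i                       # 40-byte section header
        names.append(data[s:s + 8].rstrip(b"\0").decode("ascii", "replace"))
        raw_size, raw_ptr = struct.unpack_from("<II", data, s + 16)
        end = max(end, raw_ptr + raw_size)
    # "signed" = certificate table present; the signature is NOT validated here.
    signed = cert_off != 0 and cert_len != 0
    tail = cert_off if signed and cert_off >= end else len(data)
    return {"signed": signed, "sections": names,
            "upx": any(n.startswith("UPX") for n in names),
            "overlay_bytes": max(0, tail - end)}

def build_sample(section_names, overlay=b""):
    """Constructed minimal PE32 image (headers plus filler, not runnable)."""
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 224, 0x102)
    opt = struct.pack("<H", 0x10B).ljust(92, b"\0") + struct.pack("<I", 16) + b"\0" * 128
    table, raw = b"", 0x200
    for name in section_names:
        table += name.ljust(8, b"\0") + struct.pack("<IIII", 0x100, 0x1000, 0x100, raw) + bytes(16)
        raw += 0x100
    image = (dos + b"PE\0\0" + coff + opt + table).ljust(0x200, b"\0")
    return image + b"\xCC" * (0x100 * len(section_names)) + overlay

if __name__ == "__main__":
    # Constructed input: UPX-style section names plus 1000 bytes of attached data.
    print(triage_pe(build_sample([b"UPX0", b"UPX1"], b"\x5A" * 1000)))
```

Running it over a set of compiled scripts and ordinary executables gives a quick side-by-side of which files are packed, unsigned, or carry attached data before samples go to a vendor.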

I had the same problem today when I upgraded the script compiler.

Fix was to uninstall it and install an older version.

Hope they fix the issue in the next release.

We live as we dream alone!


Hope you never get to see a proper whine if you think people have been whining on this post.

The comments are to make people aware and how to overcome them.

Here's a WHINE.

A previous compiler OK, newer one isn't. If there is a history of AV not liking the compiler, it can't be hard before releasing a new version to test it before launch to see if the most popular AVs have an issue.

But didn't want to post that........

We live as we dream alone!
