lionfaggot Posted March 10, 2011 Posted March 10, 2011 turns out all autoit exes add the following registry values (im not sure why or how) but here they are: HKLM\system\CurrentControlSet\control\NetworkProvider\HwOrder 0 Value Change 1 this according to anubis scan, and this is all that keeps my autoit programs on the redlist of antiviruses. but ALL autoit exes apparently edit this key, so right, is it possible to keep autoit from editing these values? even an exe with JUST sleep(100) in it anubis said it edited these. anubis.iseclab.org - if one of the developers could solve that issue it'd mean we wouldnt have as much to deal with from antivirus companies i mean at least not as much. i was just thinking should be an option for an autoit exe to not edit said values thanks in advance
Bowmore Posted March 10, 2011 Posted March 10, 2011 (edited) turns out all autoit exes add the following registry values (im not sure why or how) but here they are:HKLM\system\CurrentControlSet\control\NetworkProvider\HwOrder 0 Value Change 1This statement is certainly not true for me. I've just run several AutoIt exes on my PC and monitored all registry access with sysinternals' RegMon.exe. Nothing under HKLM\system\CurrentControlSet\control\NetworkProvider was changed or even accessed.Edit: Put some words in the order I originally intended. Edited March 11, 2011 by Bowmore "Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the universe trying to build bigger and better idiots. So far, the universe is winning."- Rick Cook
Moderators Melba23 Posted March 10, 2011 Moderators Posted March 10, 2011 (edited) lionfaggot,I have been running compiled exes from many versions of AutoIt over several years and I do not have that key (or keys, you are imprecise in your post) set at all on my system. All I have in HKLM\system\CurrentControlSet\control\NetworkProvider\HwOrder is the ProviderOrder key which reads: "LanmanWorkstation,RDPNP,webclient".Are you sure that AutoIt is doing it? According to MS, the NetworkProvider subkey "provides a list of the available network providers that use the Microsoft network-independent APIs". It seems very likely to me that it is something else. M23Edit: Formatting went all funny. Edited March 10, 2011 by Melba23 Any of my own code posted anywhere on the forum is available for use by others without any restriction of any kind Open spoiler to see my UDFs: Spoiler ArrayMultiColSort ---- Sort arrays on multiple columnsChooseFileFolder ---- Single and multiple selections from specified path treeview listingDate_Time_Convert -- Easily convert date/time formats, including the language usedExtMsgBox --------- A highly customisable replacement for MsgBoxGUIExtender -------- Extend and retract multiple sections within a GUIGUIFrame ---------- Subdivide GUIs into many adjustable framesGUIListViewEx ------- Insert, delete, move, drag, sort, edit and colour ListView itemsGUITreeViewEx ------ Check/clear parent and child checkboxes in a TreeViewMarquee ----------- Scrolling tickertape GUIsNoFocusLines ------- Remove the dotted focus lines from buttons, sliders, radios and checkboxesNotify ------------- Small notifications on the edge of the displayScrollbars ----------Automatically sized scrollbars with a single commandStringSize ---------- Automatically size controls to fit textToast -------------- Small GUIs which pop out of the notification area
JohnOne Posted March 10, 2011 Posted March 10, 2011 Its like deja vu all over again. AutoIt Absolute Beginners Require a serial Pause Script Video Tutorials by Morthawt ipify Monkey's are, like, natures humans.
lionfaggot Posted March 10, 2011 Author Posted March 10, 2011 well, according to runtime antivirus scans autoit exes do change values. i have no idea why. scan any of your compiled autoit exes in an online sandbox such as http://anubis.iseclab.org/ no seriously just try it, and thats not the only runtime scan that says autoit exes do this, all runtime scans ive tried say it. i dont know, im no developer, i just know what i see
JohnOne Posted March 10, 2011 Posted March 10, 2011 well, according to runtime antivirus scans autoit exes do change values. i have no idea why. scan any of your compiled autoit exes in an online sandbox such as http://anubis.iseclab.org/no seriously just try it, and thats not the only runtime scan that says autoit exes do this, all runtime scans ive tried say it. i dont know, im no developer, i just know what i seeAre you some sort of rep for this anubis, you keep piping up about them, I've got news for you, no-one cares about a lousey stinking online scan that hardly anyone has heard of, so you might as well give up with your aggressive "no really" "Just do it" "upload" suggestions.Even it it did write this elusive regkey, so what?, I doubt there is going to be a new release of autoit3 because of you dont like a false posotive from a scrotum scan.Live long and prosper. AutoIt Absolute Beginners Require a serial Pause Script Video Tutorials by Morthawt ipify Monkey's are, like, natures humans.
kylomas Posted March 10, 2011 Posted March 10, 2011 Funny, JohnOne... "hit it where they ain't" kylomas Forum Rules Procedure for posting code "I like pigs. Dogs look up to us. Cats look down on us. Pigs treat us as equals." - Sir Winston Churchill
lionfaggot Posted March 11, 2011 Author Posted March 11, 2011 its not just anubis though, most antiviruses have runtime scans. i was just using anubis as an example. in fact the scans that detect autoit exes arent based on the file before its run. also another online sandbox from sunbelt says autoit exes do something called "checks for debugger" - the point here is that runtime scans have pretty common guidelines in what they check for from an exe. google "online sandbox" i highly advise you guys give this a try.
lionfaggot Posted March 11, 2011 Author Posted March 11, 2011 i try to get people to play a game i made in autoit and people complain its a virus. scan it on virustotal and its only detected by k7, none of my friends or no one i know uses k7, theyre detected not because of the file but because of RUNTIME
BrewManNH Posted March 11, 2011 Posted March 11, 2011 I just reimaged a computer here at work and ran one of my software install scripts on it (compiled .exe) and then I just checked that registry value you mentioned. There is absolutely no difference between the before and after values in that key. I then checked it as the program is running and there is no change there as well. Looks like your AV scanner sucks and is reading things that just aren't there. This isn't a false positive as I would categorize one, this is the AV scanner being used telling you things that aren't happening. The exe's do not modify, add or remove any entries in that key while running or after being run. Use a different AV program. If I posted any code, assume that code was written using the latest release version unless stated otherwise. Also, if it doesn't work on XP I can't help with that because I don't have access to XP, and I'm not going to.Give a programmer the correct code and he can do his work for a day. Teach a programmer to debug and he can do his work for a lifetime - by Chirag GudeHow to ask questions the smart way! I hereby grant any person the right to use any code I post, that I am the original author of, on the autoitscript.com forums, unless I've specifically stated otherwise in the code or the thread post. If you do use my code all I ask, as a courtesy, is to make note of where you got it from. Back up and restore Windows user files _Array.au3 - Modified array functions that include support for 2D arrays. - ColorChooser - An add-on for SciTE that pops up a color dialog so you can select and paste a color code into a script. - Customizable Splashscreen GUI w/Progress Bar - Create a custom "splash screen" GUI with a progress bar and custom label. - _FileGetProperty - Retrieve the properties of a file - SciTE Toolbar - A toolbar demo for use with the SciTE editor - GUIRegisterMsg demo - Demo script to show how to use the Windows messages to interact with controls and your GUI. - Latin Square password generator
kylomas Posted March 11, 2011 Posted March 11, 2011 lionfaggot, Can you post the output form one of these scans that pops on AI? Also post an image of the reg keys and values that you think are affected. kylomas Forum Rules Procedure for posting code "I like pigs. Dogs look up to us. Cats look down on us. Pigs treat us as equals." - Sir Winston Churchill
Carlo84 Posted March 11, 2011 Posted March 11, 2011 (edited) with the site you linked urself... it does no such thinghttp://anubis.iseclab.org/?action=result&task_id=10447a47c43d81094e9497d7be5263ea7&format=html- Monitored Registry Keys:Key Name: HKLM\system\CurrentControlSet\control\NetworkProvider\HwOrder Watch subtree: 0Notify Filter: Value ChangeCount: 1This means it checked the value once for a Value Changeit does not mean it changed the value.tbh sites like that are a load of crap anyways.there should be a monitor here somewhere thats reliable. http://technet.microsoft.com/en-gb/sysinternals Edited March 11, 2011 by Djarlo _SplashProgressImage | _Regionselector | _IsPressed360 | _UserAccountContol_SetLevel | _ListSubFolders
kylomas Posted March 12, 2011 Posted March 12, 2011 Here's one for trancexx... You are familiar with assonance... Interpret the OP's nick... Are'nt those "dots" annoying... Forum Rules Procedure for posting code "I like pigs. Dogs look up to us. Cats look down on us. Pigs treat us as equals." - Sir Winston Churchill
ChrisL Posted March 12, 2011 Posted March 12, 2011 i try to get people to play a game i made in autoit and people complain its a virus. scan it on virustotal and its only detected by k7, none of my friends or no one i know uses k7, theyre detected not because of the file but because of RUNTIMEIf your compiled files are flagged as a virus then compile them without the UPX packer, this is the most likely part that is being flagged. [u]Scripts[/u]Minimize gui to systray _ Fail safe source recoveryMsgbox UDF _ _procwatch() Stop your app from being closedLicensed/Trial software system _ Buffering Hotkeys_SQL.au3 ADODB.Connection _ Search 2d Arrays_SplashTextWithGraphicOn() _ Adjust Screen GammaTransparent Controls _ Eventlogs without the crap_GuiCtrlCreateFlash() _ Simple Interscript communication[u]Websites[/u]Curious Campers VW Hightops Lambert Plant Hire
Zedna Posted March 12, 2011 Posted March 12, 2011 its not just anubis though, most antiviruses have runtime scans. i was just using anubis as an example. in fact the scans that detect autoit exes arent based on the file before its run. also another online sandbox from sunbelt says autoit exes do something called "checks for debugger" - the point here is that runtime scans have pretty common guidelines in what they check for from an exe. google "online sandbox" i highly advise you guys give this a try."checks for debugger"Yes Autoit has implemented test against debugging EXE files. If it's reason for being flagged as "bad" then replace your scanner by better one. Resources UDF ResourcesEx UDF AutoIt Forum Search
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now