Burgaud, posted December 15, 2021:
I am at my wits' end. Windows Defender keeps identifying compiled scripts as a virus... What are your suggestions to solve this? Add this to exclusion?

TheDcoder, posted December 15, 2021:
Have you tried compiling without UPX compression?
Signature: EasyCodeIt - A cross-platform AutoIt implementation - Fund the development! (GitHub will double your donations for a limited time). DcodingTheWeb Forum - Follow for updates and Join for discussion.

Musashi, posted December 15, 2021:
https://www.autoitscript.com/forum/topic/34658-are-my-autoit-exes-really-infected/
Signature: "In the beginning the Universe was created. This has made a lot of people very angry and been widely regarded as a bad move."

Jos (Developers), posted December 15, 2021:
... or simply do as I have done for years now: Run your script source with AutoIt3.exe... never had any issues since then.
Signature: SciTE4AutoIt3 Full installer Download page - Beta files. Read before posting: How to post scriptsource, Forum etiquette, Forum Rules. Live for the present, Dream of the future, Learn from the past.

TheDcoder, posted December 15, 2021:
@Jos Just curious, what are your thoughts on distributing the interpreter (AutoIt3.exe) along with the script to avoid virus detection? I think the signed interpreter executable is whitelisted by many AVs...

Exit, posted December 15, 2021:
27 minutes ago, TheDcoder said:
> Just curious, what are your thoughts on distributing the interpreter (AutoIt3.exe) along with the script
This was exactly what I thought and then I made Au3toCmd. See the link in my Signature.
Signature: App: Au3toCmd, UDF: _SingleScript()

Musashi, posted December 15, 2021:
39 minutes ago, TheDcoder said:
> Just curious, what are your thoughts on distributing the interpreter (AutoIt3.exe) along with the script to avoid virus detection? I think the signed interpreter executable is whitelisted by many AVs...
We have been distributing tools created with AutoIt (.a3x, but .au3 would work just the same) for years to various customers. The launch is done via the interpreter AutoIt3.exe or AutoIt3_x64.exe and, with very very few exceptions, we have never observed any problems with AV scanners.

Jos (Developers), posted December 15, 2021 (edited December 15, 2021 by Jos):
52 minutes ago, TheDcoder said:
> @Jos Just curious, what are your thoughts on distributing the interpreter (AutoIt3.exe) along with the script to avoid virus detection?
That is what I would do when running in a corporate environment to avoid a tsunami of virus issues on all computers when the AV company messes up. The added benefit is that the "compiled" a3x files are much smaller to distribute and you only need to distribute the exe one time. The disadvantage obviously is that all scripts need to be able to run on the same version interpreter.

Musashi, posted December 15, 2021 (edited December 15, 2021 by Musashi):
3 hours ago, Jos said:
> Disadvantage obviously is that all scripts need to be able to run on the same version interpreter.
Not necessarily. One can manage scripts (.a3x) that need a certain interpreter version together with the matching interpreter in separate folders. The interpreters AutoIt3.exe / AutoIt3_64.exe do not have to be installed or associated with the extension .a3x. They are called (stand-alone) from the respective folder. This way one can run e.g. scripts of version 3.3.12.0 and 3.3.14.5 separately, no matter which AutoIt version is installed.

TheDcoder, posted December 15, 2021:
1 hour ago, Exit said:
> Au3toCmd
Cool script, maybe you can adapt it to also work without ADS as an optional feature? Relying on ADS is bound to create issues, it only takes one person to move the file once to a non-NTFS location and the script would suddenly stop working and they would have no idea why.

Burgaud (Author), posted December 16, 2021:
14 hours ago, Jos said:
> ... or simply do as I have done for years now: Run your script source with AutoIt3.exe... never had any issues since then.
... until someone uninstalled autoit3 from said machine, then the script won't work.
13 hours ago, Exit said:
> This was exactly what I thought and then I made Au3toCmd. See the link in my Signature.
I totally forgot this... checking again.

TheDcoder, posted December 16, 2021:
5 hours ago, Burgaud said:
> ... until someone uninstalled autoit3 from said machine, then the script won't work
You bundle the EXE with your application, no need for installation, it's portable and has no other dependencies. That's one of the cool features of AutoIt.

Musashi, posted December 16, 2021:
6 hours ago, Burgaud said:
> ... until someone uninstalled autoit3 from said machine, then the script won't work
It works, like @TheDcoder already wrote:
1 hour ago, TheDcoder said:
> You bundle the EXE with your application, no need for installation, it's portable and has no other dependencies. That's one of the cool features of AutoIt
@Burgaud: If you 'compile' your application as .a3x, then it will still work (since all required #Include's are integrated), even if someone completely removes the AutoIt installation. You only have to provide the corresponding (standalone) version of the interpreter (AutoIt3.exe/AutoIt3_64.exe) to execute the .a3x file.

Jos (Developers), posted December 16, 2021:
8 hours ago, Burgaud said:
> ... until someone uninstalled autoit3 from said machine, then the script won't work
I would not install AutoIt3, but just redistribute autoit3.exe to the computers. This isn't different from distributing a compiled script!

rcmaehl, posted December 16, 2021 (edited December 16, 2021 by rcmaehl):
7 hours ago, Musashi said:
> It works, like @TheDcoder already wrote: @Burgaud: If you 'compile' your application as .a3x, then it will still work (since all required #Include's are integrated), even if someone completely removes the AutoIt installation. You only have to provide the corresponding (standalone) version of the interpreter (AutoIt3.exe/AutoIt3_64.exe) to execute the .a3x file.
Run the stripper and then distribute the generated stripped au3 with Autoit3.exe, a3x files are also picked up as false positives. Although avoiding AV detection in this method can be used for good as well as evil.
Signature: My UDFs are generally for me. If they aren't updated for a while, it means I'm not using them myself. As soon as I start using them again, they'll get updated. My Projects: WhyNotWin11, Cisco Finesse, Github, IRC UDF, WindowEx UDF

Exit, posted December 16, 2021:
2 hours ago, rcmaehl said:
> a3x files are also picked up as false positives
Can you give an example of this?

rcmaehl, posted December 16, 2021:
2 minutes ago, Exit said:
> Can you give an example of this?

Musashi, posted December 16, 2021:
2 hours ago, rcmaehl said:
> Run the stripper and then distribute the generated stripped au3 with Autoit3.exe, a3x files are also picked up as false positives.
First of all, to prevent misunderstandings and unnecessary disputes: There is nothing wrong with distributing a generated stripped au3 with Autoit3.exe. Let's just hope that the AutoIt interpreter itself does not appear on the 'false positive' list in future AV updates.
2 hours ago, rcmaehl said:
> ... a3x files are also picked up as false positives.
According to my experience, this happens very rarely up to now. If they do, then from the lesser-known AV scanners named by Virustotal.
3 hours ago, rcmaehl said:
> ... avoiding AV detection in this method can be used for good as well as evil
To a certain extent, I agree with you. In reality, however, very few users will bother to analyze a lengthy .au3 script (with various #includes) to see if it might contain malicious code.

Musashi, posted December 16, 2021:
Here is an example: The script (self created, > 2500 lines - without the Includes) installs PostgreSQL directly from the binaries. It writes registry entries, sets user rights and much more.
Result:
I don't want to exclude the possibility that .a3x files will get into the focus of AV vendors in the future. However, this cannot be ruled out for .au3 files either.

bobomb, posted December 18, 2021 (edited December 18, 2021 by bobomb):
You can also use a tool like 7zSFXConstructor to pack the Au3 and AutoIT3.exe into a single SFX exe. With that tool you can create a cmd script and during sfx exe creation point to that as the file to execute when the sfx is run. The tool allows you to pick where you want the file to extract to, e.g. %temp%, and will self delete the extracted files on process close. If you do use a cmd script to execute everything inside you can hide the console window completely and use the Start "" ????.cmd to keep the process going until you are finished (for self removal), you can lock running the exe down with a password etc. An added benefit to the sfx method is that you are executing from removable media, the media can be disconnected after launch while the program is running. Very simple easy way to package a "compiled" EXE from au3 scripts with AutoIT3.exe without too many headaches...
Tool located here: https://github.com/CryptoNickSoft/7z-SFX-Constructor