Jump to content

Are my AutoIt exes really infected?

JSThePatriot
 Share

Recommended Posts

  • Developers
Jos Universalist

Jos

Posted
  • Developers
Posted
17 minutes ago, Sergeant_Shultz said:

Open to suggestions. 

Other than this list in the first post?:

There isn't too much we can do from our side but we are always open to suggestions.

Jos :)

 

 

 

SciTE4AutoIt3 Full installer Download page   - Beta files       Read before posting     How to post scriptsource   Forum etiquette  Forum Rules 
 
Live for the present,
Dream of the future,
Learn from the past.  :)

Link to comment
Share on other sites
  • Replies 293
  • Created
  • Last Reply

Top Posters In This Topic

Top Posters In This Topic

Popular Posts

Jon
Jon

Maybe we just have most popular AV vendors explicitly (just in case an external link to a more in depth guide gets removed). Easier for us to maintain that way but still useful for the majority.

Jokerman
Jokerman

I'd like to start by saying that I've experienced pretty much everything that has been mentioned in this thread - quarantined exes for completely innocuous code, compiled exes flagged as infected mont

gi_jimbo
gi_jimbo

I'm not a regular contributor here but if the @argumentum digital signing tool works, I think it would be good to add it to the "AutoIt and Malware" page (https://www.autoitscript.com/wiki/AutoIt_and_

Posted Images

  • Moderators
JLogan3o13 Universalist

JLogan3o13

Posted
  • Moderators
Posted

It isn't a matter of "abandoning support". The AutoIt team cannot control the false flags created by various AV companies. That is the point of this entire thread - of you are receiving false positives there is a method for reporting this to the AV company.

BTW I answered the same way in your email, and would clarify that you didn't "receive no response" in this thread, just not the one you were wanting. 

"Profanity is the last vestige of the feeble mind. For the man who cannot express himself forcibly through intellect must do so through shock and awe" - Spencer W. Kimball

How to get your question answered on this forum!

Link to comment
Share on other sites
  • Moderators
JLogan3o13 Universalist

JLogan3o13

Posted
  • Moderators
Posted (edited)

Why would anyone lie to you? Your response makes no sense to me (not to mention being insulting).

Edited by JLogan3o13

"Profanity is the last vestige of the feeble mind. For the man who cannot express himself forcibly through intellect must do so through shock and awe" - Spencer W. Kimball

How to get your question answered on this forum!

Link to comment
Share on other sites
  • 4 weeks later...
cal Adventurer

cal

Posted
Posted

Arg.   Windows has gone nuts this weekend and declared all my compiled programs to be infected.   Bad Microsoft Bad....   ok   Rant over.  I feel better.

Guess I need to install the full autoit for a coworker who needs my apps right now.  Its a bit frustrating when both my home machine and work machine delete stuff the moment I compile it.  I could ignore the dir but I'd rather not do that.  I've always just used the defaults when compiling.  Is there something I can change to hopefully prevent the false positive.   I've had this happen a few times but never to this extent.

Found the microsoft page to submit false positives.  I'll do that.   Just wondering if I have any options for now on my side.

 

Link to comment
Share on other sites
iamtheky Universalist

iamtheky

Posted
Posted (edited)

care to post the compiler flags you are using, and if it is defender what are the existing exclusions?   There is some due diligence to be exercised by the author and user before you need to include the vendors.

Edited by iamtheky 

,-. .--. ________ .-. .-. ,---. ,-. .-. .-. .-.
|(| / /\ \ |\ /| |__ __||| | | || .-' | |/ / \ \_/ )/
(_) / /__\ \ |(\ / | )| | | `-' | | `-. | | / __ \ (_)
| | | __ | (_)\/ | (_) | | .-. | | .-' | | \ |__| ) (
| | | | |)| | \ / | | | | | |)| | `--. | |) \ | |
`-' |_| (_) | |\/| | `-' /( (_)/( __.' |((_)-' /(_|
'-' '-' (__) (__) (_) (__)

Link to comment
Share on other sites
cal Adventurer

cal

Posted
Posted

Right....  Thats what I'm asking about.  Current is default.  Right click and compile.  That is it.  I do not have any compile instructions in the au3.

No exclusions.  At least not before today.  I have excluded this one exe now on one coworkers computer to get it working.  I was going to install auto it but I have a few custom includes both from here and of my own.  I did not feel like replicating my file structure elsewhere and then having to maintain it.

Its not excluded on mine.  I run the au3 anyhow.  And I want to see if there is something I can do to help prevent the false positive.

I have not submitted anything yet to any vendors.  If its something I can change about they way I'm doing my compile then I'm happy to test that out first.  Hence my post.

Link to comment
Share on other sites
iamtheky Universalist

iamtheky

Posted
Posted (edited)
57 minutes ago, cal said:

I do not have any compile instructions in the au3

so playing with compiler flags will probably start to vary results, especially the recommendations throughout this thread.

Edited by iamtheky 

,-. .--. ________ .-. .-. ,---. ,-. .-. .-. .-.
|(| / /\ \ |\ /| |__ __||| | | || .-' | |/ / \ \_/ )/
(_) / /__\ \ |(\ / | )| | | `-' | | `-. | | / __ \ (_)
| | | __ | (_)\/ | (_) | | .-. | | .-' | | \ |__| ) (
| | | | |)| | \ / | | | | | |)| | `--. | |) \ | |
`-' |_| (_) | |\/| | `-' /( (_)/( __.' |((_)-' /(_|
'-' '-' (__) (__) (_) (__)

Link to comment
Share on other sites
  • 5 weeks later...
eliass123 Seeker

eliass123

Posted
Posted

Hey,

I've already seen the sticky thread on autoit virusses but the first post doesn't mention windows defender and the thread is quite inactive so I made a new one.

I tried sending a simple keycombination to a program when my pc starts using 1) task scheduler and then 2) windows autostart folder. In both cases it's detected as a virus. I also tried adding the files as exeptions to windows defender while they were in their original folder, the autostart folder and I chose the .exes as well as the .au3s

I also tried to add an exeption using the process name you can find on the task manager. (Tried to type in the name with .exe as well as without)

I also changed the properties of the scripts so that they are started as an administrator.

My script looks like this

Sleep(15000)
ControlSend ( "OBS 21.1.0 (64bit, windows) - Profil: Unbenannt - Szenen: Unbenannt", "", "[CLASS:Qt5QWindowIcon; INSTANCE:1]", "+{f8}" )

 

please help me... those guys from microsoft are mental

Link to comment
Share on other sites
Bilgus Universalist

Bilgus

Posted
Posted

I think its this.. 

ControlSend ( "OBS 21.1.0 (64bit, windows) - Profil: Unbenannt - Szenen: Unbenannt", "", "[CLASS:Qt5QWindowIcon; INSTANCE:1]", "+{f8}" )

Should be

ControlSend ( "OBS 21.1.0 (64bit, windows) - Profil: Tote Pferde, die ich geschlagen habe - Szenen: Unbenannt", "", "[CLASS:Qt5QWindowIcon; INSTANCE:1]", "+{f8}" )

 

Link to comment
Share on other sites
bogQ Universalist

bogQ

Posted
Posted

So what is stopping you to install avast on your comp that will disable windows defender cos he is running?

I had relatively easy time with him and false positive detection.

TCP server and client - Learning about TCP servers and clients connection
Au3 oIrrlicht - Irrlicht project
Au3impact - Another 3D DLL game engine for autoit. (3impact 3Drad related)



460px-Thief-4-temp-banner.jpg
There are those that believe that the perfect heist lies in the preparation.
Some say that it’s all in the timing, seizing the right opportunity. Others even say it’s the ability to leave no trace behind, be a ghost.

 
Link to comment
Share on other sites
  • Moderators
Melba23 Universalist

Melba23

Posted
  • Moderators
Posted

eliass123,

Quote

I've already seen the sticky thread on autoit virusses but the first post doesn't mention windows defender and the thread is quite inactive so I made a new one.

And I have merged it into the sticky thread - we have it for a reason.

M23

Public_Domain.png.2d871819fcb9957cf44f4514551a2935.png Any of my own code posted anywhere on the forum is available for use by others without any restriction of any kind

Open spoiler to see my UDFs:

Spoiler

ArrayMultiColSort ---- Sort arrays on multiple columns
ChooseFileFolder ---- Single and multiple selections from specified path treeview listing
Date_Time_Convert -- Easily convert date/time formats, including the language used
ExtMsgBox --------- A highly customisable replacement for MsgBox
GUIExtender -------- Extend and retract multiple sections within a GUI
GUIFrame ---------- Subdivide GUIs into many adjustable frames
GUIListViewEx ------- Insert, delete, move, drag, sort, edit and colour ListView items
GUITreeViewEx ------ Check/clear parent and child checkboxes in a TreeView
Marquee ----------- Scrolling tickertape GUIs
NoFocusLines ------- Remove the dotted focus lines from buttons, sliders, radios and checkboxes
Notify ------------- Small notifications on the edge of the display
Scrollbars ----------Automatically sized scrollbars with a single command
StringSize ---------- Automatically size controls to fit text
Toast -------------- Small GUIs which pop out of the notification area

 

Link to comment
Share on other sites
eliass123 Seeker

eliass123

Posted
Posted
1 hour ago, bogQ said:

So what is stopping you to install avast on your comp that will disable windows defender cos he is running?

I had relatively easy time with him and false positive detection.

avast didn't work but I used regedit to permanently disable windows defender #imoneofthehardones

Link to comment
Share on other sites
iamtheky Universalist

iamtheky

Posted
Posted (edited)

Did you turn upx off?  The fewer lines your code has, the more it matches malware sigs. Your script, to a robot, shares 99.999% of its code with other verified malicious compiled .au3s.  Its best to not compress it for detection purposes.

shell:startup is an awkward place to run interactive scripts from.  How about the script in the startup folder consists of one line that runs and exits, calling this script from another location.  Or use schedule tasks to create a task that runs on startup + X seconds

5b058bad23480_scheduledtask.PNG.3b223aa72a949634b5eea40aec718c63.PNG

 

and simply executes a command like 

Run(@AutoItExe & ' /AutoIt3ExecuteLine "ControlSend (''OBS 21.1.0 (64bit, windows) - Profil: Tote Pferde, die ich geschlagen habe - Szenen: Unbenannt'', '''', ''[CLASS:Qt5QWindowIcon; INSTANCE:1]'', ''+{f8}'' )"')

 

 

nuking defender might not be necessary.

Edited by iamtheky 

,-. .--. ________ .-. .-. ,---. ,-. .-. .-. .-.
|(| / /\ \ |\ /| |__ __||| | | || .-' | |/ / \ \_/ )/
(_) / /__\ \ |(\ / | )| | | `-' | | `-. | | / __ \ (_)
| | | __ | (_)\/ | (_) | | .-. | | .-' | | \ |__| ) (
| | | | |)| | \ / | | | | | |)| | `--. | |) \ | |
`-' |_| (_) | |\/| | `-' /( (_)/( __.' |((_)-' /(_|
'-' '-' (__) (__) (_) (__)

Link to comment
Share on other sites
  • 2 weeks later...
Nomad_RJ Seeker

Nomad_RJ

Posted
Posted (edited)

I had a file being tagged as "Trojan:Win32/Tilken.B!cl" by Windows Defender on Windows 10, with "severe" risk.

This was the only false positive among several of my scripts, so I decided to investigate the code...

Found out this particular script had "#pragma" directives, something I don't use anymore for quite a long time. So I replaced them with "#AutoIt3Wrapper" directives, recompiled and voilá, no more warnings on Windows Defender!

I have no idea the reason why, but this is definitely worth checking...

PS: It seems like UPX is unchecked by default by Autoit3Wrapper

PS2: Using version 3.3.14.2

Edited by Nomad_RJ
Link to comment
Share on other sites
careca Universalist

careca

Posted
Posted (edited)

My player is being killed by windows defender, got other programs that weren't flagged, lines and compile method is the same, im confused. 

#Region ;Wrapper
#AutoIt3Wrapper_UseUpx=n
#AutoIt3Wrapper_UseX64=n
#AutoIt3Wrapper_Run_Tidy=y
#AutoIt3Wrapper_Res_SaveSource=y
#AutoIt3Wrapper_Run_Debug_Mode=n
#AutoIt3Wrapper_Icon=BPlayer.ico
#pragma compile(CompanyName, 'careca')
#pragma compile(x64, false)
#pragma compile(UPX, False)
#AutoIt3Wrapper_Res_Comment=By: Careca
#AutoIt3Wrapper_Res_Icon_Add=BPlayer.ico
#AutoIt3Wrapper_Res_Description=Audio Player
#AutoIt3Wrapper_AU3Check_Parameters=-d -w 1 -w 2 -w 3 -w- 4 -w 5 -w 6 -w- 7
#EndRegion ;Wrapper

 

screenshot - 03062018-0138.jpg

EDIT: after i submitted the file to windows defender support, they un-flagged it from the system for the future.

Edited by careca
Windows defender support unflagged the file.
Spoiler

Renamer - Rename files and folders, remove portions of text from the filename etc.

GPO Tool - Export/Import Group policy settings.

MirrorDir - Synchronize/Backup/Mirror Folders

BeatsPlayer - Music player.

Params Tool - Right click an exe to see it's parameters or execute them.

String Trigger - Triggers pasting text or applications or internet links on specific strings.

Inconspicuous - Hide files in plain sight, not fully encrypted.

Regedit Control - Registry browsing history, quickly jump into any saved key.

Time4Shutdown - Write the time for shutdown in minutes.

Power Profiles Tool - Set a profile as active, delete, duplicate, export and import.

Finished Task Shutdown - Shuts down pc when specified window/Wndl/process closes.

NetworkSpeedShutdown - Shuts down pc if download speed goes under "X" Kb/s.

IUIAutomation - Topic with framework and examples

Au3Record.exe

Link to comment
Share on other sites
  • 1 month later...
  • Developers
Jos Universalist

Jos

Posted
  • Developers
Posted (edited)
1 minute ago, jonasmehler46 said:

Much obliged JS, does anyone have something else to include before I bolt this?

nah...  go ahead and bolt your stuff! ;)

Edited by Jos

SciTE4AutoIt3 Full installer Download page   - Beta files       Read before posting     How to post scriptsource   Forum etiquette  Forum Rules 
 
Live for the present,
Dream of the future,
Learn from the past.  :)

Link to comment
Share on other sites
  • 4 weeks later...
bdr529 Wayfarer

bdr529

Posted
Posted

 

I'm sorry but I do not write in English I need to google translator

my first very simple script (autoit 3.3.14.5)
  

#Region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_Outfile=simple_32bit_3-3-14-5.exe
#AutoIt3Wrapper_Outfile_x64=simple_64bit_3-3-14-5.exe
#AutoIt3Wrapper_Compression=0
#AutoIt3Wrapper_Compile_Both=y
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****
msgbox(0,0,0)

this is the virustotal result of the 32-bit version
https://www.virustotal.com/#/file/000a78b60fd3f9e3e5c0d27ba7d10914fb34972cb6babfe331ba57d4e2f3ba3e/detection
this is the virustotal result of the 64-bit version
https://www.virustotal.com/#/file/15ab96e9c663db258f36696f0cba61788d0d91ba2229bd5066a057abd16a9603/detection

my second very simple script (autoit 3.3.14.2) 

#Region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_Outfile=simple_32bit_3-3-14-2.exe
#AutoIt3Wrapper_Outfile_x64=simple_64bit_3-3-14-2.exe
#AutoIt3Wrapper_Compression=0
#AutoIt3Wrapper_Compile_Both=y
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****
msgbox(0,0,0)

this is the virustotal result of the 32-bit version

https://www.virustotal.com/#/file/7961c6b6a6dd492c2bcf36f45a07c81394c57d7b84775c84d448aa382233e82a/detection

this is the virustotal result of the 64-bit version

https://www.virustotal.com/#/file/5a65f4837ceea5a2e3387de9a69a773759dbe4a1b591a9ddf0ec8d0f0e559af5/detection

why are there different results?

To community goes all my regards and thanks

Link to comment
Share on other sites
  • Melba23 changed the title to Are my AutoIt exes really infected?
  • Melba23 pinned this topic

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...